HP 5920 & 5900 Switch Series
Security

Command Reference

Part number: 5998-2887
Software version: Release2208
Document version: 6W100-20130228


Summary of Contents for HP 5920

  • Page 2 The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
  • Page 3: Table Of Contents

    Contents
    AAA commands ··· 1
      General AAA commands ··· 1
        access-limit enable ··· 1
        accounting command ··· 2
        accounting default ··· 2
        accounting lan-access ··· 4
        accounting login ··· 5
        authentication default ··· 7
    ...
  • Page 4
        radius nas-ip ··· 44
        radius scheme ··· 45
        radius session-control enable ··· 46
        reset radius statistics ··· 46
        retry ··· 47
        retry realtime-accounting ··· 48
        secondary accounting (RADIUS scheme view) ··· 49
        secondary authentication (RADIUS scheme view) ··· 51
    ...
  • Page 5
        login-password ··· 87
        protocol-version ··· 88
        search-base-dn ··· 89
        search-scope ··· 89
        server-timeout ··· 90
        user-parameters ··· 91
    802.1X commands ··· 93
        display dot1x ··· 93
        dot1x ··· 95
        dot1x authentication-method ··· 96
    ...
  • Page 6
        port-security timer autolearn aging ··· 132
        port-security timer disableport ··· 132
    Password control commands ··· 134
        display password-control ··· 134
        display password-control blacklist ··· 135
        password-control { aging | composition | history | length } enable ··· 136
    ...
  • Page 7
        crl check ··· 179
        crl url ··· 180
        display pki certificate access-control-policy ··· 181
        display pki certificate attribute-group ··· 182
        display pki certificate domain ··· 184
        display pki certificate request-status ··· 188
        display pki crl ··· 189
    ...
  • Page 8
        ssh server authentication-timeout ··· 234
        ssh server compatible-ssh1x enable ··· 235
        ssh server enable ··· 236
        ssh server rekey-interval ··· 236
        ssh user ··· 237
    SSH client configuration commands ··· 239
        bye ··· 239
        cd ···...
  • Page 9
        display ssl client-policy ··· 273
        pki-domain (SSL client policy view) ··· 274
        prefer-cipher ··· 275
        server-verify enable ··· 277
        ssl client-policy ··· 278
        version ··· 278
    IP source guard commands ··· 280
        display ip source binding ··· 280
    ...
  • Page 10
        arp scan ··· 303
    ARP gateway protection commands ··· 304
        arp filter source ··· 304
    ARP filtering commands ··· 305
        arp filter binding ··· 305
    uRPF commands ··· 307
        ip urpf ··· 307
        display ip urpf ···...
  • Page 11
        pfs ··· 350
        protocol ··· 351
        qos pre-classify ··· 352
        remote-address ··· 353
        reset ipsec sa ··· 354
        reset ipsec statistics ··· 356
        sa duration ··· 356
        sa hex-key authentication ··· 357
        sa hex-key encryption ···...
  • Page 12
        ··· 396
        reset ike sa ··· 396
        sa duration ··· 397
    Support and other resources ··· 399
        Contacting HP ··· 399
        Subscription service ··· 399
        Related information ··· 399
        Documents ··· 399
    ...
  • Page 13: Aaa Commands

    AAA commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. General AAA commands access-limit enable Use access-limit enable to set the maximum number of online users in an ISP domain.
  • Page 14: Accounting Command

    Related commands display domain accounting command Use accounting command to specify the command line accounting method. Use undo accounting command to restore the default. Syntax accounting command hwtacacs-scheme hwtacacs-scheme-name undo accounting command Default The default accounting method of the ISP domain is used for command line accounting. Views ISP domain view Predefined user roles...
  • Page 15 Syntax In non-FIPS mode: accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] } undo accounting default In FIPS mode: accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ]...
  • Page 16: Accounting Lan-Access

    Examples # Configure the default accounting method for ISP domain test to use RADIUS scheme rd and use local accounting as the backup. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] accounting default radius-scheme rd local
    Related commands
    • hwtacacs scheme
    • local-user
    • ...
  • Page 17: Accounting Login

    accounting lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup accounting methods, local accounting and no accounting. With this command, the device performs RADIUS accounting by default, performs local accounting when the RADIUS server is invalid, and does not perform accounting when both of the previous methods are invalid.
  • Page 18 Views ISP domain view Predefined user roles network-admin Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local accounting. none: Does not perform accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 19: Authentication Default

    authentication default Use authentication default to specify the default authentication method for an ISP domain. Use undo authentication default to restore the default. Syntax In non-FIPS mode: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] } undo authentication default...
  • Page 20: Authentication Lan-Access

    example, the authentication default radius-scheme radius-scheme-name local none command specifies a primary default RADIUS authentication method and two backup authentication methods, local authentication and no authentication. With this command, the device performs RADIUS authentication by default, performs local authentication when the RADIUS server is invalid, and does not perform authentication when both of the previous methods are invalid.
  • Page 21: Authentication Login

    none: Does not perform authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines You can specify multiple authentication methods, one primary and multiple backup methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup authentication methods, local authentication and no authentication.
  • Page 22 authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] } undo authentication login Default The default authentication method of the ISP is used for login users. Views ISP domain view Predefined user roles...
  • Page 23: Authentication Super

    Related commands
    • authentication default
    • hwtacacs scheme
    • ldap scheme
    • local-user
    • radius scheme
    authentication super Use authentication super to specify the authentication method for user role switching. Use undo authentication super to restore the default. Syntax authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } undo authentication super Default The default authentication method of the ISP domain is used for user role switching authentication.
  • Page 24: Authorization Command

    • If a RADIUS scheme is specified, the device uses the username $enabn$ on the RADIUS server for role switching authentication, where n is the same as that in the target user role. For example, to switch to a level-3 user role whose username is test, the device uses $enab3@domain-name$ or $enab3$ for role switching authentication, depending on whether the domain name is required.
  • Page 25: Authorization Default

    none: Does not perform authorization. An authenticated user gets the default user role. For more information about the default user role, see Fundamentals Configuration Guide. Usage guidelines Command authorization restricts login users to execute only authorized commands by employing an authorization server to verify whether or not each entered command is permitted.
  • Page 26 In FIPS mode: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] } undo authorization default Default The default authorization method of an ISP domain is local. Views ISP domain view Predefined user roles...
  • Page 27: Authorization Lan-Access

    Related commands
    • hwtacacs scheme
    • local-user
    • radius scheme
    authorization lan-access Use authorization lan-access to configure the authorization method for LAN users. Use undo authorization lan-access to restore the default. Syntax In non-FIPS mode: authorization lan-access { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] } undo authorization lan-access In FIPS mode: authorization lan-access { local | radius-scheme radius-scheme-name [ local ] }...
  • Page 28: Authorization Login

    authorization when the RADIUS server is invalid, and does not perform authorization when both of the previous methods are invalid. Examples # Configure ISP domain test to use local authorization for LAN users. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] authorization lan-access local # Configure ISP domain test to use RADIUS authorization scheme rd for LAN users and use local authorization as the backup.
  • Page 29 Predefined user roles network-admin Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform authorization. After passing authentication, FTP users can access the root directory of the device, and other login users get the default user role.
  • Page 30: Display Domain

    display domain Use display domain to display the ISP domain configuration. Syntax display domain [ isp-name ] Views Any view Predefined user roles network-admin network-operator Parameters isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters. Usage guidelines If no ISP domain is specified, the command displays the configuration of all ISP domains.
  • Page 31: Domain

    Table 1 Command output
    Field: Description
    Domain: ISP domain name.
    State: Status of the ISP domain.
    Access-limit: Limit to the number of user connections. If the number is not limited, this field displays Disabled.
    Access-Count: Number of online users.
    Default authentication scheme: Default authentication method.
  • Page 32: Domain Default Enable

    Parameters isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain slash (/), back slash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). Usage guidelines All ISP domains are in active state when they are created.
  • Page 33: State (Isp Domain View)

    Usage guidelines There can be only one default ISP domain. The specified ISP domain must already exist. To delete the ISP domain that is used as the default ISP domain, you must change it to a non-default ISP domain first by using the undo domain default enable command. Examples # Create an ISP domain named test, and configure it as the default ISP domain.
  • Page 34: Local User Commands

    Examples # Place the ISP domain test in blocked state. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] state block
    Related commands
    • display domain
    Local user commands authorization-attribute Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user.
  • Page 35: Bind-Attribute

    vlan vlan-id: Specifies the authorized VLAN. The vlan-id argument is in the range of 1 to 4094. After passing authentication and being authorized a VLAN, a local user can access only the resources in this VLAN. work-directory directory-name: Specifies the work directory for FTP, SFTP, or SCP users. The directory-name argument is a case-insensitive string of 1 to 512 characters.
  • Page 36 Syntax bind-attribute { ip ip-address | location port slot-number subslot-number port-number | mac mac-address | vlan vlan-id } * undo bind-attribute { ip | location | mac | vlan } * Default No binding attribute is configured for a local user. Views Local user view Predefined user roles...
  • Page 37: Display Local-User

    display local-user Use display local-user to display the local user configuration and online user statistics. Syntax display local-user [ class { manage | network } | idle-cut { disable | enable } | service-type { ftp | lan-access | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ] Views Any view Predefined user roles...
  • Page 38: Display User-Group

    State: Active
    Service Type: SSH/Telnet/Terminal
    User Group: system
    Bind Attributes:
    Authorization Attributes:
      Work Directory: flash:
      User Role List: network-admin
    Network access user jj:
    State: Active
    Service Type: Lan-access
    User Group: system
    Bind Attributes:
      IP Address: 2.2.2.2
      Location Bound: 3/3/2 (slot/subslot/port)
      MAC Address: 0001-0001-0001
      VLAN ID:...
  • Page 39: Group

    Views Any view Predefined user roles network-admin network-operator Parameters group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines If no user group name is specified, the command displays the configuration of all user groups. Examples # Display the configuration of all user groups.
  • Page 40: Local-User

    Default A local user belongs to the system predefined user group system. Views Local user view Predefined user roles network-admin Parameters group-name: User group name, a case-insensitive string of 1 to 32 characters. Examples # Assign device management user 111 to user group abc. <Sysname>...
  • Page 41: Password

    • network: Network access user, who accesses network resources through the device. Network access users can use the LAN access service.
    all: Specifies all users.
    service-type: Specifies the local users who use a specified type of service.
    • ftp: FTP users.
    • lan-access: LAN users, mainly users accessing the network through an Ethernet, such as 802.1X...
  • Page 42 Default A local user has no password configured. Views Local user view Predefined user roles network-admin Parameters cipher: Sets a ciphertext password. hash: Sets a hashed password. simple: Sets a plaintext password. password: Specifies the password string. This argument is case sensitive. In non-FIPS mode, a cipher password is a string of 1 to 117 characters, a hashed password is a string of 1 to 110 characters, and a plaintext password is a string of 1 to 63 characters.
  • Page 43: Service-Type

    Related commands display local-user service-type Use service-type to specify the service types that a local user can use. Use undo service-type to delete service types configured for a local user. Syntax In non-FIPS mode: service-type { ftp | lan-access | { ssh | telnet | terminal } * } undo service-type { ftp | lan-access | { ssh | telnet | terminal } * } In FIPS mode: service-type { lan-access | { ssh | terminal } * }...
  • Page 44: State (Local User View)

    [Sysname-luser-manage-user1] service-type ftp Related commands display local-user state (local user view) Use state to set the status of a local user. Use undo state to restore the default. Syntax state { active | block } undo state Default A local user is in active state. Views Local user view Predefined user roles...
  • Page 45: Radius Commands

    undo user-group group-name Default There is a user group named system in the system. Views System view Predefined user roles network-admin Parameters group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters. Usage guidelines A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group.
  • Page 46: Data-Flow-Format (Radius Scheme View)

    Predefined user roles network-admin Parameters interval seconds: Specifies the time interval for retransmitting an accounting-on packet in seconds, in the range of 1 to 15. The default setting is 3. send send-times: Specifies the maximum number of accounting-on packet transmission attempts, in the range of 1 to 255.
  • Page 47: Display Radius Scheme

    Predefined user roles network-admin Parameters data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte. packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
  • Page 48
    Examples # Display the configuration of all RADIUS schemes.
    <Sysname> display radius scheme
    Total 1 RADIUS schemes
    ------------------------------------------------------------------
    RADIUS Scheme Name : radius1
    Index : 0
    Primary Auth Server:
      IP: 2.2.2.2   Port: 1812   State: Active
      VPN : vpn1
    Primary Acct Server:
      IP: 1.1.1.1   Port: 1813   State: Active...
  • Page 49: Display Radius Statistics

    Field: Description
    Port: Service port number of the server. If no port number is specified, this field displays the default port number.
    State: Status of the server: active or blocked.
    VPN to which the server belongs. If no VPN is specified for the server, this field displays Not configured.
  • Page 50
    Examples # Display RADIUS packet statistics.
    <Sysname> display radius statistics
                              Auth.    Acct.    SessCtrl.
    Request Packet:
    Retry Packet:
    Timeout Packet:
    Access Challenge:
    Account Start:
    Account Update:
    Account Stop:
    Terminate Request:
    Set Policy:
    Packet With Response:
    Packet Without Response:
    Access Rejects:
    Dropped Packet:
    Check Failures:
    Table 5 Command output Field...
  • Page 51: Key (Radius Scheme View)

    key (RADIUS scheme view) Use key to set the shared key for secure RADIUS communication. Use undo key to restore the default. Syntax key { accounting | authentication } { cipher | simple } string undo key { accounting | authentication } Default No shared key is configured.
  • Page 52: Nas-Ip (Radius Scheme View)

    If no source IP address is specified for outgoing RADIUS packets, packets returned from the server cannot reach the device when a physical port error occurs. HP recommends that you configure a loopback interface address as the source IP address for outgoing RADIUS packets.
  • Page 53: Primary Accounting (Radius Scheme View)

    Examples # Set the source IP address for outgoing RADIUS packets to 10.1.1.1. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] nas-ip 10.1.1.1
    Related commands
    • display radius scheme
    • radius nas-ip
    primary accounting (RADIUS scheme view) Use primary accounting to specify the primary RADIUS accounting server. Use undo primary accounting to remove the configuration.
  • Page 54: Primary Authentication (Radius Scheme View)

    vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary RADIUS accounting server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option. Usage guidelines Make sure the port number and shared key settings of the primary RADIUS accounting server are the same as those configured on the server.
  • Page 55 Syntax primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] * undo primary authentication Default No primary RADIUS authentication server is specified. Views RADIUS scheme view Predefined user roles network-admin Parameters ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication server.
  • Page 56: Radius Nas-Ip

    If you use the primary authentication command to modify or delete the primary authentication server during an authentication process, communication with the primary server times out, and the device looks for an active server with the highest priority for authentication. For security purposes, all shared keys, including shared keys configured in plain text, are saved in cipher text.
  • Page 57: Radius Scheme

    vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IPv4 address belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. To configure a public-network source IPv4 address, do not specify this option. Usage guidelines The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server.
  • Page 58: Radius Session-Control Enable

    Parameters radius-scheme-name: RADIUS scheme name, a case-insensitive string of 1 to 32 characters. Usage guidelines A RADIUS scheme can be referenced by more than one ISP domain at the same time. The device supports at most 16 RADIUS schemes. Examples # Create a RADIUS scheme named radius1 and enter its view.
  • Page 59: Retry

    Syntax reset radius statistics Views User view Predefined user roles network-admin Examples # Clear RADIUS statistics. <Sysname> reset radius statistics Related commands display radius statistics retry Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.
  • Page 60: Retry Realtime-Accounting

    Examples # Set the maximum number of RADIUS packet transmission attempts to 5 for RADIUS scheme radius1. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] retry 5 Related commands: radius scheme, timer response-timeout (RADIUS scheme view). retry realtime-accounting Use retry realtime-accounting to set the maximum number of accounting attempts. Use undo retry realtime-accounting to restore the default.
  • Page 61: Secondary Accounting (Radius Scheme View)

    minutes, and retransmits the request if it sends the request but receives no response within 3 seconds. If the device receives no response after transmitting the request three times, it considers the accounting attempt a failure, and makes another accounting attempt. If five consecutive accounting attempts fail, the device cuts the user connection.
  • Page 62 • cipher string: Sets a ciphertext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 117 characters. In FIPS mode, the key is a string of 15 to 117 characters. •...
  • Page 63: Secondary Authentication (Radius Scheme View)

    [Sysname] radius scheme radius2 [Sysname-radius-radius2] secondary accounting 10.110.1.1 1813 [Sysname-radius-radius2] secondary accounting 10.110.1.2 1813 Related commands: display radius scheme, key (RADIUS scheme view), primary accounting (RADIUS scheme view), vpn-instance (RADIUS scheme view). secondary authentication (RADIUS scheme view) Use secondary authentication to specify a secondary RADIUS authentication server.
  • Page 64 vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS authentication server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option. Usage guidelines Make sure that the port number and shared key settings of each secondary RADIUS authentication server are the same as those configured on the corresponding server.
  • Page 65: Security-Policy-Server

    security-policy-server Use security-policy-server to specify a security policy server. Use undo security-policy-server to remove a security policy server. Syntax security-policy-server { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] undo security-policy-server { { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] | all } Default No security policy server is specified.
  • Page 66: State Secondary

    Default The primary RADIUS server specified for a RADIUS scheme is in active state. Views RADIUS scheme view Predefined user roles network-admin Parameters accounting: Sets the status of the primary RADIUS accounting server. authentication: Sets the status of the primary RADIUS authentication server. active: Specifies the active state, the normal operation state.
  • Page 67 Default Every secondary RADIUS server specified in a RADIUS scheme is in active state. Views RADIUS scheme view Predefined user roles network-admin Parameters accounting: Sets the status of a secondary RADIUS accounting server. authentication: Sets the status of a secondary RADIUS authentication server. ip-address: Specifies the IPv4 address of a secondary RADIUS server.
  • Page 68: Timer Quiet (Radius Scheme View)

    timer quiet (RADIUS scheme view) Use timer quiet to set the quiet timer for the servers specified in a RADIUS scheme. Use undo timer quiet to restore the default. Syntax timer quiet minutes undo timer quiet Default The server quiet period is 5 minutes. Views RADIUS scheme view Predefined user roles...
  • Page 69: Timer Response-Timeout (Radius Scheme View)

    Views RADIUS scheme view Predefined user roles network-admin Parameters minutes: Real-time accounting interval in minutes, in the range of 0 to 60. Usage guidelines When the real-time accounting interval configured on the device is not zero, the device sends online user accounting information to the RADIUS accounting server at the configured interval.
  • Page 70: User-Name-Format (Radius Scheme View)

    Default The RADIUS server response timeout period is 3 seconds. Views RADIUS scheme view Predefined user roles network-admin Parameters seconds: Specifies the RADIUS server response timeout period, in the range of 1 to 10 seconds. Usage guidelines If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request, it resends the request so that the user has more opportunity to obtain the RADIUS service.
  • Page 71: Vpn-Instance (Radius Scheme View)

    Parameters keep-original: Sends the username to the RADIUS server as it is entered. with-domain: Includes the ISP domain name in the username sent to the RADIUS server. without-domain: Excludes the ISP domain name from the username sent to the RADIUS server. Usage guidelines A username is generally in the format userid@isp-name, of which isp-name is used by the device to determine the ISP domain to which a user belongs.
  • Page 72: Hwtacacs Commands

    Usage guidelines The VPN specified here applies to all servers in the RADIUS scheme for which no VPN is specified. Examples # Specify VPN test for RADIUS scheme radius1. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] vpn-instance test Related commands display radius scheme HWTACACS commands data-flow-format (HWTACACS scheme view)
  • Page 73: Display Hwtacacs Scheme

    Examples # In HWTACACS scheme hwt1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte packet kilo-packet Related commands display hwtacacs scheme display hwtacacs scheme Use display hwtacacs scheme to display the configuration or statistics of HWTACACS schemes.
  • Page 74 VPN Instance: 2 Primary Acct Server: : Not Configured Port: 49 State: Block VPN Instance: Not configured VPN Instance NAS IP Address : 2.2.2.3 Server Quiet Period(minutes) Realtime Accounting Interval(minutes) : 12 Response Timeout Interval(seconds) Username Format : with-domain ------------------------------------------------------------------ Table 7 Command output Field Description...
  • Page 75: Hwtacacs Nas-Ip

    hwtacacs nas-ip Use hwtacacs nas-ip to specify a source IP address for outgoing HWTACACS packets. Use undo hwtacacs nas-ip to delete a source IP address for outgoing HWTACACS packets. Syntax hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] undo hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] Default The source IP address of a packet sent to the server is the IP address of the outbound interface.
  • Page 76: Hwtacacs Scheme

    [Sysname] hwtacacs nas-ip 129.10.10.1 Related commands nas-ip (HWTACACS scheme view) hwtacacs scheme Use hwtacacs scheme to create an HWTACACS scheme and enter its view. Use undo hwtacacs scheme to delete an HWTACACS scheme. Syntax hwtacacs scheme hwtacacs-scheme-name undo hwtacacs scheme hwtacacs-scheme-name Default No HWTACACS scheme exists.
  • Page 77 undo key { accounting | authentication | authorization } Default No shared key is configured. Views HWTACACS scheme view Predefined user roles network-admin Parameters accounting: Sets the shared key for secure HWTACACS accounting communication. authentication: Sets the shared key for secure HWTACACS authentication communication. authorization: Sets the shared key for secure HWTACACS authorization communication.
  • Page 78: Nas-Ip (Hwtacacs Scheme View)

    nas-ip (HWTACACS scheme view) Use nas-ip to specify a source address for outgoing HWTACACS packets. Use undo nas-ip to delete a source address for outgoing HWTACACS packets. Syntax nas-ip { ipv4-address | ipv6 ipv6-address } undo nas-ip [ ipv6 ] Default The source IP address of an outgoing HWTACACS packet is that configured by using the hwtacacs nas-ip command in system view.
  • Page 79: Primary Accounting (Hwtacacs Scheme View)

    primary accounting (HWTACACS scheme view) Use primary accounting to specify the primary HWTACACS accounting server. Use undo primary accounting to remove the configuration. Syntax primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] * undo primary accounting Default...
  • Page 80: Primary Authentication (Hwtacacs Scheme View)

    If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme. You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.
  • Page 81 port-number: Specifies the service port number of the primary HWTACACS authentication server, a TCP port number in the range of 1 to 65535. The default setting is 49. key { cipher | simple } string: Sets the shared key for secure communication with the primary HWTACACS authentication server.
  • Page 82: Primary Authorization

    primary authorization Use primary authorization to specify the primary HWTACACS authorization server. Use undo primary authorization to remove the configuration. Syntax primary authorization { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] * undo primary authorization Default No primary HWTACACS authorization server is specified.
  • Page 83: Reset Hwtacacs Statistics

    If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme. You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.
  • Page 84: Secondary Accounting (Hwtacacs Scheme View)

    Related commands display hwtacacs scheme secondary accounting (HWTACACS scheme view) Use secondary accounting to specify a secondary HWTACACS accounting server. Use undo secondary accounting to remove a secondary HWTACACS accounting server. Syntax secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] * undo secondary accounting [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]...
  • Page 85: Secondary Authentication (Hwtacacs Scheme View)

    You can configure up to 16 secondary HWTACACS accounting servers for an HWTACACS scheme. With the configuration, if the primary server fails, the device looks for a secondary server in active state (a secondary HWTACACS accounting server configured earlier has a higher priority) and tries to communicate with it.
  • Page 86 Views HWTACACS scheme view Predefined user roles network-admin Parameters ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authentication server. ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS authentication server. port-number: Specifies the service port number of the secondary HWTACACS authentication server, a TCP port number in the range of 1 to 65535.
  • Page 87: Secondary Authorization

    Examples # Specify a secondary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key abc for HWTACACS scheme hwt1 <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49 key simple abc Related commands •...
  • Page 88 • simple string: Sets a plaintext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 255 characters. In FIPS mode, the key is a string of 15 to 255 characters and must contain numbers, uppercase letters, lowercase letters, and special characters.
  • Page 89: Timer Quiet (Hwtacacs Scheme View)

    timer quiet (HWTACACS scheme view) Use timer quiet to set the quiet timer for the servers specified in an HWTACACS scheme. Use undo timer quiet to restore the default. Syntax timer quiet minutes undo timer quiet Default The server quiet period is 5 minutes. Views HWTACACS scheme view Predefined user roles...
  • Page 90: Timer Response-Timeout (Hwtacacs Scheme View)

    Parameters minutes: Real-time accounting interval in minutes, in the range of 0 to 60. Setting this interval to 0 disables the device from sending online user accounting information to the HWTACACS accounting server. Usage guidelines For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically.
  • Page 91: User-Name-Format (Hwtacacs Scheme View)

    Predefined user roles network-admin Parameters seconds: Specifies the HWTACACS server response timeout period, in the range of 1 to 300 seconds. Usage guidelines HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer expires, the device is disconnected from the HWTACACS server.
  • Page 92: Vpn-Instance (Hwtacacs Scheme View)

    name to such an HWTACACS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username to be sent to an HWTACACS server. If an HWTACACS scheme defines that the username is sent without the ISP domain name, do not apply the HWTACACS scheme to more than one ISP domain.
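The two user-name-format commands (RADIUS scheme view above, HWTACACS scheme view here) and the caveat about applying a without-domain scheme to more than one ISP domain are easiest to reason about with the name transformation written out. The following Python is an added example for this page, not code from the HP documentation or from the switch: it derives the ISP domain from a login name the way the page describes (userid@isp-name, default domain when no "@" is present), produces the username each format setting would send, and checks a set of logins for the collision the caveat warns about. The login names, domain names and the assumption that the domain is whatever follows the last "@" are this example's.

```python
"""Added example (not from the HP manual): how the ISP domain is derived from
a login name, what each user-name-format setting sends to the RADIUS or
HWTACACS server, and a check for the caveat on this page: a scheme set to
without-domain that serves more than one ISP domain maps distinct users onto
one server-side account. Login names and domain names are constructed."""
from typing import Dict, List, Tuple

KEEP_ORIGINAL, WITH_DOMAIN, WITHOUT_DOMAIN = "keep-original", "with-domain", "without-domain"


def split_login(login: str, default_domain: str) -> Tuple[str, str]:
    """userid@isp-name -> (userid, isp-name). A name with no '@' belongs to the
    default ISP domain (domain default enable). Assumption for this example:
    the domain is whatever follows the last '@'."""
    userid, sep, domain = login.rpartition("@")
    if not sep:
        return login, default_domain
    if not userid or not domain:
        raise ValueError("empty userid or domain in %r" % login)
    return userid, domain


def server_username(login: str, default_domain: str, fmt: str) -> str:
    """The User-Name the scheme places in the request."""
    userid, domain = split_login(login, default_domain)
    if fmt == KEEP_ORIGINAL:
        return login                       # exactly as typed, '@' or not
    if fmt == WITH_DOMAIN:
        return "%s@%s" % (userid, domain)  # the default domain is made explicit
    if fmt == WITHOUT_DOMAIN:
        return userid
    raise ValueError("unknown user-name-format %r" % fmt)


def username_collisions(logins: List[str], default_domain: str, fmt: str,
                        domains_using_scheme: List[str]) -> Dict[str, List[str]]:
    """Among users of the ISP domains that reference one scheme, group logins by
    the name the server will see; any group larger than one means two different
    users authenticate against the same server-side account."""
    by_server_name: Dict[str, List[str]] = {}
    for login in logins:
        _, domain = split_login(login, default_domain)
        if domain not in domains_using_scheme:
            continue
        by_server_name.setdefault(server_username(login, default_domain, fmt), []).append(login)
    return {name: users for name, users in by_server_name.items() if len(users) > 1}


if __name__ == "__main__":
    users = ["alice@corp", "alice@guest", "bob@corp", "carol"]
    for fmt in (KEEP_ORIGINAL, WITH_DOMAIN, WITHOUT_DOMAIN):
        print(fmt, [server_username(u, "system", fmt) for u in users])
    # Scheme radius1 referenced by both corp and guest, set to without-domain:
    print(username_collisions(users, "system", WITHOUT_DOMAIN, ["corp", "guest"]))
    # -> {'alice': ['alice@corp', 'alice@guest']}
```

The collision check is the configuration review step: run it over the domains that reference a scheme before choosing without-domain, and if it reports any group, either give each domain its own scheme or keep the domain in the username and strip it on the server instead.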
  • Page 93: Ldap Commands

    Related commands display hwtacacs scheme LDAP commands authentication-server Use authentication-server to specify the LDAP authentication server for an LDAP scheme. Use undo authentication-server to remove the LDAP authentication server. Syntax authentication-server server-name undo authentication-server server-name Default No LDAP authentication server is specified. Views LDAP scheme view Predefined user roles...
  • Page 94 Syntax display ldap scheme [ scheme-name ] Views Any view Predefined user roles network-admin network-operator Parameters scheme-name: LDAP scheme name, a case-insensitive string of 1 to 32 characters. Usage guidelines If no LDAP scheme name is specified, the command displays the configuration of all LDAP schemes. Examples # Display the configuration of all LDAP schemes.
  • Page 95 Field Description VPN to which the LDAP server belongs. If no VPN is specified, this field VPN Instance displays Not configured. LDAP Protocol Version LDAP version, LDAPv2 or LDAPv3. Server Timeout Interval LDAP server timeout period, in seconds. Login Account DN DN of the administrator.
  • Page 96: Ipv6

    Usage guidelines The LDAP service port configured on the device must be consistent with that of the LDAP server. If you change the IP address and port number of the LDAP authentication server, the change is effective only for LDAP authentication that occurs after your change. Examples # Specify the IP address and port number of the LDAP authentication server as 192.168.0.10 and 4300.
  • Page 97: Ldap Scheme

    Examples # Specify the IP address and port number of the LDAP authentication server as 192.168.0.10 and 4300. <Sysname> system-view [Sysname] ldap server ccc [Sysname-ldap-server-ccc] ip 192.168.0.10 port 4300 Related commands ldap server ldap scheme Use ldap scheme to create an LDAP scheme and enter its view. Use undo ldap scheme to delete an LDAP scheme.
  • Page 98: Login-Dn

    Use undo ldap server to delete an LDAP server. Syntax ldap server server-name undo ldap server server-name Default No LDAP server exists. Views System view Predefined user roles network-admin Parameters server-name: LDAP server name, a case-insensitive string of 1 to 64 characters. Examples # Create an LDAP server ccc and enter its view.
  • Page 99: Login-Password

    Usage guidelines The administrator DN specified on the device must be consistent with that configured on the LDAP server. If you change the administrator DN, the change is effective only for LDAP authentication that occurs after your change. Examples # Specify the administrator DN as uid=test, ou=people, o=example, c=city. <Sysname>...
  • Page 100: Protocol-Version

    Examples # Configure the administrator password to abcdefg in plain text. <Sysname> system-view [Sysname] ldap server ccc [Sysname-ldap-server-ccc] login-password simple abcdefg Related commands: display ldap scheme, login-dn. protocol-version Use protocol-version to specify the LDAP version. Use undo protocol-version to restore the default. Syntax protocol-version { v2 | v3 } undo protocol-version...
  • Page 101: Search-Base-Dn

    Related commands display ldap scheme search-base-dn Use search-base-dn to specify the base DN for user search. Use undo search-base-dn to restore the default. Syntax search-base-dn base-dn undo search-base-dn Default No base DN is specified for user search. Views LDAP server view Predefined user roles network-admin Parameters...
  • Page 102: Server-Timeout

    Views LDAP server view Predefined user roles network-admin Parameters all-level: Specifies that the search goes through all sub-directories of the base DN. single-level: Specifies that the search goes through only the next lower level of sub-directories under the base DN. Examples # Specify the search scope for the LDAP authentication as all sub-directories of the base DN.
  • Page 103: User-Parameters

    Examples # Set the LDAP server timeout period to 15 seconds. <Sysname> system-view [Sysname] ldap server ccc [Sysname-ldap-server-ccc] server-timeout 15 Related commands display ldap scheme user-parameters Use user-parameters to configure LDAP user attributes, including the username attribute, username format, and user object class. Use undo user-parameters to restore the default.
  • Page 104 Examples # Set the user object class to person. <Sysname> system-view [Sysname] ldap server ccc [Sysname-ldap-server-ccc] user-parameters user-object-class person Related commands: display ldap scheme, login-dn, ...
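The login-dn, search-base-dn, search-scope and user-parameters settings on the preceding pages together define one LDAP search: bind with the administrator DN, look under the base DN (one level or the whole subtree) for an entry of the configured object class whose username attribute equals the login name, then bind as the DN found. The following Python is an added example for this page, not code from the HP documentation or from the switch: it builds that search filter with the RFC 4515 escaping a NAS must apply (so a login name such as "*" or "a)(uid=*" cannot widen the search), implements the two scope settings over DNs, and evaluates the search against a small in-memory directory constructed for the example. No LDAP server is contacted; the directory entries and function names are this example's.

```python
"""Added example (not from the HP manual): the user lookup an LDAP scheme
performs, built from the page's search-base-dn, search-scope and
user-parameters settings, with the value escaping (RFC 4515) a NAS must apply
so that a login name such as `*` or `a)(uid=*` cannot widen the search.
The directory below is constructed for the example; no LDAP server is contacted."""
from typing import Dict, List

SCOPE_SINGLE, SCOPE_ALL = "single-level", "all-level"


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: '*', '(', ')', '\\' and NUL become \\xx hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def user_search_filter(user_object_class: str, user_name_attribute: str, userid: str) -> str:
    """Filter sent after the administrator bind with login-dn / login-password."""
    return "(&(objectClass=%s)(%s=%s))" % (escape_filter_value(user_object_class),
                                          user_name_attribute,
                                          escape_filter_value(userid))


def _rdns(dn: str) -> List[str]:
    """Split a DN into RDNs on unescaped commas (sufficient for the DNs used here)."""
    parts, cur, escaped = [], "", False
    for c in dn:
        if escaped:
            cur, escaped = cur + c, False
        elif c == "\\":
            cur, escaped = cur + c, True
        elif c == ",":
            parts.append(cur.strip())
            cur = ""
        else:
            cur += c
    parts.append(cur.strip())
    return parts


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """single-level: exactly one RDN below the base; all-level: any depth below it.
    The base entry itself is excluded, matching the page's wording 'sub-directories'."""
    entry, base = _rdns(entry_dn), _rdns(base_dn)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False
    return scope == SCOPE_ALL or len(entry) == len(base) + 1


def find_user_dns(directory: Dict[str, Dict[str, List[str]]], base_dn: str, scope: str,
                  user_object_class: str, user_name_attribute: str, userid: str) -> List[str]:
    """Evaluate the search against an in-memory directory (exact value match, as
    the escaped filter would match on a real server). The NAS then binds as the
    single DN returned; zero hits is a failed login, more than one hit means the
    base DN or scope is wrong."""
    hits = []
    for dn, attrs in directory.items():
        if (in_scope(dn, base_dn, scope)
                and user_object_class in attrs.get("objectClass", [])
                and userid in attrs.get(user_name_attribute, [])):
            hits.append(dn)
    return hits


# Constructed directory for the example.
DIRECTORY = {
    "uid=alice,ou=people,o=example,c=city": {"objectClass": ["person"], "uid": ["alice"]},
    "uid=bob,ou=contractors,ou=people,o=example,c=city": {"objectClass": ["person"], "uid": ["bob"]},
    "cn=printer1,ou=devices,o=example,c=city": {"objectClass": ["device"], "cn": ["printer1"]},
}

if __name__ == "__main__":
    base = "ou=people,o=example,c=city"
    print(user_search_filter("person", "uid", "alice"))
    print(user_search_filter("person", "uid", "*)(uid=*"))  # wildcards neutralised
    print(find_user_dns(DIRECTORY, base, SCOPE_SINGLE, "person", "uid", "alice"))
    print(find_user_dns(DIRECTORY, base, SCOPE_SINGLE, "person", "uid", "bob"))  # []: one level too deep
    print(find_user_dns(DIRECTORY, base, SCOPE_ALL, "person", "uid", "bob"))
```

The single-level versus all-level difference is exactly the "bob" case: with single-level, users kept in a sub-OU under the base DN are never found and their logins fail even though their passwords are right, so choose the scope to match the directory layout rather than widening the base DN.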
  • Page 105: 802.1X Commands

    802.1X commands display dot1x Use display dot1x to display information about 802.1X. Syntax display dot1x [ sessions | statistics ] [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator Parameters sessions: Displays 802.1X session information. statistics: Displays 802.1X statistics. interface interface-type interface-number: Specifies an interface by its type and number.
  • Page 106 The port is an authenticator Authentication mode is Auto Port access control type is MAC-based 802.1X multicast-trigger is enabled Mandatory authentication domain: Not configured Max online users is 256 EAPOL Packets: Tx 1087, Rx 986 Sent EAP Request/Identity Packets : 943 EAP Request/Challenge Packets: 60 EAP Success Packets: 29, Fail Packets: 55 Received EAPOL Start Packets : 60...
  • Page 107: Dot1X

    Field Description 802.1X unicast-trigger is enabled: Whether unicast trigger is enabled on the port. Periodic reauthentication is disabled: Whether periodic online user re-authentication is enabled on the port. The port is an authenticator: Role of the port. Authentication mode is Auto: Authorization state of the port, which can be Force-Authorized, Auto, or Force-Unauthorized.
  • Page 108: Dot1X Authentication-Method

    Predefined user roles network-admin Usage guidelines 802.1X must be enabled both globally and on the intended port. Otherwise, it does not function. Examples # Enable 802.1X globally. <Sysname> system-view [Sysname] dot1x # Enable 802.1X on Ten-GigabitEthernet 1/0/1. [Sysname] interface ten-gigabitethernet 1/0/1 [Sysname-Ten-GigabitEthernet1/0/1] dot1x [Sysname-Ten-GigabitEthernet1/0/1] quit Related commands...
  • Page 109: Dot1X Handshake

    PAP transports usernames and passwords in plain text. The authentication method applies to scenarios that do not require high security. To use PAP, the client can be an HP iNode 802.1X client. CHAP transports the username in plaintext and, instead of the password itself, an MD5 response computed from the password and a server challenge. It is more secure than PAP.
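What "more secure than PAP" does and does not cover is worth seeing in code. The following Python is an added example for this page, not code from the HP documentation or from the switch: it shows what PAP puts on the wire, computes and verifies a CHAP response as RFC 1994 defines it (MD5 over identifier, password and challenge), shows that a captured response cannot be replayed against a fresh challenge, and then shows the caveat: an eavesdropper who captured one challenge/response pair can test candidate passwords offline with one MD5 each. The passwords, challenge and word list are constructed for the example.

```python
"""Added example (not from the HP manual): what PAP and CHAP actually put on
the wire, per RFC 1334 (PAP) and RFC 1994 (CHAP), and the limit of CHAP's
advantage. Passwords, challenge and word list are constructed for the example."""
import hashlib
import hmac
import os
from typing import Iterable, Optional


def pap_credentials(username: str, password: str) -> dict:
    """PAP: the password itself is transmitted; whoever captures the exchange
    has it (the NAS forwards it in a RADIUS User-Password, hidden only by the
    NAS/server shared key)."""
    return {"User-Name": username, "User-Password": password}


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || password || Challenge).
    The password never leaves the client; only this 16-byte digest does."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(ident: int, stored_password: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute with the stored (plaintext-equivalent) password
    and compare in constant time."""
    return hmac.compare_digest(chap_response(ident, stored_password, challenge), response)


def replay_succeeds(ident: int, captured_response: bytes, stored_password: bytes) -> bool:
    """A response captured from one session, replayed against a fresh challenge:
    the digest is bound to the challenge the server chose, so this fails."""
    fresh_challenge = os.urandom(16)
    return chap_verify(ident, stored_password, fresh_challenge, captured_response)


def offline_guess(ident: int, challenge: bytes, response: bytes,
                  wordlist: Iterable[bytes]) -> Optional[bytes]:
    """An eavesdropper who captured challenge + response needs no further
    interaction with the server: each candidate password costs one MD5.
    This is the caveat behind "more secure than PAP": CHAP resists passive
    password disclosure, not offline guessing of weak passwords."""
    for candidate in wordlist:
        if hmac.compare_digest(chap_response(ident, candidate, challenge), response):
            return candidate
    return None


if __name__ == "__main__":
    challenge = os.urandom(16)
    resp = chap_response(42, b"s3cret", challenge)
    print("server accepts :", chap_verify(42, b"s3cret", challenge, resp))     # True
    print("replay accepted:", replay_succeeds(42, resp, b"s3cret"))            # False
    print("offline guess  :", offline_guess(42, challenge, resp, [b"letmein", b"s3cret"]))  # b's3cret'
```

Two practical consequences follow: CHAP requires the server to hold the password in a reversible or plaintext form (the digest cannot be computed from a one-way hash of the password), and password strength still matters on a CHAP network because the capture is an offline-crackable artifact. Where the client supports it, EAP relay with a TLS-based method avoids both issues.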
  • Page 110: Dot1X Mandatory-Domain

    Predefined user roles network-admin Usage guidelines The online user handshake function enables the device to periodically (set with the dot1x timer handshake-period command) send handshake messages to the client to verify the connectivity status of online 802.1X users. If no response is received from an online user after the maximum number of handshake attempts (set by the dot1x retry command) has been made, the network access device sets the user in the offline state.
  • Page 111: Dot1X Max-User

    Examples # Configure the mandatory authentication domain my-domain for 802.1X users on Ten-GigabitEthernet 1/0/1. <Sysname> system-view [Sysname] interface ten-gigabitethernet 1/0/1 [Sysname-Ten-GigabitEthernet1/0/1] dot1x mandatory-domain my-domain Related commands display dot1x dot1x max-user Use dot1x max-user to set the maximum number of concurrent 802.1X users on a port. Use undo dot1x max-user to restore the default.
  • Page 112: Dot1X Multicast-Trigger

    dot1x multicast-trigger Use dot1x multicast-trigger to enable the 802.1X multicast trigger function. Use undo dot1x multicast-trigger to disable the function. Syntax dot1x multicast-trigger undo dot1x multicast-trigger Default The multicast trigger function is enabled. Views Ethernet interface view Predefined user roles network-admin Usage guidelines The multicast trigger function enables the device to act as the initiator and periodically multicast EAP-Request/Identity...
  • Page 113: Dot1X Port-Method

    Views Ethernet interface view Predefined user roles network-admin Parameters authorized-force: Places the port in the authorized state, enabling users on the port to access the network without authentication. auto: Places the port initially in the unauthorized state to allow only EAPOL packets to pass, and after a user passes authentication, sets the port in the authorized state to allow access to the network.
  • Page 114: Dot1X Quiet-Period

    Parameters macbased: Uses MAC-based access control on the port to separately authenticate each user attempting to access the network. By using this method, when an authenticated user logs off, no other online users are affected. portbased: Uses port-based access control on the port. By using this method, once an 802.1X user passes authentication on the port, any subsequent user can access the network through the port without authentication.
  • Page 115: Dot1X Re-Authenticate

    Related commands: display dot1x, dot1x timer. dot1x re-authenticate Use dot1x re-authenticate to enable the periodic online user re-authentication function. Use undo dot1x re-authenticate to disable the function. Syntax dot1x re-authenticate undo dot1x re-authenticate Default The periodic online user re-authentication function is disabled. Views Ethernet interface view Predefined user roles...
  • Page 116: Dot1X Timer

    Syntax dot1x retry max-retry-value undo dot1x retry Default The maximum number of attempts that the device can send an authentication request to a client is two. Views System view Predefined user roles network-admin Parameters max-retry-value: Specifies the maximum number of attempts for sending an authentication request to a client.
  • Page 117 Default The handshake timer is 15 seconds, the quiet timer is 60 seconds, the periodic re-authentication timer is 3600 seconds, the server timeout timer is 100 seconds, the client timeout timer is 30 seconds, and the username request timeout timer is 30 seconds. Views System view Predefined user roles...
  • Page 118: Dot1X Unicast-Trigger

    • Client timeout timer (supp-timeout)—Starts when the access device sends an EAP-Request/MD5 Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client. Username request timeout timer (tx-period)—Starts when the device sends an EAP-Request/Identity •...
  • Page 119: Reset Dot1X Statistics

    [Sysname-Ten-GigabitEthernet1/0/1] dot1x unicast-trigger Related commands: display dot1x, dot1x multicast-trigger, dot1x retry, dot1x timer. reset dot1x statistics Use reset dot1x statistics to clear 802.1X statistics. Syntax reset dot1x statistics [ interface interface-type interface-number ] Views User view Predefined user roles network-admin Parameters...
  • Page 120: Mac Authentication Commands

    MAC authentication commands display mac-authentication Use display mac-authentication to display MAC authentication settings and statistics, including the global settings, port-specific settings, MAC authentication statistics, and online user statistics. Syntax display mac-authentication [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator Parameters...
  • Page 121 Current number of online users is 1 Current authentication domain: Not configured Authentication attempts: successful 1, failed 0 MAC Addr Auth state 00e0-fc12-3456 authenticated Table 11 Command output Field Description MAC authentication is enabled Indicates whether MAC authentication is enabled globally. User account type: MAC-based or shared.
  • Page 122: Mac-Authentication

    Field Description Authentication attempts: successful 1, failed 0: MAC authentication statistics, including the number of successful and unsuccessful authentication attempts. MAC Addr: MAC address of the online user. Auth state: User status: • authenticated—The user has passed MAC authentication. • unauthenticated—The user failed MAC authentication.
  • Page 123: Mac-Authentication Max-User

    Use undo mac-authentication domain to restore the default. Syntax mac-authentication domain domain-name undo mac-authentication domain Default No authentication domain is specified for MAC authentication users. The system default authentication domain is used. For more information about the default authentication domain, see the domain default enable command in "AAA commands."...
  • Page 124: Mac-Authentication Timer

    Syntax mac-authentication max-user user-number undo mac-authentication max-user Default The maximum number of concurrent MAC authentication users on a port is 256. Views Ethernet interface view Predefined user roles network-admin Parameters user-number: Sets the maximum number of concurrent MAC authentication users on the port. The value range is 1 to 256.
  • Page 125: Mac-Authentication User-Name-Format

    Parameters offline-detect offline-detect-value: Sets the offline detect timer in the range of 60 to 65535, in seconds. quiet quiet-value: Sets the quiet timer in the range of 1 to 3600, in seconds. server-timeout server-timeout-value: Sets the server timeout timer in the range of 100 to 300, in seconds. Usage guidelines MAC authentication uses the following timers: Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards...
  • Page 126 Predefined user roles network-admin Parameters fixed: Uses a shared account for all MAC authentication users. account name: Specifies the username for the shared account. The name takes a case-insensitive string of 1 to 55 characters excluding the at signs (@). If no username is specified, the default name mac applies.
  • Page 127: Reset Mac-Authentication Statistics

    [Sysname] mac-authentication user-name-format mac-address with-hyphen uppercase Related commands display mac-authentication reset mac-authentication statistics Use reset mac-authentication statistics to clear MAC authentication statistics. Syntax reset mac-authentication statistics [ interface interface-type interface-number ] Views User view Predefined user roles network-admin Parameters interface interface-type interface-number: Specifies a port by its type and number. Usage guidelines If no port is specified, the command clears all global and port-specific MAC authentication statistics.
  • Page 128: Port Security Commands

    Port security commands display port-security Use display port-security to display port security configuration, operation information, and statistics for one or more ports. Syntax display port-security [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator Parameters interface interface-type interface-number: Specifies a port by its type and number. Usage guidelines If no port is specified, this command displays port security information for all ports.
  • Page 129 Max number of secure MAC addresses: Not configured Current number of secure MAC addresses: 0 Authorization is permitted Table 12 Command output Field Description AutoLearn aging time Sticky MAC address aging timer, in minutes. Disableport Timeout Silence period (in seconds) of the port that receives illegal packets. OUI value List of OUI values allowed for authentication.
  • Page 130: Display Port-Security Mac-Address Block

    Field Description Authorization: Indicates whether the authorization information from the authentication server (RADIUS server or local device) is ignored: • permitted—Authorization information from the authentication server takes effect. • ignored—Authorization information from the authentication server does not take effect. display port-security mac-address block Use display port-security mac-address block to display information about blocked MAC addresses.
  • Page 131 000f-3d80-0d2d Ten-GigabitEthernet 1/0/1 --- On slot 1, 1 MAC address(es) found --- --- 1 mac address(es) found --- # Display the count of all blocked MAC addresses. <Sysname> display port-security mac-address block count --- 2 mac address(es) found --- # (IRF devices) Display the count of all blocked MAC addresses. <Sysname>...
  • Page 132: Display Port-Security Mac-Address Security

    000f-3d80-0d2d Ten-GigabitEthernet 1/0/1 --- On slot 1, 1 MAC address(es) found --- --- 1 mac address(es) found --- # Display information about all blocked MAC addresses of port Ten-GigabitEthernet 1/0/1 in VLAN 1. <Sysname> display port-security mac-address block interface ten-gigabitethernet 1/0/1 vlan 1 MAC ADDR Port...
  • Page 133 Predefined user roles network-admin network-operator Parameters interface interface-type interface-number: Specifies a port by its type and number. vlan vlan-id: Specifies a VLAN by its ID in the range of 1 to 4094. count: Displays only the count of the secure MAC addresses. Usage guidelines With no parameter specified, the command displays information about all secure MAC addresses.
  • Page 134: Port-Security Authorization Ignore

    MAC ADDR VLAN ID STATE PORT INDEX AGING TIME 000d-88f8-0577 1 Security Ten-GigabitEthernet 1/0/1 NOAGED 1 mac address(es) found Table 14 Command output Field Description MAC ADDR Secure MAC address. VLAN ID ID of the VLAN to which the port belongs. Type of the MAC address added.
  • Page 135: Port-Security Enable

    not want the port to use such authorization attribute for users, you can use this command to ignore the authorization information received from the server. Examples # Configure port Ten-GigabitEthernet 1/0/1 to ignore the authorization information from the authentication server. <Sysname>...
  • Page 136: Port-Security Intrusion-Mode

    • dot1x port-control dot1x port-method • mac-authentication • port-security intrusion-mode Use port-security intrusion-mode to configure the intrusion protection feature so the port takes the predefined actions when intrusion protection detects illegal frames on the port. Use undo port-security intrusion-mode to restore the default. Syntax port-security intrusion-mode { blockmac | disableport | disableport-temporarily } undo port-security intrusion-mode...
  • Page 137: Port-Security Mac-Address Security

    Related commands display port-security • display port-security mac-address block • port-security timer disableport • port-security mac-address security Use port-security mac-address security to add a secure MAC address. Use undo port-security mac-address security to remove a secure MAC address. Syntax In Ethernet interface view: port-security mac-address security [ sticky ] mac-address vlan vlan-id undo port-security mac-address security [ sticky ] mac-address vlan vlan-id In system view:...
  • Page 138 You can add important or frequently used MAC addresses as sticky or static secure MAC addresses to avoid the secure MAC address limit causing authentication failure. To successfully add secure MAC addresses on a port, first complete the following tasks: Enable port security on the port.
  • Page 139: Port-Security Max-Mac-Count

    port-security max-mac-count Use port-security max-mac-count to set the maximum number of secure MAC addresses that port security allows on a port. Use undo port-security max-mac-count to restore the default. Syntax port-security max-mac-count count-value undo port-security max-mac-count Default Port security has no limit on the number of secure MAC addresses on a port. Views Ethernet interface view Predefined user roles...
  • Page 140: Port-Security Oui

    Use undo port-security ntk-mode to restore the default. Syntax port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly } undo port-security ntk-mode Default NTK is disabled on a port and all frames are allowed to be sent. Views Ethernet interface view Predefined user roles network-admin Parameters...
  • Page 141: Port-Security Port-Mode

    Default No OUI value is configured. Views System view Predefined user roles network-admin Parameters index-value: Specifies the OUI index, in the range of 1 to 16. oui-value: Specifies an OUI string, a 48-bit MAC address in the H-H-H format. The system uses only the 24 high-order bits as the OUI value.
  • Page 142 Views Interface view Predefined user roles network-admin Parameters Keyword Security mode Description A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC address but to the secure MAC address table as secure MAC addresses.
  • Page 143 Keyword Security mode Description userlogin-secure (userLoginSecure): In this mode, a port performs 802.1X authentication and implements MAC-based access control. It services only one user passing 802.1X authentication. userlogin-secure-ext (userLoginSecureExt): Same as the userLoginSecure mode, except that this mode supports multiple online 802.1X users. This mode is the combination of the userLoginSecure and macAddressWithRadius modes.
  • Page 144: Port-Security Timer Autolearn Aging

    Related commands display port-security • port-security max-mac-count • port-security timer autolearn aging Use port-security timer autolearn aging to set the secure MAC aging timer. Use undo port-security timer autolearn aging to restore the default. Syntax port-security timer autolearn aging time-value undo port-security timer autolearn aging Default Secure MAC addresses do not age out.
  • Page 145 Syntax port-security timer disableport time-value undo port-security timer disableport Default The port silence period is 20 seconds. Views System view Predefined user roles network-admin Parameters time-value: Specifies the silence period in seconds during which the port remains disabled. The value is in the range of 20 to 300.
  • Page 146: Password Control Commands

    Password control commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display password-control Use display password-control to display password control configuration.
  • Page 147: Display Password-Control Blacklist

    Super password control configurations: Password aging: Enabled (90 days) Password length: Enabled (10 characters) Password composition: Enabled (1 types, 1 characters per type) Table 15 Command output Field Description Password control: Whether the password control feature is enabled. Password aging: Whether password expiration is enabled and, if enabled, the expiration time.
  • Page 148: Password-Control { Aging | Composition | History | Length } Enable

    network-operator Parameters user-name name: Specifies a user by its name, a case-sensitive string of 1 to 55 characters. ip ipv4-address: Specifies the IPv4 address of a user. ipv6 ipv6-address: Specifies the IPv6 address of a user. Usage guidelines With no arguments provided, this command displays information about all users in the password control blacklist.
  • Page 149 Syntax password-control { aging | composition | history | length } enable undo password-control { aging | composition | history | length } enable Default The password control functions (aging, composition, history, and length) are all enabled. Views System view Predefined user roles network-admin Parameters...
  • Page 150: Password-Control Aging

    password-control aging Use password-control aging to set the password expiration time. Use undo password-control aging to restore the default. Syntax password-control aging aging-time undo password-control aging Default The global password expiration time is 90 days, the password expiration time of a user group equals the global setting, and the password expiration time of a local user equals that of the user group to which the local user belongs.
  • Page 151: Password-Control Alert-Before-Expire

    Related commands display password-control • password-control aging enable • password-control alert-before-expire Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration. Use undo password-control alert-before-expire to restore the default. Syntax password-control alert-before-expire alert-time undo password-control alert-before-expire...
  • Page 152: Password-Control Composition

    Syntax password-control complexity { same-character | user-name } check undo password-control complexity { same-character | user-name } check Default Both username checking and repeated character checking are disabled. Views System view Predefined user roles network-admin Parameters same-character: Refuses a password that contains any character repeated consecutively three or more times.
  • Page 153 In FIPS mode, the global password composition policy is as follows: A password must contain four types of characters from uppercase letters, lowercase letters, digits, and special characters, and each type must contain at least one character. In both non-FIPS and FIPS modes, the password composition policy of a user group is the same as the global policy, and the password composition policy of a local user is the same as that of the user group to which the local user belongs.
  • Page 154: Password-Control Enable

    # Specify that the password of device management user abc must contain at least three types of characters and each type must contain at least five characters. [Sysname] local-user abc class manage [Sysname-luser-manage-abc] password-control composition type-number 3 type-length 5 Related commands display password-control •...
  • Page 155: Password-Control History

    Syntax password-control expired-user-login delay delay times times undo password-control expired-user-login Default A user can log in three times within 30 days after the password expires. Views System view Predefined user roles network-admin Parameters delay delay: Sets the maximum number of days during which a user can log in using an expired password.
  • Page 156: Password-Control Length

    Predefined user roles network-admin Parameters max-record-num: Specifies the maximum number of history password records for each user. The value range is 2 to 15. Usage guidelines When the number of history password records reaches the set maximum number, the subsequent history record overwrites the earliest one.
  • Page 157: Password-Control Login Idle-Time

    Parameters length: Specifies the minimum password length in characters. The value range for this argument is 4 to 32 in non-FIPS mode, and 15 to 32 in FIPS mode. Usage guidelines Before you execute this command, make sure the global password control feature and the minimum length function are enabled.
  • Page 158: Password-Control Login-Attempt

    Default The maximum account idle time is 90 days. Views System view Predefined user roles network-admin Parameters idle-time: Specifies the maximum account idle time in days, in the range of 0 to 365. 0 means no restriction for account idle time. Usage guidelines If a user has not been logged in within the specified idle time since the last successful login, the user account becomes invalid.
  • Page 159 exceed: Specifies the action to be taken when a user fails to log in after the specified number of attempts. lock: Permanently prohibits a user who fails to log in after the specified number of attempts from logging in. lock-time time: Forces a user who fails to log in after the specified number of attempts to wait for a period of time before trying again.
  • Page 160: Password-Control Super Aging

    Username: test IP: 192.168.44.1 Login failures: 2 Lock flag: lock Blacklist items matched: 1. After 3 minutes, the user is removed from the password control blacklist and can log in again. Related commands display password-control • display password-control blacklist • reset password-control blacklist •...
  • Page 161: Password-Control Super Length

    Use undo password-control super composition to restore the default. Syntax password-control super composition type-number type-number [ type-length type-length ] undo password-control super composition Default In non-FIPS mode, the super password composition policy is as follows: A super password must contain at least one type of characters from uppercase letters, lowercase letters, digits, or special characters (see Security Configuration Guide), and each type must contain at least one character.
  • Page 162: Password-Control Update-Interval

    Syntax password-control super length length undo password-control super length Default In non-FIPS mode, the minimum super password length is 10 characters. In FIPS mode, the minimum super password length is 15 characters. Views System view Predefined user roles network-admin Parameters length: Specifies the minimum length of super passwords in characters.
  • Page 163: Reset Password-Control Blacklist

    Parameters interval: Specifies the minimum password update interval in hours, in the range of 0 to 168. 0 means no requirement for the password update interval. Usage guidelines The set minimum interval is not effective on a user who is prompted to change the password at the first login or after the password expires.
  • Page 164: Reset Password-Control History-Record

    reset password-control history-record Use reset password-control history-record to delete history password records. Syntax reset password-control history-record [ super [ role role name ] | user-name name ] Views User view Predefined user roles network-admin Parameters super: Deletes the history records of a specified super password or all super passwords. role role name: Specifies a user role, in the range of 1 to 63.
  • Page 165: Public Key Management Commands

    Public key management commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display public-key local public Use display public-key local public to display local public keys.
  • Page 166 C1BA2B75020077C74745C933E2F390DC0B39D35B88283D700A163BB309B19F8F87216A44AB FBF6A3D64DEB33E5CEBF2BCF26296778A26A84F4F4C5DBF8B656ACFA62CD96863474899BC1 2DA4C04EF5AE0835090203010001 ============================================= Key name: serverkey (default) Key type: RSA Time when key pair created: 15:40:48 2012/06/12 Key code: 307C300D06092A864886F70D0101010500036B003068026100CAB4CACCA16442AD5F453442 762F03897E0D494FEDE69224F5C051A441D290976733A278C9F0C0F5A198E66143EAB54A64 DB608269CAE844B1E7CC64AD7E808972E7CF887F3B657F056E7930FC84FBF1AD83A01CC47E 9D85C13413996ECD093B0203010001 ============================================= Key name: rsa1 Key type: RSA Time when key pair created: 15:42:26 2012/06/12 Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100DEBC46F217DDF11D 426E7095AA45CD6BF1F87343D952569AC223A01365E0D8C91D49D347C143C5D8FAADA896AA 1A827E580F2502F1926F52197230E1DE391A64015C43DD79DC4E9E171BAEA1DEB4C71DAED7...
  • Page # Display all local ECDSA public keys. <Sysname> display public-key local ecdsa public ============================================= Key name: ecdsakey (default) Key type: ECDSA Time when key pair created: 15:42:04 2012/06/12 Key code: 3049301306072A8648CE3D020106082A8648CE3D03010103320004C10CF7CE42193F7FC2AF 68F5DC877835A43009DB6135558A7FB8316C361B0690B4FD84A14C0779C76DD6145BF9362B =============================================...
  • Page 168 Key name: dsa1 Key type: DSA Time when key pair created: 15:35:42 2012/06/12 Key code: # Display the public key of the local ECDSA key pair ecdsa1. <Sysname> display public-key local ecdsa public name ecdsa1 ============================================= Key name: ecdsa1 Key type: ECDSA...
  • Page 169: Display Public-Key Peer

    Related commands public-key local create display public-key peer Use display public-key peer to display information about peer public keys. Syntax display public-key peer [ brief | name publickey-name ] Views Any view Predefined user roles network-admin network-operator Parameters brief: Displays brief information about all peer public keys. The brief information includes only the key type, key modulus, and key name.
  • Page 170: Peer-Public-Key End

    Table 18 Command output Field Description Key name Name of the peer public key. Key type Key type: RSA and DSA. Key modulus Key modulus length in bits. Key code Public key string. # Display brief information about all peer public keys. <Sysname>...
  • Page 171: Public-Key Local Create

    Execute the peer-public-key end command to exit public key view, and the system saves the public key. The system verifies the public key before saving it. If the key is not in the correct format, the system discards the key and displays an error message. If the key is valid, for example, the key displayed by the display public-key local public command, the system saves the key.
  • Page 172 The key pairs are automatically saved and can survive system reboots. Table 21 A comparison of different types of asymmetric key pairs Number of key pairs Modulus length HP recommendation Type • If you specify a key pair name, the command creates a host key pair.
  • Page 173 Type Number of key pairs Modulus length HP recommendation ECDSA: The command only creates one host key pair. Modulus length: 192 bits. NOTE: Only SSH 1.5 uses the RSA server key pair. Examples # Create local RSA key pairs with default names.
  • Page 174 If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys..++++++ .......++++++ Create the key pair successfully. # Create a local DSA key pair with the name dsa1. <Sysname>...
  • Page 175: Public-Key Local Destroy

    .++++++++++++++++++++++++++++++++++++++++++++++++++* ..+..+..+........+..+.......+..+....+.....+...+..+....+..+..+....+..+...+..+..+..+....+..+......+..+..+....+..+...+......+..+..+...+..+..+.......+++++++++++++++++++++++++++++++++++++++++++++++++++* Create the key pair successfully. Related commands display public-key local public • • public-key local destroy public-key local destroy Use public-key local destroy to destroy local key pairs. Syntax public-key local destroy { dsa | ecdsa | rsa } [ name key-name ] Views System view Predefined user roles...
  • Page 176: Public-Key Local Export Dsa

    <Sysname> system-view [Sysname] public-key local destroy dsa Confirm to destroy the key pair? [Y/N] :y # Destroy the local ECDSA key pair with the default name. <Sysname> system-view [Sysname] public-key local destroy ecdsa Confirm to destroy the key pair? [Y/N]:y # Destroy the local RSA key pair rsa1.
  • Page 177: Configuration Guide

    or ecdsakey, and cannot start with a slash (/). For more information about file names, see Fundamentals Configuration Guide. Usage guidelines Whether the command exports or displays the local DSA host public key depends on the presence of the filename argument. You can use the command to display or export the local DSA host public key before distributing it to a peer device.
  • Page 178: Public-Key Local Export Rsa

    XrZWUGEzN/OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HH bB+y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACAQZEs400SvNIVfnqxw vA7PvOVEA89tKni/f6GDBvWY9Z2Q499pAqUBtYcqQea8T4zBInxx2eF3lLaZJrIvAS205zXxSzQoU9190kakd MdasIjQLWYGyepFc3sTwmIflQeweUwLVAPaOesKaCERjxg+e4maYWlAvySGT4c9NJlxLo= dsa-key # Export the host public key of the local DSA key pair dsa1 in OpenSSH format to the file dsa1.pub. <Sysname> system-view [Sysname] public-key local export dsa name dsa1 openssh dsa1.pub # Display the host public key of the local DSA key pair dsa1 in SSH2.0 format. <Sysname>...
  • Page 179 Views System view Predefined user roles network-admin Parameters name key-name: Specifies the name of a local RSA key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is provided, the command displays or exports the host public key of the local DSA key pair with the default name.
  • Page 180: Public-Key Peer

    # Display the host public key of the local RSA key pair with the default name in SSH2.0 format. <Sysname> system-view [Sysname] public-key local export rsa ssh2 ---- BEGIN SSH2 PUBLIC KEY ---- Comment: "rsa-key-2012/06/12" AAAAB3NzaC1yc2EAAAADAQABAAAAgQDapKr+/gTCyWZyabuCJuJjMeMPQaj/kixzOCCAl+hDMmEGMrSfddq/b YcbgM7Buit1AgB3x0dFyTPi85DcCznTW4goPXAKFjuzCbGfj4chakSr+/aj1k3rM+XOvyvPJilneKJqhPT0xd v4tlas+mLNloY0dImbwS2kwE71rgg1CQ== ---- END SSH2 PUBLIC KEY ---- # Display the host public key of the local RSA key pair with the default name in OpenSSH format.
  • Page 181: Public-Key Peer Import Sshkey

    Execute the peer-public-key end command to save the public key and return to system view. The public key you type in the public key view must be in a correct format. If your device is an HP device, use the display public-key local public command to display and record its public key.
  • Page 182 Syntax public-key peer keyname import sshkey filename undo public-key peer keyname Default The device has no peer public key. Views System view Predefined user roles network-admin Parameters keyname: Specifies a name for a peer public key, a case-sensitive string of 1 to 64 characters. filename: Specifies the name of the file for saving the local host public key.
  • Page 183: Pki Commands

    PKI commands The switch supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. attribute Use attribute to configure an attribute rule for certificate issuer name, subject name, or alternative subject name.
  • Page 184 nequ: Specifies the not-equal operation. attribute-value: Sets an attribute value for the rule, a case-insensitive string of 1 to 128 characters. Usage guidelines Different attributes contain different attribute fields: Each of the subject name and the issuer name can contain only one DN, but can contain multiple •...
  • Page 185: Ca Identifier

    Related commands display pki certificate attribute-group • rule • ca identifier Use ca identifier to specify the trusted CA. Use undo ca identifier to remove the trusted CA. Syntax ca identifier name undo ca identifier Default No trusted CA is specified. Views PKI domain view Predefined user roles...
  • Page 186: Certificate Request From

    undo certificate request entity Default No PKI entity is specified for certificate request. Views PKI domain view Predefined user roles network-admin Parameters entity-name: Specifies the name of the entity for certificate request, a case-insensitive string of 1 to 31 characters. Usage guidelines A PKI entity describes the identity attributes of an entity for certificate request, including the common name, the organization, the unit in the organization, the locality, the state and country where the entity...
  • Page 187: Certificate Request Mode

    Predefined user roles network-admin Parameters ca: Specifies the CA to accept certificate requests. ra: Specifies the RA to accept certificate requests. Usage guidelines The CA server determines which authority, CA or RA, accepts certificate requests. This authority setting must be consistent with that on the CA server. An independent RA is recommended as the authority to accept certificate requests.
  • Page 188: Certificate Request Polling

    Usage guidelines A certificate request can be submitted to a CA in offline or online mode. In online mode, a certificate request can be automatically or manually submitted: • Auto request mode—A PKI entity automatically obtains the CA certificate and submits a certificate request to the registration acceptance authority when an associated application performs identity authentication.
  • Page 189: Certificate Request Url

    Parameters count count: Sets the maximum number of attempts for querying certificate request status, in the range of 1 to 100. interval minutes: Sets a polling interval in minutes, in the range of 5 to 168. Usage guidelines After a PKI entity submits a certificate request, the CA server might need a long period of time if it verifies the certificate request manually.
  • Page 190: Common-Name

    vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the registration server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the registration server is on the public network, do not specify this option. Usage guidelines The specified URL contains the location of the server and the location of CGI command interface script in the format of http://server_location/ca_script_location, where server_location can be an IPv4 address, IPv6 address, or a domain name, and cgi_script_location is the path of the application script...
  • Page 191: Country

    Examples # Set test as the common name of the PKI entity en. <Sysname> system-view [Sysname] pki entity en [Sysname-pki-entity-en] common-name test country Use country to set the code of the country to which a PKI entity belongs. Use undo country to remove the configuration. Syntax country country-code-string undo country...
  • Page 192: Crl Url

    Views PKI domain view Predefined user roles network-admin Usage guidelines A CRL is a file issued by a CA to publish all certificates that have been revoked. Revocation of a certificate might occur before the certificate expires. CRL checking is intended for checking whether a certificate has been revoked.
  • Page 193: Display Pki Certificate Access-Control-Policy

    vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the CRL repository belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the CRL repository is on the public network, do not specify this option. Usage guidelines CRL checking checks whether a certificate is in the CRL.
  • Page 194: Display Pki Certificate Attribute-Group

    Parameters policy-name: Specifies the name of a certificate access control policy, a case-insensitive string of 1 to 31 characters. Usage guidelines If no policy name is specified, this command displays information about all certificate access control policies. Examples # Display information about the certificate access control policy mypolicy. <Sysname>...
  • Page 195 Views Any view Predefined user roles network-admin network-operator Parameters group-name: Specifies the name of a certificate attribute group, a case-insensitive string of 1 to 31 characters. Usage guidelines If no certificate attribute group is specified, this command displays information about all certificate attribute groups.
  • Page 196: Display Pki Certificate Domain

    display pki certificate domain Use display pki certificate domain to display information about certificates. Syntax display pki certificate domain domain-name { ca | local | peer [ serial serial-num ] } Views Any view Predefined user roles network-admin network-operator Parameters domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters.
  • Page 197 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:c4:fd:97:2c:51:36:df:4c:ea:e8:c8:70:66:f0: 28:98:ec:5a:ee:d7:35:af:86:c4:49:76:6e:dd:40: 4a:9e:8d:c0:cb:d9:10:9b:61:eb:0c:e0:22:ce:f6: 57:7c:bb:bb:1b:1d:b6:81:ad:90:77:3d:25:21:e6: 7e:11:0a:d8:1d:3c:8e:a4:17:1e:8c:38:da:97:f6: 6d:be:09:e3:5f:21:c5:a0:6f:27:4b:e3:fb:9f:cd: c1:91:18:ff:16:ee:d8:cf:8c:e3:4c:a3:1b:08:5d: 84:7e:11:32:5f:1a:f8:35:25:c0:7e:10:bd:aa:0f: 52:db:7b:cd:5d:2b:66:5a:fb Exponent: 65537 (0x10001) Signature Algorithm: sha1WithRSAEncryption 6d:b1:4e:d7:ef:bb:1d:67:53:67:d0:8f:7c:96:1d:2a:03:98: 3b:48:41:08:a4:8f:a9:c1:98:e3:ac:7d:05:54:7c:34:d5:ee: 09:5a:11:e3:c8:7a:ab:3b:27:d7:62:a7:bb:bc:7e:12:5e:9e: 4c:1c:4a:9f:d7:89:ca:20:46:de:c5:b3:ce:36:ca:5e:6e:dc: e7:c6:fe:3f:c5:38:dd:d5:a3:36:ad:f4:3d:e6:32:7f:48:df: 07:f0:a2:32:89:86:72:22:cd:ed:e5:0f:95:df:9c:75:71:e7: fe:34:c5:a0:64:1c:f0:5c:e4:8f:d3:00:bd:fa:90:b6:64:d8: 88:a6 # Display information about the local certificate in the PKI domain aaa. <Sysname>...
  • Page 198 8a:f0:ea:02:fd:2d:44:7a:67 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin Netscape Comment: User Certificate of OpenCA Labs X509v3 Subject Key Identifier: 91:95:51:DD:BF:4F:55:FA:E4:C4:D0:10:C2:A1:C2:99:AF:A5:CB:30 X509v3 Authority Key Identifier:...
  • Page 199 # Display brief information about all peer certificates in the PKI domain aaa. <Sysname> display pki certificate domain aaa peer Total peer certificates: 1 Serial Number: 9a0337eb2156ba1f5476e4d754a5a9f7 Subject Name: CN=sldsslserver # Display detailed information about a specific peer certificate in the PKI domain aaa. <Sysname>...
  • Page 200: Display Pki Certificate Request-Status

    Full Name: URI:http://s03130.ccc.huawei-3com.com:447/ssl.crl Signature Algorithm: sha1WithRSAEncryption 61:2d:79:c7:49:16:e3:be:25:bb:8b:70:37:31:32:e5:d3:e3: 31:2c:2d:c1:f9:bf:50:ad:35:4b:c1:90:8c:65:79:b6:5f:59: 36:24:c7:14:63:44:17:1e:e4:cf:10:69:fc:93:e9:70:53:3c: 85:aa:40:7e:b5:47:75:0f:f0:b2:da:b4:a5:50:dd:06:4a:d5: 17:a5:ca:20:19:2c:e9:78:02:bd:19:77:da:07:1a:42:df:72: ad:07:7d:e5:16:d6:75:eb:6e:06:58:ee:76:31:63:db:96:a2: ad:83:b6:bb:ba:4b:79:59:9d:59:6c:77:59:5b:d9:07:33:a8: f0:a5 Related commands pki domain • • pki retrieve-certificate display pki certificate request-status Use display pki certificate request-status to display certificate request status. Syntax display pki certificate request-status [ domain domain-name ] Views Any view Predefined user roles...
  • Page 201: Display Pki Crl

    # Display certificate request statuses for all PKI domains. <Sysname> display pki certificate request-status Certificate Request Transaction 1 Domain name: domain1 Status: Pending Key usage: General Remain polling attempts: 10 Next polling attempt after : 1191 seconds Certificate Request Transaction 2 Domain name: domain2 Status: Pending Key usage: Signature...
  • Page 202 Predefined user roles network-admin network-operator Parameters domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. Usage guidelines Use this command to check whether a certificate has been revoked. Examples # Display information about the locally saved CRLs.
  • Page 203: Fqdn

    Table 26 Command output Field Description Version CRL version number. Signature Algorithm Signature algorithm used by the CA to sign the CRL. Issuer Name of the CA that issues the CRL. Last Update Last CRL update time. Next Update Next CRL update time.
  • Page 204: Ldap-Server

    [Sysname] pki entity en [Sysname-pki-entity-en] fqdn abc@pki.domain.com Use ip to configure the IP address for a PKI entity. Use undo ip to remove the configuration. Syntax ip { ip-address | interface interface-type interface-number } undo ip Default No IP address is configured for a PKI entity.
  • Page 205: Locality

    Default No LDAP server is specified for a domain. Views PKI domain view Predefined user roles network-admin Parameters host host-name: Specifies the host name of an LDAP server, a case-sensitive string of 1 to 255 characters. It can be an IPv4 or IPv6 address or a domain name. port port-number: Specifies the port number of an LDAP server, in the range of 1 to 65535.
  • Page 206: Organization

    Use undo locality to remove the configuration. Syntax locality locality-name undo locality Default No locality is set for a PKI entity. Views PKI entity view Predefined user roles network-admin Parameters locality-name: Specifies a locality, a case-sensitive string of 1 to 63 characters. No comma can be included.
  • Page 207: Organization-Unit

    Examples # Set abc as the organization name of the PKI entity en. <Sysname> system-view [Sysname] pki entity en [Sysname-pki-entity-en] organization abc organization-unit Use organization-unit to set the organization unit name for a PKI entity. Use undo organization-unit to remove the configuration. Syntax organization-unit org-unit-name undo organization-unit...
  • Page 208: Pki Certificate Access-Control-Policy

    Parameters domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. Usage guidelines You can abort a certificate request if you want to change some parameters, such as common name, country code, and FQDN, in the certificate request before the CA issues the certificate. Use the display pki certificate request-status command to display the certificate request status.
  • Page 209: Pki Certificate Attribute-Group

    [Sysname] pki certificate access-control-policy mypolicy [Sysname-pki-cert-acp-mypolicy] Related commands • display pki certificate access-control-policy rule • pki certificate attribute-group Use pki certificate attribute-group to create a certificate attribute group and enter its view. Use undo pki certificate attribute-group to remove a specified certificate attribute group. Syntax pki certificate attribute-group group-name undo pki certificate attribute-group group-name...
  • Page 210: Pki Delete-Certificate

    pki delete-certificate Use pki delete-certificate to remove the certificates in a PKI domain. Syntax pki delete-certificate domain domain-name { ca | local | peer [ serial serial-num ] } Views System view Predefined user roles network-admin Parameters domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters.
  • Page 211: Pki Domain

    [Sysname] pki delete-certificate domain aaa peer [Sysname] # Display information about peer certificates in the PKI domain aaa, and remove a peer certificate with the specified serial number. <Sysname> system-view [Sysname] display pki certificate domain aaa peer Total peer certificates: 1 Serial Number: 9a0337eb2156ba1f5476e4d754a5a9f7 Subject Name: CN=abc...
  • Page 212: Pki Entity

    pki entity Use pki entity to create a PKI entity and enter its view. Use undo pki entity to remove a PKI entity. Syntax pki entity entity-name undo pki entity entity-name Default No PKI entity exists. Views System view Predefined user roles network-admin Parameters entity-name: Specifies the name of a PKI entity, a case-insensitive string of 1 to 31 characters.
  • Page 213 Views System view Predefined user roles network-admin Parameters domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. der: Specifies the certificate file format as DER. p12: Specifies the certificate file format as PKCS12. pem: Specifies the certificate file format as PEM.
  • Page 214 • If the key pair of the local certificate is for general use (RSA general, ECDSA, or DSA), the local file name is filename. If the PKI domain has two local certificates, one of the following results occurs: • If you specify a file name, the local certificates are exported to two different files. If you do not specify a file name, the local certificates are displayed on the terminal, separated by •...
  • Page 215 # Export the local certificates and their private keys in the PKI domain to a file named local.pem in PEM format. For the private keys, the cryptographic algorithm is DES_CBC and the password is 111. <Sysname> system-view [Sysname] pki export domain domain1 pem local des-cbc 111 filename local.pem # Export all certificates in the PKI domain to a file named all.pem in PEM format.
  • Page 216 friendlyName: localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D Key Attributes: <No Attributes>
  • Page 217 Bag Attributes: <No Attributes> subject=/C=CN/O=OpenCA Labs/OU=software/CN=abcd issuer=/C=CN/O=OpenCA Labs/OU=software/CN=abcd
  • Page 218 # Display the CA certificate in the PKI domain in PEM format. <Sysname> system-view [Sysname] pki export domain domain1 pem ca
  • Page 219: Pki Import

    # Export the local certificates and their private keys in the PKI domain to a file named cert-lo.der in PKCS12 format.
  • Page 220 Predefined user roles network-admin Parameters domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. der: Specifies the certificate format as DER, including PKCS#7. p12: Specifies the certificate format as PKCS12. pem: Specifies the certificate format as PEM. ca: Specifies the CA certificate.
  • Page 221 • If the local certificates or peer certificates to be imported do not contain the CA certificate chain, but the certificate of the CA that issues the local certificate or peer certificate already exists in a PKI domain, you can directly import the local certificates or peer certificates. When you import the CA certificate: If the CA certificate to be imported is the CA root certificate or contains the certificate chain with the •...
  • Page 222 # Import the CA certificate file aca_pem.cer in PEM format to the PKI domain bbb. The certificate file does not contain the root certificate. <Sysname> system-view [Sysname] pki import domain bbb pem ca filename aca_pem.cer [Sysname] # Import the local certificate file local-ca.p12 in PKCS12 format to the PKI domain bbb. The certificate file contains a key pair.
  • Page 223 Bag Attributes: <Empty Attributes> subject=/C=cn/O=ccc/OU=sec/CN=ssl issuer=/C=cn/O=ccc/OU=sec/CN=ssl Please input the password:******** Local certificate already exist, confirm to overwrite it? [Y/N]:y The PKI domain already has a CA certificate.
  • Page 224: Pki Request-Certificate

    • public-key dsa • public-key ecdsa • public-key rsa pki request-certificate Use pki request-certificate to submit a local certificate request or generate a certificate request in PKCS#10 format. Syntax pki request-certificate domain domain-name [ password password ] [ pkcs10 [ filename filename ] ] Views System view Predefined user roles...
  • Page 225: Pki Retrieve-Certificate

    # Request the local certificates. [Sysname] pki request-certificate domain openca Start to request the general certificate ... … Request certificate of domain openca successfully Related commands display pki certificate pki retrieve-certificate Use pki retrieve-certificate to obtain a certificate from the certificate distribution server.
  • Page 226: Pki Retrieve-Crl

    The obtained CA certificate, local certificates, and peer certificates are automatically verified before they are saved locally. If the verification fails, they are not saved. This command is not saved in the configuration file. Examples # Obtain the CA certificate from the certificate distribution server. (This operation requires the user to confirm the fingerprint of the CA root certificate.) <Sysname>...
  • Page 227: Pki Storage

    • If the specified URL of the CRL repository is in HTTP format, the device obtains CRLs through the HTTP protocol. • If the specified URL of the CRL repository is in LDAP format, the device obtains CRLs through the LDAP protocol.
  • Page 228: Pki Validate-Certificate

    dir-path: Specifies a storage path, a case-sensitive string, which cannot start with a slash (/) or contain two dots followed by a slash (../). The dir-path argument specifies an absolute path or a relative path, and the path must already exist. Usage guidelines The default PKI directory on the device is automatically created when you successfully request, obtain, or import a certificate for the first time.
  • Page 229 • To verify the local certificates, if the PKI domain has no CRLs, the device looks up the locally saved CRLs. If a proper CRL is found, the device loads the CRL into the PKI domain. Otherwise, the device obtains the proper CRL from the CA server and saves it locally. To verify the CA certificate, CRL checking is performed for the CA certificate chain from the current •...
  • Page 230: Public-Key Dsa

    C=CN O=sec OU=software CN=bca Subject: O=OpenCA Labs OU=Users CN=fips fips-sec Verify result: OK Related commands • crl check pki domain • public-key dsa Use public-key dsa to specify a DSA key pair for certificate request. Use undo public-key to remove the configuration. Syntax public-key dsa name key-name [ length key-length ] undo public-key...
  • Page 231: Public-Key Ecdsa

    • Use the pki import command to import a certificate containing a key pair. A PKI domain can have key pairs of only one type of cryptographic algorithm (DSA, ECDSA, or RSA). If DSA or ECDSA is used, a PKI domain can have only one key pair. If RSA is used, a PKI domain can have two key pairs: one is the signing key pair, and the other is the encryption key pair.
  • Page 232: Public-Key Rsa

    • Use the public-key local create command to generate a key pair. • An application triggers the generation of a key pair. • Use the pki import command to import a certificate containing a key pair. A PKI domain can have key pairs of only one type of cryptographic algorithm (DSA, ECDSA, or RSA). If DSA or ECDSA is used, a PKI domain can have only one key pair.
  • Page 233 name encryption-key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters, which can include only letters, digits, and hyphen (-). signature: Specifies a key pair for signing. name signature-key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters, which can include only letters, digits, and hyphen (-).
  • Page 234: Root-Certificate Fingerprint

    Related commands pki import • public-key local create (see Security Command Reference) • root-certificate fingerprint Use root-certificate fingerprint to set the fingerprint for verifying the validity of the CA root certificate. Use undo root-certificate fingerprint to remove the configuration. Syntax In non-FIPS mode: root-certificate fingerprint { md5 | sha1 } string undo root-certificate fingerprint...
  • Page 235: Rule

    specify the fingerprint in the PKI domain but the CA certificate to be imported or the obtained CA certificate contains a CA root certificate that is not stored locally, the device uses the specified fingerprint in the PKI domain for verification and requires you to confirm the fingerprint. If you specify a wrong fingerprint, you cannot import or obtain the CA certificate.
  • Page 236: Source

    permit: Permits the certificates that match the associated certificate group. group-name: Specifies a certificate attribute group, a case-insensitive string of 1 to 31 characters. Usage guidelines You can associate a nonexistent certificate attribute group when you create a statement. Later you can use the pki certificate attribute-group command to create the certificate attribute group.
  • Page 237: State

    interface interface-type interface-number: Specifies the primary IPv4 address or the lowest IPv6 address of an interface as the source IP address. The interface-type interface-number argument specifies an interface. Usage guidelines Use this command to specify the source IP address for PKI protocol packets so that the CA server accepts the certificate requests from a specific IP address or subnet.
  • Page 238: Usage

    Views PKI entity view Predefined user roles network-admin Parameters state-name: Specifies a state name or a province name, a case-sensitive string of 1 to 63 characters. No comma can be included. Examples # Set countryA as the state name of the PKI entity en. <Sysname>...
  • Page 239 Examples # Specify the SSL client certificate extension. <Sysname> system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] usage ssl-client...
  • Page 240: Ssh Commands

    SSH commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. SSH server configuration commands display ssh server Use display ssh server on an SSH server to display the SSH server status or sessions.
  • Page 241: Display Ssh User-Information

    Field Description SSH version SSH protocol version. When the SSH server supports SSH1, the protocol version is 1.99. Otherwise, the protocol version is 2. SSH authentication-timeout Authentication timeout timer. SSH server key generating interval SSH server key pair update interval. SSH authentication retries Maximum number of authentication attempts for SSH users.
  • Page 242: Sftp Server Enable

    Views Any view Predefined user roles network-admin network-operator Parameters username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. If no SSH user is specified, this command displays information about all SSH users. Usage guidelines This command only displays information about SSH users configured through the ssh user command on the SSH server.
  • Page 243: Sftp Server Idle-Timeout

    undo sftp server enable Default The SFTP server function is disabled. Views System view Predefined user roles network-admin Examples # Enable the SFTP server function. <Sysname> system-view [Sysname] sftp server enable Related commands display ssh server sftp server idle-timeout Use sftp server idle-timeout to set the idle timeout timer for SFTP user connections on an SFTP server. Use undo sftp server idle-timeout to restore the default.
  • Page 244: Ssh Server Acl

    [Sysname] sftp server idle-timeout 500 Related commands display ssh server ssh server acl Use ssh server acl to set an ACL for IPv4 SSH clients. Use undo ssh server acl to restore the default. Syntax ssh server acl acl-number undo ssh server acl Default All IPv4 SSH clients are allowed to initiate connections to the device.
  • Page 245: Ssh Server Ipv6 Acl

    ssh server ipv6 acl Use ssh server ipv6 acl to set an ACL for IPv6 SSH clients. Use undo ssh server ipv6 acl to restore the default. Syntax ssh server ipv6 acl [ ipv6 ] acl-number undo ssh server ipv6 acl Default All IPv6 SSH clients are allowed to initiate connections to the device.
  • Page 246: Ssh Server Authentication-Retries

    ssh server authentication-retries Use ssh server authentication-retries to set the maximum number of authentication attempts for SSH users. Use undo ssh server authentication-retries to restore the default. Syntax ssh server authentication-retries times undo ssh server authentication-retries Default The maximum number of authentication attempts for SSH users is 3. Views System view Predefined user roles...
  • Page 247: Ssh Server Compatible-Ssh1X Enable

    Syntax ssh server authentication-timeout time-out-value undo ssh server authentication-timeout Default The authentication timeout timer is 60 seconds. Views System view Predefined user roles network-admin Parameters time-out-value: Specifies an authentication timeout timer, in the range of 1 to 120 seconds. Usage guidelines If a user has not finished authentication when the timeout timer expires, the connection is torn down.
  • Page 248: Ssh Server Enable

    network-operator Usage guidelines This command is not available in FIPS mode. The configuration only takes effect for the clients at next login. Examples # Enable the SSH server to support SSH1 clients. <Sysname> system-view [Sysname] ssh server compatible-ssh1x enable Related commands display ssh server ssh server enable Use ssh server enable to enable the SSH server function so that the SSH clients use SSH to communicate...
  • Page 249: Ssh User

    Syntax ssh server rekey-interval hours undo ssh server rekey-interval Default The interval for updating the RSA server key pair is 0, and the system does not update the RSA server key pair. Views System view Predefined user roles network-admin Parameters hours: Specifies an interval for updating the server key pair, in the range of 1 to 24 hours.
  • Page 250 undo ssh user username Default No SSH users exist. Views System view Predefined user roles network-admin Parameters username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. If the username contains an ISP domain name, the form is pureusername@domain. service-type: Specifies a service type for an SSH user: •...
  • Page 251: Ssh Client Configuration Commands

    user-information command to display all SSH users, including the password-only SSH users, for centralized management. If you use the ssh user command to configure a host public key for a user who already has a host public key, the new one overwrites the old one. You can change the authentication method, service type, and host public key for an SSH user while the user is communicating with the SSH server, but your changes only take effect for the clients at next login.
  • Page 252: Cdup

    Syntax Views SFTP client view Predefined user roles network-admin Usage guidelines This command functions the same as the exit and quit commands. Examples # Terminate the connection with the SFTP server. sftp> bye <Sysname> Use cd to change the working path on an SFTP server. Syntax cd [ remote-path ] Views...
  • Page 253: Delete

    Syntax cdup Views SFTP client view Predefined user roles network-admin Example # Return to the upper-level directory from the current working directory /test1. sftp> cd test1 Current Directory is:/test1 sftp> pwd Remote working directory: /test1 sftp> cdup Current Directory is:/ sftp>...
  • Page 254 Syntax dir [ -a | -l ] [ remote-path ] Views SFTP client view Predefined user roles network-admin Parameters -a: Displays the names of the files and sub-directories under a specified directory. -l: Displays detailed information about the files and sub-directories under a specified directory in the form of a list.
  • Page 255: Display Sftp Client Source

    display sftp client source Use display sftp client source to display the source IP address or source interface configured for the SFTP client. Syntax display sftp client source Views Any view Predefined user roles network-admin network-operator Examples # Display the source IP address configured for the SFTP client. <Sysname>...
  • Page 256: Exit

    Related commands • ssh client ipv6 source • ssh client source exit Use exit to terminate the connection with an SFTP server and return to user view. Syntax exit Views SFTP client view Predefined user roles network-admin Usage guidelines This command functions the same as the bye and quit commands. Examples # Terminate the connection with the SFTP server.
  • Page 257: Help

    sftp> get temp1.c temp.c Fetching /temp1.c to temp.c /temp.c 100% 1424 1.4KB/s 00:00 help Use help to display help information for an SFTP client command. Syntax help Views SFTP client view Predefined user roles network-admin Usage guidelines The help command is equivalent to entering a question mark (?). Examples # Display help information.
  • Page 258 Use ls to display information about the files and sub-directories under a specified directory. Syntax ls [ -a | -l ] [ remote-path ] Views SFTP client view Predefined user roles network-admin Parameters -a: Displays the names of the files and sub-directories under a specified directory. -l: Displays detailed information about the files and sub-directories under a specified directory in the form of a list.
  • Page 259: Mkdir

    -rw-rw-rw- 301 Jan 2 00:16 pubkey drwxrwxrwx 2048 Jan 1 00:00 seclog -rwxrwxrwx 572 Jan 2 00:17 serverkey -rwxrwxrwx 4481 Sep 28 10:52 startup.cfg mkdir Use mkdir to create a directory on an SFTP server. Syntax mkdir remote-path Views SFTP client view Predefined user roles network-admin Parameters...
  • Page 260: Pwd

    sftp> put startup.bak startup01.bak Uploading startup.bak to /startup01.bak startup01.bak 100% 1424 1.4KB/s 00:00 Use pwd to display the current working directory of an SFTP server. Syntax Views SFTP client view Predefined user roles network-admin Examples # Display the current working directory of the SFTP server. sftp>...
  • Page 261: Rename

    Syntax remove remote-file Views SFTP client view Predefined user roles network-admin Parameters remote-file: Specifies the files to delete from an SFTP server. Usage guidelines This command functions the same as the delete command. Examples # Delete the file temp.c from the SFTP server. sftp>...
  • Page 262: Scp

    Syntax rmdir remote-path Views SFTP client view Predefined user roles network-admin Parameters remote-path: Specifies the directories to delete from an SFTP server. Examples # Delete the sub-directory temp1 under the current directory on the SFTP server. sftp> rmdir temp1 Use scp to transfer files with an SCP server. Syntax In non-FIPS mode: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name...
  • Page 263 vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the server belongs to, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. get: Downloads the file. put: Uploads the file. source-file-path: Specifies the directory of the source file. destination-file-path: Specifies the directory of the target file.
  • Page 264: Scp Ipv6

    publickey keyname: Specifies the host public key of the server, which is used to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters. source: Specifies a source IP address or source interface to connect to the server. By default, the device automatically selects a source IP address based on the routing entry.
  • Page 265 scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] * Views...
  • Page 266 • aes256: Specifies the encryption algorithm aes256-cbc. des: Specifies the encryption algorithm des-cbc. • prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm, defaulting to sha1. Algorithm sha1 features stronger security but costs more time in calculation than md5. md5: Specifies the HMAC algorithm hmac-md5. •...
  • Page 267: Sftp

    • The preferred client-to-server HMAC algorithm is sha1. The preferred server-to-client HMAC algorithm is sha1-96. • The preferred compression algorithm between the server and client is zlib. • <Sysname> scp ipv6 2000::1 get abc.txt prefer-kex dh-group14 prefer-stoc-cipher aes128 prefer-ctos-hmac sha1 prefer-stoc-hmac sha1-96 prefer-compress zlib publickey svkey sftp Use sftp to establish a connection to an IPv4 SFTP server and enter SFTP client view.
  • Page 268 zlib: Specifies the compression algorithm zlib. prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128. Algorithms des, 3des, aes128, and aes256 are arranged in ascending order in the aspects of security strength and calculation time. 3des: Specifies the encryption algorithm 3des-cbc. •...
  • Page 269: Sftp Client Ipv6 Source

    specify a public key algorithm (by using the identity-key keyword) in order to get the correct data for the local private key. Examples # Connect an SFTP client to the IPv4 SFTP server (10.1.1.2) and specify the public key of the server as svkey.
  • Page 270: Sftp Client Source

    If you use the sftp ipv6 command to connect to an SFTP server and specify another source IPv6 address, the SFTP client uses the new source IPv6 address for the current connection instead of the one specified by the sftp client ipv6 source command. The source address specified by the sftp client ipv6 source command applies to all SFTP connections, but the source address specified by the sftp ipv6 command applies only to the current connection.
  • Page 271: Sftp Ipv6

    The source address specified by the sftp client source command applies to all SFTP connections, but the source address specified by the sftp command applies only to the current connection. Examples # Specify the source IP address for the SFTP client as 192.168.0.1. <Sysname>...
  • Page 272 number. This option is only used when the server uses a link-local address, and the specified outgoing interface on the client must have a link-local address. identity-key: Specifies the public key algorithm for the client, either dsa or rsa. The default is dsa. If the server uses publickey authentication, this keyword must be specified.
  • Page 273: Ssh Client Ipv6 Source

    interface interface-type interface-number: Specifies a source interface. The interface-type interface-number argument specifies a source interface by its type and number. The IPv6 address of this interface is the source IP address to send packets. ipv6 ipv6-address: Specifies a source IPv6 address. Usage guidelines When the server adopts publickey authentication to authenticate a client, the client must get the local private key for digital signature.
  • Page 274: Ssh Client Source

    Parameters interface interface-type interface-number: Specifies the IPv6 address of the interface which matches the destination address of the outbound packets using the longest match criteria as the source IPv6 address. The interface-type interface-number argument specifies a source interface by its type and number. ipv6 ipv6-address: Specifies a source IPv6 address.
  • Page 275: Ssh2

    Parameters interface interface-type interface-number: Specifies the primary IP address of the interface as the source address. The interface-type interface-number argument specifies a source interface by its type and number. ip ip-address: Specifies a source IPv4 address. Usage guidelines The Stelnet client uses the specified source address to communicate with the server. If you execute the ssh client source command multiple times, the most recent configuration takes effect.
  • Page 276 Predefined user roles network-admin Parameters server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 20 characters. port-number: Specifies the port number of the server, in the range 1 to 65535. The default is 22. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters.
  • Page 277: Ssh2 Ipv6

    publickey keyname: Specifies the host public key of the server, which is used to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters. source: Specifies a source IP address or source interface to connect to the server. By default, the packet to send gets the primary IP address of its outbound interface from the routing table and uses it as the source IP address.
  • Page 278 ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 }] * [ publickey keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] * Views...
  • Page 279 • sha1: Specifies the HMAC algorithm hmac-sha1. sha1-96: Specifies the HMAC algorithm hmac-sha1-96. • prefer-kex: Specifies the preferred key exchange algorithm. The default algorithm is dh-group-exchange in non-FIPS mode and is dh-group14 in FIPS mode. Algorithm dh-group14 features stronger security but costs more time in calculation than dh-group1 •...
  • Page 280: Ssl Commands

    SSL commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. SSL server policy configuration commands ciphersuite Use ciphersuite to specify the cipher suites supported by an SSL server policy. Use undo ciphersuite to restore the default.
  • Page 281 exp_rsa_des_cbc_sha: Specifies the export cipher suite that uses the key exchange algorithm RSA, the data encryption algorithm DES_CBC, and the MAC algorithm SHA. exp_rsa_rc2_md5: Specifies the export cipher suite that uses the key exchange algorithm RSA, the data encryption algorithm RC2, and the MAC algorithm MD5. exp_rsa_rc4_md5: Specifies the export cipher suite that uses the key exchange algorithm RSA, the data encryption algorithm RC4, and the MAC algorithm MD5.
  • Page 282: Client-Verify Enable

    [Sysname] ssl server-policy policy1 [Sysname-ssl-server-policy-policy1] ciphersuite rsa_aes_128_cbc_sha Related commands • display ssl server-policy prefer-cipher • client-verify enable Use client-verify enable to enable the SSL server to use digital certificates to authenticate clients. Use undo client-verify enable to restore the default. Syntax client-verify enable undo client-verify enable...
  • Page 283: Pki-Domain (Ssl Server Policy View)

    Views Any view Predefined user roles network-admin network-operator Parameters policy-name: Specifies an SSL server policy by its name, a case-insensitive string of 1 to 31 characters. If you do not specify this argument, the command displays information about all SSL server policies. Examples # Display information about the SSL server policy policy1.
  • Page 284: Session Cachesize

    Usage guidelines If you use this command to specify a PKI domain for an SSL server policy, the SSL server that references the SSL server policy will obtain its digital certificate through the specified PKI domain. Examples # Specify PKI domain server-domain for the SSL server policy policy1. <Sysname>...
  • Page 285: Ssl Server-Policy

    [Sysname-ssl-server-policy-policy1] session cachesize 600 Related commands display ssl server-policy ssl server-policy Use ssl server-policy to create an SSL server policy and enter SSL server policy view. Use undo ssl server-policy to delete an SSL server policy. Syntax ssl server-policy policy-name undo ssl server-policy policy-name Default No SSL server policy exists on the device.
  • Page 286: Pki-Domain (Ssl Client Policy View)

    Syntax display ssl client-policy [ policy-name ] Views Any view Predefined user roles network-admin network-operator Parameters policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters. If you do not specify this argument, the command displays information about all SSL client policies. Examples # Display information about the SSL client policy policy1.
  • Page 287: Prefer-Cipher

    Parameters domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. Usage guidelines If you use this command to specify a PKI domain for an SSL client policy, the SSL client that references the SSL client policy will obtain its digital certificate through the specified PKI domain.
  • Page 288 Parameters dhe_rsa_aes_128_cbc_sha: Specifies the key exchange algorithm DHE RSA, the data encryption algorithm 128-bit AES, and the MAC algorithm SHA. dhe_rsa_aes_256_cbc_sha: Specifies the key exchange algorithm DHE RSA, the data encryption algorithm 256-bit AES, and the MAC algorithm SHA. exp_rsa_des_cbc_sha: Specifies the export cipher suite that uses the key exchange algorithm RSA, the data encryption algorithm DES_CBC, and the MAC algorithm SHA.
  • Page 289: Server-Verify Enable

    If you execute this command multiple times, the most recent configuration takes effect. Examples # Configure the SSL client policy policy1 to support the key exchange algorithm RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA. <Sysname> system-view [Sysname] ssl client-policy policy1 [Sysname-ssl-client-policy-policy1] prefer-cipher rsa_aes_128_cbc_sha Related commands •...
  • Page 290: Ssl Client-Policy

    ssl client-policy Use ssl client-policy to create an SSL client policy and enter SSL client policy view. Use undo ssl client-policy to delete an SSL client policy. Syntax ssl client-policy policy-name undo ssl client-policy policy-name Default No SSL client policy exists on the device. Views System view Predefined user roles...
  • Page 291 In FIPS mode: version tls1.0 undo version Default The SSL protocol version for an SSL client policy is TLS 1.0. Views SSL client policy view Predefined user roles network-admin Parameters ssl3.0: Specifies SSL 3.0. tls1.0: Specifies TLS 1.0. Usage guidelines If you execute this command multiple times, the most recent configuration takes effect.
  • Page 292: Ip Source Guard Commands

    IP source guard commands display ip source binding Use display ip source binding to display IPv4 source guard entries. Syntax display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcp-relay | dhcp-server | dhcp-snooping ] ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ] Views Any view...
  • Page 293: Display Ipv6 Source Binding Static

    Usage guidelines If you do not specify any parameter, the command displays IPv4 source guard entries on all interfaces on the public network. If you specify neither an interface nor an IRF member, the command displays IPv4 source guard entries on all interfaces in the IRF fabric.
  • Page 294 Views Any view Predefined user roles network-admin network-operator Parameters ip-address ipv6-address: Displays static IPv6 source guard entries for an IPv6 address. mac-address mac-address: Displays static IPv6 source guard entries for a MAC address. The MAC address must be specified in H-H-H format. vlan vlan-id: Displays static IPv6 source guard entries for a VLAN.
  • Page 295: Ip Source Binding

    Related commands ipv6 source binding • ipv6 verify source • ip source binding Use ip source binding to configure a static IPv4 source guard entry. Use undo ip source binding to delete the static IPv4 source guard entries configured on the interface. Syntax ip source binding ip-address ip-address [ mac-address mac-address ] [ vlan vlan-id ] undo ip source binding ip-address ip-address [ mac-address mac-address ] [ vlan vlan-id ]...
  • Page 296: Ip Verify Source

    [Sysname-Ten-GigabitEthernet1/0/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0001-0001 Related commands display ip source binding ip verify source Use ip verify source to enable the IPv4 source guard function. Use undo ip verify source to restore the default. Syntax ip verify source ip-address [ mac-address ] undo ip verify source Default The IPv4 source guard function is disabled on an interface.
  • Page 297: Ipv6 Source Binding

    filtering on an interface. The interface filters packets according to the static IPv4 source guard entries configured by the ip source binding command, instead of the keywords specified in the ip verify source command. Examples # Enable IPv4 source guard on Ethernet port Ten-GigabitEthernet 1/0/1 to filter packets received on the port based on the source IPv4 and MAC addresses.
  • Page 298: Ipv6 Verify Source

    Usage guidelines IP source guard does not use the VLAN information (if specified) in static IPv6 source guard entries to filter packets. You do not need to specify the VLAN information for packet filtering. You cannot configure static IPv6 source guard entries on an interface that is in a service loopback group. Examples # On interface Ten-GigabitEthernet 1/0/1, configure a static IPv6 source guard entry to allow only the packets whose source IPv6 address is 2001::1 and source MAC address is 0002-0002-0002 to pass.
  • Page 299: Reset Ip Source Binding

    You cannot enable dynamic IPv6 source guard on a service loopback interface. This command only enables IP source guard packet filtering on a port. The port uses static IPv6 source guard entries to filter packets without considering the keywords specified in the command. Examples # Enable IPv6 source guard on Ethernet port Ten-GigabitEthernet 1/0/1 to filter packets received on the port.
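To make concrete what the ip source binding / ipv6 source binding and ip verify source / ipv6 verify source commands above do on a port, here is a small Python model of the per-port binding check. It is an added example, not HP code: static entries filter on exactly the fields they carry (IP only, or IP plus MAC) regardless of the keywords given to the verify command, as the usage guidelines above state, while entries learned dynamically (from DHCP snooping, for example) are matched according to the ip-address / mac-address keywords. VLAN information is not used for filtering, as the page says for static entries. The H-H-H MAC format is the one the page uses; the port, the entries and the packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


def norm_mac(mac: str) -> str:
    """Normalise a MAC written as H-H-H (0001-0001-0001) or colon-separated
    into 12 lowercase hex digits so that entries and packets compare equal."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class Binding:
    ip: str                 # normalised IPv4 or IPv6 address text
    mac: Optional[str]      # None: the entry binds the IP address only
    static: bool            # True: configured with ip/ipv6 source binding


class SourceGuardPort:
    """IP source guard on one port: a binding table plus the check mode
    selected by 'ip verify source ip-address [ mac-address ]'."""

    def __init__(self, check_mac: bool):
        self.check_mac = check_mac          # True when the mac-address keyword is given
        self.bindings: list = []

    def add_binding(self, ip: str, mac: Optional[str] = None, static: bool = True) -> None:
        # VLAN information, if configured on the entry, is not used for
        # filtering (per the usage guidelines above), so it is not stored.
        self.bindings.append(Binding(str(ip_address(ip)),
                                     norm_mac(mac) if mac else None, static))

    def permits(self, src_ip: str, src_mac: str) -> bool:
        """Return True if a packet with this source IP/MAC may enter the port."""
        ip, mac = str(ip_address(src_ip)), norm_mac(src_mac)
        for b in self.bindings:
            if b.ip != ip:
                continue
            if b.static:
                # Static entries filter on the fields they carry, independent
                # of the keywords in ip verify source.
                if b.mac is None or b.mac == mac:
                    return True
            elif not self.check_mac or b.mac == mac:
                # Dynamic entries are matched per the configured check mode.
                return True
        return False        # no matching entry: drop (default deny)


def demo_port() -> SourceGuardPort:
    """Ten-GigabitEthernet1/0/1 with 'ip verify source ip-address mac-address',
    one static IP+MAC entry, one static IP-only entry and one dynamic entry
    (all constructed for the example)."""
    port = SourceGuardPort(check_mac=True)
    port.add_binding("192.168.0.1", "0001-0001-0001")                  # static, IP+MAC
    port.add_binding("192.168.0.5")                                    # static, IP only
    port.add_binding("2001::1", "0002-0002-0002")                      # static IPv6 entry
    port.add_binding("192.168.0.20", "0002-0002-0002", static=False)   # dynamic entry
    return port


if __name__ == "__main__":
    p = demo_port()
    for ip, mac in [("192.168.0.1", "0001-0001-0001"), ("192.168.0.1", "0001-0001-0002"),
                    ("192.168.0.5", "aaaa-bbbb-cccc"), ("192.168.0.9", "0001-0001-0001")]:
        print(ip, mac, "permit" if p.permits(ip, mac) else "drop")
```

The default-deny at the end is the important property: a source address with no binding at all is dropped, which is what makes the feature useful against spoofed sources on access ports.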
  • Page 300: Reset Ipv6 Source Binding

    <Sysname> reset ip source binding # Clear IPv4 source guard entries with the source IPv4 address being 2.2.2.2. <Sysname> reset ip source binding static ip-address 2.2.2.2 # Clear all dynamic IPv4 source guard entries in VPN 1. <Sysname> reset ip source binding vpn-instance 1 # Clear all dynamic IPv4 source guard entries created by DHCP relay in VPN 1.
  • Page 301 • ipv6 verify source...
  • Page 302: Arp Attack Protection Commands

    ARP attack protection commands Unresolvable IP attack protection commands arp resolving-route enable Use arp resolving-route enable to enable ARP black hole routing. Use undo arp resolving-route enable to disable ARP black hole routing. Syntax arp resolving-route enable undo arp resolving-route enable Default ARP black hole routing is enabled.
  • Page 303: Arp Source-Suppression Enable

    arp source-suppression enable Use arp source-suppression enable to enable the ARP source suppression function. Use undo arp source-suppression enable to restore the default. Syntax arp source-suppression enable undo arp source-suppression enable Default ARP source suppression function is disabled. Views System view Predefined user role network-admin Usage guidelines...
  • Page 304: Display Arp Source-Suppression

    Parameters limit-value: Sets the maximum number of unresolvable packets that can be processed in 5 seconds. It is in the range of 2 to 1024. Usage guidelines If the number of unresolvable packets from a host within 5 seconds exceeds the specified threshold, the device stops processing packets from that host until the 5 seconds elapse.
  • Page 305: Arp Packet Rate Limit Commands

    ARP packet rate limit commands arp rate-limit Use arp rate-limit to enable ARP packet rate limit on an interface and configure the rate limit. Excess packets are discarded. Use undo arp rate-limit pps to restore the default value of the ARP packet rate limit. Use undo arp rate-limit to disable the ARP packet rate limit function.
  • Page 306: Arp Source-Mac Aging-Time

    undo arp source-mac [ filter | monitor ] Default The source MAC address based ARP attack detection function is disabled. Views System view Predefined user roles network-admin Parameters filter: Generates log messages and discards subsequent ARP packets from the MAC address. monitor: Only generates log message.
  • Page 307: Arp Source-Mac Exclude-Mac

    Parameters time: Sets the aging time for ARP attack entries, in the range of 60 to 6000 seconds. Examples # Set the aging time for ARP attack entries to 60 seconds. <Sysname> system-view [Sysname] arp source-mac aging-time 60 arp source-mac exclude-mac Use arp source-mac exclude-mac to exclude specific MAC addresses from source MAC address based ARP attack detection.
  • Page 308: Display Arp Source-Mac

    Syntax arp source-mac threshold threshold-value undo arp source-mac threshold Default The threshold for source MAC address based ARP attack detection is 30. Views System view Predefined user roles network-admin Parameters threshold-value: Specifies the threshold for source MAC address based ARP attack detection, in the range of 1 to 5000.
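The filter/monitor modes, the aging time, the exclude-mac list and the threshold above are parts of one mechanism, so the following Python model ties them together. It is an added example, not HP code. It assumes the packet count is taken over a 5-second sliding interval per source MAC, which this page states for ARP source suppression but not explicitly for this feature; the MAC addresses and the packet arrival times are constructed. The same windowed-counter pattern, keyed by source IP instead of MAC, is what the arp source-suppression limit above describes.

```python
from collections import defaultdict, deque


def norm_mac(mac: str) -> str:
    """Normalise H-H-H (23f3-1122-3344) or colon-separated MACs to 12 hex digits."""
    digits = mac.lower().replace("-", "").replace(":", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


class ArpSourceMacDetector:
    """Source MAC address based ARP attack detection for one device.

    threshold   -- ARP packets per interval from one MAC before it is flagged
                   (page default 30, range 1 to 5000)
    aging_time  -- lifetime of an attack entry in seconds (page range 60 to 6000)
    mode        -- 'filter' logs and drops the offending MAC's ARP packets,
                   'monitor' only logs
    exclude     -- MACs exempt from detection (arp source-mac exclude-mac)
    interval    -- sliding window length in seconds (assumed 5 s, see lead-in)
    """

    def __init__(self, threshold=30, aging_time=60, mode="filter", exclude=(), interval=5.0):
        if mode not in ("filter", "monitor"):
            raise ValueError("mode must be 'filter' or 'monitor'")
        self.threshold, self.aging_time, self.mode, self.interval = threshold, aging_time, mode, interval
        self.exclude = {norm_mac(m) for m in exclude}
        self.window = defaultdict(deque)    # mac -> arrival times inside the interval
        self.attack_entries = {}            # mac -> time at which the entry ages out
        self.log = []                       # generated log messages

    def handle(self, src_mac: str, now: float) -> bool:
        """Process one ARP packet received at time 'now'; True means forwarded."""
        mac = norm_mac(src_mac)
        if mac in self.exclude:
            return True

        # Age out an expired attack entry before deciding anything.
        expiry = self.attack_entries.get(mac)
        if expiry is not None and now >= expiry:
            del self.attack_entries[mac]
            expiry = None

        # Count packets from this MAC inside the sliding interval.
        arrivals = self.window[mac]
        arrivals.append(now)
        while arrivals and now - arrivals[0] > self.interval:
            arrivals.popleft()

        if expiry is None and len(arrivals) > self.threshold:
            # New attack entry: log it and start the aging timer.
            expiry = now + self.aging_time
            self.attack_entries[mac] = expiry
            self.log.append(f"ARP attack detected: {len(arrivals)} packets from {mac} "
                            f"within {self.interval:g}s (threshold {self.threshold})")

        if expiry is not None and self.mode == "filter":
            # Filter mode: the packet that crosses the threshold and every later
            # packet from the MAC are dropped until the entry ages out.
            return False
        return True


def run_burst(detector: ArpSourceMacDetector, mac: str, times) -> list:
    """Feed a burst of ARP packets from one MAC and return the per-packet verdicts."""
    return [detector.handle(mac, t) for t in times]


if __name__ == "__main__":
    det = ArpSourceMacDetector(threshold=3, aging_time=60, mode="filter",
                               exclude=["0000-5e00-0101"])   # constructed gateway MAC, exempted
    print(run_burst(det, "23f3-1122-3344", [0.0, 0.1, 0.2, 0.3, 0.4]))
    print(det.log)
    print(det.handle("23f3-1122-3344", 61.0))   # entry has aged out: forwarded again
```

Two practical points fall out of the model: a host that sends at a steady rate just under the threshold is never flagged (rate limiting, the next section, covers that case), and a MAC on the exclude list, such as a gateway, never enters detection at all, so the exclude list deserves the same review as any other allow-list.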
  • Page 309: Arp Packet Source Mac Consistency Check Commands

    Examples # Display the ARP attack entries detected by source MAC address based ARP attack detection. <Sysname> display arp source-mac Source-MAC VLAN ID Interface Aging-time 23f3-1122-3344 4094 XGE1/0/1 23f3-1122-3355 4094 XGE1/0/2 23f3-1122-33ff 4094 XGE1/0/3 23f3-1122-33ad 4094 XGE1/0/4 23f3-1122-33ce 4094 XGE1/0/5 ARP packet source MAC consistency check commands arp valid-check enable...
  • Page 310: Arp Active Acknowledgement Commands

    ARP active acknowledgement commands arp active-ack enable Use arp active-ack enable to enable the ARP active acknowledgement function. Use undo arp active-ack enable to restore the default. Syntax arp active-ack enable undo arp active-ack enable Default The ARP active acknowledgement function is disabled. Views System view Predefined user roles...
  • Page 311: Arp Detection Trust

    Predefined user roles network-admin Examples # Enable ARP detection for VLAN 2. <Sysname> system-view [Sysname] vlan 2 [Sysname-vlan2] arp detection enable arp detection trust Use arp detection trust to configure a port as an ARP trusted port. Use undo arp detection trust to restore the default. Syntax arp detection trust undo arp detection trust...
  • Page 312: Arp Restricted-Forwarding Enable

    Views System view Predefined user roles network-admin Parameters dst-mac: Checks the target MAC address of ARP responses. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
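As an added example (not HP code) of what the dst-mac check above means on the wire, the Python below builds raw Ethernet/ARP frames and applies the checks: the target MAC of an ARP reply is invalid if it is all-zero, all-one or different from the Ethernet destination MAC, as described above, and, for the source MAC consistency check that arp valid-check enable turns on, the sender MAC in the ARP body must equal the Ethernet source MAC (the page names that check but not its rule; the rule is my description). Frames, addresses and the sample set are constructed.

```python
import struct
from ipaddress import IPv4Address

ETH = struct.Struct("!6s6sH")               # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")       # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
MAC_ZERO, MAC_ONES = b"\x00" * 6, b"\xff" * 6


def mac_bytes(mac: str) -> bytes:
    """'0001-0001-0001' or '00:01:00:01:00:01' -> 6 raw bytes."""
    digits = mac.lower().replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return bytes.fromhex(digits)


def build_arp(eth_dst: str, eth_src: str, op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Assemble an Ethernet II frame carrying an IPv4 ARP packet."""
    eth = ETH.pack(mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, op,
                   mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                   mac_bytes(target_mac), IPv4Address(target_ip).packed)
    return eth + arp


def check_arp_frame(frame: bytes, check_dst_mac: bool = True,
                    check_src_mac: bool = True) -> tuple:
    """Return (valid, reason); valid False means the frame is discarded."""
    if len(frame) < ETH.size + ARP.size:
        return False, "truncated frame"
    eth_dst, eth_src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return False, "not an ARP frame"
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return False, "unsupported ARP header"

    # Source MAC consistency check: the sender MAC carried in the ARP body
    # must match the Ethernet source MAC (assumed rule, see lead-in).
    if check_src_mac and sha != eth_src:
        return False, "sender MAC differs from Ethernet source MAC"

    # dst-mac check: the target MAC of a reply must be a real unicast address
    # and must match the Ethernet destination MAC.
    if check_dst_mac and op == ARP_REPLY:
        if tha == MAC_ZERO:
            return False, "target MAC is all-zero"
        if tha == MAC_ONES:
            return False, "target MAC is all-one"
        if tha != eth_dst:
            return False, "target MAC differs from Ethernet destination MAC"
    return True, "ok"


def sample_frames() -> dict:
    """Constructed frames: one clean reply and three malformed or spoofed ones."""
    good = build_arp("0001-0001-0001", "0002-0002-0002", ARP_REPLY,
                     "0002-0002-0002", "192.168.0.254", "0001-0001-0001", "192.168.0.1")
    zero_target = build_arp("0001-0001-0001", "0002-0002-0002", ARP_REPLY,
                            "0002-0002-0002", "192.168.0.254", "0000-0000-0000", "192.168.0.1")
    mismatch = build_arp("0001-0001-0001", "0002-0002-0002", ARP_REPLY,
                         "0002-0002-0002", "192.168.0.254", "0003-0003-0003", "192.168.0.1")
    spoofed_sender = build_arp("ffff-ffff-ffff", "0002-0002-0002", ARP_REQUEST,
                               "0004-0004-0004", "192.168.0.254", "0000-0000-0000", "192.168.0.1")
    return {"good": good, "zero_target": zero_target, "mismatch": mismatch,
            "spoofed_sender": spoofed_sender}


if __name__ == "__main__":
    for name, frame in sample_frames().items():
        print(f"{name:15s} {check_arp_frame(frame)}")
```

Note that the dst-mac rule applies only to replies: a request legitimately carries an all-zero target MAC, which is why the spoofed request in the sample set is caught by the source MAC consistency check and not by the dst-mac check.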
  • Page 313: Display Arp Detection

    display arp detection Use display arp detection to display the VLANs enabled with ARP detection. Syntax display arp detection Views Any view Predefined user roles network-admin network-operator Examples # Display the VLANs enabled with ARP detection. <Sysname> display arp detection ARP detection is enabled in the following VLANs: 1-2, 4-5 Related commands...
  • Page 314: Reset Arp Detection Statistics

    ARP packets dropped by ARP inspect checking: Interface(State) Src-MAC Dst-MAC Inspect XGE1/0/1(U) XGE1/0/2(U) XGE1/0/3(T) XGE1/0/4(U) Table 35 Command output Field Description Interface(State) Inbound interface of ARP packets. State specifies the port state, trusted or untrusted: U—ARP untrusted interface; T—ARP trusted interface. Number of ARP packets discarded due to invalid source and destination IP addresses.
  • Page 315: Arp Automatic Scanning And Fixed Arp Commands

    ARP automatic scanning and fixed ARP commands arp fixup Use arp fixup to change the existing dynamic ARP entries into static ARP entries. You can use this command again to change the dynamic ARP entries learned later into static. Syntax arp fixup Views System view...
  • Page 316: Arp Gateway Protection Commands

    Predefined user roles network-admin Parameters start-ip-address: Specifies the start IP address of the scanning range. end-ip-address: Specifies the end IP address of the scanning range. The end IP address must be higher than or equal to the start IP address. Usage guidelines If you specify the start and end IP addresses, the device scans the neighbor IP addresses in the specified address range to learn ARP entries.
  • Page 317: Arp Filtering Commands

    undo arp filter source ip-address Default ARP gateway protection is disabled. Views Ethernet interface view, aggregate interface view Predefined user roles network-admin Parameters ip-address: Specifies the IP address of a protected gateway. Usage guidelines You can enable ARP gateway protection for up to eight gateways on an interface. You cannot configure both arp filter source and arp filter binding commands on the same interface.
  • Page 318 mac-address: Permitted sender MAC address. Usage guidelines You can configure up to eight ARP permitted entries on an interface. You cannot configure both the arp filter source and arp filter binding commands on the same interface. Examples # Configure an ARP permitted entry. <Sysname>...
  • Page 319: Urpf Commands

    uRPF commands ip urpf Use ip urpf to enable uRPF. Use undo ip urpf to disable uRPF. Syntax ip urpf { loose | strict } undo ip urpf Default uRPF is disabled. Views System view Predefined user roles network-admin Parameters loose: Enables loose uRPF check.
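The loose/strict distinction above in a few lines of Python, as an added example that is not HP code: the source address of each packet is looked up in a forwarding table; loose mode passes the packet if any route to the source exists, strict mode additionally requires the best route to point back out the interface the packet arrived on. The forwarding table, interface names and packets are constructed. Whether a default route satisfies the check is an implementation choice this page does not address, so it is a parameter here, off by default, because with it on a default route makes loose uRPF accept every source.

```python
from ipaddress import ip_address, ip_network


class UrpfChecker:
    """Unicast reverse path forwarding check over a longest-prefix-match table."""

    def __init__(self, mode: str, allow_default_route: bool = False):
        if mode not in ("loose", "strict"):
            raise ValueError("mode must be 'loose' or 'strict'")
        self.mode = mode
        self.allow_default_route = allow_default_route   # assumption, see lead-in
        self.routes = []                                  # (network, outgoing interface)

    def add_route(self, prefix: str, interface: str) -> None:
        self.routes.append((ip_network(prefix, strict=False), interface))

    def best_route(self, addr: str):
        """Longest-prefix match; returns (network, interface) or None."""
        a = ip_address(addr)
        candidates = [(n, i) for n, i in self.routes
                      if n.version == a.version and a in n]
        if not self.allow_default_route:
            candidates = [(n, i) for n, i in candidates if n.prefixlen > 0]
        return max(candidates, key=lambda r: r[0].prefixlen, default=None)

    def permits(self, src_ip: str, in_interface: str) -> bool:
        """True if the packet passes uRPF and may be forwarded."""
        route = self.best_route(src_ip)
        if route is None:
            return False                      # no reverse path at all: drop in both modes
        if self.mode == "loose":
            return True                       # any route to the source suffices
        return route[1] == in_interface       # strict: route must point back to ingress


def demo_table(mode: str, allow_default_route: bool = False) -> UrpfChecker:
    """Constructed forwarding table for the example."""
    c = UrpfChecker(mode, allow_default_route)
    c.add_route("10.1.0.0/16", "XGE1/0/1")
    c.add_route("10.2.0.0/16", "XGE1/0/2")
    c.add_route("10.2.7.0/24", "XGE1/0/4")      # more specific route inside 10.2.0.0/16
    c.add_route("0.0.0.0/0", "XGE1/0/3")        # default route towards the upstream
    return c


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        c = demo_table(mode)
        for src, iface in [("10.1.5.5", "XGE1/0/1"), ("10.1.5.5", "XGE1/0/2"),
                           ("192.0.2.1", "XGE1/0/3")]:
            verdict = "permit" if c.permits(src, iface) else "drop"
            print(f"{mode:6s} {src:12s} in {iface}: {verdict}")
```

Strict mode is the one that actually stops a host behind XGE1/0/2 from sending with a 10.1.0.0/16 source; loose mode only removes sources that are unrouted altogether, which is the safe choice on links with asymmetric routing where strict would drop legitimate traffic.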
  • Page 320: Display Ip Urpf

    <Sysname> system-view [Sysname] ip urpf strict Related commands display ip urpf display ip urpf Use display ip urpf to display uRPF configuration. Syntax display ip urpf [ slot slot-number ] Views Any view Predefined user roles network-admin network-operator Parameters slot slot-number: Specifies an IRF member device. The slot number argument specifies the ID of the IRF member device.
  • Page 321: Fips Commands

    The system automatically uses the specified startup configuration file to reboot after you configure the crypto officer's username and password. HP recommends that you choose this method to log in to the device in FIPS mode through a Console port.
  • Page 322: Fips Self-Test

    Save the configuration file and specify it as the next startup configuration file, delete the original next startup configuration file in binary notation, and reboot the device. HP recommends that you choose this method to log in to the device in FIPS mode through remote login.
  • Page 323: Display Fips Status

    Usage guidelines To examine whether the cryptography modules operate properly, you can use a command to trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test. Only when the self-tests on all cryptographic algorithms pass, the whole self-test succeeds. If the self-test fails, the device automatically reboots.
  • Page 324 Predefined user roles network-admin network-operator Examples # Display the current FIPS mode state. <Sysname> display fips status FIPS mode is enabled. Related commands fips mode enable...
  • Page 325: Ipsec Commands

    IPsec commands IPsec commands are supported only when the switch is operating in FIPS mode. For more information about FIPS mode, see Security Configuration Guide. ah authentication-algorithm Use ah authentication-algorithm to specify authentication algorithms for the AH protocol. Use undo ah authentication-algorithm to remove all specified authentication algorithms for the AH protocol.
  • Page 326: Description

    • For an IKE-based IPsec policy, the initiator sends all AH authentication algorithms specified in the IPsec transform set to the peer end during the negotiation phase, and the responder matches the received algorithms against its local algorithms starting from the first one until a match is found. To ensure a successful IKE negotiation, the IPsec transform sets specified at both ends of the tunnel must have at least one same AH authentication algorithm.
  • Page 327: Display Ipsec { Ipv6-Policy | Policy

    display ipsec { ipv6-policy | policy } Use display ipsec { ipv6-policy | policy } to display information about IPsec policies. Syntax display ipsec { ipv6-policy | policy } [ policy-name [ seq-number ] ] Views Any view Predefined user roles network-admin network-operator Parameters...
  • Page 328 AH SPI: 1200 (0x000004b0) AH string-key: ****** AH authentication hex key: Inbound ESP setting: ESP SPI: 1400 (0x00000578) ESP string-key: ESP encryption hex key: ESP authentication hex key: Outbound AH setting: AH SPI: 1300 (0x00000514) AH string-key: ****** AH authentication hex key: Outbound ESP setting: ESP SPI: 1500 (0x000005dc) ESP string-key: ******...
  • Page 329 Description: This is my complete policy Security data flow: 3100 Remote address: 2.2.2.2 Transform set: completetransform Inbound AH setting: AH SPI: 5000 (0x00001388) AH string-key: ****** AH authentication hex key: Inbound ESP setting: ESP SPI: 7000 (0x00001b58) ESP string-key: ****** ESP encryption hex key: ESP authentication hex key: Outbound AH setting:...
  • Page 330 Mode: manual ----------------------------- Description: This is my first IPv6 policy Security data flow: 3600 Remote address: 1000::2 Transform set: mytransform Inbound AH setting: AH SPI: 1235 (0x000004d3) AH string-key: ****** AH authentication hex key: Inbound ESP setting: ESP SPI: 1236 (0x000004d4) ESP string-key: ****** ESP encryption hex key: ESP authentication hex key:...
  • Page 331: Display Ipsec { Ipv6-Policy-Template | Policy-Template

    Field Description Security data flow ACL referenced by the IPsec policy. Selector mode Data flow protection mode of the IPsec policy: standard, aggregation, or per-host. Local address Local end IP address of the IPsec tunnel (only available for the IPsec policy using IKE negotiation).
  • Page 332 policy-template: Displays information about IPv4 IPsec policy templates. template-name: Specifies an IPsec policy template by its name, a case-sensitive string of 1 to 63 characters. seq-number: Specifies an IPsec policy template entry by its sequence number. The value range is 1 to 65535.
  • Page 333: Display Ipsec Profile

    IPsec SA local duration(traffic based): 1843200 kilobytes Table 38 Command output Field Description IPsec Policy Template IPsec policy template name. Sequence number Sequence number of the IPsec policy template entry. Description Description of the IPsec policy template. Security data flow ACL referenced by the IPsec policy template.
  • Page 334: Display Ipsec Sa

    Description: Transform set: prop1 Inbound AH setting: AH SPI: 12345 (0x00003039) AH string-key: AH authentication hex key: ****** Inbound ESP setting: ESP SPI: 23456 (0x00005ba0) ESP string-key: ESP encryption hex-key: ****** ESP authentication hex-key: ****** Outbound AH setting: AH SPI: 12345 (0x00003039) AH string-key: AH authentication hex key: ****** Outbound ESP setting:...
  • Page 335 network-operator Parameters brief: Displays brief information about all IPsec SAs. count: Displays the number of IPsec SAs. interface interface-type interface-number: Specifies an interface by its type and number. ipv6-policy: Displays detailed information about IPsec SAs created by using a specified IPv6 IPsec policy. policy: Displays detailed information about IPsec SAs created by using a specified IPv4 IPsec policy.
  • Page 336 # Display the number of IPsec SAs. <Sysname> display ipsec sa count Total IPsec SAs count: 4 # Display information about all IPsec SAs. <Sysname> display ipsec sa ------------------------------- Interface: Vlan-interface1 ------------------------------- ----------------------------- IPsec policy: r2 Sequence number: 1 Mode: isakmp ----------------------------- Tunnel id: 3 Encapsulation mode: tunnel...
  • Page 337 ----------------------------- IPsec profile: profile Mode: manual ----------------------------- Encapsulation mode: transport [Inbound AH SAs] SPI: 1234563 (0x0012d683) Transform set: AH-SHA1 No duration limit for this SA [Outbound AH SAs] SPI: 1234563 (0x0012d683) Transform set: AH-SHA1 No duration limit for this SA Table 41 Command output Field Description...
  • Page 338: Display Ipsec Statistics

    Field Description protocol Protocol type. SPI SPI of the IPsec SA. Transform set Security protocol and algorithms used by the IPsec transform set. SA duration (kilobytes/sec) IPsec SA lifetime, in kilobytes or seconds. SA remaining duration (kilobytes/sec) Remaining IPsec SA lifetime, in kilobytes or seconds.
  • Page 339 <Sysname> display ipsec statistics IPsec packet statistics: Received/sent packets: 47/64 Received/sent bytes: 3948/5208 Dropped packets (received/sent): 0/45 Dropped packets statistics No available SA: 0 Wrong SA: 0 Invalid length: 0 Authentication failure: 0 Encapsulation failure Decapsulation failure: Replayed packets: 0 ACL check failure: 45 MTU check failure: 0 Loopback limit exceeded: 0...
  • Page 340: Display Ipsec Transform-Set

    Field Description Encapsulation failure Number of dropped packets due to encapsulation failure. Decapsulation failure Number of dropped packets due to decapsulation failure. Replayed packets Number of dropped replayed packets. ACL check failure Number of dropped packets due to ACL check failure. MTU check failure Number of dropped packets due to MTU check failure.
  • Page 341: Display Ipsec Tunnel

    Field Description State Whether the IPsec transform set is complete. Encapsulation mode Encapsulation mode used by the IPsec transform set: transport or tunnel. Transform Security protocols used by the IPsec transform set: AH, ESP, or both. If both protocols are configured, IPsec uses ESP before AH.
  • Page 342 1.2.3.1 2.2.2.2 5000 6000 active 7000 8000 Table 44 Command output Field Description Src Address Source IP address of the IPsec tunnel. For IPsec SAs created by using IPsec profiles, "–" is displayed in this field. Dst Address Destination IP address of the IPsec tunnel. For IPsec SAs created by using IPsec profiles, "–"...
  • Page 343: Encapsulation-Mode

    remote address: 2.2.2.2 Flow: as defined in ACL 3100 # Display information about IPsec tunnel 1. <Sysname> display ipsec tunnel tunnel-id 1 Tunnel ID: 1 Status: active Perfect forward secrecy: SA's SPI: outbound: 6000 (0x00001770) [AH] inbound: 5000 (0x00001388) [AH] outbound:...
  • Page 344 Use undo encapsulation-mode to restore the default. Syntax encapsulation-mode { transport | tunnel } undo encapsulation-mode Default IP packets are encapsulated in tunnel mode. Views IPsec transform set view Predefined user roles network-admin Parameters transport: Uses the transport mode for IP packet encapsulation.
  • Page 345: Esp Authentication-Algorithm

    Related commands ipsec transform-set esp authentication-algorithm Use esp authentication-algorithm to specify an authentication algorithm for ESP. Use undo esp authentication-algorithm to remove all authentication algorithms specified for ESP. Syntax In non-FIPS mode: esp authentication-algorithm { md5 | sha1 } * undo esp authentication-algorithm In FIPS mode: esp authentication-algorithm sha1...
  • Page 346: Esp Encryption-Algorithm

    Examples # Configure the IPsec transform set tran1 to use HMAC-SHA1 algorithm as the ESP authentication algorithm. <Sysname> system-view [Sysname] ipsec transform-set tran1 [Sysname-ipsec-transform-set-tran1] esp authentication-algorithm sha1 Related commands ipsec transform-set esp encryption-algorithm Use esp encryption-algorithm to specify encryption algorithms for ESP. Use undo esp encryption-algorithm to remove all encryption algorithms specified for ESP.
  • Page 347: Ike-Profile

    Usage guidelines You can specify multiple ESP encryption algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority. • For a manual IPsec policy, the first specified ESP encryption algorithm takes effect. To make sure an IPsec tunnel can be established successfully, the IPsec transform sets specified at both ends of the tunnel must have the same first ESP encryption algorithm.
  • Page 348: Ipsec Anti-Replay Check

    An IPsec policy or IPsec policy template can reference only one IKE profile and they cannot reference any IKE profile that is already referenced by another IPsec policy or IPsec policy template. Examples # Configure IPsec policy (policy1) to reference IKE profile (profile1). <Sysname>...
  • Page 349: Ipsec Anti-Replay Window

    Related commands ipsec anti-replay window ipsec anti-replay window Use ipsec anti-replay window to set the anti-replay window size. Use undo ipsec anti-replay window to restore the default. Syntax ipsec anti-replay window width undo ipsec anti-replay window Default The anti-replay window size is 64. Views System view Predefined user roles...
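To show what the window width set above actually decides, here is a Python implementation of the sliding-window anti-replay check in the style of RFC 4303. It is an added example, not HP code: the receiver tracks the highest sequence number accepted and a bitmap of the width-1 numbers below it; a packet is rejected if it repeats an accepted number (a replay) or falls below the window (too old to tell). The default width of 64 is the page's; the sequence numbers fed in are constructed, and the second run with a 32-wide window shows why a wider window is needed on paths that reorder packets.

```python
class AntiReplayWindow:
    """Sliding-window anti-replay check for one inbound IPsec SA
    (32-bit sequence numbers, no extended sequence numbers).
    width is the window size; 64 is the page default."""

    def __init__(self, width: int = 64):
        if width < 1:
            raise ValueError("window width must be positive")
        self.width = width
        self.top = 0            # highest sequence number accepted so far
        self.bitmap = 0         # bit i set  <=>  sequence number (top - i) was accepted

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window."""
        if seq <= 0 or seq > 0xFFFFFFFF:
            return False                        # 0 is never a valid sequence number
        if seq > self.top:
            # Advance the window; bits that fall off the far edge are forgotten.
            shift = seq - self.top
            if shift >= self.width:
                self.bitmap = 1                 # everything previously seen is now out of range
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.width) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.width:
            return False                        # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                        # already accepted: replay
        self.bitmap |= 1 << offset              # late but new: accept and remember
        return True


def replay_results(width: int, seqs) -> list:
    """Run received ESP/AH sequence numbers through one window; True means accepted."""
    w = AntiReplayWindow(width)
    return [w.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    seqs = [1, 1, 100, 37, 36, 37, 50, 101]      # constructed arrival order
    print(replay_results(64, seqs))   # 37 is 63 below the top of 100, still inside a 64 window
    print(replay_results(32, seqs))   # with a 32 window, 37 and 50 arrive too late and are dropped
```

The check runs before integrity verification is even needed for the decision, which is why it is cheap, but it only protects when the authentication check also runs: an attacker who can forge the integrity tag can also choose fresh sequence numbers.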
  • Page 350: Ipsec Logging Packet Enable

    undo ipsec decrypt-check enable Default ACL checking for de-encapsulated IPsec packets is enabled. Views System view Predefined user roles network-admin Usage guidelines In tunnel mode, the IP packet encapsulated in an inbound IPsec packet might not be under the protection of the ACL specified in the IPsec policy.
  • Page 351: Ipsec Df-Bit

    IPsec packets, the packets will not be fragmented. In this case, make sure the MTU on each interface along the forwarding path is larger than the IPsec packet length. Otherwise, the packets are discarded. If you cannot make sure of the MTU value, HP recommends clearing the DF bit. Examples # Set the DF bit for outer IP headers of encapsulated IPsec packets on VLAN-interface 1.
  • Page 352: Ipsec Global-Df-Bit

    IPsec packets, the packets will not be fragmented. In this case, make sure the MTU on each interface along the forwarding path is larger than the IPsec packet length. Otherwise, the packets are discarded. If you cannot make sure of the MTU value, HP recommends clearing the DF bit. Examples # Set the DF bit for outer IP headers of encapsulated IPsec packets on all interfaces.
  • Page 353: Ipsec { Ipv6-Policy | Policy } (Interface View)

    IPsec policy that is already applied to the interface. An IKE-based IPsec policy can be applied to multiple interfaces, but HP recommends applying an IKE-based IPsec policy to only one interface. A manual IPsec policy can be applied to only one interface.
  • Page 354 Use undo ipsec { ipv6-policy | policy } to delete the specified IPsec policy. Syntax ipsec { ipv6-policy | policy } policy-name seq-number [ isakmp | manual ] undo ipsec { ipv6-policy | policy } policy-name [ seq-number ] Default No IPsec policy is created.
  • Page 355: Ipsec { Ipv6-Policy | Policy } Isakmp Template

    [Sysname] ipsec policy policy1 101 manual [Sysname-ipsec-policy-manual-policy1-101] Related commands • display ipsec { ipv6-policy | policy } ipsec { ipv6-policy | policy } (interface view) • ipsec { ipv6-policy | policy } isakmp template Use ipsec { ipv6-policy | policy } isakmp template to create an IKE-based IPsec policy by referencing an IPsec policy template.
  • Page 356: Ipsec { Ipv6-Policy | Policy } Local-Address

    Examples # Create an IPsec policy entry by referencing the IPsec policy template temp1, and specify the IPsec policy name as policy2 and the sequence number as 200. <Sysname> system-view [Sysname] ipsec policy policy2 200 isakmp template temp1 Related commands display ipsec { ipv6-policy | policy } •...
  • Page 357: Ipsec { Ipv6-Policy-Template | Policy-Template } Policy-Template

    A source interface can be bound to multiple IPsec policies. HP recommends using a stable interface, such as a Loopback interface, as a source interface. Examples # Bind the IPsec policy map to source interface Loopback 1 1.
  • Page 358: Ipsec Profile

    seq-number: Specifies a sequence number for the IPsec policy template, in the range of 1 to 65535. A smaller number indicates a higher priority. Usage guidelines The parameters configurable for an IPsec policy template are the same as those you configure when directly configuring an IKE-based IPsec policy.
  • Page 359: Ipsec Sa Global-Duration

    manual: Specifies the IPsec SA setup mode as manual. Usage guidelines When you create an IPsec profile, you must specify the IPsec SA setup mode (manual). When you enter the view of an existing IPsec profile, you do not need to specify the IPsec SA setup mode. An IPsec profile is similar to a manual IPsec policy.
  • Page 360: Ipsec Sa Idle-Time

    When IKE negotiates IPsec SAs, it uses the local lifetime settings or those proposed by the peer, whichever are smaller. An IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires when either lifetime expires. Before the IPsec SA expires, IKE negotiates a new IPsec SA, which takes over immediately after its creation.
  • Page 361: Ipsec Transform-Set

    <Sysname> system-view [Sysname] ipsec sa idle-time 600 Related commands • display ipsec sa sa idle-time • ipsec transform-set Use ipsec transform-set to create an IPsec transform set and enter IPsec transform set view. Use undo ipsec transform-set to delete an IPsec transform set. Syntax ipsec transform-set transform-set-name undo ipsec transform-set transform-set-name...
  • Page 362: Pfs

    Syntax local-address { ipv4-address | ipv6 ipv6-address } undo local-address Default The primary IPv4 address of the interface to which the IPsec policy is applied is used as the local IPv4 address, and the first IPv6 address of the interface to which the IPsec policy is applied is used as the local IPv6 address.
  • Page 363: Protocol

    undo pfs Default The PFS feature is disabled for the IPsec transform set. Views IPsec transform set view Predefined user roles network-admin Parameters dh-group1: Uses 768-bit Diffie-Hellman group. dh-group2: Uses 1024-bit Diffie-Hellman group. dh-group5: Uses 1536-bit Diffie-Hellman group. dh-group14: Uses 2048-bit Diffie-Hellman group. dh-group24: Uses 2048-bit and 256-bit subgroup Diffie-Hellman group.
  • Page 364: Qos Pre-Classify

    Views IPsec transform set view Predefined user roles network-admin Parameters ah: Specifies the AH protocol. ah-esp: Specifies using the ESP protocol first and then using the AH protocol. esp: Specifies the ESP protocol. Usage guidelines The two tunnel ends must use the same security protocol in the IPsec transform set. Examples # Specify the AH protocol for the IPsec transform set.
  • Page 365: Remote-Address

    [Sysname-ipsec-policy-manual-policy1-100] qos pre-classify remote-address Use remote-address to configure the remote IP address for the IPsec tunnel. Use undo remote-address to restore the default. Syntax remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address } undo remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address } Default No remote IP address is specified for the IPsec tunnel.
  • Page 366: Reset Ipsec Sa

    # Configure the remote host name test for the IPsec tunnel in the IPsec policy policy1. [Sysname] ipsec policy policy1 1 isakmp [Sysname-ipsec-policy-isakmp-policy1-1] remote-address test # Change the IP address for the host test to 2.2.2.2. [Sysname] ip host test 2.2.2.2 In this case, you must reconfigure the remote host name for the IPsec policy policy1 so that the local end can obtain the latest IP address of the remote host.
  • Page 367 remote: Clears IPsec SAs for the specified remote address. ipv4-address: Specifies a remote IPv4 address. • ipv6 ipv6-address: Specifies a remote IPv6 address. • spi { ipv4-address | ipv6 ipv6-address } { ah | esp } spi-num ]: Clears IPsec SAs for the specified SA triplet: the remote address, the security protocol, and the SPI.
  • Page 368: Reset Ipsec Statistics

    Related commands display ipsec sa reset ipsec statistics Use reset ipsec statistics to clear IPsec packet statistics. Syntax reset ipsec statistics [ tunnel-id tunnel-id ] Views User view Predefined user roles network-admin Parameters tunnel-id tunnel-id: Clears IPsec packet statistics for the specified IPsec tunnel. The value range for the tunnel-id is 0 to 4294967295.
  • Page 369: Sa Hex-Key Authentication

    traffic-based kilobytes: Specifies the traffic-based SA lifetime, in the range of 2560 to 4294967295 kilobytes. Usage guidelines IKE prefers the SA lifetime of the IPsec policy over the global SA lifetime. If the IPsec policy is not configured with the SA lifetime, IKE uses the global SA lifetime configured by the ipsec sa global-duration command for SA negotiation.
  • Page 370: Sa Hex-Key Encryption

    outbound: Specifies a hexadecimal authentication key for outbound SAs. ah: Uses AH. esp: Uses ESP. cipher key-value: Sets a ciphertext authentication key, a case-sensitive string of 1 to 85 characters. simple key-value: Sets a plaintext authentication key. The key-value argument is case insensitive and must be a 16-byte hexadecimal string for HMAC-MD5, and a 20-byte hexadecimal string for HMAC-SHA1.
  • Page 371 Views IPsec policy view, IPsec profile view Predefined user roles network-admin Parameters inbound: Specifies a hexadecimal encryption key for inbound SAs. outbound: Specifies a hexadecimal encryption key for outbound SAs. esp: Uses ESP. cipher key-value: Sets a ciphertext encryption key, a case-sensitive string of 1 to 117 characters. simple key-value: Sets a plaintext encryption key.
  • Page 372: Sa Idle-Time

    sa idle-time Use sa idle-time to set the IPsec SA idle timeout for an IPsec policy or IPsec policy template. If no traffic matches an IPsec SA within the idle timeout interval, the IPsec SA is deleted. Use undo sa idle-time to restore the default. Syntax sa idle-time seconds undo sa idle-time...
  • Page 373: Sa String-Key

    undo sa spi { inbound | outbound } { ah | esp } Default No SPI is configured for IPsec SAs. Views IPsec policy view, IPsec profile view Predefined user roles network-admin Parameters inbound: Specifies an SPI for inbound SAs. outbound: Specifies an SPI for outbound SAs.
  • Page 374 undo sa string-key { inbound | outbound } { ah | esp } Default No key string is configured for IPsec SAs. Views IPsec policy view, IPsec profile view Predefined user roles network-admin Parameters inbound: Sets a key string for inbound IPsec SAs. outbound: Sets a key string for outbound IPsec SAs.
  • Page 375: Security Acl

    • sa hex-key security acl Use security acl to reference an ACL for an IPsec policy or IPsec policy template. Use undo security acl to remove the ACL referenced by an IPsec policy or IPsec policy template. Syntax security acl [ ipv6 ] { acl-number | name acl-name } [ aggregation | per-host ] undo security acl Default An IPsec policy or IPsec policy template references no ACL.
  • Page 376: Transform-Set

    <Sysname> system-view [Sysname] acl number 3001 [Sysname-acl-adv-3001] rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [Sysname-acl-adv-3001] quit [Sysname] ipsec policy policy1 100 manual [Sysname-ipsec-policy-manual-policy1-100] security acl 3001 Related commands display ipsec sa • display ipsec tunnel • transform-set Use transform-set to reference an IPsec transform set for an IPsec policy, IPsec policy template, or IPsec profile.
  • Page 377 Examples # Reference the IPsec transform set prop1 for the IPsec policy policy1. <Sysname> system-view [Sysname] ipsec transform-set prop1 [Sysname-ipsec-transform-set-prop1] quit [Sysname] ipsec policy policy1 100 manual [Sysname-ipsec-policy-manual-policy1-100] transform-set prop1 Related commands ipsec { ipv6-policy | policy } (system view) •...
  • Page 378: Ike Commands

    IKE commands IKE commands are supported only when the switch is operating in FIPS mode. For more information about FIPS mode, see Security Configuration Guide. authentication-algorithm Use authentication-algorithm to specify an authentication algorithm for an IKE proposal. Use undo authentication-algorithm to restore the default. Syntax In non-FIPS mode: authentication-algorithm { md5 | sha }...
  • Page 379: Authentication-Method

    authentication-method Use authentication-method to specify an authentication method to be used in an IKE proposal. Use undo authentication-method to restore the default. Syntax authentication-method { dsa-signature | pre-share | rsa-signature } undo authentication-method Default The IKE proposal uses the pre-shared key as the authentication method. Views IKE proposal view Predefined user roles...
  • Page 380: Certificate Domain

    certificate domain Use certificate domain to specify a PKI domain for IKE signatures. Use undo certificate domain to remove the specified PKI domain configuration. Syntax certificate domain domain-name undo certificate domain domain-name Default No PKI domain is specified for IKE negotiation. Views IKE profile view Predefined user roles...
  • Page 381 Use dh to specify the DH group to be used in key negotiation phase 1 for an IKE proposal. Use undo dh to restore the default. Syntax In non-FIPS mode: dh { group1 | group14 | group2 | group24 | group5 } undo dh In FIPS mode: dh group14...
  • Page 382: Display Ike Proposal

    Related commands display ike proposal display ike proposal Use display ike proposal to display configuration information about all IKE proposals. Syntax display ike proposal Views Any view Predefined user roles network-admin network-operator Usage guidelines This command displays the configuration information about all IKE proposals in the descending order of proposal priorities.
  • Page 383: Display Ike Sa

    Field Description Duration (seconds) IKE SA lifetime (in seconds) of the IKE proposal Related commands ike proposal display ike sa Use display ike sa to display information about the current IKE SAs. Syntax display ike sa [ verbose [ connection-id connection-id | remote-address [ ipv6 ] remote-address [ vpn-instance vpn-name ] ] ] Views Any view...
  • Page 384 Table 47 Command output Field Description Connection-ID Identifier of the IKE SA. Remote Remote IP address of the SA. Status of the SA: • RD (READY)—The SA has been established. • RL (REPLACED)—The tunnel has been replaced by a new one and will be deleted later. Flags •...
  • Page 385 Transmitting entity: Initiator --------------------------------------------- Local IP: 4.4.4.4 Local ID type: IPV4_ADDR Local ID: 4.4.4.4 Remote IP: 4.4.4.5 Remote ID type: IPV4_ADDR Remote ID: 4.4.4.5 Authentication-method: PRE-SHARED-KEY Authentication-algorithm: HASH-SHA1 Encryption-algorithm: AES-CBC-192 Life duration(sec): 86400 Remaining key duration(sec): 86379 Exchange-mode: Main Diffie-Hellman group: Group 14 NAT traversal: Not detected Table 48 Command output Field...
  • Page 386: Dpd

    Field Description Exchange-mode IKE negotiation mode in phase 1, main mode or aggressive mode. Diffie-Hellman group DH group used for key negotiation in IKE phase 1. NAT traversal Whether NAT traversal is detected. Use dpd to enable the device to send DPD messages. Use undo dpd to disable the IKE DPD function.
  • Page 387: Encryption-Algorithm

    Examples # Configure DPD to be triggered every 10 seconds and every 5 seconds between retries if the peer does not respond. <Sysname> system-view [Sysname] ike profile 1 [Sysname-ike-profile-1] dpd interval 10 retry 5 on-demand Related commands ike dpd encryption-algorithm Use encryption-algorithm to specify an encryption algorithm for an IKE proposal.
  • Page 388: Exchange-Mode

    des-cbc: Uses the DES algorithm in CBC mode as the encryption algorithm. The DES algorithm uses a 56-bit key for encryption. Usage guidelines Different algorithms provide different levels of protection. Generally, an algorithm with a longer key is stronger. A stronger algorithm provides more resistance to decryption but uses more resources. The algorithm strength from low to high is des-cbc, 3des-cbc, aes-cbc-128, aes-cbc-192, and aes-cbc-256.
  • Page 389: Ike Dpd

    When the user (for example, a dial-up user) at the local end of an IPsec tunnel obtains an IP address automatically and pre-shared key authentication is used, HP recommends that you set the IKE negotiation mode to aggressive at the local end.
  • Page 390: Ike Identity

    Usage guidelines DPD is triggered periodically or on demand. The on-demand mode is recommended when the device communicates with a large number of IKE peers. For earlier detection of dead peers, use the periodic triggering mode, which consumes more bandwidth and CPU. When DPD settings are configured in both IKE profile view and system view, the DPD settings in IKE profile view apply.
  • Page 391: Ike Invalid-Spi-Recovery Enable

    user-fqdn user-fqdn-name : Uses the user FQDN name as the identity. The user-fqdn-name argument is a case-sensitive string of 1 to 255 characters, for example, abc@test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the user FQDN. Usage guidelines The global identity can be used by the device for all IKE SA negotiations, and the local identity (set by the local-identity command) can be used only by the device that uses the IKE profile.
  • Page 392: Ike Keepalive Interval

    cannot find an SA, an invalid SPI is encountered. The peer drops the data packet and tries to send an SPI invalid notification to the data originator. This notification is sent by using the IKE SA. When no IKE SA is available, the notification is not sent.
  • Page 393: Ike Keepalive Timeout

    <Sysname> system-view [Sysname] ike keepalive-timer interval 200 Related commands ike keepalive timeout ike keepalive timeout Use ike keepalive timeout to set the IKE keepalive timeout time. Use undo ike keepalive timeout to restore the default. Syntax ike keepalive timeout seconds undo ike keepalive timeout Default The negotiated aging time for the IKE SA applies.
  • Page 394: Ike Limit

    Use undo ike keychain to delete an IKE keychain. Syntax ike keychain keychain-name [ vpn-instance vpn-name ] undo ike keychain keychain-name [ vpn-instance vpn-name ] Default No IKE keychain is configured. Views System view Predefined user roles network-admin Parameters keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters. vpn-instance vpn-name: Specifies the MPLS L3VPN to which the IKE keychain belongs.
  • Page 395: Ike Nat-Keepalive

    Views System view Predefined user roles network-admin Parameters max-negotiating-sa negotiation-limit: Specifies the maximum number of half-open IKE SAs. The value range is 1 to 99999. max-sa sa-limit: Specifies the maximum number of established IKE SAs. The value range is 1 to 99999. Usage guidelines The supported maximum number of half-open IKE SAs depends on the device's processing capability.
  • Page 396: Ike Profile

    Parameters seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 300. Usage guidelines This command takes effect only for a device behind a NAT server. When the device resides behind a NAT server, the IKE gateway behind the NAT server needs to send NAT keepalive packets to its peer IKE gateway to keep the NAT session alive.
  • Page 397 Syntax ike proposal proposal-number undo ike proposal proposal-number Default The system has an IKE proposal that is used as the default IKE proposal. This proposal has the lowest priority and uses the following settings: Encryption algorithm—DES-CBC in non-FIPS mode and AES-CBC-128 in FIPS mode. •...
  • Page 398: Ike Signature-Identity From-Certificate

    Related commands display ike proposal ike signature-identity from-certificate Use ike signature-identity from-certificate to configure the local device to always obtain the identity information from the local certificate for signature authentication. Use undo ike signature-identity from-certificate to restore the default. Syntax ike signature-identity from-certificate undo ike signature-identity from-certificate Default...
  • Page 399: Keychain

    Syntax inside-vpn vpn-instance vpn-name undo inside-vpn Default No inside VPN instance is specified for an IKE profile, and the device forwards protected data to the VPN instance with the same name as the VPN instance on the external network. Views IKE profile view Predefined user roles network-admin...
  • Page 400: Local-Identity

    Parameters keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters. Usage guidelines An IKE profile can reference up to six IKE keychains. An IKE keychain specified earlier has a higher priority. Examples # Specify IKE profile 1 for IKE keychain abc. <Sysname>...
  • Page 401: Match Local Address (Ike Keychain View)

    user-fqdn user-fqdn-name: Uses a user FQDN as the local ID. The user-fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as abc@test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the user FQDN. Usage guidelines An IKE profile can have only one local ID.
  • Page 402: Match Local Address (Ike Profile View)

    Parameters interface-type interface-number: Specifies a local interface. It can be any Layer 3 interface. ipv4-address: Specifies the IPv4 address of a local interface. ipv6 ipv6-address: Specifies the IPv6 address of a local interface. vpn-instance vpn-name: Specifies the MPLS L3VPN to which the IPv4 or IPv6 address belongs. The vpn-name argument is a case-sensitive string of 1 to 31 characters.
  • Page 403: Match Remote

    Predefined user roles network-admin Parameters interface-type interface-number: Specifies a local interface. It can be any Layer 3 interface. ipv4-address: Specifies the IPv4 address of a local interface. ipv6 ipv6-address: Specifies the IPv6 address of a local interface. vpn-instance vpn-name: Specifies the MPLS L3VPN to which the IPv4 or IPv6 address belongs. The vpn-name argument is a case-sensitive string of 1 to 31 characters.
  • Page 404 undo match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } } Default No peer ID is configured.
  • Page 405: Pre-Shared-Key

    For an IKE profile, you can configure multiple peer IDs. A peer ID configured earlier has a higher priority. Examples # Create IKE profile prof1. <Sysname> system-view [Sysname] ike profile prof1 # Configure a peer ID with the identity type of FQDN and the value of www.test.com. [Sysname-ike-profile-prof1] match remote identity fqdn www.test.com # Configure a peer ID with the identity type of IP address and the value of 10.1.1.1.
  • Page 406: Priority (Ike Keychain View)

    key: Specifies a pre-shared key. simple: Specifies a pre-shared key in plain text. simple-key: Specifies a plaintext key string. In non-FIPS mode, it is a case-sensitive string of 1 to 128 characters. In FIPS mode, it is a case-sensitive string of 15 to 128 characters, and the string must contain 4 types of characters: digits, uppercase letters, lowercase letters, and special characters.
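As an added example (not HP's code and not part of the manual), the following Python checks the two manual key rules quoted on this page: the sa hex-key authentication key length on page 370 (16-byte hex for HMAC-MD5 and 20-byte hex for HMAC-SHA1, read here as 32 and 40 hex digits) and the pre-shared-key length and, in FIPS mode, four-character-type rule above. The function names and the mapping of "byte" to two hex digits are assumptions.

```python
"""Offline validator for manual IPsec authentication keys and IKE pre-shared
keys, following the length and character-type rules quoted in the HP 5920/5900
Security Command Reference. Added example; not HP code."""
import re
import string

# Raw key length in bytes required by "sa hex-key authentication ... simple".
# The manual states 16 bytes for HMAC-MD5 and 20 bytes for HMAC-SHA1; we assume
# each byte is written as two hex digits.
HEX_KEY_BYTES = {"hmac-md5": 16, "hmac-sha1": 20}


def check_hex_key(algorithm: str, key_value: str) -> list:
    """Return the problems found with a plaintext hex key (empty list if OK)."""
    alg = algorithm.lower()
    if alg not in HEX_KEY_BYTES:
        return [f"unknown authentication algorithm {algorithm!r}"]
    # Reject anything that is not a non-empty hexadecimal string.
    if not re.fullmatch(r"[0-9A-Fa-f]+", key_value or ""):
        return ["key is not a hexadecimal string"]
    expected_digits = HEX_KEY_BYTES[alg] * 2
    if len(key_value) != expected_digits:
        return [f"{alg} needs {HEX_KEY_BYTES[alg]} bytes ({expected_digits} hex "
                f"digits), got {len(key_value)} hex digits"]
    return []


def check_pre_shared_key(simple_key: str, fips_mode: bool) -> list:
    """Check a plaintext pre-shared key: 1-128 chars in non-FIPS mode,
    15-128 chars with all four character types in FIPS mode."""
    problems = []
    minimum = 15 if fips_mode else 1
    if not minimum <= len(simple_key) <= 128:
        problems.append(f"length {len(simple_key)} outside {minimum}-128")
    if fips_mode:
        # Each of the four classes the manual names must be present.
        classes = {
            "digits": any(c.isdigit() for c in simple_key),
            "uppercase": any(c.isupper() for c in simple_key),
            "lowercase": any(c.islower() for c in simple_key),
            "special": any(c in string.punctuation for c in simple_key),
        }
        missing = [name for name, present in classes.items() if not present]
        if missing:
            problems.append("FIPS mode requires all four character types; "
                            "missing: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    # Constructed sample values, not keys from the manual.
    print(check_hex_key("hmac-sha1", "ab" * 16))        # wrong length for SHA1
    print(check_pre_shared_key("aaaaaaaaaaaaaaaa", True))  # lacks 3 classes
```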
  • Page 407: Priority (Ike Profile View)

    Predefined user roles network-admin Parameters priority number: Specifies a priority number in the range of 1 to 65535. The lower the priority number, the higher the priority. Usage guidelines To determine the priority of an IKE keychain, the device first checks whether the match local address command is configured for the keychain, and only then compares priority numbers.
  • Page 408: Proposal

    Examples # Set the priority to 10 for IKE profile prof1. <Sysname> system-view [Sysname] ike profile prof1 [Sysname-ike-profile-prof1] priority 10 proposal Use proposal to specify the IKE proposals for an IKE profile to reference. Use undo proposal to remove the IKE proposal references. Syntax proposal proposal-number&<1-6>...
  • Page 409: Sa Duration

    Syntax reset ike sa [ connection-id connection-id ] Views User view Predefined user roles network-admin Parameters connection-id connection-id: Specifies the connection ID of the IKE SA to be cleared, in the range 1 to 2000000000. Usage guidelines When you delete an IKE SA, the device automatically sends a notification to the peer. Examples # Display the current IKE SAs.
  • Page 410 Default The IKE SA lifetime is 86400 seconds. Views IKE proposal view Predefined user roles network-admin Parameters seconds: Specifies the IKE SA lifetime in seconds, in the range of 60 to 604800. Usage guidelines If the communicating peers are configured with different IKE SA lifetime settings, the smaller one takes effect.
  • Page 411: Support And Other Resources

    Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. •...
  • Page 412: Conventions

    Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...
  • Page 413 Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 414: Index

    Index A B C D E F G H I K L M N O P Q R S T U V W authorization-attribute,22 access-limit enable,1 accounting command,2 bind-attribute,23 accounting default,2 bye,239 accounting lan-access,4 accounting login,5 identifier,173 accounting-on enable,33 cd,240 authentication-algorithm,313 cdup,240 arp active-ack...
  • Page 415 display ip source binding,280 dot1x port-method,101 display ip urpf,308 dot1x quiet-period,102 display ipsec { ipv6-policy | policy },315 dot1x re-authenticate,103 display ipsec { ipv6-policy-template | dot1x retry,103 policy-template },319 dot1x timer,104 display ipsec profile,321 dot1x unicast-trigger,106 display ipsec sa,322 dpd,374 display ipsec statistics,326 display ipsec...
  • Page 416 urpf,307 match local address (IKE profile view),390 ip verify source,284 match remote,391 ipsec { ipv6-policy | policy } (interface view),341 mkdir,247 ipsec { ipv6-policy | policy } (system view),341 ipsec { ipv6-policy | policy } isakmp template,343 nas-ip (HWTACACS scheme view),66 ipsec { ipv6-policy | policy } local-address,344...
  • Page 417 pki-domain (SSL server policy view),271 reset arp detection statistics,302 port-security authorization ignore,122 reset dot1x statistics,107 port-security enable,123 reset hwtacacs statistics,71 port-security intrusion-mode,124 reset ike sa,396 port-security mac-address security,125 reset ip source binding,287 port-security max-mac-count,127 reset ipsec sa,354 port-security ntk-mode,127 reset ipsec statistics,356 port-security oui,128...
  • Page 418 sftp ipv6,259 sftp server enable,230 timer quiet (HWTACACS scheme view),77 sftp server idle-timeout,231 timer quiet (RADIUS scheme view),56 source,224 timer realtime-accounting (HWTACACS scheme ssh client ipv6 source,261 view),77 ssh client source,262 timer realtime-accounting (RADIUS scheme view),56 ssh server acl,232 timer response-timeout (HWTACACS scheme view),78 ssh server authentication-retries,234...
