HP A-U200 Unified Threat Management Products Access Control Command Reference
Part number: 5998-2676
Software version: R5116P20
Document version: 6PW100-20111216...
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
ACL configuration commands

Syntax
acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
undo acl { all | name acl-name | number acl-number }

View
System view

Default level
2: System level

Parameters
number acl-number: Specifies the number of an IPv4 access control list (ACL): •...
[Sysname-acl-basic-2000]
# Create IPv4 basic ACL 2001 with the name flow, and enter its view.
<Sysname> system-view
[Sysname] acl number 2001 name flow
[Sysname-acl-basic-2001-flow]

acl copy

Syntax
acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }

View
System view

Default level...
acl name

Syntax
acl name acl-name

View
System view

Default level
2: System level

Parameters
acl-name: Specifies an IPv4 ACL name, a case-insensitive string of 1 to 32 characters. It must start with an English letter. The IPv4 ACL must already exist.

Description
Use the acl name command to enter the view of an IPv4 ACL that has a name.
[Sysname] acl number 2000
[Sysname-acl-basic-2000] description This is an IPv4 basic ACL.

display acl

Syntax
display acl { acl-number | all | name acl-name }

View
Any view

Default level
1: Monitor level

Parameters
acl-number: Specifies an ACL by its number: 2000 to 2999 for IPv4 basic ACLs •...
Field  Description
named flow: The name of the ACL is flow. "-none-" means the ACL is not named.
3 rules: The ACL contains three rules.
match-order is auto: The match order for the ACL is auto, which sorts ACL rules in depth-first order. This field is not present when the match order is config.
Table 2 Output description
Field  Description
Current time: Current system time
Time-range: Configuration and status of the time range, including its name, status (active or inactive), and start time and end time.

reset acl counter

Syntax
reset acl counter { acl-number | all | name acl-name }

View
User view

Default level...
Default level
2: System level

Parameters
rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0.
Parameters  Function  Description
dscp dscp: Specifies a DSCP priority. The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).
Parameters  Function  Description
{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn ...: Specifies one or more TCP flags including ACK, FIN, ... Parameters specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). For example, a rule configured with ack 1 psh 0 may match...
Description Use the rule command to create or edit an IPv4 advanced ACL rule. You can edit ACL rules only when the match order is config. Use the undo rule command to delete an entire IPv4 advanced ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule.
undo rule rule-id [ fragment | logging | source | time-range | vpn-instance ] *

View
IPv4 basic ACL view

Default level
2: System level

Parameters
rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID.
Parameters
step-value: ACL rule numbering step, in the range of 1 to 20.

Description
Use the step command to set a rule numbering step for an ACL. The rule numbering step sets the increment by which the system numbers rules automatically. For example, the default ACL rule numbering step is 5.
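The automatic rule-ID assignment described above (nearest higher multiple of the numbering step above the current highest rule ID, starting from 0, within the 0 to 65534 range) is easy to get wrong when auditing an ACL offline. The following Python model is an added example, not code from the HP reference or from the device; the class and method names (Acl, add_rule, next_rule_id) are this example's own, and only the ID bookkeeping is modelled, not rule matching.

```python
"""Added example: model of automatic ACL rule-ID assignment.

Rule from the reference: when `rule` is entered without a rule-id, the
system assigns the nearest multiple of the numbering step that is higher
than the current highest rule ID, starting from 0 for an empty ACL.
Rule IDs are limited to 0..65534 and the step to 1..20.
"""
from typing import Dict, Optional

MAX_RULE_ID = 65534   # upper bound of the rule-id range given in the reference


class Acl:
    """Minimal ACL rule table (hypothetical helper; not the device's code)."""

    def __init__(self, step: int = 5) -> None:
        if not 1 <= step <= 20:
            raise ValueError("step must be in the range 1 to 20")
        self.step = step
        self.rules: Dict[int, str] = {}   # rule-id -> rule text

    def next_rule_id(self) -> int:
        """ID the system would assign to a rule created without a rule-id."""
        if not self.rules:
            return 0
        highest = max(self.rules)
        # Nearest multiple of the step strictly above the highest existing ID.
        candidate = (highest // self.step + 1) * self.step
        if candidate > MAX_RULE_ID:
            raise OverflowError("no automatic rule ID left below 65534")
        return candidate

    def add_rule(self, text: str, rule_id: Optional[int] = None) -> int:
        """Create (or overwrite) a rule; omit rule_id for automatic numbering."""
        if rule_id is None:
            rule_id = self.next_rule_id()
        elif not 0 <= rule_id <= MAX_RULE_ID:
            raise ValueError("rule-id must be in the range 0 to 65534")
        self.rules[rule_id] = text
        return rule_id


def demo() -> Dict[int, str]:
    """Constructed walk-through with the default step of 5."""
    acl = Acl(step=5)
    acl.add_rule("permit source 10.0.0.0 0.255.255.255")        # -> 0
    acl.add_rule("deny any")                                      # -> 5
    acl.add_rule("permit source 192.168.1.0 0.0.0.255", rule_id=12)
    acl.add_rule("deny source 172.16.0.0 0.15.255.255")          # -> 15, not 17
    return acl.rules


if __name__ == "__main__":
    for rid, text in sorted(demo().items()):
        print(f"rule {rid} {text}")
```

Note that an explicitly chosen ID such as 12 is not a multiple of the step; the next automatic ID is still the next multiple of the step above it (15), which is why rule IDs in a config dump can look irregular after manual edits.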
• off-day for Saturday and Sunday.
• daily for the whole week.
from time1 date1: Specifies the start time and date of an absolute statement. The time1 argument specifies the time of the day in hh:mm format (24-hour clock). Its value is in the range of 00:00 to 23:59. The date1 argument specifies a date in MM/DD/YYYY or YYYY/MM/DD format, where MM is the month of the year in the range of 1 to 12, DD is the day of the month with the range depending on MM, and YYYY is the year in the calendar in the range of 1970 to 2100.
# Create a compound time range t3, setting it to be active from 08:00 to 12:00 on Saturdays and Sundays of the year 2010.
<Sysname> system-view
[Sysname] time-range t3 8:0 to 12:0 off-day from 0:0 1/1/2010 to 23:59 12/31/2010
# Create a compound time range t4, setting it to be active from 10:00 to 12:00 on Mondays and from 14:00 to 16:00 on Wednesdays in the period of January through June of the year 2010.
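A time-range-based ACL is only as safe as the operator's understanding of when it is active, so it helps to be able to evaluate a statement like the t3 command above against a timestamp offline. The following Python parser and evaluator is an added example, not the device's implementation and not from the HP reference. It assumes the semantics that a compound time range is active when at least one periodic statement matches and the instant falls inside an absolute statement; off-day and daily follow the definitions given above, while working-day (Monday to Friday) and explicit day names are assumptions, since those keywords are cut off on this page. Dates are accepted in MM/DD/YYYY or YYYY/MM/DD format as the parameter description states.

```python
"""Added example: parse a `time-range` command and test whether it is active.

Assumptions (not from the reference): a compound time range is active when
any periodic statement matches AND the instant lies inside an absolute
statement; working-day and weekday names are supported as assumed keywords.
"""
import re
from datetime import date, datetime, time
from typing import List, Set, Tuple

TIME_RE = re.compile(r"^\d{1,2}:\d{1,2}$")
DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_KEYWORDS = {
    "off-day": {5, 6},                 # Saturday and Sunday (datetime.weekday numbering)
    "daily": set(range(7)),            # whole week
    "working-day": {0, 1, 2, 3, 4},    # assumed: Monday to Friday (keyword not on this page)
}


def parse_time(text: str) -> time:
    """hh:mm on a 24-hour clock; leading zeros optional (8:0 == 08:00)."""
    hour, minute = (int(part) for part in text.split(":"))
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError(f"time out of range: {text}")
    return time(hour, minute)


def parse_date(text: str) -> date:
    """MM/DD/YYYY or YYYY/MM/DD; the year must be 1970..2100, DD must fit the month."""
    a, b, c = (int(part) for part in text.split("/"))
    year, month, day = (a, b, c) if a > 31 else (c, a, b)
    if not 1970 <= year <= 2100:
        raise ValueError(f"year out of range: {text}")
    return date(year, month, day)       # raises ValueError for an invalid DD


class TimeRange:
    def __init__(self, name: str) -> None:
        self.name = name
        self.periodic: List[Tuple[time, time, Set[int]]] = []
        self.absolute: List[Tuple[datetime, datetime]] = []

    def is_active(self, when: datetime) -> bool:
        """True when the range is active at the given instant (inclusive bounds)."""
        if self.absolute and not any(s <= when <= e for s, e in self.absolute):
            return False
        if not self.periodic:
            return bool(self.absolute)
        return any(start <= when.time() <= end and when.weekday() in days
                   for start, end, days in self.periodic)


def parse_time_range(command: str) -> TimeRange:
    """Parse one `time-range name ...` command line into a TimeRange."""
    tokens = command.split()
    if len(tokens) < 2 or tokens[0] != "time-range":
        raise ValueError("expected: time-range name ...")
    tr = TimeRange(tokens[1])
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "from":                                   # absolute statement
            if tokens[i + 3] != "to":
                raise ValueError("absolute statement needs 'to'")
            start = datetime.combine(parse_date(tokens[i + 2]), parse_time(tokens[i + 1]))
            end = datetime.combine(parse_date(tokens[i + 5]), parse_time(tokens[i + 4]))
            tr.absolute.append((start, end))
            i += 6
        elif TIME_RE.match(tok) and tokens[i + 1] == "to":  # periodic statement
            start, end = parse_time(tok), parse_time(tokens[i + 2])
            i += 3
            days: Set[int] = set()
            while i < len(tokens) and (tokens[i] in DAY_KEYWORDS or tokens[i].lower() in DAY_NAMES):
                days |= DAY_KEYWORDS.get(tokens[i]) or {DAY_NAMES.index(tokens[i].lower())}
                i += 1
            if not days:
                raise ValueError("periodic statement needs at least one day")
            tr.periodic.append((start, end, days))
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return tr


if __name__ == "__main__":
    # The t3 command from the reference, checked on a Saturday morning in 2010.
    t3 = parse_time_range("time-range t3 8:0 to 12:0 off-day from 0:0 1/1/2010 to 23:59 12/31/2010")
    print(t3.name, t3.is_active(datetime(2010, 1, 2, 9, 0)))
```

Running the t3 line through the parser shows the two conditions combining: a Saturday at 09:00 in 2010 is active, the same time on a Monday is not, and a Saturday in 2011 is not because the absolute statement has expired.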
Default level
2: System level

Parameters
vd-name vd-name: Displays the relationship table entries of the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be numerals, letters and underlines.

Description
Use the display session relation-table command to display relationship table entries.
View
Any view

Default level
2: System level

Parameters
vd-name vd-name: Displays the session statistics of the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be numerals, letters and underlines.
Field  Description
Current TCP session(s): Number of TCP sessions
Half-Open: Number of TCP sessions in the half-open state
Half-Close: Number of TCP sessions in the half-close state
Current UDP session(s): Number of UDP sessions
Current ICMP session(s): Number of ICMP sessions
Current RAWIP session(s): Number of Raw IP sessions
Current relation table(s)
verbose: Displays detailed information about sessions. Without this keyword, the command displays brief information about the specified sessions.

Description
Use the display session table command to display information about sessions. If no argument is specified, the command displays all sessions. •...
Pro: TCP(6) App: TELNET State: TCP-EST
Start time: 2009-03-17 09:30:33 TTL: 3600s
Root Zone(in): Management Zone(out): Local
Received packet(s)(Init): 1173 packet(s) 47458 byte(s)
Received packet(s)(Reply): 1168 packet(s) 61845 byte(s)
Total find: 2
Table 9 Output description
Field  Description
Initiator: Session information of the initiator
Responder: Session information of the responder
Transport layer protocol, TCP, UDP, ICMP, or Raw IP...
Default level
2: System level

Parameters
vd-name vd-name: Clears the session statistics of the specified virtual device. The vd-name argument specifies the name of a virtual device. It is a case-insensitive string of 1 to 20 characters, which can be numerals, letters and underlines.
Use the undo session aging-time command to restore the default. If no keyword is specified, the command restores the session aging times for all protocol states to the defaults. The default value is 30 seconds.

Examples
# Set the aging time for TCP sessions in the SYN_SENT or SYN_RCV state to 60 seconds.
<Sysname>...
Parameters
acl-number: ACL number, in the range 2000 to 3999.
aging-time time-value: Specifies the aging time for persistent sessions, in hours. The value of the time-value argument is in the range of 0 to 360 and defaults to 24. A value of 0 means the persistent sessions are never aged.
Connection limit configuration commands

connection-limit apply policy

Syntax
connection-limit apply policy policy-number
undo connection-limit apply policy policy-number

View
System view

Default level
2: System level

Parameters
policy-number: Number for an existing connection limit policy, which can only be 0.

Description
Use the connection-limit apply policy command to apply a connection limit policy.
Description Use the connection-limit policy command to create a connection limit policy and enter connection limit policy view. Use the undo connection-limit policy command to delete a specific or all connection limit policies. A connection limit policy contains a set of rules that limit the number of connections of a specific user. By default, a connection limit policy uses the default connection limit settings.
Connection-limit policy 0, refcount 1, 2 limits
 limit 0 source any amount dns 100 http 200 tcp 300 other 400 rate 100 shared
 limit 1 source 1.1.1.0 24 amount tcp 100 bandwidth 200 shared
# Display information about all connection limit policies.
<Sysname>...
Therefore, take the match order into consideration when assigning rule IDs. HP recommends arranging the rules by limit granularity and limit range in ascending order.
Field  Description
Author ACL: Authorization ACL of portal ACL. It is displayed only when the Type field has a value of dynamic.
Number: Authorization ACL number assigned by the server. None indicates that the server did not assign any ACL.

display portal connection statistics

Syntax
display portal connection statistics { all | interface interface-type interface-number }...
MSG_LOGOUT_ACK
MSG_LEAVING_ACK
MSG_CUT_REQ
MSG_AUTH_REQ
MSG_LOGIN_REQ
MSG_LOGOUT_REQ
MSG_LEAVING_REQ
MSG_ARPPKT
MSG_TMR_REQAUTH
MSG_TMR_AUTHEN
MSG_TMR_AUTHOR
MSG_TMR_LOGIN
MSG_TMR_LOGOUT
MSG_TMR_LEAVING
MSG_TMR_NEWIP
MSG_TMR_USERIPCHANGE
MSG_PORT_REMOVE
MSG_VLAN_REMOVE
MSG_IF_REMOVE
MSG_L3IF_SHUT
MSG_IP_REMOVE
MSG_ALL_REMOVE
MSG_IFIPADDR_CHANGE
MSG_SOCKET_CHANGE
MSG_NOTIFY
MSG_SETPOLICY
MSG_SETPOLICY_RESULT
Table 12 Output description
Field  Description
User state statistics: Statistics on portal users
State-Name: Name of a user state
User-Num...
Field  Description
Message statistics: Statistics on messages
Msg-Name: Message type
Total: Total number of messages
Number of erroneous messages
Discard: Number of discarded messages
MSG_AUTHEN_ACK: Authentication acknowledgment message
MSG_AUTHOR_ACK: Authorization acknowledgment message
MSG_LOGIN_ACK: Accounting acknowledgment message
MSG_LOGOUT_ACK: Accounting-stop acknowledgment message
MSG_LEAVING_ACK: Leaving acknowledgment message
MSG_CUT_REQ...
display portal free-rule

Syntax
display portal free-rule [ rule-number ]

View
Any view

Default level
1: Monitor level

Parameters
rule-number: Number of a portal-free rule, in the range of 0 to 15.

Description
Use the display portal free-rule command to display information about a specific portal-free rule or all portal-free rules.
display portal interface

Syntax
display portal interface interface-type interface-number

View
Any view

Default level
1: Monitor level

Parameters
interface-type interface-number: Specifies an interface by its type and number.

Description
Use the display portal interface command to display the portal configuration of an interface.

Examples
# Display the portal configuration of interface GigabitEthernet 0/0.
display portal server

Syntax
display portal server [ server-name ]

View
Any view

Default level
1: Monitor level

Parameters
server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters.

Description
Use the display portal server command to display information about a specific portal server or all portal servers.
Default level
1: Monitor level

Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.

Description
Use the display portal server statistics command to display portal server statistics on a specific interface or all interfaces. Note that with the all keyword specified, the command displays portal server statistics by interface and therefore statistics about a portal server referenced by more than one interface may be displayed repeatedly.
Field  Description
ACK_CHALLENGE: Challenge acknowledgment message the access device sends to the portal server
REQ_AUTH: Authentication request message the portal server sends to the access device
ACK_AUTH: Authentication acknowledgment message the access device sends to the portal server
REQ_LOGOUT: Logout request message the portal server sends to the access device
ACK_LOGOUT: Logout acknowledgment message the access device sends to the portal server
Affirmation message the portal server sends to the access device after...
Packets Sent: 0
Packets Retransmitted: 0
Packets Dropped: 0
HTTP Packets Sent: 0
Connection State:
 SYN_RECVD: 0
 ESTABLISHED: 0
 CLOSE_WAIT: 0
 LAST_ACK: 0
 FIN_WAIT_1: 0
 FIN_WAIT_2: 0
 CLOSING: 0
Table 17 Output description
Field  Description
TCP Cheat Statistic: TCP spoofing statistics
Total Opens: Total number of opened connections
Resets Connections...
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.

Description
Use the display portal user command to display information about portal users on a specific interface or all interfaces.

Examples
# Display information about portal users on all interfaces.
<Sysname>...
portal auth-network

Syntax
portal auth-network network-address { mask-length | mask }
undo portal auth-network { network-address | all }

View
Interface view

Default level
2: System level

Parameters
network-address: IP address of the authentication subnet.
mask-length: Length of the subnet mask, in the range of 0 to 32.
mask: Subnet mask, in dotted decimal notation.
interface interface-type interface-number: Logs out all users on the specified interface.

Description
Use the portal delete-user command to log out users.
Related commands: display portal user.

Examples
# Log out user 1.1.1.1.
<Sysname> system-view
[Sysname] portal delete-user 1.1.1.1

portal domain

Syntax
portal domain domain-name
undo portal domain...
View
System view

Default level
2: System level

Parameters
rule-number: Number for the portal-free rule, in the range of 0 to 15.
any: Imposes no limitation on the previous keyword.
ip ip-address: Specifies an IP address.
mask { mask-length | netmask }: Specifies the mask of the IP address, which can be in dotted decimal notation or an integer in the range of 0 to 32.
View
System view

Default level
2: System level

Parameters
max-number: Maximum number of online portal users allowed in the system.

Description
Use the portal max-user command to set the maximum number of online portal users allowed in the system. Use the undo portal max-user command to restore the default. By default, the maximum number of portal users allowed on the device is 512.
<Sysname> system-view
[Sysname] interface gigabitethernet 0/0
[Sysname-GigabitEthernet0/0] portal nas-id 0002053110000460

portal nas-id-profile

Syntax
portal nas-id-profile profile-name
undo portal nas-id-profile

View
Interface view

Default level
2: System level

Parameters
profile-name: Name of the profile that defines the binding relationship between VLANs and NAS IDs. The profile can be configured by using the aaa nas-id profile command.
Parameters
ip-address: Source IP address to be specified for portal packets. This IP address must be a local IP address, and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

Description
Use the portal nas-ip command to configure the source IP address for portal packets to be sent. Use the undo portal nas-ip command to restore the default.
Using the undo portal server server-name command, you remove the specified portal server if the specified portal server exists and there is no user on the interfaces referencing the portal server. The configured portal server and its parameters can be removed or modified only when the portal server is not referenced by an interface.
reset portal connection statistics

Syntax
reset portal connection statistics { all | interface interface-type interface-number }

View
User view

Default level
1: Monitor level

Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.

Description
Use the reset portal connection statistics command to clear portal connection statistics on a specific interface or all interfaces.
AAA configuration commands

aaa nas-id profile

Syntax
aaa nas-id profile profile-name
undo aaa nas-id profile profile-name

View
System view

Default level
2: System level

Parameters
profile-name: Name of the NAS ID profile, a case-insensitive string of 1 to 16 characters.

Description
Use the aaa nas-id profile command to create a NAS ID profile and enter its view.
Parameters
max-user-number: Maximum number of online users that the ISP domain can accommodate, in the range of 1 to 2147483646.

Description
Use the access-limit enable command to set the maximum number of online users in an ISP domain. After the number of online users reaches the allowed maximum number, no more users will be accepted. Use the undo access-limit enable command to restore the default.
[Sysname] domain test
[Sysname-isp-test] accounting command hwtacacs-scheme hwtac

accounting default

Syntax
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting default

View
ISP domain view

Default level
2: System level

Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a case-insensitive string of 1 to 32 characters.
undo accounting lan-access

View
ISP domain view

Default level
2: System level

Parameters
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a case-insensitive string of 1 to 32 characters.

Description
Use the accounting lan-access command to configure the accounting method for LAN users.
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a case-insensitive string of 1 to 32 characters.

Description
Use the accounting login command to configure the accounting method for login users (users logging in through the console, AUX, or Asyn port or accessing through Telnet).
communication with the current accounting server fails. However, the device will not send real-time accounting updates for the user anymore. The accounting optional feature applies to scenarios where accounting is not important. NOTE: After you configure the accounting optional command, the setting configured by the access-limit command in local user view is not effective.
undo authentication default

View
ISP domain view

Default level
2: System level

Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a case-insensitive string of 1 to 32 characters.

Description
Use the authentication lan-access command to configure the authentication method for LAN users. Use the undo authentication lan-access command to restore the default. By default, the default authentication method for the ISP domain is used for LAN users.
The specified RADIUS or HWTACACS scheme must have been configured.
Related commands: local-user, authentication default, hwtacacs scheme, and radius scheme.

Examples
# Configure ISP domain test to use local authentication for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication login local
# Configure ISP domain test to use RADIUS authentication scheme rd for login users and use local authentication as the backup.
undo authorization command

View
ISP domain view

Default level
2: System level

Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated user can access only commands of Level 0.
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. After passing authentication, non-login users can access the network, FTP users can access the root directory of the device, and other login users can access only the commands of Level 0.
Description
Use the authorization lan-access command to configure the authorization method for LAN users. Use the undo authorization lan-access command to restore the default. By default, the default authorization method for the ISP domain is used for LAN users. The specified RADIUS scheme must have been configured. The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
By default, the default authorization method for the ISP domain is used for login users. The specified RADIUS or HWTACACS scheme must have been configured. The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
Related commands: local-user, authorization default, hwtacacs scheme, and radius scheme.
Examples
# Configure ISP domain test to use local authorization for portal users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization portal local
# Configure ISP domain test to use RADIUS scheme rd for authorization of portal users and use local authorization as the backup.
[Sysname-isp-test] authorization ppp local
# Configure ISP domain test to use RADIUS authorization scheme rd for PPP users and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization ppp radius-scheme rd local

authorization-attribute user-profile

Syntax
authorization-attribute user-profile profile-name
undo authorization-attribute user-profile

View
ISP domain view...
View
System view

Default level
2: System level

Parameters
access-type: Specifies the user connections of the specified access type.
• dot1x: Indicates 802.1X authentication.
• mac-authentication: Indicates MAC address authentication.
• portal: Indicates portal authentication.
all: Specifies all user connections.
domain isp-name: Specifies the user connections of an ISP domain.
• If the username does not contain the character @, the device displays the username in the format username@mandatory authentication domain name.
• If the username contains the character @, the device displays the entered username. For example, if a user entered the username aaa@123 at login and the name of the mandatory authentication domain is dom, the device displays the username aaa@123, rather than aaa@123@dom.
Total 0 connection matched.
Table 19 Output description
Field  Description
Username: Username of the connection, in the format username@domain
MAC address of the user
IPv4 address of the user
Access: User access type
ACL Group: Authorization ACL group. Disable means no authorization ACL group is assigned.
User Profile: Authorization user profile
CAR(kbps)
Default accounting scheme : local
Domain User Template:
 Idle-cut : Disabled
 Self-service : Disabled
 Authorization attributes :

Domain : test
 State : Active
 Access-limit : Disabled
 Accounting method : Required
 Default authentication scheme : local
 Default authorization scheme : local
 Default accounting scheme : local
 Lan-access authentication scheme...
Field  Description
Idle-cut: Indicates whether the idle cut function is enabled. With the idle cut function enabled for a domain, the system logs out any user in the domain whose traffic is less than the specified minimum traffic during the idle timeout period.
Indicates whether the self service function is enabled.
domain default enable

Syntax
domain default enable isp-name
undo domain default enable

View
System view

Default level
3: Manage level

Parameters
isp-name: Name of the ISP domain, a case-insensitive string of 1 to 24 characters.

Description
Use the domain default enable command to specify the default ISP domain. Users without any domain name carried in the usernames are considered to be in the default domain.
flow: Minimum traffic during the idle timeout period in bytes. It ranges from 1 to 10240000 and defaults to 10240.

Description
Use the idle-cut enable command to enable the idle cut function and set the relevant parameters. With the idle cut function enabled for a domain, the device checks the traffic of each online user in the domain at the idle timeout interval, and logs out any user in the domain whose traffic during the idle timeout period is less than the specified minimum traffic.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] ip pool 0 129.102.0.1 129.102.0.10

nas-id bind vlan

Syntax
nas-id nas-identifier bind vlan vlan-id
undo nas-id nas-identifier bind vlan vlan-id

View
NAS ID profile view

Default level
2: System level

Parameters
nas-identifier: NAS ID, a case-sensitive string of 1 to 20 characters.
vlan-id: ID of the VLAN to be bound with the NAS ID, in the range 1 to 4094.
Parameters
url-string: URL of the self-service server, a string of 1 to 64 characters that starts with http:// and contains no question mark. This URL was specified by the RADIUS server administrator during RADIUS server installation.

Description
Use the self-service-url enable command to enable the self-service server location function and specify the URL of the self-service server.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] state block

Local user configuration commands

access-limit

Syntax
access-limit max-user-number
undo access-limit

View
Local user view

Default level
3: Manage level

Parameters
max-user-number: Maximum number of concurrent users of the current local user account, in the range 1 to 1024.
Default level
3: Manage level

Parameters
acl acl-number: Specifies the authorization ACL. The ACL number must be in the range 2000 to 5999. After passing authentication, a local user is authorized to access the network resources specified by this ACL.
callback-number callback-number: Specifies the authorization PPP callback number.
A local user can play only one role at a moment. If you perform the role configuration repeatedly, only the last role configuration takes effect.

Examples
# Configure the authorized VLAN of local user abc as VLAN 2.
<Sysname> system-view
[Sysname] local-user abc
[Sysname-luser-abc] authorization-attribute vlan 2
# Configure the authorized VLAN of user group abc as VLAN 3.
Binding attribute checking does not take the service types of the users into account. A configured binding attribute is effective for all types of users. Be cautious when deciding which binding attributes should be configured for which type of local users. For example, an IP address binding is applicable to only 802.1X authentication that supports IP address upload.
Examples
# Display information about all local users.
<Sysname> display local-user
The contents of local user abc:
 State: Active
 ServiceType: telnet
 Access-limit: Enabled
 Current AccessNum: 0
 Max AccessNum:
 User-group: system
 Bind attributes:
  IP address: 1.2.3.4
  Bind location: 0/4/1 (SLOT/SUBSLOT/PORT)
  MAC address: 0001-0002-0003
  Vlan ID:
 Authorization attributes:...
display user-group

Syntax
display user-group [ group-name ]

View
Any view

Default level
2: System level

Parameters
group-name: User group name, a case-insensitive string of 1 to 32 characters.

Description
Use the display user-group command to display configuration information about one or all user groups. If you do not specify any user group name, the command displays information about all user groups.
and the range of DD depends on the month. Except for the zeros in 00:00:00, leading zeros can be omitted. For example, 2:2:0-2008/2/2 equals 02:02:00-2008/02/02.

Description
Use the expiration-date command to set the expiration time of a local user. Use the undo expiration-date command to remove the configuration.
local-user

Syntax
local-user user-name
undo local-user { user-name | all [ service-type { ftp | lan-access | portal | ppp | ssh | telnet | terminal } ] }

View
System view

Default level
3: Manage level

Parameters
user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name.
View
System view

Default level
2: System level

Parameters
auto: Displays the password of a local user in the mode that is specified for the user by using the password command.
cipher-force: Displays the passwords of all local users in cipher text.

Description
Use the local-user password-display-mode command to set the password display mode for all local users.
must be a string of 1 to 63 characters that contains no blank space, for example, aabbcc. A password in cipher text must be a string of 24 or 88 characters, for example, _(TT8F]Y\5SQ=^Q`MAF4<1!!.

Description
Use the password command to configure a password for a local user and specify whether to display the password in cipher text or plain text.
Description
Use the service-type command to specify the service types that a user can use. Use the undo service-type command to delete one or all service types configured for a user. By default, a user is authorized with no service. You can execute the service-type command repeatedly to specify multiple service types for a user.
View
System view

Default level
3: Manage level

Parameters
group-name: User group name, a case-insensitive string of 1 to 32 characters.

Description
Use the user-group command to create a user group and enter its view. Use the undo user-group command to remove a user group. A user group consists of a group of local users and has a set of local user attributes.
Description
Use the accounting-on enable command to configure the accounting-on feature. This feature enables the device to, after rebooting, automatically send an accounting-on message to the RADIUS accounting server stipulated by the RADIUS scheme to stop accounting for and log out online users. Use the undo accounting-on enable command to disable the accounting-on feature.
Description
Use the display radius scheme command to display the configuration information of RADIUS schemes. If you do not specify any RADIUS scheme, the command displays the configuration information of all RADIUS schemes.
Related commands: radius scheme.

Examples
# Display the configuration information of all RADIUS schemes.
<Sysname>...
Field  Description
Type: Type of the RADIUS server, extended or standard.
Primary Auth Server: Information about the primary authentication server.
Primary Acct Server: Information about the primary accounting server.
Second Auth Server: Information about the secondary authentication server.
Second Acct Server: Information about the secondary accounting server.
display radius statistics

Syntax
display radius statistics

View
Any view

Default level
2: System level

Parameters
None

Description
Use the display radius statistics command to display statistics about RADIUS packets.
Related commands: radius scheme.

Examples
# Display statistics about RADIUS packets.
<Sysname>...
Set policy result
 Num = 0 Err = 0 Succ = 0
RADIUS sent messages statistic:
 Auth accept Num = 10
 Auth reject Num = 14
 EAP auth replying Num = 0
 Account success Num = 4
 Account failure Num = 3
 Server ctrl req Num = 0
 RecError_MSG_sum = 0...
Field Description Succ Number of messages that the device successfully processed Running statistic Statistics for RADIUS messages received and sent by the RADIUS module RADIUS received messages statistic Statistics for received RADIUS messages Normal auth request Counts of normal authentication requests EAP auth request Counts of EAP authentication requests Account request...
display stop-accounting-buffer (for RADIUS) Syntax display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } View Any view Default level 2: System level Parameters radius-scheme radius-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in a RADIUS scheme.
Default level 2: System level Parameters ipv4-address: IPv4 address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address. Description Use the nas-ip command to specify a source IP address for outgoing RADIUS packets. Use the undo nas-ip command to restore the default.
Parameters ipv4-address: IPv4 address of the primary accounting server. port-number: Service port number of the primary accounting server, a UDP port number in the range 1 to 65535. The default is 1813. Description Use the primary accounting command to specify the primary RADIUS accounting server. Use the undo primary accounting command to remove the configuration.
port-number: Service port number of the primary authentication/authorization server, a UDP port number in the range 1 to 65535. The default is 1812. Description Use the primary authentication command to specify the primary RADIUS authentication/authorization server. Use the undo primary authentication command to remove the configuration. By default, no primary RADIUS authentication/authorization server is specified.
When the listening port of the RADIUS client is disabled: • Stop-accounting requests of online users can no longer be sent out or buffered, and the RADIUS server can no longer receive logoff requests from online users. After a user goes offline, the RADIUS server still keeps the user's record for a certain period of time.
Examples # Set the IP address for the device to use as the source address of the RADIUS packets to 129.10.10.1. <Sysname> system-view [Sysname] radius nas-ip 129.10.10.1 radius scheme Syntax radius scheme radius-scheme-name undo radius scheme radius-scheme-name View System view Default level 3: Manage level Parameters...
authentication-server-down: Sends traps when the reachability of the authentication server changes. Description Use the radius trap command to enable the trap function for RADIUS. Use the undo radius trap command to disable the trap function for RADIUS. By default, the trap function is disabled for RADIUS. With the trap function for RADIUS, a NAS sends a trap message in the following cases: •...
Default level 2: System level Parameters radius-scheme radius-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in a RADIUS scheme. The RADIUS scheme name is a case-insensitive string of 1 to 32 characters. session-id session-id: Specifies the stop-accounting requests buffered for a session. The session ID is a string of 1 to 50 characters.
Because RADIUS uses UDP packets to transmit data, the communication is not reliable. If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request. If the number of transmission attempts exceeds the limit but the device still receives no response from the RADIUS server, the device considers the request a failure.
NOTE: The maximum number of accounting attempts, together with some other parameters, controls how the NAS sends accounting request packets. Suppose that the RADIUS server response timeout period is three seconds (set with the timer response-timeout command), the maximum number of RADIUS packet transmission attempts is three (set with the retry command), the real-time accounting interval is 12 minutes (set with the timer realtime-accounting command), and the maximum number of accounting attempts is five (set with the retry realtime-accounting command).
NOTE: The maximum number of stop-accounting attempts, together with some other parameters, controls how the NAS deals with stop-accounting request packets. Suppose that the RADIUS server response timeout period is three seconds (set with the timer response-timeout command), the maximum number of transmission attempts is five (set with the retry command), and the maximum number of stop-accounting attempts is 20 (set with the retry stop-accounting command).
The IP addresses of the primary and secondary accounting servers must be different from each other. Otherwise, the configuration fails. If you remove a secondary accounting server when the device has already sent a start-accounting request to the server, the communication with the secondary server will time out, and the device will look for a server in active state from the primary server on.
Use the undo secondary authentication command to remove a secondary RADIUS authentication/authorization server. By default, no secondary RADIUS authentication/authorization server is specified. You can configure up to 16 secondary RADIUS authentication/authorization servers for a RADIUS scheme by executing this command repeatedly. After the configuration, if the primary server fails, the device looks for a secondary server in active state (a secondary RADIUS authentication/authorization server configured earlier has a higher priority) and tries to communicate with it.
all: Specifies all security policy servers. Description Use the security-policy-server command to specify a security policy server for a RADIUS scheme. Use the undo security-policy-server command to remove one or all security policy servers for a RADIUS scheme. By default, no security policy server is specified for a RADIUS scheme. You can specify up to eight security policy servers for a RADIUS scheme.
state primary Syntax state primary { accounting | authentication } { active | block } View RADIUS scheme view Default level 2: System level Parameters accounting: Sets the status of the primary RADIUS accounting server. authentication: Sets the status of the primary RADIUS authentication/authorization server. active: Specifies the active state, the normal operation state.
Parameters accounting: Sets the status of the secondary RADIUS accounting server. authentication: Sets the status of the secondary RADIUS authentication/authorization server. active: Specifies the active state, the normal operation state. block: Specifies the blocked state, the out-of-service state. Description Use the state secondary command to set the status of a secondary RADIUS server. By default, every secondary RADIUS server specified in a RADIUS scheme is in active state.
Stop-accounting requests affect the charge to users. A NAS must make its best effort to send every stop-accounting request to the RADIUS accounting servers. For each stop-accounting request getting no response in the specified period of time, the NAS buffers and resends the packet until it receives a response or the number of transmission attempts reaches the configured limit.
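The retransmission rule (response timeout, then retransmit up to the retry limit) and the best-effort stop-accounting buffer described above, as an added simulation that is not code from the HP reference. It assumes that every unanswered transmission costs one response-timeout period, that the retry value is the total number of transmissions per request (so with the NOTE's values a request is declared failed after 3 x 3 = 9 seconds), and that a buffered stop-accounting request counts one attempt per resend pass and is discarded when the count reaches the retry stop-accounting limit. The "server" is a constructed stand-in that starts answering after a chosen number of transmissions.

```python
# Added example (not code from the HP reference): a clock-free simulation of
# the NAS retransmission rules and the stop-accounting buffer. Assumptions:
# an unanswered transmission costs one response-timeout period; retry is the
# total number of transmissions per request; each resend pass of the buffer
# counts as one stop-accounting attempt.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class NasTimers:
    response_timeout: int = 3         # seconds (timer response-timeout; the NOTE uses 3)
    retry: int = 3                    # transmissions per request (retry; the NOTE uses 3)
    retry_stop_accounting: int = 20   # stop-accounting attempts (the NOTE uses 20)


def make_server(answer_from: int) -> Callable[[], bool]:
    """Constructed accounting server stand-in: ignores the first answer_from-1
    transmissions it receives and answers every transmission after that."""
    seen = {"n": 0}

    def server() -> bool:
        seen["n"] += 1
        return seen["n"] >= answer_from

    return server


def transmit_with_retries(server: Callable[[], bool], timers: NasTimers) -> Tuple[bool, int]:
    """Send one request, retransmitting on each timeout.
    Returns (answered, seconds waited before the outcome)."""
    waited = 0
    for _ in range(timers.retry):
        if server():
            return True, waited
        waited += timers.response_timeout
    return False, waited


def failure_time_seconds(timers: NasTimers) -> int:
    """Worst-case time before a single request is declared failed."""
    return timers.retry * timers.response_timeout


@dataclass
class StopAccountingBuffer:
    """Best-effort delivery of stop-accounting requests."""
    timers: NasTimers
    pending: List[str] = field(default_factory=list)      # session IDs awaiting a reply
    attempts: Dict[str, int] = field(default_factory=dict)
    dropped: List[str] = field(default_factory=list)      # gave up at the limit

    def send_stop(self, session_id: str, server: Callable[[], bool]) -> bool:
        """First delivery attempt; buffer the request if it gets no reply."""
        answered, _ = transmit_with_retries(server, self.timers)
        if not answered:
            self.pending.append(session_id)
            self.attempts[session_id] = 1
        return answered

    def resend_pending(self, server: Callable[[], bool]) -> None:
        """One resend pass over the buffer."""
        keep: List[str] = []
        for sid in self.pending:
            answered, _ = transmit_with_retries(server, self.timers)
            if answered:
                del self.attempts[sid]
                continue
            self.attempts[sid] += 1
            if self.attempts[sid] >= self.timers.retry_stop_accounting:
                self.dropped.append(sid)      # limit reached: the accounting record is lost
                del self.attempts[sid]
            else:
                keep.append(sid)
        self.pending = keep
```

A dropped entry in this model corresponds to a session the accounting server will never see a stop record for, which is why the reference insists on buffering and on a generous stop-accounting limit; the `dropped` list is the value to watch when tuning the timers.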
<Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] timer quiet 10 timer realtime-accounting (RADIUS scheme view) Syntax timer realtime-accounting minutes undo timer realtime-accounting View RADIUS scheme view Default level 2: System level Parameters minutes: Real-time accounting interval in minutes, zero or a multiple of 3 in the range 3 to 60. Description Use the timer realtime-accounting command to set the real-time accounting interval.
timer response-timeout (RADIUS scheme view) Syntax timer response-timeout seconds undo timer response-timeout View RADIUS scheme view Default level 2: System level Parameters seconds: RADIUS server response timeout period in seconds, in the range 1 to 10. Description Use the timer response-timeout command to set the RADIUS server response timeout timer. Use the undo timer response-timeout command to restore the default.
Description Use the user-name-format command to specify the format of the username to be sent to a RADIUS server. By default, the ISP domain name is included in the username. A username is generally in the format userid@isp-name, of which isp-name is used by the device to determine the ISP domain to which a user belongs.
Use the undo data-flow-format command to restore the default. By default, the unit for data flows is byte and that for data packets is one-packet. The unit for data flows and that for packets must be consistent with those on the HWTACACS server. Otherwise, accounting cannot be performed correctly.
Description Use the hwtacacs nas-ip command to specify a source IP address for outgoing HWTACACS packets. Use the undo hwtacacs nas-ip command to remove the configuration. By default, the source IP address of a packet sent to the server is the IP address of the outbound interface. The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server.
undo nas-ip View HWTACACS scheme view Default level 2: System level Parameters ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address. Description Use the nas-ip command to specify a source address for outgoing HWTACACS packets.
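The address rules for nas-ip (RADIUS and HWTACACS) and the server-side consequence stated for hwtacacs nas-ip, that the server processes packets only from the NAS address it has configured, as an added checker that is not code from the HP reference. The device address list and the server's client table are constructed sample data; the shared-key value is a placeholder.

```python
# Added example, not code from the HP reference: applies the nas-ip rules
# (must be a device address; not 0.0.0.0, 255.255.255.255, class D, class E
# or loopback) and models the server-side source-address check.
import ipaddress
from typing import Dict, Iterable, Optional

CLASS_D = ipaddress.ip_network("224.0.0.0/4")   # multicast
CLASS_E = ipaddress.ip_network("240.0.0.0/4")   # reserved
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def nas_ip_rejection(candidate: str, device_addresses: Iterable[str]) -> Optional[str]:
    """Return None if candidate is an acceptable nas-ip, else the reason it fails."""
    try:
        addr = ipaddress.IPv4Address(candidate)
    except ipaddress.AddressValueError:
        return "not a dotted-decimal IPv4 address"
    if addr == ipaddress.IPv4Address("0.0.0.0"):
        return "0.0.0.0 is not allowed"
    if addr == ipaddress.IPv4Address("255.255.255.255"):
        # checked before class E, which contains this address
        return "255.255.255.255 is not allowed"
    if addr in CLASS_D:
        return "class D address"
    if addr in CLASS_E:
        return "class E address"
    if addr in LOOPBACK:
        return "loopback address"
    if addr not in {ipaddress.IPv4Address(a) for a in device_addresses}:
        return "not an address of the device"
    return None


def server_accepts(source_ip: str, client_table: Dict[str, str]) -> bool:
    """Server side: a packet is processed only if its source address matches a
    configured NAS entry (the table maps NAS IP to that NAS's shared key)."""
    return source_ip in client_table


# Constructed sample data
DEVICE_ADDRESSES = ["129.10.10.1", "10.163.155.1"]
SERVER_CLIENTS = {"129.10.10.1": "<shared-key-placeholder>"}
```

The second function is the reason the source address matters: if the NAS leaves the default (the outbound interface address) and routing sends the packet out of an interface the server does not know, the server silently discards it and the NAS only sees timeouts, so pin the source address with nas-ip and keep it in the server's client table.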
Parameters ip-address: IP address of the primary HWTACACS accounting server in dotted decimal notation. The default is 0.0.0.0. port-number: Service port number of the primary HWTACACS accounting server. It ranges from 1 to 65535 and defaults to 49. Description Use the primary accounting command to specify the primary HWTACACS accounting server. Use the undo primary accounting command to remove the configuration.
By default, no primary HWTACACS authentication server is specified. The IP addresses of the primary and secondary authentication servers must be different. Otherwise, the configuration fails. If you configure the command repeatedly, only the last configuration takes effect. You can remove an authentication server only when it is not used by any active TCP connection to send authentication packets.
Examples # Configure the IP address and port number of the primary authorization server for HWTACACS scheme hwt1 as 10.163.155.13 and 49. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49 reset hwtacacs statistics Syntax reset hwtacacs statistics { accounting | all | authentication | authorization } View User view Default level...
Description Use the reset stop-accounting-buffer command to clear buffered stop-accounting requests that get no responses. Related commands: stop-accounting-buffer enable and display stop-accounting-buffer. Examples # Clear the stop-accounting requests buffered for HWTACACS scheme hwt1. <Sysname> reset stop-accounting-buffer hwtacacs-scheme hwt1 retry stop-accounting (HWTACACS scheme view) Syntax retry stop-accounting retry-times undo retry stop-accounting...
Default level 2: System level Parameters ip-address: IP address of the secondary HWTACACS accounting server in dotted decimal notation. The default is 0.0.0.0. port-number: Service port number of the secondary HWTACACS accounting server. It ranges from 1 to 65535 and defaults to 49. Description Use the secondary accounting command to specify the secondary HWTACACS accounting server.
Description Use the secondary authentication command to specify the secondary HWTACACS authentication server. Use the undo secondary authentication command to remove the configuration. By default, no secondary HWTACACS authentication server is specified. The IP addresses of the primary and secondary authentication servers must be different. Otherwise, the configuration fails.
You can remove an authorization server only when it is not used by any active TCP connection to send authorization packets. Removing an authorization server affects only authorization processes that occur after the remove operation. Related commands: display hwtacacs. Examples # Configure the secondary authorization server 10.163.155.13 with TCP port number 49.
timer quiet (HWTACACS scheme view) Syntax timer quiet minutes undo timer quiet View HWTACACS scheme view Default level 2: System level Parameters minutes: Primary server quiet period, in minutes. It ranges from 1 to 255. Description Use the timer quiet command to set the quiet timer for the primary server. When the primary server is found unreachable, the device changes the status of the server from active to blocked and keeps the server in blocked state until this timer expires.
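The server selection rules spread over the primary/secondary and state commands above (a server is active or blocked; an unreachable server is blocked until the quiet timer expires; the primary is tried first and, when it is blocked, the first active secondary in configuration order is used; a primary and a secondary may not share an address), as an added model that is not code from the HP reference. Time is a simulated clock in seconds, and an administratively blocked server (state ... block) carries no timer, so it stays blocked until an operator sets it active again.

```python
# Added example, not code from the HP reference: a model of how a scheme
# picks the server for the next request. Assumptions: the quiet timer only
# applies to servers blocked because they were unreachable; a server blocked
# by the state command has no timer and stays blocked.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Server:
    ip: str
    port: int
    state: str = "active"             # "active" (normal) or "block" (out of service)
    blocked_at: Optional[int] = None  # simulated time the server became unreachable


@dataclass
class Scheme:
    name: str
    quiet_minutes: int                # the scheme's timer quiet value
    primary: Optional[Server] = None
    secondaries: List[Server] = field(default_factory=list)

    def _all(self) -> List[Server]:
        return ([self.primary] if self.primary else []) + self.secondaries

    def set_primary(self, ip: str, port: int) -> None:
        if any(s.ip == ip for s in self.secondaries):
            raise ValueError("primary and secondary addresses must differ")
        self.primary = Server(ip, port)

    def add_secondary(self, ip: str, port: int) -> None:
        if any(s.ip == ip for s in self._all()):
            raise ValueError("address already used by another server in this scheme")
        self.secondaries.append(Server(ip, port))

    def mark_unreachable(self, server: Server, now: int) -> None:
        """Device detected no reply: block the server and start its quiet timer."""
        server.state = "block"
        server.blocked_at = now

    def expire_quiet_timers(self, now: int) -> None:
        for s in self._all():
            if (s.state == "block" and s.blocked_at is not None
                    and now - s.blocked_at >= self.quiet_minutes * 60):
                s.state = "active"
                s.blocked_at = None

    def select(self, now: int) -> Optional[Server]:
        """Server to send the next request to, or None if every server is blocked."""
        self.expire_quiet_timers(now)
        if self.primary and self.primary.state == "active":
            return self.primary
        for s in self.secondaries:    # earlier-configured secondary has priority
            if s.state == "active":
                return s
        return None
```

The `None` outcome is the case the reference warns about when all servers are down: the request fails and the scheme's own retry limits, not the quiet timer, decide how long the user waits before the failure is reported.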
By default, the real-time accounting interval is 12 minutes. For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. This command is for setting the interval. Consider the performance of the NAS and the HWTACACS server when you set the real-time accounting interval.
[Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] timer response-timeout 30 user-name-format (HWTACACS scheme view) Syntax user-name-format { keep-original | with-domain | without-domain } View HWTACACS scheme view Default level 2: System level Parameters keep-original: Sends the username to the HWTACACS server as it is input. with-domain: Includes the ISP domain name in the username sent to the HWTACACS server.
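How a login name of the form userid@isp-name selects the ISP domain, and how the scheme's user-name-format setting (with-domain, without-domain or keep-original, for RADIUS as described earlier and for HWTACACS as described here) decides what the server receives, as an added example that is not code from the HP reference. It assumes that a name without "@" belongs to a default domain and that a name containing several "@" characters is split at the last one; the default domain name and the domain table are constructed sample data.

```python
# Added example, not code from the HP reference: ISP domain selection from
# userid@isp-name and the three user-name-format behaviours. Assumptions:
# names without '@' go to DEFAULT_DOMAIN; the split is at the last '@'.
from typing import Dict, Tuple

DEFAULT_DOMAIN = "system"   # assumed default ISP domain name (constructed)

# Constructed mapping: ISP domain -> (scheme name, user-name-format setting)
DOMAIN_TABLE: Dict[str, Tuple[str, str]] = {
    "system": ("radius1", "with-domain"),
    "corp":   ("hwt1", "without-domain"),
    "guest":  ("radius1", "keep-original"),
}


def split_login(login: str, default_domain: str = DEFAULT_DOMAIN) -> Tuple[str, str]:
    """Return (userid, isp-name) for a login name."""
    if "@" not in login:
        return login, default_domain
    userid, isp = login.rsplit("@", 1)
    return userid, isp


def username_for_server(login: str, fmt: str) -> str:
    """Apply one user-name-format setting to the login name."""
    userid, isp = split_login(login)
    if fmt == "keep-original":
        return login                   # exactly as the user typed it
    if fmt == "with-domain":
        return f"{userid}@{isp}"       # domain added even when the user typed none
    if fmt == "without-domain":
        return userid
    raise ValueError(f"unknown user-name-format: {fmt}")


def resolve(login: str, table: Dict[str, Tuple[str, str]] = DOMAIN_TABLE) -> Tuple[str, str]:
    """Return (scheme name, username as sent to that scheme's server)."""
    _, isp = split_login(login)
    if isp not in table:
        raise KeyError(f"no ISP domain named {isp!r}")
    scheme, fmt = table[isp]
    return scheme, username_for_server(login, fmt)
```

The practical point is that the server matches on the string it receives: an account stored as "alice" on the server will not match "alice@corp" sent with-domain, and an account stored with a domain suffix will not match a without-domain name, so the setting has to agree with how accounts are named on the server.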
Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. •...
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention        Description
Boldface          Bold text represents commands and keywords that you enter literally as shown.
Italic            Italic text represents arguments that you replace with actual values.
[ ]               Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ...     Braces enclose a set of required syntax choices separated by vertical bars, from which ...
Network topology icons Represents a unified threat management product. Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.