HP A5500 EI, A5500 SI Command Reference Manual

HP A5500 EI & A5500 SI Switch Series
Security Command Reference
Abstract
This document describes the commands and command syntax options available for the HP A Series products.
This document is intended for network planners, field technical support and servicing engineers, and network administrators who work with HP A Series products.
Legal and notice information
© Copyright 2011 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Contents
AAA configuration commands ···· 1
General AAA configuration commands ···· 1
  aaa nas-id profile (available only on the A5500 EI) ···· 1
  access-limit enable ···· 1
  accounting command ···· 2
  accounting default ···· 3
  accounting lan-access ···· 3
  accounting login ···· 4
  accounting optional ···· 5
  accounting portal ···· 6
  authentication default ···· 7
  authentication lan-access ···· 7
  authentication login ···· 8
  authentication portal ···· 9
  authentication super ···· 10
  authorization command ···· 11
  authorization default ···· 11
  authorization lan-access ···· 12
  authorization login ···· 13
  authorization portal ···· 14
  authorization-attribute user-profile ···· 15
  cut connection ···· 16
  display connection ···· 17
  display domain ···· 19
  domain ···· 21
  domain default enable ···· 21
  idle-cut enable ···· 22
  nas-id bind vlan (available only on the A5500 EI) ···· 23
  self-service-url enable ···· 24
  state (ISP domain view) ···· 24
Local user configuration commands ···· 25
  access-limit ···· 25
  authorization-attribute (local user view/user group view) ···· 26
  bind-attribute ···· 27
  display local-user ···· 28
  display user-group ···· 30
  expiration-date (local user view) ···· 31
  group ···· 32
  local-user ···· 33
  local-user password-display-mode ···· 33
  password ···· 34
  service-type ···· 35
  state (local user view) ···· 36
  user-group ···· 36
RADIUS configuration commands ···· 37
  accounting-on enable ···· 37
  attribute 25 car ···· 38
  data-flow-format (RADIUS scheme view) ···· 39
  display radius scheme ···· 39
  display radius statistics ···· 42
  display stop-accounting-buffer ···· 45
  key (RADIUS scheme view) ···· 46
  nas device-id (available only on the A5500 EI) ···· 47
  nas-backup-ip (available only on the A5500 EI) ···· 48
  nas-ip (RADIUS scheme view) ···· 49
  primary accounting (RADIUS scheme view) ···· 50
  primary authentication (RADIUS scheme view) ···· 51
  radius client ···· 52
  radius nas-backup-ip (available only on the A5500 EI) ···· 53
  radius nas-ip ···· 54
  radius scheme ···· 55
  radius trap ···· 56
  reset radius statistics ···· 57
  reset stop-accounting-buffer ···· 57
  retry ···· 58
  retry realtime-accounting ···· 59
  retry stop-accounting (RADIUS scheme view) ···· 60
  secondary accounting (RADIUS scheme view) ···· 60
  secondary authentication (RADIUS scheme view) ···· 62
  security-policy-server ···· 64
  server-type ···· 64
  state primary ···· 65
  state secondary ···· 66
  stop-accounting-buffer enable (RADIUS scheme view) ···· 67
  timer quiet (RADIUS scheme view) ···· 67
  timer realtime-accounting (RADIUS scheme view) ···· 68
  timer response-timeout (RADIUS scheme view) ···· 69
  user-name-format (RADIUS scheme view) ···· 70
  vpn-instance (RADIUS scheme view) (available only on the A5500 EI) ···· 71
HWTACACS configuration commands ···· 71
  data-flow-format (HWTACACS scheme view) ···· 71
  display hwtacacs ···· 72
  display stop-accounting-buffer ···· 75
  hwtacacs nas-ip ···· 75
  hwtacacs scheme ···· 76
  key (HWTACACS scheme view) ···· 77
  nas-ip (HWTACACS scheme view) ···· 78
  primary accounting (HWTACACS scheme view) ···· 78
  primary authentication (HWTACACS scheme view) ···· 79
  primary authorization ···· 80
  reset hwtacacs statistics ···· 81
  reset stop-accounting-buffer ···· 82
  retry stop-accounting (HWTACACS scheme view) ···· 82
  secondary accounting (HWTACACS scheme view) ···· 83
  secondary authentication (HWTACACS scheme view) ···· 84
  secondary authorization ···· 85
  stop-accounting-buffer enable (HWTACACS scheme view) ···· 86
  timer quiet (HWTACACS scheme view) ···· 87
  timer realtime-accounting (HWTACACS scheme view) ···· 87
  timer response-timeout (HWTACACS scheme view) ···· 88
  user-name-format (HWTACACS scheme view) ···· 89
  vpn-instance (HWTACACS scheme view) (available only on the A5500 EI) ···· 89
RADIUS server configuration commands ···· 90
  authorization-attribute (RADIUS-server user view) ···· 90
  description (RADIUS-server user view) ···· 91
  expiration-date (RADIUS-server user view) ···· 91
  password (RADIUS-server user view) ···· 92
  radius-server client-ip ···· 93
  radius-server user ···· 94
802.1X configuration commands ···· 96
  display dot1x ···· 96
  dot1x ···· 99
  dot1x authentication-method ···· 100
  dot1x auth-fail vlan ···· 101
  dot1x guest-vlan ···· 102
  dot1x handshake ···· 103
  dot1x handshake secure ···· 104
  dot1x mandatory-domain ···· 105
  dot1x max-user ···· 106
  dot1x multicast-trigger ···· 107
  dot1x port-control ···· 107
  dot1x port-method ···· 109
  dot1x quiet-period ···· 110
  dot1x re-authenticate ···· 110
  dot1x retry ···· 111
  dot1x timer ···· 112
  dot1x unicast-trigger ···· 113
  reset dot1x statistics ···· 114
EAD fast deployment configuration commands ···· 115
  dot1x free-ip ···· 115
  dot1x timer ead-timeout ···· 115
  dot1x url ···· 116
MAC authentication configuration commands ···· 118
  display mac-authentication ···· 118
  mac-authentication ···· 120
  mac-authentication domain ···· 121
  mac-authentication guest-vlan ···· 122
  mac-authentication max-user ···· 123
  mac-authentication timer ···· 123
  mac-authentication user-name-format ···· 124
  reset mac-authentication statistics ···· 126
Portal configuration commands ···· 127
  display portal acl (available only on the A5500 EI) ···· 127
  display portal connection statistics (available only on the A5500 EI) ···· 129
  display portal free-rule ···· 132
  display portal interface ···· 133
  display portal local-server ···· 135
  display portal server (available only on the A5500 EI) ···· 136
  display portal server statistics (available only on the A5500 EI) ···· 137
  display portal tcp-cheat statistics ···· 139
  display portal user ···· 141
  portal auth-fail vlan ···· 142
  portal auth-network (available only on the A5500 EI) ···· 143
  portal backup-group (available only on the A5500 EI) ···· 144
  portal delete-user ···· 144
  portal domain ···· 145
  portal free-rule ···· 146
portal local-server ················································································································································ 147 portal local-server enable ··································································································································· 148 portal local-server ip ··········································································································································· 149 portal max-user ···················································································································································· 149 portal move-mode auto ······································································································································· 150 portal nas-id-profile (available only on the A5500 EI) ···················································································· 151 portal nas-ip (available only on the A5500 EI) ······························································································· 152 portal nas-port-type (available only on the A5500 EI) ···················································································· 152 portal offline-detect interval ································································································································ 153 portal redirect-url ················································································································································· 154 portal server (available only on the A5500 EI) ······························································································· 154 portal server banner ············································································································································ 156 portal server method (available only on the A5500 EI) 
················································································· 156 portal server server-detect (available only on the A5500 EI) ········································································· 157 portal server user-sync (available only on the A5500 EI) ··············································································· 159 portal web-proxy port ········································································································································· 160 reset portal connection statistics (available only on the A5500 EI) ······························································· 161 reset portal server statistics (available only on the A5500 EI) ······································································· 161 reset portal tcp-cheat statistics ···························································································································· 162
Port security configuration commands ······················································································································ 163
display port-security ············································································································································ 163 display port-security mac-address block ··········································································································· 166 display port-security mac-address security ········································································································ 167 port-security authorization ignore ······················································································································ 169 port-security enable ············································································································································· 170 port-security intrusion-mode ································································································································ 170 port-security mac-address security ····················································································································· 171 port-security max-mac-count ······························································································································· 173 port-security ntk-mode ········································································································································· 174 port-security oui ··················································································································································· 174 port-security port-mode ······································································································································· 175 port-security timer autolearn aging ···················································································································· 177 port-security timer disableport 
···························································································································· 178 port-security trap ·················································································································································· 179
User profile configuration commands ······················································································································· 181
display user-profile ···· 181
user-profile enable ···· 182
user-profile ···· 182
Password control configuration commands ············································································································· 184
display password-control ···· 184
display password-control blacklist ···· 185
password ···· 186
password-control aging ···· 187
password-control alert-before-expire ···· 188
password-control authentication-timeout ···· 189
password-control complexity ···· 189
password-control composition ···· 190
password-control { aging | composition | history | length } enable ···· 191
password-control enable ···· 192
password-control expired-user-login ···· 192
password-control history ···· 193
password-control length ···· 194
password-control login idle-time ···· 194
password-control login-attempt ···· 195
password-control password update interval ···· 196
password-control super aging ···· 197
password-control super composition ···· 198
password-control super length ···· 198
reset password-control blacklist ···· 199
reset password-control history-record ···· 199
HABP configuration commands ································································································································· 201
display habp ···· 201
display habp table ···· 202
display habp traffic ···· 202
habp client vlan ···· 203
habp enable ···· 204
habp server vlan ···· 204
habp timer ···· 205
Public key configuration commands ························································································································· 207
display public-key local public ···· 207
display public-key peer ···· 208
peer-public-key end ···· 210
public-key-code begin ···· 210
public-key-code end ···· 211
public-key local create ···· 212
public-key local destroy ···· 213
public-key local export dsa ···· 213
public-key local export rsa ···· 214
public-key peer ···· 215
public-key peer import sshkey ···· 216
PKI configuration commands ····································································································································· 218
attribute ···· 218
ca identifier ···· 219
certificate request entity ···· 219
certificate request from ···· 220
certificate request mode ···· 220
certificate request polling ···· 221
certificate request url ···· 222
common-name ···· 223
country ···· 223
crl check ···· 224
crl update-period ···· 224
crl url ···· 225
display pki certificate ···· 225
display pki certificate access-control-policy ···· 227
display pki certificate attribute-group ···· 228
display pki crl domain ···· 229
fqdn ···· 231
ip (PKI entity view) ···· 231
ldap-server ···· 232
locality ···· 232
organization ···· 233
organization-unit ···· 233
pki certificate access-control-policy ···· 234
pki certificate attribute-group ···· 235
pki delete-certificate ···· 235
pki domain ···· 236
pki entity ···· 236
pki import-certificate ···· 237
pki request-certificate domain ···· 238
pki retrieval-certificate ···· 238
pki retrieval-crl domain ···· 239
pki validate-certificate ···· 239
root-certificate fingerprint ···· 240
rule (PKI CERT ACP view) ···· 241
state ···· 241
IPsec configuration commands ·································································································································· 243
ah authentication-algorithm ···· 243
display ipsec policy ···· 244
display ipsec proposal ···· 246
display ipsec sa ···· 247
display ipsec statistics ···· 249
display ipsec tunnel ···· 251
encapsulation-mode ···· 253
esp authentication-algorithm ···· 253
esp encryption-algorithm ···· 254
ipsec policy ···· 255
ipsec proposal ···· 256
proposal ···· 256
reset ipsec sa ···· 257
reset ipsec statistics ···· 258
sa authentication-hex ···· 258
sa encryption-hex ···· 259
sa spi ···· 260
sa string-key ···· 261
transform ···· 262
SSH2.0 configuration commands ····························································································································· 264
SSH2.0 server configuration commands ··················································································································· 264
display ssh server ···· 264
display ssh user-information ···· 265
ssh server authentication-retries ···· 266
ssh server authentication-timeout ···· 267
ssh server compatible-ssh1x enable ···· 268
ssh server enable ···· 268
ssh server rekey-interval ···· 269
ssh user ···· 269
SSH2.0 client configuration commands ···················································································································· 271
display ssh client source ···· 271
display ssh server-info ···· 271
ssh client authentication server ···· 272
ssh client first-time enable ···· 273
ssh client ipv6 source ···· 274
ssh client source ···· 275
ssh2 ···· 275
ssh2 ipv6 ···· 276
SFTP configuration commands ·································································································································· 279
SFTP server configuration commands ························································································································ 279
sftp server enable ···· 279
sftp server idle-timeout ···· 279
SFTP client configuration commands ···· 280
bye ···· 280
cd ···· 280
cdup ···· 281
delete ···· 281
dir ···· 282
display sftp client source ···· 283
exit ···· 283
get ···· 284
help ···· 284
ls ···· 285
mkdir ···· 286
put ···· 286
pwd ···· 287
quit ···· 287
remove ···· 288
rename ···· 288
rmdir ···· 289
sftp ···· 289
sftp client ipv6 source ···· 290
sftp client source ···· 291
sftp ipv6 ···· 292
SSL configuration commands ···· 294
ciphersuite ···· 294
client-verify enable ···· 295
close-mode wait ···· 295
display ssl client-policy ···· 296
display ssl server-policy ···· 297
handshake timeout ···· 298
pki-domain ···· 299
prefer-cipher ···· 299
server-verify enable ···· 300
session ···· 301
ssl client-policy ···· 302
ssl server-policy ···· 302
version ···· 303
TCP attack protection configuration commands ······································································································ 304
display tcp status ···· 304
tcp syn-cookie enable ···· 305
IP source guard configuration commands ················································································································ 306
display ip check source ···· 306
display user-bind ···· 307
ip check source ···· 309
user-bind (Layer 2 Ethernet port view) ···· 310
user-bind (system view) ···· 311
user-bind uplink ···· 312
ARP attack protection configuration commands ······································································································ 313
ARP defense against IP packet attacks configuration commands ··········································································· 313
arp resolving-route enable ···· 313
arp source-suppression enable ···· 313
arp source-suppression limit ···· 314
display arp source-suppression ···· 315
ARP packet rate limit configuration commands ········································································································ 316
arp rate-limit ···· 316
arp rate-limit information ···· 316
Source MAC address based ARP attack detection configuration commands ······················································· 317
arp anti-attack source-mac ···· 317
arp anti-attack source-mac aging-time ···· 318
arp anti-attack source-mac exclude-mac ···· 318
arp anti-attack source-mac threshold ···· 319
display arp anti-attack source-mac ···· 320
ARP packet source MAC address consistency check configuration commands ··················································· 321
arp anti-attack valid-check enable ····················································································································· 321
ARP active acknowledgement configuration commands ························································································· 321
arp anti-attack active-ack enable ······················································································································· 321
ARP detection configuration commands ···················································································································· 322
arp detection enable ···· 322
arp detection trust ···· 323
arp detection validate ···· 323
arp restricted-forwarding enable ···· 324
display arp detection ···· 324
display arp detection statistics ···· 325
reset arp detection statistics ···· 326
ARP automatic scanning and fixed ARP configuration commands ········································································· 327
arp fixup ······························································································································································· 327
arp scan ······························································································································································· 327
ARP gateway protection configuration commands ·································································································· 328
arp filter source···················································································································································· 328
ARP filtering configuration commands ······················································································································· 329
arp filter binding·················································································································································· 329
ND attack defense configuration commands··········································································································· 331
Source MAC consistency check commands ·············································································································· 331
ipv6 nd mac-check enable ································································································································· 331
ND detection configuration commands ····················································································································· 332
display ipv6 nd detection ··································································································································· 332
display ipv6 nd detection statistics ···················································································································· 333
ipv6 nd detection enable ··································································································································· 333
ipv6 nd detection trust ········································································································································ 334
reset ipv6 nd detection statistics ························································································································ 335
URPF configuration commands (available only on the A5500 EI) ········································································ 336
ip urpf ··································································································································································· 336
Support and other resources ····································································································································· 337
Contacting HP ······························································································································································ 337
Subscription service ············································································································································ 337
Related information ······················································································································································ 337
Documents ···························································································································································· 337
Websites ······························································································································································ 337
Conventions ·································································································································································· 338
Index ············································································································································································· 340

AAA configuration commands

NOTE:
The vpn-instance keyword and the vpn-instance vpn-instance-name command (in RADIUS or HWTACACS scheme view) are available only on the A5500 EI Switch Series.

General AAA configuration commands

aaa nas-id profile (available only on the A5500 EI)

Syntax
aaa nas-id profile profile-name
undo aaa nas-id profile profile-name
View
System view
Default level
2: System level
Parameters
profile-name: Name of the NAS ID profile, a case-insensitive string of 1 to 16 characters.
Description
Use the aaa nas-id profile command to create a NAS ID profile and enter its view.
Use the undo aaa nas-id profile command to remove a NAS ID profile.
Related commands: nas-id bind vlan.
Examples
# Create a NAS ID profile named aaa.
<Sysname> system-view
[Sysname] aaa nas-id profile aaa
[Sysname-nas-id-prof-aaa]

access-limit enable

Syntax
access-limit enable max-user-number
undo access-limit enable
View
ISP domain view
Default level
2: System level
Parameters
max-user-number: Maximum number of users, in the range 1 to 2147483646.
Description
Use the access-limit enable command to enable the limit on the number of users in an ISP domain and set the allowed maximum number. After the number of users reaches the maximum number allowed, no more users will be accepted.
Use the undo access-limit enable command to restore the default.
By default, there is no limit to the number of users in an ISP domain.
System resources are limited, and user connections may compete for network resources when there are many users. Setting a proper limit to the number of users helps provide reliable system performance.
Examples
# Set a limit of 500 user connections for ISP domain test.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] access-limit enable 500

accounting command

Syntax
accounting command hwtacacs-scheme hwtacacs-scheme-name
undo accounting command
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the accounting command command to specify the command line accounting method.
Use the undo accounting command command to restore the default.
By default, the default accounting method for the ISP domain is used for command line accounting.
The specified HWTACACS scheme must have been configured.
Command line accounting can use only an HWTACACS scheme.
Related commands: accounting default and hwtacacs scheme.
Examples
# Configure ISP domain test to use HWTACACS scheme hwtac for command line accounting.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting command hwtacacs-scheme hwtac

accounting default

Syntax
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting default
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the accounting default command to configure the default accounting method for an ISP domain.
Use the undo accounting default command to restore the default.
By default, the default accounting method of an ISP domain is local.
The specified RADIUS or HWTACACS scheme must have been configured.
The default accounting method will be used for all users for whom no specific accounting methods are configured.
Local accounting is only for monitoring and controlling the number of local user connections; it does not provide the statistics function that the accounting feature generally provides.
Related commands: hwtacacs scheme and radius scheme.
Examples
# Configure the default accounting method for ISP domain test to use RADIUS accounting scheme rd and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting default radius-scheme rd local

accounting lan-access

Syntax
accounting lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
undo accounting lan-access
View
ISP domain view
Default level
2: System level
Parameters
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the accounting lan-access command to configure the accounting method for LAN users.
Use the undo accounting lan-access command to restore the default.
By default, the default accounting method for the ISP domain is used for LAN users.
The specified RADIUS scheme must have been configured.
Related commands: local-user, accounting default, and radius scheme.
Examples
# Configure ISP domain test to use local accounting for LAN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting lan-access local
# Configure ISP domain test to use RADIUS accounting scheme rd for LAN users and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting lan-access radius-scheme rd local

accounting login

Syntax
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting login
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
local: Performs local accounting. It is not used for charging purposes, but for collecting statistics on and limiting the number of local user connections.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the accounting login command to configure the accounting method for login users.
Use the undo accounting login command to restore the default.
By default, the default accounting method for the ISP domain is used for login users.
The specified RADIUS or HWTACACS scheme must have been configured.
Accounting is not supported for login users that use FTP.
Related commands: local-user, accounting default, hwtacacs scheme, and radius scheme.
Examples
# Configure ISP domain test to use local accounting for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting login local
# Configure ISP domain test to use RADIUS accounting scheme rd for login users and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting login radius-scheme rd local

accounting optional

Syntax
accounting optional
undo accounting optional
View
ISP domain view
Default level
2: System level
Parameters
None
Description
Use the accounting optional command to enable the accounting optional feature.
Use the undo accounting optional command to disable the feature.
By default, the feature is disabled.
After you configure the accounting optional command for a domain, a user that will be disconnected otherwise can continue to use the network resources when no accounting server is available or the communication with the current accounting server fails. However, the device will not send real-time accounting updates for the user anymore. The accounting optional feature applies to scenarios where accounting is not important.
NOTE:
After you configure the accounting optional command, the setting by the access-limit command in local user view is not effective.
Examples
# Enable the accounting optional feature for users in domain test.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting optional

accounting portal

Syntax
accounting portal { local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting portal
View
ISP domain view
Default level
2: System level
Parameters
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the accounting portal command to configure the accounting method for portal users.
Use the undo accounting portal command to restore the default.
By default, the default accounting method for the ISP domain is used for portal users.
The specified RADIUS scheme must have been configured.
Related commands: local-user, accounting default, and radius scheme.
Examples
# Configure ISP domain test to use local accounting for portal users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting portal local
# Configure ISP domain test to use RADIUS scheme rd for accounting on portal users and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting portal radius-scheme rd local

authentication default

Syntax
authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication default
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the authentication default command to configure the default authentication method for an ISP domain.
Use the undo authentication default command to restore the default.
By default, the default authentication method of an ISP domain is local.
The specified RADIUS or HWTACACS scheme must have been configured.
The default authentication method will be used for all users for whom no specific authentication methods are configured.
Related commands: local-user, hwtacacs scheme, and radius scheme.
Examples
# Configure the default authentication method for ISP domain test to use RADIUS authentication scheme rd and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication default radius-scheme rd local

authentication lan-access

Syntax
authentication lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
undo authentication lan-access
View
ISP domain view
Default level
2: System level
Parameters
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the authentication lan-access command to configure the authentication method for LAN users.
Use the undo authentication lan-access command to restore the default.
By default, the default authentication method for the ISP domain is used for LAN users.
The specified RADIUS scheme must have been configured.
Related commands: local-user, authentication default, and radius scheme.
Examples
# Configure ISP domain test to use local authentication for LAN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication lan-access local
# Configure ISP domain test to use RADIUS authentication scheme rd for LAN users and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication lan-access radius-scheme rd local

authentication login

Syntax
authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication login
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the authentication login command to configure the authentication method for login users (users logging in through the console or AUX port or accessing through Telnet or FTP).
Use the undo authentication login command to restore the default.
By default, the default authentication method for the ISP domain is used for login users.
The specified RADIUS or HWTACACS scheme must have been configured.
Related commands: local-user, authentication default, hwtacacs scheme, and radius scheme.
Examples
# Configure ISP domain test to use local authentication for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication login local
# Configure ISP domain test to use RADIUS authentication scheme rd for login users and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication login radius-scheme rd local

authentication portal

Syntax
authentication portal { local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication portal
View
ISP domain view
Default level
2: System level
Parameters
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the authentication portal command to configure the authentication method for portal users.
Use the undo authentication portal command to restore the default.
By default, the default authentication method for the ISP domain is used for portal users.
The specified RADIUS scheme must have been configured.
Related commands: authentication default and radius scheme.
Examples
# Configure ISP domain test to use local authentication for portal users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication portal local
# Configure ISP domain test to use RADIUS scheme rd for authentication of portal users and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication portal radius-scheme rd local

authentication super

Syntax
authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name }
undo authentication super
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Description
Use the authentication super command to configure the authentication method for user privilege level switching.
Use the undo authentication super command to restore the default.
By default, the default authentication method for the ISP domain is used for user privilege level switching authentication.
The specified RADIUS or HWTACACS authentication scheme must have been configured.
Related commands: hwtacacs scheme and radius scheme; super authentication-mode (Fundamentals Command Reference).
Examples
# Configure ISP domain test to use HWTACACS scheme tac for user privilege level switching authentication.
<Sysname> system-view
[Sysname] super authentication-mode scheme
[Sysname] domain test
[Sysname-isp-test] authentication super hwtacacs-scheme tac

authorization command

Syntax
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local | none ] | local | none }
undo authorization command
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated user can access only commands of Level 0.
Description
Use the authorization command command to configure the command line authorization method.
Use the undo authorization command command to restore the default.
By default, the default authorization method for the ISP domain is used for command line authorization.
The specified HWTACACS scheme must have been configured.
With command line authorization configured, a user who has logged in to the device can execute only the commands with a level lower than or equal to that of the local user.
Related commands: local-user, authorization default, and hwtacacs scheme.
Examples
# Configure ISP domain test to use local command line authorization.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization command local
# Configure ISP domain test to use HWTACACS scheme hwtac for command line authorization and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local

authorization default

Syntax
authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization default
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. After passing authentication, non-login users can access the network, FTP users can access the root directory of the device, and other login users can access only the commands of Level 0.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the authorization default command to configure the default authorization method for an ISP domain.
Use the undo authorization default command to restore the default.
By default, the default authorization method of an ISP domain is local.
The specified RADIUS or HWTACACS scheme must have been configured.
The default authorization method will be used for all users for whom no specific authorization methods are configured.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
Related commands: local-user, authentication default, accounting default, hwtacacs scheme, and radius scheme.
Examples
# Configure the default authorization method for ISP domain test to use RADIUS authorization scheme rd and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization default radius-scheme rd local

authorization lan-access

Syntax
authorization lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
undo authorization lan-access
View
ISP domain view
Default level
2: System level
Parameters
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated LAN user can access the network directly.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the authorization lan-access command to configure the authorization method for LAN users.
Use the undo authorization lan-access command to restore the default.
By default, the default authorization method for the ISP domain is used for LAN users.
The specified RADIUS scheme must have been configured.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
Related commands: local-user, authorization default, and radius scheme.
Examples
# Configure ISP domain test to use local authorization for LAN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization lan-access local
# Configure ISP domain test to use RADIUS authorization scheme rd for LAN users and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization lan-access radius-scheme rd local

authorization login

Syntax
authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization login
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. After passing authentication, FTP users can access the root directory of the device, and other login users can access only the commands of Level 0.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the authorization login command to configure the authorization method for login users (users logging in through the console or AUX port or accessing through Telnet or FTP).
Use the undo authorization login command to restore the default.
By default, the default authorization method for the ISP domain is used for login users.
The specified RADIUS or HWTACACS scheme must have been configured.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
Related commands: local-user, authorization default, hwtacacs scheme, and radius scheme.
Examples
# Configure ISP domain test to use local authorization for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization login local
# Configure ISP domain test to use RADIUS authorization scheme rd for login users and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization login radius-scheme rd local

authorization portal

Syntax
authorization portal { local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization portal
View
ISP domain view
Default level
2: System level
Parameters
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated portal user can access the network directly.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the authorization portal command to configure the authorization method for portal users.
Use the undo authorization portal command to restore the default.
By default, the default authorization method for the ISP domain is used for portal users.
The specified RADIUS scheme must have been configured.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
Related commands: local-user, authorization default, and radius scheme.
Examples
# Configure ISP domain test to use local authorization for portal users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization portal local
# Configure ISP domain test to use RADIUS scheme rd for authorization of portal users and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization portal radius-scheme rd local
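The accounting, authentication and authorization commands above share the same selection rules: a method set for an access type (lan-access, login, portal, command, super) overrides the domain default; the domain default for every service is local; a trailing local is the backup taken when the remote scheme cannot be reached; RADIUS authorization takes effect only when authentication uses the same RADIUS scheme; and accounting optional keeps a user online when no accounting server answers. The following script is an added example, not HP's code and not part of this reference. It reads configuration lines in the form the commands produce, computes the effective method chain per access type, flags the RADIUS authorization pitfall, and shows what happens to accounting when a scheme's server is down. The scheme names (rd, rd2, hwtac) and the sample configuration are constructed; the server availability map is a stand-in for real reachability.

```python
"""Resolve the effective AAA methods of an ISP domain from Comware-style
configuration lines.  Added example, not HP's code; it models only the rules
stated in this reference.  Scheme names, the sample configuration and the
reachability map are constructed for illustration."""
from dataclasses import dataclass, field

ACCESS_TYPES = ("lan-access", "login", "portal", "command", "super")
SERVICES = ("authentication", "authorization", "accounting")
SCOPES = ("default",) + ACCESS_TYPES


@dataclass
class Domain:
    name: str
    methods: dict = field(default_factory=dict)  # (service, scope) -> chain
    accounting_optional: bool = False


def parse_chain(tokens):
    """'radius-scheme rd local' -> [('radius', 'rd'), ('local', None)]."""
    chain, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("radius-scheme", "hwtacacs-scheme"):
            chain.append((tok.split("-")[0], tokens[i + 1]))
            i += 2
        elif tok in ("local", "none"):
            chain.append((tok, None))
            i += 1
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return chain


def parse_domain(config_text):
    """Read the first 'domain NAME' block; lines that are not AAA methods are ignored."""
    dom = None
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "#":
            continue
        if tokens[0] == "domain":
            dom = Domain(tokens[1])
        elif dom is None:
            continue
        elif tokens[:2] == ["accounting", "optional"]:
            dom.accounting_optional = True
        elif tokens[0] in SERVICES and len(tokens) > 2 and tokens[1] in SCOPES:
            dom.methods[(tokens[0], tokens[1])] = parse_chain(tokens[2:])
    return dom


def effective(dom, service, access_type):
    """Access-type method if configured, else the domain default, else local."""
    return (dom.methods.get((service, access_type))
            or dom.methods.get((service, "default"))
            or [("local", None)])


def radius_authorization_warnings(dom):
    """RADIUS authorization only takes effect when authentication uses the
    same RADIUS scheme; report every access type where that does not hold."""
    warnings = []
    for access_type in ACCESS_TYPES:
        auth = {n for k, n in effective(dom, "authentication", access_type) if k == "radius"}
        for kind, name in effective(dom, "authorization", access_type):
            if kind == "radius" and name not in auth:
                warnings.append(f"{access_type}: RADIUS authorization via {name} "
                                f"is ineffective, authentication does not use {name}")
    return warnings


def select_method(chain, reachable):
    """Walk a method chain: a remote scheme is skipped when its server is not
    reachable (constructed availability map); local and none always apply."""
    for kind, name in chain:
        if kind in ("local", "none") or reachable.get(name, False):
            return kind, name
    return None


def accounting_outcome(dom, access_type, reachable):
    """What happens to a user's session under the given server availability."""
    step = select_method(effective(dom, "accounting", access_type), reachable)
    if step is not None:
        return "accounting via " + (step[1] or step[0])
    if dom.accounting_optional:
        return "user stays online, no real-time accounting updates"
    return "user disconnected"


# Constructed sample, in the form the commands in this chapter produce.
CONSTRUCTED_CONFIG = """\
domain test
 authentication default radius-scheme rd local
 authorization default radius-scheme rd local
 accounting default radius-scheme rd local
 authentication login hwtacacs-scheme hwtac local
 authorization login radius-scheme rd2
 accounting lan-access radius-scheme rd
 accounting optional
 access-limit enable 500
 quit
"""
```

Running radius_authorization_warnings over the sample flags only the login access type: its authentication chain goes to HWTACACS scheme hwtac, so the RADIUS authorization via rd2 never takes effect. For lan-access the accounting chain is radius-scheme rd with no local backup, so with rd unreachable the session survives only because accounting optional is set; the same domain without that line would disconnect the user, while login users fall back to local accounting through the domain default.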

authorization-attribute user-profile

Syntax
authorization-attribute user-profile profile-name
undo authorization-attribute user-profile
View
ISP domain view
Default level
3: Manage level
Parameters
profile-name: Name of the user profile, a case-sensitive string of 1 to 31 characters. For more information about user profile configuration, see the Security Configuration Guide.
Description
Use the authorization-attribute user-profile command to specify the default authorization user profile for an ISP domain.
Use the undo authorization-attribute user-profile command to restore the default.
By default, an ISP domain has no default authorization user profile.
After a user of an ISP domain passes authentication, if the server (or the access device in the case of local authentication) does not authorize any user profile to the ISP domain, the system uses the user profile specified by the authorization-attribute user-profile command as that of the ISP domain.
If you configure the authorization-attribute user-profile command repeatedly, only the last one takes effect.
Examples
# Specify the default authorization user profile for domain test as profile1.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization-attribute user-profile profile1

cut connection

Syntax
cut connection { access-type { dot1x | mac-authentication | portal } | all | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id } [ slot slot-number ]
View
System view
Default level
2: System level
Parameters
access-type: Specifies the user connections of the specified access type.
dot1x: Indicates 802.1X authentication.
mac-authentication: Indicates MAC address authentication.
portal: Indicates portal authentication.
all: Specifies all user connections.
domain isp-name: Specifies all user connections of an ISP domain. The isp-name argument refers to the name of an existing ISP domain and is a string of 1 to 24 characters.
interface interface-type interface-number: Specifies user connections on an interface by the interface type and number.
ip ip-address: Specifies the user connections of an IP address.
mac mac-address: Specifies the user connections of a MAC address, with mac-address in the format H-H-H.
ucibindex ucib-index: Specifies a user connection by connection index. The value ranges from 0 to 4294967295.
user-name user-name: Specifies the user connections that use the username. The user-name argument is a case-sensitive string of 1 to 80 characters. For a username entered without a domain name, the system assumes that the user is in the default domain or the mandatory authentication domain.
vlan vlan-id: Specifies user connections of a VLAN, with vlan-id ranging from 1 to 4094.
slot slot-number: Specifies the member number of the switch in the IRF fabric, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF fabric. If no IRF fabric exists, the slot-number argument is the current device number.
Description
Use the cut connection command to tear down the specified connections forcibly.
This command applies to only LAN and portal user connections.
For 802.1X users whose usernames carry the version number or contain spaces, you cannot cut the connections by username.
For 802.1X users whose usernames use a forward slash (/) or backward slash (\) as the domain name delimiter, you cannot cut their connections by username. For example, the cut connection user-name aaa\bbb command cannot cut the connections of the user aaa\bbb.
An interface that is configured with a mandatory authentication domain treats users of the corresponding access type as users in the mandatory authentication domain. For example, if you configure an 802.1X mandatory authentication domain on an interface, the interface will use the domain’s AAA methods for all its 802.1X users. To cut connections of such users, use the cut connection domain isp-name command and specify the mandatory authentication domain.
Related commands: display connection and service-type.
Examples
# Tear down all connections of ISP domain test.
<Sysname> system-view
[Sysname] cut connection domain test

display connection

Syntax
display connection [ access-type { dot1x | mac-authentication | portal } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
access-type: Specifies the user connections of the specified access type.
dot1x: Indicates 802.1X authentication.
mac-authentication: Indicates MAC address authentication.
portal: Indicates portal authentication.
domain isp-name: Specifies all user connections of an ISP domain. The isp-name argument refers to the name of an existing ISP domain and is a case-insensitive string of 1 to 24 characters.
interface interface-type interface-number: Specifies user connections on an interface by the interface type and number.
ip ip-address: Specifies the user connections of an IP address.
mac mac-address: Specifies the user connections of a MAC address, with mac-address in the format H-H-H.
ucibindex ucib-index: Specifies all user connections using the specified connection index. The value ranges from 0 to 4294967295.
user-name user-name: Specifies the user connections that use the username. The user-name argument is a case-sensitive string of 1 to 80 characters. For a username entered without a domain name, the system assumes that the user is in the default domain or the mandatory authentication domain.
vlan vlan-id: Specifies user connections of a VLAN, with vlan-id ranging from 1 to 4094.
slot slot-number: Specifies the member number of the switch in the IRF fabric, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF fabric. If no IRF fabric exists, the slot-number argument is the current device number.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display connection command to display information about AAA user connections.
This command does not display information about FTP user connections.
With no parameter specified, this command displays brief information about all AAA user connections.
If you specify the ucibindex ucib-index combination, this command displays detailed information; otherwise, this command displays brief information.
If an interface is configured with a mandatory authentication domain (for example, an 802.1X mandatory authentication domain), users accessing the interface through the specified access type are treated as users in the mandatory authentication domain. To display connections of such users, specify the mandatory authentication domain for the display connection domain isp-name command.
For 802.1X users whose usernames use a forward slash (/) or backward slash (\) as the domain name delimiter, you cannot query the connections by username. For example, the display connection user-name aaa\bbb command cannot display the connections of the user aaa\bbb.
Related commands: cut connection.
Examples
# Display information about all AAA user connections.
<Sysname> display connection
Slot: 1
Index=0 , Username=telnet@system
IP=10.0.0.1
IPv6=N/A
Total 1 connection(s) matched on slot 1.
Total 1 connection(s) matched.
# Display information about AAA user connections using the index of 0.
<Sysname> display connection ucibindex 0
Slot: 0
Index=0 , Username=telnet@system
IP=10.0.0.1
IPv6=N/A
Access=Admin ,AuthMethod=PAP
Port Type=Virtual ,Port Name=N/A
Initial VLAN=999, Authorized VLAN=20
ACL Group=Disable
User Profile=N/A
CAR=Disable
Priority=Disable
Start=2011-05-16 10:53:03 ,Current=2011-05-16 10:57:06 ,Online=00h04m03s
Total 1 connection matched.
Slot: 1
Total 0 connection matched.
Slot: 2
Total 0 connection matched.
Table 1 Output description
Field            Description
Username         Username of the connection, in the format username@domain
IP               IPv4 address of the user
IPv6             IPv6 address of the user
Access           User access type
ACL Group        Authorization ACL group. Disable means no authorization ACL group is assigned.
User Profile     Authorization user profile
CAR(kbps)        Authorized CAR parameters
UpPeakRate       Uplink peak rate
DnPeakRate       Downlink peak rate
UpAverageRate    Uplink average rate
DnAverageRate    Downlink average rate
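As an added example that is not part of the manual, the following Python script parses display connection output into one record per connection (keeping the IRF slot each connection was listed under) and builds the matching cut connection command, preferring ucibindex whenever the username contains a space, a forward slash or a backward slash, which the manual says cannot be matched by cut connection user-name. The sample output is constructed after the manual's own example; the second connection is invented.

```python
import re

# Constructed sample of "display connection ucibindex" output (second entry invented).
SAMPLE_OUTPUT = """\
Slot: 0
Index=0 , Username=telnet@system
IP=10.0.0.1
IPv6=N/A
Access=Admin ,AuthMethod=PAP
Port Type=Virtual ,Port Name=N/A
Initial VLAN=999, Authorized VLAN=20
Start=2011-05-16 10:53:03 ,Current=2011-05-16 10:57:06 ,Online=00h04m03s
Total 1 connection matched.
Slot: 1
Index=7 , Username=aaa\\bbb
IP=10.0.0.2
Total 1 connection matched.
"""

# One "Key=Value" pair; keys may contain spaces, values run up to the next comma.
FIELD_RE = re.compile(r"\s*([A-Za-z0-9 ]+?)\s*=\s*([^,]*?)\s*(?:,|$)")

def parse_connections(text):
    """Return one dict per connection, tagged with the IRF slot it was listed under."""
    conns, slot, current = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Slot:"):
            slot = int(line.split(":", 1)[1])
            current = None
        elif line.startswith("Index="):
            current = {"Slot": slot}
            conns.append(current)
        if current is None or line.startswith("Total"):
            continue
        for key, value in FIELD_RE.findall(line):
            current[key] = value
    return conns

def can_cut_by_username(username):
    """Per the manual, 802.1X usernames containing spaces, or using '/' or '\\' as
    the domain delimiter, cannot be torn down with 'cut connection user-name'."""
    return not any(ch in username for ch in " /\\")

def cut_command(conn):
    """Build the tear-down command; fall back to the connection index, which
    identifies the session regardless of how the username is written."""
    if can_cut_by_username(conn["Username"]):
        return "cut connection user-name %s" % conn["Username"]
    return "cut connection ucibindex %s slot %d" % (conn["Index"], conn["Slot"])
```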

display domain

Syntax
display domain [ isp-name ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
isp-name: Name of an existing ISP domain, a string of 1 to 24 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see the Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display domain command to display the configuration information of ISP domains.
Related commands: access-limit enable, domain, and state.
Examples
# Display the configuration information of all ISP domains.
<Sysname> display domain
0 Domain : system
State : Active
Access-limit : Disabled
Accounting method : Required
Default authentication scheme : local
Default authorization scheme : local
Default accounting scheme : local
Domain User Template:
Idle-cut : Disabled
Self-service : Disabled
Authorization attributes :
1 Domain : test
State : Active
Access-limit : Disabled
Accounting method : Required
Default authentication scheme : local
Default authorization scheme : local
Default accounting scheme : local
Lan-access authentication scheme : radius:test, local
Lan-access authorization scheme : hwtacacs:hw, local
Lan-access accounting scheme : local
Domain User Template:
Idle-cut : Disabled
Self-service : Disabled
Authorization attributes :
User-profile : profile1
Default Domain Name: system
Total 2 domain(s).
Table 2 Output description
Field                              Description
Domain                             Domain name
State                              Status of the domain (active or block)
Access-limit                       Limit on the number of user connections
Accounting method                  Accounting method (either required or optional)
Default authentication scheme      Default authentication method
Default authorization scheme       Default authorization method
Default accounting scheme          Default accounting method
Lan-access authentication scheme   Authentication method for LAN users