HP 5920 & 5900 Switch Series


HP 5920 & 5900 Switch Series
Security Command Reference

Part number:
Software version: Release2208
Document version: 6W

Legal and notice information

Copyright 2013 Hewlett-Packard Development Company, L.P.

No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Contents

AAA commands
  General AAA commands: access-limit enable, accounting command, accounting default, accounting lan-access, accounting login, authentication default, authentication lan-access, authentication login, authentication super, authorization command, authorization default, authorization lan-access, authorization login, display domain, domain, domain default enable, state (ISP domain view)
  Local user commands: authorization-attribute, bind-attribute, display local-user, display user-group, group, local-user, password, service-type, state (local user view), user-group
  RADIUS commands: accounting-on enable, data-flow-format (RADIUS scheme view), display radius scheme, display radius statistics, key (RADIUS scheme view), nas-ip (RADIUS scheme view), primary accounting (RADIUS scheme view), primary authentication (RADIUS scheme view), radius nas-ip, radius scheme, radius session-control enable, reset radius statistics, retry, retry realtime-accounting, secondary accounting (RADIUS scheme view), secondary authentication (RADIUS scheme view), security-policy-server, state primary, state secondary, timer quiet (RADIUS scheme view), timer realtime-accounting (RADIUS scheme view), timer response-timeout (RADIUS scheme view), user-name-format (RADIUS scheme view), vpn-instance (RADIUS scheme view)
  HWTACACS commands: data-flow-format (HWTACACS scheme view), display hwtacacs scheme, hwtacacs nas-ip, hwtacacs scheme, key (HWTACACS scheme view), nas-ip (HWTACACS scheme view), primary accounting (HWTACACS scheme view), primary authentication (HWTACACS scheme view), primary authorization, reset hwtacacs statistics, secondary accounting (HWTACACS scheme view), secondary authentication (HWTACACS scheme view), secondary authorization, timer quiet (HWTACACS scheme view), timer realtime-accounting (HWTACACS scheme view), timer response-timeout (HWTACACS scheme view), user-name-format (HWTACACS scheme view), vpn-instance (HWTACACS scheme view)
  LDAP commands: authentication-server, display ldap scheme, ip, ipv6, ldap scheme, ldap server, login-dn, login-password, protocol-version, search-base-dn, search-scope, server-timeout, user-parameters

802.1X commands: display dot1x, dot1x, dot1x authentication-method, dot1x handshake, dot1x mandatory-domain, dot1x max-user, dot1x multicast-trigger, dot1x port-control, dot1x port-method, dot1x quiet-period, dot1x re-authenticate, dot1x retry, dot1x timer, dot1x unicast-trigger, reset dot1x statistics

MAC authentication commands: display mac-authentication, mac-authentication, mac-authentication domain, mac-authentication max-user, mac-authentication timer, mac-authentication user-name-format, reset mac-authentication statistics

Port security commands: display port-security, display port-security mac-address block, display port-security mac-address security, port-security authorization ignore, port-security enable, port-security intrusion-mode, port-security mac-address security, port-security max-mac-count, port-security ntk-mode, port-security oui, port-security port-mode, port-security timer autolearn aging, port-security timer disableport

Password control commands: display password-control, display password-control blacklist, password-control { aging | composition | history | length } enable, password-control aging, password-control alert-before-expire, password-control complexity, password-control composition, password-control enable, password-control expired-user-login, password-control history, password-control length, password-control login idle-time, password-control login-attempt, password-control super aging, password-control super composition, password-control super length, password-control update-interval, reset password-control blacklist, reset password-control history-record

Public key management commands: display public-key local public, display public-key peer, peer-public-key end, public-key local create, public-key local destroy, public-key local export dsa, public-key local export rsa, public-key peer, public-key peer import sshkey

PKI commands: attribute, ca identifier, certificate request entity, certificate request from, certificate request mode, certificate request polling, certificate request url, common-name, country, crl check, crl url, display pki certificate access-control-policy, display pki certificate attribute-group, display pki certificate domain, display pki certificate request-status, display pki crl, fqdn, ip, ldap-server, locality, organization, organization-unit, pki abort-certificate-request, pki certificate access-control-policy, pki certificate attribute-group, pki delete-certificate, pki domain, pki entity, pki export, pki import, pki request-certificate, pki retrieve-certificate, pki retrieve-crl, pki storage, pki validate-certificate, public-key dsa, public-key ecdsa, public-key rsa, root-certificate fingerprint, rule, source, state, usage

SSH commands
  SSH server configuration commands: display ssh server, display ssh user-information, sftp server enable, sftp server idle-timeout, ssh server acl, ssh server ipv6 acl, ssh server authentication-retries, ssh server authentication-timeout, ssh server compatible-ssh1x enable, ssh server enable, ssh server rekey-interval, ssh user
  SSH client configuration commands: bye, cd, cdup, delete, dir, display sftp client source, display ssh client source, exit, get, help, ls, mkdir, put, pwd, quit, remove, rename, rmdir, scp, scp ipv6, sftp, sftp client ipv6 source, sftp client source, sftp ipv6, ssh client ipv6 source, ssh client source, ssh2, ssh2 ipv6

SSL commands
  SSL server policy configuration commands: ciphersuite, client-verify enable, display ssl server-policy, pki-domain (SSL server policy view), session cachesize, ssl server-policy
  SSL client policy configuration commands: display ssl client-policy, pki-domain (SSL client policy view), prefer-cipher, server-verify enable, ssl client-policy, version

IP source guard commands: display ip source binding, display ipv6 source binding static, ip source binding, ip verify source, ipv6 source binding, ipv6 verify source, reset ip source binding, reset ipv6 source binding

ARP attack protection commands
  Unresolvable IP attack protection commands: arp resolving-route enable, arp source-suppression enable, arp source-suppression limit, display arp source-suppression
  ARP packet rate limit commands: arp rate-limit
  Source MAC based ARP attack detection commands: arp source-mac, arp source-mac aging-time, arp source-mac exclude-mac, arp source-mac threshold, display arp source-mac
  ARP packet source MAC consistency check commands: arp valid-check enable
  ARP active acknowledgement commands: arp active-ack enable
  ARP detection commands: arp detection enable, arp detection trust, arp detection validate, arp restricted-forwarding enable, display arp detection, display arp detection statistics, reset arp detection statistics
  ARP automatic scanning and fixed ARP commands: arp fixup, arp scan
  ARP gateway protection commands: arp filter source
  ARP filtering commands: arp filter binding

uRPF commands: ip urpf, display ip urpf

FIPS commands: fips mode enable, fips self-test, display fips status

IPsec commands: ah authentication-algorithm, description, display ipsec { ipv6-policy | policy }, display ipsec { ipv6-policy-template | policy-template }, display ipsec profile, display ipsec sa, display ipsec statistics, display ipsec transform-set, display ipsec tunnel, encapsulation-mode, esp authentication-algorithm, esp encryption-algorithm, ike-profile, ipsec anti-replay check, ipsec anti-replay window, ipsec decrypt-check enable, ipsec logging packet enable, ipsec df-bit, ipsec global-df-bit, ipsec { ipv6-policy | policy } (interface view), ipsec { ipv6-policy | policy } (system view), ipsec { ipv6-policy | policy } isakmp template, ipsec { ipv6-policy | policy } local-address, ipsec { ipv6-policy-template | policy-template } policy-template, ipsec profile, ipsec sa global-duration, ipsec sa idle-time, ipsec transform-set, local-address, pfs, protocol, qos pre-classify, remote-address, reset ipsec sa, reset ipsec statistics, sa duration, sa hex-key authentication, sa hex-key encryption, sa idle-time, sa spi, sa string-key, security acl, transform-set

IKE commands: authentication-algorithm, authentication-method, certificate domain, dh, display ike proposal, display ike sa, dpd, encryption-algorithm, exchange-mode, ike dpd, ike identity, ike invalid-spi-recovery enable, ike keepalive interval, ike keepalive timeout, ike keychain, ike limit, ike nat-keepalive, ike profile, ike proposal, ike signature-identity from-certificate, inside-vpn, keychain, local-identity, match local address (IKE keychain view), match local address (IKE profile view), match remote, pre-shared-key, priority (IKE keychain view), priority (IKE profile view), proposal, reset ike sa, sa duration

Support and other resources: Contacting HP, Subscription service, Related information, Documents, Websites, Conventions

Index

AAA commands

The device supports the FIPS mode that complies with NIST FIPS requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

General AAA commands

access-limit enable

Use access-limit enable to set the maximum number of online users in an ISP domain. After the number of online users reaches the allowed maximum number, no more users are accepted.
Use undo access-limit enable to restore the default.

Syntax:
access-limit enable max-user-number
undo access-limit enable

Default: There is no limit to the number of online users in an ISP domain.

View: ISP domain view

Parameters:
max-user-number: Maximum number of online users that the ISP domain can accommodate. The value range is 1 to

Usage guidelines:
System resources are limited, and user connections may compete for network resources when there are excessive users. Setting a proper limit to the number of online users helps provide reliable system performance.

Examples:
# Set a limit of 500 user connections for ISP domain test.
[Sysname] domain test
[Sysname-isp-test] access-limit enable 500

Related commands:
display domain

accounting command

Use accounting command to specify the command line accounting method.
Use undo accounting command to restore the default.

Syntax:
accounting command hwtacacs-scheme hwtacacs-scheme-name
undo accounting command

Default: The default accounting method of the ISP domain is used for command line accounting.

View: ISP domain view

Parameters:
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines:
The command line accounting function cooperates with the accounting server to record all commands that have been successfully executed on the device. Command line accounting can use only a remote HWTACACS server.

Examples:
# Configure ISP domain test to use HWTACACS scheme hwtac for command line accounting.
[Sysname] domain test
[Sysname-isp-test] accounting command hwtacacs-scheme hwtac

Related commands:
accounting default
command accounting (Fundamentals Command Reference)
hwtacacs scheme

accounting default

Use accounting default to specify the default accounting method for an ISP domain.
Use undo accounting default to restore the default.

Syntax:
In non-FIPS mode:
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo accounting default
In FIPS mode:
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo accounting default

Default: The default accounting method of an ISP domain is local.

View: ISP domain view

Parameters:
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines:
The default accounting method is used for all users who support this method and do not have a specific accounting method configured.

Local accounting is only used for monitoring and controlling the number of local user connections, but does not provide the statistics function that the accounting feature generally provides.

You can specify multiple default accounting methods, one primary and multiple backup methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting default radius-scheme radius-scheme-name local none command specifies the primary default RADIUS accounting method and two backup accounting methods, local accounting and no accounting. With this command, the device performs RADIUS accounting by default, performs local accounting when the RADIUS server is invalid, and does not perform accounting when both of the previous methods are invalid.

Examples:
# Configure the default accounting method for ISP domain test to use RADIUS scheme rd and use local accounting as the backup.
[Sysname] domain test
[Sysname-isp-test] accounting default radius-scheme rd local

Related commands:
hwtacacs scheme
local-user
radius scheme

accounting lan-access

Use accounting lan-access to configure the accounting method for LAN users.
Use undo accounting lan-access to restore the default.

Syntax:
In non-FIPS mode:
accounting lan-access { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo accounting lan-access
In FIPS mode:
accounting lan-access { local | radius-scheme radius-scheme-name [ local ] }
undo accounting lan-access

Default: The default accounting method for the ISP domain is used for LAN users.

View: ISP domain view

Parameters:
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines:
You can specify multiple accounting methods, one primary and multiple backup methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup accounting methods, local accounting and no accounting. With this command, the device performs RADIUS accounting by default, performs local accounting when the RADIUS server is invalid, and does not perform accounting when both of the previous methods are invalid.

Examples:
# Configure ISP domain test to use local accounting for LAN users.
[Sysname] domain test
[Sysname-isp-test] accounting lan-access local

# Configure ISP domain test to use RADIUS accounting scheme rd for LAN users and use local accounting as the backup.
[Sysname] domain test
[Sysname-isp-test] accounting lan-access radius-scheme rd local

Related commands:
accounting default
local-user
radius scheme

accounting login

Use accounting login to specify the accounting method for login users.
Use undo accounting login to restore the default.

Syntax:
In non-FIPS mode:
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo accounting login
In FIPS mode:
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo accounting login

Default: The default accounting method of the ISP domain is used for login users.

View: ISP domain view

Parameters:
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines:
Accounting is not supported for login users who use FTP.

You can specify multiple default accounting methods, one primary and multiple backup methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting login radius-scheme radius-scheme-name local none command specifies a primary default RADIUS accounting method and two backup accounting methods, local accounting and no accounting. With this command, the device performs RADIUS accounting by default, performs local accounting when the RADIUS server is invalid, and does not perform accounting when both of the previous methods are invalid.

Examples:
# Configure ISP domain test to use local accounting for login users.
[Sysname] domain test
[Sysname-isp-test] accounting login local

# Configure ISP domain test to use RADIUS scheme rd for login user accounting and use local accounting as the backup.
[Sysname] domain test
[Sysname-isp-test] accounting login radius-scheme rd local

Related commands:
accounting default
hwtacacs scheme
local-user
radius scheme
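
Added example (not part of the HP documentation): a short Python audit that applies the fallback order and default inheritance described above to a saved configuration and reports every ISP domain whose effective method chain can fall through to none. It goes beyond the accounting commands and treats authentication and authorization lines the same way, since they use the same method-list form. The sample configuration and its assumed layout (a domain line, indented commands, # separators) are constructed for the example.

```python
"""Added example: flag ISP-domain AAA method chains that end in 'none'."""

SERVICES = ("authentication", "authorization", "accounting")
USER_TYPES = ("login", "lan-access")
SCHEME_KEYWORDS = ("hwtacacs-scheme", "radius-scheme", "ldap-scheme")

# Constructed sample. Assumed layout: a "domain <name>" line followed by
# indented commands, with "#" lines separating blocks.
SAMPLE_CONFIG = """\
#
domain test
 authentication default radius-scheme rd local
 authentication login radius-scheme rd local none
 authorization login radius-scheme rd local
 accounting default radius-scheme rd local
 accounting lan-access radius-scheme rd local none
#
domain lab
 authentication default radius-scheme rd none
#
"""


def parse_methods(tokens):
    """Turn ['radius-scheme', 'rd', 'local'] into an ordered method chain."""
    chain, i = [], 0
    while i < len(tokens):
        if tokens[i] in SCHEME_KEYWORDS:
            if i + 1 >= len(tokens):
                raise ValueError(f"{tokens[i]} needs a scheme name")
            # Scheme names are case-insensitive, so normalise them.
            chain.append((tokens[i], tokens[i + 1].lower()))
            i += 2
        elif tokens[i] in ("local", "none"):
            chain.append((tokens[i], None))
            i += 1
        else:
            raise ValueError(f"unexpected token {tokens[i]!r}")
    return chain


def parse_domains(config_text):
    """Return {domain: {(service, user_type): chain}} for each domain block."""
    domains, current = {}, None
    for raw in config_text.splitlines():
        parts = raw.split()
        if raw.startswith("domain ") and len(parts) == 2:
            current = domains.setdefault(parts[1], {})
        elif not raw.startswith(" "):
            current = None  # "#" or any other top-level line closes the block
        elif current is not None and len(parts) >= 3 and parts[0] in SERVICES:
            current[(parts[0], parts[1])] = parse_methods(parts[2:])
    return domains


def effective_chain(domain_cfg, service, user_type):
    """Resolve the chain a user type really gets: its own method, else the
    domain's '<service> default', else local (the documented default)."""
    for key in ((service, user_type), (service, "default")):
        if key in domain_cfg:
            return domain_cfg[key], key[1]
    return [("local", None)], "built-in"


def describe(chain):
    """Render a chain as 'radius-scheme rd -> local'."""
    return " -> ".join(k if n is None else f"{k} {n}" for k, n in chain)


def audit(config_text, fips_mode=False):
    """Return (domain, service, user_type, source, reason) for every
    effective chain that can fall through to 'none'."""
    findings = []
    for name, cfg in sorted(parse_domains(config_text).items()):
        for service in SERVICES:
            for user_type in USER_TYPES:
                chain, source = effective_chain(cfg, service, user_type)
                kinds = [kind for kind, _ in chain]
                if "none" not in kinds:
                    continue
                earlier = chain[:kinds.index("none")]
                if fips_mode:
                    reason = "none is not accepted in FIPS mode"
                elif not earlier:
                    reason = f"{service} is never performed"
                else:
                    reason = (f"no {service} once [{describe(earlier)}] "
                              "is invalid")
                findings.append((name, service, user_type, source, reason))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("%s: %s %s (from '%s'): %s" % finding)
```

In the sample, domain lab sets only a default chain, yet both login and LAN users are reported because they inherit it.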

authentication default

Use authentication default to specify the default authentication method for an ISP domain.
Use undo authentication default to restore the default.

Syntax:
In non-FIPS mode:
authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authentication default
In FIPS mode:
authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo authentication default

Default: The default authentication method of an ISP domain is local.

View: ISP domain view

Parameters:
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines:
The default authentication method is used for all users who support this method and do not have a specific authentication method configured.

You can specify multiple default authentication methods, one primary and multiple backup methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication default radius-scheme radius-scheme-name local none command specifies a primary default RADIUS authentication method and two backup authentication methods, local authentication and no authentication. With this command, the device performs RADIUS authentication by default, performs local authentication when the RADIUS server is invalid, and does not perform authentication when both of the previous methods are invalid.

Examples:
# Configure the default authentication method for ISP domain test to use RADIUS scheme rd and use local authentication as the backup.
[Sysname] domain test
[Sysname-isp-test] authentication default radius-scheme rd local

Related commands:
hwtacacs scheme
ldap scheme
local-user
radius scheme

authentication lan-access

Use authentication lan-access to configure the authentication method for LAN users.
Use undo authentication lan-access to restore the default.

Syntax:
In non-FIPS mode:
authentication lan-access { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authentication lan-access
In FIPS mode:
authentication lan-access { local | radius-scheme radius-scheme-name [ local ] }
undo authentication lan-access

Default: The default authentication method for the ISP domain is used for LAN users.

View: ISP domain view

Parameters:
local: Performs local authentication.

none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines:
You can specify multiple authentication methods, one primary and multiple backup methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup authentication methods, local authentication and no authentication. With this command, the device performs RADIUS authentication by default, performs local authentication when the RADIUS server is invalid, and does not perform authentication when both of the previous methods are invalid.

Examples:
# Configure ISP domain test to use local authentication for LAN users.
[Sysname] domain test
[Sysname-isp-test] authentication lan-access local

# Configure ISP domain test to use RADIUS authentication scheme rd for LAN users and use local authentication as the backup.
[Sysname] domain test
[Sysname-isp-test] authentication lan-access radius-scheme rd local

Related commands:
authentication default
local-user
radius scheme

authentication login

Use authentication login to specify the authentication method for login users.
Use undo authentication login to restore the default.

Syntax:
In non-FIPS mode:
authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authentication login
In FIPS mode:
authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo authentication login

Default: The default authentication method of the ISP domain is used for login users.

View: ISP domain view

Parameters:
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines:
You can specify multiple default authentication methods, one primary and multiple backup methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies the default primary RADIUS authentication method and two backup authentication methods, local authentication and no authentication. With this command, the device performs RADIUS authentication by default, performs local authentication when the RADIUS server is invalid, and does not perform authentication when both of the previous methods are invalid.

Examples:
# Configure ISP domain test to use local authentication for login users.
[Sysname] domain test
[Sysname-isp-test] authentication login local

# Configure ISP domain test to use RADIUS scheme rd for login users and use local authentication as the backup.
[Sysname] domain test
[Sysname-isp-test] authentication login radius-scheme rd local

Related commands:
authentication default
hwtacacs scheme
ldap scheme
local-user
radius scheme

authentication super

Use authentication super to specify the authentication method for user role switching.
Use undo authentication super to restore the default.

Syntax:
authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } *
undo authentication super

Default: The default authentication method of the ISP domain is used for user role switching authentication.

View: ISP domain view

Parameters:
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines:
You can specify one authentication method and one backup authentication method to use in case the previous authentication method is invalid.

If you specify a scheme to provide the method for user role switching authentication, the method applies only to users whose user role is in the format of level-n.

If an HWTACACS scheme is specified, the device uses the entered username for role switching authentication. The username must already exist on the HWTACACS server to represent the highest user level to be switched to. For example, to switch to a level-3 user role whose username is test, the device uses test@domain-name or test for role switching authentication, depending on whether the domain name is required.

If a RADIUS scheme is specified, the device uses the username $enabn$ on the RADIUS server for role switching authentication, where n is the same as that in the target user role. For example, to switch to a level-3 user role whose username is test, the device uses $enab3@domain-name$ or $enab3$ for role switching authentication, depending on whether the domain name is required.

Examples:
# Configure ISP domain test to use HWTACACS scheme tac for user role switching authentication.
[Sysname] super authentication-mode scheme
[Sysname] domain test
[Sysname-domain-test] authentication super hwtacacs-scheme tac

Related commands:
authentication default
hwtacacs scheme
radius scheme

authorization command

Use authorization command to specify the command authorization method.
Use undo authorization command to restore the default.

Syntax:
In non-FIPS mode:
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] | local [ none ] | none }
undo authorization command
In FIPS mode:
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local }
undo authorization command

Default: The default authorization method of the ISP domain is used for command authorization.

View: ISP domain view

Parameters:
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.

none: Does not perform authorization. An authenticated user gets the default user role. For more information about the default user role, see Fundamentals Configuration Guide.

Usage guidelines:
Command authorization restricts login users to execute only authorized commands by employing an authorization server to verify whether or not each entered command is permitted.

After login, users can access the command lines permitted by their authorized user roles.

You can specify one command authorization method and multiple backup authorization methods. When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization command hwtacacs-scheme hwtacacs-scheme-name local none command specifies the default HWTACACS authorization method and two backup authorization methods, local authorization and no authorization. With this command, the device performs HWTACACS authorization by default, performs local authorization when the HWTACACS server is invalid, and does not perform command authorization when both of the previous methods are invalid.

Examples:
# Configure ISP domain test to use local command authorization.
[Sysname] domain test
[Sysname-isp-test] authorization command local

# Configure ISP domain test to use HWTACACS scheme hwtac for command authorization and use local authorization as the backup authorization method.
[Sysname] domain test
[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local

Related commands:
authorization accounting (Fundamentals Command Reference)
hwtacacs scheme
local-user

authorization default

Use authorization default to specify the default authorization method for an ISP domain.
Use undo authorization default to restore the default.

Syntax:
In non-FIPS mode:
authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authorization default

In FIPS mode:
authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo authorization default

Default: The default authorization method of an ISP domain is local.

View: ISP domain view

Parameters:
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. After passing authentication, non-login users can access the network, FTP users can access the root directory of the device, and other login users get the default user role. For more information about the default user role, see Fundamentals Configuration Guide.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines:
The default authorization method is used for all users who support this method and do not have a specific authorization method configured.

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one authorization method and multiple backup authorization methods. When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization default radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup authorization methods, local authorization and no authorization. With this command, the device performs RADIUS authorization by default, performs local authorization when the RADIUS server is invalid, and does not perform authorization when both of the previous methods are invalid.

Examples:
# Configure the default authorization method for ISP domain test to use RADIUS scheme rd for user authorization and use local authorization as the backup.
[Sysname] domain test
[Sysname-isp-test] authorization default radius-scheme rd local

hwtacacs scheme
local-user
radius scheme

authorization lan-access

Use authorization lan-access to configure the authorization method for LAN users.

Use undo authorization lan-access to restore the default.

In non-FIPS mode:

authorization lan-access { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization lan-access

In FIPS mode:

authorization lan-access { local | radius-scheme radius-scheme-name [ local ] }

undo authorization lan-access

The default authorization method for the ISP domain is used for LAN users.

ISP domain view

local: Performs local authorization.

none: Does not perform authorization. An authenticated LAN user directly accesses the network.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

The RADIUS authorization configuration takes effect only when authentication and authorization methods of the ISP domain use the same RADIUS scheme.

You can specify multiple authorization methods, one primary and multiple backup methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup authorization methods, local authorization and no authorization. With this command, the device performs RADIUS authorization by default, performs local authorization when the RADIUS server is invalid, and does not perform authorization when both of the previous methods are invalid.

# Configure ISP domain test to use local authorization for LAN users.
[Sysname] domain test
[Sysname-isp-test] authorization lan-access local

# Configure ISP domain test to use RADIUS authorization scheme rd for LAN users and use local authorization as the backup.
[Sysname] domain test
[Sysname-isp-test] authorization lan-access radius-scheme rd local

authorization default
local-user
radius scheme

authorization login

Use authorization login to configure the authorization method for login users.

Use undo authorization login to restore the default.

In non-FIPS mode:

authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization login

In FIPS mode:

authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo authorization login

The default authorization method of the ISP domain is used for login users.

ISP domain view

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. After passing authentication, FTP users can access the root directory of the device, and other login users get the default user role. For more information about the default user role, see Fundamentals Configuration Guide.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one authorization method and multiple backup authorization methods. When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization login radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup authorization methods, local authorization and no authorization. With this command, the device performs RADIUS authorization by default, performs local authorization when the RADIUS server is invalid, and does not perform authorization when both of the previous methods are invalid.

# Configure ISP domain test to use local authorization for login users.
[Sysname] domain test
[Sysname-isp-test] authorization login local

# Configure ISP domain test to use RADIUS scheme rd for login user authorization and use local authorization as the backup.
[Sysname] domain test
[Sysname-isp-test] authorization login radius-scheme rd local

authorization default
hwtacacs scheme
local-user
radius scheme
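The backup-method and same-RADIUS-scheme rules described for authorization default, authorization lan-access and authorization login can be checked offline against a saved configuration. The following Python script is an added example, not part of the HP reference: it assumes the configuration is laid out with each domain line at column 0 and its settings indented, that authentication commands take the same method keywords, and that an unconfigured authentication method falls back to local like the authorization default stated above. The finding labels and the sample configuration are constructed for illustration.

```python
"""Audit ISP-domain authorization method chains (added example, hypothetical names)."""

SERVICES = ("login", "lan-access")
SCHEME_KEYWORDS = {"radius-scheme", "hwtacacs-scheme"}  # keywords followed by a scheme name

# Constructed sample in the indented layout this example assumes.
SAMPLE_CONFIG = """\
#
domain system
#
domain test
 authentication login radius-scheme rd local
 authorization login radius-scheme rd local
 authorization lan-access radius-scheme rd local none
#
domain guest
 authentication default radius-scheme rd1
 authorization default radius-scheme rd2 local
 authorization login none
#
domain default enable test
"""


def parse_methods(tokens):
    """['radius-scheme', 'rd', 'local'] -> [('radius-scheme', 'rd'), ('local', None)]."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] in SCHEME_KEYWORDS:
            if i + 1 >= len(tokens):
                raise ValueError("scheme keyword without a name: " + " ".join(tokens))
            # Scheme names are case-insensitive, so compare them in lower case.
            methods.append((tokens[i], tokens[i + 1].lower()))
            i += 2
        else:
            methods.append((tokens[i], None))
            i += 1
    return methods


def parse_domains(config_text):
    """Return {domain: {(phase, service): [methods]}} from 'domain <name>' blocks."""
    domains, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] == "domain" and len(words) == 2:
            current = domains.setdefault(words[1].lower(), {})
        elif not raw[0].isspace():
            current = None  # any other top-level line ends the ISP domain block
        elif (current is not None and len(words) >= 3
              and words[0] in ("authentication", "authorization")):
            current[(words[0], words[1])] = parse_methods(words[2:])
    return domains


def effective(settings, phase, service):
    """Service-specific chain if configured, else the domain default, else local."""
    return (settings.get((phase, service))
            or settings.get((phase, "default"))
            or [("local", None)])


def audit(config_text):
    """Return (domain, service, finding) tuples for risky authorization chains."""
    findings = []
    for name, settings in sorted(parse_domains(config_text).items()):
        for service in SERVICES:
            authz = effective(settings, "authorization", service)
            authn = effective(settings, "authentication", service)
            kinds = [kind for kind, _ in authz]
            # 'none' is absent from the FIPS-mode syntax; in non-FIPS mode it
            # means no authorization is performed once this method is reached.
            if kinds[0] == "none":
                findings.append((name, service, "NO_AUTHORIZATION"))
            elif "none" in kinds:
                findings.append((name, service, "FAIL_OPEN_BACKUP"))
            # RADIUS authorization takes effect only when authentication and
            # authorization use the same RADIUS scheme.
            authz_radius = {s for k, s in authz if k == "radius-scheme"}
            authn_radius = {s for k, s in authn if k == "radius-scheme"}
            if authz_radius and not authz_radius <= authn_radius:
                findings.append((name, service, "RADIUS_SCHEME_MISMATCH"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding)
```

In the sample, domain test is flagged for lan-access twice: the chain ends in none, and no authentication lan-access or authentication default line exists, so authentication resolves to local and the RADIUS authorization scheme rd has no matching authentication scheme.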

display domain

Use display domain to display the ISP domain configuration.

display domain [ isp-name ]

Any view

network-operator

isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters. If no ISP domain is specified, the command displays the configuration of all ISP domains.

# Display the configuration of all ISP domains.
<Sysname> display domain
Total 2 domain(s)

Domain:system
  State: Active
  Access-limit: Disable
  Access-Count: 0
  default Authentication Scheme: local
  default Authorization Scheme: local
  default Accounting Scheme: local

Domain:dm
  State: Active
  Access-limit: 2222
  Access-Count: 0
  login Authentication Scheme: radius: rad
  login Authorization Scheme: tacacs: hw
  default Authentication Scheme: ldap: rad, local, none
  default Authorization Scheme: local
  default Accounting Scheme: none

Domain Name: system

Table 1 Command output

Field | Description
Domain | ISP domain name.
State | Status of the ISP domain.
Access-limit | Limit to the number of user connections. If the number is not limited, this field displays Disabled.
Access-Count | Number of online users.
authentication scheme | authentication method.
authorization scheme | authorization method.
accounting scheme | accounting method.
Login authentication scheme | Authentication method for login users.
Login authorization scheme | Authorization method for login users.
Login accounting scheme | Accounting method for login users.
radius | RADIUS scheme.
tacacs | HWTACACS scheme.
ldap | LDAP scheme.
local | Local scheme.
none | No authentication, no authorization, or no accounting.
Command Authorization Scheme | Command line authorization method.
Command Accounting Scheme | Command line accounting method.
Super Authentication Scheme | Authentication method for user role switching.

domain

Use domain to create an ISP domain and enter its view.

Use undo domain to remove an ISP domain.

domain isp-name

undo domain isp-name

There is a system predefined ISP domain named system.

System view

isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

All ISP domains are in active state when they are created.

You cannot delete the system predefined ISP domain system, and can only modify its configuration.

To delete the ISP domain that is used as the default ISP domain, you must change it to a non-default ISP domain first by using the undo domain default enable command.

# Create ISP domain test and enter its view.
[Sysname] domain test
[Sysname-isp-test]

display domain
domain default enable
state (ISP domain view)

domain default enable

Use domain default enable to specify the default ISP domain. Users without any domain name carried in the usernames are considered in the default domain.

Use undo domain default enable to restore the default.

domain default enable isp-name

undo domain default enable

The default ISP domain is the system predefined ISP domain system.

System view

isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters.

There can be only one default ISP domain.

The specified ISP domain must already exist.

To delete the ISP domain that is used as the default ISP domain, you must change it to a non-default ISP domain first by using the undo domain default enable command.

# Create an ISP domain named test, and configure it as the default ISP domain.
[Sysname] domain test
[Sysname-isp-test] quit
[Sysname] domain default enable test

display domain
domain

state (ISP domain view)

Use state to set the status of an ISP domain.

Use undo state to restore the default.

state { active | block }

undo state

An ISP domain is in active state.

ISP domain view

active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.

block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services.

By blocking an ISP domain, you disable offline users of the domain from requesting network services. The online users are not affected.

# Place the ISP domain test to blocked state.
[Sysname] domain test
[Sysname-isp-test] state block

display domain

Local user commands

authorization-attribute

Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user.

Use undo authorization-attribute to restore the default.

authorization-attribute { acl acl-number | idle-cut minute | user-role role-name | vlan vlan-id | work-directory directory-name } *

undo authorization-attribute { acl | idle-cut | user-role role-name | vlan | work-directory } *

No authorization attribute is configured for a local user or user group.

Local user view, user group view

acl acl-number: Specifies the authorization ACL. The ACL number must be in the range of 2000 to After passing authentication, a local user can access the network resources specified by this ACL.

idle-cut minute: Sets the idle timeout period. With the idle cut function enabled, an online user whose idle period exceeds the specified idle timeout period is logged out. The minute argument must be in the range of 1 to 120 minutes.

user-role role-name: Specifies the authorized user role. The role-name argument is a case-sensitive string of 1 to 63 characters. The default user role for a local user created by a user is network-operator. Up to 64 user roles can be specified for a user. For user role-related commands, see Fundamentals Command Reference for RBAC commands. This option is available only in local user view, and is not available in user group view.

vlan vlan-id: Specifies the authorized VLAN. The vlan-id argument is in the range of 1 to After passing authentication and being authorized a VLAN, a local user can access only the resources in this VLAN.

work-directory directory-name: Specifies the work directory for FTP, SFTP, or SCP users. The directory-name argument is a case-insensitive string of 1 to 512 characters. The directory must already exist. By default, an FTP, SFTP, or SCP user can access the root directory of the device.

Every configurable authorization attribute has its definite application environments and purposes. Consider the service types of users when assigning authorization attributes:

For LAN users, only the authorization attributes acl, idle-cut, and vlan are effective.
For Telnet and terminal users, only the authorization attribute user-role is effective.
For SSH and FTP users, only the authorization attributes user-role and work-directory are effective.
For other types of local users, no authorization attribute is effective.

Authorization attributes configured for a user group are intended for all local users in the group. You can group local users to improve configuration and management efficiency.

An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view.

If only one user is playing the role of security log administrator in the system, you cannot delete the user account, or remove or change the user's role, unless you configure another user as a security log administrator first.

To make the user have only the user role authorized by this command, use the undo authorization-attribute user-role command to remove the predefined user roles.

# Configure the authorized VLAN of the network access user abc as VLAN 2.
[Sysname] local-user abc class network
[Sysname-luser-network-abc] authorization-attribute vlan 2

# Configure the authorized VLAN of user group abc as VLAN 3.
[Sysname] user-group abc
[Sysname-ugroup-abc] authorization-attribute vlan 3

display local-user
display user-group

bind-attribute

Use bind-attribute to configure binding attributes for a local user.

Use undo bind-attribute to remove binding attributes of a local user.

bind-attribute { ip ip-address | location port slot-number subslot-number port-number | mac mac-address | vlan vlan-id } *

undo bind-attribute { ip | location | mac | vlan } *

No binding attribute is configured for a local user.

Local user view

ip ip-address: Specifies the IP address of the user. This option applies only to 802.1X users.

location port slot-number subslot-number port-number: Specifies the port to which the user is bound. The slot-number argument is in the range of 0 to 255, the subslot-number argument is in the range of 0 to 15, and the port-number argument is in the range of 0 to 255. If the port that the user accesses is not the port to which the user is bound, the authentication fails. This option applies only to LAN users.

mac mac-address: Specifies the MAC address of the user in the format H-H-H. This option applies only to LAN users.

vlan vlan-id: Specifies the VLAN to which the user belongs. The vlan-id argument is in the range of 1 to This option applies only to LAN users.

Binding attributes are checked upon authentication of a local user. If the binding attributes of a local user do not match the configured ones, the user fails the checking and the authentication.

Binding attribute checking does not take the service types of the users into account. A configured binding attribute is effective for all types of users. Be cautious when deciding which binding attributes should be configured for which types of local users. For example, an IP address binding applies only to 802.1X authentication that supports IP address upload. If you configure an IP address binding for an authentication method that does not support IP address upload, for example, MAC authentication, the local authentication fails.

# Bind IP address with the network access user abc.
[Sysname] local-user abc class network
[Sysname-luser-network-abc] bind-attribute ip

display local-user

display local-user

Use display local-user to display the local user configuration and online user statistics.

display local-user [ class { manage | network } | idle-cut { disable | enable } | service-type { ftp | lan-access | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ]

Any view

network-operator

class: Specifies the local user type.
manage: Device management user.
network: Network access user.

idle-cut { disable | enable }: Specifies local users with the idle cut function disabled or enabled.

service-type: Specifies the local users who use a specified type of service.
ftp: FTP users.
lan-access: LAN users, mainly users accessing the network through an Ethernet, such as 802.1X users.
ssh: SSH users.
telnet: Telnet users.
terminal: Terminal users, users logging in through a console port.

state { active | block }: Specifies local users in active or blocked state. A local user in active state can access network services, but a local user in blocked state cannot.

user-name user-name: Specifies all local users using the specified username. The username must be a case-sensitive string of 1 to 55 characters that does not contain the domain name.

vlan vlan-id: Specifies all local users in a VLAN. The vlan-id argument is in the range of 1 to

If no parameter is specified, the command displays information about all local users.

# Display information about all local users.
<Sysname> display local-user
Total 2 local users matched.

Device management user root:
 State: Active
 Service Type: SSH/Telnet/Terminal
 User Group: system
 Bind Attributes:
 Authorization Attributes:
  Work Directory: flash:
  User Role List:
Network access user jj:
 State: Active
 Service Type: Lan-access
 User Group: system
 Bind Attributes:
  IP Address:
  Location Bound: 3/3/2 (slot/subslot/port)
  MAC Address:
  VLAN ID: 2
 Authorization Attributes:
  Idle TimeOut: 33 (min)
  Work Directory: flash:
  ACL Number: 2000
  User Role List: network-operator, level-0, level-3

Table 2 Command output

Field | Description
State | Status of the local user: active or blocked.
Service Type | Service types that the local user can use, including FTP, LAN access, SSH, Telnet, and terminal.
User Group | Group to which the local user belongs.
Bind attributes | Binding attributes of the local user.
Authorization attributes | Authorization attributes of the local user.
Idle TimeOut | Idle timeout period of the user, in minutes.
Work Directory | Directory that the FTP, SFTP, or SCP user can access.
ACL Number | Authorization ACL of the local user.
VLAN ID | Authorized VLAN of the local user.
User Role List | Authorized roles of the local user.

display user-group

Use display user-group to display the user group configuration.

display user-group [ group-name ]

Any view

network-operator

group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters. If no user group name is specified, the command displays the configuration of all user groups.

# Display the configuration of all user groups.
<Sysname> display user-group
Total 2 user groups matched.

The contents of user group system:
 Authorization Attributes:
  Work Directory: flash:
The contents of user group jj:
 Authorization Attributes:
  Idle TimeOut: 2 (min)
  Work Directory: flash:/
  ACL Number: 2000
  VLAN ID: 2

Table 3 Command output

Field | Description
Idle TimeOut | Idle timeout period, in minutes.
Work Directory | Directory that FTP/SFTP/SCP users in the group can access.
ACL Number | Authorization ACL.
VLAN ID | Authorized VLAN.

group

Use group to assign a local user to a user group.

Use undo group to restore the default.

group group-name

undo group

HP FlexFabric 5700 Switch Series

HP FlexFabric 5700 Switch Series HP FlexFabric 5700 Switch Series Security Command Reference Part number: 5998-6695 Software version: Release 2416 Document version: 6W100-20150130 Legal and notice information Copyright 2015 Hewlett-Packard

More information

HP Unified Wired-WLAN Products

HP Unified Wired-WLAN Products HP Unified Wired-WLAN Products Security Command Reference HP 830 Unified Wired-WLAN PoE+ Switch Series HP 850 Unified Wired-WLAN Appliance HP 870 Unified Wired-WLAN Appliance HP 11900/10500/7500 20G Unified

More information

H3C S5830V2 & S5820V2 Switch Series

H3C S5830V2 & S5820V2 Switch Series H3C S5830V2 & S5820V2 Switch Series Security Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release2108 Document version: 6W101-20120531 Copyright 2012, Hangzhou

More information

H3C S12500 Series Routing Switches

H3C S12500 Series Routing Switches H3C S12500 Series Routing Switches Security Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: S12500-CMW710-R7128 Document version: 6W710-20121130 Copyright 2012,

More information

Contents. Configuring SSH 1

Contents. Configuring SSH 1 Contents Configuring SSH 1 Overview 1 How SSH works 1 SSH authentication methods 2 SSH support for Suite B 3 FIPS compliance 3 Configuring the device as an SSH server 4 SSH server configuration task list

More information

HP 5120 SI Switch Series

HP 5120 SI Switch Series HP 5120 SI Switch Series Security Configuration Guide Part number: 5998-1815 Software version: Release 1505 Document version: 6W102-20121111 Legal and notice information Copyright 2012 Hewlett-Packard

More information

HP Unified Wired-WLAN Products

HP Unified Wired-WLAN Products HP Unified Wired-WLAN Products Security Configuration Guide HP 830 Unified Wired-WLAN PoE+ Switch Series HP 850 Unified Wired-WLAN Appliance HP 870 Unified Wired-WLAN Appliance HP 11900/10500/7500 20G

More information

About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified Wired-WLAN Module

About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified Wired-WLAN Module About the HP 830 Series Switch and HP 10500/7500 20G Unified Module s Part number: 5998-3903 Software version: 3308P29 (HP 830 Series Switch) 2308P29 (HP 10500/7500 20G Unified Module) Document version:

More information

About the Configuration Guides for HP Unified

About the Configuration Guides for HP Unified About the Configuration Guides for HP Unified Wired-W Products HP 830 Unified Wired-W PoE+ Switch Series HP 850 Unified Wired-W Appliance HP 870 Unified Wired-W Appliance HP 11900/10500/7500 20G Unified

More information

HP A5820X & A5800 Switch Series Security. Configuration Guide. Abstract

HP A5820X & A5800 Switch Series Security. Configuration Guide. Abstract HP A5820X & A5800 Switch Series Security Configuration Guide Abstract This document describes the software features for the HP A Series products and guides you through the software configuration procedures.

More information

HP VSR1000 Virtual Services Router

HP VSR1000 Virtual Services Router HP VSR1000 Virtual Services Router Layer 2 - WAN Access Configuration Guide Part number: 5998-6023 Software version: VSR1000_HP-CMW710-R0202-X64 Document version: 6W100-20140418 Legal and notice information

More information

Appendix A Command Index

Appendix A Command Index Appendix A Command Index The command index includes all the commands in the Command Manual, which are arranged alphabetically. A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A aaa nas-id profile 21-AAA

More information

HP 6125 Blade Switch Series

HP 6125 Blade Switch Series HP 6125 Blade Switch Series About the HP 6125 Blade Command s Part number: 5998-3163 Software version: Release 2103 Document version: 6W100-20120907 Legal and notice information Copyright 2012 Hewlett-Packard

More information

HP 6125 Blade Switch Series

HP 6125 Blade Switch Series HP 6125 Blade Switch Series About the HP 6125 Blade s Part number: 5998-3152 Software version: Release 2103 Document version: 6W100-20120907 Legal and notice information Copyright 2012 Hewlett-Packard

More information

HP Load Balancing Module

HP Load Balancing Module HP Load Balancing Module Load Balancing Configuration Guide Part number: 5998-4218 Software version: Feature 3221 Document version: 6PW100-20130326 Legal and notice information Copyright 2013 Hewlett-Packard

More information

HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls

HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls VPN Configuration Guide Part number:5998-2652 Document version: 6PW100-20110909 Legal and notice information Copyright 2011 Hewlett-Packard Development Company,

More information

HP Unified Wired-WLAN Products

HP Unified Wired-WLAN Products HP Unified Wired-WLAN Products WLAN Configuration Guide HP 830 Unified Wired-WLAN PoE+ Switch Series HP 850 Unified Wired-WLAN Appliance HP 870 Unified Wired-WLAN Appliance HP 11900/10500/7500 20G Unified

More information

Operation Manual Security. Table of Contents

Operation Manual Security. Table of Contents Table of Contents Table of Contents Chapter 1 802.1x Configuration... 1-1 1.1 802.1x Overview... 1-1 1.1.1 802.1x Standard Overview... 1-1 1.1.2 802.1x System Architecture... 1-1 1.1.3 802.1x Authentication

More information

About the HP MSR Router Series

About the HP MSR Router Series About the HP MSR Router Series Command (V7) Part number: 5998-7731b Software version: CMW710-R0304 Document version: 6PW104-20150914 Legal and notice information Copyright 2015 Hewlett-Packard Development

More information

HP Load Balancing Module

HP Load Balancing Module HP Load Balancing Module System Management Configuration Guide Part number: 5998-4216 Software version: Feature 3221 Document version: 6PW100-20130326 Legal and notice information Copyright 2013 Hewlett-Packard

More information

Operation Manual AAA RADIUS HWTACACS H3C S5500-EI Series Ethernet Switches. Table of Contents

Operation Manual AAA RADIUS HWTACACS H3C S5500-EI Series Ethernet Switches. Table of Contents Table of Contents Table of Contents... 1-1 1.1 AAA/RADIUS/HWTACACS Over... 1-1 1.1.1 Introduction to AAA... 1-1 1.1.2 Introduction to RADIUS... 1-3 1.1.3 Introduction to HWTACACS... 1-9 1.1.4 Protocols

More information

HP High-End Firewalls

HP High-End Firewalls HP High-End Firewalls Access Control Configuration Guide Part number: 5998-2648 Software version: F1000-A-EI&F1000-S-EI: R3721 F5000: F3210 F1000-E: F3171 Firewall module: F3171 Document version: 6PW101-20120719

More information

HP A5820X & A5800 Switch Series MPLS. Configuration Guide. Abstract

HP A5820X & A5800 Switch Series MPLS. Configuration Guide. Abstract HP A5820X & A5800 Switch Series MPLS Configuration Guide Abstract This document describes the software features for the HP 5820X & 5800 Series products and guides you through the software configuration

More information

Table of Contents. 4 System Guard Configuration 4-1 System Guard Overview 4-1 Guard Against IP Attacks 4-1 Guard Against TCN Attacks 4-1

Table of Contents. 4 System Guard Configuration 4-1 System Guard Overview 4-1 Guard Against IP Attacks 4-1 Guard Against TCN Attacks 4-1 Table of Contents 1 802.1x Configuration 1-1 Introduction to 802.1x 1-1 Architecture of 802.1x Authentication 1-1 The Mechanism of an 802.1x Authentication System 1-3 Encapsulation of EAPoL Messages 1-3

More information

HP High-End Firewalls

HP High-End Firewalls HP High-End Firewalls NAT and ALG Command Reference Part number: 5998-2639 Software version: F1000-E/Firewall module: R3166 F5000-A5: R3206 Document version: 6PW101-20120706 Legal and notice information

More information

HP 5820X & 5800 Switch Series Network Management and Monitoring. Configuration Guide. Abstract

HP 5820X & 5800 Switch Series Network Management and Monitoring. Configuration Guide. Abstract HP 5820X & 5800 Switch Series Network Management and Monitoring Configuration Guide Abstract This document describes the software features for the HP 5820X & 5800 Series products and guides you through

More information

HP Load Balancing Module

HP Load Balancing Module HP Load Balancing Module Security Configuration Guide Part number: 5998-2686 Document version: 6PW101-20120217 Legal and notice information Copyright 2012 Hewlett-Packard Development Company, L.P. No part

More information

HP 3600 v2 Switch Series

HP 3600 v2 Switch Series HP 3600 v2 Switch Series Layer 3 - IP Services Configuration Guide Part number: 5998-2351 Software version: Release 2108P01 Document version: 6W100-20131130 Legal and notice information Copyright 2013

More information

Table of Contents 1 IKE 1-1

Table of Contents 1 IKE 1-1 Table of Contents 1 IKE 1-1 IKE Overview 1-1 Security Mechanism of IKE 1-1 Operation of IKE 1-1 Functions of IKE in IPsec 1-2 Relationship Between IKE and IPsec 1-3 Protocols 1-3 Configuring IKE 1-3 Configuration

More information

Configuration - Security

Configuration - Security Release: Document Revision: 5.3 01.01 www.nortel.com NN46240-600 324564-A Rev01 Release: 5.3 Publication: NN46240-600 Document Revision: 01.01 Document status: Standard Document release date: 30 March

More information

HP FlexFabric 5930 Switch Series

HP FlexFabric 5930 Switch Series HP FlexFabric 5930 Switch Series Layer 3 IP Services Command Reference Part number: 5998-4568 Software version: Release 2406 & Release 2407P01 Document version: 6W101-20140404 Legal and notice information

More information

HP 5120 SI Switch Series

HP 5120 SI Switch Series HP 5120 SI Switch Series Layer 2 - LAN Switching Configuration Guide Part number: 5998-1807 Software version: Release 1513 Document version: 6W100-20130830 Legal and notice information Copyright 2013 Hewlett-Packard

More information

Appendix A Command Index A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Appendix A Command Index A B C D E F G H I J K L M N O P Q R S T U V W X Y Z The command index includes all the commands in the Comware Command Manual, which are arranged alphabetically. A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A access-limit accounting accounting optional

More information

Configuring ARP attack protection 1

Configuring ARP attack protection 1 Contents Configuring ARP attack protection 1 ARP attack protection configuration task list 1 Configuring unresolvable IP attack protection 1 Configuring ARP source suppression 2 Configuring ARP blackhole

More information

HP 6125G & 6125G/XG Blade Switches

HP 6125G & 6125G/XG Blade Switches HP 6125G & 6125G/XG Blade Switches Network Management and Monitoring Configuration Guide Part number: 5998-3162b Software version: Release 2103 and later Document version: 6W103-20151020 Legal and notice

More information

HP A5500 EI & A5500 SI Switch Series Network Management and Monitoring. Configuration Guide. Abstract

HP A5500 EI & A5500 SI Switch Series Network Management and Monitoring. Configuration Guide. Abstract HP A5500 EI & A5500 SI Switch Series Network Management and Monitoring Configuration Guide Abstract This document describes the software features for the HP A Series products and guides you through the

More information

HP 5120 SI Switch Series

HP 5120 SI Switch Series HP 5120 SI Switch Series Network Management and Monitoring Configuration Guide Part number: 5998-1813 Software version: Release 1505 Document version: 6W102-20121111 Legal and notice information Copyright

More information

Table of Contents 1 AAA Overview AAA Configuration 2-1

Table of Contents 1 AAA Overview AAA Configuration 2-1 Table of Contents 1 AAA Overview 1-1 Introduction to AAA 1-1 Authentication 1-1 Authorization 1-1 Accounting 1-2 Introduction to ISP Domain 1-2 Introduction to AAA Services 1-3 Introduction to RADIUS 1-3

More information

HPE FlexFabric 5950 Switch Series

HPE FlexFabric 5950 Switch Series HPE FlexFabric 5950 Switch Series About the HPE FlexFabric 5950 Configuration Guides Part number: 5200-0808 Software version: Release 6106 and later Document version: 6W100-20160513 Copyright 2016 Hewlett

More information

Table of Contents 1 SSH Configuration 1-1

Table of Contents 1 SSH Configuration 1-1 Table of Contents 1 SSH Configuration 1-1 SSH Overview 1-1 Introduction to SSH 1-1 Algorithm and Key 1-1 Asymmetric Key Algorithm 1-2 SSH Operating Process 1-2 Configuring the SSH Server 1-4 SSH Server

More information

HP 6125 Blade Switch Series

HP 6125 Blade Switch Series HP 6125 Blade Switch Series Network Management and Monitoring Configuration Guide Part number: 5998-3162 Software version: Release 2103 Document version: 6W100-20120907 Legal and notice information Copyright

More information

HP Routing Switch Series

HP Routing Switch Series HP 12500 Routing Switch Series EVI Configuration Guide Part number: 5998-3419 Software version: 12500-CMW710-R7128 Document version: 6W710-20121130 Legal and notice information Copyright 2012 Hewlett-Packard

More information

HP A5120 EI Switch Series IRF. Command Reference. Abstract

HP A5120 EI Switch Series IRF. Command Reference. Abstract HP A5120 EI Switch Series IRF Command Reference Abstract This document describes the commands and command syntax options available for the HP A Series products. This document is intended for network planners,

More information

HP 6125G & 6125G/XG Blade Switches

HP 6125G & 6125G/XG Blade Switches HP 6125G & 6125G/XG Blade Switches Layer 2 - LAN Switching Configuration Guide Part number:5998-3155a Software version: Release 2103 and later Document version: 6W102-20141218 Legal and notice information

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series OpenFlow Command Reference Part number: 5998-4679a Software version: Release 23xx Document version: 6W101-20150320 Legal and notice information Copyright 2015 Hewlett-Packard

HP 6125 Blade Switch Series HP 6125 Blade Switch Series Layer 3 - IP Services Configuration Guide Part number: 5998-3156 Software version: Release 2103 Document version: 6W100-20120907 Legal and notice information Copyright 2012

HP FlexFabric 5700 Switch Series HP FlexFabric 5700 Switch Series Layer 3 - IP Routing Configuration Guide Part number: 5998-6688 Software version: Release 2416 Document version: 6W100-20150130 Legal and notice information Copyright 2015

Operation Manual 802.1x. Table of Contents Table of Contents Table of Contents... 1-1 1.1 802.1x Overview... 1-1 1.1.1 Architecture of 802.1x... 1-1 1.1.2 Operation of 802.1x... 1-3 1.1.3 EAP Encapsulation over LANs... 1-4 1.1.4 EAP Encapsulation

H3C S5120-SI Series Ethernet Switches Security Configuration Guide H3C S5120-SI Series Ethernet Switches Security Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Copyright 2003-2010, Hangzhou H3C Technologies Co., Ltd. and its licensors All

Logging in to the CLI Contents Logging in to the CLI 1 Login methods 1 Logging in through the console port 2 Introduction 2 Configuration procedure 2 Logging in through the AUX port 5 Configuration prerequisites 5 Configuration

HPE FlexFabric 5950 Switch Series HPE FlexFabric 5950 Switch Series Security Configuration Guide Part number: 5200-0833 Software version: Release 6106 and later Document version: 6W100-20160513 Copyright 2016 Hewlett Packard Enterprise

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series Network Management and Monitoring Configuration Guide Part number: 5998-2900 Software version: Release 2210 Document version: 6W100-20131105 Legal and notice information Copyright

H3C SecPath Series Firewalls and UTM Devices H3C SecPath Series Firewalls and UTM Devices Attack Protection Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: F100 series: ESS 5132 F1000-A-EI: Feature 3722

HP VPN Firewall Appliances HP VPN Firewall Appliances High Availability Configuration Guide Part number: 5998-4169 Software version: F1000-A-EI/F1000-S-EI (Feature 3726) F1000-E (Release 3177) F5000 (Feature 3211) F5000-S/F5000-C

Controlled/uncontrolled port and port authorization status Contents 802.1X fundamentals 1 802.1X architecture 1 Controlled/uncontrolled port and port authorization status 1 802.1X-related protocols 2 Packet formats 2 EAP over RADIUS 4 Initiating 802.1X authentication

HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls NAT Configuration Guide Part number:5998-2649 Document version: 6PW100-20110909 Legal and notice information Copyright 2011 Hewlett-Packard Development Company,

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series MCE Configuration Guide Part number: 5998-2896 Software version: Release2207 Document version: 6W100-20121130 Legal and notice information Copyright 2012 Hewlett-Packard Development

Operation Manual Login and User Interface. Table of Contents Table of Contents Table of Contents Chapter 1 Switch Login... 1-1 1.1 Setting Up Configuration Environment Through the Console Port... 1-1 1.2 Setting Up Configuration Environment Through Telnet... 1-2

Table of Contents 1 AAA Overview AAA Configuration 2-1 Table of Contents 1 AAA Overview 1-1 Introduction to AAA 1-1 Authentication 1-1 Authorization 1-1 Accounting 1-2 Introduction to ISP Domain 1-2 Introduction to AAA Services 1-2 Introduction to RADIUS 1-2

Appendix A Command Index A B C D E F G H I J K L M N O P Q R S T U V W X Y Z The command index includes all the commands in the VRP Command Manual, which are arranged alphabetically. A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A access-limit 1-1 accounting QoS 2-1 accounting

ARP attack protection commands Contents ARP attack protection commands 1 Unresolvable IP attack protection commands 1 arp resolving-route enable 1 arp source-suppression enable 1 arp source-suppression limit 2 display arp source-suppression

HP 830 Series PoE+ Unified Wired-WLAN Switch Switching Engine HP 830 Series PoE+ Unified Wired-WLAN Switch Switching Engine Network Management and Monitoring Configuration Guide Part number: 5998-3936 Software version: 3308P26 Document version: 6W101-20130628 Legal

HP High-End Firewalls HP High-End Firewalls Attack Protection Configuration Guide Part number: 5998-2650 Software version: F1000-A-EI&F1000-S-EI: R3721 F5000: F3210 F1000-E: F3171 Firewall module: F3171 Document version: 6PW101-20120719

HP Firewalls and UTM Devices HP Firewalls and UTM Devices Access Control Command Reference Part number: 5998-4175 Software version: F1000-A-EI: Feature 3722 F1000-S-EI: Feature 3722 F5000: Feature 3211 F1000-E: Feature 3174 Firewall

HP A3100 v2 Switch Series HP A3100 v2 Switch Series Layer 2 - LAN Switching Configuration Guide HP A3100-8 v2 SI Switch (JG221A) HP A3100-16 v2 SI Switch (JG222A) HP A3100-24 v2 SI Switch (JG223A) HP A3100-8 v2 EI Switch (JD318B)

HP A3100 v2 Switch Series HP A3100 v2 Switch Series Layer 3 - IP Services Configuration Guide HP A3100-8 v2 SI Switch (JG221A) HP A3100-16 v2 SI Switch (JG222A) HP A3100-24 v2 SI Switch (JG223A) HP A3100-8 v2 EI Switch (JD318B)

HP FlexFabric 7900 Switch Series HP FlexFabric 7900 Switch Series MCE Configuration Guide Part number: 5998-6188 Software version: Release 2117 and Release 2118 Document version: 6W100-20140805 Legal and notice information Copyright 2014

HP FlexFabric 5930 Switch Series HP FlexFabric 5930 Switch Series Layer 3 - IP Services Configuration Guide Part number: 5998-4571 Software version: Release 2406 & Release 2407P01 Document version: 6W101-20140404 Legal and notice information

HP Load Balancing Module HP Load Balancing Module System Maintenance Configuration Guide Part number: 5998-4221 Software version: Feature 3221 Document version: 6PW100-20130326 Legal and notice information Copyright 2013 Hewlett-Packard

HP Load Balancing Module HP Load Balancing Module High Availability Configuration Guide Part number: 5998-2687 Document version: 6PW101-20120217 Legal and notice information Copyright 2012 Hewlett-Packard Development Company,

Configuring ARP attack protection 1 Contents Configuring ARP attack protection 1 ARP attack protection configuration task list 1 Configuring unresolvable IP attack protection 1 Configuring ARP source suppression 2 Configuring ARP blackhole

HP 5820X & 5800 Switch Series IRF. Command Reference. Abstract HP 5820X & 5800 Switch Series IRF Command Reference Abstract This document describes the commands and command syntax options available for the HP 5820X & 5800 Series products. This document is intended

Table of Contents X Configuration 1-1 Table of Contents 1 802.1X Configuration 1-1 802.1X Overview 1-1 Architecture of 802.1X 1-1 Authentication Modes of 802.1X 1-2 Basic Concepts of 802.1X 1-2 EAP over LAN 1-3 EAP over RADIUS 1-5 802.1X Authentication

HP FlexFabric 5930 Switch Series HP FlexFabric 5930 Switch Series MCE Configuration Guide Part number: 5998-4625 Software version: Release 2406 & Release 2407P01 Document version: 6W101-20140404 Legal and notice information Copyright

HPE FlexNetwork MSR Router Series HPE FlexNetwork MSR Router Series About the HPE MSR Router Series Command s Part number: 5998-8799 Software version: CMW710-R0305 Document version: 6PW106-20160308 Copyright 2016 Hewlett Packard Enterprise

HP 3600 v2 Switch Series HP 3600 v2 Switch Series Fundamentals Command Reference Part number: 5998-7608 Software version: Release 2110P02 Document version: 6W100-20150305 Legal and notice information Copyright 2015 Hewlett-Packard

HPE FlexNetwork MSR Router Series HPE FlexNetwork MSR Router Series About the HPE MSR Router Series Configuration Part number: 5998-8821 Software version: CMW710-R0305 Document version: 6PW106-20160308 Copyright 2016 Hewlett Packard Enterprise

Table of Contents 1 FTP and SFTP Configuration TFTP Configuration 2-1 Table of Contents 1 FTP and SFTP Configuration 1-1 Introduction to FTP and SFTP 1-1 Introduction to FTP 1-1 Introduction to SFTP 1-1 FTP Configuration 1-2 FTP Configuration: A Switch Operating as an FTP

HP 3100 v2 Switch Series HP 3100 v2 Switch Series ACL and QoS Configuration Guide HP 3100-8 v2 SI Switch (JG221A) HP 3100-16 v2 SI Switch (JG222A) HP 3100-24 v2 SI Switch (JG223A) HP 3100-8 v2 EI Switch (JD318B) HP 3100-16 v2

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series IRF Command Reference Part number: 5998-2881 Software version: Release2207 Document version: 6W100-20121130 Legal and notice information Copyright 2012 Hewlett-Packard Development

DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0 DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0 i Hangzhou DPtech Technologies Co., Ltd. provides full- range technical support. If you need any

HP MSR Router Series. EVI Configuration Guide(V7) Part number: b Software version: CMW710-R0304 Document version: 6PW HP MSR Router Series EVI Configuration Guide(V7) Part number: 5998-7360b Software version: CMW710-R0304 Document version: 6PW104-20150914 Legal and notice information Copyright 2015 Hewlett-Packard Development

Login management commands Contents Login management commands 1 CLI login configuration commands 1 display telnet client configuration 1 telnet 1 telnet ipv6 2 telnet server enable 3 User interface configuration commands 3 acl (user

HP 3600 v2 Switch Series HP 3600 v2 Switch Series IRF Configuration Guide Part number: 5998-2349a Software version: Release 2108P01 Document version: 6W100-20131130 Legal and notice information Copyright 2013 Hewlett-Packard Development

HP 5120 SI Switch Series HP 5120 SI Switch Series Layer 3 - IP Services Configuration Guide Part number: 5998-1807 Software version: Release 1513 Document version: 6W100-20130830 Legal and notice information Copyright 2013 Hewlett-Packard

HP MSR Router Series. Layer 2 LAN Switching Command Reference(V7) HP MSR Router Series Layer 2 LAN Switching Command Reference(V7) Part number: 5998-7738b Software version: CMW710-R0304 Document version: 6PW104-20150914 Legal and notice information Copyright 2015 Hewlett-Packard

User authentication configuration example 11 Command authorization configuration example 13 Command accounting configuration example 14 Contents Logging in to the CLI 1 Login methods 1 Logging in through the console or AUX port 2 Logging in through Telnet 5 Telnetting to the switch 5 Telnetting from the switch to another device 7 Logging

HP A6600 Routers Network Management and Monitoring. Command Reference. Abstract HP A6600 Routers Network Management and Monitoring Command Reference Abstract This document describes the commands and command syntax options available for the HP A Series products. This document is intended

H3C Intelligent Management Center H3C Intelligent Management Center TACACS+ Authentication Manager Administrator Guide New H3C Technologies Co., Ltd. http://www.h3c.com.hk Software version: IMC TAM 7.3 (E0501) Document version: 5PW105-20170515

CCNA Security 1.0 Student Packet Tracer Manual 1.0 Student Packet Tracer Manual This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and exclusive use by instructors

HP 3600 v2 Switch Series HP 3600 v2 Switch Series Fundamentals Command Reference Part number: 5998-2359 Software version: Release 2101 Document version: 6W101-20130930 Legal and notice information Copyright 2013 Hewlett-Packard

HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module WLAN Configuration Guide Part number: 5998-3905 Software version: 3308P29 (HP 830 Series PoE+ Unified Wired-WLAN

Wireless Data Privacy Configuration Guide. HP ProCurve Secure Access 700wl Series. Wireless Data Privacy Configuration Guide HP ProCurve Secure Access 700wl Series www.hp.com/go/hpprocurve HP PROCURVE SECURE ACCESS 700WL SERIES WIRELESS DATA PRIVACY CONFIGURATION GUIDE Copyright 2003

HP 5500 HI Switch Series HP 5500 HI Switch Series IRF Configuration Guide Part number: 5998-2376a Software version: Release 5203 and Release 5206 Document version: 6W102-20140228 Legal and notice information Copyright 2014 Hewlett-Packard

HP High-End Firewalls HP High-End Firewalls Getting Started Guide Part number: 5998-2646 Software version: F1000-A-EI&F1000-S-EI: R3721 F5000: F3210 F1000-E: F3171 Firewall module: F3171 Document version: 6PW101-20120719 Legal

Table of Contents X Configuration 1-1 Table of Contents 1 802.1X Configuration 1-1 802.1X Overview 1-1 Architecture of 802.1X 1-2 Authentication Modes of 802.1X 1-2 Basic Concepts of 802.1X 1-3 EAP over LAN 1-4 EAP over RADIUS 1-5 802.1X Authentication

Table of Contents. 1 TFTP Configuration Commands 1-1 TFTP Client Configuration Commands 1-1 tftp-server acl 1-1 tftp 1-2 tftp ipv6 1-3 Table of Contents 1 TFTP Configuration Commands 1-1 TFTP Client Configuration Commands 1-1 tftp-server acl 1-1 tftp 1-2 tftp ipv6 1-3 i 1 TFTP Configuration Commands TFTP Client Configuration Commands

HP 5120 EI Switch Series HP 5120 EI Switch Series Layer 3 - IP Routing Configuration Guide Part number: 5998-1793 Software version: Release 2220 Document version: 6W100-20130810 Legal and notice information Copyright 2013 Hewlett-Packard

PPP configuration commands Contents PPP configuration commands 1 ip address ppp-negotiate 1 ip pool 1 link-protocol ppp 2 ppp authentication-mode 2 ppp chap password 4 ppp chap user 5 ppp ipcp remote-address forced 5 ppp pap local-user

HP FlexFabric 12900E Switch Series HP FlexFabric 12900E Switch Series Software Upgrade Guide Part number: 5998-8368 Document version: 6W100-20150930 Legal and notice information Copyright 2015 Hewlett-Packard Development Company, L.P. No
