H3C S12500 Series Routing Switches

Transcription

1 H3C S12500 Series Routing Switches Security Command Reference Hangzhou H3C Technologies Co., Ltd. Software version: S12500-CMW710-R7128 Document version: 6W

2 Copyright 2012, Hangzhou H3C Technologies Co., Ltd. and its licensors All rights reserved Trademarks No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. H3C,, Aolynk,, H 3 Care,, TOP G,, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V 2 G, V n G, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. Notice All other trademarks that may be mentioned in this manual are the property of their respective owners The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

3 Preface The H3C S12500 documentation set includes 13 command references, which describe the commands and command syntax options available for the H3C S12500 Series Routing Switches. The Security Command Reference describes the commands for configuring, displaying, and maintaining identity authentication features (such as AAA), secure management features (such as SSH), and attack protection features (such as IP source guard, ARP attack protection, and urpf). This preface includes: Audience Conventions About the H3C S12500 documentation set Obtaining documentation Technical support Documentation feedback Audience This documentation is intended for: Network planners Field technical support and servicing engineers Network administrators working with the S12500 series Conventions This section describes the conventions used in this documentation set. Command conventions Convention Boldface Italic Description Bold text represents commands and keywords that you enter literally as shown. Italic text represents arguments that you replace with actual values. [ ] Square brackets enclose syntax choices (keywords or arguments) that are optional. { x y... } [ x y... ] { x y... } * [ x y... ] * &<1-n> Braces enclose a set of required syntax choices separated by vertical bars, from which you select one. Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none. Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one. Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none. The argument or keyword and argument combination before the ampersand (&) sign can

4 Convention Description be entered 1 to n times. # A line that starts with a pound (#) sign is comments. GUI conventions Convention Boldface Description Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK. > Multi-level menus are separated by angle brackets. For example, File > Create > Folder. Symbols Convention WARNING CAUTION IMPORTANT NOTE TIP Description An alert that calls attention to important information that if not understood or followed can result in personal injury. An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software. An alert that calls attention to essential information. An alert that contains additional or supplementary information. An alert that provides helpful information. Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your switch. About the H3C S12500 documentation set The H3C S12500 documentation set includes: Category Documents Purposes Marketing brochures Describe product specifications and benefits. Product description and specifications Hardware specifications and installation Technology white papers Card datasheets Regulatory compliance and safety information Installation guide Quick start H3C Pluggable SFP [SFP+][XFP] Transceiver Modules Installation Provide an in-depth description of software features and technologies. Describe card specifications, features, and standards. Provides regulatory information and the safety instructions that must be followed during installation. Provides a complete guide to hardware installation and hardware specifications. Guides you through initial installation and setup procedures to help you quickly set up and use your switch with the minimum configuration. Guides you through installing SFP/SFP+/XFP transceiver modules.

5 Category Documents Purposes Guide Software configuration Operations and maintenance Adjustable Slider Rail Installation Guide H3C High-End Network Products Hot-Swappable Module Manual Configuration guides Command references System log messages Trap messages MIB Companion Release notes Guides you through installing adjustable slider rails to a rack. Describes the hot-swappable modules available for the H3C high-end network products, their external views, and specifications. Describe software features and configuration procedures. Provide a quick reference to all available commands. Explains the system log messages. Explains the trap messages. Describes the MIBs for the software release. Provide information about the product release, including the version history, hardware and software compatibility matrix, version upgrade information, technical support information, and software upgrading. Obtaining documentation You can access the most up-to-date H3C product documentation on the World Wide Web at Click the links on the top navigation bar to obtain different categories of product documentation: [Technical Support & Documents > Technical Documents] Provides hardware installation, software upgrading, and software feature configuration and maintenance documentation. [Products & Solutions] Provides information about products and technologies, as well as solutions. [Technical Support & Documents > Software Download] Provides the documentation released with the software version. Technical support service@h3c.com Documentation feedback You can your comments about product documentation to info@h3c.com. We appreciate your comments.

6 Contents AAA commands 1 General AAA commands 1 access-limit enable 1 accounting command 1 accounting default 2 accounting login 3 authentication default 4 authentication login 6 authentication super 7 authorization command 8 authorization default 9 authorization login 10 display domain 11 domain 13 domain default enable 14 state (ISP domain view) 15 Local user commands 15 authorization-attribute (local user view/user group view) 15 display local-user 17 display user-group 19 group 20 local-user 20 password 22 service-type 23 state (local user view) 24 user-group 24 RADIUS commands 25 accounting-on enable 25 display radius scheme 26 display radius statistics 28 key (RADIUS scheme view) 30 nas-ip (RADIUS scheme view) 30 primary accounting (RADIUS scheme view) 31 primary authentication (RADIUS scheme view) 33 radius nas-ip 34 radius scheme 35 radius session-control enable 36 reset radius statistics 36 retry 37 retry realtime-accounting 38 secondary accounting (RADIUS scheme view) 39 secondary authentication (RADIUS scheme view) 40 state primary 42 state secondary 43 timer quiet (RADIUS scheme view) 44 timer realtime-accounting (RADIUS scheme view) 45 timer response-timeout (RADIUS scheme view) 46 user-name-format (RADIUS scheme view) 46 vpn-instance (RADIUS scheme view) 47 i

7 HWTACACS commands 48 display hwtacacs scheme 48 hwtacacs nas-ip 50 hwtacacs scheme 51 key (HWTACACS scheme view) 51 nas-ip (HWTACACS scheme view) 52 primary accounting (HWTACACS scheme view) 53 primary authentication (HWTACACS scheme view) 55 primary authorization 56 reset hwtacacs statistics 57 secondary accounting (HWTACACS scheme view) 58 secondary authentication (HWTACACS scheme view) 59 secondary authorization 61 timer quiet (HWTACACS scheme view) 62 timer realtime-accounting (HWTACACS scheme view) 63 timer response-timeout (HWTACACS scheme view) 64 user-name-format (HWTACACS scheme view) 64 vpn-instance (HWTACACS scheme view) 65 ARP attack protection commands 67 Unresolvable IP attack protection commands 67 arp resolving-route enable 67 arp source-suppression enable 67 arp source-suppression limit 68 display arp source-suppression 69 ARP packet rate limit commands 69 arp rate-limit 69 Source MAC based ARP attack detection commands 70 arp source-mac 70 arp source-mac aging-time 71 arp source-mac exclude-mac 71 arp source-mac threshold 72 display arp source-mac 73 ARP packet source MAC consistency check commands 74 arp valid-check enable 74 ARP active acknowledgement commands 74 arp active-ack enable 74 Authorized ARP commands 75 arp authorized enable 75 ARP detection commands 76 arp detection enable 76 arp detection trust 76 arp detection validate 77 arp restricted-forwarding enable 77 display arp detection 78 display arp detection statistics 78 reset arp detection statistics 79 ARP automatic scanning and fixed ARP commands 80 arp fixup 80 arp scan 81 ARP gateway protection commands 82 arp filter source 82 ARP filtering commands 82 arp filter binding 82 ii

8 IP source guard commands 84 display ip source binding 84 display ipv6 source binding 86 ip source binding 87 ip verify source 88 ipv6 source binding 89 ipv6 verify source 90 reset ip source binding 91 reset ipv6 source binding 92 SSH commands 94 SSH server configuration commands 94 display ssh server 94 display ssh user-information 95 sftp server enable 96 sftp server idle-timeout 97 ssh server acl 97 ssh server ipv6 acl 98 ssh server authentication-retries 99 ssh server authentication-timeout 100 ssh server compatible-ssh1x enable 101 ssh server enable 101 ssh server rekey-interval 102 ssh user 103 SSH client configuration commands 105 bye 105 cd 105 cdup 106 delete 106 dir 107 display sftp client source 108 display ssh client source 108 exit 109 get 109 help 110 ls 111 mkdir 112 put 112 pwd 113 quit 113 remove 113 rename 114 rmdir 114 scp 115 scp ipv6 117 sftp 119 sftp client ipv6 source 120 sftp client source 121 sftp ipv6 122 ssh client ipv6 source 124 ssh client source 125 ssh2 126 ssh2 ipv6 128 iii

9 urpf commands 130 ip urpf strict 130 display ip urpf 130 Public key management commands 132 display public-key local public 132 display public-key peer 136 peer-public-key end 137 public-key local create 138 public-key local destroy 141 public-key local export dsa 142 public-key local export rsa 144 public-key peer 146 public-key peer import sshkey 147 Password control commands 149 display password-control 149 display password-control blacklist 150 password-control { aging composition history length } enable 151 password-control aging 152 password-control alert-before-expire 153 password-control complexity 154 password-control composition 155 password-control enable 156 password-control expired-user-login 157 password-control history 158 password-control length 158 password-control login idle-time 159 password-control login-attempt 160 password-control super aging 162 password-control super composition 162 password-control super length 163 password-control update-interval 164 reset password-control blacklist 165 reset password-control history-record 165 Index 167 iv

10 AAA commands General AAA commands access-limit enable Use access-limit enable to set the maximum number of online users in an ISP domain. After the number of online users reaches the allowed maximum number, no more users are accepted. Use undo access-limit enable to restore the default. access-limit enable max-user-number undo access-limit enable There is no limit to the number of online users in an ISP domain. ISP domain view max-user-number: Maximum number of online users that the ISP domain can accommodate, in the range of 1 to System resources are limited, and user connections may compete for network resources when there are excessive users. Setting a proper limit to the number of online users helps provide reliable system performance. # Set a limit of 500 user connections for ISP domain test. [Sysname] domain test [Sysname-isp-test] access-limit enable 500 display domain accounting command Use accounting command to specify the command line accounting method. Use undo accounting command to restore the default. 1

11 accounting command hwtacacs-scheme hwtacacs-scheme-name undo accounting command The default accounting method of the ISP domain is used for command line accounting. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. The command line accounting function cooperates with the accounting server to record all commands that have been successfully executed on the device. Command line accounting can use only a remote HWTACACS server. # Configure ISP domain test to use HWTACACS scheme hwtac for command line accounting. [Sysname] domain test [Sysname-isp-test] accounting command hwtacacs-scheme hwtac accounting default command accounting (Fundamentals Command Reference) hwtacacs scheme accounting default Use accounting default to specify the default accounting method for an ISP domain. Use undo accounting default to restore the default. accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] local [ none ] none radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] } undo accounting default The default accounting method of an ISP domain is local. ISP domain view 2

12 hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local accounting. none: Does not perform accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. The default accounting method is used for all users who support this method and do not have a specific accounting method configured. Local accounting is only used for monitoring and controlling the number of local user connections, but does not provide the statistics function that the accounting feature generally provides. You can specify multiple default accounting methods, one primary and multiple backup methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting default radius-scheme radius-scheme-name local none command specifies the primary default RADIUS accounting method and two backup accounting methods, local accounting and no accounting. With this command, the device performs RADIUS accounting by default, performs local accounting when the RADIUS server is invalid, and does not perform accounting when both of the previous methods are invalid. # Configure the default accounting method for ISP domain test to use RADIUS scheme rd and use local accounting as the backup. [Sysname] domain test [Sysname-isp-test] accounting default radius-scheme rd local hwtacacs scheme local-user radius scheme accounting login Use accounting login to specify the accounting method for login users. Use undo accounting login to restore the default. accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] local [ none ] none radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] } undo accounting login 3

13 The default accounting method of the ISP domain is used for login users. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local accounting. none: Does not perform accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Accounting is not supported for login users who use FTP. You can specify multiple default accounting methods, one primary and multiple backup methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting login radius-scheme radius-scheme-name local none command specifies a primary default RADIUS accounting method and two backup accounting methods, local accounting and no accounting. With this command, the device performs RADIUS accounting by default, performs local accounting when the RADIUS server is invalid, and does not perform accounting when both of the previous methods are invalid. # Configure ISP domain test to use local accounting for login users. [Sysname] domain test [Sysname-isp-test] accounting login local # Configure ISP domain test to use RADIUS scheme rd for login user accounting and use local accounting as the backup. [Sysname] domain test [Sysname-isp-test] accounting login radius-scheme rd local accounting default hwtacacs scheme local-user radius scheme authentication default Use authentication default to specify the default authentication method for an ISP domain. 4

14 Use undo authentication default to restore the default. authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] ldap-scheme ldap-scheme-name [ local ] [ none ] local [ none ] none radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] } undo authentication default The default authentication method of an ISP domain is local. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters. The switch does not support this parameter. local: Performs local authentication. none: Does not perform authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. The default authentication method is used for all users who support this method and do not have a specific authentication method configured. You can specify multiple default authentication methods, one primary and multiple backup methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication default radius-scheme radius-scheme-name local none command specifies a primary default RADIUS authentication method and two backup authentication methods, local authentication and no authentication. With this command, the device performs RADIUS authentication by default, performs local authentication when the RADIUS server is invalid, and does not perform authentication when both of the previous methods are invalid. # Configure the default authentication method for ISP domain test to use RADIUS scheme rd and use local authentication as the backup. [Sysname] domain test [Sysname-isp-test] authentication default radius-scheme rd local hwtacacs scheme 5

15 local-user radius scheme authentication login Use authentication login to specify the authentication method for login users. Use undo authentication login to restore the default. authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] ldap-scheme ldap-scheme-name [ local ] [ none ] local [ none ] none radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] } undo authentication login The default authentication method of the ISP is used for login users. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters. The switch does not support this parameter. local: Performs local authentication. none: Does not perform authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. You can specify multiple default authentication methods, one primary and multiple backup methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies the default primary RADIUS authentication method and two backup authentication methods, local authentication and no authentication. With this command, the device performs RADIUS authentication by default, performs local authentication when the RADIUS server is invalid, and does not perform authentication when both of the previous methods are invalid. # Configure ISP domain test to use local authentication for login users. [Sysname] domain test [Sysname-isp-test] authentication login local 6

16 # Configure ISP domain test to use RADIUS scheme rd for login users and use local authentication as the backup. [Sysname] domain test [Sysname-isp-test] authentication login radius-scheme rd local authentication default hwtacacs scheme local-user radius scheme authentication super Use authentication super to specify the authentication method for user role switching. Use undo authentication super to restore the default. authentication super { hwtacacs-scheme hwtacacs-scheme-name radius-scheme radius-scheme-name } * undo authentication super The default authentication method of the ISP domain is used for user role switching authentication. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. You can specify one authentication method and one backup authentication method to use in case that the previous authentication method is invalid. If you specify a scheme to provide the method for user role switching authentication, the method applies only to users whose user role is in the format of level-n. If an HWTACACS scheme is specified, the device uses the entered username for role switching authentication. The username must already exist on the HWTACACS server to represent the highest user level to be switched to. For example, to switch to a level-3 user role whose username is test, the device uses test@domain-name or test for role switching authentication, depending on whether the domain name is required. 7

17 If a RADIUS scheme is specified, the device uses the username $enabn$ on the RADIUS server for role switching authentication, where n is the same as that in the target user role. For example, to switch to a level-3 user role whose username is test, the device uses $enab3@domain-name$ or $enab3$ for role switching authentication, depending on whether the domain name is required. # Configure ISP domain test to use HWTACACS scheme tac for user role switching authentication. [Sysname] super authentication-mode scheme [Sysname] domain test [Sysname-domain-test] authentication super hwtacacs-scheme tac authentication default hwtacacs scheme radius scheme authorization command Use authorization command to specify the command authorization method. Use undo authorization command to restore the default. authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] local [ none ] none } undo authorization command The default authorization method of the ISP domain is used for command authorization. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform authorization. An authenticated user gets the default user role. For more information about the default user role, see Fundamentals Configuration Guide. Command authorization restricts login users to execute only authorized commands by employing an authorization server to verify whether or not each entered command is permitted. After login, users can access the command lines permitted by their authorized user roles. 8

18 You can specify one command authorization method and multiple backup authorization methods. When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization command hwtacacs-scheme hwtacacs-scheme-name local none command specifies the default HWTACACS authorization method and two backup authorization methods, local authorization and no authorization. With this command, the device performs HWTACACS authorization by default, performs local authorization when the HWTACACS server is invalid, and does not perform command authorization when both of the previous methods are invalid. # Configure ISP domain test to use local command authorization. [Sysname] domain test [Sysname-isp-test] authorization command local # Configure ISP domain test to use HWTACACS scheme hwtac for command authorization and use local authorization as the backup authorization method. [Sysname] domain test [Sysname-isp-test] authorization command hwtacacs-scheme hwtac local authorization accounting (Fundamentals Command Reference) hwtacacs scheme local-user authorization default Use authorization default to specify the default authorization method for an ISP domain. Use undo authorization default to restore the default. authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] local [ none ] none radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] } undo authorization default The default authorization method of an ISP domain is local. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. 9

19 none: Does not perform authorization. After passing authentication, non-login users can access the network, FTP users can access the root directory of the device, and other login users get the default user role. For more information about the default user role, see Fundamentals Configuration Guide. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. The default authorization method is used for all users who support this method and do not have a specific authorization method are configured. The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme. You can specify one authorization method and multiple backup authorization methods. When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization default radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup authorization methods, local authorization and no authorization. With this command, the device performs RADIUS authorization by default, performs local authorization when the RADIUS server is invalid, and does not perform authorization when both of the previous methods are invalid. # Configure the default authorization method for ISP domain test to use RADIUS scheme rd for user authorization and use local authorization as the backup. [Sysname] domain test [Sysname-isp-test] authorization default radius-scheme rd local hwtacacs scheme local-user radius scheme authorization login Use authorization login to configure the authorization method for login users. Use undo authorization login to restore the default. authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] local [ none ] none radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] } undo authorization login The default authorization method of the ISP domain is used for login users. ISP domain view 10

20 hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform authorization. After passing authentication, FTP users can access the root directory of the device, and other login users get the default user role. For more information about the default user role, see Fundamentals Configuration Guide. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme. You can specify one authorization method and multiple backup authorization methods. When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization login radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup authorization methods, local authorization and no authorization. With this command, the device performs RADIUS authorization by default, performs local authorization when the RADIUS server is invalid, and does not perform authorization when both of the previous methods are invalid. # Configure ISP domain test to use local authorization for login users. [Sysname] domain test [Sysname-isp-test] authorization login local # Configure ISP domain test to use RADIUS scheme rd for login user authorization and use local authorization as the backup. [Sysname] domain test [Sysname-isp-test] authorization login radius-scheme rd local authorization default hwtacacs scheme local-user radius scheme display domain Use display domain to display the ISP domain configuration. display domain [ isp-name ] 11

21 Any view network-operator mdc-operator isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters. If no ISP domain is specified, the command displays the configuration of all ISP domains. # Display the configuration of all ISP domains. <Sysname> display domain Total 2 domain(s) Domain:system State: Active Access-limit: Disable Access-Count: 0 default Authentication Scheme: local default Authorization Scheme: local default Accounting Scheme: local Domain:bbb State: Active Access-limit: Disable Access-Count: 0 login Authentication Scheme: tacacs: hwtac login Authorization Scheme: tacacs: hwtac login Accounting Scheme: tacacs: hwtac default Authentication Scheme: local default Authorization Scheme: local default Accounting Scheme: local Domain Name: system Table 1 Command output Field Domain State Access-limit Description ISP domain name. Status of the ISP domain. Limit to the number of user connections. If the number is not limited, this field displays Disabled. 12

22 Field Access-Count authentication scheme authorization scheme accounting scheme Login authentication scheme Login authorization scheme Login accounting scheme radius tacacs local none Command Authorization Scheme Command Accounting Scheme Super Authentication Scheme Description Number of online users. authentication method. authorization method. accounting method. Authentication method for login users. Authorization method for login users. Accounting method for login users. RADIUS scheme. HWTACACS scheme. Local scheme. No authentication, no authorization, or no accounting. Command line authorization method. Command line accounting method. Authentication method for user role switching. domain Use domain to create an ISP domain and enter its view. Use undo domain to remove an ISP domain. domain isp-name undo domain isp-name There is a system predefined ISP domain named system. System view isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain slash (/), back slash (\), vertical bar ( ), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). All ISP domains are in active state when they are created. You cannot delete the system predefined ISP domain system, and can only modify its configuration. 13

23 To delete the ISP domain that is used as the default ISP domain, you must change it to a non-default ISP domain first by using the undo domain default enable command. # Create ISP domain test and enter its view. [Sysname] domain test [Sysname-isp-test] display domain domain default enable state domain default enable Use domain default enable to specify the default ISP domain. Users without any domain name carried in the usernames are considered in the default domain. Use undo domain default enable to restore the default. domain default enable isp-name undo domain default enable The default ISP domain is the system predefined ISP domain system. System view isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters. There can be only one default ISP domain. The specified ISP domain must already exist. To delete the ISP domain that is used as the default ISP domain, you must change it to a non-default ISP domain first by using the undo domain default enable command. # Create an ISP domain named test, and configure it as the default ISP domain. [Sysname] domain test [Sysname-isp-test] quit [Sysname] domain default enable test 14

24 display domain domain state (ISP domain view) Use state to set the status of an ISP domain. Use undo state to restore the default. state { active block } undo state An ISP domain is in active state. ISP domain view active: Places the ISP domain in active state to allow the users in the ISP domain to request network services. block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services. By blocking an ISP domain, you disable offline users of the domain from requesting network services. The online users are not affected. # Place the ISP domain test to blocked state. [Sysname] domain test [Sysname-isp-test] state block display domain Local user commands authorization-attribute (local user view/user group view) Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user. 15

25 Use undo authorization-attribute to restore the default. authorization-attribute { acl acl-number callback-number callback-number idle-cut minute user-profile profile-name user-role role-name vlan vlan-id work-directory directory-name } * undo authorization-attribute { acl callback-number idle-cut user-profile user-role role-name vlan work-directory } * No authorization attribute is configured for a local user or user group. Local user view, user group view acl acl-number: Specifies an authorization ACL in the range of 2000 to After passing authentication, a local user can access the network resources specified by this ACL. callback-number callback-number: Specifies the authorized PPP callback number. The callback-number argument is a case-sensitive string of 1 to 64 characters. After a local user passes authentication, the device uses this number to call the user. The switch does not support this parameter. idle-cut minute: Sets the idle timeout period. With the idle cut function enabled, an online user whose idle period exceeds the specified idle timeout period is logged out. The value range for the minute argument is 1 to 120 minutes. user-profile profile-name: Specifies the authorization user profile. The profile-name argument is a case-sensitive string of 1 to 32 characters. It must start with an English letter and contain only English letters, digits, and underlines. After a user passes authentication and gets online, the device uses the settings in the user profile to restrict the access behavior of the user. For more information about user profiles, see Security Configuration Guide. The switch does not support this parameter. user-role role-name: Specifies the authorized user role. The role-name argument is a case-sensitive string of 1 to 63 characters. The default user role for a local user created by a user is network-operator, and the default user role for a local user created by an or level-15 user is mdc-operator. Up to 64 user roles can be specified for a user. For user role-related commands, see Fundamentals Command Reference for RBAC commands. This option is available only in local user view, and is not available in user group view. vlan vlan-id: Specifies the authorized VLAN. The value range for the vlan-id argument is 1 to After a passing authentication and being authorized a VLAN, a local user can access only the resources in this VLAN. work-directory directory-name: Specifies the work directory for FTP, SFTP, or SCP users. The directory-name argument is a case-insensitive string of 1 to 512 characters. The directory must already exist. By default, an FTP, SFTP, or SCP user can access the root directory of the device. Every configurable authorization attribute has its definite application environments and purposes. Consider the service types of users when assigning authorization attributes: For Telnet and terminal users, only the authorization attribute user-role is effective. 16

26 For SSH and FTP users, only the authorization attributes user-role and work-directory are effective. For other types of local users, no authorization attribute is effective. Authorization attributes configured for a user group are intended for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view. To make sure that FTP, SFTP, and SCP users can access the directory after a switchover between the main card and the backup card, do not specify slot information for the work directory. To make the user have only the user role authorized by this command, use the undo authorization-attribute user-role command to remove the predefined user roles. # Configure the authorized VLAN of the device management user abc as VLAN 2. [Sysname] local-user abc class manage [Sysname-luser-manage-abc] authorization-attribute vlan 2 # Configure the authorized VLAN of user group abc as VLAN 3. [Sysname] user-group abc [Sysname-ugroup-abc] authorization-attribute vlan 3 display local-user display user-group display local-user Use display local-user to display the local user configuration and online user statistics. display local-user [ class { manage network } idle-cut { disable enable } service-type { dvpn ftp lan-access pad portal ppp ssh telnet terminal } state { active block } user-name user-name vlan vlan-id ] Any view network-operator mdc-operator class: Specifies the local user type. manage: Device management user. network: Network access user. The switch does not support this keyword. idle-cut { disable enable }: Specifies local users with the idle cut function disabled or enabled. 17

27 service-type: Specifies the local users who use a specified type of service. dvpn: DVPN tunnel users. The switch does not support this keyword. ftp: FTP users. lan-access: LAN users, mainly users accessing the network through an Ethernet, such as 802.1X users. The switch does not support this keyword. pad: X.25 PAD users. The switch does not support this keyword. portal: Portal users. The switch does not support this keyword. ppp: PPP users. The switch does not support this keyword. ssh: SSH users. telnet: Telnet users. terminal: Terminal users, users logging in through a console or AUX port. state { active block }: Specifies local users in active or blocked state. A local user in active state can access network services, but a local user in blocked state cannot. user-name user-name: Specifies all local users using the specified username. The username must be a case-sensitive string of 1 to 55 characters that does not contain the domain name. vlan vlan-id: Specifies all local users in a VLAN. The value range for the vlan-id argument is 1 to If no parameter is specified, the command displays information about all local users. # Display information about all local users <Sysname> display local-user Total 2 local users matched. Device management user root: State: Active Service Type: SSH/Telnet/Terminal User Group: system Bind Attributes: Authorization Attributes: Work Directory: flash: User Role List: Device management user jj: State: Active Service Type: FTP/SSH User Group: system Bind Attributes: IP Address: Location Bound: 3/0/2 (slot/subslot/port) MAC Address: VLAN ID: 2 Authorization Attributes: Idle TimeOut: 33 (min) Work Directory: flash: ACL Number:

28 User Role List: network-operator, level-0, level-3 Table 2 Command output Field State Service Type User Group Bind attributes Authorization attributes Idle TimeOut Work Directory ACL Number VLAN ID User Role List Description Status of the local user: active or blocked. Service types that the local user can use, including FTP, SSH, Telnet, and terminal. Group to which the local user belongs. Binding attributes of the local user. Authorization attributes of the local user. Idle timeout period of the user, in minutes. Directory that the FTP, SFTP, or SCP user can access. Authorization ACL of the local user. Authorized VLAN of the local user. Authorized roles of the local user. display user-group Use display user-group to display the user group configuration. display user-group [ group-name ] Any view network-operator mdc-operator group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters. If no user group name is specified, the command displays the configuration of all user groups. # Display the configuration of all user groups. <Sysname> display user-group Total 2 user groups matched. The contents of user group system: Authorization Attributes: Work Directory: flash: The contents of user group jj: 19

29 Authorization Attributes: Idle TimeOut: 2 (min) Work Directory: flash:/ ACL Number: 2000 VLAN ID: 2 Table 3 Command output Field Idle TimeOut Work Directory ACL Number VLAN ID Description Idle timeout period, in minutes. Directory that FTP/SFTP users in the group can access. Authorization ACL. Authorized VLAN. group Use group to assign a local user to a user group. Use undo group to restore the default. group group-name undo group A local user belongs to the system predefined user group system. Local user view group-name: User group name, a case-insensitive string of 1 to 32 characters. # Assign device management user 111 to user group abc. [Sysname] local-user 111 class manage [Sysname-luser-manage-111] group abc display local-user local-user Use local-user to add a local user and enter local user view. Use undo local-user to remove local users. 20

30 local-user user-name [ class { manage network } ] undo local-user { user-name class { manage network } all [ service-type { dvpn ftp lan-access pad portal ppp ssh telnet terminal } class { manage network } ] } No local user exists. System view user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name. It cannot contain back slash (\), slash (/), vertical bar ( ), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@), and cannot be a, al, or all. class: Specifies the local user type. manage: Device management user, who can configure and monitor the device after login. Device management users can use FTP, Telnet, SSH, and terminal services. network: Network access user, who accesses network resources through the device. Network access users can use DVPN, LAN, portal, and PPP services. The switch does not support this keyword. all: Specifies all users. service-type: Specifies the local users who use a specified type of service. dvpn: DVPN tunnel users. The switch does not support this keyword. ftp: FTP users. lan-access: LAN users, mainly users accessing the network through an Ethernet, such as 802.1X users. The switch does not support this keyword. pad: X.25 PAD users. The switch does not support this keyword. portal: Portal users. The switch does not support this keyword. ppp: PPP users. The switch does not support this keyword. ssh: SSH users. telnet: Telnet users. terminal: Terminal users, users logging in through a console or AUX port. # Add a device management user named user1. [Sysname] local-user user1 class manage [Sysname-luser-manage-user1] display local-user 21

31 password service-type Use password to configure a password for a local user. Use undo password to delete the password of a local user. password [ { cipher hash simple } password ] undo password There is no password configured for a local user and a local user can pass authentication after entering the correct username and passing attribute checks. Local user view cipher: Sets a ciphertext password. The switch does not support this keyword. hash: Sets a hashed password. simple: Sets a plaintext password. password: Specifies the password string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 63 characters. If hash is specified, it must be a string of 1 to 110 characters. If cipher is specified, it must be a ciphertext string of 1 to 117 characters. If none of the parameters is specified, you enter the interactive mode to set a plaintext password. A local user with no password configured directly passes authentication after providing the valid local username and attributes. To enhance security, configure a password for each local user. For secrecy, all passwords, including passwords configured in plain text, are saved in hashed cipher text. # Set the password of the device management user user1 to in plain text. [Sysname] local-user user1 class manage [Sysname-luser-manage-user1] password simple # Set the password of the device management user test in interactive mode. [Sysname] local-user test class manage [Sysname-luser-manage-test] password Password: Confirm : Updating user information. Please wait

32 # Set the password of the network access user user2 to getapp in plain text. [Sysname] local-user user2 class network [Sysname-luser-network-user2] password simple getapp display local-user local-user password-display-mode service-type Use service-type to specify the service types that a local user can use. Use undo service-type to delete service types configured for a local user. service-type { dvpn ftp lan-access { pad ssh telnet terminal } * portal ppp } undo service-type { dvpn ftp lan-access { pad ssh telnet terminal } * portal ppp } A local user is authorized with no service and cannot use any service. Local user view dvpn: Authorizes the user to use the DVPN service. The switch does not support this keyword. ftp: Authorizes the user to use the FTP service. The user can use the root directory of the FTP server by default. The authorized directory can be modified by using the authorization-attribute work-directory command. lan-access: Authorizes the user to use the LAN access service. Such users are mainly Ethernet users, for example, 802.1X users. The switch does not support this keyword. pad: Authorizes the user to use the PAD service. The switch does not support this keyword. ssh: Authorizes the user to use the SSH service. telnet: Authorizes the user to use the Telnet service. terminal: Authorizes the user to use the terminal service, allowing the user to log in from a console or AUX port. portal: Authorizes the user to use the portal service. The switch does not support this keyword. ppp: Authorizes the user to use the PPP service. The switch does not support this keyword. You can assign multiple service types to a user. 23

33 # Authorize the device management user user1 to use the Telnet and FTP services. [Sysname] local-user user1 class manage [Sysname-luser-manage-user1] service-type telnet [Sysname-luser-manage-user1] service-type ftp display local-user state (local user view) Use state to set the status of a local user. Use undo state to restore the default. state { active block } undo state A local user is in active state. Local user view active: Places the local user in active state to allow the local user to request network services. block: Places the local user in blocked state to prevent the local user from requesting network services. This command only applies to the local user. It affects no other users. # Place the device management user user1 to the blocked state. [Sysname] local-user user1 class manage [Sysname-luser-manage-user1] state block display local-user user-group Use user-group to create a user group and enter its view. Use undo user-group to delete a user group. 24

34 user-group group-name undo user-group group-name There is a user group named system in the system. System view group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters. A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group. Configurable user attributes are authorization attributes. A user group with one or more local users cannot be deleted. The system predefined user group system cannot be deleted but you can modify its configuration. # Create a user group named abc and enter its view. [Sysname] user-group abc [Sysname-ugroup-abc] display user-group RADIUS commands accounting-on enable Use accounting-on enable to configure the accounting-on feature. Use undo accounting-on enable to disable the accounting-on feature. accounting-on enable [ interval seconds send send-times ] * undo accounting-on enable The accounting-on feature is disabled. RADIUS scheme view 25