H3C S5830V2 & S5820V2 Switch Series

Transcription

1 H3C S5830V2 & S5820V2 Switch Series Security Command Reference Hangzhou H3C Technologies Co., Ltd. Software version: Release2108 Document version: 6W

2 Copyright 2012, Hangzhou H3C Technologies Co., Ltd. and its licensors All rights reserved Trademarks No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. H3C,, Aolynk,, H 3 Care,, TOP G,, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V 2 G, V n G, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. Notice All other trademarks that may be mentioned in this manual are the property of their respective owners The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

3 Preface The H3C S5830V2 & S5820V2 documentation set includes 10 command references, which describe the commands and command syntax options available for the H3C S5830V2 & S5820V2 Switch Series. The Security Command Reference describes security configuration commands. It covers the commands for configuring identity authentication feature (AAA), secure management features (Public key management and SSH ), and attack protection features (IP source guard and ARP attack protection). This preface includes: Audience Conventions About the H3C S5830V2 & S5820V2 documentation set Obtaining documentation Technical support Documentation feedback Audience This documentation is intended for: Network planners Field technical support and servicing engineers Network administrators working with the S5830V2 & S5820V2 series Conventions This section describes the conventions used in this documentation set. Command conventions Convention Boldface Italic Description Bold text represents commands and keywords that you enter literally as shown. Italic text represents arguments that you replace with actual values. [ ] Square brackets enclose syntax choices (keywords or arguments) that are optional. { x y... } [ x y... ] { x y... } * [ x y... ] * &<1-n> Braces enclose a set of required syntax choices separated by vertical bars, from which you select one. Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none. Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one. Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none. The argument or keyword and argument combination before the ampersand (&) sign can

4 be entered 1 to n times. # A line that starts with a pound (#) sign is comments. GUI conventions Convention Description < > Button names are inside angle brackets. For example, click <OK>. [ ] Window names, menu items, data table and field names are inside square brackets. For example, pop up the [New User] window. / Multi-level menus are separated by forward slashes. For example, [File/Create/Folder]. Symbols Convention WARNING CAUTION IMPORTANT NOTE TIP Description An alert that calls attention to important information that if not understood or followed can result in personal injury. An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software. An alert that calls attention to essential information. An alert that contains additional or supplementary information. An alert that provides helpful information. About the H3C S5830V2 & S5820V2 documentation set The H3C S5830V2&S5820V2 documentation set includes: Category Documents Purposes Compliance and safety manual Provides regulatory information and the safety instructions that must be followed during installation. Hardware specifications and installation Software configuration Installation quick start Installation guide Fan assemblies installation manual Power modules user manual Configuration guides Command references Provides basic installation instructions. Provides a complete guide to hardware installation and hardware specifications. Describes the appearance, specifications, and installation and removal of hot-swappable fan assemblies. Describes the appearance, specifications, and installation and removal of hot-swappable power modules. Describe software features and configuration procedures. Provide a quick reference to all available commands.

5 Obtaining documentation You can access the most up-to-date H3C product documentation on the World Wide Web at Click the links on the top navigation bar to obtain different categories of product documentation: [Technical Support & Documents > Technical Documents] Provides hardware installation, software upgrading, and software feature configuration and maintenance documentation. [Products & Solutions] Provides information about products and technologies. [Technical Support & Documents > Software Download] Provides the documentation released with the software version. Technical support Documentation feedback You can your comments about product documentation to We appreciate your comments.

6 Contents AAA commands 1 General AAA commands 1 access-limit enable 1 accounting command 1 accounting default 2 accounting login 3 authentication default 4 authentication login 6 authentication super 7 authorization command 8 authorization default 9 authorization login 10 display domain 11 domain 13 domain default enable 14 state (ISP domain view) 14 Local user commands 15 authorization-attribute (local user view/user group view) 15 bind-attribute 17 display local-user 18 display user-group 19 group 20 local-user 21 password 22 service-type 22 state (local user view) 23 user-group 24 RADIUS commands 25 accounting-on enable 25 display radius scheme 26 display radius statistics 28 key (RADIUS scheme view) 29 nas-ip (RADIUS scheme view) 30 primary accounting (RADIUS scheme view) 31 primary authentication (RADIUS scheme view) 32 radius nas-ip 34 radius scheme 35 reset radius statistics 35 retry 36 retry realtime-accounting 36 secondary accounting (RADIUS scheme view) 38 secondary authentication (RADIUS scheme view) 39 security-policy-server 41 state primary 41 state secondary 42 timer quiet (RADIUS scheme view) 43 timer realtime-accounting (RADIUS scheme view) 44 timer response-timeout (RADIUS scheme view) 45 user-name-format (RADIUS scheme view) 46 i

7 vpn-instance (RADIUS scheme view) 47 HWTACACS commands 47 display hwtacacs scheme 47 hwtacacs nas-ip 50 hwtacacs scheme 50 key (HWTACACS scheme view) 51 nas-ip (HWTACACS scheme view) 52 primary accounting (HWTACACS scheme view) 53 primary authentication (HWTACACS scheme view) 54 primary authorization 55 reset hwtacacs statistics 57 secondary accounting (HWTACACS scheme view) 57 secondary authentication (HWTACACS scheme view) 58 secondary authorization 60 timer quiet (HWTACACS scheme view) 61 timer realtime-accounting (HWTACACS scheme view) 62 timer response-timeout (HWTACACS scheme view) 63 user-name-format (HWTACACS scheme view) 63 vpn-instance (HWTACACS scheme view) 64 LDAP commands 65 authentication-server 65 display ldap scheme 66 ip 67 ldap scheme 68 ldap server 69 login-dn 69 login-password 70 protocol-version 71 search-base-dn 71 search-scope 72 server-timeout 73 user-parameters 73 Public key management commands 75 display public-key local public 75 display public-key peer 78 peer-public-key end 80 public-key local create 81 public-key local destroy 84 public-key local export dsa 85 public-key local export rsa 87 public-key peer 89 public-key peer import sshkey 90 SSH commands 91 SSH server configuration commands 91 display ssh server 91 display ssh user-information 92 sftp server enable 93 sftp server idle-timeout 94 ssh server acl 94 ssh server authentication-retries 95 ssh server authentication-timeout 96 ssh server compatible-ssh1x enable 97 ssh server enable 97 ii

8 ssh server rekey-interval 98 ssh user 99 SSH client configuration commands 100 bye 100 cd 101 cdup 101 delete 102 dir 102 display sftp client source 103 display ssh client source 104 exit 104 get 105 help 105 ls 106 mkdir 107 put 107 pwd 108 quit 108 remove 109 rename 109 rmdir 110 sftp 110 sftp client ipv6 source 112 sftp client source 113 sftp ipv6 113 ssh client ipv6 source 115 ssh client source 116 ssh2 117 ssh2 ipv6 119 IP source guard commands 121 display ip source binding 121 display ipv6 source binding 122 ip source binding 123 ip verify source 124 ipv6 source binding 125 ipv6 verify source 125 reset ip source binding 126 reset ipv6 source binding 127 ARP attack protection commands 128 Unresolvable IP attack protection configuration commands 128 arp resolving-route enable 128 arp source-suppression enable 128 arp source-suppression limit 129 display arp source-suppression 130 ARP packet rate limit configuration commands 130 arp rate-limit 130 Source MAC based ARP attack detection configuration commands 131 arp source-mac 131 arp source-mac aging-time 132 arp source-mac exclude-mac 132 arp source-mac threshold 133 display arp source-mac 134 ARP packet source MAC consistency check configuration commands 134 iii

9 arp valid-check enable 134 ARP active acknowledgement configuration commands 135 arp active-ack enable 135 ARP detection configuration commands 136 arp detection enable 136 arp detection trust 136 arp detection validate 137 display arp detection 137 display arp detection statistics 138 reset arp detection statistics 139 ARP automatic scanning and fixed ARP configuration commands 139 arp fixup 139 arp scan 140 ARP gateway protection configuration commands 141 arp filter source 141 ARP filtering configuration commands 141 arp filter binding 141 Index 143 iv

10 AAA commands General AAA commands access-limit enable Use the access-limit enable command to set the maximum number of online users in an ISP domain. After the number of online users reaches the allowed maximum number, no more users will be accepted. Use the undo access-limit enable command to restore the default. access-limit enable max-user-number undo access-limit enable There is no limit to the number of online users in an ISP domain. ISP domain view max-user-number: Maximum number of online users that the ISP domain can accommodate. The value ranges from 1 to System resources are limited, and user connections may compete for network resources when there are excessive users. Setting a proper limit to the number of online users helps provide reliable system performance. # Set a limit of 500 user connections for ISP domain test. [Sysname] domain test [Sysname-isp-test] access-limit enable 500 display domain accounting command Use the accounting command command to specify the command line accounting method. Use the undo accounting command command to restore the default. 1

11 accounting command hwtacacs-scheme hwtacacs-scheme-name undo accounting command The default accounting method of the ISP domain is used for command line accounting. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. The command line accounting function cooperates with the accounting server to record all commands that have been successfully executed on the device. Command line accounting can use only a remote HWTACACS server. # Configure ISP domain test to use HWTACACS scheme hwtac for command line accounting. [Sysname] domain test [Sysname-isp-test] accounting command hwtacacs-scheme hwtac accounting default hwtacacs scheme accounting default Use the accounting default command to specify the default accounting method for an ISP domain. Use the undo accounting default command to restore the default. accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] local [ none ] none radius-scheme radius-scheme-name [ local ] [ none ] } undo accounting default The default accounting method of an ISP domain is local. ISP domain view 2

12 hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local accounting. none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. The default accounting method will be used for all users who support this method and have no specific accounting method configured. Local accounting is only used for monitoring and controlling the number of local user connections; it does not provide the statistics function that the accounting feature generally provides. You can configure local accounting (local) or no accounting (none) as the backup for remote accounting that is used when the remote accounting server is unavailable. You can also configure no accounting (none) as the backup for local accounting (local). For example, you can specify radius-scheme radius-scheme-name local none for the command, so that the device performs accounting as follows: When the RADIUS server is available, the device performs RADIUS accounting. When the RADIUS server is unavailable but local accounting is available, the device performs local accounting. When both the RADIUS server and local accounting are unavailable, the device performs no accounting. # Configure the default accounting method for ISP domain test to use RADIUS scheme rd and use local accounting as the backup. [Sysname] domain test [Sysname-isp-test] accounting default radius-scheme rd local local-user hwtacacs scheme radius scheme accounting login Use the accounting login command to specify the accounting method for login users. Use the undo accounting login command to restore the default. accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] local [ none ] none radius-scheme radius-scheme-name [ local ] [ none ] } undo accounting login The default accounting method of the ISP domain is used for login users. 3

13 ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local accounting. none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Accounting is not supported for login users that use FTP. You can configure local accounting (local) or no accounting (none) as the backup for remote accounting that is used when the remote accounting server is unavailable. You can also configure no accounting (none) as the backup for local accounting (local). For example, you can specify radius-scheme radius-scheme-name local none for the command, so that the device performs accounting as follows: When the RADIUS server is available, the device performs RADIUS accounting. When the RADIUS server is unavailable but local accounting is available, the device performs local accounting. When both the RADIUS server and local accounting are unavailable, the device does not perform accounting. # Configure ISP domain test to use local accounting for login users. [Sysname] domain test [Sysname-isp-test] accounting login local # Configure ISP domain test to use RADIUS scheme rd for login user accounting and use local accounting as the backup. [Sysname] domain test [Sysname-isp-test] accounting login radius-scheme rd local local-user accounting default hwtacacs scheme radius scheme authentication default Use the authentication default command to specify the default authentication method for an ISP domain. Use the undo authentication default command to restore the default. 4

14 authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] ldap-scheme ldap-scheme-name [ local ] [ none ] local [ none ] none radius-scheme radius-scheme-name [ local ] [ none ] } undo authentication default The default authentication method of an ISP domain is local. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authentication. none: Does not perform any authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. The default authentication method will be used for all users who support this method and have no specific authentication method configured. You can configure local authentication (local) or no authentication (none) as the backup for remote authentication that is used when the remote authentication server is unavailable. You can also configure no authentication (none) as the backup for local authentication (local). For example, you can specify radius-scheme radius-scheme-name local none for the command, so that the device performs authentication as follows: When the RADIUS server is available, the device performs RADIUS authentication. When the RADIUS server is unavailable but local authentication is available, the device performs local authentication. When both the RADIUS server and local authentication are unavailable, the device does not perform authentication. # Configure the default authentication method for ISP domain test to use RADIUS scheme rd and use local authentication as the backup. [Sysname] domain test [Sysname-isp-test] authentication default radius-scheme rd local local-user 5

15 hwtacacs scheme radius scheme ldap scheme authentication login Use the authentication login command to specify the authentication method for login users. Use the undo authentication login command to restore the default. authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] ldap-scheme ldap-scheme-name [ local ] [ none ] local [ none ] none radius-scheme radius-scheme-name [ local ] [ none ] } undo authentication login The default authentication method of the ISP is used for login users. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authentication. none: Does not perform any authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. You can configure local authentication (local) or no authentication (none) as the backup for remote authentication that is used when the remote authentication server is unavailable. You can also configure no authentication (none) as the backup for local authentication (local). For example, you can specify radius-scheme radius-scheme-name local none for the command, so that the device performs authentication as follows: When the RADIUS server is available, the device performs RADIUS authentication. When the RADIUS server is unavailable but local authentication is available, the device performs local authentication. When both the RADIUS server and local authentication are unavailable, the device does not perform authentication. # Configure ISP domain test to use local authentication for login users. 6

16 [Sysname] domain test [Sysname-isp-test] authentication login local # Configure ISP domain test to use RADIUS scheme rd for login users and use local authentication as the backup. [Sysname] domain test [Sysname-isp-test] authentication login radius-scheme rd local local-user authentication default hwtacacs scheme radius scheme ldap scheme authentication super Use the authentication super command to specify the authentication method for user role switching. Use the undo authentication super command to restore the default. authentication super { hwtacacs-scheme hwtacacs-scheme-name radius-scheme radius-scheme-name } undo authentication super The default authentication method of the ISP domain is used for user role switching authentication. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. # Configure ISP domain test to use HWTACACS scheme tac for user role switching authentication. [Sysname] super authentication-mode scheme [Sysname] domain test [Sysname-domain-test] authentication super hwtacacs-scheme tac 7

17 authentication default hwtacacs scheme radius scheme authorization command Use the authorization command command to specify the command line authorization method. Use the undo authorization command command to restore the default. authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] local [ none ] none } undo authorization command The default authorization method of the ISP domain is used for command line authorization. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform any authorization exchange. An authenticated user gets the default user role. For more information about the default user role, see Fundamentals Configuration Guide. After login, users can access the command lines permitted by their authorized user roles. You can configure local authorization (local) or no authorization (none) as the backup for remote authorization that is used when the remote authorization server is unavailable. You can also configure no authorization (none) as the backup for local authorization (local). For example, you can specify hwtacacs-scheme hwtacacs-scheme-name local none for the command, so that the device performs authorization as follows: When the HWTACACS server is available, the device performs HWTACACS authorization. When the HWTACACS server is unavailable but local authorization is available, the device performs local authorization. When both the HWTACACS server and local authorization are unavailable, the device does not perform authorization. # Configure ISP domain test to use local command line authorization. [Sysname] domain test 8

18 [Sysname-isp-test] authorization command local # Configure ISP domain test to use HWTACACS scheme hwtac for command line authorization and use local authorization as the backup. [Sysname] domain test [Sysname-isp-test] authorization command hwtacacs-scheme hwtac local local-user authorization default hwtacacs scheme authorization default Use the authorization default command to specify the default authorization method for an ISP domain. Use the undo authorization default command to restore the default. authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] local [ none ] none radius-scheme radius-scheme-name [ local ] [ none ] } undo authorization default The default authorization method of an ISP domain is local. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform any authorization exchange. After passing authentication, non-login users can access the network, FTP users can access the root directory of the device, and other login users get the default user role. For more information about the default user role, see Fundamentals Configuration Guide. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. The default authorization method will be used for all users who support this method and have no specific authorization method are configured. The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme. 9

19 You can configure local authorization (local) or no authorization (none) as the backup for remote authorization that is used when the remote authorization server is unavailable. You can also configure no authorization (none) as the backup for local authorization (local). For example, you can specify radius-scheme radius-scheme-name local none for the command, so that the device performs authorization as follows: When the RADIUS server is available, the device performs RADIUS authorization. When the RADIUS server is unavailable but local authorization is available, the device performs local authorization. When both the RADIUS server and local authorization are unavailable, the device does not perform authorization. # Configure the default authorization method for ISP domain test to use RADIUS scheme rd for user authorization and use local authorization as the backup. [Sysname] domain test [Sysname-isp-test] authorization default radius-scheme rd local local-user hwtacacs scheme radius scheme authorization login Use the authorization login command to configure the authorization method for login users. Use the undo authorization login command to restore the default. authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] local [ none ] none radius-scheme radius-scheme-name [ local ] [ none ] } undo authorization login The default authorization method of the ISP domain is used for login users. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform any authorization exchange. After passing authentication, FTP users can access the root directory of the device, and other login users get the default user role. For more information about the default user role, see Fundamentals Configuration Guide. 10

20 radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme. You can configure local authorization (local) or no authorization (none) as the backup for remote authorization that is used when the remote authorization server is unavailable. You can also configure no authorization (none) as the backup for local authorization (local). For example, you can specify radius-scheme radius-scheme-name local none for the command, so that the device performs authorization as follows: When the RADIUS server is available, the device performs RADIUS authorization. When the RADIUS server is unavailable but local authorization is available, the device performs local authorization. When both the RADIUS server and local authorization are unavailable, the device does not perform authorization. # Configure ISP domain test to use local authorization for login users. [Sysname] domain test [Sysname-isp-test] authorization login local # Configure ISP domain test to use RADIUS scheme rd for login user authorization and use local authorization as the backup. [Sysname] domain test [Sysname-isp-test] authorization login radius-scheme rd local local-user authorization default hwtacacs scheme radius scheme display domain Use the display domain command to display the configuration of ISP domains. display domain [ isp-name ] Any view network-operator 11

21 isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters. If no ISP domain is specified, the command displays the configuration of all ISP domains. # Display the configuration of all ISP domains. <Sysname> display domain Total 2 domains. Domain:system State: Active Access-limit: Disable Access-Count: 0 default Authentication Scheme: local default Authorization Scheme: local default Accounting Scheme: local Domain:dm State: Active Access-limit: 2222 Access-Count: 0 login Authentication Scheme: radius: rad login Authorization Scheme: tacacs: hw default Authentication Scheme: ldap: rad, local, none default Authorization Scheme: local default Accounting Scheme: none Domain Name: system Table 1 Output description Field Domain State Access-limit Access-Count authentication scheme authorization scheme accounting scheme Login authentication scheme Login authorization scheme Login accounting scheme radius Description ISP domain name. Status of the ISP domain. Limit to the number of user connections. If the number is not limited, this field displays Disabled. Number of online users authentication method. authorization method. accounting method. Authentication method for login users. Authorization method for login users. Accounting method for login users. RADIUS scheme 12

22 Field tacacs ldap local none Command Authorization Scheme Command Accounting Scheme Super Authentication Scheme Description HWTACACS scheme LDAP scheme Local scheme No authentication, no authorization, or no accounting Command line authorization method Command line accounting method Authentication method for user role switching domain Use the domain isp-name command to create an ISP domain and enter its view. Use the undo domain command to remove an ISP domain. domain isp-name undo domain isp-name There is a system predefined ISP domain named system. System view isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters that contains no forward slash (/), backward slash (\), vertical bar ( ), double-quotation mark ("), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), or at sign (@). All ISP domains are in active state when they are created. The system predefined ISP domain system cannot be deleted; you can only modify its configuration. To delete the ISP domain that is used as the default ISP domain, you must change it to a non-default ISP domain first by using the undo domain default enable command. # Create ISP domain test and enter its view. [Sysname] domain test [Sysname-isp-test] state display domain 13

23 domain default enable domain default enable Use the domain default enable command to specify the default ISP domain. Users without any domain name carried in the usernames are considered in the default domain. Use the undo domain default enable command to restore the default. domain default enable isp-name undo domain default enable The default ISP domain is the system predefined ISP domain system. System view isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters. There can be only one default ISP domain. The specified ISP domain must already exist. To delete the ISP domain that is used as the default ISP domain, you must change it to a non-default ISP domain first by using the undo domain default enable command. # Create an ISP domain named test, and configure it as the default ISP domain. [Sysname] domain test [Sysname-isp-test] quit [Sysname] domain default enable test domain display domain state (ISP domain view) Use the state command to set the status of an ISP domain. Use the undo state command to restore the default. state { active block } undo state 14

24 An ISP domain is in active state. ISP domain view active: Places the ISP domain in active state to allow the users in the ISP domain to request network services. block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services. By blocking an ISP domain, you disable offline users of the domain from requesting network services. The online users are not affected. # Place the ISP domain test to blocked state. [Sysname] domain test [Sysname-isp-test] state block display domain Local user commands authorization-attribute (local user view/user group view) Use the authorization-attribute command to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device will assign these attributes to the user. Use the undo authorization-attribute command to restore the default. authorization-attribute { acl acl-number callback-number callback-number idle-cut minute user-profile profile-name user-role role-name vlan vlan-id work-directory directory-name } * undo authorization-attribute { acl callback-number idle-cut user-profile user-role role-name vlan work-directory } * No authorization attribute is configured for a local user or user group. Local user view, user group view 15

25 acl acl-number: Specifies the authorization ACL. The ACL number must be in the range of 2000 to After passing authentication, a local user can access the network resources specified by this ACL. callback-number callback-number: Specifies the authorized PPP callback number. The callback-number argument is a case-sensitive string of 1 to 64 characters. After a local user passes authentication, the device uses this number to call the user. idle-cut minute: Sets the idle timeout period. With the idle cut function enabled, an online user whose idle period exceeds the specified idle timeout period will be logged out. The minute argument must be in the range of 1 to 120 minutes. user-profile profile-name: Specifies the authorization user profile. The profile-name argument is a case-sensitive string of 1 to 32 characters. It must start with an English letter and contain only English letters, digits, and underlines. After a user passes authentication and gets online, the device uses the settings in the user profile to restrict the access behavior of the user. For more information about user profiles, see Security Configuration Guide. user-role role-name: Specifies the authorized user role. The role-name argument is a case-sensitive string of 1 to 63 characters. The default user role for a local user created by a or level-15 user is network-operator. Up to 64 user roles can be specified for a user. For user role-related commands, see the chapter "RBAC commands" in Fundamentals Command Reference. This option is only available in local user view; it is not available in user group view. vlan vlan-id: Specifies the authorized VLAN. The vlan-id argument is in the range of 1 to After a passing authentication and being authorized a VLAN, a local user can access only the resources in this VLAN. work-directory directory-name: Specifies the work directory, if the user or users use the FTP or SFTP service. The directory-name argument is a case-insensitive string of 1 to 232 characters. The directory must already exist. By default, an FTP or SFTP user can access the root directory of the device. Every configurable authorization attribute has its definite application environments and purposes. Consider the service types of users when assigning authorization attributes: For ppp users, the authorization attributes acl, callback-number, idle-cut, and user-profile are effective. For LAN and portal users, the authorization attributes acl, idle-cut, user-profile, and vlan are effective. For SSH, Telnet, and terminal users, only the authorization attribute user-role is effective. For FTP users, the authorization attributes user-role and work-directory are effective. For other types of local users, no authorization attribute is effective. Authorization attributes configured for a user group are intended for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view. To make the user have only the user role authorized by this command, use the undo authorization-attribute user-role command to remove the predefined user roles. 16

26 # Configure the authorized user role of local user abc as role1. [Sysname] local-user abc [Sysname-luser-abc] authorization-attribute user-role role1 # Configure the authorized user role of user group abc as role2. [Sysname] user-group abc [Sysname-ugroup-abc] authorization-attribute user-role role2 display local-user display user-group bind-attribute Use the bind-attribute command to configure binding attributes for a local user. Use the undo bind-attribute command to remove binding attributes of a local user. bind-attribute { call-number call-number [ : subcall-number ] ip ip-address location port slot-number subslot-number port-number mac mac-address vlan vlan-id } * undo bind-attribute { call-number ip location mac vlan } * No binding attribute is configured for a local user. Local user view call-number call-number: Specifies a calling number for ISDN user authentication. The call-number argument is a string of 1 to 64 characters. This option is applicable to only PPP users. subcall-number: Specifies the sub-calling number. The total length of the calling number and the sub-calling number cannot be more than 62 characters. ip ip-address: Specifies the IP address of the user. This option is applicable to only 802.1X users. location port slot-number subslot-number port-number: Specifies the port to which the user is bound. The slot-number argument is in the range of 0 to 255, the subslot-number argument is in the range of 0 to 15, and the port-number argument is in the range of 0 to 255. If the port that the user accesses is not the same as that the user is bound, the authentication fails. This option is applicable to only LAN users. mac mac-address: Specifies the MAC address of the user in the format H-H-H. This option is applicable to only LAN users. vlan vlan-id: Specifies the VLAN to which the user belongs. The vlan-id argument is in the range of 1 to This option is applicable to only LAN users. 17

27 Binding attributes are checked upon authentication of a local user. If the binding attributes of a local user do not match the configured ones, the user fails the checking and the authentication. Binding attribute checking does not take the service types of the users into account. A configured binding attribute is effective for all types of users. Be cautious when deciding which binding attributes should be configured for which types of local users. For example, an IP address binding is applicable to only 802.1X authentication that supports IP address upload. If you configure an IP address binding for an authentication method that does not support IP address upload, for example, MAC authentication, the local authentication fails. # Bind IP address with local user abc. [Sysname] local-user abc [Sysname-luser-abc] bind-attribute ip display local-user display local-user Use the display local-user command to display the local user configuration and online user statistics. display local-user [ idle-cut { disable enable } service-type { ftp ssh telnet terminal } state { active block } user-name user-name vlan vlan-id ] Any view network-operator idle-cut { disable enable }: Specifies local users with the idle cut function disabled or enabled. service-type: Specifies the local users who use a specified type of service. ftp FTP users. ssh SSH users. telnet Telnet users. terminal Terminal users, users logging in through the console port, or AUX port. state { active block }: Specifies local users in active or blocked state. A local user in active state can access network services, but a local user in blocked state cannot. user-name user-name: Specifies all local users using the specified username. The username must be a case-sensitive string of 1 to 55 characters that does not contain the domain name. vlan vlan-id: Specifies all local users in a VLAN. The vlan-id argument is in the range of 1 to

28 If no parameter is specified, the command displays information about all local users. # Display information about all local users <Sysname> display local-user Total 1 local users matched. The contents of local user abc: State: Active Service Type: ftp User Group: system Bind Attributes: Authorization Attributes: Work Directory: flash: User Role List: network-operator, Table 2 Output description Field State Service Type User Group Bind attributes Authorization attributes Idle TimeOut Callback-number Work Directory ACL Number VLAN ID User Profile User Role List Description Status of the local user, active or blocked Service types that the local user can use, including FTP, SSH, Telnet, and terminal Group to which the local user belongs. Binding attributes of the local user Authorization attributes of the local user Idle timeout period of the user, in minutes Authorized PPP callback number of the local user Directory that the FTP/SFTP user can access Authorization ACL of the local user. Authorized VLAN of the local user Authorization user profile of the local user Authorized roles of the local user display user-group Use the display user-group command to display the user group configuration. display user-group [ group-name ] Any view network-operator 19

29 group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters. If no user group name is specified, the command displays the configuration of all users groups. # Display the configuration of all user groups. <Sysname> display user-group Total 1 user groups matched. The contents of user group system: Authorization Attributes: Work Directory: flash: Table 3 Output description Field Idle TimeOut Callback-number Work Directory ACL Number VLAN ID User Profile Description Idle timeout period, in minutes Authorized PPP callback number Directory that FTP/SFTP users in the group can access Authorization ACL. Authorized VLAN Authorization user profile group Use the group command to assign a local user to a user group. Use the undo group command to restore the default. group group-name undo group A local user belongs to the system predefined user group system. Local user view group-name: User group name, a case-insensitive string of 1 to 32 characters. # Assign local user 111 to user group abc. 20

30 [Sysname] local-user 111 [Sysname-luser-111] group abc local-user display local-user Use the local-user command to add a local user and enter local user view. Use the undo local-user command to remove local users. local-user user-name undo local-user { user-name all [ service-type { ftp ssh telnet terminal } ] } No local user exists. System view user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name. It cannot contain any backward slash (\), forward slash (/), vertical bar ( ), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), or at sign (@), and cannot be a, al, or all. all: Specifies all users. service-type: Specifies the users of a type. ftp FTP users. ssh SSH users. telnet Telnet users. terminal Terminal users, users logging in through the console port, or AUX port. # Add a local user named user1. [Sysname] local-user user1 [Sysname-luser-user1] display local-user service-type 21

31 password Use the password command to configure a password for a local user and specify whether to display the password in cipher text or plain text. Use the undo password command to delete the password of a local user. password { cipher simple } password undo password There is no password configured for a local user and a local user can pass authentication after entering the correct username and passing attribute checks. Local user view cipher: Sets a ciphertext password. simple: Sets a plaintext password. password: Sets a password for the local user. A plaintext password is a case-sensitive string of 1 to 63 characters. A ciphertext password is a case-sensitive string of 1 to 117 characters. If you do not configure any password for a local user, the local user does not need to provide any password during authentication, and can pass authentication after entering the correct local user name and passing attribute checks. To achieve higher security, configure a password for each local user. # Set the password to in plain text for local user user1. [Sysname] local-user user1 [Sysname-luser-user1] password simple display local-user service-type Use the service-type command to specify the service types that a local user can use. Use the undo service-type command to delete service types configured for a local user. service-type { ftp { ssh telnet terminal } * } undo service-type { ftp { ssh telnet terminal } * } 22

32 A local user is authorized with no service and cannot use any service. Local user view ftp: Authorizes the user to use the FTP service. The user can use the root directory of the FTP server by default. The authorized directory can be modified by using the authorization-attribute work-directory command. ssh: Authorizes the user to use the SSH service. Support for this keyword depends on the device model. telnet: Authorizes the user to use the Telnet service. terminal: Authorizes the user to use the terminal service, allowing the user to log in from the console, or AUX port. You can execute the service-type command repeatedly to assign multiple service types for a user. # Authorize user user1 to use the Telnet and FTP services. [Sysname] local-user user1 [Sysname-luser-user1] service-type telnet [Sysname-luser-user1] service-type ftp display local-user state (local user view) Use the state command to set the status of a local user. Use the undo state command to restore the default. state { active block } undo state A local user is in active state. Local user view 23

33 active: Places the local user in active state to allow the local user to request network services. block: Places the local user in blocked state to prevent the local user from requesting network services. This command only applies to the local user. It affects no other users. # Place local user user1 to the blocked state. [Sysname] local-user user1 [Sysname-luser-user1] state block user-group display local-user Use the user-group command to create a user group and enter its view. Use the undo user-group command to delete a user group. user-group group-name undo user-group group-name There is a user group named system in the system. System view group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters. A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group. Configurable user attributes are authorization attributes. A user group with one or more local users cannot be deleted. The system predefined user group system cannot be deleted but you can modify its configuration. # Create a user group named abc and enter its view. [Sysname] user-group abc [Sysname-ugroup-abc] 24

34 display user-group RADIUS commands accounting-on enable Use the accounting-on enable command to configure the accounting-on feature. Use the undo accounting-on enable command to disable the accounting-on feature. accounting-on enable [ interval seconds send send-times ] * undo accounting-on enable The accounting-on feature is disabled. RADIUS scheme view interval seconds: Specifies the time interval for retransmitting an accounting-on packet in seconds, in the range of 1 to 15. The default is 3. send send-times: Specifies the maximum number of accounting-on packet transmission attempts, in the range of 1 to 255. The default is 50. The accounting-on feature enables the device to, after rebooting, automatically send an accounting-on packet to the RADIUS accounting server indicated by the RADIUS scheme to stop accounting for and log out online users. After executing the accounting-on enable command, issue the save command to make sure that the command takes effect after the device reboots. For information about the save command, see Fundamentals Command Reference. set with the accounting-on enable command take effect immediately. # Enable the accounting-on feature for RADIUS scheme radius1, and set the retransmission interval to 5 seconds and the transmission attempts to 15. [Sysname] radius scheme radius1 [Sysname-radius-radius1] accounting-on enable interval 5 send 15 display radius scheme 25

35 display radius scheme Use the display radius scheme command to display the configuration of RADIUS schemes. display radius scheme [ radius-scheme-name ] Any view network-operator radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. If no RADIUS scheme is specified, the command displays the configuration of all RADIUS schemes. # Display the configuration of all RADIUS schemes. <Sysname> display radius scheme Total 1 RADIUS schemes RADIUS Scheme Name : radius1 Index : 0 Primary Auth Server: IP : Port: 1812 State: Active VPN : vpn1 Key : ****** Primary Acct Server: IP: Port: 1813 State: Active VPN : vpn1 Key : ****** Second Auth Server: IP: Not configured Port: 1812 State: Block VPN : Not configured Key : Not configured Second Acct Server: IP: Not configured Port: 1813 State: Block VPN : Not configured Key : Not configured Security Policy Server: Server: 0 IP: VPN: Not configured Server: 1 IP: VPN: 2 Authentication Server Key : ****** 26

36 Accounting Server Key : Not configured Accounting-On function : Enabled retransmission times : 5 retransmission interval(seconds) : 2 Timeout Interval(seconds) : 3 Retransmission Times : 3 Retransmission Times for Accounting Update : 5 Server Quiet Period(minutes) : 5 Realtime Accounting Interval(minutes) : 22 NAS IP Address : VPN : Not configured User Name Format : with-domain Table 4 Output description Field Index Primary Auth Server Primary Acct Server Second Auth Server Second Acct Server IP Port State VPN Key Server: n IP VPN Authentication Server Key Accounting Server Key Accounting-On function retransmission times retransmission interval Description Index number of the RADIUS scheme. Information about the primary authentication server. Information about the primary accounting server. Information about the secondary authentication server. Information about the secondary accounting server. IP address of the server. If no server is configured, this field displays Not configured. Service port number of the server. If no port number is specified, this field displays the default port number. Status of the server, active or blocked. VPN that the server belongs to. If no VPN is specified for the server, this field displays Not configured. Shared key for secure communication with the server, displayed as a series of asterisks (******). If no key is configured, this field displays Not configured. Member ID of the security policy server. IP address of the security policy server. VPN that the security policy server belongs to. If no VPN is specified for the server, this field displays Not configured. Shared key for secure communication with the authentication/authorization server, displayed as a series of asterisks (******). If no key is configured, this field displays Not configured. Shared key for secure communication with the accounting server, displayed as a series of asterisks (******). If no key is configured, this field displays Not configured. Whether the accounting-on feature is enabled. Number of accounting-on packet transmission attempts. Interval at which the device retransmits accounting-on packets, in seconds. 27