HP Unified Wired-WLAN Products
|
|
|
- Bruno Lester
- 6 years ago
- Views:
Transcription
1 HP Unified Wired-WLAN Products Security Command Reference HP 830 Unified Wired-WLAN PoE+ Switch Series HP 850 Unified Wired-WLAN Appliance HP 870 Unified Wired-WLAN Appliance HP 11900/10500/ G Unified Wired-WLAN Module Part number: Software version: 3507P22 (HP 830 PoE+ Switch Series) 2607P22 (HP 850 Appliance) 2607P22 (HP 870 Appliance) 2507P22 (HP 11900/10500/ G Module) Document version: 6W
2 Legal and notice information Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
3 Contents AAA configuration commands 1 General AAA configuration commands 1 aaa nas-id profile 1 access-limit enable 1 accounting command 2 accounting default 3 accounting lan-access 4 accounting login 5 accounting optional 6 accounting portal 6 accounting ppp 7 attribute 4 8 authentication default 9 authentication lan-access 10 authentication login 11 authentication portal 12 authentication ppp 13 authentication super 14 authentication wlan-ap 15 authorization command 16 authorization default 17 authorization lan-access 18 authorization login 19 authorization portal 20 authorization ppp 21 authorization-attribute user-profile 22 cut connection 22 display connection 24 display domain 27 domain 29 domain default enable 30 domain if-unknown 30 eap-profile 31 idle-cut enable 32 ip pool 33 local-server authentication eap-profile 34 method 34 nas device-id 35 user-credentials 36 nas-id bind vlan 37 self-service-url enable 37 session-time include-idle-time 38 ssl-server-policy 39 state (ISP domain view) 39 Local user configuration commands 40 access-limit 40 authorization-attribute (local user view/user group view) 41 bind-attribute 42 display local-user 43 i
4 display user-group 46 expiration-date (local user view) 47 group 48 group-attribute allow-guest 48 local-user 49 password 50 service-type 51 state (local user view) 52 user-group 53 validity-date 53 RADIUS configuration commands 54 accounting-on enable 54 attribute 25 car 55 data-flow-format (RADIUS scheme view) 56 display radius scheme 57 display radius statistics 59 display stop-accounting-buffer (for RADIUS) 63 eap offload 64 key (RADIUS scheme view) 64 nas-backup-ip 66 nas-ip (RADIUS scheme view) 67 primary accounting (RADIUS scheme view) 68 primary authentication (RADIUS scheme view) 70 radius client 71 radius log packet 72 radius nas-backup-ip 73 radius nas-ip 74 radius scheme 74 radius trap 75 reset radius statistics 76 reset stop-accounting-buffer (for RADIUS) 76 retry 77 retry realtime-accounting 78 retry stop-accounting (RADIUS scheme view) 79 secondary accounting (RADIUS scheme view) 80 secondary authentication (RADIUS scheme view) 82 security-policy-server 84 server-type (RADIUS scheme view) 85 state primary 85 state secondary 86 stop-accounting-buffer enable (RADIUS scheme view) 87 timer quiet (RADIUS scheme view) 88 timer realtime-accounting 89 timer response-timeout (RADIUS scheme view) 90 user-name-format (RADIUS scheme view) 91 HWTACACS configuration commands 92 data-flow-format (HWTACACS scheme view) 92 display hwtacacs 92 display stop-accounting-buffer (for HWTACACS) 96 hwtacacs nas-ip 96 hwtacacs scheme 97 key (HWTACACS scheme view) 98 nas-ip (HWTACACS scheme view) 99 primary accounting (HWTACACS scheme view) 100 ii
5 primary authentication (HWTACACS scheme view) 101 primary authorization 102 reset hwtacacs statistics 103 reset stop-accounting-buffer (for HWTACACS) 103 retry stop-accounting (HWTACACS scheme view) 104 secondary accounting (HWTACACS scheme view) 104 secondary authentication (HWTACACS scheme view) 105 secondary authorization 106 stop-accounting-buffer enable (HWTACACS scheme view) 107 timer quiet (HWTACACS scheme view) 108 timer response-timeout (HWTACACS scheme view) 108 user-name-format (HWTACACS scheme view) 109 LDAP configuration commands 110 authentication-server 110 authorization-server 111 display ldap scheme 111 group-parameters 113 ldap scheme 114 login-dn 115 login-password 116 protocol-version 117 server-timeout 118 server-type (LDAP scheme view) 118 user-parameters X commands 121 display dot1x 121 display dot1x synchronization 126 dot1x accounting-delay 130 dot1x authentication-method 131 dot1x auth-fail vlan 132 dot1x domain-delimiter 133 dot1x guest-vlan 133 dot1x handshake 135 dot1x handshake secure 135 dot1x mandatory-domain 136 dot1x max-user 137 dot1x multicast-trigger 138 dot1x port-control 139 dot1x port-method 140 dot1x quiet-period 141 dot1x re-authenticate 142 dot1x retry 142 dot1x timer 143 dot1x unicast-trigger 144 reset dot1x statistics 145 reset dot1x synchronization statistics 146 MAC authentication configuration commands 147 display mac-authentication 147 mac-authentication 149 mac-authentication domain 150 mac-authentication guest-vlan 151 mac-authentication max-user 152 mac-authentication timer 152 iii
6 mac-authentication trigger after-portal 153 mac-authentication user-name-format 154 reset mac-authentication statistics 156 Portal configuration commands 157 access-user detect 157 display portal acl 158 display portal connection statistics 162 display portal free-rule 165 display portal interface 166 display portal local-server 168 display portal server 169 display portal server statistics 170 display portal tcp-cheat statistics 173 display portal user 174 portal auth-network 176 portal backup-group 177 portal control-mode 177 portal delete-user 178 portal domain 179 portal forbidden-rule 180 portal free-rule 181 portal host-check dhcp-snooping 182 portal local-server 183 portal local-server bind 184 portal log packet 185 portal mac-trigger enable 186 portal mac-trigger nas-port-type 187 portal mac-trigger server 187 portal max-user 188 portal nas-id 189 portal nas-id-profile 190 portal nas-ip 190 portal nas-port-id 191 portal nas-port-type 192 portal redirect-url 192 portal server 193 portal server banner 195 portal server method 195 portal server server-detect 197 portal server user-sync 199 portal url-param include 200 portal web-proxy port 201 portal wlan ssid 202 portal wlan ssid-switch 203 reset portal connection statistics 203 reset portal server statistics 204 reset portal tcp-cheat statistics 204 web-redirect 204 Port security configuration commands 206 display port-security 206 display port-security mac-address block 208 display port-security preshared-key user 209 port-security authorization ignore 210 iv
7 port-security enable 211 port-security intrusion-mode 212 port-security max-mac-count 212 port-security nas-id-profile 213 port-security ntk-mode 214 port-security oui 215 port-security port-mode 216 port-security preshared-key 218 port-security synchronization enable 219 port-security timer disableport 220 port-security trap 221 port-security tx-key-type 11key 222 User profile configuration commands 223 display user-profile 223 user-profile enable 223 user-profile 224 Password control commands 226 display password-control 226 display password-control blacklist 227 password 228 password-control { aging composition history length } enable 230 password-control aging 231 password-control alert-before-expire 232 password-control authentication-timeout 233 password-control complexity 233 password-control composition 234 password-control enable 235 password-control expired-user-login 236 password-control history 236 password-control length 237 password-control login idle-time 238 password-control login-attempt 239 password-control password update interval 240 password-control super aging 241 password-control super composition 242 password-control super length 243 reset password-control blacklist 243 reset password-control history-record 244 Public key configuration commands 245 display public-key local public 245 display public-key peer 246 peer-public-key end 248 public-key-code begin 248 public-key-code end 249 public-key local create 250 public-key local destroy 251 public-key local export dsa 251 public-key local export rsa 253 public-key peer 254 public-key peer import sshkey 255 PKI configuration commands 256 attribute 256 v
8 ca identifier 257 certificate request entity 257 certificate request from 258 certificate request mode 259 certificate request polling 260 certificate request url 260 common-name 261 country 262 crl check 262 crl update-period 263 crl url 263 display pki certificate 264 display pki certificate access-control-policy 266 display pki certificate attribute-group 267 display pki crl domain 268 fqdn 269 ip (PKI entity view) 270 ldap-server 270 locality 271 organization 272 organization-unit 272 pki certificate access-control-policy 273 pki certificate attribute-group 273 pki delete-certificate 274 pki domain 274 pki entity 275 pki import-certificate 276 pki request-certificate domain 276 pki retrieval-certificate 277 pki retrieval-crl domain 278 pki validate-certificate 278 root-certificate fingerprint 279 rule (PKI CERT ACP view) 280 state 280 SSH configuration commands 282 SSH server configuration commands 282 display ssh server 282 display ssh user-information 284 sftp server enable 285 sftp server idle-timeout 285 ssh server authentication-retries 286 ssh server authentication-timeout 287 ssh server compatible-ssh1x enable 287 ssh server enable 288 ssh server rekey-interval 288 ssh user 289 SSH client configuration commands 291 bye 291 cd 292 cdup 292 delete 292 dir 293 display sftp client source 294 display ssh client source 294 vi
9 display ssh server-info 295 exit 296 get 297 help 297 ls 298 mkdir 298 put 299 pwd 299 quit 299 remove 300 rename 301 rmdir 301 scp 301 sftp 303 sftp client ipv6 source 305 sftp client source 306 sftp ipv6 307 ssh client authentication server 308 ssh client first-time enable 309 ssh client ipv6 source 310 ssh client source 311 ssh2 311 ssh2 ipv6 313 SSL configuration commands 316 ciphersuite 316 client-verify enable 317 client-verify weaken 317 close-mode wait 318 display ssl client-policy 319 display ssl server-policy 320 handshake timeout 321 pki-domain 322 prefer-cipher 323 server-verify enable 324 session 324 ssl client-policy 325 ssl server-policy 326 version 326 TCP attack protection configuration commands 328 display tcp status 328 tcp syn-cookie enable 329 ARP attack protection configuration commands 330 IP flood protection configuration commands 330 arp resolving-route enable 330 arp source-suppression enable 330 arp source-suppression limit 331 display arp source-suppression 331 ARP packet rate limit configuration commands 332 arp rate-limit 332 Source MAC-based ARP attack detection configuration commands 333 arp anti-attack source-mac 333 arp anti-attack source-mac aging-time 334 arp anti-attack source-mac exclude-mac 334 vii
10 arp anti-attack source-mac threshold 335 display arp anti-attack source-mac 335 ARP packet source MAC consistency check configuration commands 336 arp anti-attack valid-ack enable 336 ARP active acknowledgement configuration commands 337 arp anti-attack active-ack enable 337 Authorized ARP configuration commands 338 arp authorized enable 338 ARP detection configuration commands 338 arp detection 338 arp detection enable 339 arp detection trust 340 arp detection validate 340 arp restricted-forwarding enable 341 display arp detection 342 display arp detection statistics 342 reset arp detection statistics 343 ARP gateway protection configuration commands 344 arp filter source 344 ARP filtering configuration commands 344 arp filter binding 344 IPsec configuration commands 346 ah authentication-algorithm 346 connection-name 347 display ipsec policy 347 display ipsec policy-template 349 display ipsec sa 351 display ipsec statistics 354 display ipsec transform-set 356 display ipsec tunnel 357 encapsulation-mode 359 esp authentication-algorithm 360 esp encryption-algorithm 361 ike-peer (IPsec policy view/ipsec policy template view) 361 ipsec anti-replay check 362 ipsec anti-replay window 362 ipsec invalid-spi-recovery enable 363 ipsec policy (interface view) 364 ipsec policy (system view) 364 ipsec policy isakmp template 365 ipsec policy-template 366 ipsec sa global-duration 367 ipsec synchronization enable 368 ipsec transform-set 368 policy enable 369 reset ipsec sa 370 reset ipsec statistics 371 sa authentication-hex 372 sa duration 373 sa encryption-hex 374 sa spi 375 sa string-key 376 security acl 377 synchronization anti-replay-interval 378 viii
11 transform 379 transform-set 380 tunnel local 381 tunnel remote 382 IKE configuration commands 383 authentication-algorithm 383 authentication-method 383 certificate domain 384 dh 385 display ike dpd 385 display ike peer 386 display ike proposal 387 display ike sa 389 dpd 392 encryption-algorithm 393 exchange-mode 394 id-type 395 ike dpd 395 ike local-name 396 ike next-payload check disabled 397 ike peer (system view) 398 ike proposal 398 ike sa keepalive-timer interval 399 ike sa keepalive-timer timeout 400 ike sa nat-keepalive-timer interval 400 interval-time 401 local 401 local-address 402 local-name 403 nat traversal 403 peer 404 pre-shared-key 405 proposal 405 remote-address 406 remote-name 407 reset ike sa 408 sa duration 410 time-out 410 ALG configuration commands 412 alg 412 Firewall configuration commands 414 Packet-filter firewall configuration commands 414 display firewall ipv6 statistics 414 display firewall-statistics 415 firewall default 416 firewall enable 416 firewall ipv6 default 417 firewall ipv6 enable 417 firewall packet-filter (interface view) 418 firewall packet-filter (user-profile view) 419 firewall packet-filter ipv6 419 reset firewall ipv6 statistics 420 reset firewall-statistics 421 ix
12 ASPF configuration commands 421 aspf-policy 421 display aspf all 422 display aspf interface 423 display aspf policy 424 display port-mapping 425 firewall aspf (interface) 426 firewall aspf (user-profile view) 426 icmp-error drop 427 port-mapping 428 tcp syn-check 428 Session management commands 430 application aging-time 430 display application aging-time 431 display session aging-time 431 display session relation-table 432 display session statistics 434 display session table 435 reset session 438 reset session statistics 439 session aging-time 439 session checksum 440 session log bytes-active 441 session log enable (interface view) 441 session log packets-active 442 session log time-active 443 session mode hybrid 443 session persist acl 444 Web filtering configuration commands 446 display firewall http activex-blocking 446 display firewall http java-blocking 447 display firewall http url-filter host 448 display firewall http url-filter parameter 450 firewall http activex-blocking acl 451 firewall http activex-blocking enable 452 firewall http activex-blocking suffix 452 firewall http java-blocking acl 453 firewall http java-blocking enable 454 firewall http java-blocking suffix 454 firewall http url-filter host acl 455 firewall http url-filter host default 456 firewall http url-filter host enable 456 firewall http url-filter host ip-address 457 firewall http url-filter host url-address 458 firewall http url-filter parameter 459 firewall http url-filter parameter enable 460 reset firewall http 461 User isolation commands 462 display user-isolation statistics 462 reset user-isolation statistics 463 user-isolation enable 463 user-isolation permit broadcast 463 user-isolation vlan enable 464 x
13 user-isolation vlan permit-mac 465 Source IP address verification commands 466 display wlan client source binding 466 ip verify source 467 ipv6 verify source 468 FIPS configuration commands 469 display fips status 469 fips mode enable 469 fips self-test 470 Protocol packet rate limit configuration commands 472 anti-attack enable 472 anti-attack protocol enable 472 anti-attack protocol threshold 473 anti-attack protocol flow-threshold 473 display anti-attack 474 Support and other resources 477 Contacting HP 477 Subscription service 477 Related information 477 Documents 477 Websites 477 Conventions 478 Index 480 xi
14 AAA configuration commands General AAA configuration commands aaa nas-id profile Use aaa nas-id profile to create a NAS ID profile and enter its view. A NAS ID profile maintains the bindings between NAS IDs and VLANs. Use undo aaa nas-id profile to remove a NAS ID profile. aaa nas-id profile profile-name undo aaa nas-id profile profile-name System view profile-name: Name of the NAS ID profile, a case-insensitive string of 1 to 16 characters. # Create a NAS ID profile named aaa. [Sysname] aaa nas-id profile aaa [Sysname-nas-id-prof-aaa] nas-id bind vlan access-limit enable Use access-limit enable to set the maximum number of online users in an ISP domain. Users are not accepted after the number of online users reaches the allowed maximum number. Use undo access-limit enable to restore the default. access-limit enable max-user-number undo access-limit enable There is no limit to the number of online users in an ISP domain. 1
15 ISP domain view max-user-number: Maximum number of online users that the ISP domain will accept, in the range of 1 to Because system resources can be limited, and user connections might compete for network resources, setting a limit for online users helps provide reliable system performance. # Set a limit of 500 user connections for ISP domain test. [Sysname] domain test [Sysname-isp-test] access-limit enable 500 display domain accounting command Use accounting command to specify the command-line accounting method. Use undo accounting command to restore the default. accounting command hwtacacs-scheme hwtacacs-scheme-name undo accounting command The default accounting method for the ISP domain is used for command-line accounting. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. The specified HWTACACS scheme must have been configured. Command-line accounting can use only an HWTACACS scheme. # Configure ISP domain test to use HWTACACS scheme hwtac for command-line accounting. 2
16 [Sysname] domain test [Sysname-isp-test] accounting command hwtacacs-scheme hwtac accounting default hwtacacs scheme accounting default Use accounting default to configure the default accounting method for an ISP domain. Use undo accounting default to restore the default. accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] local none radius-scheme radius-scheme-name [ local ] } undo accounting default The default accounting method of an ISP domain is local. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local accounting. none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. The specified RADIUS or HWTACACS scheme must have been configured. The default accounting method is used for all users who support the specified accounting method and have no specific accounting method configured. Local accounting is only used for monitoring and controlling the number of local user connections. It does not provide the statistics function that a typical accounting feature provides. # Configure the default accounting method for ISP domain test to use RADIUS accounting scheme rd and use local accounting as the backup. [Sysname] domain test [Sysname-isp-test] accounting default radius-scheme rd local 3
17 local-user hwtacacs scheme radius scheme accounting lan-access Use accounting lan-access to configure the accounting method for LAN users. Use undo accounting lan-access to restore the default. accounting lan-access { local none radius-scheme radius-scheme-name [ local none ] } undo accounting lan-access The default accounting method for the ISP domain is used for LAN users. ISP domain view local: Performs local accounting. none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. The specified RADIUS scheme must have been configured. # Configure ISP domain test to use local accounting for LAN users. [Sysname] domain test [Sysname-isp-test] accounting lan-access local # Configure ISP domain test to use RADIUS accounting scheme rd for LAN users and use local accounting as the backup. [Sysname] domain test [Sysname-isp-test] accounting lan-access radius-scheme rd local local-user accounting default radius scheme 4
18 accounting login Use accounting login to configure the accounting method for login users through the console port, AUX port, or Telnet. Use undo accounting login to restore the default. accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] local none radius-scheme radius-scheme-name [ local ] } undo accounting login The default accounting method for the ISP domain is used for login users. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local accounting. none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. The specified RADIUS or HWTACACS scheme must have been configured. Accounting is not supported for login users who use FTP. # Configure ISP domain test to use local accounting for login users. [Sysname] domain test [Sysname-isp-test] accounting login local # Configure ISP domain test to use RADIUS accounting scheme rd for login users and use local accounting as the backup. [Sysname] domain test [Sysname-isp-test] accounting login radius-scheme rd local local-user accounting default hwtacacs scheme radius scheme 5
19 accounting optional Use accounting optional to enable the accounting optional feature. Use undo accounting optional to disable the feature. accounting optional undo accounting optional The feature is disabled. ISP domain view After you configure the accounting optional command for a domain, a user who would otherwise be disconnected can continue to use the network resources when no accounting server is available or when communication with the current accounting server fails. However, the device no longer sends users' real-time accounting updates. After you configure the accounting optional command, the setting configured by the access-limit command in local user view has no effect. # Enable the accounting optional feature for users in domain test. [Sysname] domain test [Sysname-isp-test] accounting optional accounting portal Use accounting portal to configure the accounting method for portal users. Use undo accounting portal to restore the default. accounting portal { local none radius-scheme radius-scheme-name [ local ] } undo accounting portal The default accounting method for the ISP domain is used for portal users. ISP domain view 6
20 local: Performs local accounting. none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. The specified RADIUS scheme must have been configured. # Configure ISP domain test to use local accounting for portal users. [Sysname] domain test [Sysname-isp-test] accounting portal local # Configure ISP domain test to use RADIUS scheme rd for accounting on portal users and use local accounting as the backup. [Sysname] domain test [Sysname-isp-test] accounting portal radius-scheme rd local local-user accounting default radius scheme accounting ppp Use accounting ppp to configure the accounting method for PPP users. Use undo accounting ppp to restore the default. accounting ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] local none radius-scheme radius-scheme-name [ local ] } undo accounting ppp The default accounting method for the ISP domain is used for PPP users. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local accounting. 7
21 none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Support for this command depends on the device model. For more information, see About the Command References for HP Unified Wired-WLAN Products. The specified RADIUS or HWTACACS scheme must have been configured. # Configure ISP domain test to use local accounting for PPP users. [Sysname] domain test [Sysname-isp-test] accounting ppp local # Configure ISP domain test to use RADIUS accounting scheme rd for PPP users and use local accounting as the backup. [Sysname] domain test [Sysname-isp-test] accounting ppp radius-scheme rd local attribute 4 local-user accounting default hwtacacs scheme radius scheme Use attribute 4 to configure the NAS-IP-Address attribute (attribute number 4) for RADIUS Access-Request packets. Use undo attribute 4 to restore the default. attribute 4 ip-address undo attribute 4 The NAS-IP-Address attribute takes the source IP address of the RADIUS Access-Request packet. RADIUS scheme view ip-address: Specifies the IP address in the NAS-IP-Address attribute for RADIUS Access-Request packets. It must be a valid IPv4 address, and you cannot specify one of the following IP addresses: 8
22 IP addresses of full 0s. IP addresses of full 1s. D-class IP addresses. E-class IP addresses. Loopback IP addresses. In a MAC-BAC network, the NAS-IP-Address attribute (attribute number 4) in a RADIUS Access-Request packet must take the IP address of the master AC. This command does not change the source IP address of a RADIUS Access-Request packet. # Configure the NAS-IP-Address attribute (attribute number 4) as for RADIUS Access-Request packets. [Sysname] radius scheme aaa [Sysname-radius-aaa] attribute radius nas-ip nas-ip (RADIUS scheme view) authentication default Use authentication default to configure the default authentication method for an ISP domain. Use undo authentication default to restore the default. authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] ldap-scheme ldap-scheme-name [ local ] local none radius-scheme radius-scheme-name [ local ] } undo authentication default The default authentication method of an ISP domain is local. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authentication. none: Does not perform any authentication. 9
23 radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. The specified RADIUS, HWTACACS, or LDAP scheme must have been configured. The default authentication method is used for all users who support the specified authentication method and have no specific authentication method configured. # Configure the default authentication method for ISP domain test to use RADIUS authentication scheme rd and use local authentication as the backup. [Sysname] domain test [Sysname-isp-test] authentication default radius-scheme rd local local-user hwtacacs scheme radius scheme ldap scheme authentication lan-access Use authentication lan-access to configure the authentication method for LAN users. Use undo authentication lan-access to restore the default. authentication lan-access { local none radius-scheme radius-scheme-name [ local none ] } undo authentication lan-access The default authentication method for the ISP domain is used for LAN users. ISP domain view local: Performs local authentication. none: Does not perform any authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. The specified RADIUS scheme must have been configured. 10
24 # Configure ISP domain test to use local authentication for LAN users. [Sysname] domain test [Sysname-isp-test] authentication lan-access local # Configure ISP domain test to use RADIUS authentication scheme rd for LAN users and use local authentication as the backup. [Sysname] domain test [Sysname-isp-test] authentication lan-access radius-scheme rd local local-user authentication default radius scheme authentication login Use authentication login to configure the authentication method for login users through the console port, AUX port, Telnet, or FTP. Use undo authentication login to restore the default. authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] ldap-scheme ldap-scheme-name [ local ] local none radius-scheme radius-scheme-name [ local ] } undo authentication login The default authentication method for the ISP domain is used for login users. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authentication. none: Does not perform any authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. 11
25 The specified RADIUS, HWTACACS, or LDAP scheme must have been configured. # Configure ISP domain test to use local authentication for login users. [Sysname] domain test [Sysname-isp-test] authentication login local # Configure ISP domain test to use RADIUS authentication scheme rd for login users and use local authentication as the backup. [Sysname] domain test [Sysname-isp-test] authentication login radius-scheme rd local local-user authentication default hwtacacs scheme radius scheme ldap scheme authentication portal Use authentication portal to configure the authentication method for portal users. Use undo authentication portal to restore the default. authentication portal { ldap-scheme ldap-scheme-name [ local ] local none radius-scheme radius-scheme-name [ local ] } undo authentication portal The default authentication method for the ISP domain is used for portal users. ISP domain view ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authentication. none: Does not perform any authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. 12
26 The specified LDAP or RADIUS scheme must have been configured. Only PAP is supported for LDAP authentication of portal users. # Configure ISP domain test to use local authentication for portal users. [Sysname] domain test [Sysname-isp-test] authentication portal local # Configure ISP domain test to use RADIUS scheme rd for authentication of portal users and use local authentication as the backup. [Sysname] domain test [Sysname-isp-test] authentication portal radius-scheme rd local local-user authentication default ldap scheme radius scheme authentication ppp Use authentication ppp to configure the authentication method for PPP users. Use undo authentication ppp to restore the default. authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] local none radius-scheme radius-scheme-name [ local ] } undo authentication ppp Support for this command depends on the device model. For more information, see About the Command References for HP Unified Wired-WLAN Products. The default authentication method for the ISP domain is used for PPP users. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authentication. none: Does not perform any authentication. 13
27 radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. The specified RADIUS or HWTACACS scheme must have been configured. # Configure ISP domain test to use local authentication for PPP users. [Sysname] domain test [Sysname-isp-test] authentication ppp local # Configure ISP domain test to use RADIUS authentication scheme rd for PPP users and use local authentication as the backup. [Sysname] domain test [Sysname-isp-test] authentication ppp radius-scheme rd local local-user authentication default hwtacacs scheme radius scheme authentication super Use authentication super to configure the authentication method for user privilege level switching. Use undo authentication super to restore the default. authentication super { hwtacacs-scheme hwtacacs-scheme-name radius-scheme radius-scheme-name } undo authentication super The default authentication method for the ISP domain is used for user privilege level switching authentication. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. 14
28 The specified RADIUS or HWTACACS authentication scheme must have been configured. # Configure ISP domain test to use HWTACACS scheme tac for user privilege level switching authentication. [Sysname] super authentication-mode scheme [Sysname] domain test [Sysname-domain-test] authentication super hwtacacs-scheme tac hwtacacs scheme radius scheme super authentication-mode (Fundamentals Command Reference) authentication wlan-ap Use authentication wlan-ap to configure the authentication method for APs in a WLAN and specify the authentication RADIUS scheme. Use undo authentication wlan-ap to restore the default. authentication wlan-ap radius-scheme radius-scheme-name undo authentication wlan-ap The default authentication method for the ISP domain is used for AP authentication. ISP domain view Predefined command level radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. The specified RADIUS scheme must exist. # Configure the APs to use RADIUS scheme rd for authentication in ISP domain named system. [Sysname] domain system [Sysname-isp-system] authentication wlan-ap radius-scheme rd authentication default radius scheme 15
29 authorization command Use authorization command to configure the command-line authorization method. Use undo authorization command to restore the default. authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local none ] local none } undo authorization command The default authorization method for the ISP domain is used for command-line authorization. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform any authorization exchange, and an authenticated user can access only Level 0 commands. The specified HWTACACS scheme must have been configured. With command-line authorization configured, a user who has logged in to the device can execute only the commands with a level lower than or equal to that of the local user. # Configure ISP domain test to use local command-line authorization. [Sysname] domain test [Sysname-isp-test] authorization command local # Configure ISP domain test to use HWTACACS scheme hwtac for command-line authorization and use local authorization as the backup. [Sysname] domain test [Sysname-isp-test] authorization command hwtacacs-scheme hwtac local local-user authorization default hwtacacs scheme 16
30 authorization default Use authorization default to configure the default authorization method for an ISP domain. Use undo authorization default to restore the default. authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] ldap-scheme ldap-scheme-name [ local ] local none radius-scheme radius-scheme-name [ local ] } undo authorization default The default authorization method for the ISP domain of an ISP domain is local. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform any authorization exchange. After passing authentication, non-login users can access the network, FTP users can access the root directory of the device, and non-ftp users can access only the Level 0 commands. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. The specified RADIUS, HWTACACS, or LDAP scheme must have been configured. The default authorization method is used for all users who support the specified authorization method and have no specific authorization method configured. The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme. # Configure the default authorization method for ISP domain test to use RADIUS authorization scheme rd and use local authorization as the backup. [Sysname] domain test [Sysname-isp-test] authorization default radius-scheme rd local local-user hwtacacs scheme 17
31 radius scheme ldap scheme authorization lan-access Use authorization lan-access to configure the authorization method for LAN users. Use undo authorization lan-access to restore the default. authorization lan-access { local none radius-scheme radius-scheme-name [ local none ] } undo authorization lan-access The default authorization method for the ISP domain is used for LAN users. ISP domain view local: Performs local authorization. none: Does not perform any authorization exchange, and an authenticated LAN user can access the network directly. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. The specified RADIUS scheme must have been configured. The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme. # Configure ISP domain test to use local authorization for LAN users. [Sysname] domain test [Sysname-isp-test] authorization lan-access local # Configure ISP domain test to use RADIUS authorization scheme rd for LAN users and use local authorization as the backup. [Sysname] domain test [Sysname-isp-test] authorization lan-access radius-scheme rd local local-user authorization default radius scheme 18
32 authorization login Use authorization login to configure the authorization method for login users through the console port, AUX port, Telnet, or FTP. Use undo authorization login to restore the default. authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] ldap-scheme ldap-scheme-name [ local ] local none radius-scheme radius-scheme-name [ local ] } undo authorization login The default authorization method for the ISP domain is used for login users. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform any authorization exchange. After passing authentication, FTP users can access the root directory of the device, and other login users can access only the Level 0 commands. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. The specified RADIUS, HWTACACS, or LDAP scheme must have been configured. The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme. # Configure ISP domain test to use local authorization for login users. [Sysname] domain test [Sysname-isp-test] authorization login local # Configure ISP domain test to use RADIUS authorization scheme rd for login users and use local authorization as the backup. [Sysname] domain test [Sysname-isp-test] authorization login radius-scheme rd local 19
33 local-user authorization default hwtacacs scheme radius scheme ldap scheme authorization portal Use authorization portal to configure the authorization method for portal users. Use undo authorization portal to restore the default. authorization portal { local none radius-scheme radius-scheme-name [ local ] } undo authorization portal The default authorization method for the ISP domain is used for portal users. ISP domain view local: Performs local authorization. none: Does not perform any authorization exchange, and an authenticated portal user can access the network directly. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. The specified RADIUS scheme must have been configured. The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme. # Configure ISP domain test to use local authorization for portal users. [Sysname] domain test [Sysname-isp-test] authorization portal local # Configure ISP domain test to use RADIUS scheme rd for authorization of portal users and use local authorization as the backup. [Sysname] domain test [Sysname-isp-test] authorization portal radius-scheme rd local 20
34 local-user authorization default radius scheme authorization ppp Use authorization ppp to configure the authorization method for PPP users. Use undo authorization ppp to restore the default. authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] local none radius-scheme radius-scheme-name [ local ] } undo authorization ppp The default authorization method for the ISP domain is used for PPP users. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform any authorization exchange, and an authenticated PPP user can access the network directly. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Support for this command depends on the device model. For more information, see About the Command References for HP Unified Wired-WLAN Products. The specified RADIUS or HWTACACS scheme must have been configured. The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme. # Configure ISP domain test to use local authorization for PPP users. [Sysname] domain test [Sysname-isp-test] authorization ppp local # Configure ISP domain test to use RADIUS authorization scheme rd for PPP users and use local authorization as the backup. 21
35 [Sysname] domain test [Sysname-isp-test] authorization ppp radius-scheme rd local local-user authorization default hwtacacs scheme radius scheme authorization-attribute user-profile Use authorization-attribute user-profile to specify the default authorization user profile for an ISP domain. Use undo authorization-attribute user-profile to restore the default. authorization-attribute user-profile profile-name undo authorization-attribute user-profile An ISP domain has no default authorization user profile. ISP domain view 3: Manage level profile-name: Name of the user profile, a case-sensitive string of 1 to 31 characters. For more information about user profile configuration, see Security Configuration Guide. If the server (or the access device for local authentication) does not authorize a user profile to the ISP domain after an ISP domain user passes authentication, the system uses the user profile specified by the authorization-attribute user-profile command. If you configure the authorization-attribute user-profile command multiple times, only the most recent configuration takes effect. # Specify the default authorization user profile for domain test as profile1. [Sysname] domain test [Sysname-isp-test] authorization-attribute user-profile profile1 cut connection Use cut connection to tear down the specified user connections. 22
36 cut connection { access-type { dot1x mac-authentication portal } all domain isp-name interface interface-type interface-number ip ip-address mac mac-address ucibindex ucib-index user-name user-name vlan vlan-id } System view access-type: Specifies the user connections for the specified access type. dot1x: Indicates 802.1X authentication. mac-authentication: Indicates MAC address authentication. portal: Indicates portal authentication. all: Specifies all user connections. domain isp-name: Specifies the user connections for an ISP domain. The isp-name argument represents the name of an existing ISP domain and is a string of 1 to 24 characters. interface interface-type interface-number: Specifies the user connections on an interface. Only Layer 2 Ethernet interfaces and WLAN virtual interfaces are supported. ip ip-address: Specifies the user connections for an IP address. mac mac-address: Specifies the user connections for a MAC address, with mac-address in the format H-H-H. ucibindex ucib-index: Specifies the user connection that uses the connection index, in the range of 0 to user-name user-name: Specifies the user connections that use the username. The user-name argument is a case-sensitive string of 1 to 80 characters. For a username without a domain name, the system considers that the user is in the default domain or the mandatory authentication domain. vlan vlan-id: Specifies the user connections of a VLAN, in the range of 1 to This command applies to only LAN access, portal, and PPP user connections. You cannot cut the connections by username for 802.1X users whose usernames include the version number or spaces, or use a slash (/) or backslash (\) as the domain name delimiter. For example, the cut connection user-name aaa\bbb command cannot cut the connections of the user aaa\bbb. An interface that is configured with a mandatory authentication domain considers users of the corresponding access type as users in the mandatory authentication domain. For example, if you configure an 802.1X mandatory authentication domain on an interface, the interface uses the domain's AAA methods for all its 802.1X users. To cut connections of these users, use the cut connection domain isp-name command, and specify the mandatory authentication domain. # Tear down all connections of ISP domain test. [Sysname] cut connection domain test 23
37 display connection service-type display connection Use display connection to display information about AAA user connections. display connection [ access-type { dot1x mac-authentication portal } domain isp-name interface interface-type interface-number ip ip-address mac mac-address ucibindex ucib-index user-name user-name vlan vlan-id ] [ { begin exclude include } regular-expression ] Any view 1: Monitor level access-type: Specifies the user connections for the specified access type. dot1x: Indicates 802.1X authentication. mac-authentication: Indicates MAC address authentication. portal: Indicates portal authentication. domain isp-name: Specifies the user connections for an ISP domain. The isp-name argument represents the name of an existing ISP domain and is a case-insensitive string of 1 to 24 characters. interface interface-type interface-number: Specifies the user connections on an interface. Only Layer 2 Ethernet interfaces and WLAN virtual interfaces are supported. ip ip-address: Specifies the user connections for an IP address. mac mac-address: Specifies the user connections for a MAC address, with mac-address in the format H-H-H. ucibindex ucib-index: Specifies the user connection for the connection index, in the range of 0 to user-name user-name: Specifies the user connections for the username. The user-name argument is a case-sensitive string of 1 to 80 characters. For a username entered without a domain name, the system assumes that the user is in the default domain name or the mandatory authentication domain. vlan vlan-id: Specifies the user connections for a VLAN, in the range of 1 to : Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. 24
38 This command does not display information about FTP user connections. With no parameter specified, this command displays brief information about all AAA user connections. If you specify the ucibindex ucib-index option, this command displays detailed information. Otherwise, this command displays brief information. If an interface is configured with a mandatory authentication domain (for example, an 802.1X mandatory authentication domain), the device uses the mandatory authentication domain to perform authentication, authorization, and accounting for users who access the interface through the specified access type. To display connections of such users, use the display connection domain isp-name command and specify the mandatory authentication domain. The device displays the username of a user on an interface configured with a mandatory authentication domain depending on the format of the username entered by the user at login: If the username does not contain the at sign (@), the device displays the username in the format username@mandatory authentication domain name. If the username contains the at sign (@), the device displays the entered username. For example, if a user entered the username aaa@123 at login and the name of the mandatory authentication domain is dom, the device displays the username aaa@123, rather than aaa@123@dom. You cannot query the connections by username for 802.1X users whose usernames use a slash (/) or backslash (\) as the domain name delimiter. For example, the display connection user-name aaa\bbb command cannot display the connections of the user aaa\bbb. # Display information about all AAA user connections. <Sysname> display connection Index=1,Username=user1@system MAC=00-15-E9-A6-7C-FE IP= Online=00h00m53s Total 1 connection(s) matched. # Display information about AAA user connections with an index of 0. <Sysname> display connection ucibindex 0 Index=0, Username=user1@system MAC=00-15-E9-A6-7C-FE IP= IPv6=N/A Access=Admin,AuthMethod=PAP Port Type=Virtual,Port Name=N/A Initial VLAN=999, Authorized VLAN=20 ACL Group=Disable User Profile=N/A CAR=Disable Traffic Statistic: InputOctets = OutputOctets =12120 InputGigawords=1 OutputGigawords=0 Priority=Disable 25
HP FlexFabric 5700 Switch Series
HP FlexFabric 5700 Switch Series Security Command Reference Part number: 5998-6695 Software version: Release 2416 Document version: 6W100-20150130 Legal and notice information Copyright 2015 Hewlett-Packard
HP 5920 & 5900 Switch Series
HP 5920 & 5900 Switch Series Security Command Reference Part number: 5998-2887 Software version: Release2208 Document version: 6W100-20130228 Legal and notice information Copyright 2013 Hewlett-Packard
HP Unified Wired-WLAN Products
HP Unified Wired-WLAN Products Security Configuration Guide HP 830 Unified Wired-WLAN PoE+ Switch Series HP 850 Unified Wired-WLAN Appliance HP 870 Unified Wired-WLAN Appliance HP 11900/10500/7500 20G
H3C S5830V2 & S5820V2 Switch Series
H3C S5830V2 & S5820V2 Switch Series Security Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release2108 Document version: 6W101-20120531 Copyright 2012, Hangzhou
H3C S12500 Series Routing Switches
H3C S12500 Series Routing Switches Security Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: S12500-CMW710-R7128 Document version: 6W710-20121130 Copyright 2012,
About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified Wired-WLAN Module
About the HP 830 Series Switch and HP 10500/7500 20G Unified Module s Part number: 5998-3903 Software version: 3308P29 (HP 830 Series Switch) 2308P29 (HP 10500/7500 20G Unified Module) Document version:
Appendix A Command Index
Appendix A Command Index The command index includes all the commands in the Command Manual, which are arranged alphabetically. A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A aaa nas-id profile 21-AAA
About the Configuration Guides for HP Unified
About the Configuration Guides for HP Unified Wired-W Products HP 830 Unified Wired-W PoE+ Switch Series HP 850 Unified Wired-W Appliance HP 870 Unified Wired-W Appliance HP 11900/10500/7500 20G Unified
HP 5120 SI Switch Series
HP 5120 SI Switch Series Security Configuration Guide Part number: 5998-1815 Software version: Release 1505 Document version: 6W102-20121111 Legal and notice information Copyright 2012 Hewlett-Packard
HP A5820X & A5800 Switch Series Security. Configuration Guide. Abstract
HP A5820X & A5800 Switch Series Security Configuration Guide Abstract This document describes the software features for the HP A Series products and guides you through the software configuration procedures.
HP Unified Wired-WLAN Products
HP Unified Wired-WLAN Products WLAN Configuration Guide HP 830 Unified Wired-WLAN PoE+ Switch Series HP 850 Unified Wired-WLAN Appliance HP 870 Unified Wired-WLAN Appliance HP 11900/10500/7500 20G Unified
HP Load Balancing Module
HP Load Balancing Module Load Balancing Configuration Guide Part number: 5998-4218 Software version: Feature 3221 Document version: 6PW100-20130326 Legal and notice information Copyright 2013 Hewlett-Packard
HP Load Balancing Module
HP Load Balancing Module System Management Configuration Guide Part number: 5998-4216 Software version: Feature 3221 Document version: 6PW100-20130326 Legal and notice information Copyright 2013 Hewlett-Packard
Appendix A Command Index A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
The command index includes all the commands in the Comware Command Manual, which are arranged alphabetically. A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A access-limit accounting accounting optional
HP VSR1000 Virtual Services Router
HP VSR1000 Virtual Services Router Layer 2 - WAN Access Configuration Guide Part number: 5998-6023 Software version: VSR1000_HP-CMW710-R0202-X64 Document version: 6W100-20140418 Legal and notice information
HP Load Balancing Module
HP Load Balancing Module Security Configuration Guide Part number: 5998-2686 Document version: 6PW101-20120217 Legal and notice information Copyright 2012 Hewlett-Packard Development Company, L.P. No part
Contents. Configuring SSH 1
Contents Configuring SSH 1 Overview 1 How SSH works 1 SSH authentication methods 2 SSH support for Suite B 3 FIPS compliance 3 Configuring the device as an SSH server 4 SSH server configuration task list
HP 6125 Blade Switch Series
HP 6125 Blade Switch Series About the HP 6125 Blade Command s Part number: 5998-3163 Software version: Release 2103 Document version: 6W100-20120907 Legal and notice information Copyright 2012 Hewlett-Packard
HP 6125 Blade Switch Series
HP 6125 Blade Switch Series About the HP 6125 Blade s Part number: 5998-3152 Software version: Release 2103 Document version: 6W100-20120907 Legal and notice information Copyright 2012 Hewlett-Packard
HP High-End Firewalls
HP High-End Firewalls Access Control Configuration Guide Part number: 5998-2648 Software version: F1000-A-EI&F1000-S-EI: R3721 F5000: F3210 F1000-E: F3171 Firewall module: F3171 Document version: 6PW101-20120719
HP 3600 v2 Switch Series
HP 3600 v2 Switch Series Layer 3 - IP Services Configuration Guide Part number: 5998-2351 Software version: Release 2108P01 Document version: 6W100-20131130 Legal and notice information Copyright 2013
HP 5120 SI Switch Series
HP 5120 SI Switch Series Network Management and Monitoring Configuration Guide Part number: 5998-1813 Software version: Release 1505 Document version: 6W102-20121111 Legal and notice information Copyright
Operation Manual Security. Table of Contents
Table of Contents Table of Contents Chapter 1 802.1x Configuration... 1-1 1.1 802.1x Overview... 1-1 1.1.1 802.1x Standard Overview... 1-1 1.1.2 802.1x System Architecture... 1-1 1.1.3 802.1x Authentication
Controlled/uncontrolled port and port authorization status
Contents 802.1X fundamentals 1 802.1X architecture 1 Controlled/uncontrolled port and port authorization status 1 802.1X-related protocols 2 Packet formats 2 EAP over RADIUS 4 Initiating 802.1X authentication
Operation Manual AAA RADIUS HWTACACS H3C S5500-EI Series Ethernet Switches. Table of Contents
Table of Contents Table of Contents... 1-1 1.1 AAA/RADIUS/HWTACACS Over... 1-1 1.1.1 Introduction to AAA... 1-1 1.1.2 Introduction to RADIUS... 1-3 1.1.3 Introduction to HWTACACS... 1-9 1.1.4 Protocols
HP 5820X & 5800 Switch Series Network Management and Monitoring. Configuration Guide. Abstract
HP 5820X & 5800 Switch Series Network Management and Monitoring Configuration Guide Abstract This document describes the software features for the HP 5820X & 5800 Series products and guides you through
Table of Contents X Configuration 1-1
Table of Contents 1 802.1X Configuration 1-1 802.1X Overview 1-1 Architecture of 802.1X 1-2 Authentication Modes of 802.1X 1-2 Basic Concepts of 802.1X 1-3 EAP over LAN 1-4 EAP over RADIUS 1-5 802.1X Authentication
Appendix A Command Index A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
The command index includes all the commands in the VRP Command Manual, which are arranged alphabetically. A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A access-limit 1-1 accounting QoS 2-1 accounting
Table of Contents. 4 System Guard Configuration 4-1 System Guard Overview 4-1 Guard Against IP Attacks 4-1 Guard Against TCN Attacks 4-1
Table of Contents 1 802.1x Configuration 1-1 Introduction to 802.1x 1-1 Architecture of 802.1x Authentication 1-1 The Mechanism of an 802.1x Authentication System 1-3 Encapsulation of EAPoL Messages 1-3
HP 830 Series PoE+ Unified Wired-WLAN Switch Switching Engine
HP 830 Series PoE+ Unified Wired-WLAN Switch Switching Engine Network Management and Monitoring Configuration Guide Part number: 5998-3936 Software version: 3308P26 Document version: 6W101-20130628 Legal
HP A5500 EI & A5500 SI Switch Series Network Management and Monitoring. Configuration Guide. Abstract
HP A5500 EI & A5500 SI Switch Series Network Management and Monitoring Configuration Guide Abstract This document describes the software features for the HP A Series products and guides you through the
Operation Manual 802.1x. Table of Contents
Table of Contents Table of Contents... 1-1 1.1 802.1x Overview... 1-1 1.1.1 Architecture of 802.1x... 1-1 1.1.2 Operation of 802.1x... 1-3 1.1.3 EAP Encapsulation over LANs... 1-4 1.1.4 EAP Encapsulation
HP 6125G & 6125G/XG Blade Switches
HP 6125G & 6125G/XG Blade Switches Network Management and Monitoring Configuration Guide Part number: 5998-3162b Software version: Release 2103 and later Document version: 6W103-20151020 Legal and notice
Table of Contents 1 AAA Overview AAA Configuration 2-1
Table of Contents 1 AAA Overview 1-1 Introduction to AAA 1-1 Authentication 1-1 Authorization 1-1 Accounting 1-2 Introduction to ISP Domain 1-2 Introduction to AAA Services 1-3 Introduction to RADIUS 1-3
About the HP MSR Router Series
About the HP MSR Router Series Command (V7) Part number: 5998-7731b Software version: CMW710-R0304 Document version: 6PW104-20150914 Legal and notice information Copyright 2015 Hewlett-Packard Development
HP 6125 Blade Switch Series
HP 6125 Blade Switch Series Network Management and Monitoring Configuration Guide Part number: 5998-3162 Software version: Release 2103 Document version: 6W100-20120907 Legal and notice information Copyright
HP FlexFabric 5930 Switch Series
HP FlexFabric 5930 Switch Series Layer 3 IP Services Command Reference Part number: 5998-4568 Software version: Release 2406 & Release 2407P01 Document version: 6W101-20140404 Legal and notice information
TECHNICAL NOTE UWW & CLEARPASS HOW-TO: CONFIGURE UNIFIED WIRELESS WITH CLEARPASS. Version 2
HOW-TO: CONFIGURE UNIFIED WIRELESS WITH CLEARPASS Version 2 CONTENTS Introduction... 7 Background information... 7 Requirements... 7 Network diagram... 7 VLANs... 8 Switch configuration... 8 Initial setup...
HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls
HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls VPN Configuration Guide Part number:5998-2652 Document version: 6PW100-20110909 Legal and notice information Copyright 2011 Hewlett-Packard Development Company,
HP 5920 & 5900 Switch Series
HP 5920 & 5900 Switch Series OpenFlow Command Reference Part number: 5998-4679a Software version: Release 23xx Document version: 6W101-20150320 Legal and notice information Copyright 2015 Hewlett-Packard
H3C SecPath Series Firewalls and UTM Devices
H3C SecPath Series Firewalls and UTM Devices Attack Protection Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: F100 series: ESS 5132 F1000-A-EI: Feature 3722
HP Routing Switch Series
HP 12500 Routing Switch Series EVI Configuration Guide Part number: 5998-3419 Software version: 12500-CMW710-R7128 Document version: 6W710-20121130 Legal and notice information Copyright 2012 Hewlett-Packard
Table of Contents 1 AAA Overview AAA Configuration 2-1
Table of Contents 1 AAA Overview 1-1 Introduction to AAA 1-1 Authentication 1-1 Authorization 1-1 Accounting 1-2 Introduction to ISP Domain 1-2 Introduction to AAA Services 1-2 Introduction to RADIUS 1-2
HP 6125 Blade Switch Series
HP 6125 Blade Switch Series Layer 3 - IP Services Configuration Guide Part number: 5998-3156 Software version: Release 2103 Document version: 6W100-20120907 Legal and notice information Copyright 2012
HP 5120 SI Switch Series
HP 5120 SI Switch Series Layer 2 - LAN Switching Configuration Guide Part number: 5998-1807 Software version: Release 1513 Document version: 6W100-20130830 Legal and notice information Copyright 2013 Hewlett-Packard
HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified
HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module WLAN Configuration Guide Part number: 5998-3905 Software version: 3308P29 (HP 830 Series PoE+ Unified Wired-WLAN
HP VPN Firewall Appliances
HP VPN Firewall Appliances High Availability Configuration Guide Part number: 5998-4169 Software version: F1000-A-EI/F1000-S-EI (Feature 3726) F1000-E (Release 3177) F5000 (Feature 3211) F5000-S/F5000-C
HP Firewalls and UTM Devices
HP Firewalls and UTM Devices Access Control Command Reference Part number: 5998-4175 Software version: F1000-A-EI: Feature 3722 F1000-S-EI: Feature 3722 F5000: Feature 3211 F1000-E: Feature 3174 Firewall
Fundamentals of Network Security v1.1 Scope and Sequence
Fundamentals of Network Security v1.1 Scope and Sequence Last Updated: September 9, 2003 This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document
HP FlexFabric 5930 Switch Series
HP FlexFabric 5930 Switch Series Layer 3 - IP Services Configuration Guide Part number: 5998-4571 Software version: Release 2406 & Release 2407P01 Document version: 6W101-20140404 Legal and notice information
HP High-End Firewalls
HP High-End Firewalls Attack Protection Configuration Guide Part number: 5998-2650 Software version: F1000-A-EI&F1000-S-EI: R3721 F5000: F3210 F1000-E: F3171 Firewall module: F3171 Document version: 6PW101-20120719
HP A3100 v2 Switch Series
HP A3100 v2 Switch Series Layer 3 - IP Services Configuration Guide HP A3100-8 v2 SI Switch (JG221A) HP A3100-16 v2 SI Switch (JG222A) HP A3100-24 v2 SI Switch (JG223A) HP A3100-8 v2 EI Switch (JD318B)
HP 5120 SI Switch Series
HP 5120 SI Switch Series Layer 3 - IP Services Configuration Guide Part number: 5998-1807 Software version: Release 1513 Document version: 6W100-20130830 Legal and notice information Copyright 2013 Hewlett-Packard
Table of Contents X Configuration 1-1
Table of Contents 1 802.1X Configuration 1-1 802.1X Overview 1-1 Architecture of 802.1X 1-1 Authentication Modes of 802.1X 1-2 Basic Concepts of 802.1X 1-2 EAP over LAN 1-3 EAP over RADIUS 1-5 802.1X Authentication
HP 6125G & 6125G/XG Blade Switches
HP 6125G & 6125G/XG Blade Switches Layer 2 - LAN Switching Configuration Guide Part number:5998-3155a Software version: Release 2103 and later Document version: 6W102-20141218 Legal and notice information
HP U200 Unified Threat Management (UTM) Appliance Series
Data sheet HP U200 Unified Threat Management (UTM) Appliance Series Key features Flexible security zone and virtual firewall Advanced VPN Comprehensive threat protection Antivirus, antispam, and URL filtering
Configuration - Security
Release: Document Revision: 5.3 01.01 www.nortel.com NN46240-600 324564-A Rev01 Release: 5.3 Publication: NN46240-600 Document Revision: 01.01 Document status: Standard Document release date: 30 March
PPP configuration commands
Contents PPP configuration commands 1 ip address ppp-negotiate 1 ip pool 1 link-protocol ppp 2 ppp authentication-mode 2 ppp chap password 4 ppp chap user 5 ppp ipcp remote-address forced 5 ppp pap local-user
HP A3100 v2 Switch Series
HP A3100 v2 Switch Series Layer 2 - LAN Switching Configuration Guide HP A3100-8 v2 SI Switch (JG221A) HP A3100-16 v2 SI Switch (JG222A) HP A3100-24 v2 SI Switch (JG223A) HP A3100-8 v2 EI Switch (JD318B)
HP Load Balancing Module
HP Load Balancing Module High Availability Configuration Guide Part number: 5998-2687 Document version: 6PW101-20120217 Legal and notice information Copyright 2012 Hewlett-Packard Development Company,
HP A5830 Switch Series Layer 3 - IP Services. Configuration Guide. Abstract
HP A5830 Switch Series Layer 3 - IP Services Configuration Guide Abstract This document describes the software features for the HP A Series products and guides you through the software configuration procedures.
HP High-End Firewalls
HP High-End Firewalls Attack Protection Configuration Guide Part number: 5998-2630 Software version: F1000-E/Firewall module: R3166 F5000-A5: R3206 Document version: 6PW101-20120706 Legal and notice information
HPE FlexFabric 5940 Switch Series
HPE FlexFabric 5940 Switch Series Layer 3 IP Services Configuration Guide Part number: 5200-1022a Software version: Release 2508 and later verison Document version: 6W101-20161101 Copyright 2016 Hewlett
WLAN high availability
Technical white paper WLAN high availability Table of contents Overview... 2 WLAN high availability implementation... 3 Fundamental high availability technologies... 3 AP connection priority... 3 AC selection...
DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide. Figure 9-1 Port Security Global Settings window
9. Security DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide Port Security 802.1X AAA RADIUS TACACS IMPB DHCP Server Screening ARP Spoofing Prevention MAC Authentication Web-based
Table of Contents 1 IKE 1-1
Table of Contents 1 IKE 1-1 IKE Overview 1-1 Security Mechanism of IKE 1-1 Operation of IKE 1-1 Functions of IKE in IPsec 1-2 Relationship Between IKE and IPsec 1-3 Protocols 1-3 Configuring IKE 1-3 Configuration
HPE FlexNetwork MSR Router Series
HPE FlexNetwork MSR Router Series About the HPE MSR Router Series Configuration Part number: 5998-8821 Software version: CMW710-R0305 Document version: 6PW106-20160308 Copyright 2016 Hewlett Packard Enterprise
HPE FlexFabric 5950 Switch Series
HPE FlexFabric 5950 Switch Series About the HPE FlexFabric 5950 Configuration Guides Part number: 5200-0808 Software version: Release 6106 and later Document version: 6W100-20160513 Copyright 2016 Hewlett
Portal configuration commands
Contents Portal configuration commands 1 display portal acl 1 display portal connection statistics 5 display portal free-rule 7 display portal interface 9 display portal-roaming 11 display portal server
HP High-End Firewalls
HP High-End Firewalls NAT and ALG Command Reference Part number: 5998-2639 Software version: F1000-E/Firewall module: R3166 F5000-A5: R3206 Document version: 6PW101-20120706 Legal and notice information
Overview 1. Service Features 1
Table of Contents Overview 1 Service Features 1 Introduction 1 Feature List 1 Feature Introduction 3 Firewall Web Manual 3 Security Volume 12 Access Volume 14 IP Services Volume 15 IP Routing Volume 16
Retired. Models HP U200-A UTM Appliance
Overview (Retired) Models HP U200-S UTM Appliance HP U200-A UTM Appliance JD273A JD275A Key features Flexible security zone and virtual firewall Advanced VPN Comprehensive threat protection Antivirus,
HP A5820X & A5800 Switch Series MPLS. Configuration Guide. Abstract
HP A5820X & A5800 Switch Series MPLS Configuration Guide Abstract This document describes the software features for the HP 5820X & 5800 Series products and guides you through the software configuration
HP High-End Firewalls
HP High-End Firewalls Getting Started Guide Part number: 5998-2646 Software version: F1000-A-EI&F1000-S-EI: R3721 F5000: F3210 F1000-E: F3171 Firewall module: F3171 Document version: 6PW101-20120719 Legal
HP MSR Router Series. EVI Configuration Guide(V7) Part number: b Software version: CMW710-R0304 Document version: 6PW
HP MSR Router Series EVI Configuration Guide(V7) Part number: 5998-7360b Software version: CMW710-R0304 Document version: 6PW104-20150914 Legal and notice information Copyright 2015 Hewlett-Packard Development
HPE FlexNetwork MSR Router Series
HPE FlexNetwork MSR Router Series About the HPE MSR Router Series Command s Part number: 5998-8799 Software version: CMW710-R0305 Document version: 6PW106-20160308 Copyright 2016 Hewlett Packard Enterprise
User authentication configuration example 11 Command authorization configuration example 13 Command accounting configuration example 14
Contents Logging in to the CLI 1 Login methods 1 Logging in through the console or AUX port 2 Logging in through Telnet 5 Telnetting to the switch 5 Telnetting from the switch to another device 7 Logging
Operation Manual Login and User Interface. Table of Contents
Table of Contents Table of Contents Chapter 1 Switch Login... 1-1 1.1 Setting Up Configuration Environment Through the Console Port... 1-1 1.2 Setting Up Configuration Environment Through Telnet... 1-2
HP 5920 & 5900 Switch Series
HP 5920 & 5900 Switch Series Network Management and Monitoring Configuration Guide Part number: 5998-2900 Software version: Release 2210 Document version: 6W100-20131105 Legal and notice information Copyright
Logging in to the CLI
Contents Logging in to the CLI 1 Login methods 1 Logging in through the console port 2 Introduction 2 Configuration procedure 2 Logging in through the AUX port 5 Configuration prerequisites 5 Configuration
HP Load Balancing Module
HP Load Balancing Module System Maintenance Configuration Guide Part number: 5998-4221 Software version: Feature 3221 Document version: 6PW100-20130326 Legal and notice information Copyright 2013 Hewlett-Packard
Configuration Guide TL-ER5120/TL-ER6020/TL-ER REV3.0.0
Configuration Guide TL-ER5120/TL-ER6020/TL-ER6120 1910012186 REV3.0.0 June 2017 CONTENTS About This Guide Intended Readers... 1 Conventions... 1 More Information... 1 Viewing Status Information... 2 System
HPE FlexFabric 7900 Switch Series
HPE FlexFabric 7900 Switch Series VXLAN Configuration Guide Part number: 5998-8254R Software version: Release 213x Document version: 6W101-20151113 Copyright 2015 Hewlett Packard Enterprise Development
HP A5120 EI Switch Series IRF. Command Reference. Abstract
HP A5120 EI Switch Series IRF Command Reference Abstract This document describes the commands and command syntax options available for the HP A Series products. This document is intended for network planners,
High Availability Synchronization PAN-OS 5.0.3
High Availability Synchronization PAN-OS 5.0.3 Revision B 2013, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Device Configuration... 4 Network Configuration... 9 Objects Configuration...
DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0
DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0 i Hangzhou DPtech Technologies Co., Ltd. provides full- range technical support. If you need any
Release Notes: Version Operating System
Release Notes: Version 2.0.29 Operating System for the HP ProCurve Wireless Access Point 420 These release notes include information on the following: Downloading access point software and documentation
User Guide TL-R470T+/TL-R480T REV9.0.2
User Guide TL-R470T+/TL-R480T+ 1910012468 REV9.0.2 September 2018 CONTENTS About This Guide Intended Readers... 1 Conventions... 1 More Information... 1 Accessing the Router Overview... 3 Web Interface
HP A3100 v2 Switch Series
HP A3100 v2 Switch Series Fundamentals Command Reference HP A3100-8 v2 SI Switch (JG221A) HP A3100-16 v2 SI Switch (JG222A) HP A3100-24 v2 SI Switch (JG223A) HP A3100-8 v2 EI Switch (JD318B) HP A3100-16
User Role Firewall Policy
User Role Firewall Policy An SRX Series device can act as an Infranet Enforcer in a UAC network where it acts as a Layer 3 enforcement point, controlling access by using IP-based policies pushed down from
HP MSR Router Series. Layer 2 LAN Switching Command Reference(V7)
HP MSR Router Series Layer 2 LAN Switching Command Reference(V7) Part number: 5998-7738b Software version: CMW710-R0304 Document version: 6PW104-20150914 Legal and notice information Copyright 2015 Hewlett-Packard
Table of Contents 1 PPP Configuration Commands PPPoE Configuration Commands 2-1
Table of Contents 1 PPP Configuration Commands 1-1 PPP Configuration Commands 1-1 ip address ppp-negotiate 1-1 link-protocol ppp 1-2 mtu 1-2 ppp account-statistics enable 1-3 ppp authentication-mode 1-3
H3C S5120-SI Series Ethernet Switches Security Configuration Guide
H3C S5120-SI Series Ethernet Switches Security Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Copyright 2003-2010, Hangzhou H3C Technologies Co., Ltd. and its licensors All
SSL VPN - IPv6 Support
The feature implements support for IPv6 transport over IPv4 SSL VPN session between a client, such as Cisco AnyConnect Mobility Client, and SSL VPN. Finding Feature Information, on page 1 Prerequisites
HP 3600 v2 Switch Series
HP 3600 v2 Switch Series Fundamentals Command Reference Part number: 5998-7608 Software version: Release 2110P02 Document version: 6W100-20150305 Legal and notice information Copyright 2015 Hewlett-Packard
HP MSR Router Series. Network Management and Monitoring Configuration Guide(V7)
HP MSR Router Series Network Management and Monitoring Configuration Guide(V7) Part number: 5998-7724b Software version: CMW710-R0304 Document version: 6PW104-20150914 Legal and notice information Copyright
DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0
DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0 i Hangzhou DPtech Technologies Co., Ltd. provides full- range technical support. If you need any help,
HP FlexFabric 5700 Switch Series
HP FlexFabric 5700 Switch Series Layer 3 - IP Routing Configuration Guide Part number: 5998-6688 Software version: Release 2416 Document version: 6W100-20150130 Legal and notice information Copyright 2015
SSL VPN - IPv6 Support
The feature implements support for IPv6 transport over IPv4 SSL VPN session between a client, such as Cisco AnyConnect Mobility Client, and SSL VPN. Finding Feature Information, page 1 Prerequisites for,
HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls
HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls NAT Configuration Guide Part number:5998-2649 Document version: 6PW100-20110909 Legal and notice information Copyright 2011 Hewlett-Packard Development Company,