HP FlexFabric 5700 Switch Series
|
|
|
- Ross Owen
- 6 years ago
- Views:
Transcription
1 HP FlexFabric 5700 Switch Series Security Command Reference Part number: Software version: Release 2416 Document version: 6W
2 Legal and notice information Copyright 2015 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
3 Contents AAA commands 1 General AAA commands 1 aaa nas-id profile 1 aaa session-limit 2 accounting command 2 accounting default 3 accounting lan-access 4 accounting login 6 accounting portal 7 authentication default 8 authentication lan-access 9 authentication login 11 authentication portal 12 authentication super 13 authorization command 14 authorization default 16 authorization lan-access 17 authorization login 18 authorization portal 20 authorization-attribute (ISP domain view) 21 display domain 22 domain 23 domain default enable 24 nas-id bind vlan 25 state (ISP domain view) 26 Local user commands 26 access-limit 26 authorization-attribute (local user view/user group view) 27 bind-attribute 29 display local-user 30 display user-group 33 group 34 local-user 35 password 36 service-type 37 state (local user view) 39 user-group 39 RADIUS commands 40 accounting-on enable 40 attribute 15 check-mode 41 data-flow-format (RADIUS scheme view) 42 display radius scheme 42 display radius statistics 45 key (RADIUS scheme view) 46 nas-ip (RADIUS scheme view) 47 primary accounting (RADIUS scheme view) 49 primary authentication (RADIUS scheme view) 50 radius nas-ip 51 radius scheme 52 i
4 radius session-control enable 53 reset radius statistics 54 retry 54 retry realtime-accounting 55 secondary accounting (RADIUS scheme view) 56 secondary authentication (RADIUS scheme view) 58 security-policy-server 59 snmp-agent trap enable radius 60 state primary 61 state secondary 62 timer quiet (RADIUS scheme view) 63 timer realtime-accounting (RADIUS scheme view) 64 timer response-timeout (RADIUS scheme view) 65 user-name-format (RADIUS scheme view) 66 HWTACACS commands 67 data-flow-format (HWTACACS scheme view) 67 display hwtacacs scheme 67 hwtacacs nas-ip 70 hwtacacs scheme 71 key (HWTACACS scheme view) 72 nas-ip (HWTACACS scheme view) 73 primary accounting (HWTACACS scheme view) 74 primary authentication (HWTACACS scheme view) 75 primary authorization 77 reset hwtacacs statistics 78 secondary accounting (HWTACACS scheme view) 79 secondary authentication (HWTACACS scheme view) 80 secondary authorization 82 timer quiet (HWTACACS scheme view) 83 timer realtime-accounting (HWTACACS scheme view) 84 timer response-timeout (HWTACACS scheme view) 85 user-name-format (HWTACACS scheme view) 85 LDAP commands 86 authentication-server 86 display ldap scheme 87 ip 88 ipv6 89 ldap scheme 90 ldap server 91 login-dn 91 login-password 92 protocol-version 93 search-base-dn 93 search-scope 94 server-timeout 95 user-parameters X commands 97 display dot1x 97 display dot1x connection 100 dot1x 102 dot1x authentication-method 103 dot1x auth-fail vlan 104 dot1x critical vlan 105 dot1x domain-delimiter 105 ii
5 dot1x ead-assistant enable 106 dot1x ead-assistant free-ip 107 dot1x ead-assistant url 108 dot1x guest-vlan 109 dot1x handshake 109 dot1x handshake secure 110 dot1x mandatory-domain 111 dot1x max-user 112 dot1x multicast-trigger 112 dot1x port-control 113 dot1x port-method 114 dot1x quiet-period 114 dot1x re-authenticate 115 dot1x re-authenticate server-unreachable keep-online 116 dot1x retry 116 dot1x timer 117 dot1x unicast-trigger 119 reset dot1x guest-vlan 120 reset dot1x statistics 120 MAC authentication commands 122 display mac-authentication 122 display mac-authentication connection 124 mac-authentication 126 mac-authentication critical vlan 127 mac-authentication domain 127 mac-authentication guest-vlan 128 mac-authentication host-mode 129 mac-authentication max-user 130 mac-authentication re-authenticate server-unreachable keep-online 131 mac-authentication timer 131 mac-authentication timer auth-delay 132 mac-authentication user-name-format 133 reset mac-authentication critical-vlan 135 reset mac-authentication guest-vlan 135 reset mac-authentication statistics 136 Portal commands 137 display portal interface 137 display portal packet statistics 139 display portal rule 141 display portal server 144 display portal user 145 display portal web-server 146 ip 148 ipv6 149 port 150 portal { bas-ip bas-ipv6 } 150 portal apply web-server 151 portal delete-user 152 portal domain 153 portal enable method 154 portal fail-permit server 155 portal free-all except destination 155 portal free-rule 156 iii
6 portal free-rule source 158 portal ipv6 free-all except destination 159 portal ipv6 layer3 source 160 portal ipv6 user-detect 160 portal layer3 source 162 portal nas-id profile 163 portal max-user 163 portal roaming enable 164 portal server 165 portal user-detect 166 portal web-server 167 reset portal packet statistics 168 server-detect (portal authentication server view) 168 server-detect (portal Web server view) 169 url 170 url-parameter 171 user-sync 172 Port security commands 174 display port-security 174 display port-security mac-address block 176 display port-security mac-address security 178 port-security authorization ignore 179 port-security authorization-fail offline 180 port-security enable 181 port-security intrusion-mode 182 port-security mac-address aging-type inactivity 182 port-security mac-address dynamic 183 port-security mac-address security 184 port-security mac-move permit 186 port-security max-mac-count 186 port-security nas-id-profile 187 port-security ntk-mode 188 port-security oui 189 port-security port-mode 190 port-security timer autolearn aging 192 port-security timer disableport 193 Password control commands 195 display password-control 195 display password-control blacklist 196 password-control { aging composition history length } enable 197 password-control aging 198 password-control alert-before-expire 200 password-control complexity 200 password-control composition 201 password-control enable 203 password-control expired-user-login 204 password-control history 205 password-control length 206 password-control login idle-time 207 password-control login-attempt 208 password-control super aging 210 password-control super composition 210 password-control super length 211 iv
7 password-control update-interval 212 reset password-control blacklist 213 reset password-control history-record 213 Public key management commands 215 display public-key local public 215 display public-key peer 219 peer-public-key end 220 public-key local create 221 public-key local destroy 225 public-key local export dsa 226 public-key local export ecdsa 228 public-key local export rsa 229 public-key peer 231 public-key peer import sshkey 232 PKI commands 234 attribute 234 ca identifier 235 certificate request entity 236 certificate request from 237 certificate request mode 238 certificate request polling 239 certificate request url 240 common-name 240 country 241 crl check 241 crl url 242 display pki certificate access-control-policy 243 display pki certificate attribute-group 244 display pki certificate domain 245 display pki certificate request-status 250 display pki crl 251 fqdn 253 ip 253 ldap-server 254 locality 255 organization 255 organization-unit 256 pki abort-certificate-request 257 pki certificate access-control-policy 257 pki certificate attribute-group 258 pki delete-certificate 259 pki domain 260 pki entity 261 pki export 261 pki import 268 pki request-certificate 272 pki retrieve-certificate 274 pki retrieve-crl 275 pki storage 276 pki validate-certificate 276 public-key dsa 278 public-key rsa 279 root-certificate fingerprint 281 v
8 rule 282 source 283 state 284 usage 285 IPsec commands 287 ah authentication-algorithm 287 description 288 display ipsec { ipv6-policy policy } 288 display ipsec { ipv6-policy-template policy-template } 293 display ipsec profile 295 display ipsec sa 296 display ipsec statistics 299 display ipsec transform-set 301 display ipsec tunnel 302 encapsulation-mode 305 esp authentication-algorithm 306 esp encryption-algorithm 307 ike-profile 308 ipsec anti-replay check 309 ipsec anti-replay window 309 ipsec apply 310 ipsec decrypt-check enable 311 ipsec logging packet enable 311 ipsec df-bit 312 ipsec global-df-bit 313 ipsec { ipv6-policy policy } 314 ipsec { ipv6-policy policy } isakmp template 315 ipsec { ipv6-policy policy } local-address 316 ipsec { ipv6-policy-template policy-template } policy-template 317 ipsec profile 318 ipsec redundancy enable 319 ipsec sa global-duration 319 ipsec sa idle-time 320 ipsec transform-set 321 local-address 322 pfs 322 protocol 323 qos pre-classify 324 redundancy replay-interval 325 remote-address 326 reset ipsec sa 327 reset ipsec statistics 328 sa duration 329 sa hex-key authentication 330 sa hex-key encryption 331 sa idle-time 332 sa spi 333 sa string-key 334 security acl 335 snmp-agent trap enable ipsec 336 transform-set 338 IKE commands 339 authentication-algorithm 339 vi
9 authentication-method 340 certificate domain 341 dh 342 display ike proposal 343 display ike sa 344 dpd 347 encryption-algorithm 348 exchange-mode 349 ike dpd 349 ike identity 350 ike invalid-spi-recovery enable 352 ike keepalive interval 352 ike keepalive timeout 353 ike keychain 354 ike limit 354 ike nat-keepalive 355 ike profile 356 ike proposal 356 ike signature-identity from-certificate 357 keychain 358 local-identity 359 match local address (IKE keychain view) 360 match local address (IKE profile view) 361 match remote 362 pre-shared-key 363 priority (IKE keychain view) 364 priority (IKE profile view) 365 proposal 366 reset ike sa 366 reset ike statistics 367 sa duration 368 snmp-agent trap enable ike 368 SSH commands 371 SSH server commands 371 display ssh server 371 display ssh user-information 372 scp server enable 374 sftp server enable 374 sftp server idle-timeout 375 ssh server acl 375 ssh server authentication-retries 376 ssh server authentication-timeout 377 ssh server compatible-ssh1x enable 378 ssh server dscp 378 ssh server enable 379 ssh server ipv6 acl 379 ssh server ipv6 dscp 380 ssh server rekey-interval 381 ssh user 382 SSH client commands 384 bye 384 cd 385 cdup 385 delete 386 vii
10 dir 386 display sftp client source 387 display ssh client source 388 exit 388 get 389 help 389 ls 390 mkdir 391 put 391 pwd 392 quit 392 remove 393 rename 393 rmdir 394 scp 394 scp ipv6 396 sftp 398 sftp client ipv6 source 400 sftp client source 401 sftp ipv6 402 ssh client ipv6 source 404 ssh client source 404 ssh2 405 ssh2 ipv6 407 SSL commands 410 SSL server policy configuration commands 410 ciphersuite 410 client-verify enable 412 display ssl server-policy 412 pki-domain (SSL server policy view) 413 session cachesize 414 ssl server-policy 414 SSL client policy configuration commands 415 display ssl client-policy 415 pki-domain (SSL client policy view) 416 prefer-cipher 416 server-verify enable 418 ssl client-policy 419 version 420 IP source guard commands 421 display ip source binding 421 display ipv6 source binding 422 ip source binding (interface view) 423 ip source binding (system view) 424 ip verify source 425 ipv6 source binding (interface view) 426 ipv6 source binding (system view) 427 ipv6 verify source 428 ARP attack protection commands 429 Unresolvable IP attack protection commands 429 arp resolving-route enable 429 arp resolving-route probe-count 429 arp resolving-route probe-interval 430 viii
11 arp source-suppression enable 430 arp source-suppression limit 431 display arp source-suppression 432 ARP packet rate limit commands 432 arp rate-limit 432 arp rate-limit log enable 433 arp rate-limit log interval 434 snmp-agent trap enable arp 434 Source MAC-based ARP attack detection commands 435 arp source-mac 435 arp source-mac aging-time 436 arp source-mac exclude-mac 436 arp source-mac threshold 437 display arp source-mac 438 ARP packet source MAC consistency check commands 438 arp valid-check enable 438 ARP active acknowledgement commands 439 arp active-ack enable 439 Authorized ARP commands 440 arp authorized enable 440 ARP detection commands 440 arp detection enable 440 arp detection rule 441 arp detection trust 442 arp detection validate 442 arp restricted-forwarding enable 443 display arp detection 443 display arp detection statistics 444 reset arp detection statistics 445 ARP scanning and fixed ARP commands 445 arp fixup 445 arp scan 446 ARP gateway protection commands 447 arp filter source 447 ARP filtering commands 448 arp filter binding 448 MFF commands 449 display mac-forced-forwarding interface 449 display mac-forced-forwarding vlan 450 mac-forced-forwarding 450 mac-forced-forwarding gateway probe 451 mac-forced-forwarding network-port 452 mac-forced-forwarding server 453 Crypto engine commands 455 display crypto-engine 455 display crypto-engine statistics 456 reset crypto-engine statistics 457 FIPS commands 458 display fips status 458 fips mode enable 458 fips self-test 460 ix
12 User profile commands 462 display user-profile 462 user-profile 463 Attack detection and prevention commands 464 attack-defense tcp fragment enable 464 ND attack defense commands 465 ipv6 nd check log enable 465 ipv6 nd mac-check enable 465 Support and other resources 467 Contacting HP 467 Subscription service 467 Related information 467 Documents 467 Websites 467 Conventions 468 Index 470 x
13 AAA commands The device supports the FIPS mode that complies with NIST FIPS requirements. Support for features, commands, and parameters might differ in FIPS mode and non-fips mode. For more information about FIPS mode, see Security Configuration Guide. General AAA commands aaa nas-id profile Use aaa nas-id profile to create a NAS-ID profile and enter NAS-ID profile view. Use undo aaa nas-id profile to remove a NAS-ID profile. aaa nas-id profile profile-name undo aaa nas-id profile profile-name No NAS-ID profile exists. System view profile-name: Specifies the NAS-ID profile name, a case-insensitive string of 1 to 31 characters. Configure a NAS-ID profile to maintain NAS-ID and VLAN bindings on the device. # Create a NAS-ID profile named aaa. [Sysname] aaa nas-id profile aaa [Sysname-nas-id-prof-aaa] nas-id bind vlan port-security nas-id-profile portal nas-id-profile 1
14 aaa session-limit Use aaa session-limit to set the maximum number of concurrent users who can log on to the device through the specified method. Use undo aaa session-limit to restore the default maximum number of concurrent users for the specified login method. In non-fips mode: aaa session-limit { ftp http https ssh telnet } max-sessions undo aaa session-limit { ftp http https ssh telnet } In FIPS mode: aaa session-limit { https ssh } max-sessions undo aaa session-limit { https ssh } The maximum number of concurrent users is 32 for each user type. System view ftp: FTP users. http: HTTP users. https: HTTPS users. ssh: SSH users. telnet: Telnet users. max-sessions: Specifies the maximum number of concurrent login users, in the range of 1 to 32. After the maximum number of concurrent login users for a user type exceeds the upper limit, the system denies the subsequent users of this type. # Set the maximum number of concurrent FTP users to 4. [Sysname] aaa session-limit ftp 4 accounting command Use accounting command to specify the command line accounting method. Use undo accounting command to restore the default. 2
15 accounting command hwtacacs-scheme hwtacacs-scheme-name undo accounting command The default accounting method of the ISP domain is used for command line accounting. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. The command line accounting feature works with the accounting server to record all commands that have been successfully executed on the device. Command line accounting can use only a remote HWTACACS server. # In ISP domain test, perform command line accounting based on HWTACACS scheme hwtac. [Sysname] domain test [Sysname-isp-test] accounting command hwtacacs-scheme hwtac accounting default command accounting (Fundamentals Command Reference) hwtacacs scheme accounting default Use accounting default to specify the default accounting method for an ISP domain. Use undo accounting default to restore the default. In non-fips mode: accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] local [ none ] none radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] } undo accounting default In FIPS mode: accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] local radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] } 3
16 undo accounting default The default accounting method of an ISP domain is local. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local accounting. none: Does not perform accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. The default accounting method is used for all users who support this method and do not have an accounting method configured. Local accounting is only used for monitoring and controlling the number of local user connections. It does not provide the statistics function that the accounting feature generally provides. You can specify one primary default accounting method and multiple backup default accounting methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting default radius-scheme radius-scheme-name local none command specifies the primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid. # In ISP domain test, use RADIUS scheme rd as the primary default accounting method and use local accounting as the backup. [Sysname] domain test [Sysname-isp-test] accounting default radius-scheme rd local hwtacacs scheme local-user radius scheme accounting lan-access Use accounting lan-access to configure the accounting method for LAN users. 4
17 Use undo accounting lan-access to restore the default. In non-fips mode: accounting lan-access { local [ none ] none radius-scheme radius-scheme-name [ local ] [ none ] } undo accounting lan-access In FIPS mode: accounting lan-access { local radius-scheme radius-scheme-name [ local ] } undo accounting lan-access The default accounting method for the ISP domain is used for LAN users. ISP domain view local: Performs local accounting. none: Does not perform accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. You can specify one primary accounting method and multiple backup accounting methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid. # In ISP domain test, perform local accounting for LAN users. [Sysname] domain test [Sysname-isp-test] accounting lan-access local # In ISP domain test, perform RADIUS accounting for LAN users based on scheme rd and use local accounting as the backup. [Sysname] domain test [Sysname-isp-test] accounting lan-access radius-scheme rd local accounting default local-user radius scheme 5
18 accounting login Use accounting login to specify the accounting method for login users. Use undo accounting login to restore the default. In non-fips mode: accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] local [ none ] none radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] } undo accounting login In FIPS mode: accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] local radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] } undo accounting login The default accounting method of the ISP domain is used for login users. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local accounting. none: Does not perform accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Accounting is not supported for FTP, SFTP, and SCP users. You can specify one primary accounting method and multiple backup accounting methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting login radius-scheme radius-scheme-name local none command specifies a primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid. # In ISP domain test, perform local accounting for login users. 6
19 [Sysname] domain test [Sysname-isp-test] accounting login local # In ISP domain test, perform RADIUS accounting for login users based on scheme rd and use local accounting as the backup. [Sysname] domain test [Sysname-isp-test] accounting login radius-scheme rd local accounting default hwtacacs scheme local-user radius scheme accounting portal Use accounting portal to specify the accounting method for portal users. Use undo accounting portal to restore the default. In non-fips mode: accounting portal { local [ none ] none radius-scheme radius-scheme-name [ local ] [ none ] } undo accounting portal In FIPS mode: accounting portal { local radius-scheme radius-scheme-name [ local ] } undo accounting portal The default accounting method of the ISP domain is used for portal users. ISP domain view local: Performs local accounting. none: Does not perform accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. You can specify one primary accounting method and multiple backup accounting methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting portal radius-scheme radius-scheme-name local none command specifies a 7
20 primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid. # In ISP domain test, perform local accounting for portal users. [Sysname] domain test [Sysname-isp-test] accounting portal local # In ISP domain test, perform RADIUS accounting for portal users based on scheme rd and use local accounting as the backup. [Sysname] domain test [Sysname-isp-test] accounting portal radius-scheme rd local accounting default local-user radius schem authentication default Use authentication default to specify the default authentication method for an ISP domain. Use undo authentication default to restore the default. In non-fips mode: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] ldap-scheme ldap-scheme-name [ local ] [ none ] local [ none ] none radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] } undo authentication default In FIPS mode: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] ldap-scheme ldap-scheme-name [ local ] local radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] } undo authentication default The default authentication method of an ISP domain is local. ISP domain view 8
21 hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authentication. none: Does not perform authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. The default authentication method is used for all users who support this method and do not have an authentication method configured. You can specify one primary default authentication method and multiple backup default authentication methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication default radius-scheme radius-scheme-name local none command specifies a primary default RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid. # In ISP domain test, use RADIUS scheme rd as the primary default authentication method and use local authentication as the backup. [Sysname] domain test [Sysname-isp-test] authentication default radius-scheme rd local hwtacacs scheme ldap scheme local-user radius scheme authentication lan-access Use authentication lan-access to configure the authentication method for LAN users. Use undo authentication lan-access to restore the default. In non-fips mode: authentication lan-access { ldap-scheme ldap-scheme-name [ local ] [ none ] local [ none ] none radius-scheme radius-scheme-name [ local ] [ none ] } undo authentication lan-access 9
22 In FIPS mode: authentication lan-access { ldap-scheme ldap-scheme-name [ local ] local radius-scheme radius-scheme-name [ local ] } undo authentication lan-access The default authentication method for the ISP domain is used for LAN users. ISP domain view ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authentication. none: Does not perform authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. You can specify one primary authentication method and multiple backup authentication methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid. # In ISP domain test, perform local authentication for LAN users. [Sysname] domain test [Sysname-isp-test] authentication lan-access local # In ISP domain test, perform RADIUS authentication for LAN users based on scheme rd and use local authentication as the backup. [Sysname] domain test [Sysname-isp-test] authentication lan-access radius-scheme rd local authentication default hwtacacs scheme ldap scheme local-user radius scheme 10
23 authentication login Use authentication login to specify the authentication method for login users. Use undo authentication login to restore the default. In non-fips mode: authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] ldap-scheme ldap-scheme-name [ local ] [ none ] local [ none ] none radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] } undo authentication login In FIPS mode: authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] ldap-scheme ldap-scheme-name [ local ] local radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] } undo authentication login The default authentication method of the ISP is used for login users. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authentication. none: Does not perform authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. You can specify one primary authentication method and multiple backup authentication methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies the default primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid. # In ISP domain test, perform local authentication for login users. 11
24 [Sysname] domain test [Sysname-isp-test] authentication login local # In ISP domain test, perform RADIUS authentication for login users based on scheme rd and use local authentication as the backup. [Sysname] domain test [Sysname-isp-test] authentication login radius-scheme rd local authentication default hwtacacs scheme ldap scheme local-user radius scheme authentication portal Use authentication portal to specify the authentication method for portal users. Use undo authentication portal to restore the default. In non-fips mode: authentication portal { ldap-scheme ldap-scheme-name [ local ] [ none ] local [ none ] none radius-scheme radius-scheme-name [ local ] [ none ] } undo authentication portal In FIPS mode: authentication portal { ldap-scheme ldap-scheme-name [ local ] local radius-scheme radius-scheme-name [ local ] } undo authentication portal The default authentication method of the ISP is used for portal users. ISP domain view ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authentication. none: Does not perform authentication. 12
25 radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. You can specify one primary authentication method and multiple backup authentication methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication portal radius-scheme radius-scheme-name local none command specifies the default primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid. # In ISP domain test, perform local authentication for portal users. [Sysname] domain test [Sysname-isp-test] authentication portal local # In ISP domain test, perform RADIUS authentication for portal users based on scheme rd and use local authentication as the backup. [Sysname] domain test [Sysname-isp-test] authentication portal radius-scheme rd local authentication default ldap scheme local-user radius scheme authentication super Use authentication super to specify a method for user role authentication. Use undo authentication super to restore the default. authentication super { hwtacacs-scheme hwtacacs-scheme-name radius-scheme radius-scheme-name } * undo authentication super The default authentication method of the ISP domain is used for user role authentication. ISP domain view 13
26 hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. You can specify one authentication method and one backup authentication method to use in case that the previous authentication method is invalid. If you specify a scheme to provide the method for user role authentication, the method applies only to users whose user role is in the format of level-n. If an HWTACACS scheme is specified, the device uses the entered username for role authentication. The username must already exist on the HWTACACS server to represent the highest user level that a user can obtain. For example, to obtain a level-3 user role whose username is test, the device uses the test@domain-name or test string for role authentication, depending on whether the domain name is required. If a RADIUS scheme is specified, the device uses the username $enabn$ on the RADIUS server for role authentication of any usernames. The variable n has the same value as the level of the target user role. For example, to obtain a level-3 user role, the device uses the $enab3$@domain-name or $enab3$ string, depending on whether the domain name is required. # In ISP domain test, perform user role authentication based on HWTACACS scheme tac. [Sysname] super authentication-mode scheme [Sysname] domain test [Sysname-domain-test] authentication super hwtacacs-scheme tac authentication default hwtacacs scheme radius scheme authorization command Use authorization command to specify the command authorization method. Use undo authorization command to restore the default. In non-fips mode: authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] local [ none ] none } undo authorization command In FIPS mode: authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] local } undo authorization command 14
27 The default authorization method of the ISP domain is used for command authorization. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform authorization. The authorization server does not verify whether the entered commands are permitted by the user role. The commands are executed successfully if the user role has permission to the commands. Command authorization restricts login users to execute only authorized commands by employing an authorization server to verify whether or not each entered command is permitted. The commands that can be executed are controlled by both the access permission of user roles and command authorization of the authorization server. Access permission only controls whether the authorized user roles have access to the entered commands, but it does not control whether the user roles have obtained authorization to these commands. If a command is permitted by the access permission but denied by command authorization, this command cannot be executed. When local command authorization is configured, the device compares each entered command with the user's configuration on the device. The command is executed only when it is permitted by the user's authorized user roles. You can specify one primary command authorization method and multiple backup command authorization methods. When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization command hwtacacs-scheme hwtacacs-scheme-name local none command specifies the default HWTACACS authorization method and two backup methods (local authorization and no authorization). The device performs HWTACACS authorization by default and performs local authorization when the HWTACACS server is invalid. The device does not perform command authorization when both of the previous methods are invalid. # In ISP domain test, configure the device to perform local command authorization. [Sysname] domain test [Sysname-isp-test] authorization command local # In ISP domain test, perform command authorization based on HWTACACS scheme hwtac and use local authorization as the backup. [Sysname] domain test [Sysname-isp-test] authorization command hwtacacs-scheme hwtac local 15
28 authorization accounting (Fundamentals Command Reference) hwtacacs scheme local-user authorization default Use authorization default to specify the default authorization method for an ISP domain. Use undo authorization default to restore the default. In non-fips mode: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] local [ none ] none radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] } undo authorization default In FIPS mode: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] local radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] } undo authorization default The default authorization method of an ISP domain is local. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform authorization. The following default authorization information applies after users pass authentication: Non-login users can access the network. Login users are assigned the default user role. For more information about the default user role feature, see Fundamentals Configuration Guide. FTP, SFTP, and SCP login users also have the root directory of the NAS set as the working directory. However, the users do not have permission to access the root directory. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. 16
29 The default authorization method is used for all users who support this method and do not have an authorization method configured. The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme. You can specify one primary default authorization method and multiple backup default authorization methods. When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization default radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid. # In ISP domain test, use RADIUS scheme rd as the primary default authorization method and use local authorization as the backup. [Sysname] domain test [Sysname-isp-test] authorization default radius-scheme rd local hwtacacs scheme local-user radius scheme authorization lan-access Use authorization lan-access to configure the authorization method for LAN users. Use undo authorization lan-access to restore the default. In non-fips mode: authorization lan-access { local [ none ] none radius-scheme radius-scheme-name [ local ] [ none ] } undo authorization lan-access In FIPS mode: authorization lan-access { local radius-scheme radius-scheme-name [ local ] } undo authorization lan-access The default authorization method for the ISP domain is used for LAN users. ISP domain view 17
30 local: Performs local authorization. none: Does not perform authorization. An authenticated LAN user directly accesses the network. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. The RADIUS authorization configuration takes effect only when authentication and authorization methods of the ISP domain use the same RADIUS scheme. You can specify one primary authorization method and multiple backup authorization methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid. # In ISP domain test, perform local authorization for LAN users. [Sysname] domain test [Sysname-isp-test] authorization lan-access local # In ISP domain test, perform RADIUS authorization for LAN users based on scheme rd and use local authorization as the backup. [Sysname] domain test [Sysname-isp-test] authorization lan-access radius-scheme rd local authorization default local-user radius scheme authorization login Use authorization login to configure the authorization method for login users. Use undo authorization login to restore the default. In non-fips mode: authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] local [ none ] none radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] } undo authorization login In FIPS mode: 18
31 authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] local radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] } undo authorization login The default authorization method of the ISP domain is used for login users. ISP domain view hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform authorization. The following default authorization information applies after users pass authentication: Login users are assigned the default user role. For more information about the default user role feature, see Fundamentals Configuration Guide. FTP, SFTP, and SCP login users also have the root directory of the NAS set as the working directory. However, the users do not have permission to access the root directory. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme. You can specify one primary authorization method and multiple backup authorization methods. When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization login radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid. # In ISP domain test, perform local authorization for login users. [Sysname] domain test [Sysname-isp-test] authorization login local # In ISP domain test, perform RADIUS authorization for login users based on scheme rd and use local authorization as the backup. [Sysname] domain test [Sysname-isp-test] authorization login radius-scheme rd local 19
32 authorization default hwtacacs scheme local-user radius scheme authorization portal Use authorization portal to configure the authorization method for portal users. Use undo authorization portal to restore the default. In non-fips mode: authorization portal { local [ none ] none radius-scheme radius-scheme-name [ local ] [ none ] } undo authorization portal In FIPS mode: authorization portal { local radius-scheme radius-scheme-name [ local ] } undo authorization portal The default authorization method of the ISP domain is used for portal users. ISP domain view local: Performs local authorization. none: Does not perform authorization. An authenticated portal user directly accesses the network. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme. You can specify one primary authorization method and multiple backup authorization methods. When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization portal radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid. 20
33 # In ISP domain test, perform local authorization for portal users. [Sysname] domain test [Sysname-isp-test] authorization portal local # In ISP domain test, perform RADIUS authorization for portal users based on scheme rd and use local authorization as the backup. [Sysname] domain test [Sysname-isp-test] authorization portal radius-scheme rd local authorization default local-user radius scheme authorization-attribute (ISP domain view) Use authorization-attribute to specify an authorization user profile for users in an ISP domain. Use undo authorization-attribute to restore the default. authorization-attribute user-profile profile-name undo authorization-attribute user-profile No user profile is specified for users in the ISP domain. ISP domain view user-profile profile-name: Specifies an authorization user profile. The profile-name argument is a case-sensitive string of 1 to 31 characters. The name can contain only letters, digits, and underscores (_), and it must start with a letter. If the server or NAS does not authorize a user profile to an authenticated user, the device assigns the authorization user profile in the ISP domain to the user. If you execute the command multiple times, the most recent configuration takes effect. # Specify user profile profile1 for users in ISP domain test. [Sysname] domain test [Sysname-isp-test] authorization-attribute user-profile profile1 21
34 display domain display domain Use display domain to display the ISP domain configuration. display domain [ isp-name ] Any view network-operator isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 24 characters. If you do not specify an ISP domain, this command displays the configuration of all ISP domains. # Display the configuration of all ISP domains. <Sysname> display domain Total 2 domain(s) Domain: system State: Active default Authentication Scheme: local default Authorization Scheme: local default Accounting Scheme: local Authorization attributes : Idle-cut : Disable Domain: dm State: Active login Authentication Scheme: radius: rad login Authorization Scheme: tacacs: hw default Authentication Scheme: radius: rad, local, none default Authorization Scheme: local default Accounting Scheme: none Authorization attributes : Idle-cut : Disable User profile: test Domain Name: system 22
35 Table 1 Command output Field Domain State default Authentication Scheme default Authorization Scheme default Accounting Scheme login Authentication Scheme login Authorization Scheme login Accounting Scheme Authorization attributes Idle-cut Idle Timeout Flow radius tacacs ldap local none Command Authorization Scheme Command Accounting Scheme Super Authentication Scheme User profile Description ISP domain name. Status of the ISP domain. authentication method. authorization method. accounting method. Authentication method for login users. Authorization method for login users. Accounting method for login users. Authorization attributes for users in the ISP domain. Idle cut function status: Disable The function is disabled. It is the default idle cut state. Idle timeout period, in minutes. Minimum traffic that a login user must generate in an idle cut period, in bytes. RADIUS scheme. HWTACACS scheme. LDAP scheme. Local scheme. No authentication, no authorization, or no accounting. Command line authorization method. Command line accounting method. Authentication method for obtaining a temporary user role. Name of the authorization user profile. domain Use domain to create an ISP domain and enter ISP domain view. Use undo domain to remove an ISP domain. domain isp-name undo domain isp-name There is a system-defined ISP domain named system. System view 23
HP 5920 & 5900 Switch Series
HP 5920 & 5900 Switch Series Security Command Reference Part number: 5998-2887 Software version: Release2208 Document version: 6W100-20130228 Legal and notice information Copyright 2013 Hewlett-Packard
HP Unified Wired-WLAN Products
HP Unified Wired-WLAN Products Security Command Reference HP 830 Unified Wired-WLAN PoE+ Switch Series HP 850 Unified Wired-WLAN Appliance HP 870 Unified Wired-WLAN Appliance HP 11900/10500/7500 20G Unified
H3C S12500 Series Routing Switches
H3C S12500 Series Routing Switches Security Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: S12500-CMW710-R7128 Document version: 6W710-20121130 Copyright 2012,
H3C S5830V2 & S5820V2 Switch Series
H3C S5830V2 & S5820V2 Switch Series Security Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release2108 Document version: 6W101-20120531 Copyright 2012, Hangzhou
Contents. Configuring SSH 1
Contents Configuring SSH 1 Overview 1 How SSH works 1 SSH authentication methods 2 SSH support for Suite B 3 FIPS compliance 3 Configuring the device as an SSH server 4 SSH server configuration task list
HP 5120 SI Switch Series
HP 5120 SI Switch Series Security Configuration Guide Part number: 5998-1815 Software version: Release 1505 Document version: 6W102-20121111 Legal and notice information Copyright 2012 Hewlett-Packard
HP Unified Wired-WLAN Products
HP Unified Wired-WLAN Products Security Configuration Guide HP 830 Unified Wired-WLAN PoE+ Switch Series HP 850 Unified Wired-WLAN Appliance HP 870 Unified Wired-WLAN Appliance HP 11900/10500/7500 20G
HP A5820X & A5800 Switch Series Security. Configuration Guide. Abstract
HP A5820X & A5800 Switch Series Security Configuration Guide Abstract This document describes the software features for the HP A Series products and guides you through the software configuration procedures.
HP 6125 Blade Switch Series
HP 6125 Blade Switch Series About the HP 6125 Blade Command s Part number: 5998-3163 Software version: Release 2103 Document version: 6W100-20120907 Legal and notice information Copyright 2012 Hewlett-Packard
Appendix A Command Index
Appendix A Command Index The command index includes all the commands in the Command Manual, which are arranged alphabetically. A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A aaa nas-id profile 21-AAA
HP 6125 Blade Switch Series
HP 6125 Blade Switch Series About the HP 6125 Blade s Part number: 5998-3152 Software version: Release 2103 Document version: 6W100-20120907 Legal and notice information Copyright 2012 Hewlett-Packard
About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified Wired-WLAN Module
About the HP 830 Series Switch and HP 10500/7500 20G Unified Module s Part number: 5998-3903 Software version: 3308P29 (HP 830 Series Switch) 2308P29 (HP 10500/7500 20G Unified Module) Document version:
HP Load Balancing Module
HP Load Balancing Module Load Balancing Configuration Guide Part number: 5998-4218 Software version: Feature 3221 Document version: 6PW100-20130326 Legal and notice information Copyright 2013 Hewlett-Packard
HP Unified Wired-WLAN Products
HP Unified Wired-WLAN Products WLAN Configuration Guide HP 830 Unified Wired-WLAN PoE+ Switch Series HP 850 Unified Wired-WLAN Appliance HP 870 Unified Wired-WLAN Appliance HP 11900/10500/7500 20G Unified
About the Configuration Guides for HP Unified
About the Configuration Guides for HP Unified Wired-W Products HP 830 Unified Wired-W PoE+ Switch Series HP 850 Unified Wired-W Appliance HP 870 Unified Wired-W Appliance HP 11900/10500/7500 20G Unified
HP 6125G & 6125G/XG Blade Switches
HP 6125G & 6125G/XG Blade Switches Network Management and Monitoring Configuration Guide Part number: 5998-3162b Software version: Release 2103 and later Document version: 6W103-20151020 Legal and notice
HP High-End Firewalls
HP High-End Firewalls Access Control Configuration Guide Part number: 5998-2648 Software version: F1000-A-EI&F1000-S-EI: R3721 F5000: F3210 F1000-E: F3171 Firewall module: F3171 Document version: 6PW101-20120719
HP 6125 Blade Switch Series
HP 6125 Blade Switch Series Network Management and Monitoring Configuration Guide Part number: 5998-3162 Software version: Release 2103 Document version: 6W100-20120907 Legal and notice information Copyright
HP VSR1000 Virtual Services Router
HP VSR1000 Virtual Services Router Layer 2 - WAN Access Configuration Guide Part number: 5998-6023 Software version: VSR1000_HP-CMW710-R0202-X64 Document version: 6W100-20140418 Legal and notice information
HP 3600 v2 Switch Series
HP 3600 v2 Switch Series Layer 3 - IP Services Configuration Guide Part number: 5998-2351 Software version: Release 2108P01 Document version: 6W100-20131130 Legal and notice information Copyright 2013
HP Load Balancing Module
HP Load Balancing Module System Management Configuration Guide Part number: 5998-4216 Software version: Feature 3221 Document version: 6PW100-20130326 Legal and notice information Copyright 2013 Hewlett-Packard
HP 5820X & 5800 Switch Series Network Management and Monitoring. Configuration Guide. Abstract
HP 5820X & 5800 Switch Series Network Management and Monitoring Configuration Guide Abstract This document describes the software features for the HP 5820X & 5800 Series products and guides you through
HP 5120 SI Switch Series
HP 5120 SI Switch Series Network Management and Monitoring Configuration Guide Part number: 5998-1813 Software version: Release 1505 Document version: 6W102-20121111 Legal and notice information Copyright
HP Load Balancing Module
HP Load Balancing Module Security Configuration Guide Part number: 5998-2686 Document version: 6PW101-20120217 Legal and notice information Copyright 2012 Hewlett-Packard Development Company, L.P. No part
Table of Contents. 4 System Guard Configuration 4-1 System Guard Overview 4-1 Guard Against IP Attacks 4-1 Guard Against TCN Attacks 4-1
Table of Contents 1 802.1x Configuration 1-1 Introduction to 802.1x 1-1 Architecture of 802.1x Authentication 1-1 The Mechanism of an 802.1x Authentication System 1-3 Encapsulation of EAPoL Messages 1-3
Appendix A Command Index A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
The command index includes all the commands in the VRP Command Manual, which are arranged alphabetically. A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A access-limit 1-1 accounting QoS 2-1 accounting
HP A5500 EI & A5500 SI Switch Series Network Management and Monitoring. Configuration Guide. Abstract
HP A5500 EI & A5500 SI Switch Series Network Management and Monitoring Configuration Guide Abstract This document describes the software features for the HP A Series products and guides you through the
HP 830 Series PoE+ Unified Wired-WLAN Switch Switching Engine
HP 830 Series PoE+ Unified Wired-WLAN Switch Switching Engine Network Management and Monitoring Configuration Guide Part number: 5998-3936 Software version: 3308P26 Document version: 6W101-20130628 Legal
HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls
HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls VPN Configuration Guide Part number:5998-2652 Document version: 6PW100-20110909 Legal and notice information Copyright 2011 Hewlett-Packard Development Company,
Appendix A Command Index A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
The command index includes all the commands in the Comware Command Manual, which are arranged alphabetically. A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A access-limit accounting accounting optional
HP Firewalls and UTM Devices
HP Firewalls and UTM Devices Access Control Command Reference Part number: 5998-4175 Software version: F1000-A-EI: Feature 3722 F1000-S-EI: Feature 3722 F5000: Feature 3211 F1000-E: Feature 3174 Firewall
About the HP MSR Router Series
About the HP MSR Router Series Command (V7) Part number: 5998-7731b Software version: CMW710-R0304 Document version: 6PW104-20150914 Legal and notice information Copyright 2015 Hewlett-Packard Development
HP FlexFabric 5930 Switch Series
HP FlexFabric 5930 Switch Series Layer 3 IP Services Command Reference Part number: 5998-4568 Software version: Release 2406 & Release 2407P01 Document version: 6W101-20140404 Legal and notice information
Operation Manual Security. Table of Contents
Table of Contents Table of Contents Chapter 1 802.1x Configuration... 1-1 1.1 802.1x Overview... 1-1 1.1.1 802.1x Standard Overview... 1-1 1.1.2 802.1x System Architecture... 1-1 1.1.3 802.1x Authentication
HP 6125 Blade Switch Series
HP 6125 Blade Switch Series Layer 3 - IP Services Configuration Guide Part number: 5998-3156 Software version: Release 2103 Document version: 6W100-20120907 Legal and notice information Copyright 2012
HP 5920 & 5900 Switch Series
HP 5920 & 5900 Switch Series Network Management and Monitoring Configuration Guide Part number: 5998-2900 Software version: Release 2210 Document version: 6W100-20131105 Legal and notice information Copyright
Configuring ARP attack protection 1
Contents Configuring ARP attack protection 1 ARP attack protection configuration task list 1 Configuring unresolvable IP attack protection 1 Configuring ARP source suppression 2 Configuring ARP blackhole
HP Load Balancing Module
HP Load Balancing Module High Availability Configuration Guide Part number: 5998-2687 Document version: 6PW101-20120217 Legal and notice information Copyright 2012 Hewlett-Packard Development Company,
Operation Manual AAA RADIUS HWTACACS H3C S5500-EI Series Ethernet Switches. Table of Contents
Table of Contents Table of Contents... 1-1 1.1 AAA/RADIUS/HWTACACS Over... 1-1 1.1.1 Introduction to AAA... 1-1 1.1.2 Introduction to RADIUS... 1-3 1.1.3 Introduction to HWTACACS... 1-9 1.1.4 Protocols
HPE FlexFabric 5950 Switch Series
HPE FlexFabric 5950 Switch Series About the HPE FlexFabric 5950 Configuration Guides Part number: 5200-0808 Software version: Release 6106 and later Document version: 6W100-20160513 Copyright 2016 Hewlett
HP 5120 SI Switch Series
HP 5120 SI Switch Series Layer 2 - LAN Switching Configuration Guide Part number: 5998-1807 Software version: Release 1513 Document version: 6W100-20130830 Legal and notice information Copyright 2013 Hewlett-Packard
Table of Contents 1 AAA Overview AAA Configuration 2-1
Table of Contents 1 AAA Overview 1-1 Introduction to AAA 1-1 Authentication 1-1 Authorization 1-1 Accounting 1-2 Introduction to ISP Domain 1-2 Introduction to AAA Services 1-3 Introduction to RADIUS 1-3
Controlled/uncontrolled port and port authorization status
Contents 802.1X fundamentals 1 802.1X architecture 1 Controlled/uncontrolled port and port authorization status 1 802.1X-related protocols 2 Packet formats 2 EAP over RADIUS 4 Initiating 802.1X authentication
HP VPN Firewall Appliances
HP VPN Firewall Appliances High Availability Configuration Guide Part number: 5998-4169 Software version: F1000-A-EI/F1000-S-EI (Feature 3726) F1000-E (Release 3177) F5000 (Feature 3211) F5000-S/F5000-C
HPE FlexFabric 5950 Switch Series
HPE FlexFabric 5950 Switch Series Security Configuration Guide Part number: 5200-0833 Software version: Release 6106 and later Document version: 6W100-20160513 Copyright 2016 Hewlett Packard Enterprise
Portal configuration commands
Contents Portal configuration commands 1 display portal acl 1 display portal connection statistics 5 display portal free-rule 7 display portal interface 9 display portal-roaming 11 display portal server
HP Routing Switch Series
HP 12500 Routing Switch Series EVI Configuration Guide Part number: 5998-3419 Software version: 12500-CMW710-R7128 Document version: 6W710-20121130 Legal and notice information Copyright 2012 Hewlett-Packard
HP FlexFabric 5930 Switch Series
HP FlexFabric 5930 Switch Series Layer 3 - IP Services Configuration Guide Part number: 5998-4571 Software version: Release 2406 & Release 2407P01 Document version: 6W101-20140404 Legal and notice information
Table of Contents 1 AAA Overview AAA Configuration 2-1
Table of Contents 1 AAA Overview 1-1 Introduction to AAA 1-1 Authentication 1-1 Authorization 1-1 Accounting 1-2 Introduction to ISP Domain 1-2 Introduction to AAA Services 1-2 Introduction to RADIUS 1-2
Operation Manual 802.1x. Table of Contents
Table of Contents Table of Contents... 1-1 1.1 802.1x Overview... 1-1 1.1.1 Architecture of 802.1x... 1-1 1.1.2 Operation of 802.1x... 1-3 1.1.3 EAP Encapsulation over LANs... 1-4 1.1.4 EAP Encapsulation
HP A6600 Routers Network Management and Monitoring. Command Reference. Abstract
HP A6600 Routers Network Management and Monitoring Command Reference Abstract This document describes the commands and command syntax options available for the HP A Series products. This document is intended
HP A3100 v2 Switch Series
HP A3100 v2 Switch Series Layer 3 - IP Services Configuration Guide HP A3100-8 v2 SI Switch (JG221A) HP A3100-16 v2 SI Switch (JG222A) HP A3100-24 v2 SI Switch (JG223A) HP A3100-8 v2 EI Switch (JD318B)
Configuring ARP attack protection 1
Contents Configuring ARP attack protection 1 ARP attack protection configuration task list 1 Configuring unresolvable IP attack protection 1 Configuring ARP source suppression 2 Configuring ARP blackhole
HP A5820X & A5800 Switch Series MPLS. Configuration Guide. Abstract
HP A5820X & A5800 Switch Series MPLS Configuration Guide Abstract This document describes the software features for the HP 5820X & 5800 Series products and guides you through the software configuration
Configuration - Security
Release: Document Revision: 5.3 01.01 www.nortel.com NN46240-600 324564-A Rev01 Release: 5.3 Publication: NN46240-600 Document Revision: 01.01 Document status: Standard Document release date: 30 March
Table of Contents X Configuration 1-1
Table of Contents 1 802.1X Configuration 1-1 802.1X Overview 1-1 Architecture of 802.1X 1-2 Authentication Modes of 802.1X 1-2 Basic Concepts of 802.1X 1-3 EAP over LAN 1-4 EAP over RADIUS 1-5 802.1X Authentication
HP FlexFabric 5930 Switch Series
HP FlexFabric 5930 Switch Series Network Management and Monitoring Configuration Guide Part number: 5998-7772b Software version: Release 241x Document version: 6W102-20171117 Legal and notice information
HP 6125G & 6125G/XG Blade Switches
HP 6125G & 6125G/XG Blade Switches Layer 2 - LAN Switching Configuration Guide Part number:5998-3155a Software version: Release 2103 and later Document version: 6W102-20141218 Legal and notice information
HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls
HP A-F1000-A-EI_A-F1000-S-EI VPN Firewalls NAT Configuration Guide Part number:5998-2649 Document version: 6PW100-20110909 Legal and notice information Copyright 2011 Hewlett-Packard Development Company,
HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified
HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/7500 20G Unified Wired-WLAN Module WLAN Configuration Guide Part number: 5998-3905 Software version: 3308P29 (HP 830 Series PoE+ Unified Wired-WLAN
High Availability Synchronization PAN-OS 5.0.3
High Availability Synchronization PAN-OS 5.0.3 Revision B 2013, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Device Configuration... 4 Network Configuration... 9 Objects Configuration...
H3C SecPath Series Firewalls and UTM Devices
H3C SecPath Series Firewalls and UTM Devices Attack Protection Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: F100 series: ESS 5132 F1000-A-EI: Feature 3722
HP High-End Firewalls
HP High-End Firewalls NAT and ALG Command Reference Part number: 5998-2639 Software version: F1000-E/Firewall module: R3166 F5000-A5: R3206 Document version: 6PW101-20120706 Legal and notice information
HP FlexFabric 5700 Switch Series
HP FlexFabric 5700 Switch Series Layer 3 - IP Routing Configuration Guide Part number: 5998-6688 Software version: Release 2416 Document version: 6W100-20150130 Legal and notice information Copyright 2015
HP 3100 v2 Switch Series
HP 3100 v2 Switch Series ACL and QoS Configuration Guide HP 3100-8 v2 SI Switch (JG221A) HP 3100-16 v2 SI Switch (JG222A) HP 3100-24 v2 SI Switch (JG223A) HP 3100-8 v2 EI Switch (JD318B) HP 3100-16 v2
HP 5920 & 5900 Switch Series
HP 5920 & 5900 Switch Series OpenFlow Command Reference Part number: 5998-4679a Software version: Release 23xx Document version: 6W101-20150320 Legal and notice information Copyright 2015 Hewlett-Packard
HP A3100 v2 Switch Series
HP A3100 v2 Switch Series Layer 2 - LAN Switching Configuration Guide HP A3100-8 v2 SI Switch (JG221A) HP A3100-16 v2 SI Switch (JG222A) HP A3100-24 v2 SI Switch (JG223A) HP A3100-8 v2 EI Switch (JD318B)
Table of Contents 1 IKE 1-1
Table of Contents 1 IKE 1-1 IKE Overview 1-1 Security Mechanism of IKE 1-1 Operation of IKE 1-1 Functions of IKE in IPsec 1-2 Relationship Between IKE and IPsec 1-3 Protocols 1-3 Configuring IKE 1-3 Configuration
HP Load Balancing Module
HP Load Balancing Module System Maintenance Configuration Guide Part number: 5998-4221 Software version: Feature 3221 Document version: 6PW100-20130326 Legal and notice information Copyright 2013 Hewlett-Packard
HP MSR Router Series. EVI Configuration Guide(V7) Part number: b Software version: CMW710-R0304 Document version: 6PW
HP MSR Router Series EVI Configuration Guide(V7) Part number: 5998-7360b Software version: CMW710-R0304 Document version: 6PW104-20150914 Legal and notice information Copyright 2015 Hewlett-Packard Development
Cisco Exam Implementing Cisco Network Security Version: 12.0 [ Total Questions: 186 ]
![Cisco Exam Implementing Cisco Network Security Version: 12.0 [ Total Questions: 186 ]](/thumbs/79/80167168.jpg "Cisco Exam Implementing Cisco Network Security Version: 12.0 [ Total Questions: 186 ]")
s@lm@n Cisco Exam 210-260 Implementing Cisco Network Security Version: 12.0 [ Total Questions: 186 ] Cisco 210-260 : Practice Test Question No : 1 When an IPS detects an attack, which action can the IPS
HP 5120 SI Switch Series
HP 5120 SI Switch Series Layer 3 - IP Services Configuration Guide Part number: 5998-1807 Software version: Release 1513 Document version: 6W100-20130830 Legal and notice information Copyright 2013 Hewlett-Packard
HP High-End Firewalls
HP High-End Firewalls Attack Protection Configuration Guide Part number: 5998-2650 Software version: F1000-A-EI&F1000-S-EI: R3721 F5000: F3210 F1000-E: F3171 Firewall module: F3171 Document version: 6PW101-20120719
HP MSR Router Series. Layer 2 LAN Switching Command Reference(V7)
HP MSR Router Series Layer 2 LAN Switching Command Reference(V7) Part number: 5998-7738b Software version: CMW710-R0304 Document version: 6PW104-20150914 Legal and notice information Copyright 2015 Hewlett-Packard
Fundamentals of Network Security v1.1 Scope and Sequence
Fundamentals of Network Security v1.1 Scope and Sequence Last Updated: September 9, 2003 This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document
CCNA Security 1.0 Student Packet Tracer Manual
1.0 Student Packet Tracer Manual This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and exclusive use by instructors
HP 3600 v2 Switch Series
HP 3600 v2 Switch Series Fundamentals Command Reference Part number: 5998-7608 Software version: Release 2110P02 Document version: 6W100-20150305 Legal and notice information Copyright 2015 Hewlett-Packard
Identity Firewall. About the Identity Firewall
This chapter describes how to configure the ASA for the. About the, on page 1 Guidelines for the, on page 7 Prerequisites for the, on page 9 Configure the, on page 10 Monitoring the, on page 16 History
Table of Contents X Configuration 1-1
Table of Contents 1 802.1X Configuration 1-1 802.1X Overview 1-1 Architecture of 802.1X 1-1 Authentication Modes of 802.1X 1-2 Basic Concepts of 802.1X 1-2 EAP over LAN 1-3 EAP over RADIUS 1-5 802.1X Authentication
Identity-Based Networking Services Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
Identity-Based Networking Services Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) First Published: January 29, 2013 Last Modified: January 29, 2013 Americas Headquarters Cisco Systems,
Table of Contents 1 SSH Configuration 1-1
Table of Contents 1 SSH Configuration 1-1 SSH Overview 1-1 Introduction to SSH 1-1 Algorithm and Key 1-1 Asymmetric Key Algorithm 1-2 SSH Operating Process 1-2 Configuring the SSH Server 1-4 SSH Server
DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0
DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0 i Hangzhou DPtech Technologies Co., Ltd. provides full- range technical support. If you need any
HP 6125XLG Blade Switch
HP 6125XLG Blade Switch Network Management and Monitoring Configuration Guide Part number: 5998-5376a Software version: Release 240x Document version: 6W101-20150515 Legal and notice information Copyright
HP High-End Firewalls
HP High-End Firewalls Attack Protection Configuration Guide Part number: 5998-2630 Software version: F1000-E/Firewall module: R3166 F5000-A5: R3206 Document version: 6PW101-20120706 Legal and notice information
Defining IPsec Networks and Customers
CHAPTER 4 Defining the IPsec Network Elements In this product, a VPN network is a unique group of targets; a target can be a member of only one network. Thus, a VPN network allows a provider to partition
HP FlexFabric 7900 Switch Series
HP FlexFabric 7900 Switch Series MCE Configuration Guide Part number: 5998-6188 Software version: Release 2117 and Release 2118 Document version: 6W100-20140805 Legal and notice information Copyright 2014
DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide. Figure 9-1 Port Security Global Settings window
9. Security DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide Port Security 802.1X AAA RADIUS TACACS IMPB DHCP Server Screening ARP Spoofing Prevention MAC Authentication Web-based
HP 5920 & 5900 Switch Series
HP 5920 & 5900 Switch Series MCE Configuration Guide Part number: 5998-2896 Software version: Release2207 Document version: 6W100-20121130 Legal and notice information Copyright 2012 Hewlett-Packard Development
HP 6125G & 6125G/XG Blade Switches
HP 6125G & 6125G/XG Blade Switches Layer 3 - IP Routing Command Reference Part number: 5998-3168a Software version: Release 2103 and later Document version: 6W102-20141218 Legal and notice information
HP MSR Router Series. Network Management and Monitoring Configuration Guide(V7)
HP MSR Router Series Network Management and Monitoring Configuration Guide(V7) Part number: 5998-7724b Software version: CMW710-R0304 Document version: 6PW104-20150914 Legal and notice information Copyright
HPE FlexNetwork MSR Router Series
HPE FlexNetwork MSR Router Series About the HPE MSR Router Series Configuration Part number: 5998-8821 Software version: CMW710-R0305 Document version: 6PW106-20160308 Copyright 2016 Hewlett Packard Enterprise
HPE FlexNetwork MSR Router Series
HPE FlexNetwork MSR Router Series About the HPE MSR Router Series Command s Part number: 5998-8799 Software version: CMW710-R0305 Document version: 6PW106-20160308 Copyright 2016 Hewlett Packard Enterprise
HP FlexFabric 5930 Switch Series
HP FlexFabric 5930 Switch Series MCE Configuration Guide Part number: 5998-4625 Software version: Release 2406 & Release 2407P01 Document version: 6W101-20140404 Legal and notice information Copyright
Release Notes: Version Operating System
Release Notes: Version 2.0.29 Operating System for the HP ProCurve Wireless Access Point 420 These release notes include information on the following: Downloading access point software and documentation
HP A5830 Switch Series Layer 3 - IP Services. Configuration Guide. Abstract
HP A5830 Switch Series Layer 3 - IP Services Configuration Guide Abstract This document describes the software features for the HP A Series products and guides you through the software configuration procedures.
HP 5920 & 5900 Switch Series
HP 5920 & 5900 Switch Series Network Management and Monitoring Command Reference Part number: 5998-2889 Software version: Release 2210 Document version: 6W100-20131105 Legal and notice information Copyright
Logging in to the CLI
Contents Logging in to the CLI 1 Login methods 1 Logging in through the console port 2 Introduction 2 Configuration procedure 2 Logging in through the AUX port 5 Configuration prerequisites 5 Configuration
User authentication configuration example 11 Command authorization configuration example 13 Command accounting configuration example 14
Contents Logging in to the CLI 1 Login methods 1 Logging in through the console or AUX port 2 Logging in through Telnet 5 Telnetting to the switch 5 Telnetting from the switch to another device 7 Logging
Identity Firewall. About the Identity Firewall. This chapter describes how to configure the ASA for the Identity Firewall.
This chapter describes how to configure the ASA for the. About the, page 1 Guidelines for the, page 7 Prerequisites for the, page 9 Configure the, page 10 Collect User Statistics, page 19 Examples for
HP 3600 v2 Switch Series
HP 3600 v2 Switch Series ACL and QoS Configuration Guide Part number: 5998-2354 Software version: Release 2101 Document version: 6W101-20130930 Legal and notice information Copyright 2013 Hewlett-Packard