HP Unified Wired-WLAN Products


HP Unified Wired-WLAN Products
Security Command Reference

HP 830 Unified Wired-WLAN PoE+ Switch Series
HP 850 Unified Wired-WLAN Appliance
HP 870 Unified Wired-WLAN Appliance
HP 11900/10500/7500 20G Unified Wired-WLAN Module

Part number: 5998-4797
Software version:
3507P22 (HP 830 PoE+ Switch Series)
2607P22 (HP 850 Appliance)
2607P22 (HP 870 Appliance)
2507P22 (HP 11900/10500/7500 20G Module)
Document version: 6W101-20140418

Legal and notice information Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Contents

AAA configuration commands
General AAA configuration commands: aaa nas-id profile; access-limit enable; accounting command; accounting default; accounting lan-access; accounting login; accounting optional; accounting portal; accounting ppp; attribute 4; authentication default; authentication lan-access; authentication login; authentication portal; authentication ppp; authentication super; authentication wlan-ap; authorization command; authorization default; authorization lan-access; authorization login; authorization portal; authorization ppp; authorization-attribute user-profile; cut connection; display connection; display domain; domain; domain default enable; domain if-unknown; eap-profile; idle-cut enable; ip pool; local-server authentication eap-profile; method; nas device-id; user-credentials; nas-id bind vlan; self-service-url enable; session-time include-idle-time; ssl-server-policy; state (ISP domain view)
Local user configuration commands: access-limit; authorization-attribute (local user view/user group view); bind-attribute; display local-user; display user-group; expiration-date (local user view); group; group-attribute allow-guest; local-user; password; service-type; state (local user view); user-group; validity-date
RADIUS configuration commands: accounting-on enable; attribute 25 car; data-flow-format (RADIUS scheme view); display radius scheme; display radius statistics; display stop-accounting-buffer (for RADIUS); eap offload; key (RADIUS scheme view); nas-backup-ip; nas-ip (RADIUS scheme view); primary accounting (RADIUS scheme view); primary authentication (RADIUS scheme view); radius client; radius log packet; radius nas-backup-ip; radius nas-ip; radius scheme; radius trap; reset radius statistics; reset stop-accounting-buffer (for RADIUS); retry; retry realtime-accounting; retry stop-accounting (RADIUS scheme view); secondary accounting (RADIUS scheme view); secondary authentication (RADIUS scheme view); security-policy-server; server-type (RADIUS scheme view); state primary; state secondary; stop-accounting-buffer enable (RADIUS scheme view); timer quiet (RADIUS scheme view); timer realtime-accounting; timer response-timeout (RADIUS scheme view); user-name-format (RADIUS scheme view)
HWTACACS configuration commands: data-flow-format (HWTACACS scheme view); display hwtacacs; display stop-accounting-buffer (for HWTACACS); hwtacacs nas-ip; hwtacacs scheme; key (HWTACACS scheme view); nas-ip (HWTACACS scheme view); primary accounting (HWTACACS scheme view); primary authentication (HWTACACS scheme view); primary authorization; reset hwtacacs statistics; reset stop-accounting-buffer (for HWTACACS); retry stop-accounting (HWTACACS scheme view); secondary accounting (HWTACACS scheme view); secondary authentication (HWTACACS scheme view); secondary authorization; stop-accounting-buffer enable (HWTACACS scheme view); timer quiet (HWTACACS scheme view); timer response-timeout (HWTACACS scheme view); user-name-format (HWTACACS scheme view)
LDAP configuration commands: authentication-server; authorization-server; display ldap scheme; group-parameters; ldap scheme; login-dn; login-password; protocol-version; server-timeout; server-type (LDAP scheme view); user-parameters

802.1X commands: display dot1x; display dot1x synchronization; dot1x accounting-delay; dot1x authentication-method; dot1x auth-fail vlan; dot1x domain-delimiter; dot1x guest-vlan; dot1x handshake; dot1x handshake secure; dot1x mandatory-domain; dot1x max-user; dot1x multicast-trigger; dot1x port-control; dot1x port-method; dot1x quiet-period; dot1x re-authenticate; dot1x retry; dot1x timer; dot1x unicast-trigger; reset dot1x statistics; reset dot1x synchronization statistics

MAC authentication configuration commands: display mac-authentication; mac-authentication; mac-authentication domain; mac-authentication guest-vlan; mac-authentication max-user; mac-authentication timer; mac-authentication trigger after-portal; mac-authentication user-name-format; reset mac-authentication statistics

Portal configuration commands: access-user detect; display portal acl; display portal connection statistics; display portal free-rule; display portal interface; display portal local-server; display portal server; display portal server statistics; display portal tcp-cheat statistics; display portal user; portal auth-network; portal backup-group; portal control-mode; portal delete-user; portal domain; portal forbidden-rule; portal free-rule; portal host-check dhcp-snooping; portal local-server; portal local-server bind; portal log packet; portal mac-trigger enable; portal mac-trigger nas-port-type; portal mac-trigger server; portal max-user; portal nas-id; portal nas-id-profile; portal nas-ip; portal nas-port-id; portal nas-port-type; portal redirect-url; portal server; portal server banner; portal server method; portal server server-detect; portal server user-sync; portal url-param include; portal web-proxy port; portal wlan ssid; portal wlan ssid-switch; reset portal connection statistics; reset portal server statistics; reset portal tcp-cheat statistics; web-redirect

Port security configuration commands: display port-security; display port-security mac-address block; display port-security preshared-key user; port-security authorization ignore; port-security enable; port-security intrusion-mode; port-security max-mac-count; port-security nas-id-profile; port-security ntk-mode; port-security oui; port-security port-mode; port-security preshared-key; port-security synchronization enable; port-security timer disableport; port-security trap; port-security tx-key-type 11key

User profile configuration commands: display user-profile; user-profile enable; user-profile

Password control commands: display password-control; display password-control blacklist; password; password-control { aging | composition | history | length } enable; password-control aging; password-control alert-before-expire; password-control authentication-timeout; password-control complexity; password-control composition; password-control enable; password-control expired-user-login; password-control history; password-control length; password-control login idle-time; password-control login-attempt; password-control password update interval; password-control super aging; password-control super composition; password-control super length; reset password-control blacklist; reset password-control history-record

Public key configuration commands: display public-key local public; display public-key peer; peer-public-key end; public-key-code begin; public-key-code end; public-key local create; public-key local destroy; public-key local export dsa; public-key local export rsa; public-key peer; public-key peer import sshkey

PKI configuration commands: attribute; ca identifier; certificate request entity; certificate request from; certificate request mode; certificate request polling; certificate request url; common-name; country; crl check; crl update-period; crl url; display pki certificate; display pki certificate access-control-policy; display pki certificate attribute-group; display pki crl domain; fqdn; ip (PKI entity view); ldap-server; locality; organization; organization-unit; pki certificate access-control-policy; pki certificate attribute-group; pki delete-certificate; pki domain; pki entity; pki import-certificate; pki request-certificate domain; pki retrieval-certificate; pki retrieval-crl domain; pki validate-certificate; root-certificate fingerprint; rule (PKI CERT ACP view); state

SSH configuration commands
SSH server configuration commands: display ssh server; display ssh user-information; sftp server enable; sftp server idle-timeout; ssh server authentication-retries; ssh server authentication-timeout; ssh server compatible-ssh1x enable; ssh server enable; ssh server rekey-interval; ssh user
SSH client configuration commands: bye; cd; cdup; delete; dir; display sftp client source; display ssh client source; display ssh server-info; exit; get; help; ls; mkdir; put; pwd; quit; remove; rename; rmdir; scp; sftp; sftp client ipv6 source; sftp client source; sftp ipv6; ssh client authentication server; ssh client first-time enable; ssh client ipv6 source; ssh client source; ssh2; ssh2 ipv6

SSL configuration commands: ciphersuite; client-verify enable; client-verify weaken; close-mode wait; display ssl client-policy; display ssl server-policy; handshake timeout; pki-domain; prefer-cipher; server-verify enable; session; ssl client-policy; ssl server-policy; version

TCP attack protection configuration commands: display tcp status; tcp syn-cookie enable

ARP attack protection configuration commands
IP flood protection configuration commands: arp resolving-route enable; arp source-suppression enable; arp source-suppression limit; display arp source-suppression
ARP packet rate limit configuration commands: arp rate-limit
Source MAC-based ARP attack detection configuration commands: arp anti-attack source-mac; arp anti-attack source-mac aging-time; arp anti-attack source-mac exclude-mac; arp anti-attack source-mac threshold; display arp anti-attack source-mac
ARP packet source MAC consistency check configuration commands: arp anti-attack valid-ack enable
ARP active acknowledgement configuration commands: arp anti-attack active-ack enable
Authorized ARP configuration commands: arp authorized enable
ARP detection configuration commands: arp detection; arp detection enable; arp detection trust; arp detection validate; arp restricted-forwarding enable; display arp detection; display arp detection statistics; reset arp detection statistics
ARP gateway protection configuration commands: arp filter source
ARP filtering configuration commands: arp filter binding

IPsec configuration commands: ah authentication-algorithm; connection-name; display ipsec policy; display ipsec policy-template; display ipsec sa; display ipsec statistics; display ipsec transform-set; display ipsec tunnel; encapsulation-mode; esp authentication-algorithm; esp encryption-algorithm; ike-peer (IPsec policy view/ipsec policy template view); ipsec anti-replay check; ipsec anti-replay window; ipsec invalid-spi-recovery enable; ipsec policy (interface view); ipsec policy (system view); ipsec policy isakmp template; ipsec policy-template; ipsec sa global-duration; ipsec synchronization enable; ipsec transform-set; policy enable; reset ipsec sa; reset ipsec statistics; sa authentication-hex; sa duration; sa encryption-hex; sa spi; sa string-key; security acl; synchronization anti-replay-interval; transform; transform-set; tunnel local; tunnel remote

IKE configuration commands: authentication-algorithm; authentication-method; certificate domain; dh; display ike dpd; display ike peer; display ike proposal; display ike sa; dpd; encryption-algorithm; exchange-mode; id-type; ike dpd; ike local-name; ike next-payload check disabled; ike peer (system view); ike proposal; ike sa keepalive-timer interval; ike sa keepalive-timer timeout; ike sa nat-keepalive-timer interval; interval-time; local; local-address; local-name; nat traversal; peer; pre-shared-key; proposal; remote-address; remote-name; reset ike sa; sa duration; time-out

ALG configuration commands: alg

Firewall configuration commands
Packet-filter firewall configuration commands: display firewall ipv6 statistics; display firewall-statistics; firewall default; firewall enable; firewall ipv6 default; firewall ipv6 enable; firewall packet-filter (interface view); firewall packet-filter (user-profile view); firewall packet-filter ipv6; reset firewall ipv6 statistics; reset firewall-statistics
ASPF configuration commands: aspf-policy; display aspf all; display aspf interface; display aspf policy; display port-mapping; firewall aspf (interface); firewall aspf (user-profile view); icmp-error drop; port-mapping; tcp syn-check

Session management commands: application aging-time; display application aging-time; display session aging-time; display session relation-table; display session statistics; display session table; reset session; reset session statistics; session aging-time; session checksum; session log bytes-active; session log enable (interface view); session log packets-active; session log time-active; session mode hybrid; session persist acl

Web filtering configuration commands: display firewall http activex-blocking; display firewall http java-blocking; display firewall http url-filter host; display firewall http url-filter parameter; firewall http activex-blocking acl; firewall http activex-blocking enable; firewall http activex-blocking suffix; firewall http java-blocking acl; firewall http java-blocking enable; firewall http java-blocking suffix; firewall http url-filter host acl; firewall http url-filter host default; firewall http url-filter host enable; firewall http url-filter host ip-address; firewall http url-filter host url-address; firewall http url-filter parameter; firewall http url-filter parameter enable; reset firewall http

User isolation commands: display user-isolation statistics; reset user-isolation statistics; user-isolation enable; user-isolation permit broadcast; user-isolation vlan enable; user-isolation vlan permit-mac

Source IP address verification commands: display wlan client source binding; ip verify source; ipv6 verify source

FIPS configuration commands: display fips status; fips mode enable; fips self-test

Protocol packet rate limit configuration commands: anti-attack enable; anti-attack protocol enable; anti-attack protocol threshold; anti-attack protocol flow-threshold; display anti-attack

Support and other resources: Contacting HP; Subscription service; Related information; Documents; Websites; Conventions

Index

AAA configuration commands

General AAA configuration commands

aaa nas-id profile

Use aaa nas-id profile to create a NAS ID profile and enter its view. A NAS ID profile maintains the bindings between NAS IDs and VLANs.
Use undo aaa nas-id profile to remove a NAS ID profile.

Syntax
aaa nas-id profile profile-name
undo aaa nas-id profile profile-name

Views
System view

Parameters
profile-name: Name of the NAS ID profile, a case-insensitive string of 1 to 16 characters.

Examples
# Create a NAS ID profile named aaa.
[Sysname] aaa nas-id profile aaa
[Sysname-nas-id-prof-aaa]

Related commands
nas-id bind vlan

access-limit enable

Use access-limit enable to set the maximum number of online users in an ISP domain. Users are not accepted after the number of online users reaches the allowed maximum number.
Use undo access-limit enable to restore the default.

Syntax
access-limit enable max-user-number
undo access-limit enable

Default
There is no limit to the number of online users in an ISP domain.

Views
ISP domain view

Parameters
max-user-number: Maximum number of online users that the ISP domain will accept, in the range of 1 to 2147483646.

Usage guidelines
Because system resources can be limited, and user connections might compete for network resources, setting a limit for online users helps provide reliable system performance.

Examples
# Set a limit of 500 user connections for ISP domain test.
[Sysname] domain test
[Sysname-isp-test] access-limit enable 500

Related commands
display domain

accounting command

Use accounting command to specify the command-line accounting method.
Use undo accounting command to restore the default.

Syntax
accounting command hwtacacs-scheme hwtacacs-scheme-name
undo accounting command

Default
The default accounting method for the ISP domain is used for command-line accounting.

Views
ISP domain view

Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines
The specified HWTACACS scheme must have been configured.
Command-line accounting can use only an HWTACACS scheme.

Examples
# Configure ISP domain test to use HWTACACS scheme hwtac for command-line accounting.

[Sysname] domain test
[Sysname-isp-test] accounting command hwtacacs-scheme hwtac

Related commands
accounting default
hwtacacs scheme

accounting default

Use accounting default to configure the default accounting method for an ISP domain.
Use undo accounting default to restore the default.

Syntax
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting default

Default
The default accounting method of an ISP domain is local.

Views
ISP domain view

Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines
The specified RADIUS or HWTACACS scheme must have been configured.
The default accounting method is used for all users who support the specified accounting method and have no specific accounting method configured.
Local accounting is only used for monitoring and controlling the number of local user connections. It does not provide the statistics function that a typical accounting feature provides.

Examples
# Configure the default accounting method for ISP domain test to use RADIUS accounting scheme rd and use local accounting as the backup.
[Sysname] domain test
[Sysname-isp-test] accounting default radius-scheme rd local

Related commands
local-user
hwtacacs scheme
radius scheme

accounting lan-access

Use accounting lan-access to configure the accounting method for LAN users.
Use undo accounting lan-access to restore the default.

Syntax
accounting lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
undo accounting lan-access

Default
The default accounting method for the ISP domain is used for LAN users.

Views
ISP domain view

Parameters
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines
The specified RADIUS scheme must have been configured.

Examples
# Configure ISP domain test to use local accounting for LAN users.
[Sysname] domain test
[Sysname-isp-test] accounting lan-access local
# Configure ISP domain test to use RADIUS accounting scheme rd for LAN users and use local accounting as the backup.
[Sysname] domain test
[Sysname-isp-test] accounting lan-access radius-scheme rd local

Related commands
local-user
accounting default
radius scheme

accounting login

Use accounting login to configure the accounting method for login users through the console port, AUX port, or Telnet.
Use undo accounting login to restore the default.

Syntax
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting login

Default
The default accounting method for the ISP domain is used for login users.

Views
ISP domain view

Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines
The specified RADIUS or HWTACACS scheme must have been configured.
Accounting is not supported for login users who use FTP.

Examples
# Configure ISP domain test to use local accounting for login users.
[Sysname] domain test
[Sysname-isp-test] accounting login local
# Configure ISP domain test to use RADIUS accounting scheme rd for login users and use local accounting as the backup.
[Sysname] domain test
[Sysname-isp-test] accounting login radius-scheme rd local

Related commands
local-user
accounting default
hwtacacs scheme
radius scheme

accounting optional

Use accounting optional to enable the accounting optional feature.
Use undo accounting optional to disable the feature.

Syntax
accounting optional
undo accounting optional

Default
The feature is disabled.

Views
ISP domain view

Usage guidelines
After you configure the accounting optional command for a domain, a user who would otherwise be disconnected can continue to use the network resources when no accounting server is available or when communication with the current accounting server fails. However, the device no longer sends users' real-time accounting updates.
After you configure the accounting optional command, the setting configured by the access-limit command in local user view has no effect.

Examples
# Enable the accounting optional feature for users in domain test.
[Sysname] domain test
[Sysname-isp-test] accounting optional

accounting portal

Use accounting portal to configure the accounting method for portal users.
Use undo accounting portal to restore the default.

Syntax
accounting portal { local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting portal

Default
The default accounting method for the ISP domain is used for portal users.

Views
ISP domain view

Parameters
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines
The specified RADIUS scheme must have been configured.

Examples
# Configure ISP domain test to use local accounting for portal users.
[Sysname] domain test
[Sysname-isp-test] accounting portal local
# Configure ISP domain test to use RADIUS scheme rd for accounting on portal users and use local accounting as the backup.
[Sysname] domain test
[Sysname-isp-test] accounting portal radius-scheme rd local

Related commands
local-user
accounting default
radius scheme

accounting ppp

Use accounting ppp to configure the accounting method for PPP users.
Use undo accounting ppp to restore the default.

Syntax
accounting ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting ppp

Default
The default accounting method for the ISP domain is used for PPP users.

Views
ISP domain view

Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.

none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines
Support for this command depends on the device model. For more information, see About the Command References for HP Unified Wired-WLAN Products.
The specified RADIUS or HWTACACS scheme must have been configured.

Examples
# Configure ISP domain test to use local accounting for PPP users.
[Sysname] domain test
[Sysname-isp-test] accounting ppp local
# Configure ISP domain test to use RADIUS accounting scheme rd for PPP users and use local accounting as the backup.
[Sysname] domain test
[Sysname-isp-test] accounting ppp radius-scheme rd local

Related commands
local-user
accounting default
hwtacacs scheme
radius scheme

attribute 4

Use attribute 4 to configure the NAS-IP-Address attribute (attribute number 4) for RADIUS Access-Request packets.
Use undo attribute 4 to restore the default.

Syntax
attribute 4 ip-address
undo attribute 4

Default
The NAS-IP-Address attribute takes the source IP address of the RADIUS Access-Request packet.

Views
RADIUS scheme view

Parameters
ip-address: Specifies the IP address in the NAS-IP-Address attribute for RADIUS Access-Request packets. It must be a valid IPv4 address, and you cannot specify one of the following IP addresses:

IP addresses of full 0s.
IP addresses of full 1s.
D-class IP addresses.
E-class IP addresses.
Loopback IP addresses.

Usage guidelines
In a MAC-BAC network, the NAS-IP-Address attribute (attribute number 4) in a RADIUS Access-Request packet must take the IP address of the master AC.
This command does not change the source IP address of a RADIUS Access-Request packet.

Examples
# Configure the NAS-IP-Address attribute (attribute number 4) as 192.168.0.2 for RADIUS Access-Request packets.
[Sysname] radius scheme aaa
[Sysname-radius-aaa] attribute 4 192.168.0.2

Related commands
radius nas-ip
nas-ip (RADIUS scheme view)

authentication default

Use authentication default to configure the default authentication method for an ISP domain.
Use undo authentication default to restore the default.

Syntax
authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication default

Default
The default authentication method of an ISP domain is local.

Views
ISP domain view

Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform any authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

The specified RADIUS, HWTACACS, or LDAP scheme must have been configured.

The default authentication method is used for all users who support the specified authentication method and have no specific authentication method configured.

# Configure the default authentication method for ISP domain test to use RADIUS authentication scheme rd and use local authentication as the backup.
[Sysname] domain test
[Sysname-isp-test] authentication default radius-scheme rd local

Related commands: local-user, hwtacacs scheme, radius scheme, ldap scheme

authentication lan-access

Use authentication lan-access to configure the authentication method for LAN users.
Use undo authentication lan-access to restore the default.

authentication lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
undo authentication lan-access

The default authentication method for the ISP domain is used for LAN users.

ISP domain view

local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

The specified RADIUS scheme must have been configured.

# Configure ISP domain test to use local authentication for LAN users.
[Sysname] domain test
[Sysname-isp-test] authentication lan-access local

# Configure ISP domain test to use RADIUS authentication scheme rd for LAN users and use local authentication as the backup.
[Sysname] domain test
[Sysname-isp-test] authentication lan-access radius-scheme rd local

Related commands: local-user, authentication default, radius scheme

authentication login

Use authentication login to configure the authentication method for login users through the console port, AUX port, Telnet, or FTP.
Use undo authentication login to restore the default.

authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication login

The default authentication method for the ISP domain is used for login users.

ISP domain view

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

The specified RADIUS, HWTACACS, or LDAP scheme must have been configured.

# Configure ISP domain test to use local authentication for login users.
[Sysname] domain test
[Sysname-isp-test] authentication login local

# Configure ISP domain test to use RADIUS authentication scheme rd for login users and use local authentication as the backup.
[Sysname] domain test
[Sysname-isp-test] authentication login radius-scheme rd local

Related commands: local-user, authentication default, hwtacacs scheme, radius scheme, ldap scheme

authentication portal

Use authentication portal to configure the authentication method for portal users.
Use undo authentication portal to restore the default.

authentication portal { ldap-scheme ldap-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication portal

The default authentication method for the ISP domain is used for portal users.

ISP domain view

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

The specified LDAP or RADIUS scheme must have been configured.

Only PAP is supported for LDAP authentication of portal users.

# Configure ISP domain test to use local authentication for portal users.
[Sysname] domain test
[Sysname-isp-test] authentication portal local

# Configure ISP domain test to use RADIUS scheme rd for authentication of portal users and use local authentication as the backup.
[Sysname] domain test
[Sysname-isp-test] authentication portal radius-scheme rd local

Related commands: local-user, authentication default, ldap scheme, radius scheme

authentication ppp

Use authentication ppp to configure the authentication method for PPP users.
Use undo authentication ppp to restore the default.

authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication ppp

Support for this command depends on the device model. For more information, see About the Command References for HP Unified Wired-WLAN Products.

The default authentication method for the ISP domain is used for PPP users.

ISP domain view

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform any authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

The specified RADIUS or HWTACACS scheme must have been configured.

# Configure ISP domain test to use local authentication for PPP users.
[Sysname] domain test
[Sysname-isp-test] authentication ppp local

# Configure ISP domain test to use RADIUS authentication scheme rd for PPP users and use local authentication as the backup.
[Sysname] domain test
[Sysname-isp-test] authentication ppp radius-scheme rd local

Related commands: local-user, authentication default, hwtacacs scheme, radius scheme

authentication super

Use authentication super to configure the authentication method for user privilege level switching.
Use undo authentication super to restore the default.

authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name }
undo authentication super

The default authentication method for the ISP domain is used for user privilege level switching authentication.

ISP domain view

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

The specified RADIUS or HWTACACS authentication scheme must have been configured.

# Configure ISP domain test to use HWTACACS scheme tac for user privilege level switching authentication.
[Sysname] super authentication-mode scheme
[Sysname] domain test
[Sysname-domain-test] authentication super hwtacacs-scheme tac

Related commands: hwtacacs scheme, radius scheme, super authentication-mode (Fundamentals Command Reference)

authentication wlan-ap

Use authentication wlan-ap to configure the authentication method for APs in a WLAN and specify the authentication RADIUS scheme.
Use undo authentication wlan-ap to restore the default.

authentication wlan-ap radius-scheme radius-scheme-name
undo authentication wlan-ap

The default authentication method for the ISP domain is used for AP authentication.

ISP domain view

Predefined command level

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

The specified RADIUS scheme must exist.

# Configure the APs to use RADIUS scheme rd for authentication in ISP domain named system.
[Sysname] domain system
[Sysname-isp-system] authentication wlan-ap radius-scheme rd

Related commands: authentication default, radius scheme

authorization command

Use authorization command to configure the command-line authorization method.
Use undo authorization command to restore the default.

authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local | none ] | local | none }
undo authorization command

The default authorization method for the ISP domain is used for command-line authorization.

ISP domain view

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange, and an authenticated user can access only Level 0 commands.

The specified HWTACACS scheme must have been configured.

With command-line authorization configured, a user who has logged in to the device can execute only the commands with a level lower than or equal to that of the local user.

# Configure ISP domain test to use local command-line authorization.
[Sysname] domain test
[Sysname-isp-test] authorization command local

# Configure ISP domain test to use HWTACACS scheme hwtac for command-line authorization and use local authorization as the backup.
[Sysname] domain test
[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local

Related commands: local-user, authorization default, hwtacacs scheme

authorization default

Use authorization default to configure the default authorization method for an ISP domain.
Use undo authorization default to restore the default.

authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization default

The default authorization method of an ISP domain is local.

ISP domain view

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. After passing authentication, non-login users can access the network, FTP users can access the root directory of the device, and non-FTP users can access only the Level 0 commands.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

The specified RADIUS, HWTACACS, or LDAP scheme must have been configured.

The default authorization method is used for all users who support the specified authorization method and have no specific authorization method configured.

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

# Configure the default authorization method for ISP domain test to use RADIUS authorization scheme rd and use local authorization as the backup.
[Sysname] domain test
[Sysname-isp-test] authorization default radius-scheme rd local

Related commands: local-user, hwtacacs scheme, radius scheme, ldap scheme

authorization lan-access

Use authorization lan-access to configure the authorization method for LAN users.
Use undo authorization lan-access to restore the default.

authorization lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
undo authorization lan-access

The default authorization method for the ISP domain is used for LAN users.

ISP domain view

local: Performs local authorization.
none: Does not perform any authorization exchange, and an authenticated LAN user can access the network directly.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

The specified RADIUS scheme must have been configured.

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

# Configure ISP domain test to use local authorization for LAN users.
[Sysname] domain test
[Sysname-isp-test] authorization lan-access local

# Configure ISP domain test to use RADIUS authorization scheme rd for LAN users and use local authorization as the backup.
[Sysname] domain test
[Sysname-isp-test] authorization lan-access radius-scheme rd local

Related commands: local-user, authorization default, radius scheme
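The same-scheme rule stated for the authorization commands, together with the none methods, can be checked mechanically when reviewing a device configuration. The Python script below is an added example, not HP code. It assumes a saved configuration in which domain sub-commands are indented under an unindented domain line; the sample configuration and the finding names are constructed for illustration.

```python
import re

# Access types with both an authentication and an authorization command here.
ACCESS_TYPES = ("default", "lan-access", "login", "portal", "ppp")
KINDS = ("authentication", "authorization")
METHOD_LINE = re.compile(r"^(authentication|authorization)\s+(\S+)\s+(.+)$")

# Constructed sample. Assumed layout of a saved configuration: unindented
# "domain <name>", indented sub-commands, "#" between views.
SAMPLE_CONFIG = """\
#
domain test
 authentication default radius-scheme rd local
 authorization default radius-scheme rd local
 authentication lan-access radius-scheme RD none
 authorization lan-access radius-scheme rd local
 authentication portal local
 authorization portal radius-scheme rd local
#
domain guest
 authentication default none
#
"""

def parse_domains(text):
    """Return {domain: {(kind, access_type): [method tokens]}}."""
    domains, current = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if not raw[0].isspace():  # unindented line: a new view starts here
            is_domain = len(parts) == 2 and parts[0] == "domain"
            current = domains.setdefault(parts[1], {}) if is_domain else None
            continue
        match = METHOD_LINE.match(raw.strip())
        if current is not None and match and match.group(2) in ACCESS_TYPES:
            current[(match.group(1), match.group(2))] = match.group(3).split()
    return domains

def split_methods(tokens):
    """['radius-scheme', 'RD', 'local'] -> [('radius-scheme', 'rd'), ('local', None)]."""
    pairs, it = [], iter(tokens)
    for token in it:
        name = next(it, "").lower() if token.endswith("-scheme") else None
        pairs.append((token, name))
    return pairs

def effective(methods, kind, access_type):
    """Type-specific methods, else the domain default, else 'local'."""
    tokens = methods.get((kind, access_type)) or methods.get((kind, "default"))
    return split_methods(tokens or ["local"])

def radius_scheme(pairs):
    return next((name for method, name in pairs if method == "radius-scheme"), None)

def audit(text):
    """Return sorted (domain, access_type, finding) tuples."""
    findings = []
    for domain, methods in parse_domains(text).items():
        for access_type in ACCESS_TYPES:
            explicit = any((kind, access_type) in methods for kind in KINDS)
            if access_type != "default" and not explicit:
                continue  # inherits the domain default, which is checked itself
            authn = effective(methods, "authentication", access_type)
            authz = effective(methods, "authorization", access_type)
            if authn[0][0] == "none":
                findings.append((domain, access_type, "authentication-none"))
            elif any(method == "none" for method, _ in authn[1:]):
                findings.append((domain, access_type, "authentication-none-as-backup"))
            scheme = radius_scheme(authz)
            # RADIUS authorization needs the same scheme on the authentication side.
            if scheme and scheme != radius_scheme(authn):
                findings.append((domain, access_type, "radius-authorization-ineffective"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding)
```

Scheme names are compared in lower case because the reference defines them as case-insensitive, so rd and RD count as the same scheme.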

authorization login

Use authorization login to configure the authorization method for login users through the console port, AUX port, Telnet, or FTP.
Use undo authorization login to restore the default.

authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization login

The default authorization method for the ISP domain is used for login users.

ISP domain view

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. After passing authentication, FTP users can access the root directory of the device, and other login users can access only the Level 0 commands.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

The specified RADIUS, HWTACACS, or LDAP scheme must have been configured.

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

# Configure ISP domain test to use local authorization for login users.
[Sysname] domain test
[Sysname-isp-test] authorization login local

# Configure ISP domain test to use RADIUS authorization scheme rd for login users and use local authorization as the backup.
[Sysname] domain test
[Sysname-isp-test] authorization login radius-scheme rd local

Related commands: local-user, authorization default, hwtacacs scheme, radius scheme, ldap scheme

authorization portal

Use authorization portal to configure the authorization method for portal users.
Use undo authorization portal to restore the default.

authorization portal { local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization portal

The default authorization method for the ISP domain is used for portal users.

ISP domain view

local: Performs local authorization.
none: Does not perform any authorization exchange, and an authenticated portal user can access the network directly.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

The specified RADIUS scheme must have been configured.

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

# Configure ISP domain test to use local authorization for portal users.
[Sysname] domain test
[Sysname-isp-test] authorization portal local

# Configure ISP domain test to use RADIUS scheme rd for authorization of portal users and use local authorization as the backup.
[Sysname] domain test
[Sysname-isp-test] authorization portal radius-scheme rd local

Related commands: local-user, authorization default, radius scheme

authorization ppp

Use authorization ppp to configure the authorization method for PPP users.
Use undo authorization ppp to restore the default.

authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization ppp

The default authorization method for the ISP domain is used for PPP users.

ISP domain view

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange, and an authenticated PPP user can access the network directly.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Support for this command depends on the device model. For more information, see About the Command References for HP Unified Wired-WLAN Products.

The specified RADIUS or HWTACACS scheme must have been configured.

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

# Configure ISP domain test to use local authorization for PPP users.
[Sysname] domain test
[Sysname-isp-test] authorization ppp local

# Configure ISP domain test to use RADIUS authorization scheme rd for PPP users and use local authorization as the backup.

[Sysname] domain test
[Sysname-isp-test] authorization ppp radius-scheme rd local

Related commands: local-user, authorization default, hwtacacs scheme, radius scheme

authorization-attribute user-profile

Use authorization-attribute user-profile to specify the default authorization user profile for an ISP domain.
Use undo authorization-attribute user-profile to restore the default.

authorization-attribute user-profile profile-name
undo authorization-attribute user-profile

An ISP domain has no default authorization user profile.

ISP domain view

3: Manage level

profile-name: Name of the user profile, a case-sensitive string of 1 to 31 characters. For more information about user profile configuration, see Security Configuration Guide.

If the server (or the access device for local authentication) does not authorize a user profile to the ISP domain after an ISP domain user passes authentication, the system uses the user profile specified by the authorization-attribute user-profile command.

If you configure the authorization-attribute user-profile command multiple times, only the most recent configuration takes effect.

# Specify the default authorization user profile for domain test as profile1.
[Sysname] domain test
[Sysname-isp-test] authorization-attribute user-profile profile1

cut connection

Use cut connection to tear down the specified user connections.

cut connection { access-type { dot1x | mac-authentication | portal } | all | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id }

System view

access-type: Specifies the user connections for the specified access type.
dot1x: Indicates 802.1X authentication.
mac-authentication: Indicates MAC address authentication.
portal: Indicates portal authentication.
all: Specifies all user connections.
domain isp-name: Specifies the user connections for an ISP domain. The isp-name argument represents the name of an existing ISP domain and is a string of 1 to 24 characters.
interface interface-type interface-number: Specifies the user connections on an interface. Only Layer 2 Ethernet interfaces and WLAN virtual interfaces are supported.
ip ip-address: Specifies the user connections for an IP address.
mac mac-address: Specifies the user connections for a MAC address, with mac-address in the format H-H-H.
ucibindex ucib-index: Specifies the user connection that uses the connection index, in the range of 0 to 4294967295.
user-name user-name: Specifies the user connections that use the username. The user-name argument is a case-sensitive string of 1 to 80 characters. For a username without a domain name, the system considers that the user is in the default domain or the mandatory authentication domain.
vlan vlan-id: Specifies the user connections of a VLAN, in the range of 1 to 4094.

This command applies to only LAN access, portal, and PPP user connections.

You cannot cut the connections by username for 802.1X users whose usernames include the version number or spaces, or use a slash (/) or backslash (\) as the domain name delimiter. For example, the cut connection user-name aaa\bbb command cannot cut the connections of the user aaa\bbb.

An interface that is configured with a mandatory authentication domain considers users of the corresponding access type as users in the mandatory authentication domain. For example, if you configure an 802.1X mandatory authentication domain on an interface, the interface uses the domain's AAA methods for all its 802.1X users. To cut connections of these users, use the cut connection domain isp-name command, and specify the mandatory authentication domain.

# Tear down all connections of ISP domain test.
[Sysname] cut connection domain test

Related commands: display connection, service-type

display connection

Use display connection to display information about AAA user connections.

display connection [ access-type { dot1x | mac-authentication | portal } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id ] [ | { begin | exclude | include } regular-expression ]

Any view

1: Monitor level

access-type: Specifies the user connections for the specified access type.
dot1x: Indicates 802.1X authentication.
mac-authentication: Indicates MAC address authentication.
portal: Indicates portal authentication.
domain isp-name: Specifies the user connections for an ISP domain. The isp-name argument represents the name of an existing ISP domain and is a case-insensitive string of 1 to 24 characters.
interface interface-type interface-number: Specifies the user connections on an interface. Only Layer 2 Ethernet interfaces and WLAN virtual interfaces are supported.
ip ip-address: Specifies the user connections for an IP address.
mac mac-address: Specifies the user connections for a MAC address, with mac-address in the format H-H-H.
ucibindex ucib-index: Specifies the user connection for the connection index, in the range of 0 to 4294967295.
user-name user-name: Specifies the user connections for the username. The user-name argument is a case-sensitive string of 1 to 80 characters. For a username entered without a domain name, the system assumes that the user is in the default domain name or the mandatory authentication domain.
vlan vlan-id: Specifies the user connections for a VLAN, in the range of 1 to 4094.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

This command does not display information about FTP user connections.

With no parameter specified, this command displays brief information about all AAA user connections.

If you specify the ucibindex ucib-index option, this command displays detailed information. Otherwise, this command displays brief information.

If an interface is configured with a mandatory authentication domain (for example, an 802.1X mandatory authentication domain), the device uses the mandatory authentication domain to perform authentication, authorization, and accounting for users who access the interface through the specified access type. To display connections of such users, use the display connection domain isp-name command and specify the mandatory authentication domain.

The device displays the username of a user on an interface configured with a mandatory authentication domain depending on the format of the username entered by the user at login:
If the username does not contain the at sign (@), the device displays the username in the format username@mandatory authentication domain name.
If the username contains the at sign (@), the device displays the entered username. For example, if a user entered the username aaa@123 at login and the name of the mandatory authentication domain is dom, the device displays the username aaa@123, rather than aaa@123@dom.

You cannot query the connections by username for 802.1X users whose usernames use a slash (/) or backslash (\) as the domain name delimiter. For example, the display connection user-name aaa\bbb command cannot display the connections of the user aaa\bbb.

# Display information about all AAA user connections.
<Sysname> display connection
Index=1,Username=user1@system
MAC=00-15-E9-A6-7C-FE
IP=10.0.0.1
Online=00h00m53s
Total 1 connection(s) matched.

# Display information about AAA user connections with an index of 0.
<Sysname> display connection ucibindex 0
Index=0, Username=user1@system
MAC=00-15-E9-A6-7C-FE
IP=10.0.0.1
IPv6=N/A
Access=Admin,AuthMethod=PAP
Port Type=Virtual,Port Name=N/A
Initial VLAN=999, Authorized VLAN=20
ACL Group=Disable
User Profile=N/A
CAR=Disable
Traffic Statistic:
InputOctets =12121212 OutputOctets =12120
InputGigawords=1 OutputGigawords=0
Priority=Disable