09-Security Command Reference


Contents

AAA commands
  General AAA commands
    aaa session-limit
    accounting command
    accounting default
    accounting login
    authentication default
    authentication login
    authentication super
    authorization command
    authorization default
    authorization login
    display domain
    domain
    domain default enable
    state (ISP domain view)
  Local user commands
    access-limit
    authorization-attribute
    display local-user
    display user-group
    group
    local-user
    password
    service-type
    state (local user view)
    user-group
  RADIUS commands
    accounting-on enable
    attribute 15 check-mode
    data-flow-format (RADIUS scheme view)
    display radius scheme
    display radius statistics
    key (RADIUS scheme view)
    nas-ip (RADIUS scheme view)
    primary accounting (RADIUS scheme view)
    primary authentication (RADIUS scheme view)
    radius nas-ip
    radius session-control enable
    radius scheme
    reset radius statistics
    retry
    retry realtime-accounting
    secondary accounting (RADIUS scheme view)
    secondary authentication (RADIUS scheme view)
    security-policy-server
    snmp-agent trap enable radius
    state primary
    state secondary
    timer quiet (RADIUS scheme view)
    timer realtime-accounting (RADIUS scheme view)
    timer response-timeout (RADIUS scheme view)
    user-name-format (RADIUS scheme view)
    vpn-instance (RADIUS scheme view)
  HWTACACS commands
    data-flow-format (HWTACACS scheme view)
    display hwtacacs scheme
    hwtacacs nas-ip
    hwtacacs scheme
    key (HWTACACS scheme view)
    nas-ip (HWTACACS scheme view)
    primary accounting (HWTACACS scheme view)
    primary authentication (HWTACACS scheme view)
    primary authorization
    reset hwtacacs statistics
    secondary accounting (HWTACACS scheme view)
    secondary authentication (HWTACACS scheme view)
    secondary authorization
    timer quiet (HWTACACS scheme view)
    timer realtime-accounting (HWTACACS scheme view)
    timer response-timeout (HWTACACS scheme view)
    user-name-format (HWTACACS scheme view)
    vpn-instance (HWTACACS scheme view)
Password control commands
  display password-control
  display password-control blacklist
  password-control { aging | composition | history | length } enable
  password-control aging
  password-control alert-before-expire
  password-control complexity
  password-control composition
  password-control enable
  password-control expired-user-login
  password-control history
  password-control length
  password-control login idle-time
  password-control login-attempt
  password-control super aging
  password-control super composition
  password-control super length
  password-control update-interval
  reset password-control blacklist
  reset password-control history-record
Public key management commands
  display public-key local public
  display public-key peer
  peer-public-key end
  public-key local create
  public-key local destroy
  public-key local export dsa
  public-key local export rsa
  public-key peer
  public-key peer import sshkey
PKI commands
  attribute
  ca identifier
  certificate request entity
  certificate request from
  certificate request mode
  certificate request polling
  certificate request url
  common-name
  country
  crl check
  crl url
  display pki certificate access-control-policy
  display pki certificate attribute-group
  display pki certificate domain
  display pki certificate request-status
  display pki crl
  fqdn
  ip
  ldap-server
  locality
  organization
  organization-unit
  pki abort-certificate-request
  pki certificate access-control-policy
  pki certificate attribute-group
  pki delete-certificate
  pki domain
  pki entity
  pki export
  pki import
  pki request-certificate
  pki retrieve-certificate
  pki retrieve-crl
  pki storage
  pki validate-certificate
  public-key dsa
  public-key rsa
  root-certificate fingerprint
  rule
  source
  state
  usage
SSL commands
  ciphersuite
  client-verify enable
  display ssl client-policy
  display ssl server-policy
  pki-domain
  prefer-cipher
  server-verify enable
  session cachesize
  ssl client-policy
  ssl server-policy
  ssl version ssl3.0 disable
  version
IPsec commands
  ah authentication-algorithm
  description
  display ipsec policy
  display ipsec sa
  display ipsec statistics
  display ipsec transform-set
  display ipsec tunnel
  encapsulation-mode
  esp authentication-algorithm
  esp encryption-algorithm
  ike-profile
  ipsec anti-replay check
  ipsec anti-replay window
  ipsec apply policy
  ipsec decrypt-check enable
  ipsec logging packet enable
  ipsec df-bit
  ipsec global-df-bit
  ipsec policy
  ipsec policy local-address
  ipsec sa global-duration
  ipsec sa idle-time
  ipsec transform-set
  local-address
  pfs
  protocol
  qos pre-classify
  remote-address
  reset ipsec sa
  reset ipsec statistics
  sa duration
  sa hex-key authentication
  sa hex-key encryption
  sa idle-time
  sa spi
  sa string-key
  security acl
  snmp-agent trap enable ipsec
  transform-set
IKE commands
  authentication-algorithm
  authentication-method
  certificate domain
  dh
  display ike proposal
  display ike sa
  dpd
  encryption-algorithm
  exchange-mode
  ike dpd
  ike identity
  ike invalid-spi-recovery enable
  ike keepalive interval
  ike keepalive timeout
  ike keychain
  ike limit
  ike nat-keepalive
  ike profile
  ike proposal
  ike signature-identity from-certificate
  keychain
  local-identity
  match local address (IKE keychain view)
  match local address (IKE profile view)
  match remote
  pre-shared-key
  priority (IKE keychain view)
  priority (IKE profile view)
  proposal
  reset ike sa
  reset ike statistics
  sa duration
  snmp-agent trap enable ike
SSH commands
  SSH server commands
    display ssh server
    display ssh user-information
    scp server enable
    sftp server enable
    sftp server idle-timeout
    ssh server acl
    ssh server authentication-retries
    ssh server authentication-timeout
    ssh server compatible-ssh1x enable
    ssh server dscp
    ssh server enable
    ssh server rekey-interval
    ssh user
  SSH client commands
    bye
    cd
    cdup
    delete
    dir
    display sftp client source
    display ssh client source
    exit
    get
    help
    ls
    mkdir
    put
    pwd
    quit
    remove
    rename
    rmdir
    scp
    sftp
    sftp client source
    ssh client source
    ssh2
IP source guard commands
  display ip source binding
  ip source binding (interface view)
  ip source binding (system view)
  ip verify source
ARP attack protection commands
  Unresolvable IP attack protection commands
    arp resolving-route enable
    arp resolving-route probe-count
    arp resolving-route probe-interval
    arp source-suppression enable
    arp source-suppression limit
    display arp source-suppression
  ARP packet rate limit commands
    arp rate-limit
    arp rate-limit log enable
    arp rate-limit log interval
    snmp-agent trap enable arp
  Source MAC-based ARP attack detection commands
    arp source-mac
    arp source-mac aging-time
    arp source-mac exclude-mac
    arp source-mac threshold
    display arp source-mac
  ARP packet source MAC consistency check commands
    arp valid-check enable
  ARP active acknowledgement commands
    arp active-ack enable
  Authorized ARP commands
    arp authorized enable
  ARP detection commands
    arp detection enable
    arp detection log enable
    arp detection trust
    arp detection validate
    arp restricted-forwarding enable
    display arp detection
    display arp detection statistics
    reset arp detection statistics
  ARP scanning and fixed ARP commands
    arp fixup
    arp scan
  ARP gateway protection commands
    arp filter source
  ARP filtering commands
    arp filter binding
uRPF commands
  display ip urpf
  ip urpf
FIPS commands
  display fips status
  fips mode enable
  fips self-test
Attack detection and prevention commands
  attack-defense tcp fragment enable
Index


AAA commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

General AAA commands

aaa session-limit

Use aaa session-limit to set the maximum number of concurrent users who can log on to the device through the specified method.

Use undo aaa session-limit to restore the default maximum number of concurrent users for the specified login method.

Syntax

In non-FIPS mode:

aaa session-limit { ftp | ssh | telnet } max-sessions

undo aaa session-limit { ftp | ssh | telnet }

In FIPS mode:

aaa session-limit ssh max-sessions

undo aaa session-limit ssh

Default

The maximum number of concurrent users is 32 for each user type.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

ftp: FTP users.

ssh: SSH users.

telnet: Telnet users.

max-sessions: Specifies the maximum number of concurrent login users. The value range is 1 to 32.

Usage guidelines

After the number of concurrent login users of a type reaches the configured maximum, the system denies subsequent login attempts of that type.

Examples

# Set the maximum number of concurrent FTP users to 4.

<Sysname> system-view

[Sysname] aaa session-limit ftp 4

accounting command

Use accounting command to specify the command line accounting method.

Use undo accounting command to restore the default.

Syntax

accounting command hwtacacs-scheme hwtacacs-scheme-name

undo accounting command

Default

The default accounting method of the ISP domain is used for command line accounting.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The command line accounting feature works with the accounting server to record all commands that have been successfully executed on the device.

Command line accounting can use only a remote HWTACACS server.

Examples

# In ISP domain test, perform command line accounting based on HWTACACS scheme hwtac.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting command hwtacacs-scheme hwtac

Related commands

·     accounting default

·     command accounting (Fundamentals Command Reference)

·     hwtacacs scheme

accounting default

Use accounting default to specify the default accounting method for an ISP domain.

Use undo accounting default to restore the default.

Syntax

In non-FIPS mode:

accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting default

In FIPS mode:

accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo accounting default

Default

The default accounting method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default accounting method is used for all users who support this method and do not have an accounting method configured.

Local accounting is only used for monitoring and controlling the number of local user connections. It does not provide the statistics function that the accounting feature generally provides.

You can specify one primary default accounting method and multiple backup default accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting default radius-scheme radius-scheme-name local none command specifies the primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

Examples

# Configure the default accounting method for ISP domain test to use RADIUS scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting default radius-scheme rd local

Related commands

·     hwtacacs scheme

·     local-user

·     radius scheme

accounting login

Use accounting login to specify the accounting method for login users.

Use undo accounting login to restore the default.

Syntax

In non-FIPS mode:

accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting login

In FIPS mode:

accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo accounting login

Default

The default accounting method of the ISP domain is used for login users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

Accounting is not supported for FTP, SFTP, and SCP users.

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting login radius-scheme radius-scheme-name local none command specifies a primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local accounting for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting login local

# In ISP domain test, perform RADIUS accounting for login users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting login radius-scheme rd local

Related commands

·     accounting default

·     hwtacacs scheme

·     local-user

·     radius scheme

authentication default

Use authentication default to specify the default authentication method for an ISP domain.

Use undo authentication default to restore the default.

Syntax

In non-FIPS mode:

authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication default

In FIPS mode:

authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo authentication default

Default

The default authentication method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default authentication method is used for all users who support this method and do not have an authentication method configured.

You can specify one primary default authentication method and multiple backup default authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication default radius-scheme radius-scheme-name local none command specifies a primary default RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# Configure the default authentication method for ISP domain test to use RADIUS scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication default radius-scheme rd local

Related commands

·     hwtacacs scheme

·     local-user

·     radius scheme

authentication login

Use authentication login to specify the authentication method for login users.

Use undo authentication login to restore the default.

Syntax

In non-FIPS mode:

authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication login

In FIPS mode:

authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo authentication login

Default

The default authentication method of the ISP domain is used for login users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies the default primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authentication for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication login local

# In ISP domain test, perform RADIUS authentication for login users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication login radius-scheme rd local

Related commands

·     authentication default

·     hwtacacs scheme

·     local-user

·     radius scheme

authentication super

Use authentication super to specify a method for user role authentication.

Use undo authentication super to restore the default.

Syntax

authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } *

undo authentication super

Default

The default authentication method of the ISP domain is used for user role authentication.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one authentication method and one backup authentication method to use in case the first authentication method is invalid.

If you specify a scheme to provide the method for user role authentication, the method applies only to users whose user role is in the format of level-n.

·     If an HWTACACS scheme is specified, the device uses the entered username for role authentication. The username must already exist on the HWTACACS server to represent the highest user level that a user can obtain. For example, when the user whose username is test requests a level-3 user role, the device uses the string test@domain-name or test for role authentication, depending on whether the domain name is required.

·     If a RADIUS scheme is specified, the device uses the username $enabn$ on the RADIUS server for role authentication of any usernames. The variable n has the same value as the level of the target user role. For example, to obtain a level-3 user role, the device uses the username string $enab3$@domain-name or $enab3$, depending on whether the domain name is required.
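The two rules above decide which account the AAA server must hold before a level-n role request can succeed. The following helper is an added illustration, not H3C code: it builds the username the device presents for role authentication under either scheme type, and lists the accounts a server would need for a set of requests. The with_domain flag is an assumption standing in for whatever makes the device append @domain-name (the scheme's user-name-format setting); sample users and roles are constructed.

```python
import re

def role_auth_username(scheme_type, login_user, target_role, domain, with_domain):
    """Username sent to the server when login_user requests target_role.

    scheme_type: "hwtacacs" or "radius".
    target_role: must be a level-n role; other roles are not subject to
                 scheme-based role authentication (per the guidelines above).
    with_domain: assumption standing in for the scheme's user-name-format.
    """
    m = re.fullmatch(r"level-(\d{1,2})", target_role)
    if not m:
        raise ValueError(f"{target_role!r} is not a level-n user role")
    level = int(m.group(1))
    if scheme_type == "hwtacacs":
        base = login_user            # this account must already exist on the server
    elif scheme_type == "radius":
        base = f"$enab{level}$"      # one shared account per level, for any login user
    else:
        raise ValueError(f"unsupported scheme type {scheme_type!r}")
    return f"{base}@{domain}" if with_domain else base

def accounts_to_provision(scheme_type, requests, domain, with_domain):
    """Accounts the server needs so that every (login_user, target_role) request
    in `requests` can be authenticated: one per operator for HWTACACS, one per
    requested level for RADIUS."""
    return sorted({role_auth_username(scheme_type, u, r, domain, with_domain)
                   for u, r in requests})

if __name__ == "__main__":
    # Constructed sample requests; "test" is the ISP domain name used above.
    reqs = [("alice", "level-3"), ("bob", "level-3"), ("carol", "level-15")]
    print(accounts_to_provision("hwtacacs", reqs, "test", True))
    print(accounts_to_provision("radius", reqs, "test", False))
```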

Examples

# In ISP domain test, perform user role authentication based on HWTACACS scheme tac.

<Sysname> system-view

[Sysname] super authentication-mode scheme

[Sysname] domain test

[Sysname-isp-test] authentication super hwtacacs-scheme tac

Related commands

·     authentication default

·     hwtacacs scheme

·     radius scheme

authorization command

Use authorization command to specify the command authorization method.

Use undo authorization command to restore the default.

Syntax

In non-FIPS mode:

authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] | local [ none ] | none }

undo authorization command

In FIPS mode:

authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local }

undo authorization command

Default

The default authorization method of the ISP domain is used for command authorization.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. No authorization server verifies whether the entered commands are permitted by the user role. The commands are executed successfully if the user role has permission for the commands.

Usage guidelines

Command authorization restricts login users to executing only authorized commands by employing an authorization server to verify whether each entered command is permitted.

After login, users can access the command lines permitted by their authorized user roles.

You can specify one primary command authorization method and multiple backup authorization methods.

When the primary authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization command hwtacacs-scheme hwtacacs-scheme-name local none command specifies the primary HWTACACS authorization method and two backup methods (local authorization and no authorization). The device performs HWTACACS authorization by default and performs local authorization when the HWTACACS server is invalid. The device does not perform command authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, configure the device to perform local command authorization.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization command local

# In ISP domain test, perform command authorization based on HWTACACS scheme hwtac and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local

Related commands

·     authorization accounting (Fundamentals Command Reference)

·     hwtacacs scheme

·     local-user

authorization default

Use authorization default to specify the default authorization method for an ISP domain.

Use undo authorization default to restore the default.

Syntax

In non-FIPS mode:

authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization default

In FIPS mode:

authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo authorization default

Default

The default authorization method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. After passing authentication, FTP, SFTP, and SCP users use the root directory of the device as the working directory but cannot access it, and other login users get the default user role. For more information about the default user role, see Fundamentals Configuration Guide.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default authorization method is used for all users who support this method and do not have an authorization method configured.

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization default radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# Configure the default authorization method for ISP domain test to use RADIUS scheme rd for user authorization and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization default radius-scheme rd local

Related commands

·     hwtacacs scheme

·     local-user

·     radius scheme

authorization login

Use authorization login to configure the authorization method for login users.

Use undo authorization login to restore the default.

Syntax

In non-FIPS mode:

authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization login

In FIPS mode:

authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo authorization login

Default

The default authorization method of the ISP domain is used for login users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. After passing authentication, FTP, SFTP, and SCP users use the root directory of the device as the working directory but cannot access it, and other login users get the default user role. For more information about the default user role, see Fundamentals Configuration Guide.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization login radius-scheme radius-scheme-name local none command specifies the primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authorization for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization login local

# In ISP domain test, perform RADIUS authorization for login users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization login radius-scheme rd local

Related commands

·     authorization default

·     hwtacacs scheme

·     local-user

·     radius scheme

display domain

Use display domain to display the ISP domain configuration.

Syntax

display domain [ isp-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 24 characters. If you do not specify an ISP domain, the command displays the configuration of all ISP domains.

Examples

# Display the configuration of all ISP domains.

<Sysname> display domain

Total 2 domain(s)

 

Domain:system

 State: Active

  Access-limit: Disable

  Access-Count: 0

  default Authentication Scheme:  local

  default Authorization  Scheme:  local

  default Accounting     Scheme:  local

  Authorization attributes :

   Idle-cut : Disable

 

Domain:dm

 State: Active

 Access-limit: 2222

 Access-Count: 0

 login   Authentication Scheme:  radius: rad

 login   Authorization  Scheme:  tacacs: hw

 default Authentication Scheme:  radius: rad, local, none

 default Authorization  Scheme:  local

 default Accounting     Scheme:  none

 Authorization attributes :

  Idle-cut : Disable

 

Default Domain Name: system

Table 1 Command output

Field                              Description
---------------------------------  --------------------------------------------------------------------------
Domain                             ISP domain name.
State                              Status of the ISP domain.
Access-limit                       Limit to the number of user connections. If the number is not limited, this field displays Disabled.
Access-Count                       Number of online users.
default Authentication Scheme      Default authentication method.
default Authorization Scheme       Default authorization method.
default Accounting Scheme          Default accounting method.
login Authentication Scheme        Authentication method for login users.
login Authorization Scheme         Authorization method for login users.
login Accounting Scheme            Accounting method for login users.
Authorization attributes           Authorization attributes for users in the ISP domain.
Idle-cut                           Idle cut feature is disabled. The feature cannot be enabled in ISP domain view.
radius                             RADIUS scheme.
tacacs                             HWTACACS scheme.
local                              Local scheme.
none                               No authentication, no authorization, or no accounting.
Command Authorization Scheme       Command line authorization method.
Command Accounting Scheme          Command line accounting method.
Super Authentication Scheme        Authentication method for obtaining a temporary user role.
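The following script is an added example, not code from the H3C reference. It parses the display domain output shown above into one record per ISP domain, resolves the method list that login users of each domain actually get (the login-specific list when one is configured, otherwise the default list, as the authorization login usage guidelines describe), and reports chains whose last backup method is none, because the device then skips that AAA step when every earlier method is invalid. SAMPLE_OUTPUT is a constructed copy of the output above; the audit rules and the parse_display_domain, effective_chain and audit names are assumptions made for this example.

```python
"""Parse `display domain` output and report the AAA method chain that login
users in each ISP domain actually get.

Added example, not code from the H3C reference. SAMPLE_OUTPUT is a constructed
copy of the `display domain` output in this section. The audit rules are
assumptions made for this example.
"""
import re

SAMPLE_OUTPUT = """\
Total 2 domain(s)

Domain:system
 State: Active
  Access-limit: Disable
  Access-Count: 0
  default Authentication Scheme:  local
  default Authorization  Scheme:  local
  default Accounting     Scheme:  local
  Authorization attributes :
   Idle-cut : Disable

Domain:dm
 State: Active
 Access-limit: 2222
 Access-Count: 0
 login   Authentication Scheme:  radius: rad
 login   Authorization  Scheme:  tacacs: hw
 default Authentication Scheme:  radius: rad, local, none
 default Authorization  Scheme:  local
 default Accounting     Scheme:  none
 Authorization attributes :
  Idle-cut : Disable

Default Domain Name: system
"""

# "<service> <kind> Scheme: <method list>", e.g. "login Authentication Scheme: radius: rad"
SCHEME_RE = re.compile(
    r"^\s*(?P<service>default|login|super|command)\s+"
    r"(?P<kind>authentication|authorization|accounting)\s+scheme:\s*(?P<methods>.+)$",
    re.IGNORECASE,
)


def parse_methods(text):
    """'radius: rad, local, none' -> [('radius', 'rad'), ('local', None), ('none', None)]"""
    methods = []
    for item in text.split(","):
        item = item.strip()
        if ":" in item:
            kind, name = item.split(":", 1)
            methods.append((kind.strip(), name.strip()))
        else:
            methods.append((item, None))
    return methods


def parse_display_domain(output):
    """Return {'default_domain': name, 'domains': {name: {field: value, 'schemes': {...}}}}."""
    result = {"default_domain": None, "domains": {}}
    current = None
    for line in output.splitlines():
        text = line.strip()
        if text.startswith("Default Domain Name:"):
            result["default_domain"] = text.split(":", 1)[1].strip()
            continue
        if text.startswith("Domain:"):
            current = text.split(":", 1)[1].strip()
            result["domains"][current] = {"schemes": {}}
            continue
        if current is None:
            continue
        m = SCHEME_RE.match(text)
        if m:
            key = (m.group("service").lower(), m.group("kind").lower())
            result["domains"][current]["schemes"][key] = parse_methods(m.group("methods"))
        elif ":" in text:
            field, value = text.split(":", 1)
            result["domains"][current][field.strip()] = value.strip()
    return result


def effective_chain(domain, service, kind):
    """Login users get the login-specific method list when one is configured,
    otherwise the domain's default list for that AAA kind."""
    schemes = domain["schemes"]
    return schemes.get((service, kind)) or schemes.get(("default", kind), [])


def audit(parsed):
    """Flag chains ending in none and domains without an access limit."""
    findings = []
    for name, domain in parsed["domains"].items():
        for kind in ("authentication", "authorization", "accounting"):
            chain = effective_chain(domain, "login", kind)
            if chain and chain[-1][0] == "none":
                findings.append((name, kind, "ends-in-none"))
        if domain.get("Access-limit", "").lower() in ("disable", "disabled"):
            findings.append((name, "access-limit", "unlimited"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_display_domain(SAMPLE_OUTPUT)):
        print(finding)
```

On the sample, domain dm has login-specific authentication and authorization lists but falls through to its default accounting list, which is none, so login accounting is reported; domain system is reported only because its access limit is disabled.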

domain

Use domain to create an ISP domain and enter ISP domain view.

Use undo domain to remove an ISP domain.

Syntax

domain isp-name

undo domain isp-name

Default

There is a system-defined ISP domain named system.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters. The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

All ISP domains are in active state when they are created.

The system has a predefined ISP domain named system. You can modify but not remove its configuration.

An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.

Examples

# Create ISP domain test and enter ISP domain view.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test]

Related commands

·     display domain

·     domain default enable

·     state (ISP domain view)

domain default enable

Use domain default enable to specify the default ISP domain. Users whose usernames do not include a domain name are considered to be in the default domain.

Use undo domain default enable to restore the default.

Syntax

domain default enable isp-name

undo domain default enable

Default

The default ISP domain is the system-defined ISP domain system.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters.

Usage guidelines

There can be only one default ISP domain.

The specified ISP domain must already exist.

An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.

Examples

# Create an ISP domain named test, and configure the domain as the default ISP domain.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] quit

[Sysname] domain default enable test

Related commands

·     display domain

·     domain

state (ISP domain view)

Use state to set the status of an ISP domain.

Use undo state to restore the default.

Syntax

state { active | block }

undo state

Default

An ISP domain is in active state.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.

block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services.

Usage guidelines

Blocking an ISP domain prevents offline users of the domain from requesting network services. Online users are not affected.

Examples

# Place the ISP domain test in blocked state.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] state block

Related commands

display domain

Local user commands

access-limit

Use access-limit to set the maximum number of concurrent logins using the local user name.

Use undo access-limit to restore the default.

Syntax

access-limit max-user-number

undo access-limit

Default

The number of concurrent logins using the local user name is not limited.

Views

Local user view

Predefined user roles

network-admin

mdc-admin

Parameters

max-user-number: Specifies the maximum number of concurrent logins, in the range of 1 to 1024.

Usage guidelines

This command takes effect only when local accounting is configured for the local user. It does not apply to FTP, SFTP, or SCP users, because those services do not support accounting.

Examples

# Set the maximum number of concurrent logins to 5 using the local user name abc.

<Sysname> system-view

[Sysname] local-user abc

[Sysname-luser-manage-abc] access-limit 5

Related commands

display local-user

authorization-attribute

Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user.

Use undo authorization-attribute to restore the default.

Syntax

authorization-attribute { acl acl-number | idle-cut minute | user-role role-name | vlan vlan-id | work-directory directory-name } *

undo authorization-attribute { acl | idle-cut | user-role role-name | vlan | work-directory } *

Default

FTP, SFTP, and SCP users have the root directory of the NAS set as the working directory. However, the users do not have permission to access the root directory.

The network-operator user role is assigned to local users that are created by a network-admin or level-15 user on the default MDC.

The mdc-operator user role is assigned to local users that are created by an mdc-admin or level-15 user on a non-default MDC.

Views

Local user view, user group view

Predefined user roles

network-admin

mdc-admin

Parameters

acl acl-number: Specifies an authorization ACL. The value range for the acl-number argument is 2000 to 5999. After passing authentication, a local user can access the network resources specified by this ACL.

idle-cut minute: Sets an idle timeout period in minutes. The value range for the minute argument is 1 to 120. When the idle cut feature is enabled, an online user whose idle period exceeds the specified idle timeout period is logged out.

user-role role-name: Specifies an authorized user role. The role-name argument is a case-sensitive string of 1 to 63 characters. A maximum of 64 user roles can be specified for a user. For user role-related commands, see Fundamentals Command Reference for RBAC commands. This option is available only in local user view, and is not available in user group view.

vlan vlan-id: Specifies an authorized VLAN. The value range for the vlan-id argument is 1 to 4094. After passing authentication and being authorized a VLAN, a local user can access only the resources in this VLAN.

work-directory directory-name: Specifies the working directory for FTP, SFTP, or SCP users. The directory-name argument is a case-insensitive string of 1 to 255 characters. The directory must already exist.

Usage guidelines

Configure authorization attributes according to the application environments and purposes. Support for authorization attributes depends on the service types of users.

·     For Telnet and terminal users, only the authorization attributes idle-cut and user-role are effective.

·     For SSH users, only the authorization attributes idle-cut, user-role, and work-directory are effective.

·     For FTP users, only the authorization attributes user-role and work-directory are effective.

·     For other types of local users, no authorization attribute is effective.

Authorization attributes configured for a user group are intended for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view.

To make sure FTP, SFTP, and SCP users can access the directory after a switchover between the active MPU and the standby MPU, do not specify slot information for the working directory.

To make the user have only the user role authorized by this command, use the undo authorization-attribute user-role command to remove the predefined user roles.
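The following script is an added example, not code from the H3C reference. It encodes the two rules stated in the usage guidelines above (an attribute set in local user view overrides the same attribute set in user group view, and only some attributes take effect for each service type) and reports which configured attributes are silently ignored for a given service. The sample group and user attributes, and the names EFFECTIVE_BY_SERVICE, merge_attributes and effective_attributes, are constructed for this example.

```python
"""Resolve which authorization attributes a local user actually receives.

Added example, not code from the H3C reference. The per-service table and the
precedence rule are taken from the usage guidelines of authorization-attribute;
the sample user and group attributes are constructed.
"""

# Attributes that take effect for each service type (from the usage guidelines).
EFFECTIVE_BY_SERVICE = {
    "telnet": {"idle-cut", "user-role"},
    "terminal": {"idle-cut", "user-role"},
    "ssh": {"idle-cut", "user-role", "work-directory"},
    "ftp": {"user-role", "work-directory"},
}

# user-role is available only in local user view, so a user group cannot grant roles.
GROUP_VIEW_ATTRIBUTES = {"acl", "idle-cut", "vlan", "work-directory"}


def merge_attributes(user_attrs, group_attrs):
    """Local user view wins over user group view for the same attribute."""
    merged = {k: v for k, v in group_attrs.items() if k in GROUP_VIEW_ATTRIBUTES}
    merged.update(user_attrs)
    return merged


def effective_attributes(service_type, user_attrs, group_attrs):
    """Return (attributes that apply, names of attributes that are ignored).

    Service types not in the table get no authorization attribute at all, as the
    guidelines state for other types of local users."""
    merged = merge_attributes(user_attrs, group_attrs)
    allowed = EFFECTIVE_BY_SERVICE.get(service_type, set())
    effective = {k: v for k, v in merged.items() if k in allowed}
    ignored = sorted(k for k in merged if k not in allowed)
    return effective, ignored


# Constructed sample: a group configured like group jj in the display user-group
# output elsewhere in this reference, and a user with an idle-cut override and a role.
GROUP_JJ = {"idle-cut": 2, "work-directory": "flash:/", "acl": 2000, "vlan": 2}
USER_ABC = {"user-role": ["network-admin"], "idle-cut": 10}

if __name__ == "__main__":
    for service in ("ssh", "ftp", "telnet"):
        applied, ignored = effective_attributes(service, USER_ABC, GROUP_JJ)
        print(service, applied, "ignored:", ignored)
```

The point the output makes is that an ACL or VLAN configured on the group never reaches an SSH, FTP, Telnet or terminal user, and that the user's own idle-cut of 10 minutes replaces the group's 2 minutes rather than combining with it.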

Examples

# Configure the authorized user role of the device management user abc as network-admin.

<Sysname> system-view

[Sysname] local-user abc class manage

[Sysname-luser-manage-abc] authorization-attribute user-role network-admin

Related commands

·     display local-user

·     display user-group

display local-user

Use display local-user to display the local user configuration and online user statistics.

Syntax

display local-user [ class manage | idle-cut { disable | enable } | service-type { ftp | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

class manage: Specifies the device management users.

idle-cut { disable | enable }: Specifies local users with the idle cut feature disabled or enabled.

service-type: Specifies the local users who use a specific type of service.

·     ftp: FTP users.

·     ssh: SSH users.

·     telnet: Telnet users.

·     terminal: Terminal users who log in through console ports.

state { active | block }: Specifies local users in active or blocked state. A local user in active state can access network services, but a local user in blocked state cannot.

user-name user-name: Specifies all local users using the specified username. The username must be a case-sensitive string of 1 to 55 characters that does not contain the domain name.

vlan vlan-id: Specifies all local users in a VLAN. The value range for the vlan-id argument is 1 to 4094.

Usage guidelines

If you do not specify any parameters, the command displays information about all local users.

Examples

# Display information about all local users.

<Sysname> display local-user

Total 1 local users matched.

 

Device management user root:

 State:                    Active

 Service Type:             SSH/Telnet/Terminal

 Access limit:             Enabled           Max access number: 3

 Current access number:    1

 User Group:               system

 Bind Attributes:

 Authorization Attributes:

  Work Directory:          flash:

  User Role List:          network-admin

 Password control configurations:

  Password aging:          Enabled (3 days)

Table 2 Command output

Field                                  Description
-------------------------------------  --------------------------------------------------------------------------
State                                  Status of the local user: active or blocked.
Service Type                           Service types that the local user can use, including FTP, SSH, Telnet, and terminal.
Access limit                           Whether the concurrent login limit is enabled.
Max access number                      Maximum number of concurrent logins using the local user name.
Current access number                  Current number of concurrent logins using the local user name.
User Group                             Group to which the local user belongs.
Bind attributes                        Binding attributes of the local user. The device does not support binding attributes.
Authorization attributes               Authorization attributes of the local user.
Idle TimeOut                           Idle timeout period of the user, in minutes.
Work Directory                         Directory that the FTP, SFTP, or SCP user can access.
ACL Number                             Authorization ACL of the local user.
VLAN ID                                Authorized VLAN of the local user.
User Role List                         Authorized roles of the local user.
Password aging                         This field appears only when password aging is enabled. The aging time is displayed in parentheses.
Password length                        This field appears only when password length control is enabled. The minimum password length is displayed in parentheses.
Password composition                   This field appears only when password composition checking is enabled. The field also displays the following information in parentheses:
                                       ·     Minimum number of character types that the password must contain.
                                       ·     Minimum number of characters from each type in the password.
Password complexity                    This field appears only when password complexity checking is enabled. The field also displays the following information in parentheses:
                                       ·     Whether the password can contain the username or the reverse of the username.
                                       ·     Whether the password can contain any character repeated consecutively three or more times.
Maximum login attempts                 Maximum number of consecutive failed login attempts.
Action for exceeding login attempts    Action to take on the user who failed to log in after using up all login attempts.
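The following script is an added example, not code from the H3C reference. It parses display local-user output into one record per device management user and lists the accounts that hold a privileged user role together with their service types and access-limit state, which is the inventory an operator wants when reviewing who can manage the device. SAMPLE_OUTPUT copies the output above and adds a second, constructed user. The example assumes that every user block starts with "Device management user <name>:", that fields are "Key: value" pairs separated by runs of spaces, and that several roles in User Role List are separated by spaces; the function names are constructed.

```python
"""Parse `display local-user` output and list privileged management accounts.

Added example, not code from the H3C reference. SAMPLE_OUTPUT copies the
display local-user output in this section and adds a constructed second user.
Assumptions: one block per "Device management user <name>:" header, "Key: value"
pairs separated by two or more spaces, roles separated by spaces.
"""
import re

SAMPLE_OUTPUT = """\
Total 2 local users matched.

Device management user root:
 State:                    Active
 Service Type:             SSH/Telnet/Terminal
 Access limit:             Enabled           Max access number: 3
 Current access number:    1
 User Group:               system
 Bind Attributes:
 Authorization Attributes:
  Work Directory:          flash:
  User Role List:          network-admin
 Password control configurations:
  Password aging:          Enabled (3 days)

Device management user backup:
 State:                    Block
 Service Type:             FTP
 Access limit:             Disabled
 Current access number:    0
 User Group:               system
 Bind Attributes:
 Authorization Attributes:
  Work Directory:          flash:/backup
  User Role List:          network-operator
"""

USER_HEADER = "Device management user "
# One or more "Key: value" pairs on a line; a value ends where two or more
# spaces precede the next capitalised key, or at end of line.
PAIR_RE = re.compile(r"([A-Z][A-Za-z ]*?):\s*(.*?)(?=\s{2,}[A-Z][A-Za-z ]*:|$)")

# Roles named in this reference that can change the device configuration.
PRIVILEGED_ROLES = {"network-admin", "mdc-admin", "level-15"}


def parse_display_local_user(output):
    """Return {user name: {field: value}}."""
    users = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(USER_HEADER) and line.endswith(":"):
            current = line[len(USER_HEADER):-1]
            users[current] = {}
            continue
        if current is None or ":" not in line:
            continue
        for key, value in PAIR_RE.findall(line):
            users[current][key.strip()] = value.strip()
    return users


def privileged_users(users):
    """(name, service types, access-limit state) for each user with a privileged role."""
    result = []
    for name, fields in users.items():
        roles = set(fields.get("User Role List", "").split())
        if roles & PRIVILEGED_ROLES:
            result.append((name, fields.get("Service Type", ""), fields.get("Access limit", "")))
    return result


def unlimited_users(users):
    """Users whose concurrent login limit is not enabled (see access-limit)."""
    return sorted(n for n, f in users.items()
                  if f.get("Access limit", "").lower().startswith("disable"))


if __name__ == "__main__":
    parsed = parse_display_local_user(SAMPLE_OUTPUT)
    print("privileged:", privileged_users(parsed))
    print("no access limit:", unlimited_users(parsed))
```

The regex handles the one line in the output that carries two fields (Access limit and Max access number) without splitting values such as flash: or Enabled (3 days).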

display user-group

Use display user-group to display the user group configuration.

Syntax

display user-group [ group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters. If you do not specify a user group, the command displays the configuration of all user groups.

Examples

# Display the configuration of all user groups.

<Sysname> display user-group

Total 2 user groups matched.

 

The contents of user group system:

 Authorization Attributes:

  Work Directory:          flash:

The contents of user group jj:

 Authorization Attributes:

  Idle TimeOut:            2 (min)

  Work Directory:          flash:/

  ACL Number:              2000

  VLAN ID:                 2

Password control configurations:

  Password aging:          Enabled (2 days)

Table 3 Command output

Field                                  Description
-------------------------------------  --------------------------------------------------------------------------
Idle TimeOut                           Idle timeout period, in minutes.
Work Directory                         Directory that FTP, SFTP, or SCP users in the group can access.
ACL Number                             Authorization ACL.
VLAN ID                                Authorized VLAN.
Password control configurations        Password control attributes that are configured for the user group.
Password aging                         This field appears only when password aging is enabled. The aging time is displayed in parentheses.
Password length                        This field appears only when password length control is enabled. The minimum password length is displayed in parentheses.
Password composition                   This field appears only when password composition checking is enabled. The field also displays the following information in parentheses:
                                       ·     Minimum number of character types that the password must contain.
                                       ·     Minimum number of characters from each type in the password.
Password complexity                    This field appears only when password complexity checking is enabled. The field also displays the following information in parentheses:
                                       ·     Whether the password can contain the username or the reverse of the username.
                                       ·     Whether the password can contain any character repeated consecutively three or more times.
Maximum login attempts                 Maximum number of consecutive failed login attempts.
Action for exceeding login attempts    Action to take on the user who failed to log in after using up all login attempts.

group

Use group to assign a local user to a user group.

Use undo group to restore the default.

Syntax

group group-name

undo group

Default

A local user belongs to the system-defined user group system.

Views

Local user view

Predefined user roles

network-admin

mdc-admin

Parameters

group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Examples

# Assign device management user 111 to user group abc.

<Sysname> system-view

[Sysname] local-user 111 class manage

[Sysname-luser-manage-111] group abc

Related commands

display local-user

local-user

Use local-user to add a local user and enter local user view.

Use undo local-user to remove local users.

Syntax

local-user user-name [ class manage ]

undo local-user { user-name class manage | all [ service-type { ftp | ssh | telnet | terminal } | class manage ] }

Default

No local user exists.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

user-name: Specifies a name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name. A local user name cannot contain a forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). The name cannot be a, al, or all, either.

class manage: Specifies the device management user. Device management users can configure and monitor the device after login. They can use FTP, Telnet, SSH, and terminal services.

all: Specifies all users.

service-type: Specifies the local users who use a specific type of service.

·     ftp: FTP users.

·     ssh: SSH users.

·     telnet: Telnet users.

·     terminal: Terminal users who log in through console ports.

Examples

# Add a device management user named user1.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1]

Related commands

·     display local-user

·     service-type

password

Use password to configure a password for a local user.

Use undo password to delete the password of a local user.

Syntax

In non-FIPS mode:

password [ { hash | simple } password ]

undo password

In FIPS mode:

password

Default

·     In non-FIPS mode, there is no password configured for a local user. A local user can pass authentication after entering the correct username and passing attribute checks.

·     In FIPS mode, there is no password configured for a local user. A local user cannot pass authentication.

Views

Local user view

Predefined user roles

network-admin

mdc-admin

Parameters

hash: Sets a hashed password.

simple: Sets a plaintext password.

password: Specifies the password string. This argument is case sensitive.

·     In non-FIPS mode:

      ○     A hashed password is a string of 1 to 110 characters.

      ○     A plaintext password is a string of 1 to 63 characters.

·     In FIPS mode, a password is a plaintext string of 15 to 63 characters and must contain digits, uppercase letters, lowercase letters, and special characters (see "Password control commands").

Usage guidelines

If you do not specify any parameters or the device operates in FIPS mode, you enter the interactive mode to set a plaintext password.

In non-FIPS mode, a non-password-protected user passes authentication if the user provides the correct username and passes attribute checks. To enhance security, configure a password for each local user. In FIPS mode, only password-protected users can pass authentication.

Device management users support plaintext and hashed passwords. For security purposes, all passwords, including passwords configured in plain text, are stored in hashed form.
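The following script is an added example, not code from the H3C reference. It checks a candidate password against the limits the Parameters section states (non-FIPS plaintext 1 to 63 characters and hashed 1 to 110; FIPS 15 to 63 characters with digits, uppercase letters, lowercase letters, and special characters) and audits a list of local users for the case the usage guidelines warn about, a user with no password at all. Which characters count as special is defined under the password control commands, not here, so the example assumes ASCII punctuation; the user list and the function names are constructed.

```python
"""Check local-user passwords against the limits given for the password command.

Added example, not code from the H3C reference. Limits come from the Parameters
section of the password command; the set of special characters is an assumption
(ASCII punctuation) and the sample user list is constructed.
"""
import string

SPECIAL_CHARACTERS = set(string.punctuation)  # assumption, see the lead-in
REQUIRED_CLASSES = {"digit", "upper", "lower", "special"}


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.isdigit():
            classes.add("digit")
        elif ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch in SPECIAL_CHARACTERS:
            classes.add("special")
    return classes


def check_password(password, fips_mode, hashed=False):
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if fips_mode:
        if hashed:
            # In FIPS mode the command takes only an interactive plaintext password.
            problems.append("hashed passwords cannot be set in FIPS mode")
        if not 15 <= len(password) <= 63:
            problems.append("FIPS mode requires 15 to 63 characters")
        missing = REQUIRED_CLASSES - character_classes(password)
        if missing:
            problems.append("missing character classes: " + ", ".join(sorted(missing)))
    else:
        limit = 110 if hashed else 63
        if not 1 <= len(password) <= limit:
            problems.append(f"length must be 1 to {limit} characters")
    return problems


def audit_local_users(users, fips_mode):
    """users maps a local user name to its plaintext password, or None when no
    password is configured. In non-FIPS mode such a user still passes
    authentication on the username alone, so it is always reported."""
    findings = {}
    for name, password in users.items():
        if password is None:
            findings[name] = ["no password configured"]
            continue
        problems = check_password(password, fips_mode)
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    # Constructed sample: the password from the example above, a short one, and a
    # user without any password.
    sample_users = {"user1": "123456TESTplat&!", "test": "short1A!", "guest": None}
    print(audit_local_users(sample_users, fips_mode=True))
```

The example password from the command reference, 123456TESTplat&!, satisfies both modes; short1A! has all four character classes but fails the FIPS length rule, and a user with no password is reported in either mode.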

Examples

# Set the password of the device management user user1 to 123456TESTplat&! in plain text.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] password simple 123456TESTplat&!

# Set the password of the device management user test in interactive mode.

<Sysname> system-view

[Sysname] local-user test class manage

[Sysname-luser-manage-test] password

Password:

Confirm :

Related commands

·     display local-user

·     local-user password-display-mode

service-type

Use service-type to specify the service types that a local user can use.

Use undo service-type to delete service types configured for a local user.

Syntax

In non-FIPS mode:

service-type { ftp | { ssh | telnet | terminal } * }

undo service-type { ftp | { ssh | telnet | terminal } * }

In FIPS mode:

service-type { ssh | terminal } *

undo service-type { ssh | terminal } *

Default

A local user is not authorized to use any service.

Views

Local user view

Predefined user roles

network-admin

mdc-admin

Parameters

ftp: Authorizes the user to use the FTP service. By default, the user can use the root directory of the FTP, SFTP, or SCP server. The authorized directory can be modified by using the authorization-attribute work-directory command.

ssh: Authorizes the user to use the SSH service.

telnet: Authorizes the user to use the Telnet service.

terminal: Authorizes the user to use the terminal service and log in from a console port.

Usage guidelines

You can assign multiple service types to a user.

Examples

# Authorize the device management user user1 to use the Telnet and FTP services.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] service-type telnet

[Sysname-luser-manage-user1] service-type ftp

Related commands

display local-user

state (local user view)

Use state to set the status of a local user.

Use undo state to restore the default.

Syntax

state { active | block }

undo state

Default

A local user is in active state.

Views

Local user view

Predefined user roles

network-admin

mdc-admin

Parameters

active: Places the local user in active state to allow the local user to request network services.

block: Places the local user in blocked state to prevent the local user from requesting network services.

Usage guidelines

This command applies only to the local user.

Examples

# Place the device management user user1 in blocked state.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] state block

Related commands

display local-user

user-group

Use user-group to create a user group and enter user group view.

Use undo user-group to delete a user group.

Syntax

user-group group-name

undo user-group group-name

Default

There is a user group named system in the system.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group. Configurable user attributes are authorization attributes.

A user group with one or more local users cannot be deleted.

The system has a predefined user group named system. You can modify but not remove its configuration.

Examples

# Create a user group named abc and enter user group view.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc]

Related commands

display user-group

RADIUS commands

accounting-on enable

Use accounting-on enable to configure the accounting-on feature.

Use undo accounting-on enable to restore the default.

Syntax

accounting-on enable [ interval seconds | send send-times ] *

undo accounting-on enable

Default

The accounting-on feature is disabled.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

interval seconds: Specifies the time interval for retransmitting an accounting-on packet in seconds. The value range for the seconds argument is 1 to 15, and the default setting is 3 seconds.

send send-times: Specifies the maximum number of accounting-on packet transmission attempts. The value range for the send-times argument is 1 to 255, and the default setting is 50.

Usage guidelines

The accounting-on feature enables the device to automatically send an accounting-on packet to the RADIUS server after a device or card reboot. Upon receiving the accounting-on packet, the RADIUS server logs out all online users so they can log in again through the device.

Execute the save command to make sure the accounting-on enable command takes effect at the next reboot. For information about the save command, see Fundamentals Command Reference.

Parameters set with the accounting-on enable command take effect immediately.

Examples

# Enable the accounting-on feature for RADIUS scheme radius1, and set the retransmission interval to 5 seconds and the transmission attempts to 15.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] accounting-on enable interval 5 send 15

Related commands

display radius scheme

attribute 15 check-mode

Use attribute 15 check-mode to configure the Login-Service attribute check method for SSH, FTP, and terminal users.

Use undo attribute 15 check-mode to restore the default.

Syntax

attribute 15 check-mode { loose | strict }

undo attribute 15 check-mode

Default

The strict check method applies for SSH, FTP, and terminal users.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

loose: Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services.

strict: Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively.

Usage guidelines

Use the loose check method only when the server does not issue Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal users.

Examples

# Configure the Login-Service attribute check method as loose for SSH, FTP, and terminal users in RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 15 check-mode loose

Related commands

display radius scheme

data-flow-format (RADIUS scheme view)

Use data-flow-format to set the data flow and packet measurement units for traffic statistics.

Use undo data-flow-format to restore the default.

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *

undo data-flow-format { data | packet }

Default

Traffic is counted in bytes and packets.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.

packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.

Usage guidelines

The data flow and packet measurement units for traffic statistics must be the same as configured on the RADIUS accounting servers. Otherwise, accounting results might be incorrect.

Examples

# In RADIUS scheme radius1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet

Related commands

display radius scheme

display radius scheme

Use display radius scheme to display the configuration of RADIUS schemes.

Syntax

display radius scheme [ radius-scheme-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify a RADIUS scheme, the command displays the configuration of all RADIUS schemes.

Examples

# Display the configuration of all RADIUS schemes.

<Sysname> display radius scheme

Total 2 RADIUS schemes

 

------------------------------------------------------------------

RADIUS Scheme Name  : rad

  Index : 0

  Primary Auth Server:

    Host name: radius.com

    IP  : 82.0.0.37                                Port: 1812   State: Active

    VPN : Not configured

  Primary Acct Server:

    Host name: radius.com

    IP  : 82.0.0.37                                Port: 1813   State: Active

    VPN : Not configured

 

  Accounting-On function                     : Disabled

    retransmission times                     : 50

    retransmission interval(seconds)         : 3

  Timeout Interval(seconds)                  : 3

  Retransmission Times                       : 3

  Retransmission Times for Accounting Update : 5

  Server Quiet Period(minutes)               : 5

  Realtime Accounting Interval(minutes)      : 12

  NAS IP Address                             : Not configured

  VPN                                        : Not configured

  User Name Format                           : without-domain

------------------------------------------------------------------

RADIUS Scheme Name  : rad2

  Index : 1

  Primary Auth Server:

    Host name: radius.com

    IP  : 82.0.0.37                                Port: 1812   State: Active

    VPN : 1

  Primary Acct Server:

    Host name: radius.com

    IP  : 82.0.0.37                                Port: 1813   State: Active

    VPN : 1

 

  Accounting-On function                     : Disabled

    retransmission times                     : 50

    retransmission interval(seconds)         : 3

  Timeout Interval(seconds)                  : 3

  Retransmission Times                       : 3

  Retransmission Times for Accounting Update : 5

  Server Quiet Period(minutes)               : 5

  Realtime Accounting Interval(minutes)      : 12

  NAS IP Address                             : Not configured

  VPN                                        : Not configured

  User Name Format                           : without-domain

  Attribute 15 check-mode                    : Strict

------------------------------------------------------------------

Table 4 Command output

Field                                         Description
--------------------------------------------  --------------------------------------------------------------------------
Index                                         Index number of the RADIUS scheme.
Primary Auth Server                           Information about the primary authentication server.
Primary Acct Server                           Information about the primary accounting server.
Second Auth Server                            Information about the secondary authentication server.
Second Acct Server                            Information about the secondary accounting server.
Host name                                     Hostname of the server. The field displays Not configured in the following situations:
                                              ·     The server is not configured.
                                              ·     The server is specified by IP address.
IP                                            IP address of the server. This field displays Not configured in the following situations:
                                              ·     The server is not configured.
                                              ·     The server is specified by hostname, and the hostname is not resolved.
Port                                          Service port number of the server. If no port number is specified, this field displays the default port number.
State                                         Status of the server: active or blocked.
VPN                                           VPN to which the server belongs. If no VPN is specified for the server, this field displays Not configured.
Server: n                                     Member ID of the security policy server.
IP                                            IP address of the security policy server.
VPN                                           VPN to which the security policy server belongs. If no VPN is specified for the server, this field displays Not configured.
Accounting-On function                        Whether the accounting-on feature is enabled.
retransmission times                          Number of accounting-on packet transmission attempts.
retransmission interval(seconds)              Interval at which the device retransmits accounting-on packets, in seconds.
Timeout Interval(seconds)                     RADIUS server response timeout period, in seconds.
Retransmission Times                          Maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.
Retransmission Times for Accounting Update    Maximum number of accounting attempts.
Server Quiet Period(minutes)                  Quiet period for the servers, in minutes.
Realtime Accounting Interval(minutes)         Interval for sending real-time accounting updates, in minutes.
NAS IP Address                                Source IP address for outgoing RADIUS packets.
VPN                                           VPN to which the RADIUS scheme belongs. If no VPN is specified for the server, this field displays Not configured.
User Name Format                              Format for the usernames sent to the RADIUS server. Possible values include:
                                              ·     with-domain—Includes the domain name.
                                              ·     without-domain—Excludes the domain name.
                                              ·     keep-original—Forwards the username as the username is entered.
Attribute 15 check-mode                       RADIUS Login-Service attribute check method for SSH, FTP, and terminal users:
                                              ·     Strict—Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively.
                                              ·     Loose—Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services.

display radius statistics

Use display radius statistics to display RADIUS packet statistics.

Syntax

display radius statistics

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Examples

# Display RADIUS packet statistics.

<Sysname> display radius statistics

 

                                 Auth.         Acct.       SessCtrl.
          Request Packet:          0             0             0
            Retry Packet:          0             0             -
          Timeout Packet:          0             0             -
        Access Challenge:          0             -             -
           Account Start:          -             0             -
          Account Update:          -             0             -
            Account Stop:          -             0             -
       Terminate Request:          -             -             0
              Set Policy:          -             -             0
    Packet With Response:          0             0             0
 Packet Without Response:          0             0             -
          Access Rejects:          0             -             -
          Dropped Packet:          0             0             0
          Check Failures:          0             0             0

Table 5 Command output

Field                     Description
Auth.                     Authentication packets.
Acct.                     Accounting packets.
SessCtrl.                 Session-control packets.
Request Packet            Number of request packets.
Retry Packet              Number of retransmitted request packets.
Timeout Packet            Number of request packets timed out.
Access Challenge          Number of access challenge packets.
Account Start             Number of start-accounting packets.
Account Update            Number of accounting update packets.
Account Stop              Number of stop-accounting packets.
Terminate Request         Number of packets for logging off users forcibly.
Set Policy                Number of packets for updating user authorization information.
Packet With Response      Number of packets for which responses were received.
Packet Without Response   Number of packets for which no responses were received.
Access Rejects            Number of Access-Reject packets.
Dropped Packet            Number of discarded packets.
Check Failures            Number of packets with checksum errors.
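The output layout above, parsed into counters and run through the two checks an operator looks at first (unanswered requests and check failures). This is an added example, not H3C code; the sample output is constructed with non-zero counters so the checks have something to find.

```python
"""Parse 'display radius statistics' output and flag unhealthy counters.

Added example, not H3C code. SAMPLE_OUTPUT is constructed in the layout the
command prints; a fresh scheme on a real device shows all zeros.
"""
from typing import Dict, List, Optional

COLUMNS = ("Auth.", "Acct.", "SessCtrl.")
Counters = Dict[str, Dict[str, Optional[int]]]

# Constructed sample (same row labels and columns as the real output).
SAMPLE_OUTPUT = """\
                                 Auth.         Acct.       SessCtrl.
          Request Packet:        120            80             4
            Retry Packet:         30             2             -
          Timeout Packet:         10             0             -
        Access Challenge:          5             -             -
           Account Start:          -            40             -
          Account Update:          -            35             -
            Account Stop:          -             5             -
       Terminate Request:          -             -             3
              Set Policy:          -             -             1
    Packet With Response:        110            80             4
 Packet Without Response:         10             0             -
          Access Rejects:          7             -             -
          Dropped Packet:          0             0             0
          Check Failures:          3             0             0
"""


def parse_radius_statistics(text: str) -> Counters:
    """Return {row label: {column: count or None}}; '-' means the counter does not apply."""
    stats: Counters = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # column header, CLI prompt or blank line
        label, _, rest = line.partition(":")
        values = rest.split()
        if len(values) != len(COLUMNS):
            raise ValueError(f"unexpected row: {line!r}")
        stats[label.strip()] = {
            col: None if v == "-" else int(v) for col, v in zip(COLUMNS, values)
        }
    return stats


def health_findings(stats: Counters, max_unanswered_ratio: float = 0.05) -> List[str]:
    """Flag columns where too many requests went unanswered (server or path down,
    see the State field of display radius scheme) and any check failures, which the
    output table describes as checksum errors and usually point at a shared key or
    port mismatch with the server."""
    findings: List[str] = []
    for col in COLUMNS:
        sent = stats["Request Packet"][col]
        unanswered = stats["Packet Without Response"][col]
        if sent and unanswered is not None and unanswered / sent > max_unanswered_ratio:
            findings.append(f"{col} {unanswered} of {sent} requests got no response")
        failed = stats["Check Failures"][col]
        if failed:
            findings.append(f"{col} {failed} packets failed the check")
    return findings


if __name__ == "__main__":
    for finding in health_findings(parse_radius_statistics(SAMPLE_OUTPUT)):
        print(finding)
```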

 

Related commands

reset radius statistics

key (RADIUS scheme view)

Use key to set the shared key for secure RADIUS communication.

Use undo key to restore the default.

Syntax

key { accounting | authentication } { cipher | simple } string

undo key { accounting | authentication }

Default

No shared key is configured.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

accounting: Sets the shared key for secure RADIUS accounting communication.

authentication: Sets the shared key for secure RADIUS authentication communication.

cipher: Sets a ciphertext shared key.

simple: Sets a plaintext shared key.

string: Specifies the shared key string. This argument is case sensitive.

·     In non-FIPS mode:

¡     A ciphertext shared key is a string of 1 to 117 characters.

¡     A plaintext shared key is a string of 1 to 64 characters.

·     In FIPS mode:

¡     A ciphertext shared key is a string of 15 to 117 characters.

¡     A plaintext shared key is a string of 15 to 64 characters that must contain digits, uppercase letters, lowercase letters, and special characters.

Usage guidelines

The shared keys configured by using this command apply to all servers in the scheme. Make sure the settings match the shared keys configured on the RADIUS servers.

The shared keys specified for specific RADIUS servers take precedence over the shared key specified with this command.

For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
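The length and complexity rules above, and the same rules for the per-server key option of the primary/secondary accounting and authentication commands, as a checker. Added example, not H3C code; the sample keys are constructed (two of them are the ones used in this section's examples).

```python
"""Check a RADIUS shared key against the rules of the key command.

Added example, not H3C code. form is 'simple' (plaintext) or 'cipher'
(ciphertext); fips selects the FIPS-mode limits. The device stores every key
in ciphertext regardless, so the plaintext rules apply only at entry time.
"""
import string


def validate_shared_key(key: str, form: str, fips: bool) -> None:
    """Raise ValueError with the reason if the key would be rejected."""
    if form == "cipher":
        lo, hi = (15, 117) if fips else (1, 117)
    elif form == "simple":
        lo, hi = (15, 64) if fips else (1, 64)
    else:
        raise ValueError(f"unknown key form {form!r}")
    if not lo <= len(key) <= hi:
        raise ValueError(f"{form} key must be {lo} to {hi} characters, got {len(key)}")
    if form == "simple" and fips:
        # FIPS mode requires all four character classes in a plaintext key.
        classes = {
            "digit": any(c.isdigit() for c in key),
            "uppercase letter": any(c.isupper() for c in key),
            "lowercase letter": any(c.islower() for c in key),
            "special character": any(c in string.punctuation for c in key),
        }
        missing = [name for name, present in classes.items() if not present]
        if missing:
            raise ValueError("FIPS plaintext key is missing: " + ", ".join(missing))


def is_acceptable_key(key: str, form: str, fips: bool) -> bool:
    try:
        validate_shared_key(key, form, fips)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples; "ok" and "123456TESTacct&!" are the keys this section's examples use.
    for key, fips in (("ok", False), ("ok", True), ("123456TESTacct&!", True)):
        mode = "FIPS" if fips else "non-FIPS"
        print(f"{key!r} as a plaintext key in {mode} mode: {is_acceptable_key(key, 'simple', fips)}")
```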

Examples

# For RADIUS scheme radius1, set the shared key for secure accounting communication to ok in plain text.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] key accounting simple ok

Related commands

display radius scheme

nas-ip (RADIUS scheme view)

Use nas-ip to specify a source IP address for outgoing RADIUS packets.

Use undo nas-ip to delete a source IP address for outgoing RADIUS packets.

Syntax

nas-ip ipv4-address

undo nas-ip

Default

The source IP address of an outgoing RADIUS packet is that specified by using the radius nas-ip command in system view.

If the radius nas-ip command is not configured, the source IP address is the IP address of the outbound interface.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

Usage guidelines

The source IP address of the RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS.

·     If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

·     If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

When you use both the nas-ip and radius nas-ip commands, the following guidelines apply:

·     The setting configured by using the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.

·     The setting configured by using the radius nas-ip command in system view applies to all RADIUS schemes.

·     The setting in RADIUS scheme view takes precedence over the setting in system view.

If no source IP address is specified for outgoing RADIUS packets, the address of the outbound interface is used, and a physical port error on that interface prevents packets returned from the server from reaching the device. As a best practice, configure a loopback interface address as the source IP address for outgoing RADIUS packets.

A RADIUS scheme can have only one source IP address for outgoing RADIUS packets. If you specify a new source IP address for the same RADIUS scheme, the new address overwrites the old one.

Examples

# Set the source IP address for outgoing RADIUS packets to 10.1.1.1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] nas-ip 10.1.1.1

Related commands

·     display radius scheme

·     radius nas-ip

primary accounting (RADIUS scheme view)

Use primary accounting to specify the primary RADIUS accounting server.

Use undo primary accounting to remove the configuration.

Syntax

primary accounting { host-name | ipv4-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *

undo primary accounting

Default

No primary RADIUS accounting server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the primary RADIUS accounting server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the primary RADIUS accounting server.

port-number: Specifies the service port number of the primary RADIUS accounting server. The value range for the UDP port number is 1 to 65535, and the default setting is 1813.

key { cipher | simple } string: Sets the shared key for secure communication with the primary RADIUS accounting server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 117 characters.

¡     In FIPS mode, the key is a string of 15 to 117 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 64 characters.

¡     In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary RADIUS accounting server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Two accounting servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of the primary RADIUS accounting server must be the same as the settings configured on the server.

The shared key configured by using this command takes precedence over the shared key configured with the key accounting command. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.

If you use the primary accounting command to modify or delete the primary accounting server to which the device is sending a start-accounting request, communication with the primary server times out. The device tries to communicate with an active server that has the highest priority for accounting.

If you remove an actively used accounting server, the device no longer sends users' real-time accounting requests and stop-accounting requests. It does not buffer the stop-accounting requests, either. The device might generate incorrect accounting results.

Examples

# Specify the primary accounting server with IP address 10.110.1.2, UDP port number 1813, and plaintext shared key 123456TESTacct&! for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary accounting 10.110.1.2 1813 key simple 123456TESTacct&!

Related commands

·     display radius scheme

·     key (RADIUS scheme view)

·     secondary accounting (RADIUS scheme view)

·     vpn-instance (RADIUS scheme view)

primary authentication (RADIUS scheme view)

Use primary authentication to specify the primary RADIUS authentication server.

Use undo primary authentication to remove the configuration.

Syntax

primary authentication { host-name | ipv4-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *

undo primary authentication

Default

No primary RADIUS authentication server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the primary RADIUS authentication server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication server.

port-number: Specifies the service port number of the primary RADIUS authentication server. The value range for the UDP port number is 1 to 65535, and the default setting is 1812.

key { cipher | simple } string: Sets the shared key for secure communication with the primary RADIUS authentication server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 117 characters.

¡     In FIPS mode, the key is a string of 15 to 117 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 64 characters.

¡     In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary RADIUS authentication server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Two authentication servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The service port and shared key settings of the primary RADIUS authentication server must be the same as the settings configured on the server.

The shared key configured by this command takes precedence over the shared key configured with the key authentication command. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.

If you use the primary authentication command to modify or delete the primary authentication server during an authentication process, communication with the primary server times out. The device tries to communicate with an active server that has the highest priority for authentication.

Examples

# Specify the primary authentication server with IP address 10.110.1.1, UDP port number 1812, and plaintext shared key 123456TESTauth&! for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary authentication 10.110.1.1 1812 key simple 123456TESTauth&!

Related commands

·     display radius scheme

·     key (RADIUS scheme view)

·     secondary authentication (RADIUS scheme view)

·     vpn-instance (RADIUS scheme view)

radius nas-ip

Use radius nas-ip to specify a source IP address for outgoing RADIUS packets.

Use undo radius nas-ip to delete a source IP address for outgoing RADIUS packets.

Syntax

radius nas-ip ipv4-address [ vpn-instance vpn-instance-name ]

undo radius nas-ip ipv4-address [ vpn-instance vpn-instance-name ]

Default

The source IP address of an outgoing RADIUS packet is the IP address of the outbound interface.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IPv4 address belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To configure a public-network source IPv4 address, do not specify this option.

Usage guidelines

The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS.

·     If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

·     If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

If no source IP address is specified for outgoing RADIUS packets, the address of the outbound interface is used, and a physical port error on that interface prevents packets returned from the server from reaching the device.

You can specify a maximum of 16 source IP addresses, including the following IP addresses:

·     Zero or one public-network source IPv4 address.

·     Private-network source IPv4 addresses.

A newly specified public-network source IPv4 address overwrites the previous address. Each VPN can have a maximum of one private-network source IPv4 address.

When you use both the nas-ip and radius nas-ip commands, the following guidelines apply:

·     The setting configured by the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.

·     The setting configured by the radius nas-ip command in system view applies to all RADIUS schemes.

·     The setting in RADIUS scheme view takes precedence over the setting in system view.
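The source-address rules of nas-ip (RADIUS scheme view) and radius nas-ip (system view) modelled together: the address constraints, the system-view table of one public address plus at most one address per VPN (16 in total), and the precedence scheme nas-ip, then radius nas-ip, then outbound interface. Added example, not H3C code; it assumes the system-view entry is selected by the VPN the packet is sent in, and the device addresses in the test are constructed.

```python
"""Source-address selection for outgoing RADIUS packets (nas-ip / radius nas-ip).

Added example, not H3C code. Assumption: the radius nas-ip entry is looked up
by the VPN the scheme's server belongs to (None = public network).
"""
import ipaddress
from typing import Dict, Optional, Set

MAX_SYSTEM_NAS_IPS = 16  # limit stated for radius nas-ip
CLASS_E = ipaddress.IPv4Network("240.0.0.0/4")


def validate_nas_ip(addr: str, device_addresses: Set[str]) -> ipaddress.IPv4Address:
    """Apply the constraints of the ipv4-address parameter; raise ValueError if violated."""
    ip = ipaddress.IPv4Address(addr)
    if ip in (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255")):
        raise ValueError(f"{addr}: all-zeros and broadcast addresses are rejected")
    if ip.is_multicast:  # class D, 224.0.0.0/4
        raise ValueError(f"{addr}: class D address")
    if ip in CLASS_E:  # class E, 240.0.0.0/4
        raise ValueError(f"{addr}: class E address")
    if ip.is_loopback:  # 127.0.0.0/8; an address assigned to a loopback interface is fine
        raise ValueError(f"{addr}: loopback address")
    if str(ip) not in device_addresses:
        raise ValueError(f"{addr}: not an address of this device")
    return ip


def is_valid_nas_ip(addr: str, device_addresses: Set[str]) -> bool:
    try:
        validate_nas_ip(addr, device_addresses)
        return True
    except ValueError:
        return False


class RadiusNasIpTable:
    """System-view radius nas-ip entries keyed by VPN name (None = public network)."""

    def __init__(self, device_addresses: Set[str]) -> None:
        self.device_addresses = device_addresses
        self.entries: Dict[Optional[str], ipaddress.IPv4Address] = {}

    def add(self, addr: str, vpn: Optional[str] = None) -> None:
        ip = validate_nas_ip(addr, self.device_addresses)
        # A new address for the same VPN (or for the public network) overwrites the
        # old one, so only a VPN not seen before counts against the limit of 16.
        if vpn not in self.entries and len(self.entries) >= MAX_SYSTEM_NAS_IPS:
            raise ValueError(f"at most {MAX_SYSTEM_NAS_IPS} source IP addresses can be specified")
        self.entries[vpn] = ip

    def remaining_slots(self) -> int:
        return MAX_SYSTEM_NAS_IPS - len(self.entries)


def source_address(scheme_nas_ip: Optional[str], system_table: RadiusNasIpTable,
                   vpn: Optional[str], outbound_interface_ip: str) -> str:
    """Precedence: nas-ip in the scheme, then radius nas-ip in system view, then the
    outbound interface address. The result must equal the NAS address the RADIUS
    server has on record, or the server drops the packet."""
    if scheme_nas_ip is not None:
        return str(validate_nas_ip(scheme_nas_ip, system_table.device_addresses))
    if vpn in system_table.entries:
        return str(system_table.entries[vpn])
    return outbound_interface_ip


if __name__ == "__main__":
    # Constructed device addresses: LoopBack0 10.1.1.1, LoopBack1 129.10.10.1, uplink 192.0.2.7
    device = {"10.1.1.1", "129.10.10.1", "192.0.2.7"}
    table = RadiusNasIpTable(device)
    table.add("129.10.10.1")  # [Sysname] radius nas-ip 129.10.10.1
    print(source_address("10.1.1.1", table, None, "192.0.2.7"))  # scheme setting wins
    print(source_address(None, table, None, "192.0.2.7"))        # system setting
    print(source_address(None, table, "vpn2", "192.0.2.7"))      # nothing for vpn2: interface
```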

Examples

# Set the IP address for the device to use as the source address of the RADIUS packets to 129.10.10.1.

<Sysname> system-view

[Sysname] radius nas-ip 129.10.10.1

Related commands

nas-ip (RADIUS scheme view)

radius session-control enable

Use radius session-control enable to enable the RADIUS session-control feature.

Use undo radius session-control enable to restore the default.

Syntax

radius session-control enable

undo radius session-control enable

Default

The RADIUS session-control feature is disabled and the UDP port 1812 is closed.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

The RADIUS session-control feature enables the device to receive RADIUS session-control packets on UDP port 1812 from a RADIUS server that runs on IMC.

Examples

# Enable the RADIUS session-control feature.

<Sysname> system-view

[Sysname] radius session-control enable

radius scheme

Use radius scheme to create a RADIUS scheme and enter RADIUS scheme view.

Use undo radius scheme to delete a RADIUS scheme.

Syntax

radius scheme radius-scheme-name

undo radius scheme radius-scheme-name

Default

No RADIUS scheme is defined.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

radius-scheme-name: Specifies the RADIUS scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

A RADIUS scheme can be used by more than one ISP domain at the same time.

The device supports a maximum of 16 RADIUS schemes.

Examples

# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1]

Related commands

display radius scheme

reset radius statistics

Use reset radius statistics to clear RADIUS statistics.

Syntax

reset radius statistics

Views

User view

Predefined user roles

network-admin

mdc-admin

Examples

# Clear RADIUS statistics.

<Sysname> reset radius statistics

Related commands

display radius statistics

retry

Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.

Use undo retry to restore the default.

Syntax

retry retry-times

undo retry

Default

The maximum number of RADIUS packet transmission attempts is 3.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

retry-times: Specifies the maximum number of RADIUS packet transmission attempts, in the range of 1 to 20.

Usage guidelines

Because RADIUS uses UDP packets to transmit data, the communication is not reliable.

·     If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request.

·     If the device does not receive a response from the RADIUS server after the maximum number of transmission attempts is reached, the device considers the request a failure.

The maximum number of packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 300 seconds.

Examples

# Set the maximum number of RADIUS packet transmission attempts to 5 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry 5

Related commands

·     radius scheme

·     timer response-timeout (RADIUS scheme view)

retry realtime-accounting

Use retry realtime-accounting to set the maximum number of accounting attempts.

Use undo retry realtime-accounting to restore the default.

Syntax

retry realtime-accounting retry-times

undo retry realtime-accounting

Default

The maximum number of accounting attempts is 5.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

retry-times: Specifies the maximum number of accounting attempts, in the range of 1 to 255.

Usage guidelines

Typically, a RADIUS accounting server checks whether a user is online by using a timeout timer. If the server does not receive a real-time accounting request for a user in the timeout period from the NAS, it considers that a line or device failure has occurred, and stops accounting for the user. To work with the RADIUS server, the NAS needs to send real-time accounting requests to the server before the timer on the server expires and to keep pace with the server in disconnecting the user when a failure occurs. The NAS disconnects from a user according to the maximum number of accounting attempts and specific parameters.

For example, the RADIUS server response timeout period is 3 seconds (set with the timer response-timeout command), the maximum number of RADIUS packet transmission attempts is three (set with the retry command), the real-time accounting interval is 12 minutes (set with the timer realtime-accounting command), and the maximum number of accounting attempts is five (set with the retry realtime-accounting command). In this case, the device generates an accounting request every 12 minutes, and retransmits the request if it sends the request but receives no response within 3 seconds. If the device receives no response after transmitting the request three times, it considers the accounting attempt a failure, and makes another accounting attempt. If five consecutive accounting attempts fail, the device cuts the user connection.
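The walkthrough above carried through in code, together with the 300-second limit on retry times multiplied by the response timeout from the retry command. Added example, not H3C code; it assumes, as the walkthrough does, that consecutive failed accounting attempts are one real-time accounting interval apart.

```python
"""Retransmission and real-time accounting timing for a RADIUS scheme.

Added example, not H3C code. Holds the four settings (timer response-timeout,
retry, timer realtime-accounting, retry realtime-accounting), enforces the
ranges and the 300-second product limit this section states, and computes how
long a dead accounting server stays unnoticed before the user is cut off.
Assumption: failed accounting attempts are one real-time interval apart.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RadiusTimers:
    response_timeout_s: int     # timer response-timeout, seconds
    retry_times: int            # retry: 1 to 20 transmissions per request
    realtime_interval_min: int  # timer realtime-accounting, minutes
    accounting_attempts: int    # retry realtime-accounting: 1 to 255 attempts

    def __post_init__(self) -> None:
        if not 1 <= self.retry_times <= 20:
            raise ValueError("retry must be 1 to 20")
        if not 1 <= self.accounting_attempts <= 255:
            raise ValueError("retry realtime-accounting must be 1 to 255")
        if self.response_timeout_s < 1 or self.realtime_interval_min < 1:
            raise ValueError("timers must be positive")
        # Constraint stated under the retry command.
        if self.retry_times * self.response_timeout_s > 300:
            raise ValueError("retry times x response timeout must not exceed 300 seconds")

    def request_failure_time_s(self) -> int:
        """Seconds before one RADIUS request is declared failed: each of the
        retry_times transmissions waits the full response timeout."""
        return self.retry_times * self.response_timeout_s

    def seconds_until_user_cut(self) -> int:
        """From the first unanswered real-time accounting request to the disconnect:
        accounting_attempts consecutive failures, one per interval, the last of which
        still needs request_failure_time_s() to be recognised as failed."""
        interval_s = self.realtime_interval_min * 60
        return (self.accounting_attempts - 1) * interval_s + self.request_failure_time_s()


def timers_are_valid(response_timeout_s: int, retry_times: int,
                     realtime_interval_min: int, accounting_attempts: int) -> bool:
    try:
        RadiusTimers(response_timeout_s, retry_times, realtime_interval_min, accounting_attempts)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t = RadiusTimers(3, 3, 12, 5)  # the values used in the walkthrough above
    print(f"one request is declared failed after {t.request_failure_time_s()} s")
    minutes, seconds = divmod(t.seconds_until_user_cut(), 60)
    print(f"user cut {minutes} min {seconds} s after the accounting server stops answering")
```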

Examples

# Set the maximum number of accounting attempts to 10 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry realtime-accounting 10

Related commands

·     retry

·     timer realtime-accounting (RADIUS scheme view)

·     timer response-timeout (RADIUS scheme view)

secondary accounting (RADIUS scheme view)

Use secondary accounting to specify a secondary RADIUS accounting server.

Use undo secondary accounting to remove a secondary RADIUS accounting server.

Syntax

secondary accounting { host-name | ipv4-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *

undo secondary accounting [ { host-name | ipv4-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary RADIUS accounting server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the secondary RADIUS accounting server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the secondary RADIUS accounting server.

port-number: Specifies the service port number of the secondary RADIUS accounting server. The value range for the UDP port number is 1 to 65535, and the default setting is 1813.

key { cipher | simple } string: Sets the shared key for secure communication with the secondary RADIUS accounting server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 117 characters.

¡     In FIPS mode, the key is a string of 15 to 117 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 64 characters.

¡     In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS accounting server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

You can configure a maximum of 16 secondary RADIUS accounting servers for a RADIUS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of a secondary RADIUS accounting server must be the same as the settings configured on the server.

The shared key configured by this command takes precedence over the shared key configured with the key accounting command. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.

If you use the secondary accounting command to modify or delete a secondary accounting server to which the device is sending a start-accounting request, communication with the secondary server times out. The device tries to communicate with an active server that has the highest priority for accounting.

If you remove an actively used accounting server, the device no longer sends users' real-time accounting requests and stop-accounting requests. The device does not buffer the stop-accounting requests, either.

Examples

# For RADIUS scheme radius1, specify a secondary accounting server with the IP address 10.110.1.1 and the UDP port 1813.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813

# For RADIUS scheme radius2, specify two secondary accounting servers with the server IP addresses of 10.110.1.1 and 10.110.1.2 and the UDP port number of 1813.

<Sysname> system-view

[Sysname] radius scheme radius2

[Sysname-radius-radius2] secondary accounting 10.110.1.1 1813

[Sysname-radius-radius2] secondary accounting 10.110.1.2 1813

Related commands

·     display radius scheme

·     key (RADIUS scheme view)

·     primary accounting (RADIUS scheme view)

·     vpn-instance (RADIUS scheme view)

secondary authentication (RADIUS scheme view)

Use secondary authentication to specify a secondary RADIUS authentication server.

Use undo secondary authentication to remove a secondary RADIUS authentication server.

Syntax

secondary authentication { host-name | ipv4-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *

undo secondary authentication [ { host-name | ipv4-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary RADIUS authentication server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the secondary RADIUS authentication server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the secondary RADIUS authentication server.

port-number: Sets the service port number of the secondary RADIUS authentication server. The value range for the UDP port number is 1 to 65535, and the default setting is 1812.

key { cipher | simple } string: Sets the shared key for secure communication with the secondary RADIUS authentication server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 117 characters.

¡     In FIPS mode, the key is a string of 15 to 117 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 64 characters.

¡     In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS authentication server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

You can configure a maximum of 16 secondary RADIUS authentication servers for a RADIUS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of a secondary RADIUS authentication server must be the same as the settings configured on the server.

The shared key configured by this command takes precedence over the shared key configured with the key authentication command. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.

If you use the secondary authentication command to modify or delete a secondary authentication server during an authentication process, communication with the secondary server times out. The device tries to communicate with an active server that has the highest priority for authentication.

Examples

# For RADIUS scheme radius1, specify a secondary authentication server with the IP address 10.110.1.2 and the UDP port 1812.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812

# Specify two secondary authentication servers for RADIUS scheme radius2, with the server IP addresses of 10.110.1.1 and 10.110.1.2, and the UDP port number of 1812.

<Sysname> system-view

[Sysname] radius scheme radius2

[Sysname-radius-radius2] secondary authentication 10.110.1.1 1812

[Sysname-radius-radius2] secondary authentication 10.110.1.2 1812

Related commands

·     display radius scheme

·     key (RADIUS scheme view)

·     primary authentication (RADIUS scheme view)

·     vpn-instance (RADIUS scheme view)

security-policy-server

Use security-policy-server to specify a security policy server.

Use undo security-policy-server to remove a security policy server.

Syntax

security-policy-server ipv4-address [ vpn-instance vpn-instance-name ]

undo security-policy-server { ipv4-address [ vpn-instance vpn-instance-name ] | all }

Default

No security policy server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies the IPv4 address of the security policy server.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the security policy server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the security policy server is on the public network, do not specify this option.

all: Specifies all security policy servers.

Usage guidelines

You can specify a maximum of eight security policy servers for a RADIUS scheme.

Examples

# Specify the security policy server 10.110.1.2 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] security-policy-server 10.110.1.2

Related commands

display radius scheme

snmp-agent trap enable radius

Use snmp-agent trap enable radius to enable SNMP notifications for RADIUS.

Use undo snmp-agent trap enable radius to disable SNMP notifications for RADIUS.

Syntax

snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *

undo snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *

Default

All types of notifications for RADIUS are enabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

accounting-server-down: Sends a notification when the RADIUS accounting server becomes unreachable.

accounting-server-up: Sends a notification when the RADIUS accounting server becomes reachable.

authentication-error-threshold: Sends a notification when the number of authentication failures exceeds the specified threshold. The threshold is represented by the ratio of the authentication failures to the total number of authentication attempts. The value range is 1 to 100 and the default value is 30. This threshold can only be configured through the MIB.

authentication-server-down: Sends a notification when the RADIUS authentication server becomes unreachable.

authentication-server-up: Sends a notification when the RADIUS authentication server becomes reachable.

Usage guidelines

If you do not specify any keywords, this command enables or disables all types of notifications for RADIUS.

When SNMP notifications for RADIUS are enabled, the SNMP agent supports the following notifications generated by RADIUS:

·     RADIUS server unreachable notification—The RADIUS server cannot be reached. RADIUS generates this notification if it cannot receive any response to an accounting or authentication request within the specified RADIUS request transmission attempts.

·     RADIUS server reachable notification—The RADIUS server can be reached. RADIUS generates this notification for a previously blocked RADIUS server after the quiet timer expires.

·     Excessive authentication failures notification—The ratio of authentication failures to the total number of authentication attempts exceeds the specified threshold.

Examples

# Enable the SNMP agent to send RADIUS accounting server unreachable notifications.

<Sysname> system-view

[Sysname] snmp-agent trap enable radius accounting-server-down

state primary

Use state primary to set the status of a primary RADIUS server.

Syntax

state primary { accounting | authentication } { active | block }

Default

The primary RADIUS server specified for a RADIUS scheme is in active state.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

accounting: Sets the status of the primary RADIUS accounting server.

authentication: Sets the status of the primary RADIUS authentication server.

active: Specifies the active state, the normal operation state.

block: Specifies the blocked state, the out-of-service state.

Usage guidelines

During an authentication or accounting process, the device first tries to communicate with the primary server if the primary server is in active state. If the primary server is unavailable, the device performs the following operations:

·     Changes the status of the primary server to blocked.

·     Starts a quiet timer for the server.

·     Tries to communicate with a secondary server in active state.

When the quiet timer of the primary server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active.

When the primary server and all secondary servers are in blocked state, authentication or accounting fails.

Examples

# Set the status of the primary authentication server in RADIUS scheme radius1 to blocked.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] state primary authentication block

Related commands

·     display radius scheme

·     state secondary

state secondary

Use state secondary to set the status of a secondary RADIUS server.

Syntax

state secondary { accounting | authentication } [ { host-name | ipv4-address } [ port-number | vpn-instance vpn-instance-name ] * ] { active | block }

Default

Every secondary RADIUS server specified in a RADIUS scheme is in active state.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

accounting: Sets the status of a secondary RADIUS accounting server.

authentication: Sets the status of a secondary RADIUS authentication server.

host-name: Specifies the hostname of a secondary RADIUS server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of a secondary RADIUS server.

port-number: Sets the service port number of a secondary RADIUS server. The value range for the UDP port number is 1 to 65535. The default port numbers for authentication and accounting are 1812 and 1813, respectively.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

active: Specifies the active state, the normal operation state.

block: Specifies the blocked state, the out-of-service state.

Usage guidelines

If you do not specify an IP address, this command changes the status of all configured secondary RADIUS servers.

If the device finds that a secondary server in active state is unreachable, the device performs the following operations:

·     Changes the status of the secondary server to blocked.

·     Starts a quiet timer for the server.

·     Tries to communicate with another secondary server in active state.

When the quiet timer of a server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active. If all configured secondary servers are unreachable, the device considers the authentication or accounting attempt a failure.

The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

Examples

# Set the status of all the secondary authentication servers in RADIUS scheme radius1 to blocked.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] state secondary authentication block

Related commands

·     display radius scheme

·     state primary

timer quiet (RADIUS scheme view)

Use timer quiet to set the quiet timer for the servers specified in a RADIUS scheme.

Use undo timer quiet to restore the default.

Syntax

timer quiet minutes

undo timer quiet

Default

The server quiet timer period is 5 minutes in a RADIUS scheme.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.

Usage guidelines

Make sure the server quiet timer is set to an appropriate value.

·     A timer that is too short might result in frequent authentication or accounting failures. The reason is that the device will continue to attempt to communicate with an unreachable server that is in active state.

·     A timer that is too long might temporarily block a reachable server that has recovered from a failure. The reason is that the server will remain in blocked state until the timer expires.
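The server selection, automatic blocking and quiet-timer recovery described for the state primary, state secondary and timer quiet commands, as an added Python model that is not H3C code and not part of this reference. The class and method names are assumptions of the example; the scenario data (server addresses, outage length) is constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class RadiusServer:
    address: str
    active: bool = True                 # False means blocked
    blocked_at: Optional[float] = None  # second at which the quiet timer was started
    manual_block: bool = False          # blocked by "state ... block": no automatic recovery


@dataclass
class RadiusScheme:
    quiet_minutes: int = 5                                  # "timer quiet" default
    primary: Optional[RadiusServer] = None
    secondaries: List[RadiusServer] = field(default_factory=list)

    def set_state(self, server: RadiusServer, active: bool) -> None:
        """Operator action: "state primary ..." or "state secondary ... active|block"."""
        server.active = active
        server.manual_block = not active
        server.blocked_at = None

    def _servers(self) -> List[RadiusServer]:
        return [s for s in [self.primary, *self.secondaries] if s is not None]

    def _expire_quiet_timers(self, now: float) -> None:
        """A server blocked by the device returns to active when its quiet timer
        expires; a server blocked by the operator stays blocked until "state ... active"."""
        for s in self._servers():
            if s.active or s.manual_block:
                continue
            if now - s.blocked_at >= self.quiet_minutes * 60:
                s.active, s.blocked_at = True, None

    def authenticate(self, now: float,
                     reachable: Callable[[RadiusServer, float], bool]) -> Optional[str]:
        """Return the address of the server that answered, or None when the attempt
        fails because every server is blocked or unreachable."""
        self._expire_quiet_timers(now)
        for s in self._servers():            # primary first, then secondaries in order
            if not s.active:
                continue
            if reachable(s, now):
                return s.address
            # Unreachable active server: block it and start its quiet timer.
            s.active, s.blocked_at, s.manual_block = False, now, False
        return None


def run_scenario() -> List[Optional[str]]:
    """Constructed scenario: the primary is unreachable until t=120 s, quiet timer 5 min."""
    primary = RadiusServer("10.110.1.1")
    scheme = RadiusScheme(quiet_minutes=5, primary=primary,
                          secondaries=[RadiusServer("10.110.1.2"), RadiusServer("10.110.1.3")])
    outage_end = {"10.110.1.1": 120.0}   # constructed outage: primary back at t=120 s

    def reachable(server: RadiusServer, now: float) -> bool:
        return now >= outage_end.get(server.address, 0.0)

    results = []
    results.append(scheme.authenticate(0, reachable))      # primary fails, blocked; secondary answers
    results.append(scheme.authenticate(60, reachable))     # primary still in its quiet period
    results.append(scheme.authenticate(200, reachable))    # primary recovered, but timer (300 s) not expired
    results.append(scheme.authenticate(300, reachable))    # quiet timer expired: primary active again
    scheme.set_state(primary, active=False)                # "state primary authentication block"
    results.append(scheme.authenticate(10_000, reachable))  # manual block never expires on its own
    for s in scheme.secondaries:
        scheme.set_state(s, active=False)
    results.append(scheme.authenticate(10_100, reachable))  # every server blocked: failure
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The third step shows the cost of a long quiet timer (a recovered primary stays blocked until the timer expires), and the last two steps show that an operator-set block is never cleared automatically.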

Examples

# Set the quiet timer for the servers to 10 minutes.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer quiet 10

Related commands

display radius scheme

timer realtime-accounting (RADIUS scheme view)

Use timer realtime-accounting to set the real-time accounting interval.

Use undo timer realtime-accounting to restore the default.

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

Default

The real-time accounting interval is 12 minutes.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60.

Usage guidelines

When the real-time accounting interval configured on the device is not zero, the device sends online user accounting information to the RADIUS accounting server at the configured interval.

When the real-time accounting interval on the device is zero, the device sends online user accounting information to the RADIUS accounting server at the real-time accounting interval configured on the server. If the real-time accounting interval is not configured on the server, the device does not send online user accounting information.

A short interval improves accounting precision but consumes more system resources.

Table 6 Recommended real-time accounting intervals

Number of users    Real-time accounting interval
1 to 99            3 minutes
100 to 499         6 minutes
500 to 999         12 minutes
1000 or more       15 minutes or longer

Examples

# Set the real-time accounting interval to 51 minutes for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer realtime-accounting 51

Related commands

retry realtime-accounting

timer response-timeout (RADIUS scheme view)

Use timer response-timeout to set the RADIUS server response timeout timer.

Use undo timer response-timeout to restore the default.

Syntax

timer response-timeout seconds

undo timer response-timeout

Default

The RADIUS server response timeout period is 3 seconds.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

seconds: Specifies the RADIUS server response timeout period, in the range of 1 to 10 seconds.

Usage guidelines

If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request, it resends the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the transmission interval.

The maximum number of RADIUS packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 300 seconds.

Examples

# Set the RADIUS server response timeout timer to 5 seconds for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer response-timeout 5

Related commands

·     display radius scheme

·     retry

user-name-format (RADIUS scheme view)

Use user-name-format to specify the format of the username to be sent to a RADIUS server.

Use undo user-name-format to restore the default.

Syntax

user-name-format { keep-original | with-domain | without-domain }

undo user-name-format

Default

The ISP domain name is included in the usernames sent to a RADIUS server.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

keep-original: Sends the username to the RADIUS server as the username is entered.

with-domain: Includes the ISP domain name in the username sent to the RADIUS server.

without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.

Usage guidelines

A username is generally in the userid@isp-name format, where the device uses the isp-name argument to determine the ISP domain to which a user belongs. Some earlier RADIUS servers, however, cannot recognize a username that contains an ISP domain name. Before sending such a username to one of these servers, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username sent to a RADIUS server.

If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the RADIUS scheme to more than one ISP domain. Otherwise, the RADIUS server will consider two users in different ISP domains but with the same userid as one user.
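The three user-name-format modes and the username collision that without-domain causes when one scheme serves several ISP domains, as an added Python example that is not H3C code and not part of this reference. Splitting the name at the last "@" and passing the device-determined ISP domain as a parameter are assumptions of the example; the domain and user names are constructed.

```python
from typing import Dict, List, Tuple

MODES = ("keep-original", "with-domain", "without-domain")


def split_username(entered: str) -> Tuple[str, str]:
    """Split a username in the userid@isp-name format into (userid, isp-name).
    A name without "@" gets an empty isp-name. Splitting at the last "@" is an
    assumption of this example, not something the command reference states."""
    userid, sep, domain = entered.rpartition("@")
    return (userid, domain) if sep else (entered, "")


def format_username(entered: str, isp_domain: str, mode: str) -> str:
    """Build the username sent to the RADIUS server for one user-name-format mode.
    isp_domain is the ISP domain the device determined for the user (assumption)."""
    if mode not in MODES:
        raise ValueError(f"unknown user-name-format mode: {mode}")
    if mode == "keep-original":
        return entered                       # sent exactly as entered
    userid, _ = split_username(entered)
    if mode == "without-domain":
        return userid                        # domain stripped for servers that cannot parse it
    return f"{userid}@{isp_domain}"          # with-domain


def server_side_identities(scheme_domains: List[str], entered_names: List[str],
                           mode: str) -> Dict[str, List[str]]:
    """Map each username as the RADIUS server will see it to the entered names that
    produce it, for one RADIUS scheme applied to every domain in scheme_domains."""
    seen: Dict[str, List[str]] = {}
    for name in entered_names:
        _, domain = split_username(name)
        if domain not in scheme_domains:     # this user's domain uses another scheme
            continue
        seen.setdefault(format_username(name, domain, mode), []).append(name)
    return seen


def collisions(scheme_domains: List[str], entered_names: List[str],
               mode: str) -> Dict[str, List[str]]:
    """Server-side usernames that more than one distinct entered name maps to.
    The server would treat these distinct users as a single account."""
    return {k: v for k, v in server_side_identities(scheme_domains, entered_names, mode).items()
            if len(v) > 1}


if __name__ == "__main__":
    # Constructed data: scheme radius1 applied to both dom1 and dom2.
    print(collisions(["dom1", "dom2"], ["alice@dom1", "alice@dom2", "bob@dom1"], "without-domain"))
```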

Examples

# Configure the device to remove the domain name from the username sent to the RADIUS servers specified in RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] user-name-format without-domain

Related commands

display radius scheme

vpn-instance (RADIUS scheme view)

Use vpn-instance to specify a VPN for a RADIUS scheme.

Use undo vpn-instance to remove the configuration.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

The RADIUS scheme belongs to the public network.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

vpn-instance-name: Specifies the name of the MPLS L3VPN, a case-sensitive string of 1 to 31 characters.

Usage guidelines

The VPN specified by using this command applies to all servers in the RADIUS scheme for which no VPN is specified.

Examples

# Specify VPN test for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] vpn-instance test

Related commands

display radius scheme

HWTACACS commands

data-flow-format (HWTACACS scheme view)

Use data-flow-format to set the data flow and packet measurement units for traffic statistics.

Use undo data-flow-format to restore the default.

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *

undo data-flow-format { data | packet }

Default

Traffic is counted in bytes and packets.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.

packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.

Usage guidelines

The data flow and packet measurement units for traffic statistics must be the same as configured on the HWTACACS accounting servers. Otherwise, accounting results might be incorrect.

Examples

# In HWTACACS scheme hwt1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte packet kilo-packet

Related commands

display hwtacacs scheme

display hwtacacs scheme

Use display hwtacacs scheme to display the configuration or statistics of HWTACACS schemes.

Syntax

display hwtacacs scheme [ hwtacacs-scheme-name [ statistics ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an HWTACACS scheme, the command displays the configuration of all HWTACACS schemes.

statistics: Displays the HWTACACS service statistics. If you do not specify this keyword, the command displays the configuration of the HWTACACS scheme.

Examples

# Display the configuration of all HWTACACS schemes.

<Sysname> display hwtacacs scheme

Total 2 TACACS schemes

 

------------------------------------------------------------------

HWTACACS Scheme Name  : tac

  Index : 0

  Primary Auth Server:

    Host name: tacacs.com

    IP  : 82.0.0.37       Port: 49     State: Active

    VPN Instance: Not configured

    Single-connection: Disabled

  Primary Author Server:

    Host name: tacacs.com

    IP  : 82.0.0.37       Port: 49     State: Active

    VPN Instance: Not configured

    Single-connection: Disabled

  Primary Acct Server:

    Host name: tacacs.com

    IP  : 82.0.0.37       Port: 49     State: Active

    VPN Instance: Not configured

    Single-connection: Disabled

 

  VPN Instance                          : Not configured

  NAS IP Address                        : Not configured

  Server Quiet Period(minutes)          : 5

  Realtime Accounting Interval(minutes) : 12

  Response Timeout Interval(seconds)    : 5

  Username Format                       : without-domain

------------------------------------------------------------------

HWTACACS Scheme Name  : tac2

  Index : 1

  Primary Auth Server:

    Host name: tacacs.com

    IP  : 82.0.0.37       Port: 49     State: Active

    VPN Instance: 1

    Single-connection: Disabled

  Primary Author Server:

    Host name: tacacs.com

    IP  : 82.0.0.37       Port: 49     State: Active

    VPN Instance: 1

    Single-connection: Disabled

  Primary Acct Server:

    Host name: tacacs.com

    IP  : 82.0.0.37       Port: 49     State: Active

    VPN Instance: 1

    Single-connection: Disabled

 

  VPN Instance                          : Not configured

  NAS IP Address                        : Not configured

  Server Quiet Period(minutes)          : 5

  Realtime Accounting Interval(minutes) : 12

  Response Timeout Interval(seconds)    : 5

  Username Format                       : without-domain

------------------------------------------------------------------

Table 7 Command output

Index: Index number of the HWTACACS scheme.

Primary Auth Server: Primary HWTACACS authentication server.

Primary Author Server: Primary HWTACACS authorization server.

Primary Acct Server: Primary HWTACACS accounting server.

Secondary Auth Server: Secondary HWTACACS authentication server.

Secondary Author Server: Secondary HWTACACS authorization server.

Secondary Acct Server: Secondary HWTACACS accounting server.

Host name: Hostname of the HWTACACS server. The field displays Not configured in the following situations:

·     The server is not configured.

·     The server is specified by IP address.

IP: IP address of the HWTACACS server. This field displays Not configured in the following situations:

·     The server is not configured.

·     The server is specified by hostname, and the hostname is not resolved.

Port: Service port of the HWTACACS server. If no port configuration is performed, this field displays the default port number.

Single-connection: Single connection status:

·     Enabled—Establish only one TCP connection for all users to communicate with the server.

·     Disabled—Establish a TCP connection for each user to communicate with the server.

State: Status of the HWTACACS server: active or blocked.

VPN Instance: MPLS L3VPN to which the HWTACACS server or scheme belongs. If no VPN is specified for the server or scheme, this field displays Not configured.

NAS IP Address: Source IP address for outgoing HWTACACS packets.

Server Quiet Period(minutes): Quiet period for the primary servers, in minutes.

Realtime Accounting Interval(minutes): Real-time accounting interval, in minutes.

Response Timeout Interval(seconds): HWTACACS server response timeout period, in seconds.

Username Format: Format for the usernames sent to the HWTACACS server. Possible values include:

·     with-domain—Includes the domain name.

·     without-domain—Excludes the domain name.

·     keep-original—Forwards the username as the username is entered.

Related commands

reset hwtacacs statistics

hwtacacs nas-ip

Use hwtacacs nas-ip to specify a source IP address for outgoing HWTACACS packets.

Use undo hwtacacs nas-ip to delete a source IP address for outgoing HWTACACS packets.

Syntax

hwtacacs nas-ip ipv4-address [ vpn-instance vpn-instance-name ]

undo hwtacacs nas-ip ipv4-address [ vpn-instance vpn-instance-name ]

Default

The source IP address of an HWTACACS packet sent to the server is the IP address of the outbound interface.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IP address belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To configure a public-network source IPv4 address, do not specify this option.

Usage guidelines

The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of a managed NAS.

·     If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

·     If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

You can specify a maximum of 16 source IP addresses, including the following IP addresses:

·     Zero or one public-network source IPv4 address.

·     Private-network source IPv4 addresses.

A newly specified public-network source IPv4 address overwrites the previous address. Each VPN can have a maximum of one private-network source IPv4 address.

When you use both the nas-ip and hwtacacs nas-ip commands, the following guidelines apply:

·     The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme.

·     The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.

·     The setting in HWTACACS scheme view takes precedence over the setting in system view.

Examples

# Set the IP address for the device to use as the source address for HWTACACS packets to 129.10.10.1.

<Sysname> system-view

[Sysname] hwtacacs nas-ip 129.10.10.1

Related commands

nas-ip (HWTACACS scheme view)

hwtacacs scheme

Use hwtacacs scheme to create an HWTACACS scheme and enter HWTACACS scheme view.

Use undo hwtacacs scheme to delete an HWTACACS scheme.

Syntax

hwtacacs scheme hwtacacs-scheme-name

undo hwtacacs scheme hwtacacs-scheme-name

Default

No HWTACACS scheme exists.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme-name: Specifies the HWTACACS scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

An HWTACACS scheme can be used by more than one ISP domain at the same time.

You can configure a maximum of 16 HWTACACS schemes.

Examples

# Create an HWTACACS scheme named hwt1 and enter HWTACACS scheme view.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1]

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication.

Use undo key to remove the configuration.

Syntax

key { accounting | authentication | authorization } { cipher | simple } string

undo key { accounting | authentication | authorization }

Default

No shared key is configured.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

accounting: Sets the shared key for secure HWTACACS accounting communication.

authentication: Sets the shared key for secure HWTACACS authentication communication.

authorization: Sets the shared key for secure HWTACACS authorization communication.

cipher: Sets a ciphertext shared key.

simple: Sets a plaintext shared key.

string: Specifies the shared key string. This argument is case sensitive.

·     In non-FIPS mode:

¡     A ciphertext shared key is a string of 1 to 373 characters.

¡     A plaintext shared key is a string of 1 to 255 characters.

·     In FIPS mode:

¡     A ciphertext shared key is a string of 15 to 373 characters.

¡     A plaintext shared key is a string of 15 to 255 characters that must contain digits, uppercase letters, lowercase letters, and special characters.

Usage guidelines

The shared keys configured on the device must match those configured on the HWTACACS servers.

For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

Examples

# Set the shared key for secure HWTACACS authentication communication to 123456TESTauth&! in plain text for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] key authentication simple 123456TESTauth&!

# Set the shared key for secure HWTACACS authorization communication to 123456TESTautr&! in plain text.

[Sysname-hwtacacs-hwt1] key authorization simple 123456TESTautr&!

# Set the shared key for secure HWTACACS accounting communication to 123456TESTacct&! in plain text.

[Sysname-hwtacacs-hwt1] key accounting simple 123456TESTacct&!

Related commands

display hwtacacs scheme

nas-ip (HWTACACS scheme view)

Use nas-ip to specify a source IP address for outgoing HWTACACS packets.

Use undo nas-ip to delete a source IP address for outgoing HWTACACS packets.

Syntax

nas-ip ipv4-address

undo nas-ip

Default

The source IP address of an outgoing HWTACACS packet is the IP address configured by using the hwtacacs nas-ip command in system view.

If the hwtacacs nas-ip command is not configured, the source IP address is the IP address of the outbound interface.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

Usage guidelines

The source IP address of the HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of a managed NAS.

·     If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

·     If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

When you use both the nas-ip and hwtacacs nas-ip commands, the following guidelines apply:

·     The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme.

·     The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.

·     The setting in HWTACACS scheme view takes precedence over the setting in system view.

If you execute the command multiple times, the most recent configuration takes effect.
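The address restrictions, the 16-entry source address table and the scheme-view over system-view precedence described for hwtacacs nas-ip and nas-ip (HWTACACS scheme view), as an added Python example that is not H3C code and not part of this reference. The class and function names are assumptions; the set of device-owned addresses and the choice of the system-view entry by the server's VPN are assumptions of the example, and all addresses are constructed.

```python
import ipaddress
from typing import Dict, Iterable, Optional

MAX_NAS_IPS = 16    # "You can specify a maximum of 16 source IP addresses"
PUBLIC = None       # table key for the public-network entry


def validate_nas_ip(text: str) -> ipaddress.IPv4Address:
    """Apply the ipv4-address restrictions of hwtacacs nas-ip / nas-ip: the address
    cannot be 0.0.0.0, 255.255.255.255, class D, class E or loopback."""
    addr = ipaddress.IPv4Address(text)    # AddressValueError (a ValueError) on malformed input
    if addr in (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255")):
        raise ValueError(f"{addr}: all-zeros and all-ones addresses are not allowed")
    first_octet = int(addr) >> 24
    if 224 <= first_octet <= 239:
        raise ValueError(f"{addr}: class D (multicast) address not allowed")
    if first_octet >= 240:
        raise ValueError(f"{addr}: class E (reserved) address not allowed")
    if addr.is_loopback:
        raise ValueError(f"{addr}: loopback address not allowed")
    return addr


def rejected(text: str) -> bool:
    """True when validate_nas_ip refuses the address."""
    try:
        validate_nas_ip(text)
    except ValueError:
        return True
    return False


class HwtacacsNasIpTable:
    """System-view hwtacacs nas-ip table: at most one public-network address, at most
    one address per VPN instance, 16 entries in total. A new address for the same
    network overwrites the previous one; the device-owned address set is assumed."""

    def __init__(self, device_addresses: Iterable[str]):
        self.device_addresses = {ipaddress.IPv4Address(a) for a in device_addresses}
        self.entries: Dict[Optional[str], ipaddress.IPv4Address] = {}

    def add(self, text: str, vpn_instance: Optional[str] = PUBLIC) -> ipaddress.IPv4Address:
        addr = validate_nas_ip(text)
        if addr not in self.device_addresses:
            raise ValueError(f"{addr} is not an address of this device")
        if vpn_instance is not None and not 1 <= len(vpn_instance) <= 31:
            raise ValueError("vpn-instance-name must be 1 to 31 characters")
        if vpn_instance not in self.entries and len(self.entries) >= MAX_NAS_IPS:
            raise ValueError(f"at most {MAX_NAS_IPS} source IP addresses can be specified")
        self.entries[vpn_instance] = addr
        return addr

    def remove(self, text: str, vpn_instance: Optional[str] = PUBLIC) -> bool:
        """undo hwtacacs nas-ip: the entry is removed only if address and VPN both match."""
        if self.entries.get(vpn_instance) == ipaddress.IPv4Address(text):
            del self.entries[vpn_instance]
            return True
        return False


def resolve_source_ip(table: HwtacacsNasIpTable, server_vpn: Optional[str],
                      scheme_nas_ip: Optional[str], outbound_interface_ip: str) -> str:
    """Precedence from the usage guidelines: the scheme-view nas-ip setting wins, then
    the system-view entry for the server's network, then the outbound interface address.
    Selecting the system-view entry by the server's VPN is an assumption of this example."""
    if scheme_nas_ip is not None:
        return str(validate_nas_ip(scheme_nas_ip))
    if server_vpn in table.entries:
        return str(table.entries[server_vpn])
    return outbound_interface_ip


if __name__ == "__main__":
    # Constructed device addresses and configuration.
    table = HwtacacsNasIpTable(["129.10.10.1", "10.1.1.1", "10.2.2.2"])
    table.add("129.10.10.1")                     # hwtacacs nas-ip 129.10.10.1
    table.add("10.2.2.2", "vpn1")                # hwtacacs nas-ip 10.2.2.2 vpn-instance vpn1
    print(resolve_source_ip(table, None, None, "192.0.2.1"))
```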

Examples

# Set the source address for outgoing HWTACACS packets to 10.1.1.1 for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1

Related commands

hwtacacs nas-ip

primary accounting (HWTACACS scheme view)

Use primary accounting to specify the primary HWTACACS accounting server.

Use undo primary accounting to remove the configuration.

Syntax

primary accounting { host-name | ipv4-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo primary accounting

Default

No primary HWTACACS accounting server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the primary HWTACACS accounting server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies an IPv4 address of the primary HWTACACS accounting server.

port-number: Specifies the service port number of the primary HWTACACS accounting server. The value range for the TCP port number is 1 to 65535, and the default setting is 49.

key { cipher | simple } string: Sets the shared key for secure communication with the primary HWTACACS accounting server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 373 characters.

¡     In FIPS mode, the key is a string of 15 to 373 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 255 characters.

¡     In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

single-connection: The device and the primary HWTACACS accounting server use the same TCP connection to exchange accounting packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges accounting packets with the primary accounting server for a user. As a best practice, specify this keyword to reduce the number of TCP connections and improve system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS accounting server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Two accounting servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of the primary HWTACACS accounting server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.

You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.

Examples

# Specify the primary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key 123456TESTacct&! for HWTACACS scheme test1.

<Sysname> system-view

[Sysname] hwtacacs scheme test1

[Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49 key simple 123456TESTacct&!

Related commands

·     display hwtacacs scheme

·     key (HWTACACS scheme view)

·     secondary accounting (HWTACACS scheme view)

·     vpn-instance (HWTACACS scheme view)

primary authentication (HWTACACS scheme view)

Use primary authentication to specify the primary HWTACACS authentication server.

Use undo primary authentication to remove the configuration.

Syntax

primary authentication { host-name | ipv4-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo primary authentication

Default

No primary HWTACACS authentication server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the primary HWTACACS authentication server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the primary HWTACACS authentication server.

port-number: Specifies the service port number of the primary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535, and the default setting is 49.

key { cipher | simple } string: Sets the shared key for secure communication with the primary HWTACACS authentication server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 373 characters.

¡     In FIPS mode, the key is a string of 15 to 373 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 255 characters.

¡     In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

single-connection: The device and the primary HWTACACS authentication server use the same TCP connection to exchange all authentication packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authentication packets with the primary authentication server for a user. As a best practice, specify this keyword to reduce the number of TCP connections and improve system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS authentication server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Two authentication servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of the primary HWTACACS authentication server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.

You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.

Examples

# Specify the primary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&! for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49 key simple 123456TESTauth&!

Related commands

·     display hwtacacs scheme

·     key (HWTACACS scheme view)

·     secondary authentication (HWTACACS scheme view)

·     vpn-instance (HWTACACS scheme view)

primary authorization

Use primary authorization to specify the primary HWTACACS authorization server.

Use undo primary authorization to remove the configuration.

Syntax

primary authorization { host-name | ipv4-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo primary authorization

Default

No primary HWTACACS authorization server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the primary HWTACACS authorization server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the primary HWTACACS authorization server.

port-number: Specifies the service port number of the primary HWTACACS authorization server. The value range for the TCP port number is 1 to 65535, and the default setting is 49.

key { cipher | simple } string: Sets the shared key for secure communication with the primary HWTACACS authorization server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 373 characters.

¡     In FIPS mode, the key is a string of 15 to 373 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 255 characters.

¡     In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

single-connection: The device and the primary HWTACACS authorization server use the same TCP connection to exchange all authorization packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authorization packets with the primary authorization server for a user. As a best practice, specify this keyword to reduce the number of TCP connections and improve system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS authorization server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Two authorization servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of the primary HWTACACS authorization server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.

You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.

Examples

# Specify the primary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&! for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49 key simple 123456TESTautr&!

Related commands

·     display hwtacacs scheme

·     key (HWTACACS scheme view)

·     secondary authorization

·     vpn-instance (HWTACACS scheme view)

reset hwtacacs statistics

Use reset hwtacacs statistics to clear HWTACACS statistics.

Syntax

reset hwtacacs statistics { accounting | all | authentication | authorization }

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

accounting: Clears the HWTACACS accounting statistics.

all: Clears all HWTACACS statistics.

authentication: Clears the HWTACACS authentication statistics.

authorization: Clears the HWTACACS authorization statistics.

Examples

# Clear all HWTACACS statistics.

<Sysname> reset hwtacacs statistics all

Related commands

display hwtacacs scheme

secondary accounting (HWTACACS scheme view)

Use secondary accounting to specify a secondary HWTACACS accounting server.

Use undo secondary accounting to remove a secondary HWTACACS accounting server.

Syntax

secondary accounting { host-name | ipv4-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo secondary accounting [ { host-name | ipv4-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary HWTACACS accounting server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the secondary HWTACACS accounting server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS accounting server.

port-number: Specifies the service port number of the secondary HWTACACS accounting server. The value range for the TCP port number is 1 to 65535, and the default setting is 49.

key { cipher | simple } string: Specifies the shared key for secure communication with the secondary HWTACACS accounting server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 373 characters.

¡     In FIPS mode, the key is a string of 15 to 373 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 255 characters.

¡     In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

single-connection: The device and the secondary HWTACACS accounting server use the same TCP connection to exchange all accounting packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges accounting packets with the secondary accounting server for a user. As a best practice, specify this keyword to reduce the number of TCP connections and improve system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS accounting server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

You can configure a maximum of 16 secondary HWTACACS accounting servers for an HWTACACS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary accounting command, the command removes all secondary accounting servers.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of a secondary HWTACACS accounting server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.

You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.

Examples

# Specify a secondary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key 123456TESTacct&! for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49 key simple 123456TESTacct&!

Related commands

·     display hwtacacs scheme

·     key (HWTACACS scheme view)

·     primary accounting (HWTACACS scheme view)

·     vpn-instance (HWTACACS scheme view)

secondary authentication (HWTACACS scheme view)

Use secondary authentication to specify a secondary HWTACACS authentication server.

Use undo secondary authentication to remove a secondary HWTACACS authentication server.

Syntax

secondary authentication { host-name | ipv4-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo secondary authentication [ { host-name | ipv4-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary HWTACACS authentication server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the secondary HWTACACS authentication server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authentication server.

port-number: Specifies the service port number of the secondary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535, and the default setting is 49.

key { cipher | simple } string: Sets the shared key for secure communication with the secondary HWTACACS authentication server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 373 characters.

¡     In FIPS mode, the key is a string of 15 to 373 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 255 characters.

¡     In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

single-connection: The device and the secondary HWTACACS authentication server use the same TCP connection to exchange all authentication packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authentication packets with the secondary authentication server for a user. As a best practice, specify this keyword to reduce the number of TCP connections and improve system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS authentication server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

You can configure a maximum of 16 secondary HWTACACS authentication servers for an HWTACACS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary authentication command, the command removes all secondary authentication servers.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of a secondary HWTACACS authentication server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.

You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.

Examples

# Specify a secondary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&! for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49 key simple 123456TESTauth&!

Related commands

·     display hwtacacs scheme

·     key (HWTACACS scheme view)

·     primary authentication (HWTACACS scheme view)

·     vpn-instance (HWTACACS scheme view)

secondary authorization

Use secondary authorization to specify a secondary HWTACACS authorization server.

Use undo secondary authorization to remove a secondary HWTACACS authorization server.

Syntax

secondary authorization { host-name | ipv4-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo secondary authorization [ { host-name | ipv4-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary HWTACACS authorization server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the secondary HWTACACS authorization server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authorization server.

port-number: Specifies the service port number of the secondary HWTACACS authorization server. The value range for the TCP port number is 1 to 65535, and the default setting is 49.

key { cipher | simple } string: Sets the shared key for secure communication with the secondary HWTACACS authorization server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 373 characters.

¡     In FIPS mode, the key is a string of 15 to 373 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 255 characters.

¡     In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

single-connection: The device and the secondary HWTACACS authorization server use the same TCP connection to exchange all authorization packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authorization packets with the secondary authorization server for a user. As a best practice, specify this keyword to reduce the number of TCP connections and improve system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS authorization server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

You can configure a maximum of 16 secondary HWTACACS authorization servers for an HWTACACS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary authorization command, the command removes all secondary authorization servers.

Two authorization servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of a secondary HWTACACS authorization server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.

You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.

Examples

# Specify a secondary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&! for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49 key simple 123456TESTautr&!

Related commands

·     display hwtacacs scheme

·     key (HWTACACS scheme view)

·     primary authorization

·     vpn-instance (HWTACACS scheme view)

timer quiet (HWTACACS scheme view)

Use timer quiet to set the quiet timer for the servers specified in an HWTACACS scheme.

Use undo timer quiet to restore the default.

Syntax

timer quiet minutes

undo timer quiet

Default

The server quiet timer period is 5 minutes in an HWTACACS scheme.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.

Examples

# Set the server quiet timer to 10 minutes.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer quiet 10

Related commands

display hwtacacs scheme

timer realtime-accounting (HWTACACS scheme view)

Use timer realtime-accounting to set the real-time accounting interval.

Use undo timer realtime-accounting to restore the default.

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

Default

The real-time accounting interval is 12 minutes.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60. Setting this interval to 0 disables the device from sending online user accounting information to the HWTACACS accounting server.

Usage guidelines

For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. This command is used to set the interval.

A short interval helps improve accounting precision but requires many system resources.

Table 8 Recommended real-time accounting intervals

Number of users     Real-time accounting interval
1 to 99             3 minutes
100 to 499          6 minutes
500 to 999          12 minutes
1000 or more        15 minutes or longer

Examples

# Set the real-time accounting interval to 51 minutes for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer realtime-accounting 51

Related commands

display hwtacacs scheme

timer response-timeout (HWTACACS scheme view)

Use timer response-timeout to set the HWTACACS server response timeout timer.

Use undo timer response-timeout to restore the default.

Syntax

timer response-timeout seconds

undo timer response-timeout

Default

The HWTACACS server response timeout time is 5 seconds.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

seconds: Specifies the HWTACACS server response timeout time, in the range of 1 to 300 seconds.

Usage guidelines

HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server.

Examples

# Set the HWTACACS server response timeout timer to 30 seconds for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer response-timeout 30

Related commands

display hwtacacs scheme

user-name-format (HWTACACS scheme view)

Use user-name-format to specify the format of the username to be sent to an HWTACACS server.

Use undo user-name-format to restore the default.

Syntax

user-name-format { keep-original | with-domain | without-domain }

undo user-name-format

Default

The ISP domain name is included in the usernames sent to an HWTACACS server.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

keep-original: Sends the username to the HWTACACS server as the username is entered.

with-domain: Includes the ISP domain name in the username sent to the HWTACACS server.

without-domain: Excludes the ISP domain name from the username sent to the HWTACACS server.

Usage guidelines

A username is generally in the userid@isp-name format, of which the isp-name argument is used by the device to determine the ISP domain to which a user belongs. However, some HWTACACS servers cannot recognize a username containing an ISP domain name. Before sending a username including a domain name to such an HWTACACS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username to be sent to an HWTACACS server.

If an HWTACACS scheme defines that the username is sent without the ISP domain name, do not apply the HWTACACS scheme to more than one ISP domain. Otherwise, the HWTACACS server will consider two users in different ISP domains but with the same userid as one user.
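The following is an added example, not code from H3C or this reference. It models the three user-name-format modes described above and shows the identity collision the guideline warns about when a without-domain scheme serves several ISP domains. Function names and the sample logins are constructed for the example; how the device fills in a domain the user did not type under with-domain is an assumption noted in the code.

```python
# Added example, not H3C code: models the three user-name-format modes
# and shows the identity collision the guideline above warns about.

def format_username(entered: str, mode: str, isp_domain: str) -> str:
    """Return the username the NAS would send to the HWTACACS server.

    entered    - the name as the user typed it, e.g. "alice@corp" or "alice"
    mode       - "keep-original", "with-domain" or "without-domain"
    isp_domain - the ISP domain the device resolved the user into
    """
    userid, _, typed_domain = entered.partition("@")
    if mode == "keep-original":
        return entered
    if mode == "with-domain":
        # Assumption: when no domain was typed, the device attaches the ISP
        # domain it resolved the user into (the page only says the domain
        # name is included in the name sent).
        return f"{userid}@{typed_domain or isp_domain}"
    if mode == "without-domain":
        return userid
    raise ValueError(f"unknown user-name-format mode: {mode}")


def server_side_collisions(logins, mode):
    """Group device-side users by the name the server would see.

    logins - iterable of (entered name, resolved ISP domain) pairs
    Returns {server-side name: set of device-side users} for every server-side
    name shared by more than one device-side user (empty dict == no collisions).
    """
    seen = {}
    for entered, isp_domain in logins:
        sent = format_username(entered, mode, isp_domain)
        seen.setdefault(sent, set()).add((entered, isp_domain))
    return {name: users for name, users in seen.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed sample: the same userid in two ISP domains that share one scheme.
    logins = [("alice@corp", "corp"), ("alice@lab", "lab"), ("bob@corp", "corp")]
    for mode in ("keep-original", "with-domain", "without-domain"):
        print(mode, server_side_collisions(logins, mode))
```

Running the sample shows that only without-domain merges alice@corp and alice@lab into a single server-side account alice, which is exactly the case the guideline says to avoid by not applying such a scheme to more than one ISP domain.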

Examples

# Configure the device to remove the ISP domain name from the username sent to the HWTACACS servers specified in HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] user-name-format without-domain

Related commands

display hwtacacs scheme

vpn-instance (HWTACACS scheme view)

Use vpn-instance to specify a VPN for an HWTACACS scheme.

Use undo vpn-instance to remove the configuration.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

The HWTACACS scheme belongs to the public network.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

vpn-instance-name: Specifies the name of the MPLS L3VPN, a case-sensitive string of 1 to 31 characters.

Usage guidelines

The VPN specified by using this command takes effect on all servers in the HWTACACS scheme for which no VPN is specified.

Examples

# Specify VPN test for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] vpn-instance test

Related commands

display hwtacacs scheme


Password control commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

display password-control

Use display password-control to display password control configuration.

Syntax

display password-control [ super ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

super: Displays the password control information for the super passwords. If you do not specify this keyword, the command displays the global password control configuration.

Examples

# Display the global password control configuration.

<Sysname> display password-control

 Global password control configurations:

 Password control:                     Disabled

 Password aging:                       Enabled (90 days)

 Password length:                      Enabled (10 characters)

 Password composition:                 Enabled (1 types, 1 characters per type)

 Password history:                     Enabled (max history records:4)

 Early notice on password expiration:  7 days

 Maximum login attempts:               3

 Action for exceeding login attempts:  Lock user for 1 minutes

 Minimum interval between two updates: 24 hours

 User account idle time:               90 days

 Logins with aged password:            3 times in 30 days

 Password complexity:                  Disabled (username checking)

                                       Disabled (repeated characters checking)

# Display the password control configuration for super passwords.

<Sysname> display password-control super

 Super password control configurations:

 Password aging:                       Enabled (90 days)

 Password length:                      Enabled (10 characters)

 Password composition:                 Enabled (1 types, 1 characters per type)

Table 9 Command output

Field                                 Description
Password control                      Whether the password control feature is enabled.
Password aging                        Whether password expiration is enabled and, if enabled, the expiration time.
Password length                       Whether the minimum password length restriction feature is enabled and, if enabled, the setting.
Password composition                  Whether the password composition restriction feature is enabled and, if enabled, the settings.
Password history                      Whether the password history feature is enabled and, if enabled, the setting.
Early notice on password expiration   Number of days during which the user is notified of the pending password expiration.
Maximum login attempts                Allowed maximum number of consecutive failed login attempts for FTP and VTY users.
Action for exceeding login attempts   Action to be taken after a user fails to log in after the specified number of attempts.
Minimum interval between two updates  Minimum password update interval.
Login with aged password              Number of times and maximum number of days a user can log in using an expired password.
Password complexity                   Whether the following password complexity checking is enabled:
                                      ·     username checking—Checks whether a password contains the username or the reverse of the username.
                                      ·     repeated characters checking—Checks whether a password contains any character that appears consecutively three or more times.

display password-control blacklist

Use display password-control blacklist to display password control blacklist information. The users' IP addresses and user accounts are added to the password control blacklist when the users fail authentication.

Syntax

display password-control blacklist [ user-name name | ip ipv4-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

user-name name: Specifies a user by its name, a case-sensitive string of 1 to 55 characters.

ip ipv4-address: Specifies the IPv4 address of a user.

Usage guidelines

If you do not specify any arguments, this command displays information about all users in the password control blacklist.

If an FTP or virtual terminal line (VTY) user fails authentication, the system adds the user to a password control blacklist. You can use this command to view information about these users in the blacklist.

Users accessing the system through the console ports are not blacklisted, because the system is unable to obtain the IP addresses of these users and these users are privileged and therefore relatively secure to the system.

Examples

# Display password control blacklist information.

<Sysname> display password-control blacklist

 

 Username: test

    IP: 192.168.44.1        Login failures: 1      Lock flag: unlock

 

 Blacklist items matched: 1.

Table 10 Command output

Field                    Description
IP                       IP address of the user.
Login failed times       Number of login failures.
Lock flag                Whether the user is prohibited from logging in:
                         ·     unlock—Not prohibited.
                         ·     lock—Prohibited temporarily or permanently, depending on the password-control login-attempt command.
Blacklist items matched  Number of blacklisted users.

password-control { aging | composition | history | length } enable

Use password-control { aging | composition | history | length } enable to enable the password expiration, composition restriction, history, or minimum length restriction feature.

Use undo password-control { aging | composition | history | length } enable to disable a password control feature.

Syntax

password-control { aging | composition | history | length } enable

undo password-control { aging | composition | history | length } enable

Default

The password control features (aging, composition, history, and length) are all enabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

aging: Enables the password expiration feature.

composition: Enables the password composition restriction feature.

history: Enables the password history feature.

length: Enables the minimum password length restriction feature.

Usage guidelines

To enable a specific password control feature, first enable the global password control feature.

The system stops recording history passwords after you execute the undo password-control history enable command, but it does not delete the prior records.

If the global password control feature is enabled but the minimum password length restriction feature is disabled, the following rules apply:

·     In non-FIPS mode, a password must contain at least 4 characters and at least 4 characters must be different.

·     In FIPS mode, a password must contain at least 15 characters and at least 4 characters must be different.

Examples

# Enable the password control feature globally.

<Sysname> system-view

[Sysname] password-control enable

# Enable the password composition restriction feature.

[Sysname] password-control composition enable

# Enable the password expiration feature.

[Sysname] password-control aging enable

# Enable the minimum password length restriction feature.

[Sysname] password-control length enable

# Enable the password history feature.

[Sysname] password-control history enable

Related commands

·     display password-control

·     password-control enable

password-control aging

Use password-control aging to set the password expiration time.

Use undo password-control aging to restore the default.

Syntax

password-control aging aging-time

undo password-control aging

Default

A password expires after 90 days. The password expiration time for a user group equals the global setting. The password expiration time for a local user equals that of the user group to which the local user belongs.

Views

System view, user group view, local user view

Predefined user roles

network-admin

mdc-admin

Parameters

aging-time: Specifies the password expiration time in days, in the range of 1 to 365.

Usage guidelines

The expiration time depends on the view:

·     The time in system view has global significance and applies to all user groups.

·     The time in user group view applies to all local users in the user group.

·     The time in local user view applies only to the local user.

A password expiration time with a smaller application scope has higher priority. The system prefers to use the password expiration time in local user view for a local user.

·     If no password expiration time is configured for the local user, the system uses the password expiration time for the user group to which the local user belongs.

·     If no password expiration time is configured for the user group, the system uses the global password expiration time.

Examples

# Globally set the passwords to expire after 80 days.

<Sysname> system-view

[Sysname] password-control aging 80

# Set the passwords for user group test to expire after 90 days.

[Sysname] user-group test

[Sysname-ugroup-test] password-control aging 90

[Sysname-ugroup-test] quit

# Set the password for device management user abc to expire after 100 days.

[Sysname] local-user abc class manage

[Sysname-luser-manage-abc] password-control aging 100

Related commands

·     display local-user

·     display password-control

·     display user-group

·     password-control aging enable

password-control alert-before-expire

Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration.

Use undo password-control alert-before-expire to restore the default.

Syntax

password-control alert-before-expire alert-time

undo password-control alert-before-expire

Default

The default is 7 days.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

alert-time: Specifies the number of days before a user password expires during which the user is notified of the pending password expiration. The value range is 1 to 30.

Usage guidelines

This command is effective only for non-FTP users. FTP users can only have their passwords changed by the administrator.

Examples

# Configure the device to notify a user about pending password expiration 10 days before the user's password expires.

<Sysname> system-view

[Sysname] password-control alert-before-expire 10

Related commands

display password-control

password-control complexity

Use password-control complexity to configure the password complexity checking policy.

Use undo password-control complexity to remove a password complexity checking item.

Syntax

password-control complexity { same-character | user-name } check

undo password-control complexity { same-character | user-name } check

Default

The global password complexity checking policy is that both username checking and repeated character checking are disabled. The password complexity checking policy for a user group equals the global setting. The password complexity checking policy for a local user equals that of the user group to which the local user belongs.

Views

System view, user group view, local user view

Predefined user roles

network-admin

mdc-admin

Parameters

same-character: Refuses a password that contains any character appearing consecutively three or more times. For example, the password aaabc is not complex enough.

user-name: Refuses a password that contains the username or the reverse of the username. For example, if the username is 123, a password such as abc123 or 321df is not complex enough.

Usage guidelines

The password complexity checking policy depends on the view:

·     The policy in system view has global significance and applies to all user groups.

·     The policy in user group view applies to all local users in the user group.

·     The policy in local user view applies only to the local user.

A password complexity checking policy with a smaller application scope has higher priority. The system prefers to use the password complexity checking policy in local user view for a local user.

·     If no policy is configured for the local user, the system uses the policy for the user group to which the local user belongs.

·     If no policy is configured for the user group, the system uses the global policy.

You can enable both username checking and repeated character checking.

After password complexity checking is enabled, passwords that do not meet the policy are refused.

Examples

# Configure the password complexity checking policy, refusing any password that contains the username or the reverse of the username.

<Sysname> system-view

[Sysname] password-control complexity user-name check

Related commands

·     display local-user

·     display password-control

·     display user-group

password-control composition

Use password-control composition to configure the password composition policy.

Use undo password-control composition to restore the default.

Syntax

password-control composition type-number type-number [ type-length type-length ]

undo password-control composition

Default

In non-FIPS mode, the password using the global composition policy must contain at least one character type and at least one character for each type.

In FIPS mode, the password using the global composition policy must contain at least four character types and at least one character for each type.

In both non-FIPS and FIPS modes, the password composition policy for a user group is the same as the global policy. The password composition policy for a local user is the same as that of the user group to which the local user belongs.

Views

System view, user group view, local user view

Predefined user roles

network-admin

mdc-admin

Parameters

type-number type-number: Specifies the minimum number of character types that a password must contain. The value range for the type-number argument is 1 to 4 in non-FIPS mode and fixed at 4 in FIPS mode. The following character types are available:

·     Uppercase letters A to Z.

·     Lowercase letters a to z.

·     Digits 0 to 9.

·     Special characters in Table 11.

Table 11 Special characters

Character name       Symbol   Character name          Symbol
Ampersand sign       &        Apostrophe              '
Asterisk             *        At sign                 @
Back quote           `        Back slash              \
Blank space          N/A      Caret                   ^
Colon                :        Comma                   ,
Dollar sign          $        Dot                     .
Equal sign           =        Exclamation point       !
Left angle bracket   <        Left brace              {
Left bracket         [        Left parenthesis        (
Minus sign           -        Percent sign            %
Plus sign            +        Pound sign              #
Quotation marks      "        Right angle bracket     >
Right brace          }        Right bracket           ]
Right parenthesis    )        Semi-colon              ;
Slash                /        Tilde                   ~
Underscore           _        Vertical bar            |

type-length type-length: Specifies the minimum number of characters for each type in the password. The value range for the type-length argument is 1 to 63 in non-FIPS mode, and 1 to 15 in FIPS mode.

Usage guidelines

The password composition policy depends on the view:

·     The policy in system view has global significance and applies to all user groups.

·     The policy in user group view applies to all local users in the user group.

·     The policy in local user view applies only to the local user.

A password composition policy with a smaller application scope has higher priority. The system prefers to use the password composition policy in local user view for a local user.

·     If no policy is configured for the local user, the system uses the policy for the user group to which the local user belongs.

·     If no policy is configured for the user group, the system uses the global policy.

The product of the minimum number of character types and minimum number of characters for each type must be smaller than the maximum length of passwords.
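As an added example (not H3C code), the following Python models the checks that the password-control complexity, composition and length commands describe: per-field precedence across views (local user, then user group, then global), the type-number/type-length composition rule, the minimum length, the same-character and user-name complexity checks, and the product rule just stated. The special-character set is taken from Table 11; the 63-character maximum password length and exact-case username matching are assumptions, since the page does not state either.

```python
import string
from dataclasses import dataclass, fields
from typing import List, Optional

# Special characters from Table 11 (blank space included).
SPECIAL_CHARS = set("&'*@`\\ ^:,$.=!<{[(-%+#\">}]);/~_|")
# Assumed maximum password length; the page does not state the value.
MAX_PASSWORD_LENGTH = 63


def char_type(c: str) -> Optional[str]:
    """Classify a character into one of the four composition types."""
    if c in string.ascii_uppercase:
        return "upper"
    if c in string.ascii_lowercase:
        return "lower"
    if c in string.digits:
        return "digit"
    if c in SPECIAL_CHARS:
        return "special"
    return None  # not a permitted password character


@dataclass
class Policy:
    """Settings of one view. None means 'not configured in this view'."""
    length: Optional[int] = None           # password-control length
    type_number: Optional[int] = None      # password-control composition type-number
    type_length: Optional[int] = None      # password-control composition type-length
    same_character: Optional[bool] = None  # password-control complexity same-character check
    user_name: Optional[bool] = None       # password-control complexity user-name check


# Non-FIPS global defaults as stated in the Default sections of these commands.
GLOBAL_DEFAULT = Policy(length=10, type_number=1, type_length=1,
                        same_character=False, user_name=False)


def effective_policy(local: Policy, group: Policy, global_: Policy) -> Policy:
    """Smaller scope wins, field by field: local user, then user group, then global."""
    resolved = Policy()
    for f in fields(Policy):
        for view in (local, group, global_):
            value = getattr(view, f.name)
            if value is not None:
                setattr(resolved, f.name, value)
                break
    return resolved


def composition_setting_ok(type_number: int, type_length: int,
                           max_length: int = MAX_PASSWORD_LENGTH) -> bool:
    """Product rule: type-number * type-length must be smaller than the maximum length."""
    return type_number * type_length < max_length


def check_password(password: str, username: str, policy: Policy) -> List[str]:
    """Return the names of the checks the password fails (an empty list means accepted)."""
    failed: List[str] = []
    if len(password) < policy.length:
        failed.append("length")
    counts = {}
    for c in password:
        t = char_type(c)
        if t is None:
            if "unsupported-character" not in failed:
                failed.append("unsupported-character")
        else:
            counts[t] = counts.get(t, 0) + 1
    # A type counts toward type-number only if it contributes at least type-length characters.
    if sum(1 for n in counts.values() if n >= policy.type_length) < policy.type_number:
        failed.append("composition")
    # same-character: any character appearing three or more times consecutively.
    if policy.same_character and any(
            password[i] == password[i + 1] == password[i + 2]
            for i in range(len(password) - 2)):
        failed.append("same-character")
    # user-name: the username or its reverse inside the password (exact case assumed).
    if policy.user_name and username and (
            username in password or username[::-1] in password):
        failed.append("user-name")
    return failed
```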

Examples

# Specify that all passwords must each contain at least four character types and at least five characters for each type.

<Sysname> system-view

[Sysname] password-control composition type-number 4 type-length 5

# Specify that passwords in user group test must contain at least four character types and at least five characters for each type.

[Sysname] user-group test

[Sysname-ugroup-test] password-control composition type-number 4 type-length 5

[Sysname-ugroup-test] quit

# Specify that the password of device management user abc must contain at least four character types and at least five characters for each type.

[Sysname] local-user abc class manage

[Sysname-luser-manage-abc] password-control composition type-number 4 type-length 5

Related commands

·     display local-user

·     display password-control

·     display user-group

·     password-control composition enable

password-control enable

Use password-control enable to enable the password control feature globally.

Use undo password-control enable to disable the password control feature globally.

Syntax

password-control enable

undo password-control enable

Default

In non-FIPS mode, the password control feature is disabled globally.

In FIPS mode, the password control feature is enabled globally and cannot be disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

A specific password control feature takes effect only after the global password control feature is enabled.

After the global password control feature is enabled, you cannot display the password and super password configurations for device management users by using the corresponding display commands. The configuration for network access user passwords can be displayed. The first password configured for device management users must contain at least four different characters.

Examples

# Enable the password control feature globally.

<Sysname> system-view

[Sysname] password-control enable

Related commands

·     display password-control

·     password-control { aging | composition | history | length } enable

password-control expired-user-login

Use password-control expired-user-login to set the maximum number of days and maximum number of times that a user can log in after the password expires.

Use undo password-control expired-user-login to restore the defaults.

Syntax

password-control expired-user-login delay delay times times

undo password-control expired-user-login

Default

A user can log in three times within 30 days after the password expires.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

delay delay: Sets the maximum number of days during which a user can log in using an expired password. The value range for the delay argument is 1 to 90.

times times: Sets the maximum number of times a user can log in after the password expires. The value range is 0 to 10, and 0 means that a user cannot log in after the password expires.

Usage guidelines

This command takes effect only for non-FTP login users. An FTP user cannot log in after its password expires.

Examples

# Specify that a user can log in five times within 60 days after the password expires.

<Sysname> system-view

[Sysname] password-control expired-user-login delay 60 times 5

Related commands

display password-control

password-control history

Use password-control history to set the maximum number of history password records for each user.

Use undo password-control history to restore the default.

Syntax

password-control history max-record-num

undo password-control history

Default

The maximum number of history password records for each user is 4.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

max-record-num: Specifies the maximum number of history password records for each user. The value range is 2 to 15.

Usage guidelines

When the number of history password records reaches the set maximum number, the subsequent history record overwrites the earliest one.

The system stops recording passwords after you execute the undo password-control history enable command, but it does not delete the prior records.

To delete the existing records, use one of the following methods:

·     Use the undo password-control enable command to disable the password control feature globally.

·     Use the reset password-control history-record command to clear the history password records manually.

Examples

# Set the maximum number of history password records for each user to 10.

<Sysname> system-view

[Sysname] password-control history 10

Related commands

·     display password-control

·     password-control history enable

·     reset password-control blacklist

password-control length

Use password-control length to set the minimum password length.

Use undo password-control length to restore the default.

Syntax

password-control length length

undo password-control length

Default

In non-FIPS mode, the global minimum password length is 10 characters.

In FIPS mode, the global minimum password length is 15 characters.

In both non-FIPS and FIPS modes, the minimum password length for a user group equals the global setting. The minimum password length for a local user equals that of the user group to which the local user belongs.

Views

System view, user group view, local user view

Predefined user roles

network-admin

mdc-admin

Parameters

length: Specifies the minimum password length in characters. The value range for this argument is 4 to 32 in non-FIPS mode, and 15 to 32 in FIPS mode.

Usage guidelines

Before you execute this command, make sure the global password control feature and the minimum length feature are enabled. Otherwise, your configuration cannot take effect.

The minimum length setting depends on the view:

·     The setting in system view has global significance and applies to all user groups.

·     The setting in user group view applies to all local users in the user group.

·     The setting in local user view applies only to the local user.

A minimum password length with a smaller application scope has higher priority. The system prefers to use the minimum password length in local user view for a local user.

·     If no minimum password length is configured for the local user, the system uses the minimum password length for the user group to which the local user belongs.

·     If no minimum password length is configured for the user group, the system uses the global minimum password length.

Examples

# Set the global minimum password length to 16 characters.

<Sysname> system-view

[Sysname] password-control length 16

# Set the minimum password length to 16 characters for user group test.

[Sysname] user-group test

[Sysname-ugroup-test] password-control length 16

[Sysname-ugroup-test] quit

# Set the minimum password length to 16 characters for device management user abc.

[Sysname] local-user abc class manage

[Sysname-luser-manage-abc] password-control length 16

Related commands

·     display local-user

·     display password-control

·     display user-group

·     password-control length enable

password-control login idle-time

Use password-control login idle-time to set the maximum account idle time. If a user account is idle for this period of time, you can no longer use this account to log in to the device.

Use undo password-control login idle-time to restore the default.

Syntax

password-control login idle-time idle-time

undo password-control login idle-time

Default

You cannot use a user account to log in to the device if the account has been idle for 90 days.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

idle-time: Specifies the maximum account idle time in days. The value range is 0 to 365, and 0 means the account idle time is not limited.

Usage guidelines

If a user has not logged in within the specified idle time after the last successful login, the user account becomes invalid.

Examples

# Set the maximum account idle time to 30 days.

<Sysname> system-view

[Sysname] password-control login idle-time 30

Related commands

display password-control

password-control login-attempt

Use password-control login-attempt to configure the login attempt limit. The settings include the maximum number of consecutive login failures and the action to be taken when the maximum number is reached.

Use undo password-control login-attempt to restore the default.

Syntax

password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]

undo password-control login-attempt

Default

The global login-attempt settings:

·     The maximum number of consecutive login failures is 3.

·     The locking period is 1 minute.

The login-attempt settings for a user group equal the global settings.

The login-attempt settings for a local user equal those for the user group to which the local user belongs.

Views

System view, user group view, local user view

Predefined user roles

network-admin

mdc-admin

Parameters

login-times: Specifies the maximum number of consecutive failed login attempts. The value range is 2 to 10.

exceed: Specifies the action to take on a user who has made the maximum number of consecutive failed login attempts.

·     lock: Disables the user account permanently.

·     lock-time time: Disables the user account for a period of time. The user can use this account again when the timer expires. The value range for the time argument is 1 to 360 minutes.

·     unlock: Allows the user to continue using this account to perform login attempts.

Usage guidelines

The login-attempt policy depends on the view:

·     The policy in system view has global significance and applies to all user groups.

·     The policy in user group view applies to all local users in the user group.

·     The policy in local user view applies only to the local user.

A login-attempt policy with a smaller application scope has higher priority. The system prefers to use the login-attempt policy in local user view for a local user.

·     If no policy is configured for the local user, the system uses the policy for the user group to which the local user belongs.

·     If no policy is configured for the user group, the system uses the global policy.

If an FTP or VTY user fails to log in, the system adds the user account and the user's IP address to the password control blacklist. When the maximum number of consecutive login failures is reached, the login attempt limit feature is triggered.

Whether a blacklisted user and user account are locked depends on the locking setting:

·     If a user account is permanently locked for a user, the user cannot use this account unless this account is removed from the password control blacklist. To remove the user account, use the reset password-control blacklist command.

·     To use a temporarily locked user account, the user can perform either of the following tasks:

¡     Wait until the locking timer expires.

¡     Remove the user account from the password control blacklist.

·     If the user account and the user are blacklisted but not locked, the user can continue using this account to log in. The account and the user's IP address are removed from the password control blacklist when the user uses the account to successfully log in to the device.

NOTE:

This account is locked only for this user. Other users can still use this account, and the blacklisted user can use other user accounts.

The password-control login-attempt command takes effect immediately after being executed, and can affect the users already in the password control blacklist.
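As an added example (not H3C code), the following Python simulates the blacklist behaviour described above: entries are keyed by username and IP address, the lock, lock-time and unlock actions differ only in what happens once login-times is reached, a successful login removes the entry, a temporary lock expires on its own, and reset password-control blacklist clears entries by username. Time is an injected integer clock in minutes, and the 192.168.44.1 address is the page's own sample value.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class LoginAttemptPolicy:
    """password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]."""
    login_times: int = 3        # default: 3 consecutive failures
    exceed: str = "lock-time"   # "lock", "lock-time" or "unlock"
    lock_time: int = 1          # minutes; default locking period


@dataclass
class BlacklistEntry:
    failures: int = 0
    lock_flag: str = "unlock"           # value shown by display password-control blacklist
    locked_until: Optional[int] = None  # minute a temporary lock ends; None if permanent or unlocked


class PasswordControlBlacklist:
    """Blacklist keyed by (username, IP): a lock applies to this user on this account only."""

    def __init__(self, policy: LoginAttemptPolicy) -> None:
        self.policy = policy
        self.entries: Dict[Tuple[str, str], BlacklistEntry] = {}

    def _expire(self, key: Tuple[str, str], now: int) -> None:
        # A temporary lock that has run out drops the entry from the blacklist.
        entry = self.entries.get(key)
        if (entry is not None and entry.lock_flag == "lock"
                and entry.locked_until is not None and now >= entry.locked_until):
            del self.entries[key]

    def is_allowed(self, username: str, ip: str, now: int) -> bool:
        """May this user at this IP attempt a login with this account right now?"""
        self._expire((username, ip), now)
        entry = self.entries.get((username, ip))
        return entry is None or entry.lock_flag != "lock"

    def attempt(self, username: str, ip: str, password_ok: bool, now: int) -> bool:
        """Process one login attempt; return True if the login succeeds."""
        key = (username, ip)
        if not self.is_allowed(username, ip, now):
            return False
        if password_ok:
            self.entries.pop(key, None)  # success removes the account and IP from the blacklist
            return True
        entry = self.entries.setdefault(key, BlacklistEntry())
        entry.failures += 1
        if entry.failures >= self.policy.login_times:
            if self.policy.exceed == "lock":
                entry.lock_flag, entry.locked_until = "lock", None
            elif self.policy.exceed == "lock-time":
                entry.lock_flag, entry.locked_until = "lock", now + self.policy.lock_time
            # "unlock": the entry stays on the blacklist but further attempts are allowed
        return False

    def reset(self, username: Optional[str] = None) -> int:
        """reset password-control blacklist [ user-name name ]; returns the number of entries removed."""
        keys = [k for k in self.entries if username is None or k[0] == username]
        for k in keys:
            del self.entries[k]
        return len(keys)

    def display(self) -> str:
        """Render the entries in the layout of display password-control blacklist."""
        lines = []
        for (username, ip), e in self.entries.items():
            lines.append(f" Username: {username}")
            lines.append(f"    IP: {ip}        Login failures: {e.failures}      Lock flag: {e.lock_flag}")
            lines.append("")
        lines.append(f" Blacklist items matched: {len(self.entries)}.")
        return "\n".join(lines)
```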

Examples

# Allow a maximum of four consecutive login failures on a user account, and disable the user account if the limit is reached.

<Sysname> system-view

[Sysname] password-control login-attempt 4 exceed lock

# Use the user account test to log in to the device, and enter an incorrect password four times.

# Display the password control blacklist. The output shows that the user account is on the blacklist, and its status is lock.

[Sysname] display password-control blacklist

 

 Username: test

    IP: 192.168.44.1        Login failures: 4      Lock flag: lock

 

 Blacklist items matched: 1.

# Verify that the user at 192.168.44.1 cannot use this user account to log in.

# Allow a maximum of two consecutive login failures on a user account, and disable the account for 3 minutes if the limit is reached.

<Sysname> system-view

[Sysname] password-control login-attempt 2 exceed lock-time 3

# Use the user account test to log in to the device, and enter an incorrect password twice.

# Display the password control blacklist. The output shows that the user account is on the blacklist and its status is lock.

[Sysname] display password-control blacklist

 

 Username: test

    IP: 192.168.44.1        Login failures: 2      Lock flag: lock

 

 Blacklist items matched: 1.

# Verify that after 3 minutes, the user account is removed from the password control blacklist and the user at 192.168.44.1 can use this account.

Related commands

·     display local-user

·     display password-control

·     display password-control blacklist

·     display user-group

·     reset password-control blacklist

password-control super aging

Use password-control super aging to set the expiration time for super passwords.

Use undo password-control super aging to restore the default.

Syntax

password-control super aging aging-time

undo password-control super aging

Default

A super password expires after 90 days.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

aging-time: Specifies the super password expiration time in days in the range of 1 to 365.

Examples

# Set the super passwords to expire after 10 days.

<Sysname> system-view

[Sysname] password-control super aging 10

Related commands

·     display password-control

·     password-control aging

password-control super composition

Use password-control super composition to configure the composition policy for super passwords.

Use undo password-control super composition to restore the default.

Syntax

password-control super composition type-number type-number [ type-length type-length ]

undo password-control super composition

Default

In non-FIPS mode, a super password must contain at least one character type and at least one character for each type.

In FIPS mode, a super password must contain at least four character types and at least one character for each type.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

type-number type-number: Specifies the minimum number of character types that a super password must contain. The value range for the type-number argument is 1 to 4 in non-FIPS mode and fixed at 4 in FIPS mode.

type-length type-length: Specifies the minimum number of characters for each character type. The value range for the type-length argument is 1 to 63 in non-FIPS mode, and 1 to 15 in FIPS mode.

Usage guidelines

The product of the minimum number of character types and minimum number of characters for each type must be smaller than the maximum length of the super password.

Examples

# Specify that a super password must contain at least four character types and at least five characters for each type.

<Sysname> system-view

[Sysname] password-control super composition type-number 4 type-length 5

Related commands

·     display password-control

·     password-control composition

password-control super length

Use password-control super length to set the minimum length for super passwords.

Use undo password-control super length to restore the default.

Syntax

password-control super length length

undo password-control super length

Default

In non-FIPS mode, the minimum super password length is 10 characters.

In FIPS mode, the minimum super password length is 15 characters.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

length: Specifies the minimum length of super passwords in characters. The value range for this argument is 4 to 63 in non-FIPS mode, and 15 to 63 in FIPS mode.

Examples

# Set the minimum length of super passwords to 16 characters.

<Sysname> system-view

[Sysname] password-control super length 16

Related commands

·     display password-control

·     password-control length

password-control update-interval

Use password-control update-interval to set the minimum password update interval, which is the minimum interval at which users can change their passwords.

Use undo password-control update-interval to restore the default.

Syntax

password-control update-interval interval

undo password-control update-interval

Default

The minimum password update interval is 24 hours.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

interval: Specifies the minimum password update interval in hours. The value range is 0 to 168, and 0 means no minimum interval is enforced.

Usage guidelines

The set minimum interval is not effective on a user who is prompted to change the password at the first login or after the password expires.

Examples

# Set the minimum password update interval to 36 hours.

<Sysname> system-view

[Sysname] password-control update-interval 36

Related commands

display password-control

reset password-control blacklist

Use reset password-control blacklist to remove blacklisted users.

Syntax

reset password-control blacklist [ user-name name ]

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

user-name name: Specifies the username of a user account to be removed from the password control blacklist. The name argument is a case-sensitive string of 1 to 55 characters.

Usage guidelines

You can use this command to remove a user account that is blacklisted due to excessive login failures. Then the blacklisted user can use this user account to log in.

Examples

# Remove the user account named test from the password control blacklist.

<Sysname> reset password-control blacklist user-name test

Are you sure to delete the specified user in blacklist? [Y/N]:

Related commands

display password-control blacklist

reset password-control history-record

Use reset password-control history-record to delete history password records.

Syntax

reset password-control history-record [ super [ role role-name ] | user-name name ]

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

super: Deletes the history records of a specified super password or all super passwords.

role role-name: Specifies a user role by its name, a string of 1 to 63 characters.

user-name name: Specifies the username of the user whose password records are to be deleted. The name argument is a case-sensitive string of 1 to 55 characters.

Usage guidelines

If you do not specify any arguments or keywords, this command deletes the history password records of all local users.

If you do not specify the role role-name option, this command deletes the history records of all super passwords.

Examples

# Clear the history password records of all local users (enter Y to confirm).

<Sysname> reset password-control history-record

Are you sure to delete all local user's history records? [Y/N]:y

Related commands

password-control history


Public key management commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

display public-key local public

Use display public-key local public to display local public keys.

Syntax

display public-key local { dsa | ecdsa | rsa } public [ name key-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

dsa: Specifies the DSA key pair type.

ecdsa: Specifies the ECDSA key pair type.

rsa: Specifies the RSA key pair type.

name key-name: Specifies the name of a local asymmetric key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If you do not specify a name, the command displays the public keys of all local asymmetric key pairs of the specified type.

Usage guidelines

You can copy and distribute the public key of a local asymmetric key pair to peer devices.

Examples

# Display all local RSA public keys.

<Sysname> display public-key local rsa public

 

=============================================

Key name: hostkey (default)

Key type: RSA

Time when key pair created: 15:40:48 2013/05/12

Key code:


=============================================

Key name: serverkey (default)

Key type: RSA

Time when key pair created: 15:40:48 2013/05/12

Key code:


=============================================

Key name: rsa1

Key type: RSA

Time when key pair created: 15:42:26 2013/05/12

Key code:


# Display all local DSA public keys.

<Sysname> display public-key local dsa public

 

=============================================

Key name: dsakey (default)

Key type: DSA

Time when key pair created: 15:41:37 2013/05/12

Key code:

   308201B73082012C06072A8648CE3804013082013F02818100D757262C4584C44C211F18BD

   96E5F061C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1E

   DBD13EC8B274DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941D

   DD77FE6B12893DA76EEBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B36895038

   7811C7DA33021500C773218C737EC8EE993B4F2DED30F48EDACE915F0281810082269009E1

   4EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD

   35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B6123

   91C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1

   585DA7F42519718CC9B09EEF0381840002818041912CE34D12BCD2157E7AB1C2F03B3EF395

   100F3DB4A9E2FDFE860C1BD663D676438F7DA40A9406D61CA9079AF13E330489F1C76785DE

   52DA649AC8BC04B6D39CD7C52CD0A14F75F7491A91D31D6AC22340B5981B27A915CDEC4F09

   887E541EC1E5302D500F68E7AC29A084463C60F9EE266985A502FC92193E1CF4D265C4BA

=============================================

Key name: dsa1

Key type: DSA

Time when key pair created: 15:35:42 2013/05/12

Key code:

   308201B83082012C06072A8648CE3804013082013F02818100D757262C4584C44C211F18BD

   96E5F061C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1E

   DBD13EC8B274DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941D

   DD77FE6B12893DA76EEBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B36895038

   7811C7DA33021500C773218C737EC8EE993B4F2DED30F48EDACE915F0281810082269009E1

   4EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD

   35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B6123

   91C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1

   585DA7F42519718CC9B09EEF0381850002818100A1E456C8DA2AD1BB83B1BDF2A1A6B5A6E8

   3642B460402445DA7E4036715F468F76655E114D460B7112F57143EE020AEF4A5BFAD07B74

   0FBCB1C64DA8A2BCE619283421445EEC77D3CF0D11866E9656AD6511F4926F8376967B0AB7

   15F9FB7B514BC1174155DD6E073B1FCB3A2749E6C5FEA81003E16729497D0EAD9105E3E76A

# Display all local ECDSA public keys.

<Sysname> display public-key local ecdsa public

 

=============================================

Key name: ecdsakey (default)

Key type: ECDSA

Time when key pair created: 15:42:04 2013/05/12

Key code:

   3049301306072A8648CE3D020106082A8648CE3D03010103320004C10CF7CE42193F7FC2AF

   68F5DC877835A43009DB6135558A7FB8316C361B0690B4FD84A14C0779C76DD6145BF9362B

   1D

=============================================

Key name: ecdsa1

Key type: ECDSA

Time when key pair created: 15:43:33 2013/05/12

Key code:

   3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1

   AE672C7CFA5135D5F5B02377F2F092F182EC83B5819795BC94CCBD3EBA7D4F0F2B2EB20C58

   4D

# Display the public key of the local RSA key pair rsa1.

<Sysname> display public-key local rsa public name rsa1

 

=============================================

Key name: rsa1

Key type: RSA

Time when key pair created: 15:42:26 2013/05/12

Key code:

   30819F300D06092A864886F70D010101050003818D0030818902818100DEBC46F217DDF11D

   426E7095AA45CD6BF1F87343D952569AC223A01365E0D8C91D49D347C143C5D8FAADA896AA

   1A827E580F2502F1926F52197230E1DE391A64015C43DD79DC4E9E171BAEA1DEB4C71DAED7

   9A6EDFD460D8945D27D39B7C9822D56AEA5B7C2CCFF1B6BC524AD498C3B87D4BD6EB36AF03

   92D8C6D940890BF4290203010001

# Display the public key of the local DSA key pair dsa1.

<Sysname> display public-key local dsa public name dsa1

 

=============================================

Key name: dsa1

Key type: DSA

Time when key pair created: 15:35:42 2013/05/12

Key code:

   308201B83082012C06072A8648CE3804013082013F02818100D757262C4584C44C211F18BD

   96E5F061C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1E

   DBD13EC8B274DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941D

   DD77FE6B12893DA76EEBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B36895038

   7811C7DA33021500C773218C737EC8EE993B4F2DED30F48EDACE915F0281810082269009E1

   4EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD

   35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B6123

   91C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1

   585DA7F42519718CC9B09EEF0381850002818100A1E456C8DA2AD1BB83B1BDF2A1A6B5A6E8

   3642B460402445DA7E4036715F468F76655E114D460B7112F57143EE020AEF4A5BFAD07B74

   0FBCB1C64DA8A2BCE619283421445EEC77D3CF0D11866E9656AD6511F4926F8376967B0AB7

   15F9FB7B514BC1174155DD6E073B1FCB3A2749E6C5FEA81003E16729497D0EAD9105E3E76A

# Display the public key of the local ECDSA key pair ecdsa1.

<Sysname> display public-key local ecdsa public name ecdsa1

 

=============================================

Key name: ecdsa1

Key type: ECDSA

Time when key pair created: 15:43:33 2013/05/12

Key code:

   3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1

   AE672C7CFA5135D5F5B02377F2F092F182EC83B5819795BC94CCBD3EBA7D4F0F2B2EB20C58

   4D

Table 12 Command output

Field

Description

Key name

Name of the local key pair.

If you did not specify a name when creating the key pair, the word default in brackets follows the key pair name.

The following is the default key pair name for each key algorithm:

·     hostkey—Default RSA host key pair name.

·     serverkey—Default RSA server key pair name.

·     dsakey—Default DSA host key pair name.

·     ecdsakey—Default ECDSA host key pair name.

Key type

Options include:

·     RSA.

·     DSA.

·     ECDSA.

Time when key pair created

Date and time when the local key pair was created.

Key code

Public key string.

 

Related commands

public-key local create

display public-key peer

Use display public-key peer to display information about peer public keys.

Syntax

display public-key peer [ brief | name publickey-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

brief: Displays brief information about all peer public keys. The brief information includes only the key type, key modulus, and key name.

name publickey-name: Displays detailed information about a peer public key, including its key code. The publickey-name argument specifies the peer public key name, a case-sensitive string of 1 to 64 characters.

Usage guidelines

If none of the parameters is specified, the command displays detailed information about all peer public keys you have configured on the local device.

You can use the public-key peer command or the public-key peer import sshkey command to configure a peer public key on the local device.

Examples

# Display detailed information about the peer host public key idrsa.

<Sysname> display public-key peer name idrsa

 

=============================================

Key name: idrsa

Key type: RSA

Key modulus: 1024

Key code:

   30819F300D06092A864886F70D010101050003818D0030818902818100C5971581A78B5388

   B3C9063EC6B53D395A6704D9752B6F9B7B1F734EEB5DD509F0B050662C46FFB8D27F797E37

   918F6270C5793F1FC63638970A0E4D51A3CEF7CFF6E92BFAFD73F530E0BDE27056E81F2525

   6D0883836FD8E68031B2C272FE2EA75C87734A7B8F85B8EBEB3BD51CC26916AF3B3FDC32C3

   42C142D41BB4884FEB0203010001

Table 13 Command output

Field

Description

Key name

Name of the peer public key.

Key type

Key type: RSA, DSA or ECDSA.

Key modulus

Key modulus length in bits.

Key code

Public key string.

 

# Display brief information about all peer public keys.

<Sysname> display public-key peer brief

Type  Modulus  Name

---------------------------

RSA   1024    idrsa

DSA   1024    10.1.1.1

Table 14 Command output

Field

Description

Type

Key type: RSA, DSA or ECDSA.

Modulus

Key modulus length in bits.

Name

Name of the peer public key.

 

Related commands

·     public-key peer

·     public-key peer import sshkey

peer-public-key end

Use peer-public-key end to exit public key view to system view and save the configured peer public key.

Syntax

peer-public-key end

Views

Public key view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

After you type the peer public key on the local device, use this command to exit public key view and to save the public key.

The system verifies the public key before saving it. If the key is not in the correct format, the system discards the key and displays an error message. If the key is valid (for example, a key in the hexadecimal form shown by the display public-key local public command on the peer device), the system saves the key.

Examples

# Exit public key view and save the configured public key.

<Sysname> system-view

[Sysname] public-key peer key1

Public key view: return to System View with "peer-public-key end".

[Sysname-pkey-public-key-key1]30819F300D06092A864886F70D010101050003818D0030818902818100C0EC8014F82515F6335A0A

[Sysname-pkey-public-key-key1]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E719D1643135877E13B1C531B4

[Sysname-pkey-public-key-key1]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6B80EB5F52698FCF3D6

[Sysname-pkey-public-key-key1]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1DDE675AC30CB020301

[Sysname-pkey-public-key-key1]0001

[Sysname-pkey-public-key-key1] peer-public-key end

[Sysname]

Related commands

·     display public-key local public

·     display public-key peer

·     public-key peer

public-key local create

Use public-key local create to create local asymmetric key pairs.

Syntax

public-key local create { dsa | ecdsa | rsa } [ name key-name ]

Default

No local asymmetric key pair exists.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

dsa: Creates a DSA key pair.

ecdsa: Creates an ECDSA key pair.

rsa: Creates an RSA key pair.

name key-name: Assigns a name to the key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is assigned, the public key pair takes the default name.

Table 15 Default local key pair names

Type

Default name

RSA

·     Host key pair: hostkey

·     Server key pair: serverkey

DSA

dsakey

ECDSA

ecdsakey

 

Usage guidelines

The key algorithm must be the same as required by the security application.

The key modulus length must be appropriate (see Table 16). The longer the key modulus length, the higher the security, and the longer the key generation time. Note that 768-bit RSA moduli have been publicly factored; unless a peer cannot handle longer keys, use 2048 bits.

If you do not assign the key pair a name, the system assigns the default name to the key pair and marks the key pair as default. You can also assign the default name to another key pair, but the system does not mark the key pair as default.

The name of a key pair must be unique among all manually named key pairs that use the same key algorithm, but can be the same as a key pair that uses a different key algorithm. If a name conflict occurs, the system asks whether you want to overwrite the existing key pair.

The key pairs are automatically saved and can survive system reboots.

Table 16 A comparison of different types of asymmetric key algorithms

Type

Generated key pairs

Modulus length

RSA

·     In non-FIPS mode:

¡     One host key pair, if you specify a key pair name.

¡     One server key pair and one host key pair, if you do not specify a key pair name.
Both key pairs use their default names.

·     In FIPS mode: One host key pair.

NOTE:

Only SSH 1.5 uses the RSA server key pair.

·     In non-FIPS mode: 512 to 2048 bits, 1024 bits by default.
To ensure security, use a minimum of 768 bits.

·     In FIPS mode: 2048 bits.

DSA

One host key pair.

·     In non-FIPS mode: 512 to 2048 bits, 1024 bits by default.
To ensure security, use a minimum of 768 bits.

·     In FIPS mode: 2048 bits.

ECDSA

One host key pair.

192 bits.

 

Examples

# Create local RSA key pairs with default names.

<Sysname> system-view

[Sysname] public-key local create rsa

The range of public key modulus is (512 ~ 2048).

If the key modulus is greater than 512, it will take a few minutes.

Press CTRL+C to abort.

Input the modulus length [default = 1024]:

Generating Keys...

...++++++

.++++++

..++++++++

....++++++++

Create the key pair successfully.

# Create a local DSA key pair with the default name.

<Sysname> system-view

[Sysname] public-key local create dsa

The range of public key modulus is (512 ~ 2048).

If the key modulus is greater than 512, it will take a few minutes.

Press CTRL+C to abort.

Input the modulus length [default = 1024]:

Generating Keys...

.++++++++++++++++++++++++++++++++++++++++++++++++++*

........+......+.....+......................................+..+................

.......+..........+..............+.............+...+.....+...............+..+...

...+.................+..........+...+....+.......+.....+............+.........+.

........................+........+..........+..............+.....+...+..........

..............+.........+..........+...........+........+....+..................

.....+++++++++++++++++++++++++++++++++++++++++++++++++++*

Create the key pair successfully.

# Create a local ECDSA key pair with the default name.

<Sysname> system-view

[Sysname] public-key local create ecdsa

Generating Keys...

Create the key pair successfully.

# Create a local RSA key pair with the name rsa1.

<Sysname> system-view

[Sysname] public-key local create rsa name rsa1

The range of public key modulus is (512 ~ 2048).

If the key modulus is greater than 512, it will take a few minutes.

Press CTRL+C to abort.

Input the modulus length [default = 1024]:

Generating Keys...

...++++++

...............................++++++

Create the key pair successfully.

# Create a local DSA key pair with the name dsa1.

<Sysname> system-view

[Sysname] public-key local create dsa name dsa1

The range of public key modulus is (512 ~ 2048).

If the key modulus is greater than 512, it will take a few minutes.

Press CTRL+C to abort.

Input the modulus length [default = 1024]:

Generating Keys...

.++++++++++++++++++++++++++++++++++++++++++++++++++*

........+......+.....+......................................+..+................

.......+..........+..............+.............+...+.....+...............+..+...

...+.................+..........+...+....+.......+.....+............+.........+.

........................+........+..........+..............+.....+...+..........

..............+.........+..........+...........+........+....+..................

.....+++++++++++++++++++++++++++++++++++++++++++++++++++*

Create the key pair successfully.

# Create a local ECDSA key pair with the name ecdsa1.

<Sysname> system-view

[Sysname] public-key local create ecdsa name ecdsa1

Generating Keys...

Create the key pair successfully.

# In FIPS mode, create a local RSA key pair with the default name.

<Sysname> system-view

[Sysname] public-key local create rsa

The range of public key modulus is (2048 ~ 2048).

It will take a few minutes. Press CTRL+C to abort.

Input the modulus length [default = 2048]:

Generating Keys...

...++++++

.++++++

..++++++++

....++++++++

Create the key pair successfully.

# In FIPS mode, create a local DSA key pair with the default name.

<Sysname> system-view

[Sysname] public-key local create dsa

The range of public key modulus is (2048 ~ 2048).

It will take a few minutes. Press CTRL+C to abort.

Input the modulus length [default = 2048]:

.++++++++++++++++++++++++++++++++++++++++++++++++++*

........+......+.....+......................................+..+................

.......+..........+..............+.............+...+.....+...............+..+...

...+.................+..........+...+....+.......+.....+............+.........+.

........................+........+..........+..............+.....+...+..........

..............+.........+..........+...........+........+....+..................

.....+++++++++++++++++++++++++++++++++++++++++++++++++++*

Create the key pair successfully.

Related commands

·     display public-key local public

·     public-key local destroy

public-key local destroy

Use public-key local destroy to destroy local key pairs.

Syntax

public-key local destroy { dsa | ecdsa | rsa } [ name key-name ]

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

dsa: Specifies the DSA type.

ecdsa: Specifies the ECDSA type.

rsa: Specifies the RSA type.

name key-name: Specifies the name of a local key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is specified, the command destroys the specified type of local key pairs that take the default names.

Usage guidelines

To avoid key compromise, destroy the local key pair and generate a new pair after any of the following conditions occurs:

·     An intrusion event has occurred.

·     The storage media of the device is replaced.

·     The local certificate has expired. For more information about local certificates, see Security Configuration Guide.

Examples

# Destroy the local RSA key pairs with the default names.

<Sysname> system-view

[Sysname] public-key local destroy rsa

Confirm to destroy the key pair? [Y/N]:y

# Destroy the local DSA key pair with the default name.

<Sysname> system-view

[Sysname] public-key local destroy dsa

Confirm to destroy the key pair? [Y/N] :y

# Destroy the local ECDSA key pair with the default name.

<Sysname> system-view

[Sysname] public-key local destroy ecdsa

Confirm to destroy the key pair? [Y/N]:y

# Destroy the local RSA key pair rsa1.

<Sysname> system-view

[Sysname] public-key local destroy rsa name rsa1

Confirm to destroy the key pair? [Y/N]:y

# Destroy the local DSA key pair dsa1.

<Sysname> system-view

[Sysname] public-key local destroy dsa name dsa1

Confirm to destroy the key pair? [Y/N] :y

# Destroy the local ECDSA key pair ecdsa1.

<Sysname> system-view

[Sysname] public-key local destroy ecdsa name ecdsa1

Confirm to destroy the key pair? [Y/N]:y

Related commands

public-key local create

public-key local export dsa

Use public-key local export dsa to display the local DSA host public key in a specific format, or to export it in that format to a file.

Syntax

public-key local export dsa [ name key-name ] { openssh | ssh2 } [ filename ]

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

name key-name: Specifies the name of a local DSA key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is provided, the command displays or exports the host public key of the local DSA key pair with the default name.

openssh: Uses the format of OpenSSH.

ssh2: Uses the format of SSH2.0.

filename: Specifies the name of the file for saving the local host public key. The file name is a string of case-insensitive characters excluding ./ and ../. The name cannot be dots (.), hostkey, serverkey, dsakey, or ecdsakey, and cannot start with a slash (/). For more information about file names, see Fundamentals Configuration Guide.

Usage guidelines

Whether the command exports or displays the local DSA host public key depends on the presence of the filename argument.

You can use the command to display or export the local DSA host public key before distributing it to a peer device.

1.     Save the local host public key to a file with one of the following methods:

¡     Use the public-key local export dsa [ name key-name ] { openssh | ssh2 } command to display the local host public key in the specific format, copy and paste it to a file.

¡     Use the public-key local export dsa [ name key-name ] { openssh | ssh2 } filename command to export the host public key to the file. You cannot export the host public key to the folder pkey or its subfolders.

2.     Transfer a copy of the file to the peer device, for example, by using FTP or TFTP in binary mode.

3.     On the peer device, use the public-key peer import sshkey command to import the host public key from the file.

SSH2.0 and OpenSSH are different public key formats. Choose the proper format that is supported on the device where you import the host public key.

Examples

# Export the host public key of the local DSA key pair with the default name in OpenSSH format to a file named key.pub.

<Sysname> system-view

[Sysname] public-key local export dsa openssh key.pub

# Display the host public key of the local DSA key pair with the default name in SSH2.0 format.

<Sysname> system-view

[Sysname] public-key local export dsa ssh2

---- BEGIN SSH2 PUBLIC KEY ----

Comment: "dsa-key-2013/05/12"

(base64 key string omitted)

---- END SSH2 PUBLIC KEY ----

# Display the host public key of the local DSA key pair with the default name in OpenSSH format.

<Sysname> system-view

[Sysname] public-key local export dsa openssh

ssh-dss (base64 key string omitted) dsa-key

# Export the host public key of the local DSA key pair dsa1 in OpenSSH format to the file dsa1.pub.

<Sysname> system-view

[Sysname] public-key local export dsa name dsa1 openssh dsa1.pub

# Display the host public key of the local DSA key pair dsa1 in SSH2.0 format.

<Sysname> system-view

[Sysname] public-key local export dsa name dsa1 ssh2

---- BEGIN SSH2 PUBLIC KEY ----

Comment: "dsa-key-2013/05/12"

AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9/5ra4WzTO9yzhSg06UiL+CM7OZb5sJlhUiJ3B7b0T7IsnTan3W6Jsy5h3I2Anh+kiuoRCHyLDyJy5sG/WD+AZQd3Xf+axKJPadu68HRKNl/BnjXcitTQchQbzWCFLFqL6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAAIEAgiaQCeFOxHS68pMuadOx8YUXrZWUGEzN/OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HHbB+y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACBAKHkVsjaKtG7g7G98qGmtaboNkK0YEAkRdp+QDZxX0aPdmVeEU1GC3ES9XFD7gIK70pb+tB7dA+8scZNqKK85hkoNCFEXux3088NEYZullatZRH0km+DdpZ7CrcV+ft7UUvBF0FV3W4HOx/LOidJ5sX+qBAD4WcpSX0OrZEF4+dq

---- END SSH2 PUBLIC KEY ----

# Display the host public key of the local DSA key pair dsa1 in OpenSSH format.

<Sysname> system-view

[Sysname] public-key local export dsa name dsa1 openssh

ssh-dss AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9/5ra4WzTO9yzhSg06UiL+CM7OZb5sJlhUiJ3B7b0T7IsnTan3W6Jsy5h3I2Anh+kiuoRCHyLDyJy5sG/WD+AZQd3Xf+axKJPadu68HRKNl/BnjXcitTQchQbzWCFLFqL6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAAIEAgiaQCeFOxHS68pMuadOx8YUXrZWUGEzN/OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HHbB+y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACBAKHkVsjaKtG7g7G98qGmtaboNkK0YEAkRdp+QDZxX0aPdmVeEU1GC3ES9XFD7gIK70pb+tB7dA+8scZNqKK85hkoNCFEXux3088NEYZullatZRH0km+DdpZ7CrcV+ft7UUvBF0FV3W4HOx/LOidJ5sX+qBAD4WcpSX0OrZEF4+dq dsa-key

Related commands

·     public-key local create

·     public-key peer import sshkey

public-key local export rsa

Use public-key local export rsa to display the local RSA host public key in a specific format, or to export it in that format to a file.

Syntax

In non-FIPS mode:

public-key local export rsa [ name key-name ] { openssh | ssh1 | ssh2 } [ filename ]

In FIPS mode:

public-key local export rsa [ name key-name ] { openssh | ssh2 } [ filename ]

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

name key-name: Specifies the name of a local RSA key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is provided, the command displays or exports the host public key of the local RSA key pair with the default name.

openssh: Uses the format of OpenSSH.

ssh1: Uses the format of SSH1.5.

ssh2: Uses the format of SSH2.0.

filename: Specifies the name of the file for saving the local host public key. The file name is a string of case-insensitive characters excluding ./ and ../. The name cannot be dots (.), hostkey, serverkey, dsakey, or ecdsakey, and cannot start with a slash (/). For more information about file names, see Fundamentals Configuration Guide.

Usage guidelines

Whether the command exports or displays the host public key depends on the presence of the filename argument.

You can use the command to display or export the local RSA host public key before distributing it to a peer device.

1.     Save the local host public key to a file with one of the following methods:

¡     Use the public-key local export rsa [ name key-name ] { openssh | ssh1 | ssh2 } command to display the host public key in the specified format, then copy and paste it to a file.

¡     Use the public-key local export rsa [ name key-name ] { openssh | ssh1 | ssh2 } filename command to export the host public key to the file. You cannot export the host public key to the folder pkey or its subfolders.

2.     Transfer a copy of the file to the peer device, for example, by using FTP or TFTP in binary mode.

3.     On the peer device, use the public-key peer import sshkey command to import the host public key from the file.

SSH1.5, SSH2.0 and OpenSSH are different public key formats. Choose the proper format that is supported on the device where you import the host public key. In FIPS mode, the device only supports SSH2.0 and OpenSSH.

Examples

# Export the host public key of the local RSA key pair with the default name in OpenSSH format to the file key.pub.

<Sysname> system-view

[Sysname] public-key local export rsa openssh key.pub

# Display the host public key of the local RSA key pair with the default name in SSH2.0 format.

<Sysname> system-view

[Sysname] public-key local export rsa ssh2

---- BEGIN SSH2 PUBLIC KEY ----

Comment: "rsa-key-2013/05/12"

AAAAB3NzaC1yc2EAAAADAQABAAAAgQDapKr+/gTCyWZyabuCJuJjMeMPQaj/kixzOCCAl+hDMmEGMrSfddq/bYcbgM7Buit1AgB3x0dFyTPi85DcCznTW4goPXAKFjuzCbGfj4chakSr+/aj1k3rM+XOvyvPJilneKJqhPT0xdv4tlas+mLNloY0dImbwS2kwE71rgg1CQ==

---- END SSH2 PUBLIC KEY ----

# Display the host public key of the local RSA key pair with the default name in OpenSSH format.

<Sysname> system-view

[Sysname] public-key local export rsa openssh

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDapKr+/gTCyWZyabuCJuJjMeMPQaj/kixzOCCAl+hDMmEGMrSfddq/bYcbgM7Buit1AgB3x0dFyTPi85DcCznTW4goPXAKFjuzCbGfj4chakSr+/aj1k3rM+XOvyvPJilneKJqhPT0xdv4tlas+mLNloY0dImbwS2kwE71rgg1CQ== rsa-key

# Export the host public key of the local RSA key pair rsa1 in OpenSSH format to the file rsa1.pub.

<Sysname> system-view

[Sysname] public-key local export rsa name rsa1 openssh rsa1.pub

# Display the host public key of the local RSA key pair rsa1 in SSH2.0 format.

<Sysname> system-view

[Sysname] public-key local export rsa name rsa1 ssh2

---- BEGIN SSH2 PUBLIC KEY ----

Comment: "rsa-key-2013/05/12"

AAAAB3NzaC1yc2EAAAADAQABAAAAgQDevEbyF93xHUJucJWqRc1r8fhzQ9lSVprCI6ATZeDYyR1J00fBQ8XY+q2olqoagn5YDyUC8ZJvUhlyMOHeORpkAVxD3XncTp4XG66h3rTHHa7Xmm7f1GDYlF0n05t8mCLVaupbfCzP8ba8UkrUmMO4fUvW6zavA5LYxtlAiQv0KQ==

---- END SSH2 PUBLIC KEY ----

# Display the host public key of the local RSA key pair rsa1 in OpenSSH format.

<Sysname> system-view

[Sysname] public-key local export rsa name rsa1 openssh

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDevEbyF93xHUJucJWqRc1r8fhzQ9lSVprCI6ATZeDYyR1J00fBQ8XY+q2olqoagn5YDyUC8ZJvUhlyMOHeORpkAVxD3XncTp4XG66h3rTHHa7Xmm7f1GDYlF0n05t8mCLVaupbfCzP8ba8UkrUmMO4fUvW6zavA5LYxtlAiQv0KQ== rsa-key

Related commands

·     public-key local create

·     public-key peer import sshkey

public-key peer

Use public-key peer to specify a name for a peer public key and enter public key view.

Use undo public-key peer to delete a peer public key.

Syntax

public-key peer keyname

undo public-key peer keyname

Default

The local device has no peer public key.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

keyname: Specifies a name for a peer public key, a case-sensitive string of 1 to 64 characters.

Usage guidelines

After you execute the command to enter the public key view, type the public key. Spaces and carriage returns are allowed, but are not saved.

To manually specify a peer public key on the local device, obtain the public key in hexadecimal from the peer device beforehand, and perform the following configurations on the local device:

1.     Execute the public-key peer command to enter public key view.

2.     Type the public key.

3.     Execute the peer-public-key end command to save the public key and return to system view.

The public key you type in the public key view must be in a correct format. If your device is an H3C device, use the display public-key local public command to display and record its public key.

Examples

# Specify the name key1 for a peer public key and enter public key view.

<Sysname> system-view

[Sysname] public-key peer key1

[Sysname-pkey-public-key-key1]
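The Key code that display public-key local public prints, and that public key view accepts as typed above, is the DER-encoded SubjectPublicKeyInfo of the key in hexadecimal; the line that public-key local export rsa openssh produces is the same key in SSH wire format, base64-encoded. The following Python is an example added to this page (it is not H3C code): it converts the hostkey Key code shown under display public-key local rsa public into exactly the ssh-rsa line shown under public-key local export rsa openssh, and converts such a line back into the hexadecimal form to paste into public key view, so an operator can confirm that a key received for import or pasting is the one the peer displays before trusting it, can check the modulus length that display public-key peer brief reports, and can compare the SHA256 fingerprint with ssh-keygen -lf output on the peer. It handles RSA keys only (DSA and ECDSA key codes are rejected); the sample values are the hostkey Key code and its OpenSSH export from this page, and the minimal DER reader and writer are the only parts that go beyond what the page shows.

```python
# Added example (not Comware code): convert the hex "Key code" that
# display public-key local public prints, and that public key view accepts,
# to and from the one-line OpenSSH form that public-key local export rsa openssh
# emits.  Only RSA (rsaEncryption SubjectPublicKeyInfo) is handled; the sample
# values are the hostkey Key code and its OpenSSH export from this page.
import base64
import hashlib
import struct

HOSTKEY_HEX = (
    "30819F300D06092A864886F70D010101050003818D0030818902818100DAA4AAFEFE04C2C9"
    "667269BB8226E26331E30F41A8FF922C7338208097E84332610632B49F75DABF6D871B80CE"
    "C1BA2B75020077C74745C933E2F390DC0B39D35B88283D700A163BB309B19F8F87216A44AB"
    "FBF6A3D64DEB33E5CEBF2BCF26296778A26A84F4F4C5DBF8B656ACFA62CD96863474899BC1"
    "2DA4C04EF5AE0835090203010001"
)
HOSTKEY_OPENSSH = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDapKr+/gTCyWZyabuCJuJjMeMPQaj/kixz"
    "OCCAl+hDMmEGMrSfddq/bYcbgM7Buit1AgB3x0dFyTPi85DcCznTW4goPXAKFjuzCbGfj4ch"
    "akSr+/aj1k3rM+XOvyvPJilneKJqhPT0xdv4tlas+mLNloY0dImbwS2kwE71rgg1CQ== rsa-key"
)
RSA_OID = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1 rsaEncryption

def _be(x):
    """Minimal big-endian bytes of a positive int, 00-padded so the sign bit is clear."""
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return b"\x00" + b if b[0] & 0x80 else b

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the length's size
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _der_tlv(tag, value):
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + value

def parse_rsa_spki(key_hex):
    """Return (n, e) from a hex DER SubjectPublicKeyInfo; rejects non-RSA keys."""
    tag, spki, _ = _read_tlv(bytes.fromhex(key_hex), 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)
    if tag != 0x30 or _read_tlv(alg, 0)[:2] != (0x06, RSA_OID):
        raise ValueError("not an rsaEncryption key (DSA/ECDSA are not handled here)")
    tag, bits, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsapub, _ = _read_tlv(bits, 1)       # RSAPublicKey ::= SEQUENCE { n, e }
    tag_n, n, pos = _read_tlv(rsapub, 0)
    tag_e, e, _ = _read_tlv(rsapub, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def to_openssh(key_hex, comment="rsa-key"):
    """Key code -> 'ssh-rsa <base64 blob> comment', the OpenSSH export format."""
    n, e = parse_rsa_spki(key_hex)
    blob = b"".join(struct.pack(">I", len(f)) + f for f in (b"ssh-rsa", _be(e), _be(n)))
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

def from_openssh(line):
    """'ssh-rsa <base64 blob> ...' -> hex Key code to paste into public key view."""
    blob, fields, pos = base64.b64decode(line.split()[1]), [], 0
    while pos < len(blob):                  # SSH string fields: 4-byte length + data
        n = struct.unpack(">I", blob[pos:pos + 4])[0]
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    if fields[0] != b"ssh-rsa":
        raise ValueError("only ssh-rsa lines are handled")
    e, n = (int.from_bytes(f, "big") for f in fields[1:3])
    rsapub = _der_tlv(0x30, _der_tlv(0x02, _be(n)) + _der_tlv(0x02, _be(e)))
    alg = _der_tlv(0x30, _der_tlv(0x06, RSA_OID) + _der_tlv(0x05, b""))
    return _der_tlv(0x30, alg + _der_tlv(0x03, b"\x00" + rsapub)).hex().upper()

def modulus_bits(key_hex):
    """Modulus length in bits, the figure display public-key peer brief reports."""
    return parse_rsa_spki(key_hex)[0].bit_length()

def fingerprint(key_hex):
    """OpenSSH-style SHA256 fingerprint, comparable with ssh-keygen -lf on the peer."""
    blob = base64.b64decode(to_openssh(key_hex).split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
```

Running to_openssh(HOSTKEY_HEX) reproduces the ssh-rsa line shown under public-key local export rsa openssh character for character, and from_openssh of that line reproduces the hostkey Key code, which is the check to perform on a key before pasting it into public key view or before accepting an imported file from a peer. The modulus_bits value is what to audit against the minimum-length guidance given for public-key local create.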

Related commands

·     display public-key local public

·     display public-key peer

·     peer-public-key end

public-key peer import sshkey

Use public-key peer import sshkey to import a peer host public key from the public key file.

Use undo public-key peer to remove the specified peer host public key.

Syntax

public-key peer keyname import sshkey filename

undo public-key peer keyname

Default

The device has no peer public key.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

keyname: Specifies a name for a peer public key, a case-sensitive string of 1 to 64 characters.

filename: Specifies the name of the file that contains the peer host public key. The file name is a string of case-insensitive characters excluding ./ and ../. The name cannot be dots (.), hostkey, serverkey, dsakey, or ecdsakey, and cannot start with a slash (/). For more information about file names, see Fundamentals Configuration Guide.

Usage guidelines

After you configure this command, the system automatically transforms the host public key to the PKCS format, and saves the key. This operation requires that you get a copy of the public key file from the peer device through FTP or TFTP in binary mode in advance.

In non-FIPS mode, the device supports importing public keys in the format of SSH1.5, SSH2.0, and OpenSSH.

In FIPS mode, the device supports importing public keys in the format of SSH2.0 and OpenSSH.

Examples

# Import the peer host public key key2 from the public key file key.pub.

<Sysname> system-view

[Sysname] public-key peer key2 import sshkey key.pub

Related commands

·     display public-key peer

·     public-key local export dsa

·     public-key local export rsa


PKI commands

The PKI feature is available in Release 1138P01 and later versions.

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

attribute

Use attribute to configure a rule to filter certificates based on an attribute in the certificate issuer name, subject name, or alternative subject name field.

Use undo attribute to remove an attribute rule.

Syntax

attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value

undo attribute id

Default

No attribute rules exist.

Views

Certificate attribute group view

Predefined user roles

network-admin

mdc-admin

Parameters

id: Specifies a rule ID in the range of 1 to 16.

alt-subject-name: Specifies the alternative subject name.

fqdn: Specifies an FQDN of the PKI entity.

ip: Specifies an IP address of the PKI entity.

dn: Specifies the DN of the PKI entity.

issuer-name: Specifies the issuer name.

subject-name: Specifies the subject name.

ctn: Specifies the contain operation.

equ: Specifies the equal operation.

nctn: Specifies the not-contain operation.

nequ: Specifies the not-equal operation.

attribute-value: Sets an attribute value, a case-insensitive string of 1 to 128 characters.

Usage guidelines

The issuer name, subject name, and alternative subject name field can contain the following attributes in a certificate:

·     The subject name and the issuer name can each contain a single DN, multiple FQDNs, and multiple IP addresses.

·     The alternative subject name can contain multiple FQDNs and IP addresses but zero DNs.

An attribute rule combines an attribute-value pair with an operation keyword. Table 17 lists what each operation means for a DN attribute and for an FQDN or IP address attribute.

Table 17 Combinations of attribute-value pairs and operation keywords

ctn

·     DN: The DN contains the specified attribute value.

·     FQDN/IP: Any FQDN or IP address contains the specified attribute value.

nctn

·     DN: The DN does not contain the specified attribute value.

·     FQDN/IP: None of the FQDNs or IP addresses contain the specified attribute value.

equ

·     DN: The DN is the same as the specified attribute value.

·     FQDN/IP: Any FQDN or IP address is the same as the specified attribute value.

nequ

·     DN: The DN is not the same as the specified attribute value.

·     FQDN/IP: None of the FQDNs or IP addresses are the same as the specified attribute value.

 

A certificate matches an attribute rule only if it contains an attribute that satisfies the criterion defined in the rule. For example, if a rule requires the subject DN to contain the string abc, every certificate whose subject DN contains abc (the comparison is case-insensitive) matches the rule.

A certificate matches an attribute group only if it matches all attribute rules in the group.
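The following Python is an added example, not code from the H3C manual or the switch software. It implements the Table 17 operation semantics and the "all rules must match" group rule so you can test a rule set against a certificate before deploying it. The NameField and Rule classes, their field names, and the constructed certificate are assumptions made for illustration; the three rules are the ones from the examples above.

```python
"""Attribute rule and attribute group matching as defined for the attribute command.

Added example, not H3C code. The certificate model (NameField), the Rule class
and the field names are assumptions made for illustration; the operation
semantics follow Table 17.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class NameField:
    """One name field of a certificate as the rule engine sees it.

    Subject name and issuer name hold at most one DN plus any number of FQDNs
    and IP addresses; the alternative subject name holds FQDNs and IPs only,
    so its dn stays None.
    """
    dn: Optional[str] = None
    fqdn: List[str] = field(default_factory=list)
    ip: List[str] = field(default_factory=list)


@dataclass
class Rule:
    rule_id: int      # 1 to 16
    name_field: str   # "subject-name", "issuer-name" or "alt-subject-name"
    attr_type: str    # "dn", "fqdn" or "ip"
    op: str           # "ctn", "equ", "nctn" or "nequ"
    value: str        # attribute-value, compared case-insensitively

    def __post_init__(self) -> None:
        if not 1 <= self.rule_id <= 16:
            raise ValueError("rule ID must be 1 to 16")
        if not 1 <= len(self.value) <= 128:
            raise ValueError("attribute value must be 1 to 128 characters")
        if self.name_field not in ("subject-name", "issuer-name", "alt-subject-name"):
            raise ValueError(f"unknown name field {self.name_field!r}")
        if self.attr_type not in ("dn", "fqdn", "ip"):
            raise ValueError(f"unknown attribute type {self.attr_type!r}")
        if self.op not in ("ctn", "equ", "nctn", "nequ"):
            raise ValueError(f"unknown operation {self.op!r}")
        if self.name_field == "alt-subject-name" and self.attr_type == "dn":
            raise ValueError("alt-subject-name cannot carry a DN")


def _match_values(values: List[str], op: str, wanted: str) -> bool:
    """Apply one operation keyword to all candidate values (Table 17).

    ctn/equ succeed if any value contains/equals the wanted string; nctn/nequ
    succeed only if none does. A field with no value of the requested type
    therefore satisfies nctn/nequ vacuously, which is how the page's example of
    a rule matching certificates that "do not contain" an FQDN reads.
    """
    w = wanted.lower()
    vals = [v.lower() for v in values]
    contains = any(w in v for v in vals)
    equals = any(v == w for v in vals)
    return {"ctn": contains, "equ": equals, "nctn": not contains, "nequ": not equals}[op]


def rule_matches(rule: Rule, cert: Dict[str, NameField]) -> bool:
    """True if the selected name field holds attributes satisfying the rule."""
    nf = cert[rule.name_field]
    if rule.attr_type == "dn":
        values = [nf.dn] if nf.dn is not None else []
    elif rule.attr_type == "fqdn":
        values = nf.fqdn
    else:
        values = nf.ip
    return _match_values(values, rule.op, rule.value)


def group_matches(rules: List[Rule], cert: Dict[str, NameField]) -> bool:
    """A certificate matches a group only if it matches every rule (logical AND).

    The page does not define an empty group; this treats it as matching
    nothing (assumption)."""
    return bool(rules) and all(rule_matches(r, cert) for r in rules)


def page_example_group() -> List[Rule]:
    """The three rules configured in the attribute examples above."""
    return [
        Rule(1, "subject-name", "dn", "ctn", "abc"),
        Rule(2, "issuer-name", "fqdn", "nequ", "abc"),
        Rule(3, "alt-subject-name", "ip", "nequ", "10.0.0.1"),
    ]


def example_certificate() -> Dict[str, NameField]:
    """A constructed certificate (not from the page) to run the rules against."""
    return {
        "subject-name": NameField(dn="C=cn, O=docm, OU=rnd, CN=abc-server"),
        "issuer-name": NameField(dn="C=cn, O=docm, OU=rnd, CN=rootca", fqdn=["ca.docm.com"]),
        "alt-subject-name": NameField(fqdn=["docm.com"], ip=["10.0.0.2"]),
    }


if __name__ == "__main__":
    cert = example_certificate()
    for r in page_example_group():
        print(f"rule {r.rule_id}: {rule_matches(r, cert)}")
    print("group matches:", group_matches(page_example_group(), cert))
```

Because a group is a logical AND, a deny rule built from a group with several rules only fires on certificates that satisfy every one of them; to deny on any of several conditions, put each condition in its own group.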

Examples

# Create a certificate attribute group and enter its view.

<Sysname> system-view

[Sysname] pki certificate attribute-group mygroup

# Specify an attribute rule to match certificates that contain the abc string in the subject DN.

[Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc

# Specify an attribute rule to match certificates whose issuer name field has no FQDN equal to abc.

[Sysname-pki-cert-attribute-group-mygroup] attribute 2 issuer-name fqdn nequ abc

# Specify an attribute rule to match certificates whose alternative subject name field has no IP address equal to 10.0.0.1.

[Sysname-pki-cert-attribute-group-mygroup] attribute 3 alt-subject-name ip nequ 10.0.0.1

Related commands

·     display pki certificate attribute-group

·     rule

ca identifier

Use ca identifier to specify the trusted CA.

Use undo ca identifier to remove the trusted CA.

Syntax

ca identifier name

undo ca identifier

Default

No trusted CA is specified.

Views

PKI domain view

Predefined user roles

network-admin

mdc-admin

Parameters

name: Specifies the name of the trusted CA, a case-sensitive string of 1 to 63 characters.

Usage guidelines

To obtain a CA certificate, you must specify the trusted CA name. The trusted CA name uniquely identifies the CA to be used if multiple CAs exist on the same CA server. The CA server's URL is specified by using the certificate request url command.

When you use this command, make sure the specified CA name is consistent with the name of the CA that owns the CA certificate to be obtained.

Examples

# Specify the trusted CA as new-ca.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] ca identifier new-ca

certificate request entity

Use certificate request entity to specify the PKI entity for certificate request.

Use undo certificate request entity to remove the PKI entity for certificate request.

Syntax

certificate request entity entity-name

undo certificate request entity

Default

No PKI entity is specified for certificate request.

Views

PKI domain view

Predefined user roles

network-admin

mdc-admin

Parameters

entity-name: Specifies a PKI entity by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

A PKI entity describes the identity attributes of an entity for certificate request, including the following information:

·     Common name.

·     Organization.

·     Unit in the organization.

·     Locality.

·     State and country where the entity resides.

·     FQDN.

·     IP address.

You can specify only one PKI entity for a PKI domain. If you configure this command for a PKI domain multiple times, the most recent configuration takes effect.

Examples

# Specify PKI entity en1 for certificate request in PKI domain aaa.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] certificate request entity en1

Related commands

pki entity

certificate request from

Use certificate request from to specify the type of certificate request reception authority.

Use undo certificate request from to remove the configuration.

Syntax

certificate request from { ca | ra }

undo certificate request from

Default

The type of certificate request reception authority is not specified.

Views

PKI domain view

Predefined user roles

network-admin

mdc-admin

Parameters

ca: Specifies the CA to accept certificate requests.

ra: Specifies the RA to accept certificate requests.

Usage guidelines

The CA server determines whether CA or RA accepts certificate requests. This authority setting must be consistent with the setting on the CA server.

Examples

# Specify the RA to accept certificate requests.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] certificate request from ra

certificate request mode

Use certificate request mode to set the certificate request mode.

Use undo certificate request mode to restore the default.

Syntax

certificate request mode { auto [ password { cipher | simple } password ] | manual }

undo certificate request mode

Default

The certificate request mode is manual.

Views

PKI domain view

Predefined user roles

network-admin

mdc-admin

Parameters

auto: Specifies the auto certificate request mode.

password: Specifies a password for certificate revocation as required by the CA policy.

cipher: Sets a ciphertext password for certificate revocation.

simple: Sets a plaintext password for certificate revocation. For security purposes, all passwords, including passwords configured in plain text, are saved in cipher text.

password: Specifies the password string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 31 characters. If cipher is specified, it must be a ciphertext string of 1 to 73 characters.

manual: Specifies the manual certificate request mode.

Usage guidelines

A certificate request can be submitted to a CA in offline or online mode. In online mode, a certificate request can be automatically or manually submitted:

·     Auto request mode—A PKI entity automatically obtains the CA certificate and submits a certificate request to the CA when both of the following conditions exist:

¡     A PKI-based application (IKE, for example) performs identity authentication.

¡     No certificate is available for the application on the device.

·     Manual request mode—You must manually obtain the CA certificate and submit certificate requests.

Examples

# Set the certificate request mode to auto.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] certificate request mode auto

# Set the certificate request mode to auto, and set the certificate revocation password in plain text to 123456.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] certificate request mode auto password simple 123456

Related commands

pki request-certificate

certificate request polling

Use certificate request polling to set the polling interval and the maximum number of attempts to query certificate request status.

Use undo certificate request polling to restore the defaults.

Syntax

certificate request polling { count count | interval minutes }

undo certificate request polling { count | interval }

Default

The polling interval is 20 minutes, and the maximum number of attempts is 50.

Views

PKI domain view

Predefined user roles

network-admin

mdc-admin

Parameters

count count: Sets the maximum number of attempts to query certificate request status. The value range is 1 to 100.

interval minutes: Sets a polling interval in minutes, in the range of 5 to 168.

Usage guidelines

After a PKI entity submits a certificate request, the CA server might take a while to issue the certificate if the CA administrator approves requests manually. During this period, the PKI entity periodically queries the CA server for the request status. It stops querying when it obtains the certificate or when the maximum number of query attempts is reached. If the maximum number of query attempts is reached without a certificate, the certificate request fails.

If the CA server automatically approves a certificate request, the PKI entity can obtain the certificate immediately after it submits a certificate request. In this case, the PKI entity does not send queries to the CA server.
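The following Python is an added example, not code from the H3C manual or the switch software. It models the submit-then-poll behaviour described above so the two stop conditions (certificate obtained, or attempt budget exhausted) and the auto-approval shortcut can be exercised offline. FakeCA, its approve_after parameter and the injected sleep function are assumptions for illustration; the count and interval ranges and defaults are the ones documented for this command.

```python
"""Certificate request status polling as described for certificate request polling.

Added example, not H3C code. FakeCA stands in for the SCEP server so the loop
runs offline, and the sleep function is injected so tests need not wait. Only
the count/interval ranges, defaults and stop conditions come from the page.
"""
from typing import Callable, Optional, Tuple

DEFAULT_COUNT = 50          # page default: maximum number of query attempts
DEFAULT_INTERVAL_MIN = 20   # page default: polling interval in minutes


class FakeCA:
    """Simulated CA (assumption). approve_after=0: auto-approves on submission;
    N > 0: the administrator approves after N status queries; None: never."""

    def __init__(self, approve_after: Optional[int]) -> None:
        self.approve_after = approve_after
        self.status_queries = 0

    def submit(self) -> str:
        return "issued" if self.approve_after == 0 else "pending"

    def query_status(self) -> str:
        self.status_queries += 1
        if self.approve_after is not None and self.status_queries >= self.approve_after:
            return "issued"
        return "pending"


def request_certificate(ca: FakeCA, count: int = DEFAULT_COUNT,
                        interval_minutes: int = DEFAULT_INTERVAL_MIN,
                        sleep: Callable[[float], None] = lambda seconds: None) -> Tuple[str, int]:
    """Submit a request, then poll until issued or until the attempt budget is spent.

    Returns (outcome, status_queries_sent). Outcome is "issued" or "failed"; a
    request still pending when the last attempt is used fails, as the usage
    guidelines state. An auto-approving CA returns the certificate on
    submission, so no status query is sent at all.
    """
    if not 1 <= count <= 100:
        raise ValueError("count must be 1 to 100")
    if not 5 <= interval_minutes <= 168:
        raise ValueError("interval must be 5 to 168 minutes")

    if ca.submit() == "issued":
        return "issued", 0

    for attempt in range(1, count + 1):
        sleep(interval_minutes * 60)          # wait one polling interval
        if ca.query_status() == "issued":
            return "issued", attempt
    return "failed", count


def worst_case_wait_seconds(count: int = DEFAULT_COUNT,
                            interval_minutes: int = DEFAULT_INTERVAL_MIN) -> int:
    """Longest time a pending request stays open before it is declared failed."""
    return count * interval_minutes * 60


if __name__ == "__main__":
    print(request_certificate(FakeCA(0)))                  # auto-approved, no polling
    print(request_certificate(FakeCA(3), count=40, interval_minutes=15))
    print(request_certificate(FakeCA(None), count=5))      # never approved
    print("default worst case (h):", worst_case_wait_seconds() / 3600)
```

With the defaults (50 attempts every 20 minutes) a request that is never approved stays pending for roughly 16.7 hours before it fails; size count and interval to the approval turnaround you actually expect from the CA operators.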

Examples

# Set the polling interval to 15 minutes, and the maximum number of query attempts to 40.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] certificate request polling interval 15

[Sysname-pki-domain-aaa] certificate request polling count 40

Related commands

display pki certificate request-status

certificate request url

Use certificate request url to specify the URL of the certificate request reception authority (CA or RA) to which the device should send SCEP certificate requests.

Use undo certificate request url to remove the configuration.

Syntax

certificate request url url-string [ vpn-instance vpn-instance-name ]

undo certificate request url

Default

The URL of the certificate request reception authority is not specified.

Views

PKI domain view

Predefined user roles

network-admin

mdc-admin

Parameters

url-string: Specifies the URL of the certificate request reception authority, a case-sensitive string of 1 to 511 characters. The URL length is restricted by the CLI string limitation or the url-string parameter, whichever is smaller.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the certificate request reception authority server belongs. A VPN instance name is a case-sensitive string of 1 to 31 characters. If the certificate request reception authority server is on the public network, do not specify this option.

Usage guidelines

The URL is in the format http://server_location/ca_script_location, where:

·     The server_location argument is the IPv4 address or domain name of the certificate request reception authority (CA or RA) server.

·     The ca_script_location argument is the path of the application script on the server.

Examples

# Specify http://169.254.0.100/certsrv/mscep/mscep.dll as the URL where the device should send certificate requests.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] certificate request url http://169.254.0.100/certsrv/mscep/mscep.dll

# Specify http://mytest.net/certsrv/mscep/mscep.dll in VPN instance vpn1 as the URL where the device should send certificate requests.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] certificate request url http://mytest.net/certsrv/mscep/mscep.dll vpn-instance vpn1

common-name

Use common-name to set the common name for a PKI entity.

Use undo common-name to remove the configuration.

Syntax

common-name common-name-string

undo common-name

Default

No common name is set for a PKI entity.

Views

PKI entity view

Predefined user roles

network-admin

mdc-admin

Parameters

common-name-string: Specifies a common name, a case-sensitive string of 1 to 63 characters. No comma can be included. You can set the username of the PKI entity as the common name.

Examples

# Specify test as the common name of the PKI entity en.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en] common-name test

country

Use country to set the country code of a PKI entity.

Use undo country to remove the configuration.

Syntax

country country-code-string

undo country

Default

No country code is set for a PKI entity.

Views

PKI entity view

Predefined user roles

network-admin

mdc-admin

Parameters

country-code-string: Specifies a country code, a case-sensitive string of two characters. For example, CN is the country code for China.

Examples

# Specify CN as the country code of the PKI entity en.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en] country CN

crl check

Use crl check enable to enable CRL checking.

Use undo crl check enable to disable CRL checking.

Syntax

crl check enable

undo crl check enable

Default

CRL checking is enabled.

Views

PKI domain view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

A CA signs and publishes a list of revoked certificates, called a CRL. Revoked certificates must no longer be trusted.

CRL checking verifies whether a certificate being validated has been revoked. If you disable CRL checking, the device accepts certificates that the CA has already revoked, so disable it only when no CRL repository is reachable and that risk is acceptable.

Examples

# Disable CRL checking.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] undo crl check enable

Related commands

·     pki import

·     pki retrieve-certificate

·     pki validate-certificate

crl url

Use crl url to specify the URL of the CRL repository.

Use undo crl url to remove the configuration.

Syntax

crl url url-string [ vpn-instance vpn-instance-name ]

undo crl url

Default

The URL of the CRL repository is not specified.

Views

PKI domain view

Predefined user roles

network-admin

mdc-admin

Parameters

url-string: Specifies the URL of the CRL repository, a case-sensitive string of 1 to 511 characters. The URL format is ldap://server_location or http://server_location, where server_location can be an IP address or a domain name. The URL length is restricted by the CLI string limitation or the url-string parameter, whichever is smaller.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If the CRL repository is on the public network, do not specify this option.

Usage guidelines

To use CRL checking, a CRL must be obtained from a CRL repository.

The device selects a CRL repository in the following order:

1.     CRL repository specified in the PKI domain by using this command.

2.     CRL repository in the certificate that is being verified.

3.     CRL repository in the CA certificate or CRL repository in the upper-level CA certificate if the CA certificate is the certificate being verified.

If no CRL repository is found through this selection process, the device obtains the CRL through SCEP. In this case, the CA certificate and the local certificates must already have been obtained.

If an LDAP URL is specified, the device connects to the LDAP server to obtain the CRL. If the URL does not include the LDAP server's host name, the device completes the URL with the LDAP server address specified in the PKI domain by the ldap-server command.
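The following Python is an added example, not code from the H3C manual or the switch software. It walks the selection order above for a given PKI domain and certificate, applies the SCEP fallback with its precondition, and completes a host-less ldap:// URL from the domain's LDAP server. The PkiDomain and Cert models, their field names, and the sample URLs are assumptions made for illustration.

```python
"""CRL repository selection order from the crl url usage guidelines.

Added example, not H3C code. The PkiDomain and Cert models, the field names
and the sample URLs are assumptions for illustration; the selection order,
the SCEP fallback and its precondition, and the LDAP host completion are the
behaviour the page describes.
"""
from dataclasses import dataclass, field
from typing import List, NamedTuple, Optional
from urllib.parse import urlsplit


@dataclass
class Cert:
    subject: str
    crl_dp: Optional[str] = None   # URL from the CRL Distribution Points extension


@dataclass
class PkiDomain:
    name: str
    crl_url: Optional[str] = None          # crl url command
    ldap_server: Optional[str] = None      # ldap-server command, host[:port]
    ca_chain: List[Cert] = field(default_factory=list)    # issuing CA first, root last
    local_certs: List[Cert] = field(default_factory=list)


class CrlSource(NamedTuple):
    method: str          # "url" or "scep"
    url: Optional[str]
    reason: str


def complete_ldap_url(url: str, ldap_server: Optional[str]) -> str:
    """An ldap:// URL without a host is completed from the domain's LDAP server."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ldap" or parts.netloc:
        return url
    if not ldap_server:
        raise ValueError(f"{url!r} names no LDAP host and no ldap-server is configured")
    path = parts.path if parts.path.startswith("/") else "/" + parts.path
    return f"ldap://{ldap_server}{path}"


def select_crl_source(domain: PkiDomain, target: Cert) -> CrlSource:
    """Pick where the device fetches the CRL needed to verify `target`."""
    def via(url: str, reason: str) -> CrlSource:
        return CrlSource("url", complete_ldap_url(url, domain.ldap_server), reason)

    # 1. Repository configured in the PKI domain with crl url.
    if domain.crl_url:
        return via(domain.crl_url, "crl url configured in PKI domain")
    # 2. Repository named in the certificate being verified.
    if target.crl_dp:
        return via(target.crl_dp, "CRL distribution point in certificate being verified")
    # 3. Repository named in the CA certificate; if the target is itself a CA
    #    certificate in the chain, use the upper-level CA certificate instead.
    #    Only that one certificate is consulted (literal reading of the page).
    if target in domain.ca_chain:
        idx = domain.ca_chain.index(target)
        issuer = domain.ca_chain[idx + 1] if idx + 1 < len(domain.ca_chain) else None
    else:
        issuer = domain.ca_chain[0] if domain.ca_chain else None
    if issuer is not None and issuer.crl_dp:
        return via(issuer.crl_dp, f"CRL distribution point in CA certificate {issuer.subject}")
    # 4. Nothing found: fall back to SCEP, which needs the CA and local certificates.
    if domain.ca_chain and domain.local_certs:
        return CrlSource("scep", None, "no repository found; retrieve CRL through SCEP")
    raise LookupError("no CRL repository found and the SCEP fallback needs the CA and "
                      "local certificates to be obtained first")


if __name__ == "__main__":
    root = Cert("CN=rootca", crl_dp="http://169.254.0.30/root.crl")
    sub = Cert("CN=ipsec")
    leaf = Cert("CN=fips fips-sec", crl_dp="http://titan/pki/pub/crl/cacrl.crl")
    dom = PkiDomain("aaa", ca_chain=[sub, root], local_certs=[leaf])
    for cert in (leaf, sub, Cert("CN=other")):
        print(cert.subject, "->", select_crl_source(dom, cert))
```

Note the practical consequence of step 1: a crl url configured in the domain overrides whatever the certificate itself advertises, so a stale or wrong domain URL silently replaces the CA's published distribution point.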

Examples

# Specify http://169.254.0.30 as the URL of the CRL repository.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] crl url http://169.254.0.30

# Specify ldap://169.254.0.30 in VPN instance vpn1 as the URL of the CRL repository.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] crl url ldap://169.254.0.30 vpn-instance vpn1

Related commands

·     ldap-server

·     pki retrieve-crl

display pki certificate access-control-policy

Use display pki certificate access-control-policy to display information about certificate-based access control policies.

Syntax

display pki certificate access-control-policy [ policy-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

policy-name: Specifies a certificate-based access control policy by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

If you do not specify a policy name, this command displays information about all certificate-based access control policies.

Examples

# Display information about the certificate-based access control policy mypolicy.

<Sysname> display pki certificate access-control-policy mypolicy

 Access control policy name: mypolicy

     Rule 1  deny    mygroup1

     Rule 2  permit  mygroup2

# Display information about all certificate-based access control policies.

<Sysname> display pki certificate access-control-policy

 Total PKI certificate access control policies: 2

 Access control policy name: mypolicy1

     Rule 1  deny    mygroup1

     Rule 2  permit  mygroup2

 Access control policy name: mypolicy2

     Rule 1  deny    mygroup3

     Rule 2  permit  mygroup4

Table 18 Command output

Field

Description

Total PKI certificate access control policies

Total number of certificate-based access control policies.

permit

A certificate passes the check and is considered valid if it matches all attribute rules in the attribute group associated with the access control rule.

deny

A certificate fails the check and is considered invalid if it matches all attribute rules in the attribute group associated with the access control rule.

 

Related commands

·     pki certificate access-control-policy

·     rule

display pki certificate attribute-group

Use display pki certificate attribute-group to display information about certificate attribute groups.

Syntax

display pki certificate attribute-group [ group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

group-name: Specifies a certificate attribute group by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

If you do not specify a certificate attribute group, this command displays information about all certificate attribute groups.

Examples

# Display information about the certificate attribute group mygroup.

<Sysname> display pki certificate attribute-group mygroup

 Attribute group name: mygroup

      Attribute  1 subject-name     dn    ctn   abc

      Attribute  2 issuer-name      fqdn  nctn  app

# Display information about all certificate attribute groups.

<Sysname> display pki certificate attribute-group

 Total PKI certificate attribute groups: 2.

 Attribute group name: mygroup1

      Attribute  1 subject-name     dn    ctn   abc

      Attribute  2 issuer-name      fqdn  nctn  app

 Attribute group name: mygroup2

      Attribute  1 subject-name     dn    ctn   def

      Attribute  2 issuer-name      fqdn  nctn  fqd

Table 19 Command output

Field

Description

Total PKI certificate attribute groups

Total number of certificate attribute groups.

ctn

Contain operation.

nctn

Not-contain operation.

equ

Equal operation.

nequ

Not-equal operation.

Attribute  1 subject-name     dn    ctn   abc

Attribute rule 1 defines that the DN in the subject name contains the string of abc.

 

Related commands

·     attribute

·     pki certificate attribute-group

display pki certificate domain

Use display pki certificate domain to display information about certificates.

Syntax

display pki certificate domain domain-name { ca | local | peer [ serial serial-num ] }

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').

ca: Specifies the CA certificate.

local: Specifies the local certificates.

peer: Specifies the peer certificates.

serial serial-num: Specifies the serial number of a peer certificate.

Usage guidelines

If you specify the ca keyword, this command displays information about all CA and RA certificates in the domain.

If you specify the local keyword, this command displays information about all local certificates in the domain.

If you specify the peer keyword but do not specify a serial number, this command displays brief information about all peer certificates. If you specify a serial number, this command displays detailed information about the specified peer certificate.

Examples

# Display information about the CA certificate in the PKI domain aaa.

<Sysname> display pki certificate domain aaa ca

Certificate:

    Data:

        Version: 1 (0x0)

        Serial Number:

            5c:72:dc:c4:a5:43:cd:f9:32:b9:c1:90:8f:dd:50:f6

        Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=cn, O=docm, OU=rnd, CN=rootca

        Validity

            Not Before: Jan  6 02:51:41 2011 GMT

            Not After : Dec  7 03:12:05 2013 GMT

        Subject: C=cn, O=ccc, OU=ppp, CN=rootca

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (1024 bit)

                Modulus:

                    00:c4:fd:97:2c:51:36:df:4c:ea:e8:c8:70:66:f0:

                    28:98:ec:5a:ee:d7:35:af:86:c4:49:76:6e:dd:40:

                    4a:9e:8d:c0:cb:d9:10:9b:61:eb:0c:e0:22:ce:f6:

                    57:7c:bb:bb:1b:1d:b6:81:ad:90:77:3d:25:21:e6:

                    7e:11:0a:d8:1d:3c:8e:a4:17:1e:8c:38:da:97:f6:

                    6d:be:09:e3:5f:21:c5:a0:6f:27:4b:e3:fb:9f:cd:

                    c1:91:18:ff:16:ee:d8:cf:8c:e3:4c:a3:1b:08:5d:

                    84:7e:11:32:5f:1a:f8:35:25:c0:7e:10:bd:aa:0f:

                    52:db:7b:cd:5d:2b:66:5a:fb

                Exponent: 65537 (0x10001)

    Signature Algorithm: sha1WithRSAEncryption

        6d:b1:4e:d7:ef:bb:1d:67:53:67:d0:8f:7c:96:1d:2a:03:98:

        3b:48:41:08:a4:8f:a9:c1:98:e3:ac:7d:05:54:7c:34:d5:ee:

        09:5a:11:e3:c8:7a:ab:3b:27:d7:62:a7:bb:bc:7e:12:5e:9e:

        4c:1c:4a:9f:d7:89:ca:20:46:de:c5:b3:ce:36:ca:5e:6e:dc:

        e7:c6:fe:3f:c5:38:dd:d5:a3:36:ad:f4:3d:e6:32:7f:48:df:

        07:f0:a2:32:89:86:72:22:cd:ed:e5:0f:95:df:9c:75:71:e7:

        fe:34:c5:a0:64:1c:f0:5c:e4:8f:d3:00:bd:fa:90:b6:64:d8:

        88:a6

# Display information about the local certificates in the PKI domain aaa.

<Sysname> display pki certificate domain aaa local

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            bc:05:70:1f:0e:da:0d:10:16:1e

        Signature Algorithm: sha256WithRSAEncryption

        Issuer: C=CN, O=sec, OU=software, CN=ipsec

        Validity

            Not Before: Jan  7 20:05:44 2011 GMT

            Not After : Jan  7 20:05:44 2012 GMT

        Subject: O=OpenCA Labs, OU=Users, CN=fips fips-sec

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (1024 bit)

                Modulus:

                    00:b2:38:ad:8c:7d:78:38:37:88:ce:cc:97:17:39:

                    52:e1:99:b3:de:73:8b:ad:a8:04:f9:a1:f9:0d:67:

                    d8:95:e2:26:a4:0b:c2:8c:63:32:5d:38:3e:fd:b7:

                    4a:83:69:0e:3e:24:e4:ab:91:6c:56:51:88:93:9e:

                    12:a4:30:ad:ae:72:57:a7:ba:fb:bc:ac:20:8a:21:

                    46:ea:e8:93:55:f3:41:49:e9:9d:cc:ec:76:13:fd:

                    a5:8d:cb:5b:45:08:b7:d1:c5:b5:58:89:47:ce:12:

                    bd:5c:ce:b6:17:2f:e0:fc:c0:3e:b7:c4:99:31:5b:

                    8a:f0:ea:02:fd:2d:44:7a:67

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Cert Type:

                SSL Client, S/MIME

            X509v3 Key Usage:

                Digital Signature, Non Repudiation, Key Encipherment

            X509v3 Extended Key Usage:

                TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin

            Netscape Comment:

                User Certificate of OpenCA Labs

            X509v3 Subject Key Identifier:

                91:95:51:DD:BF:4F:55:FA:E4:C4:D0:10:C2:A1:C2:99:AF:A5:CB:30

            X509v3 Authority Key Identifier:

                keyid:DF:D2:C9:1A:06:1F:BC:61:54:39:FE:12:C4:22:64:EB:57:3B:11:9F

 

            X509v3 Subject Alternative Name:

                email:fips@ccc.com

            X509v3 Issuer Alternative Name:

                email:pki@openca.org

            Authority Information Access:

                CA Issuers - URI:http://titan/pki/pub/cacert/cacert.crt

                OCSP - URI:http://titan:2560/

                1.3.6.1.5.5.7.48.12 - URI:http://titan:830/

 

            X509v3 CRL Distribution Points:

 

                Full Name:

                  URI:http://titan/pki/pub/crl/cacrl.crl

 

    Signature Algorithm: sha256WithRSAEncryption

        94:ef:56:70:48:66:be:8f:9d:bb:77:0f:c9:f4:65:77:e3:bd:

        ea:9a:b8:24:ae:a1:38:2d:f4:ab:e8:0e:93:c2:30:33:c8:ef:

        f5:e9:eb:9d:37:04:6f:99:bd:b2:c0:e9:eb:b1:19:7e:e3:cb:

        95:cd:6c:b8:47:e2:cf:18:8d:99:f4:11:74:b1:1b:86:92:98:

        af:a2:34:f7:1b:15:ee:ea:91:ed:51:17:d0:76:ec:22:4c:56:

        da:d6:d1:3c:f2:43:31:4f:1d:20:c8:c2:c3:4d:e5:92:29:ee:

        43:c6:d7:72:92:e8:13:87:38:9a:9c:cd:54:38:b2:ad:ba:aa:

        f9:a4:68:b5:2a:df:9a:31:2f:42:80:0c:0c:d9:6d:b3:ab:0f:

        dd:a0:2c:c0:aa:16:81:aa:d9:33:ca:01:75:94:92:44:05:1a:

        65:41:fa:1e:41:b5:8a:cc:2b:09:6e:67:70:c4:ed:b4:bc:28:

        04:50:a6:33:65:6d:49:3c:fc:a8:93:88:53:94:4c:af:23:64:

        cb:af:e3:02:d1:b6:59:5f:95:52:6d:00:00:a0:cb:75:cf:b4:

        50:c5:50:00:65:f4:7d:69:cc:2d:68:a4:13:5c:ef:75:aa:8f:

        3f:ca:fa:eb:4d:d5:5d:27:db:46:c7:f4:7d:3a:b2:fb:a7:c9:

        de:18:9d:c1

# Display brief information about all peer certificates in the PKI domain aaa.

<Sysname> display pki certificate domain aaa peer

Total peer certificates: 1

 

Serial Number: 9a0337eb2156ba1f5476e4d754a5a9f7

Subject  Name: CN=sldsslserver

# Display detailed information about a peer certificate in the PKI domain aaa.

<Sysname> display pki certificate domain aaa peer serial 9a0337eb2156ba1f5476e4d754a5a9f7

 

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            9a:03:37:eb:21:56:ba:1f:54:76:e4:d7:54:a5:a9:f7

        Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=cn, O=ccc, OU=sec, CN=ssl

        Validity

            Not Before: Oct 15 01:23:06 2010 GMT

            Not After : Jul 26 06:30:54 2012 GMT

        Subject: CN=sldsslserver

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (1024 bit)

                Modulus:

                    00:c2:cf:37:76:93:29:5e:cd:0e:77:48:3a:4d:0f:

                    a6:28:a4:60:f8:31:56:28:7f:81:e3:17:47:78:98:

                    68:03:5b:72:f4:57:d3:bf:c5:30:32:0d:58:72:67:

                    04:06:61:08:3b:e9:ac:53:b9:e7:69:68:1a:23:f2:

                    97:4c:26:14:c2:b5:d9:34:8b:ee:c1:ef:af:1a:f4:

                    39:da:c5:ae:ab:56:95:b5:be:0e:c3:46:35:c1:52:

                    29:9c:b7:46:f2:27:80:2d:a4:65:9a:81:78:53:d4:

                    ca:d3:f5:f3:92:54:85:b3:ab:55:a5:03:96:2b:19:

                    8b:a3:4d:b2:17:08:8d:dd:81

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Authority Key Identifier:

                keyid:9A:83:29:13:29:D9:62:83:CB:41:D4:75:2E:52:A1:66:38:3C:90:11

 

            X509v3 Key Usage: critical

                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement

            Netscape Cert Type:

                SSL Server

            X509v3 Subject Alternative Name:

                DNS:docm.com

            X509v3 Subject Key Identifier:

                3C:76:95:9B:DD:C2:7F:5F:98:83:B7:C7:A0:F8:99:1E:4B:D7:2F:26

            X509v3 CRL Distribution Points:

 

                Full Name:

                  URI:http://s03130.ccc.sec.com:447/ssl.crl

 

    Signature Algorithm: sha1WithRSAEncryption

        61:2d:79:c7:49:16:e3:be:25:bb:8b:70:37:31:32:e5:d3:e3:

        31:2c:2d:c1:f9:bf:50:ad:35:4b:c1:90:8c:65:79:b6:5f:59:

        36:24:c7:14:63:44:17:1e:e4:cf:10:69:fc:93:e9:70:53:3c:

        85:aa:40:7e:b5:47:75:0f:f0:b2:da:b4:a5:50:dd:06:4a:d5:

        17:a5:ca:20:19:2c:e9:78:02:bd:19:77:da:07:1a:42:df:72:

        ad:07:7d:e5:16:d6:75:eb:6e:06:58:ee:76:31:63:db:96:a2:

        ad:83:b6:bb:ba:4b:79:59:9d:59:6c:77:59:5b:d9:07:33:a8:

        f0:a5

Related commands

·     pki domain

·     pki retrieve-certificate

display pki certificate request-status

Use display pki certificate request-status to display certificate request status.

Syntax

display pki certificate request-status [ domain domain-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').

Usage guidelines

If no PKI domain is specified, this command displays the status of all certificate requests.

Examples

# Display certificate request status for the PKI domain aaa.

<Sysname> display pki certificate request-status domain aaa

Certificate Request Transaction 1

    Domain name: aaa

    Status: Pending

    Key usage: General

    Remain polling attempts: 10

    Next polling attempt after : 1191 seconds

# Display certificate request statuses for all PKI domains.

<Sysname> display pki certificate request-status

Certificate Request Transaction 1

    Domain name: domain1

    Status: Pending

    Key usage: General

    Remain polling attempts: 10

    Next polling attempt after : 1191 seconds

Certificate Request Transaction 2

    Domain name: domain2

    Status: Pending

    Key usage: Signature

    Remain polling attempts: 10

    Next polling attempt after : 188 seconds

Table 20 Command output

Field

Description

Certificate Request Transaction number

Certificate request transaction number, starting from 1.

Status

Certificate request status. Only Pending is displayed, because a request that has completed or failed no longer has a transaction.

Key usage

Certificate purposes:

·     General—Signature and encryption.

·     Signature—Signature only.

·     Encryption—Encryption only.

Remain polling attempts

Remaining number of attempts to query certificate request status.

Next polling attempt after

Remaining seconds before the next request status polling.

 

Related commands

·     certificate request polling

·     pki domain

·     pki retrieve-certificate

display pki crl

Use display pki crl domain to display information about the locally saved CRLs.

Syntax

display pki crl domain domain-name

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').

Usage guidelines

Use this command to check whether a certificate has been revoked.

Examples

# Display information about the locally saved CRL for PKI domain aaa.

<Sysname> display pki crl domain aaa

Certificate Revocation List (CRL):

        Version 2 (0x1)

        Signature Algorithm: sha1WithRSAEncryption

        Issuer: /C=cn/O=docm/OU=sec/CN=therootca

        Last Update: Apr 28 01:42:13 2011 GMT

        Next Update: NONE

        CRL extensions:

            X509v3 CRL Number:

                6

            X509v3 Authority Key Identifier:

                keyid:49:25:DB:07:3A:C4:8A:C2:B5:A0:64:A5:F1:54:93:69:14:51:11:EF

 

Revoked Certificates:

    Serial Number: CDE626BF7A44A727B25F9CD81475C004

        Revocation Date: Apr 28 01:37:52 2011 GMT

        CRL entry extensions:

            Invalidity Date:

                Apr 28 01:37:49 2011 GMT

    Serial Number: FCADFA81E1F56F43D3F2D3EF7EB56DE5

        Revocation Date: Apr 28 01:33:28 2011 GMT

        CRL entry extensions:

            Invalidity Date:

                Apr 28 01:33:09 2011 GMT

    Signature Algorithm: sha1WithRSAEncryption

        57:ac:00:3e:1e:e2:5f:59:62:04:05:9b:c7:61:58:2a:df:a4:

        5c:e5:c0:14:af:c8:e7:de:cf:2a:0a:31:7d:32:da:be:cd:6a:

        36:b5:83:e8:95:06:bd:b4:c0:36:fe:91:7c:77:d9:00:0f:9e:

        99:03:65:9e:0c:9c:16:22:ef:4a:40:ec:59:40:60:53:4a:fc:

        8e:47:57:23:e0:75:0a:a4:1c:0e:2f:3d:e0:b2:87:4d:61:8a:

        4a:cb:cb:37:af:51:bd:53:78:76:a1:16:3d:0b:89:01:91:61:

        52:d0:6f:5c:09:59:15:be:b8:68:65:0c:5d:1b:a1:f8:42:04:

        ba:aa

Table 21 Command output

Field

Description

Version

CRL version number.

Signature Algorithm

Signature algorithm used by the CA to sign the CRL.

Issuer

Name of the CA that issued the CRL.

Last Update

Most recent CRL update time.

Next Update

Time by which the CA expects to issue the next CRL. NONE means the CA omitted this field, so the device cannot tell from the CRL itself whether the saved copy is out of date.

X509v3 CRL Number

Sequence number of the CRL. A CRL newly retrieved from the same issuer should carry a higher number than the one it replaces.

X509v3 Authority Key Identifier

Authority key identifier extension, which identifies the CA public key that verifies the CRL signature.

keyid

Key ID. This field identifies the key pair used to sign the CRL.

Signature Algorithm:

Signature algorithm and signature data.

 

Related commands

pki retrieve-crl
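The revocation check described under Usage guidelines can be scripted against the text this command prints. The following is an added example for this reference page, not H3C code, and it runs on a workstation rather than on the switch: it parses the display pki crl output, normalizes serial numbers so that the upper-case form printed here, the lower-case form printed by display pki certificate, and the colon-separated OpenSSL form all compare equal, and reports whether the saved CRL can still be considered current. The sample text is the CRL output shown above, embedded as a constructed test input; the function names are this example's own.

```python
"""Parse the text that display pki crl domain prints and answer the two
questions an operator has before trusting it: is a given serial number listed
as revoked, and is this locally saved CRL still current?

Added example for this reference page; it is not H3C code and runs on a
workstation, not on the switch. The sample text is the CRL output shown on
the page, embedded here as a constructed test input.
"""
import re
from datetime import datetime, timezone

SAMPLE_CRL_OUTPUT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=cn/O=docm/OU=sec/CN=therootca
        Last Update: Apr 28 01:42:13 2011 GMT
        Next Update: NONE
        CRL extensions:
            X509v3 CRL Number:
                6
            X509v3 Authority Key Identifier:
                keyid:49:25:DB:07:3A:C4:8A:C2:B5:A0:64:A5:F1:54:93:69:14:51:11:EF

Revoked Certificates:
    Serial Number: CDE626BF7A44A727B25F9CD81475C004
        Revocation Date: Apr 28 01:37:52 2011 GMT
    Serial Number: FCADFA81E1F56F43D3F2D3EF7EB56DE5
        Revocation Date: Apr 28 01:33:28 2011 GMT
    Signature Algorithm: sha1WithRSAEncryption
"""

TIME_FMT = "%b %d %H:%M:%S %Y GMT"       # the timestamp format the switch prints

def normalize_serial(serial: str) -> str:
    """The CRL output prints serials in upper case, display pki certificate in
    lower case, and OpenSSL with colons; compare all of them in one form."""
    return re.sub(r"[^0-9A-F]", "", serial.upper()).lstrip("0") or "0"

def _parse_time(text: str):
    text = text.strip()
    if text.upper() == "NONE":           # the CA omitted the field
        return None
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)

def parse_crl_output(text: str) -> dict:
    """Extract issuer, update times, CRL number and revoked serials."""
    crl = {"issuer": None, "last_update": None, "next_update": None,
           "crl_number": None, "revoked": {}}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("Issuer:"):
            crl["issuer"] = s.split(":", 1)[1].strip()
        elif s.startswith("Last Update:"):
            crl["last_update"] = _parse_time(s.split(":", 1)[1])
        elif s.startswith("Next Update:"):
            crl["next_update"] = _parse_time(s.split(":", 1)[1])
        elif s.startswith("X509v3 CRL Number:"):
            crl["crl_number"] = int(lines[i + 1].strip())
        elif s.startswith("Serial Number:"):
            # Revocation Date is the line after the serial in this output.
            when = lines[i + 1].strip().split(":", 1)[1]
            crl["revoked"][normalize_serial(s.split(":", 1)[1])] = _parse_time(when)
    return crl

def is_revoked(crl: dict, serial: str) -> bool:
    return normalize_serial(serial) in crl["revoked"]

def freshness(crl: dict, now=None) -> str:
    """'current' before Next Update, 'stale' after it, and 'unknown' when the
    CA omitted Next Update (as in the sample): the switch then has no way to
    report that the saved copy is outdated, so re-run pki retrieve-crl on a
    schedule of your own rather than waiting for a warning."""
    now = now or datetime.now(timezone.utc)
    if crl["next_update"] is None:
        return "unknown"
    return "current" if now < crl["next_update"] else "stale"

if __name__ == "__main__":
    crl = parse_crl_output(SAMPLE_CRL_OUTPUT)
    print(crl["issuer"], "CRL number", crl["crl_number"], "freshness:", freshness(crl))
    for s in ("CDE626BF7A44A727B25F9CD81475C004",
              "cd:e6:26:bf:7a:44:a7:27:b2:5f:9c:d8:14:75:c0:04",
              "9a0337eb2156ba1f5476e4d754a5a9f7"):
        print(s, "REVOKED" if is_revoked(crl, s) else "not listed")
```

Paste the output of display pki crl domain into SAMPLE_CRL_OUTPUT, or feed the captured text to parse_crl_output, and query is_revoked with the serial shown by display pki certificate. A freshness of unknown is the case the sample exhibits: with Next Update absent, nothing on the device will flag the CRL as outdated.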

fqdn

Use fqdn to set the FQDN of an entity.

Use undo fqdn to remove the configuration.

Syntax

fqdn fqdn-name-string

undo fqdn

Default

No FQDN is set for a PKI entity.

Views

PKI entity view

Predefined user roles

network-admin

mdc-admin

Parameters

fqdn-name-string: Specifies an FQDN, a case-sensitive string of 1 to 255 characters in the format hostname@domainname.

Usage guidelines

An FQDN uniquely identifies a PKI entity on a network.

Examples

# Specify abc@pki.domain.com as the FQDN of the PKI entity en.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en] fqdn abc@pki.domain.com

ip

Use ip to assign an IP address to a PKI entity.

Use undo ip to remove the configuration.

Syntax

ip { ip-address | interface interface-type interface-number }

undo ip

Default

No IP address is assigned to the PKI entity.

Views

PKI entity view

Predefined user roles

network-admin

mdc-admin

Parameters

ip-address: Specifies an IPv4 address.

interface interface-type interface-number: Specifies an interface by its type and number. The primary IPv4 address of the interface will be used as the IP address of the PKI entity.

Usage guidelines

Use this command to assign an IP address to a PKI entity or specify an interface whose primary IPv4 address will be used as the IP address for the PKI entity. If you specify an interface, make sure the interface has an IP address before the PKI entity requests a certificate.

Examples

# Assign IP address 192.168.0.2 to PKI entity en.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en] ip 192.168.0.2

ldap-server

Use ldap-server to specify an LDAP server for a PKI domain.

Use undo ldap-server to remove the configuration.

Syntax

ldap-server host host-name [ port port-number ] [ vpn-instance vpn-instance-name ]

undo ldap-server

Default

No LDAP server is specified for a domain.

Views

PKI domain view

Predefined user roles

network-admin

mdc-admin

Parameters

host host-name: Specifies an LDAP server by its IPv4 address or domain name. The domain name is a case-sensitive string of 1 to 255 characters.

port port-number: Specifies the port number of the LDAP server. The value range is 1 to 65535, and the default is 389.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If the LDAP server is on the public network, do not specify this option.

Usage guidelines

You must specify an LDAP server for a PKI domain when both of the following conditions exist:

·     An LDAP URL is specified in the PKI domain (by using the crl url command).

·     The specified LDAP URL does not contain the IP address or host name of the LDAP server.

You can specify only one LDAP server in a PKI domain. If you configure this command multiple times, the most recent configuration takes effect.

Examples

# Specify an LDAP server 10.0.0.1 for PKI domain aaa.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] ldap-server host 10.0.0.1

# Specify an LDAP server 10.0.0.11 in VPN instance vpn1 for PKI domain aaa. Set the port number to 333.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] ldap-server host 10.0.0.11 port 333 vpn-instance vpn1

Related commands

·     pki retrieve-certificate

·     pki retrieve-crl

locality

Use locality to set the locality of a PKI entity.

Use undo locality to remove the configuration.

Syntax

locality locality-name

undo locality

Default

No locality is set for a PKI entity.

Views

PKI entity view

Predefined user roles

network-admin

mdc-admin

Parameters

locality-name: Specifies a locality, a case-sensitive string of 1 to 63 characters. No comma can be included. You can set a city name as the locality.

Examples

# Specify pukras as the locality of the PKI entity en.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en] locality pukras

organization

Use organization to set an organization name for a PKI entity.

Use undo organization to remove the configuration.

Syntax

organization org-name

undo organization

Default

No organization name is set for a PKI entity.

Views

PKI entity view

Predefined user roles

network-admin

mdc-admin

Parameters

org-name: Specifies an organization name, a case-sensitive string of 1 to 63 characters. No comma can be included.

Examples

# Specify abc as the organization name of the PKI entity en.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en] organization abc

organization-unit

Use organization-unit to set an organization unit name for a PKI entity.

Use undo organization-unit to remove the configuration.

Syntax

organization-unit org-unit-name

undo organization-unit

Default

No organization unit name is set for a PKI entity.

Views

PKI entity view

Predefined user roles

network-admin

mdc-admin

Parameters

org-unit-name: Specifies an organization unit name, a case-sensitive string of 1 to 63 characters. No comma can be included.

Examples

# Specify rdtest as the organization unit name for the PKI entity en.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en] organization-unit rdtest

pki abort-certificate-request

Use pki abort-certificate-request to abort the certificate request for a PKI domain.

Syntax

pki abort-certificate-request domain domain-name

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').

Usage guidelines

You can abort a certificate request and change some parameters, such as common name, country code, or FQDN, in the certificate request before the CA issues the certificate. Use the display pki certificate request-status command to display the certificate request status.

Examples

# Abort the certificate request for the PKI domain 1.

<Sysname> system-view

[Sysname] pki abort-certificate-request domain 1

The certificate request is in process.

Confirm to abort it? [Y/N]:y

Related commands

·     display pki certificate request-status

·     pki request-certificate domain

pki certificate access-control-policy

Use pki certificate access-control-policy to create a certificate-based access control policy and enter its view.

Use undo pki certificate access-control-policy to remove a certificate-based access control policy.

Syntax

pki certificate access-control-policy policy-name

undo pki certificate access-control-policy policy-name

Default

No certificate-based access control policies exist.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

policy-name: Specifies a policy name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

You can add multiple rules to a certificate-based access control policy.

Examples

# Create a certificate-based access control policy named mypolicy and enter its view.

<Sysname> system-view

[Sysname] pki certificate access-control-policy mypolicy

[Sysname-pki-cert-acp-mypolicy]

Related commands

·     display pki certificate access-control-policy

·     rule

pki certificate attribute-group

Use pki certificate attribute-group to create a certificate attribute group and enter its view.

Use undo pki certificate attribute-group to remove a certificate attribute group.

Syntax

pki certificate attribute-group group-name

undo pki certificate attribute-group group-name

Default

No certificate attribute groups exist.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

group-name: Specifies a group name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

A certificate attribute group is a set of attribute rules configured by using the attribute command. Each attribute rule defines a matching criterion for an attribute in the issuer name, subject name, or alternative subject name field of certificates.

A certificate attribute group must be associated with an access control rule (a permit or deny statement configured by using the rule command). If a certificate attribute group does not have any attribute rules, the system determines that all certificates match the associated access control rule.

Examples

# Create a certificate attribute group named mygroup and enter its view.

<Sysname> system-view

[Sysname] pki certificate attribute-group mygroup

[Sysname-pki-cert-attribute-group-mygroup]

Related commands

·     attribute

·     display pki certificate attribute-group

·     rule
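The statement above that an attribute group without attribute rules matches every certificate has a direct consequence for rule ordering in a certificate-based access control policy. The following is an added example for this reference page, not H3C code and not something that runs on the switch: a small model of policy evaluation that shows a permit rule bound to an empty group swallowing every certificate, beside a policy that denies first and then permits only a trusted issuer. Everything beyond the empty-group statement is an assumption to confirm against the rule and attribute command pages, which this excerpt does not include: rules are evaluated in order with the first match deciding, a certificate matches a group only when it satisfies every attribute rule in it, a group name that has not been created behaves like an empty group, a certificate that matches no rule is rejected, and the operators are ctn, equ, nctn and nequ. The attribute groups and certificates are constructed.

```python
"""Model of how a certificate-based access control policy evaluates a
certificate, to show why the empty-attribute-group rule stated above matters.

Added example for this reference page; it is not H3C code and does not run on
the switch. Assumptions, to be confirmed against the rule and attribute command
pages (not part of this excerpt): rules are evaluated in order and the first
matching rule decides; a certificate matches an attribute group only when it
satisfies every attribute rule in the group; a group with no attribute rules,
or a group name that has not been created, matches every certificate; a
certificate matching no rule is rejected; operators are ctn, equ, nctn, nequ
(contains, equals, does not contain, does not equal).
"""
from typing import Dict, List, Tuple

AttrRule = Tuple[str, str, str]          # (certificate field, operator, value)
Policy = List[Tuple[str, str]]           # ordered (permit|deny, attribute-group name)

def _attr_matches(op: str, actual, wanted: str) -> bool:
    """One attribute rule against one certificate field (case-insensitive
    comparison is an assumption of this model)."""
    if actual is None:                   # field absent from the certificate
        return op in ("nctn", "nequ")
    a, w = actual.lower(), wanted.lower()
    return {"ctn": w in a, "equ": a == w, "nctn": w not in a, "nequ": a != w}[op]

def group_matches(group: List[AttrRule], cert: Dict[str, str]) -> bool:
    """all() over an empty group is True: that is the page's statement that a
    group without attribute rules matches every certificate."""
    return all(_attr_matches(op, cert.get(fld), val) for fld, op, val in group)

def evaluate(policy: Policy, groups: Dict[str, List[AttrRule]], cert: Dict[str, str]) -> str:
    for action, group_name in policy:
        if group_matches(groups.get(group_name, []), cert):
            return action
    return "deny"                        # assumption: no matching rule rejects the certificate

# Constructed attribute groups and certificates (not from the page).
GROUPS = {
    "trusted-issuer": [("issuer-name", "ctn", "CN=therootca")],
    "rd-lab":         [("subject-name", "ctn", "OU=rdtest")],
    "catch-all":      [],                # created, but never given an attribute rule
}
CERT_OPS   = {"issuer-name": "/C=cn/O=docm/OU=sec/CN=therootca", "subject-name": "/O=abc/OU=ops/CN=switch1"}
CERT_LAB   = {"issuer-name": "/C=cn/O=docm/OU=sec/CN=therootca", "subject-name": "/O=abc/OU=rdtest/CN=bench3"}
CERT_OTHER = {"issuer-name": "/C=cn/O=other/CN=someca",          "subject-name": "/O=abc/OU=ops/CN=rogue"}

# Pitfall: a permit bound to the empty group sits first, so it matches every
# certificate and the deny for the lab OU is never consulted.
POLICY_BAD  = [("permit", "catch-all"), ("deny", "rd-lab")]
# Deny the excluded population first, then permit only the trusted issuer;
# anything else falls through to the implicit deny.
POLICY_GOOD = [("deny", "rd-lab"), ("permit", "trusted-issuer")]

def audit(policy: Policy, groups=GROUPS) -> Dict[str, str]:
    """Return the action each constructed certificate receives under policy."""
    return {name: evaluate(policy, groups, cert)
            for name, cert in (("ops", CERT_OPS), ("lab", CERT_LAB), ("other", CERT_OTHER))}

if __name__ == "__main__":
    print("bad :", audit(POLICY_BAD))
    print("good:", audit(POLICY_GOOD))
```

The practical check this encodes: before attaching a policy, display pki certificate attribute-group for every group a permit rule references and confirm it carries at least one attribute rule, otherwise that permit admits any certificate the CA has issued.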

pki delete-certificate

Use pki delete-certificate to remove certificates from a PKI domain.

Syntax

pki delete-certificate domain domain-name { ca | local | peer [ serial serial-num ] }

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').

ca: Specifies the CA certificate.

local: Specifies the local certificates.

peer: Specifies the peer certificates.

serial serial-num: Specifies a peer certificate by its serial number, a case-insensitive string of 1 to 127 characters. If you do not specify a peer certificate, this command removes all peer certificates in the PKI domain.

Usage guidelines

When you remove the CA certificate in a PKI domain, the system also removes the local certificates, peer certificates, and the CRL in the PKI domain.

Examples

# Remove the CA certificate in the PKI domain aaa.

<Sysname> system-view

[Sysname] pki delete-certificate domain aaa ca

Local certificates, peer certificates and CRL will also be deleted while deleting the CA certificate.

Confirm to delete the CA certificate? [Y/N]:y

[Sysname]

# Remove the local certificates in the PKI domain aaa.

<Sysname> system-view

[Sysname] pki delete-certificate domain aaa local

[Sysname]

# Remove all peer certificates in the PKI domain aaa.

<Sysname> system-view

[Sysname] pki delete-certificate domain aaa peer

[Sysname]

# Display information about all peer certificates in the PKI domain aaa, and remove a peer certificate with the specified serial number.

<Sysname> system-view

[Sysname] display pki certificate domain aaa peer

Total peer certificates: 1

 

Serial Number: 9a0337eb2156ba1f5476e4d754a5a9f7

Subject  Name: CN=abc

[Sysname] pki delete-certificate domain aaa peer serial 9a0337eb2156ba1f5476e4d754a5a9f7

Related commands

display pki certificate

pki domain

Use pki domain to create a PKI domain and enter its view.

Use undo pki domain to remove a PKI domain.

Syntax

pki domain domain-name

undo pki domain domain-name

Default

No PKI domains exist.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').

Usage guidelines

When you remove a PKI domain, the certificates and the CRL in the domain are also removed.

Examples

# Create a PKI domain named aaa and enter its view.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa]

pki entity

Use pki entity to create a PKI entity and enter its view.

Use undo pki entity to remove a PKI entity.

Syntax

pki entity entity-name

undo pki entity entity-name

Default

No PKI entity exists.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

entity-name: Specifies the name of a PKI entity, a case-insensitive string of 1 to 31 characters.

Usage guidelines

A PKI entity includes the identity information that can be used by a CA to identify a certificate applicant. You can configure multiple attributes for a PKI entity, such as common name, organization, organization unit, locality, state, country, FQDN, and IP address. The information will be included as subject contents in the certificate issued by the CA.

Examples

# Create a PKI entity named en and enter its view.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en]

Related commands

pki domain

pki export

Use pki export to export the CA certificate and the local certificates in a PKI domain to local files or display them on a terminal.

Syntax

pki export domain domain-name der { all | ca | local } filename filename

pki export domain domain-name p12 { all | local } passphrase p12passwordstring filename filename

pki export domain domain-name pem { { all | local } [ { 3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc } pempasswordstring ] | ca } [ filename filename ]

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').

der: Specifies the certificate file format as DER.

p12: Specifies the certificate file format as PKCS12.

pem: Specifies the certificate file format as PEM.

all: Specifies both CA and local certificates. The RA certificate is excluded.

ca: Specifies the CA certificate.

local: Specifies the local certificates or the local certificates and their private keys.

passphrase p12passwordstring: Specifies a password for encrypting the private key of a local PKCS12 certificate.

3des-cbc: Specifies 3DES_CBC for encrypting the private key of a local certificate.

aes-128-cbc: Specifies 128-bit AES_CBC for encrypting the private key of a local certificate.

aes-192-cbc: Specifies 192-bit AES_CBC for encrypting the private key of a local certificate.

aes-256-cbc: Specifies 256-bit AES_CBC for encrypting the private key of a local certificate.

des-cbc: Specifies DES_CBC for encrypting the private key of a local certificate.

pempasswordstring: Specifies a password for encrypting the private key of a local certificate in PEM format.

filename filename: Specifies a file name for storing a certificate. The file name is a case-insensitive string. If you do not specify a file name for the certificates in PEM format, this command displays the certificates on the terminal.

Usage guidelines

When you export the CA certificate, the following conditions might exist:

·     If the PKI domain has only one CA certificate, this command exports the CA certificate to a file or displays it on the terminal.

·     If the PKI domain has a CA certificate chain, this command exports the certificate chain to a file or displays it on the terminal.

When you export the local certificates, the local file names might not be the same as specified in the command. The file names depend on the usage of the key pairs of the certificates. In the following description, the filename is the file name specified in the command.

·     If the key pair of the local certificate is for signing, the local file name is filename-sign.

·     If the key pair of the local certificate is for encryption, the local file name is filename-encr.

·     If the key pair of the local certificate is for general use (RSA or DSA), the local file name is filename.

If the PKI domain has two local certificates, one of the following results occurs:

·     If you specify a file name, the local certificates are exported to two different files.

·     If you do not specify a file name, the local certificates are displayed on the terminal, separated by the system prompts.

When you export all certificates:

·     If the PKI domain has only the CA certificate or local certificates, the result is the same as when you export the CA certificate or local certificates separately.

·     If the PKI domain has both the CA certificate and local certificates, you get the following results:

¡     If you specify a file name, each local certificate with its corresponding CA certificate chain is exported to a separate file.

¡     If you do not specify a file name, all local certificates and the CA certificate or CA certificate chain are displayed on the terminal, separated by the system prompts.

When you export all certificates in PKCS12 format, the PKI domain must have a local certificate. Otherwise, the export operation fails.

When you export the local certificates or all certificates in PEM format, specify a cryptographic algorithm and a password if you want the private keys exported; the private keys are written only in encrypted form under that password. If you do not specify the algorithm and password, this command exports the certificates without their private keys. If you specify them and the local certificates have their private keys, this command exports the local certificates together with their encrypted private keys. If the local certificates do not have their private keys, the export operation fails.

When you export the local certificates, if the key pair in the PKI domain is changed and no longer matches the key in the local certificates, the export operation fails.

When you export the local certificates or all certificates, if the PKI domain has two local certificates, failure of exporting one local certificate does not affect export of the other.

The specified file name can contain an absolute path. If the specified path does not exist, the export operation fails.

Examples

# Export the CA certificate in the PKI domain to a file named cert-ca.der in DER format.

<Sysname> system-view

[Sysname] pki export domain domain1 der ca filename cert-ca.der

# Export the local certificates in the PKI domain to a file named cert-lo.der in DER format.

<Sysname> system-view

[Sysname] pki export domain domain1 der local filename cert-lo.der

# Export all certificates in the PKI domain to a file named cert-all.p7b in DER format.

<Sysname> system-view

[Sysname] pki export domain domain1 der all filename cert-all.p7b

# Export the CA certificate in the PKI domain to a file named cacert in PEM format.

<Sysname> system-view

[Sysname] pki export domain domain1 pem ca filename cacert

# Export the local certificates and their private keys in the PKI domain to a file named local.pem in PEM format. For the private keys, the cryptographic algorithm is DES_CBC and the password is 111.

<Sysname> system-view

[Sysname] pki export domain domain1 pem local des-cbc 111 filename local.pem

# Export the all certificates in the PKI domain to a file named all.pem in PEM format. No cryptographic algorithm or password is specified, and the private keys are not exported.

<Sysname> system-view

[Sysname] pki export domain domain1 pem all filename all.pem

# Display the local certificates and their private keys in the PKI domain on the terminal in PEM format. For the private keys, the cryptographic algorithm is DES_CBC and the password is 111.

<Sysname> system-view

[Sysname] pki export domain domain1 pem local des-cbc 111

 

%The signature usage local certificate:

Bag Attributes

    friendlyName:

    localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D

subject=/C=CN/O=OpenCA Labs/OU=Users/CN=chktest chktest

issuer=/C=CN/O=OpenCA Labs/OU=software/CN=abcd

-----BEGIN CERTIFICATE-----

MIIEqjCCA5KgAwIBAgILAOhID4rI04kBfYgwDQYJKoZIhvcNAQELBQAwRTELMAkG

A1UEBhMCQ04xFDASBgNVBAoMC09wZW5DQSBMYWJzMREwDwYDVQQLDAhzb2Z0d2Fy

ZTENMAsGA1UEAwwEYWJjZDAeFw0xMTA0MjYxMzMxMjlaFw0xMjA0MjUxMzMxMjla

ME0xCzAJBgNVBAYTAkNOMRQwEgYDVQQKDAtPcGVuQ0EgTGFiczEOMAwGA1UECwwF

VXNlcnMxGDAWBgNVBAMMD2Noa3Rlc3QgY2hrdGVzdDCBnzANBgkqhkiG9w0BAQEF

AAOBjQAwgYkCgYEA54rUZ0Ux2kApceE4ATpQ437CU6ovuHS5eJKZyky8fhMoTHhE

jE2KfBQIzOZSgo2mdgpkccjr9Ek6IUC03ed1lPn0IG/YaAl4Tjgkiv+w1NrlSvAy

cnPaSUko2QbO9sg3ycye1zqpbbqj775ulGpcXyXYD9OY63/Cp5+DRQ92zGsCAwEA

AaOCAhUwggIRMAkGA1UdEwQCMAAwUAYDVR0gBEkwRzAGBgQqAwMEMAYGBCoDAwUw

NQYEKgMDBjAtMCsGCCsGAQUFBwIBFh9odHRwczovL3RpdGFuL3BraS9wdWIvY3Bz

L2Jhc2ljMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNVHQ8EBAMCBsAwKQYDVR0lBCIw

IAYIKwYBBQUHAwIGCCsGAQUFBwMEBgorBgEEAYI3FAICMC4GCWCGSAGG+EIBDQQh

Fh9Vc2VyIENlcnRpZmljYXRlIG9mIE9wZW5DQSBMYWJzMB0GA1UdDgQWBBTPw8FY

ut7Xr2Ct/23zU/ybgU9dQjAfBgNVHSMEGDAWgBQzEQ58yIC54wxodp6JzZvn/gx0

CDAaBgNVHREEEzARgQ9jaGt0ZXN0QGgzYy5jb20wGQYDVR0SBBIwEIEOcGtpQG9w

ZW5jYS5vcmcwgYEGCCsGAQUFBwEBBHUwczAyBggrBgEFBQcwAoYmaHR0cDovL3Rp

dGFuL3BraS9wdWIvY2FjZXJ0L2NhY2VydC5jcnQwHgYIKwYBBQUHMAGGEmh0dHA6

Ly90aXRhbjoyNTYwLzAdBggrBgEFBQcwDIYRaHR0cDovL3RpdGFuOjgzMC8wPAYD

VR0fBDUwMzAxoC+gLYYraHR0cDovLzE5Mi4xNjguNDAuMTI4L3BraS9wdWIvY3Js

L2NhY3JsLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAGcMeSpBJiuRmsJW0iZK5nygB

tgD8c0b+n4v/F36sJjY1fRFSr4gPLIxZhPWhTrqsCd+QMELRCDNHDxvt3/1NEG12

X6BVjLcKXKH/EQe0fnwK+7PegAJ15P56xDeACHz2oysvNQ0Ot6hGylMqaZ8pKUKv

UDS8c+HgIBrhmxvXztI08N1imYHq27Wy9j6NpSS60mMFmI5whzCWfTSHzqlT2DNd

no0id18SZidApfCZL8zoMWEFI163JZSarv+H5Kbb063dxXfbsqX9Noxggh0gD8dK

7X7/rTJuuhTWVof5gxSUJp+aCCdvSKg0lvJY+tJeXoaznrINVw3SuXJ+Ax8GEw==

-----END CERTIFICATE-----

Bag Attributes

    friendlyName:

    localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D

Key Attributes: <No Attributes>

-----BEGIN ENCRYPTED PRIVATE KEY-----

MIICwzA9BgkqhkiG9w0BBQ0wMDAbBgkqhkiG9w0BBQwwDgQIAbfcE+KoYYoCAggA

MBEGBSsOAwIHBAjB+UsJM07JRQSCAoABqtASbjGTQbdxL3n4wNHmyWLxbvL9v27C

Uu6MjYJDCipVzxHU0rExgn+6cQsK5uK99FPBmy4q9/nnyrooTX8BVlXAjenvgyii

WQLwnIg1IuM8j2aPkQ3wbae1+0RACjSLy1u/PCl5sp6CDxI0b9xz6cxIGxKvUOCc

/gxdgk97XZSW/0qnOSZkhgeqBZuxq6Va8iRyho7RCStVxQaeiAZpq/WoZbcS5CKI

/WXEBQd4AX2UxN0Ld/On7Wc6KFToixROTxWTtf8SEsKGPDfrEKq3fSTW1xokB8nM

bkRtU+fUiY27V/mr1RHO6+yEr+/wGGClBy5YDoD4I9xPkGUkmqx+kfYbMo4yxkSi

JdL+X3uEjHnQ/rvnPSKBEU/URwXHxMX9CdCTSqh/SajnrGuB/E4JhOEnS/H9dIM+

DN6iz1IwPFklbcK9KMGwV1bosymXmuEbYCYmSmhZb5FnR/RIyE804Jz9ifin3g0Q

ZrykfG7LHL7Ga4nh0hpEeEDiHGEMcQU+g0EtfpOLTI8cMJf7kdNWDnI0AYCvBAAM

3CY3BElDVjJq3ioyHSJca8C+3lzcueuAF+lO7Y4Zluq3dqWeuJjE+/1BZJbMmaQA

X6NmXKNzmtTPcMtojf+n3+uju0le0d0QYXQz/wPsV+9IYRYasjzoXE5dhZ5sIPOd

u9x9hhp5Ns23bwyNP135qTNjx9i/CZMKvLKywm3Yg+Bgg8Df4bBrFrsH1U0ifmmp

ir2+OuhlC+GbHOxWNeBCa8iAq91k6FGFJ0OLA2oIvhCnh45tM7BjjKTHk+RZdMiA

0TKSWuOyihrwxdUEWh999GKUpkwDHLZJFd21z/kWspqThodEx8ea

-----END ENCRYPTED PRIVATE KEY-----

# Display all certificates in the PKI domain in PEM format. For the private keys, the cryptographic algorithm is DES_CBC and the password is 111.

<Sysname> system-view

[Sysname] pki export domain domain1 pem all des-cbc 111

 

%The signature usage local certificate:

Bag Attributes

    friendlyName:

    localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D

subject=/C=CN/O=OpenCA Labs/OU=Users/CN=chktest chktest

issuer=/C=CN/O=OpenCA Labs/OU=software/CN=abcd

-----BEGIN CERTIFICATE-----

MIIEqjCCA5KgAwIBAgILAOhID4rI04kBfYgwDQYJKoZIhvcNAQELBQAwRTELMAkG

A1UEBhMCQ04xFDASBgNVBAoMC09wZW5DQSBMYWJzMREwDwYDVQQLDAhzb2Z0d2Fy

ZTENMAsGA1UEAwwEYWJjZDAeFw0xMTA0MjYxMzMxMjlaFw0xMjA0MjUxMzMxMjla

ME0xCzAJBgNVBAYTAkNOMRQwEgYDVQQKDAtPcGVuQ0EgTGFiczEOMAwGA1UECwwF

VXNlcnMxGDAWBgNVBAMMD2Noa3Rlc3QgY2hrdGVzdDCBnzANBgkqhkiG9w0BAQEF

AAOBjQAwgYkCgYEA54rUZ0Ux2kApceE4ATpQ437CU6ovuHS5eJKZyky8fhMoTHhE

jE2KfBQIzOZSgo2mdgpkccjr9Ek6IUC03ed1lPn0IG/YaAl4Tjgkiv+w1NrlSvAy

cnPaSUko2QbO9sg3ycye1zqpbbqj775ulGpcXyXYD9OY63/Cp5+DRQ92zGsCAwEA

AaOCAhUwggIRMAkGA1UdEwQCMAAwUAYDVR0gBEkwRzAGBgQqAwMEMAYGBCoDAwUw

NQYEKgMDBjAtMCsGCCsGAQUFBwIBFh9odHRwczovL3RpdGFuL3BraS9wdWIvY3Bz

L2Jhc2ljMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNVHQ8EBAMCBsAwKQYDVR0lBCIw

IAYIKwYBBQUHAwIGCCsGAQUFBwMEBgorBgEEAYI3FAICMC4GCWCGSAGG+EIBDQQh

Fh9Vc2VyIENlcnRpZmljYXRlIG9mIE9wZW5DQSBMYWJzMB0GA1UdDgQWBBTPw8FY

ut7Xr2Ct/23zU/ybgU9dQjAfBgNVHSMEGDAWgBQzEQ58yIC54wxodp6JzZvn/gx0

CDAaBgNVHREEEzARgQ9jaGt0ZXN0QGgzYy5jb20wGQYDVR0SBBIwEIEOcGtpQG9w

ZW5jYS5vcmcwgYEGCCsGAQUFBwEBBHUwczAyBggrBgEFBQcwAoYmaHR0cDovL3Rp

dGFuL3BraS9wdWIvY2FjZXJ0L2NhY2VydC5jcnQwHgYIKwYBBQUHMAGGEmh0dHA6

Ly90aXRhbjoyNTYwLzAdBggrBgEFBQcwDIYRaHR0cDovL3RpdGFuOjgzMC8wPAYD

VR0fBDUwMzAxoC+gLYYraHR0cDovLzE5Mi4xNjguNDAuMTI4L3BraS9wdWIvY3Js

L2NhY3JsLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAGcMeSpBJiuRmsJW0iZK5nygB

tgD8c0b+n4v/F36sJjY1fRFSr4gPLIxZhPWhTrqsCd+QMELRCDNHDxvt3/1NEG12

X6BVjLcKXKH/EQe0fnwK+7PegAJ15P56xDeACHz2oysvNQ0Ot6hGylMqaZ8pKUKv

UDS8c+HgIBrhmxvXztI08N1imYHq27Wy9j6NpSS60mMFmI5whzCWfTSHzqlT2DNd

no0id18SZidApfCZL8zoMWEFI163JZSarv+H5Kbb063dxXfbsqX9Noxggh0gD8dK

7X7/rTJuuhTWVof5gxSUJp+aCCdvSKg0lvJY+tJeXoaznrINVw3SuXJ+Ax8GEw==

-----END CERTIFICATE-----

Bag Attributes: <No Attributes>

subject=/C=CN/O=OpenCA Labs/OU=software/CN=abcd

issuer=/C=CN/O=OpenCA Labs/OU=software/CN=abcd

-----BEGIN CERTIFICATE-----

MIIEYTCCA0mgAwIBAgIBFzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDTjEU

MBIGA1UECgwLT3BlbkNBIExhYnMxETAPBgNVBAsMCHNvZnR3YXJlMQ0wCwYDVQQD

DARhYmNkMB4XDTExMDQxODExNDQ0N1oXDTEzMDQxNzExNDQ0N1owRTELMAkGA1UE

BhMCQ04xFDASBgNVBAoMC09wZW5DQSBMYWJzMREwDwYDVQQLDAhzb2Z0d2FyZTEN

MAsGA1UEAwwEYWJjZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM1g

vomMF8S4u6q51bOwjKFUBwxyvOy4D897LmOSedaCyDt6Lvp+PBEHfwWBYBpsHhk7

kmnSNhX5dZ6NxunHaARZ2VlcctsYKyvAQapuaThy1tuOcphAB+jQQL9dPoqdk0xp

jvmPDlW+k832Konn9U4dIivS0n+/KMGh0g5UyzHGqUUOo7s9qFuQf5EjQon40TZg

BwUnFYRlvGe7bSQpXjwi8LTyxHPy+dDVjO5CP+rXx5IiToFy1YGWewkyn/WeswDf

Yx7ZludNus5vKWTihgx2Qalgb+sqUMwI/WUET7ghO2dRxPUdUbgIYF0saTndKPYd

4oBgl6M0SMsHhe9nF5UCAwEAAaOCAVowggFWMA8GA1UdEwEB/wQFMAMBAf8wCwYD

VR0PBAQDAgEGMB0GA1UdDgQWBBQzEQ58yIC54wxodp6JzZvn/gx0CDAfBgNVHSME

GDAWgBQzEQ58yIC54wxodp6JzZvn/gx0CDAZBgNVHREEEjAQgQ5wa2lAb3BlbmNh

Lm9yZzAZBgNVHRIEEjAQgQ5wa2lAb3BlbmNhLm9yZzCBgQYIKwYBBQUHAQEEdTBz

MDIGCCsGAQUFBzAChiZodHRwOi8vdGl0YW4vcGtpL3B1Yi9jYWNlcnQvY2FjZXJ0

LmNydDAeBggrBgEFBQcwAYYSaHR0cDovL3RpdGFuOjI1NjAvMB0GCCsGAQUFBzAM

hhFodHRwOi8vdGl0YW46ODMwLzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vMTky

LjE2OC40MC4xMjgvcGtpL3B1Yi9jcmwvY2FjcmwuY3JsMA0GCSqGSIb3DQEBCwUA

A4IBAQC0q0SSmvQNfa5ELtRKYF62C/Y8QTLbk6lZDTZuIzN15SGKQcbNM970ffCD

Lk1zosyEVE7PLnii3bZ5khcGO3byyXfluAqRyOGVJcudaw7uIQqgv0AJQ+zaQSHi

d4kQf5QWgYkQ55/C5puOmcMRgCbMpR2lYkqXLDjTIAZIHRZ/sTp6c+ie2bFxi/YT

3xYbO0wDMuGOKJJpsyKTKcbG9NdfbDyFgzEYAobyYqAUB3C0/bMfBduwhQWKSoYE

6vZsPGAEisCmAl3dIp49jPgVkixoShraYF1jLsWzJGlzem8QvWYzOqKEDwq3SV0Z

cXK8gzDBcsobcUMkwIYPAmd1kAPX

-----END CERTIFICATE-----

Bag Attributes

    friendlyName:

    localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D

Key Attributes: <No Attributes>

-----BEGIN ENCRYPTED PRIVATE KEY-----

MIICwzA9BgkqhkiG9w0BBQ0wMDAbBgkqhkiG9w0BBQwwDgQIcUSKSW9GVmICAggA

MBEGBSsOAwIHBAi5QZM+lSYWPASCAoBKDYulE5f2BXL9ZhI9zWAJpx2cShz/9PsW

5Qm106D+xSj1eAzkx/m4Xb4xRU8oOAuzu1DlWfSHKXoaa0OoRSiOEX1eg0eo/2vv

CHCvKHfTJr4gVSSa7i4I+aQ6AItrI6q99WlkN/e/IE5U1UE4ZhcsIiFJG+IvG7S8

f9liWQ2CImy/hjgFCD9nqSLN8wUzP7O2SdLVlUb5z4FR6VISZdgTFE8j7ko2HtUs

HVSg0nm114EwPtPMMbHefcuQ6b82y1M+dWfVxBN9K03lN4tZNfPWwLSRrPvjUzBG

dKtjf3/IFdV7/tUMy9JJSpt4iFt1h7SZPcOoGp1ZW+YUR30I7YnFE+9Yp/46KWT8

bk7j0STRnZX/xMy/9E52uHkLdW1ET3TXralLMYt/4jg4M0jUvoi3GS2Kbo+czsUn

gKgqwYnxVfRSvt8d6GBYrpF2tMFS9LEyngPKXExd+m4mAryuT5PhdFTkb1B190Lp

UIBjk3IXnr7AdrhvyLkH0UuQE95emXBD/K0HlD73cMrtmogL8F4yS5B2hpIr/v5/

eW35+1QMnJ9FtHFnVsLx9wl9lX8iNfsoBhg6FQ/hNSioN7rNBe7wwIRzxPVfEhO8

5ajQxWlidRn5RkzfUo6HuAcq02QTpSXI6wf2bzsVmr5sk+fRaELD/cwL6VjtXO6x

ZBLJcUyAwvScrOtTEK7Q5n0I34gQd4qcF0D1x9yQ4sqvTeU/7Jkm6XCPV05/5uiF

RLCfFAwaJMBdIQ6jDQHnpWT67uNDwdEzaPmuTVMme5Woc5zsqE5DY3hWu4oqFdDz

kPLnbX74IZ0gOLki9eIJkVswnF5HkBCKS50ejlW6TgbMNZ+JPk2w

-----END ENCRYPTED PRIVATE KEY-----

# Display the CA certificate in the PKI domain in PEM format.

<Sysname> system-view

[Sysname] pki export domain domain1 pem ca

-----BEGIN CERTIFICATE-----

MIIB+TCCAWICEQDMbgjRKygg3vpGFVY6pa3ZMA0GCSqGSIb3DQEBBQUAMD0xCzAJ

BgNVBAYTAmNuMQwwCgYDVQQKEwNoM2MxETAPBgNVBAsTCGgzYy10ZXN0MQ0wCwYD

VQQDEwQ4MDQzMB4XDTExMDMyMjA0NDQyNFoXDTE0MDMyMzA0MzUyNFowPTELMAkG

A1UEBhMCY24xDDAKBgNVBAoTA2gzYzERMA8GA1UECxMIaDNjLXRlc3QxDTALBgNV

BAMTBDgwNDMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOvDAYQhyc++G7h5

eNDzJs22OQjCn/4JqnNKIdKz1BbaJT8/+IueSn9JIsg64Ex2WBeCd/tcmnSW57ag

dCvNIUYXXVOGca2iaSOElqCF4CQfV9zLrBtA7giHD49T+JbxLrrJLmdIQMJ+vYdC

sCxIp3YMAiuCahVLZeXklooqwqIXAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAElm7

W2Lp9Xk4nZVIpVV76CkNe8/C+Id00GCRUUVQFSMvo7Pded76bmYX2KzJSz+DlMqy

TdVrgG9Fp6XTFO80aKJGe6NapsfhJHKS+Q7mL0XpXeMONgK+e3dX7rsDxsY7hF+j

0gwsHrjV7kWvwJvDlhzGW6xbpr4DRvdao19Cr6o=

-----END CERTIFICATE-----

# Display the CA certificate or the CA certificate chain in the PKI domain on the terminal.

<Sysname> system-view

[Sysname] pki export domain domain1 pem ca

-----BEGIN CERTIFICATE-----

MIIB7jCCAVcCEQCdSVShJFEMifVG8zRRoSsWMA0GCSqGSIb3DQEBBQUAMDcxCzAJ

BgNVBAYTAmNuMQwwCgYDVQQKEwNoM2MxDDAKBgNVBAsTA2gzYzEMMAoGA1UEAxMD

YWNhMB4XDTExMDEwNjAyNTc0NFoXDTEzMTIwMTAzMTMyMFowODELMAkGA1UEBhMC

Y24xDDAKBgNVBAoTA2gzYzEMMAoGA1UECxMDaDNjMQ0wCwYDVQQDEwRhYWNhMIGf

MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcuJsWhAJXEDmowGb5z7VDVms54TKi

xnaNJCWvBOrU64ftvpVB7xQekbkjgAS9FjDyXlLQ8IyIsYIp5ebJr8P+n9i9Pl7j

lBx5mi4XeIldyv2OjfNx5oSQ+gWY9/m1R8uv13RS05r3rxPg+7EvKBjmiy0Giddw

vu3Y3WrjBPp6GQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAJrQddzVQEiy4AcgtzUL

ltkmlmWoz87+jUsgFB+H+xeyiZE4sancf2UwH8kXWqZ5AuReFCCBC2fkvvQvUGnV

cso7JXAhfw8sUFok9eHz2R+GSoEk5BZFzZ8eCmNyGq9ln6mJsO1hAqMpsCW6G2zh

5mus7FTHhywXpJ22/fnHg61m

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

MIIB8DCCAVkCEQD2PBUx/rvslNw9uTrZB3DlMA0GCSqGSIb3DQEBBQUAMDoxCzAJ

BgNVBAYTAmNuMQwwCgYDVQQKEwNoM2MxDDAKBgNVBAsTA2gzYzEPMA0GA1UEAxMG

cm9vdGNhMB4XDTExMDEwNjAyNTY1OFoXDTEzMTIwNDAzMTMxMFowNzELMAkGA1UE

BhMCY24xDDAKBgNVBAoTA2gzYzEMMAoGA1UECxMDaDNjMQwwCgYDVQQDEwNhY2Ew

gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOeklR7DpeEV72N1OLz+dydIDTx0

zVZDdPxF1gQYWSfIBwwFKJEyQ/4y8VIfDIm0EGTM4dsOX/QFwudhl/Czkio3dWLh

Q1y5XCJy68vQKrB82WZ2mah5Nuekus3LSZZBoZKTAOY5MCCMFcULM858dtSq15Sh

xF7tKSeAT7ARlJxTAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEADJQCo6m0RNup0ewa

ItX4XK/tYcJXAQWMA0IuwaWpr+ofqVVgYBPwVpYglhJDOuIZxKdR2pfQOA4f35wM

Vz6kAujLATsEA1GW9ACUWa5PHwVgJk9BDEXhKSJ2e7odmrg/iROhJjc1NMV3pvIs

CuFiCLxRQcMGhCNHlOn4wuydssc=

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

MIIB8jCCAVsCEFxy3MSlQ835MrnBkI/dUPYwDQYJKoZIhvcNAQEFBQAwOjELMAkG

A1UEBhMCY24xDDAKBgNVBAoTA2gzYzEMMAoGA1UECxMDaDNjMQ8wDQYDVQQDEwZy

b290Y2EwHhcNMTEwMTA2MDI1MTQxWhcNMTMxMjA3MDMxMjA1WjA6MQswCQYDVQQG

EwJjbjEMMAoGA1UEChMDaDNjMQwwCgYDVQQLEwNoM2MxDzANBgNVBAMTBnJvb3Rj

YTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxP2XLFE230zq6MhwZvAomOxa

7tc1r4bESXZu3UBKno3Ay9kQm2HrDOAizvZXfLu7Gx22ga2Qdz0lIeZ+EQrYHTyO

pBcejDjal/ZtvgnjXyHFoG8nS+P7n83BkRj/Fu7Yz4zjTKMbCF2EfhEyXxr4NSXA

fhC9qg9S23vNXStmWvsCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBtsU7X77sdZ1Nn

0I98lh0qA5g7SEEIpI+pwZjjrH0FVHw01e4JWhHjyHqrOyfXYqe7vH4SXp5MHEqf

14nKIEbexbPONspebtznxv4/xTjd1aM2rfQ95jJ/SN8H8KIyiYZyIs3t5Q+V35x1

cef+NMWgZBzwXOSP0wC9+pC2ZNiIpg==

-----END CERTIFICATE-----

# Export the local certificates and their private keys in the PKI domain to a file named cert-lo.der in PKCS12 format. The password for the private keys is 123.

<Sysname> system-view

[Sysname] pki export domain domain1 p12 local passphrase 123 filename cert-lo.der

# Export all certificates in the PKI domain to a file named cert-all.p7b in PKCS12 format.

<Sysname> system-view

[Sysname] pki export domain domain1 p12 all passphrase 123 filename cert-all.p7b

Related commands

pki domain
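The usage guidelines above make two things worth verifying after a pki export run: whether the private keys were actually exported, and in encrypted form, and which certificates ended up in which file. The following is an added example for this reference page, not H3C code, and it runs on a workstation against the PEM text the switch prints or writes to a file. It splits the text into PEM blocks, reads each certificate's version and serial number with a short DER walk and no cryptography library, and flags any private key block that is not encrypted. The certificate in the sample is the CA certificate printed above; the encrypted-key block is a constructed placeholder whose body is not a real key and is used only to show header handling. Function names and the report layout are this example's own.

```python
"""Check what pki export domain <name> pem ... actually produced: which PEM
blocks came out, whether every private key is encrypted, and the version and
serial number of each certificate (to compare with display pki certificate,
or to quote to pki delete-certificate ... peer serial).

Added example for this reference page; it is not H3C code and runs on a
workstation. The certificate below is the CA certificate printed on the page;
the key block is a constructed placeholder (its body is not a real key).
"""
import base64
import re

SAMPLE_EXPORT = """\
-----BEGIN CERTIFICATE-----
MIIB+TCCAWICEQDMbgjRKygg3vpGFVY6pa3ZMA0GCSqGSIb3DQEBBQUAMD0xCzAJ
BgNVBAYTAmNuMQwwCgYDVQQKEwNoM2MxETAPBgNVBAsTCGgzYy10ZXN0MQ0wCwYD
VQQDEwQ4MDQzMB4XDTExMDMyMjA0NDQyNFoXDTE0MDMyMzA0MzUyNFowPTELMAkG
A1UEBhMCY24xDDAKBgNVBAoTA2gzYzERMA8GA1UECxMIaDNjLXRlc3QxDTALBgNV
BAMTBDgwNDMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOvDAYQhyc++G7h5
eNDzJs22OQjCn/4JqnNKIdKz1BbaJT8/+IueSn9JIsg64Ex2WBeCd/tcmnSW57ag
dCvNIUYXXVOGca2iaSOElqCF4CQfV9zLrBtA7giHD49T+JbxLrrJLmdIQMJ+vYdC
sCxIp3YMAiuCahVLZeXklooqwqIXAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAElm7
W2Lp9Xk4nZVIpVV76CkNe8/C+Id00GCRUUVQFSMvo7Pded76bmYX2KzJSz+DlMqy
TdVrgG9Fp6XTFO80aKJGe6NapsfhJHKS+Q7mL0XpXeMONgK+e3dX7rsDxsY7hF+j
0gwsHrjV7kWvwJvDlhzGW6xbpr4DRvdao19Cr6o=
-----END CERTIFICATE-----
Bag Attributes
    friendlyName:
    localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
AAAA
-----END ENCRYPTED PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def _tlv(buf: bytes, off: int):
    """Decode one DER tag-length header at off; return (tag, value_start, value_end)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                        # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length

def cert_summary(der: bytes):
    """Return (version, serial_hex) for a DER certificate. Handles v1
    certificates, which have no version element, as well as v3."""
    tag, tbs, _ = _tlv(der, 0)               # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, off, _ = _tlv(der, tbs)               # tbsCertificate SEQUENCE
    version = 1
    tag, vstart, vend = _tlv(der, off)
    if tag == 0xA0:                          # [0] EXPLICIT Version, present only for v2/v3
        _, istart, iend = _tlv(der, vstart)
        version = int.from_bytes(der[istart:iend], "big") + 1
        off = vend
    tag, sstart, send = _tlv(der, off)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    serial = format(int.from_bytes(der[sstart:send], "big"), "X")
    return version, serial

def triage_export(text: str):
    """One report entry per PEM block: certificate version and serial, or
    whether a private key block is encrypted."""
    report = []
    for label, body in PEM_BLOCK.findall(text):
        entry = {"type": label}
        if label == "CERTIFICATE":
            der = base64.b64decode("".join(body.split()))
            entry["version"], entry["serial"] = cert_summary(der)
        elif "PRIVATE KEY" in label:
            # PKCS#8 'ENCRYPTED PRIVATE KEY' is what the des-cbc/aes-*-cbc option
            # produces; a legacy OpenSSL key is encrypted only if it carries a
            # Proc-Type: 4,ENCRYPTED header. Anything else is a clear-text key.
            entry["encrypted"] = label.startswith("ENCRYPTED ") or "Proc-Type: 4,ENCRYPTED" in body
        report.append(entry)
    return report

def serial_matches(entry: dict, shown_on_switch: str) -> bool:
    """Compare with a serial printed by the switch, whose case varies by command."""
    return entry.get("serial", "").upper() == shown_on_switch.strip().lstrip("0").upper()

if __name__ == "__main__":
    for e in triage_export(SAMPLE_EXPORT):
        print(e)
```

Run it over the terminal output of pki export ... pem, or over each exported file (remember the filename-sign and filename-encr suffixes described above). A report with no PRIVATE KEY entry means the algorithm and password were omitted and only certificates were exported; an entry with encrypted False means a key left the device in clear text and should be treated as compromised.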

pki import

Use pki import to import the CA certificate, local certificates, or peer certificates for a PKI domain.

Syntax

pki import domain domain-name { der { ca | local | peer } filename filename | p12 local filename f