Contents
data-flow-format (RADIUS scheme view)
primary accounting (RADIUS scheme view)
primary authentication (RADIUS scheme view)
secondary accounting (RADIUS scheme view)
secondary authentication (RADIUS scheme view)
timer quiet (RADIUS scheme view)
timer realtime-accounting (RADIUS scheme view)
timer response-timeout (RADIUS scheme view)
user-name-format (RADIUS scheme view)
vpn-instance (RADIUS scheme view)
data-flow-format (HWTACACS scheme view)
primary accounting (HWTACACS scheme view)
primary authentication (HWTACACS scheme view)
secondary accounting (HWTACACS scheme view)
secondary authentication (HWTACACS scheme view)
timer quiet (HWTACACS scheme view)
timer realtime-accounting (HWTACACS scheme view)
timer response-timeout (HWTACACS scheme view)
user-name-format (HWTACACS scheme view)
vpn-instance (HWTACACS scheme view)
display password-control blacklist
password-control { aging | composition | history | length } enable
password-control alert-before-expire
password-control expired-user-login
password-control login idle-time
password-control login-attempt
password-control super composition
password-control update-interval
reset password-control blacklist
reset password-control history-record
Public key management commands
display public-key local public
display pki certificate access-control-policy
display pki certificate attribute-group
display pki certificate domain
display pki certificate request-status
pki certificate access-control-policy
pki certificate attribute-group
ike invalid-spi-recovery enable
ike signature-identity from-certificate
match local address (IKE keychain view)
match local address (IKE profile view)
ssh server authentication-retries
ssh server authentication-timeout
ssh server compatible-ssh1x enable
ip source binding (interface view)
ip source binding (system view)
ARP attack protection commands
Unresolvable IP attack protection commands
arp resolving-route probe-count
arp resolving-route probe-interval
display arp source-suppression
ARP packet rate limit commands
Source MAC-based ARP attack detection commands
ARP packet source MAC consistency check commands
ARP active acknowledgement commands
arp restricted-forwarding enable
display arp detection statistics
reset arp detection statistics
ARP scanning and fixed ARP commands
ARP gateway protection commands
Attack detection and prevention commands
AAA commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
General AAA commands
aaa session-limit
Use aaa session-limit to set the maximum number of concurrent users who can log on to the device through the specified method.
Use undo aaa session-limit to restore the default maximum number of concurrent users for the specified login method.
Syntax
In non-FIPS mode:
aaa session-limit { ftp | ssh | telnet } max-sessions
undo aaa session-limit { ftp | ssh | telnet }
In FIPS mode:
aaa session-limit ssh max-sessions
undo aaa session-limit ssh
Default
The maximum number of concurrent users is 32 for each user type.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
ftp: FTP users.
ssh: SSH users.
telnet: Telnet users.
max-sessions: Specifies the maximum number of concurrent login users. The value range is 1 to 32.
Usage guidelines
When the number of concurrent login users of a user type reaches the upper limit, the system denies subsequent login users of that type.
Examples
# Set the maximum number of concurrent FTP users to 4.
<Sysname> system-view
[Sysname] aaa session-limit ftp 4
accounting command
Use accounting command to specify the command line accounting method.
Use undo accounting command to restore the default.
Syntax
accounting command hwtacacs-scheme hwtacacs-scheme-name
undo accounting command
Default
The default accounting method of the ISP domain is used for command line accounting.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The command line accounting feature works with the accounting server to record all commands that have been successfully executed on the device.
Command line accounting can use only a remote HWTACACS server.
Examples
# In ISP domain test, perform command line accounting based on HWTACACS scheme hwtac.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting command hwtacacs-scheme hwtac
Related commands
· accounting default
· command accounting (Fundamentals Command Reference)
· hwtacacs scheme
accounting default
Use accounting default to specify the default accounting method for an ISP domain.
Use undo accounting default to restore the default.
Syntax
In non-FIPS mode:
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo accounting default
In FIPS mode:
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo accounting default
Default
The default accounting method of an ISP domain is local.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The default accounting method is used for all users who support this method and do not have an accounting method configured.
Local accounting is only used for monitoring and controlling the number of local user connections. It does not provide the statistics function that the accounting feature generally provides.
You can specify one primary default accounting method and multiple backup default accounting methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting default radius-scheme radius-scheme-name local none command specifies the primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.
Examples
# Configure the default accounting method for ISP domain test to use RADIUS scheme rd and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting default radius-scheme rd local
Related commands
· hwtacacs scheme
· local-user
· radius scheme
accounting login
Use accounting login to specify the accounting method for login users.
Use undo accounting login to restore the default.
Syntax
In non-FIPS mode:
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo accounting login
In FIPS mode:
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo accounting login
Default
The default accounting method of the ISP domain is used for login users.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
Accounting is not supported for FTP, SFTP, and SCP users.
You can specify one primary accounting method and multiple backup accounting methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting login radius-scheme radius-scheme-name local none command specifies the primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.
Examples
# In ISP domain test, perform local accounting for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting login local
# In ISP domain test, perform RADIUS accounting for login users based on scheme rd and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting login radius-scheme rd local
Related commands
· accounting default
· hwtacacs scheme
· local-user
· radius scheme
authentication default
Use authentication default to specify the default authentication method for an ISP domain.
Use undo authentication default to restore the default.
Syntax
In non-FIPS mode:
authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authentication default
In FIPS mode:
authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo authentication default
Default
The default authentication method of an ISP domain is local.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The default authentication method is used for all users who support this method and do not have an authentication method configured.
You can specify one primary default authentication method and multiple backup default authentication methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication default radius-scheme radius-scheme-name local none command specifies a primary default RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.
Examples
# Configure the default authentication method for ISP domain test to use RADIUS scheme rd and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication default radius-scheme rd local
Related commands
· hwtacacs scheme
· local-user
· radius scheme
authentication login
Use authentication login to specify the authentication method for login users.
Use undo authentication login to restore the default.
Syntax
In non-FIPS mode:
authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authentication login
In FIPS mode:
authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo authentication login
Default
The default authentication method of the ISP domain is used for login users.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary authentication method and multiple backup authentication methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies the primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.
Examples
# In ISP domain test, perform local authentication for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication login local
# In ISP domain test, perform RADIUS authentication for login users based on scheme rd and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication login radius-scheme rd local
Related commands
· authentication default
· hwtacacs scheme
· local-user
· radius scheme
authentication super
Use authentication super to specify a method for user role authentication.
Use undo authentication super to restore the default.
Syntax
authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } *
undo authentication super
Default
The default authentication method of the ISP domain is used for user role authentication.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one authentication method and one backup authentication method to use in case the previous authentication method is invalid.
If you specify a scheme to provide the method for user role authentication, the method applies only to users whose user role is in the format of level-n.
· If an HWTACACS scheme is specified, the device uses the entered username for role authentication. The username must already exist on the HWTACACS server and represent the highest user level that the user can obtain. For example, for user test to obtain the level-3 user role, the device uses the string test@domain-name or test for role authentication, depending on whether the domain name is required.
· If a RADIUS scheme is specified, the device uses the username $enabn$ on the RADIUS server for role authentication of any usernames. The variable n has the same value as the level of the target user role. For example, to obtain a level-3 user role, the device uses the username string $enab3$@domain-name or $enab3$, depending on whether the domain name is required.
Examples
# In ISP domain test, perform user role authentication based on HWTACACS scheme tac.
<Sysname> system-view
[Sysname] super authentication-mode scheme
[Sysname] domain test
[Sysname-domain-test] authentication super hwtacacs-scheme tac
Related commands
· authentication default
· hwtacacs scheme
· radius scheme
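The username derivation described in the usage guidelines above, as an added Python example that is not part of the original reference: scheme_type and with_domain are assumed inputs standing in for the scheme type and the scheme's user-name-format setting, which this page does not show.

```python
"""Username the device presents to the server for user role (super) authentication.
Added example, not device code. `scheme_type` and `with_domain` are assumed inputs
standing in for the scheme type and the scheme's user-name-format setting."""
import re

# Only roles named level-n are handled by scheme-based role authentication.
LEVEL_ROLE = re.compile(r"^level-(\d+)$")


def role_level(role_name):
    """Return n for a role named level-n, or None for any other role name."""
    m = LEVEL_ROLE.match(role_name)
    return int(m.group(1)) if m else None


def super_auth_username(scheme_type, username, role_name, domain, with_domain):
    """Username sent for role authentication.

    HWTACACS: the entered username itself (it must exist on the server).
    RADIUS:   the fixed account $enabn$, where n is the target level.
    In both cases @domain is appended only when the scheme requires the domain name.
    """
    n = role_level(role_name)
    if n is None:
        raise ValueError(f"{role_name!r} is not a level-n role; "
                         "scheme-based role authentication does not apply")
    if scheme_type == "hwtacacs":
        base = username
    elif scheme_type == "radius":
        base = f"$enab{n}$"
    else:
        raise ValueError(f"unknown scheme type {scheme_type!r}")
    return f"{base}@{domain}" if with_domain else base


def radius_role_accounts(levels, domain=None):
    """Server-side accounts a RADIUS server needs so that users can obtain the
    given level-n roles (useful when provisioning or auditing the server)."""
    return [super_auth_username("radius", "", f"level-{n}", domain, domain is not None)
            for n in levels]
```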
authorization command
Use authorization command to specify the command authorization method.
Use undo authorization command to restore the default.
Syntax
In non-FIPS mode:
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] | local [ none ] | none }
undo authorization command
In FIPS mode:
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local }
undo authorization command
Default
The default authorization method of the ISP domain is used for command authorization.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. No authorization server verifies whether the entered commands are permitted by the user role. The commands are executed successfully if the user role has permission to execute them.
Usage guidelines
Command authorization restricts login users to executing only authorized commands, by using an authorization server to verify whether each entered command is permitted.
After login, users can access the command lines permitted by their authorized user roles.
You can specify one primary command authorization method and multiple backup authorization methods.
When the primary authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization command hwtacacs-scheme hwtacacs-scheme-name local none command specifies the primary HWTACACS authorization method and two backup methods (local authorization and no authorization). The device performs HWTACACS authorization by default and performs local authorization when the HWTACACS server is invalid. The device does not perform command authorization when both of the previous methods are invalid.
Examples
# In ISP domain test, configure the device to perform local command authorization.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization command local
# In ISP domain test, perform command authorization based on HWTACACS scheme hwtac and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local
Related commands
· authorization accounting (Fundamentals Command Reference)
· hwtacacs scheme
· local-user
authorization default
Use authorization default to specify the default authorization method for an ISP domain.
Use undo authorization default to restore the default.
Syntax
In non-FIPS mode:
authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authorization default
In FIPS mode:
authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo authorization default
Default
The default authorization method of an ISP domain is local.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. After passing authentication, FTP, SFTP, and SCP users use the root directory of the device as the working directory but cannot access it, and other login users get the default user role. For more information about the default user role, see Fundamentals Configuration Guide.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The default authorization method is used for all users who support this method and do not have an authorization method configured.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
You can specify one primary authorization method and multiple backup authorization methods.
When the primary authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization default radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.
Examples
# Configure the default authorization method for ISP domain test to use RADIUS scheme rd for user authorization and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization default radius-scheme rd local
Related commands
· hwtacacs scheme
· local-user
· radius scheme
authorization login
Use authorization login to configure the authorization method for login users.
Use undo authorization login to restore the default.
Syntax
In non-FIPS mode:
authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authorization login
In FIPS mode:
authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo authorization login
Default
The default authorization method of the ISP domain is used for login users.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. After passing authentication, FTP, SFTP, and SCP users use the root directory of the device as the working directory but cannot access it, and other login users get the default user role. For more information about the default user role, see Fundamentals Configuration Guide.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
You can specify one primary authorization method and multiple backup authorization methods.
When the primary authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization login radius-scheme radius-scheme-name local none command specifies the primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.
Examples
# In ISP domain test, perform local authorization for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization login local
# In ISP domain test, perform RADIUS authorization for login users based on scheme rd and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization login radius-scheme rd local
Related commands
· authorization default
· hwtacacs scheme
· local-user
· radius scheme
display domain
Use display domain to display the ISP domain configuration.
Syntax
display domain [ isp-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 24 characters. If you do not specify an ISP domain, the command displays the configuration of all ISP domains.
Examples
# Display the configuration of all ISP domains.
<Sysname> display domain
Total 2 domain(s)
Domain:system
State: Active
Access-limit: Disable
Access-Count: 0
default Authentication Scheme: local
default Authorization Scheme: local
default Accounting Scheme: local
Authorization attributes :
Idle-cut : Disable
Domain:dm
State: Active
Access-limit: 2222
Access-Count: 0
login Authentication Scheme: radius: rad
login Authorization Scheme: tacacs: hw
default Authentication Scheme: radius: rad, local, none
default Authorization Scheme: local
default Accounting Scheme: none
Authorization attributes :
Idle-cut : Disable
Default Domain Name: system
Table 1 Command output
Field | Description |
---|---|
Domain | ISP domain name. |
State | Status of the ISP domain. |
Access-limit | Limit to the number of user connections. If the number is not limited, this field displays Disabled. |
Access-Count | Number of online users. |
default Authentication Scheme | Default authentication method. |
default Authorization Scheme | Default authorization method. |
default Accounting Scheme | Default accounting method. |
login Authentication Scheme | Authentication method for login users. |
login Authorization Scheme | Authorization method for login users. |
login Accounting Scheme | Accounting method for login users. |
Authorization attributes | Authorization attributes for users in the ISP domain. |
Idle-cut | Idle cut feature is disabled. The feature cannot be enabled in ISP domain view. |
radius | RADIUS scheme. |
tacacs | HWTACACS scheme. |
local | Local scheme. |
none | No authentication, no authorization, or no accounting. |
Command Authorization Scheme | Command line authorization method. |
Command Accounting Scheme | Command line accounting method. |
Super Authentication Scheme | Authentication method for obtaining a temporary user role. |
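The primary/backup fallback described under the accounting, authentication and authorization default and login commands, applied to the display domain output above, as an added Python example (not device code): it parses the output format shown on this page, simulates which method is used as servers become unreachable, and flags method lists that end in none. Server availability is simulated by a set of reachable scheme keys.

```python
"""Parse `display domain` output and model the primary/backup method fallback.
Added example, not device code; server availability is simulated."""
import re
from dataclasses import dataclass, field

# Constructed from the display domain example on this page.
SAMPLE_OUTPUT = """\
Total 2 domain(s)
Domain:system
State: Active
Access-limit: Disable
Access-Count: 0
default Authentication Scheme: local
default Authorization Scheme: local
default Accounting Scheme: local
Authorization attributes :
Idle-cut : Disable
Domain:dm
State: Active
Access-limit: 2222
Access-Count: 0
login Authentication Scheme: radius: rad
login Authorization Scheme: tacacs: hw
default Authentication Scheme: radius: rad, local, none
default Authorization Scheme: local
default Accounting Scheme: none
Authorization attributes :
Idle-cut : Disable
Default Domain Name: system
"""

# e.g. "default Authentication Scheme: radius: rad, local, none"
SCHEME_RE = re.compile(r"^(default|login|Command|Super) (\w+) Scheme: (.+)$")

@dataclass(frozen=True)
class Method:
    kind: str          # radius, tacacs (HWTACACS), local or none
    scheme: str = ""   # scheme name for radius/tacacs, empty otherwise

    def key(self):
        return f"{self.kind}:{self.scheme}" if self.scheme else self.kind

@dataclass
class Domain:
    name: str
    # (scope, service) -> method list, primary first, e.g. ("default", "Authentication")
    methods: dict = field(default_factory=dict)

def parse_method_list(text):
    """'radius: rad, local, none' -> [radius:rad, local, none]."""
    methods = []
    for item in text.split(","):
        kind, _, scheme = item.partition(":")
        methods.append(Method(kind.strip(), scheme.strip()))
    return methods

def parse_display_domain(output):
    """Return {domain name: Domain} from display domain output."""
    domains, current = {}, None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Domain:"):
            current = Domain(name=line.split(":", 1)[1].strip())
            domains[current.name] = current
        elif current is not None and (m := SCHEME_RE.match(line)):
            scope, service, methods = m.groups()
            current.methods[(scope, service)] = parse_method_list(methods)
    return domains

def resolve(methods, available):
    """Method the device uses: the primary first, then each backup in order,
    skipping any whose server is unreachable (key not in `available`). 'none'
    always succeeds; 'local' counts as reachable when "local" is in the set.
    Returns None when every method is invalid."""
    for m in methods:
        if m.kind == "none" or m.key() in available:
            return m
    return None

def audit_none_fallback(domains):
    """Defender's check: an authentication or authorization list ending in
    'none' admits users unverified once the methods ahead of it fail."""
    findings = []
    for d in domains.values():
        for (scope, service), methods in d.methods.items():
            if service in ("Authentication", "Authorization") and methods[-1].kind == "none":
                findings.append(f"{d.name}: {scope} {service} = "
                                + " -> ".join(m.key() for m in methods))
    return findings

if __name__ == "__main__":
    doms = parse_display_domain(SAMPLE_OUTPUT)
    chain = doms["dm"].methods[("default", "Authentication")]
    for avail in ({"radius:rad", "local"}, {"local"}, set()):
        print(sorted(avail), "->", resolve(chain, avail).key())
    for finding in audit_none_fallback(doms):
        print("WARNING:", finding)
```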
domain
Use domain to create an ISP domain and enter ISP domain view.
Use undo domain to remove an ISP domain.
Syntax
domain isp-name
undo domain isp-name
Default
There is a system-defined ISP domain named system.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters. The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
Usage guidelines
All ISP domains are in active state when they are created.
The system has a predefined ISP domain named system. You can modify but not remove its configuration.
An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.
Examples
# Create ISP domain test and enter ISP domain view.
<Sysname> system-view
[Sysname] domain test
Related commands
· display domain
· domain default enable
· state (ISP domain view)
domain default enable
Use domain default enable to specify the default ISP domain. Users whose usernames do not include a domain name are considered to belong to the default domain.
Use undo domain default enable to restore the default.
Syntax
domain default enable isp-name
undo domain default enable
Default
The default ISP domain is the system-defined ISP domain system.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters.
Usage guidelines
There can be only one default ISP domain.
The specified ISP domain must already exist.
An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.
Examples
# Create an ISP domain named test, and configure the domain as the default ISP domain.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] quit
[Sysname] domain default enable test
Related commands
· display domain
· domain
state (ISP domain view)
Use state to set the status of an ISP domain.
Use undo state to restore the default.
Syntax
state { active | block }
undo state
Default
An ISP domain is in active state.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.
block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services.
Usage guidelines
By blocking an ISP domain, you prevent offline users of the domain from requesting network services. Online users are not affected.
Examples
# Place the ISP domain test in blocked state.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] state block
Related commands
display domain
Local user commands
access-limit
Use access-limit to set the maximum number of concurrent logins using the local user name.
Use undo access-limit to restore the default.
Syntax
access-limit max-user-number
undo access-limit
Default
The number of concurrent logins using the local user name is not limited.
Views
Local user view
Predefined user roles
network-admin
mdc-admin
Parameters
max-user-number: Specifies the maximum number of concurrent logins, in the range of 1 to 1024.
Usage guidelines
This command takes effect only when local accounting is configured for the local user. The command does not apply to FTP, SFTP, or SCP users, who do not support accounting.
Examples
# Set the maximum number of concurrent logins to 5 using the local user name abc.
<Sysname> system-view
[Sysname] local-user abc
[Sysname-luser-manage-abc] access-limit 5
Related commands
display local-user
authorization-attribute
Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user.
Use undo authorization-attribute to restore the default.
Syntax
authorization-attribute { acl acl-number | idle-cut minute | user-role role-name | vlan vlan-id | work-directory directory-name } *
undo authorization-attribute { acl | idle-cut | user-role role-name | vlan | work-directory } *
Default
FTP, SFTP, and SCP users have the root directory of the NAS set as the working directory. However, the users do not have permission to access the root directory.
The network-operator user role is assigned to local users that are created by a network-admin or level-15 user on the default MDC.
The mdc-operator user role is assigned to local users that are created by an mdc-admin or level-15 user on a non-default MDC.
Views
Local user view, user group view
Predefined user roles
network-admin
mdc-admin
Parameters
acl acl-number: Specifies an authorization ACL. The value range for the acl-number argument is 2000 to 5999. After passing authentication, a local user can access the network resources specified by this ACL.
idle-cut minute: Sets an idle timeout period in minutes. The value range for the minute argument is 1 to 120. When the idle cut feature is enabled, an online user whose idle period exceeds the specified idle timeout period is logged out.
user-role role-name: Specifies an authorized user role. The role-name argument is a case-sensitive string of 1 to 63 characters. A maximum of 64 user roles can be specified for a user. For user role-related commands, see Fundamentals Command Reference for RBAC commands. This option is available only in local user view, and is not available in user group view.
vlan vlan-id: Specifies an authorized VLAN. The value range for the vlan-id argument is 1 to 4094. After passing authentication and being authorized a VLAN, a local user can access only the resources in this VLAN.
work-directory directory-name: Specifies the working directory for FTP, SFTP, or SCP users. The directory-name argument is a case-insensitive string of 1 to 255 characters. The directory must already exist.
Usage guidelines
Configure authorization attributes according to the application environments and purposes. Support for authorization attributes depends on the service types of users.
· For Telnet and terminal users, only the authorization attributes idle-cut and user-role are effective.
· For SSH users, only the authorization attributes idle-cut, user-role, and work-directory are effective.
· For FTP users, only the authorization attributes user-role and work-directory are effective.
· For other types of local users, no authorization attribute is effective.
Authorization attributes configured for a user group are intended for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view.
To make sure FTP, SFTP, and SCP users can access the directory after a switchover between the active MPU and the standby MPU, do not specify slot information for the working directory.
To make the user have only the user role authorized by this command, use the undo authorization-attribute user-role command to remove the predefined user roles.
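The precedence and per-service rules in the guidelines above can be checked mechanically. The following Python is an added illustration written for this page, not device code or a vendor library: it merges user-group and local-user attributes (local user view wins), rejects attributes the command does not accept in user group view, and keeps only those that take effect for the user's service type. The sample group and user settings are constructed.

```python
# Added illustration of the authorization-attribute resolution rules.
# Attribute names mirror the command keywords (acl, idle-cut, user-role,
# vlan, work-directory); the sample values are constructed, not from a device.

# Attributes that take effect for each service type, per the usage guidelines.
EFFECTIVE_BY_SERVICE = {
    "telnet":   {"idle-cut", "user-role"},
    "terminal": {"idle-cut", "user-role"},
    "ssh":      {"idle-cut", "user-role", "work-directory"},
    "ftp":      {"user-role", "work-directory"},
}

# Attributes accepted in user group view (user-role is local user view only).
GROUP_VIEW_ATTRS = {"acl", "idle-cut", "vlan", "work-directory"}


def effective_attributes(user_attrs, group_attrs, service_type):
    """Return the attributes that actually apply to a user of the given service type.

    A value set in local user view overrides the same attribute set in user
    group view; afterwards only the attributes effective for the service type
    survive. Any other service type gets no authorization attribute at all.
    """
    not_allowed = set(group_attrs) - GROUP_VIEW_ATTRS
    if not_allowed:
        raise ValueError(f"not configurable in user group view: {sorted(not_allowed)}")
    merged = dict(group_attrs)
    merged.update(user_attrs)          # local user view takes precedence
    allowed = EFFECTIVE_BY_SERVICE.get(service_type, set())
    return {name: value for name, value in merged.items() if name in allowed}


# Constructed sample: the group sets an idle timeout, work directory and ACL;
# the user overrides the idle timeout and is given a user role.
SAMPLE_GROUP = {"idle-cut": 10, "work-directory": "flash:/", "acl": 2000}
SAMPLE_USER = {"idle-cut": 5, "user-role": "network-admin"}

if __name__ == "__main__":
    for svc in ("ssh", "ftp", "telnet", "other"):
        print(svc, effective_attributes(SAMPLE_USER, SAMPLE_GROUP, svc))
```

Note that the group's ACL never reaches an SSH, FTP, Telnet or terminal user: it is a valid group attribute, but the guidelines list no service type for which it is effective.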
Examples
# Configure the authorized user role of the device management user abc as network-admin.
<Sysname> system-view
[Sysname] local-user abc class manage
[Sysname-luser-manage-abc] authorization-attribute user-role network-admin
Related commands
· display local-user
· display user-group
display local-user
Use display local-user to display the local user configuration and online user statistics.
Syntax
display local-user [ class manage | idle-cut { disable | enable } | service-type { ftp | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
class manage: Specifies the device management users.
idle-cut { disable | enable }: Specifies local users with the idle cut feature disabled or enabled.
service-type: Specifies the local users who use a specific type of service.
· ftp: FTP users.
· ssh: SSH users.
· telnet: Telnet users.
· terminal: Terminal users who log in through console ports.
state { active | block }: Specifies local users in active or blocked state. A local user in active state can access network services, but a local user in blocked state cannot.
user-name user-name: Specifies all local users using the specified username. The username must be a case-sensitive string of 1 to 55 characters that does not contain the domain name.
vlan vlan-id: Specifies all local users in a VLAN. The value range for the vlan-id argument is 1 to 4094.
Usage guidelines
If you do not specify any parameters, the command displays information about all local users.
Examples
# Display information about all local users.
<Sysname> display local-user
Total 1 local users matched.
Device management user root:
State: Active
Service Type: SSH/Telnet/Terminal
Access limit: Enabled Max access number: 3
Current access number: 1
User Group: system
Bind Attributes:
Authorization Attributes:
Work Directory: flash:
User Role List: network-admin
Password control configurations:
Password aging: Enabled (3 days)
Table 2 Command output

Field | Description |
---|---|
State | Status of the local user: active or blocked. |
Service Type | Service types that the local user can use, including FTP, SSH, Telnet, and terminal. |
Access limit | Whether the concurrent login limit is enabled. |
Max access number | Maximum number of concurrent logins using the local user name. |
Current access number | Current number of concurrent logins using the local user name. |
User Group | Group to which the local user belongs. |
Bind attributes | Binding attributes of the local user. The device does not support binding attributes. |
Authorization attributes | Authorization attributes of the local user. |
Idle TimeOut | Idle timeout period of the user, in minutes. |
Work Directory | Directory that the FTP, SFTP, or SCP user can access. |
ACL Number | Authorization ACL of the local user. |
VLAN ID | Authorized VLAN of the local user. |
User Role List | Authorized roles of the local user. |
Password aging | This field appears only when password aging is enabled. The aging time is displayed in parentheses. |
Password length | This field appears only when password length control is enabled. The minimum password length is displayed in parentheses. |
Password composition | This field appears only when password composition checking is enabled. The field also displays the following information in parentheses: · Minimum number of character types that the password must contain. · Minimum number of characters from each type in the password. |
Password complexity | This field appears only when password complexity checking is enabled. The field also displays the following information in parentheses: · Whether the password can contain the username or the reverse of the username. · Whether the password can contain any character repeated consecutively three or more times. |
Maximum login attempts | Maximum number of consecutive failed login attempts. |
Action for exceeding login attempts | Action to take on the user who failed to log in after using up all login attempts. |
display user-group
Use display user-group to display the user group configuration.
Syntax
display user-group [ group-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters. If you do not specify a user group, the command displays the configuration of all user groups.
Examples
# Display the configuration of all user groups.
<Sysname> display user-group
Total 2 user groups matched.
The contents of user group system:
Authorization Attributes:
Work Directory: flash:
The contents of user group jj:
Authorization Attributes:
Idle TimeOut: 2 (min)
Work Directory: flash:/
ACL Number: 2000
VLAN ID: 2
Password control configurations:
Password aging: Enabled (2 days)
Table 3 Command output

Field | Description |
---|---|
Idle TimeOut | Idle timeout period, in minutes. |
Work Directory | Directory that FTP, SFTP, or SCP users in the group can access. |
ACL Number | Authorization ACL. |
VLAN ID | Authorized VLAN. |
Password control configurations | Password control attributes that are configured for the user group. |
Password aging | This field appears only when password aging is enabled. The aging time is displayed in parentheses. |
Password length | This field appears only when password length control is enabled. The minimum password length is displayed in parentheses. |
Password composition | This field appears only when password composition checking is enabled. The field also displays the following information in parentheses: · Minimum number of character types that the password must contain. · Minimum number of characters from each type in the password. |
Password complexity | This field appears only when password complexity checking is enabled. The field also displays the following information in parentheses: · Whether the password can contain the username or the reverse of the username. · Whether the password can contain any character repeated consecutively three or more times. |
Maximum login attempts | Maximum number of consecutive failed login attempts. |
Action for exceeding login attempts | Action to take on the user who failed to log in after using up all login attempts. |
group
Use group to assign a local user to a user group.
Use undo group to restore the default.
Syntax
group group-name
undo group
Default
A local user belongs to the system-defined user group system.
Views
Local user view
Predefined user roles
network-admin
mdc-admin
Parameters
group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.
Examples
# Assign device management user 111 to user group abc.
<Sysname> system-view
[Sysname] local-user 111 class manage
[Sysname-luser-manage-111] group abc
Related commands
display local-user
local-user
Use local-user to add a local user and enter local user view.
Use undo local-user to remove local users.
Syntax
local-user user-name [ class manage ]
undo local-user { user-name class manage | all [ service-type { ftp | ssh | telnet | terminal } | class manage ] }
Default
No local user exists.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
user-name: Specifies a name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name. A local user name cannot contain a forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). The name cannot be a, al, or all, either.
class manage: Specifies the device management user. Device management users can configure and monitor the device after login. They can use FTP, Telnet, SSH, and terminal services.
all: Specifies all users.
service-type: Specifies the local users who use a specific type of service.
· ftp: FTP users.
· ssh: SSH users.
· telnet: Telnet users.
· terminal: Terminal users who log in through console ports.
Examples
# Add a device management user named user1.
<Sysname> system-view
[Sysname] local-user user1 class manage
[Sysname-luser-manage-user1]
Related commands
· display local-user
· service-type
password
Use password to configure a password for a local user.
Use undo password to delete the password of a local user.
Syntax
In non-FIPS mode:
password [ { hash | simple } password ]
undo password
In FIPS mode:
password
Default
· In non-FIPS mode, there is no password configured for a local user. A local user can pass authentication after entering the correct username and passing attribute checks.
· In FIPS mode, there is no password configured for a local user. A local user cannot pass authentication.
Views
Local user view
Predefined user roles
network-admin
mdc-admin
Parameters
hash: Sets a hashed password.
simple: Sets a plaintext password.
password: Specifies the password string. This argument is case sensitive.
· In non-FIPS mode:
¡ A hashed password is a string of 1 to 110 characters.
¡ A plaintext password is a string of 1 to 63 characters.
· In FIPS mode, a password is a plaintext string of 15 to 63 characters and must contain digits, uppercase letters, lowercase letters, and special characters (see "Password control commands").
Usage guidelines
If you do not specify any parameters or the device operates in FIPS mode, you enter the interactive mode to set a plaintext password.
In non-FIPS mode, a non-password-protected user passes authentication if the user provides the correct username and passes attribute checks. To enhance security, configure a password for each local user. In FIPS mode, only password-protected users can pass authentication.
Device management users support plaintext and hashed passwords. For security purposes, all passwords, including passwords configured in plain text, are saved in hashed text.
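The naming rules of the local-user command (1 to 55 characters, no `/ \ | : * ? < > @`, and not `a`, `al` or `all`) and the password length and character-class rules above are the kind of input checks a provisioning script should apply before pushing configuration. The following Python is an added example written for this page, not vendor code. It assumes that "special character" means a printable non-alphanumeric ASCII character (`string.punctuation`); the page does not define the term, so treat that as an assumption. All sample names and passwords are constructed.

```python
# Added example: validators for local user names and plaintext passwords
# following the rules given on this page. Not device or vendor code.
import string

FORBIDDEN_NAME_CHARS = set('/\\|:*?<>@')   # characters a local user name cannot contain
RESERVED_NAMES = {"a", "al", "all"}         # names the command refuses


def check_local_user_name(name):
    """Return a list of rule violations for a local user name (empty list means valid)."""
    problems = []
    if not 1 <= len(name) <= 55:
        problems.append("length must be 1 to 55 characters")
    bad = sorted(set(name) & FORBIDDEN_NAME_CHARS)
    if bad:
        problems.append("forbidden characters: " + "".join(bad))
    if name in RESERVED_NAMES:
        problems.append("name is reserved")
    return problems


def check_plaintext_password(password, fips_mode):
    """Return a list of rule violations for a plaintext local user password.

    Non-FIPS: 1 to 63 characters. FIPS: 15 to 63 characters containing digits,
    uppercase letters, lowercase letters and special characters.
    """
    problems = []
    if not fips_mode:
        if not 1 <= len(password) <= 63:
            problems.append("length must be 1 to 63 characters")
        return problems
    if not 15 <= len(password) <= 63:
        problems.append("FIPS mode: length must be 15 to 63 characters")
    # Assumption: a "special character" is any printable non-alphanumeric ASCII character.
    present = {
        "digits": any(c.isdigit() for c in password),
        "uppercase letters": any(c.isupper() for c in password),
        "lowercase letters": any(c.islower() for c in password),
        "special characters": any(c in string.punctuation for c in password),
    }
    missing = [kind for kind, ok in present.items() if not ok]
    if missing:
        problems.append("FIPS mode: missing " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    # Constructed samples; the second password is the one used in the example below.
    for name in ("user1", "all", "bob@example.com"):
        print(name, check_local_user_name(name) or "ok")
    for pwd in ("123456TESTplat&!", "short1A!"):
        print(pwd, check_plaintext_password(pwd, fips_mode=True) or "ok")
```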
Examples
# Set the password of the device management user user1 to 123456TESTplat&! in plain text.
<Sysname> system-view
[Sysname] local-user user1 class manage
[Sysname-luser-manage-user1] password simple 123456TESTplat&!
# Set the password of the device management user test in interactive mode.
<Sysname> system-view
[Sysname] local-user test class manage
[Sysname-luser-manage-test] password
Password:
Confirm :
Related commands
· display local-user
· local-user password-display-mode
service-type
Use service-type to specify the service types that a local user can use.
Use undo service-type to delete service types configured for a local user.
Syntax
In non-FIPS mode:
service-type { ftp | { ssh | telnet | terminal } * }
undo service-type { ftp | { ssh | telnet | terminal } * }
In FIPS mode:
service-type { ssh | terminal } *
undo service-type { ssh | terminal } *
Default
A local user is not authorized to use any service.
Views
Local user view
Predefined user roles
network-admin
mdc-admin
Parameters
ftp: Authorizes the user to use the FTP service. By default, the user can use the root directory of the FTP, SFTP, or SCP server. The authorized directory can be modified by using the authorization-attribute work-directory command.
ssh: Authorizes the user to use the SSH service.
telnet: Authorizes the user to use the Telnet service.
terminal: Authorizes the user to use the terminal service and log in from a console port.
Usage guidelines
You can assign multiple service types to a user.
Examples
# Authorize the device management user user1 to use the Telnet and FTP services.
<Sysname> system-view
[Sysname] local-user user1 class manage
[Sysname-luser-manage-user1] service-type telnet
[Sysname-luser-manage-user1] service-type ftp
Related commands
display local-user
state (local user view)
Use state to set the status of a local user.
Use undo state to restore the default.
Syntax
state { active | block }
undo state
Default
A local user is in active state.
Views
Local user view
Predefined user roles
network-admin
mdc-admin
Parameters
active: Places the local user in active state to allow the local user to request network services.
block: Places the local user in blocked state to prevent the local user from requesting network services.
Usage guidelines
This command applies only to the local user.
Examples
# Place the device management user user1 in blocked state.
<Sysname> system-view
[Sysname] local-user user1 class manage
[Sysname-luser-manage-user1] state block
Related commands
display local-user
user-group
Use user-group to create a user group and enter user group view.
Use undo user-group to delete a user group.
Syntax
user-group group-name
undo user-group group-name
Default
There is a user group named system in the system.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group. Configurable user attributes are authorization attributes.
A user group with one or more local users cannot be deleted.
The system has a predefined user group named system. You can modify but not remove its configuration.
Examples
# Create a user group named abc and enter user group view.
<Sysname> system-view
[Sysname] user-group abc
[Sysname-ugroup-abc]
Related commands
display user-group
RADIUS commands
accounting-on enable
Use accounting-on enable to configure the accounting-on feature.
Use undo accounting-on enable to restore the default.
Syntax
accounting-on enable [ interval seconds | send send-times ] *
undo accounting-on enable
Default
The accounting-on feature is disabled.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
interval seconds: Specifies the time interval for retransmitting an accounting-on packet in seconds. The value range for the seconds argument is 1 to 15, and the default setting is 3 seconds.
send send-times: Specifies the maximum number of accounting-on packet transmission attempts. The value range for the send-times argument is 1 to 255, and the default setting is 50.
Usage guidelines
The accounting-on feature enables the device to automatically send an accounting-on packet to the RADIUS server after a device or card reboot. Upon receiving the accounting-on packet, the RADIUS server logs out all online users so they can log in again through the device.
Execute the save command to make sure the accounting-on enable command takes effect at the next reboot. For information about the save command, see Fundamentals Command Reference.
Parameters set with the accounting-on enable command take effect immediately.
Examples
# Enable the accounting-on feature for RADIUS scheme radius1, and set the retransmission interval to 5 seconds and the transmission attempts to 15.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] accounting-on enable interval 5 send 15
Related commands
display radius scheme
attribute 15 check-mode
Use attribute 15 check-mode to configure the Login-Service attribute check method for SSH, FTP, and terminal users.
Use undo attribute 15 check-mode to restore the default.
Syntax
attribute 15 check-mode { loose | strict }
undo attribute 15 check-mode
Default
The strict check method applies for SSH, FTP, and terminal users.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
loose: Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services.
strict: Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively.
Usage guidelines
Use the loose check method only when the server does not issue Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal users.
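To make the two check methods concrete, the following Python is an added example written for this page (not device or vendor code). It parses the RADIUS attribute list of an Access-Accept (one-byte type, one-byte total length, value) and applies the strict or loose rule to a requested service. The constructed packets below use attribute type 15 (Login-Service) as the page does; treating a missing Login-Service attribute as "not permitted" is an assumption of this example, not a statement from the page.

```python
# Added example: applying attribute 15 check-mode to a parsed RADIUS
# attribute list. Not device code; the sample packets are constructed.
import struct

LOGIN_SERVICE = 15                                       # Login-Service attribute type
STRICT_VALUES = {"ssh": 50, "ftp": 51, "terminal": 52}   # values matched in strict mode
LOOSE_VALUE = 0                                          # standard value matched in loose mode


def parse_attributes(data):
    """Parse RADIUS attribute TLVs into a list of (type, value-bytes) tuples."""
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def login_service_permits(attrs, requested_service, check_mode):
    """Decide whether the Login-Service attribute authorizes the requested service.

    strict: the value must be 50, 51 or 52 for SSH, FTP or terminal respectively.
    loose:  the standard value 0 is accepted for any of the three services.
    A missing Login-Service attribute is treated as not permitted (assumption).
    """
    if requested_service not in STRICT_VALUES:
        raise ValueError("check mode applies to ssh, ftp and terminal users only")
    values = [struct.unpack("!I", v)[0] for t, v in attrs if t == LOGIN_SERVICE and len(v) == 4]
    if not values:
        return False
    if check_mode == "strict":
        return STRICT_VALUES[requested_service] in values
    if check_mode == "loose":
        return LOOSE_VALUE in values
    raise ValueError("check_mode must be 'strict' or 'loose'")


def encode_integer_attribute(atype, value):
    """Encode a 4-byte integer RADIUS attribute (used only to build the constructed samples)."""
    return struct.pack("!BBI", atype, 6, value)


# Constructed Access-Accept attribute lists: one server issues the value 50 for SSH,
# another issues only the standard value 0.
ACCEPT_SSH_50 = encode_integer_attribute(LOGIN_SERVICE, 50)
ACCEPT_STANDARD_0 = encode_integer_attribute(LOGIN_SERVICE, 0)

if __name__ == "__main__":
    for label, pkt in (("value 50", ACCEPT_SSH_50), ("value 0", ACCEPT_STANDARD_0)):
        attrs = parse_attributes(pkt)
        for mode in ("strict", "loose"):
            print(label, mode, "ssh:", login_service_permits(attrs, "ssh", mode))
```

The point the guideline makes is visible in the output: a server that issues only the standard value 0 fails every strict check, and a server that issues 50, 51 or 52 fails every loose check, so the check method must be chosen to match what the server actually sends.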
Examples
# Configure the Login-Service attribute check method as loose for SSH, FTP, and terminal users in RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute 15 check-mode loose
Related commands
display radius scheme
data-flow-format (RADIUS scheme view)
Use data-flow-format to set the data flow and packet measurement units for traffic statistics.
Use undo data-flow-format to restore the default.
Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }
Default
Traffic is counted in bytes and packets.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.
packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
Usage guidelines
The data flow and packet measurement units for traffic statistics must be the same as configured on the RADIUS accounting servers. Otherwise, accounting results might be incorrect.
Examples
# In RADIUS scheme radius1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet
Related commands
display radius scheme
display radius scheme
Use display radius scheme to display the configuration of RADIUS schemes.
Syntax
display radius scheme [ radius-scheme-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify a RADIUS scheme, the command displays the configuration of all RADIUS schemes.
Examples
# Display the configuration of all RADIUS schemes.
<Sysname> display radius scheme
Total 2 RADIUS schemes
------------------------------------------------------------------
RADIUS Scheme Name : rad
Index : 0
Primary Auth Server:
Host name: radius.com
IP : 82.0.0.37 Port: 1812 State: Active
VPN : Not configured
Primary Acct Server:
Host name: radius.com
IP : 82.0.0.37 Port: 1813 State: Active
VPN : Not configured
Accounting-On function : Disabled
retransmission times : 50
retransmission interval(seconds) : 3
Timeout Interval(seconds) : 3
Retransmission Times : 3
Retransmission Times for Accounting Update : 5
Server Quiet Period(minutes) : 5
Realtime Accounting Interval(minutes) : 12
NAS IP Address : Not configured
VPN : Not configured
User Name Format : without-domain
------------------------------------------------------------------
RADIUS Scheme Name : rad2
Index : 1
Primary Auth Server:
Host name: radius.com
IP : 82.0.0.37 Port: 1812 State: Active
VPN : 1
Primary Acct Server:
Host name: radius.com
IP : 82.0.0.37 Port: 1813 State: Active
VPN : 1
Accounting-On function : Disabled
retransmission times : 50
retransmission interval(seconds) : 3
Timeout Interval(seconds) : 3
Retransmission Times : 3
Retransmission Times for Accounting Update : 5
Server Quiet Period(minutes) : 5
Realtime Accounting Interval(minutes) : 12
NAS IP Address : Not configured
VPN : Not configured
User Name Format : without-domain
Attribute 15 check-mode : Strict
------------------------------------------------------------------
Table 4 Command output

Field | Description |
---|---|
Index | Index number of the RADIUS scheme. |
Primary Auth Server | Information about the primary authentication server. |
Primary Acct Server | Information about the primary accounting server. |
Second Auth Server | Information about the secondary authentication server. |
Second Acct Server | Information about the secondary accounting server. |
Host name | Hostname of the server. The field displays Not configured in the following situations: · The server is not configured. · The server is specified by IP address. |
IP | IP address of the server. This field displays Not configured in the following situations: · The server is not configured. · The server is specified by hostname, and the hostname is not resolved. |
Port | Service port number of the server. If no port number is specified, this field displays the default port number. |
State | Status of the server: active or blocked. |
VPN | VPN to which the server belongs. If no VPN is specified for the server, this field displays Not configured. |
Server: n | Member ID of the security policy server. |
IP | IP address of the security policy server. |
VPN | VPN to which the security policy server belongs. If no VPN is specified for the server, this field displays Not configured. |
Accounting-On function | Whether the accounting-on feature is enabled. |
retransmission times | Number of accounting-on packet transmission attempts. |
retransmission interval(seconds) | Interval at which the device retransmits accounting-on packets, in seconds. |
Timeout Interval(seconds) | RADIUS server response timeout period, in seconds. |
Retransmission Times | Maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server. |
Retransmission Times for Accounting Update | Maximum number of accounting attempts. |
Server Quiet Period(minutes) | Quiet period for the servers, in minutes. |
Realtime Accounting Interval(minutes) | Interval for sending real-time accounting updates, in minutes. |
NAS IP Address | Source IP address for outgoing RADIUS packets. |
VPN | VPN to which the RADIUS scheme belongs. If no VPN is specified for the scheme, this field displays Not configured. |
User Name Format | Format for the usernames sent to the RADIUS server. Possible values include: · with-domain—Includes the domain name. · without-domain—Excludes the domain name. · keep-original—Forwards the username as the username is entered. |
Attribute 15 check-mode | RADIUS Login-Service attribute check method for SSH, FTP, and terminal users: · Strict—Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively. · Loose—Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services. |
display radius statistics
Use display radius statistics to display RADIUS packet statistics.
Syntax
display radius statistics
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Display RADIUS packet statistics.
<Sysname> display radius statistics
                          Auth.      Acct.      SessCtrl.
Request Packet:           0          0          0
Retry Packet:             0          0          -
Timeout Packet:           0          0          -
Access Challenge:         0          -          -
Account Start:            -          0          -
Account Update:           -          0          -
Account Stop:             -          0          -
Terminate Request:        -          -          0
Set Policy:               -          -          0
Packet With Response:     0          0          0
Packet Without Response:  0          0          -
Access Rejects:           0          -          -
Dropped Packet:           0          0          0
Check Failures:           0          0          0
Table 5 Command output

Field | Description |
---|---|
Auth. | Authentication packets. |
Acct. | Accounting packets. |
SessCtrl. | Session-control packets. |
Request Packet | Number of request packets. |
Retry Packet | Number of retransmitted request packets. |
Timeout Packet | Number of request packets timed out. |
Access Challenge | Number of access challenge packets. |
Account Start | Number of start-accounting packets. |
Account Update | Number of accounting update packets. |
Account Stop | Number of stop-accounting packets. |
Terminate Request | Number of packets for logging off users forcibly. |
Set Policy | Number of packets for updating user authorization information. |
Packet With Response | Number of packets for which responses were received. |
Packet Without Response | Number of packets for which no responses were received. |
Access Rejects | Number of Access-Reject packets. |
Dropped Packet | Number of discarded packets. |
Check Failures | Number of packets with checksum errors. |
Related commands
reset radius statistics
key (RADIUS scheme view)
Use key to set the shared key for secure RADIUS communication.
Use undo key to restore the default.
Syntax
key { accounting | authentication } { cipher | simple } string
undo key { accounting | authentication }
Default
No shared key is configured.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
accounting: Sets the shared key for secure RADIUS accounting communication.
authentication: Sets the shared key for secure RADIUS authentication communication.
cipher: Sets a ciphertext shared key.
simple: Sets a plaintext shared key.
string: Specifies the shared key string. This argument is case sensitive.
· In non-FIPS mode:
¡ A ciphertext shared key is a string of 1 to 117 characters.
¡ A plaintext shared key is a string of 1 to 64 characters.
· In FIPS mode:
¡ A ciphertext shared key is a string of 15 to 117 characters.
¡ A plaintext shared key is a string of 15 to 64 characters that must contain digits, uppercase letters, lowercase letters, and special characters.
Usage guidelines
The shared keys configured by using this command apply to all servers in the scheme. Make sure the settings match the shared keys configured on the RADIUS servers.
The shared keys specified for specific RADIUS servers take precedence over the shared key specified with this command.
For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
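What "secure RADIUS accounting communication" means in packet terms is that the shared key is folded into the Request Authenticator of every Accounting-Request and into the Response Authenticator of every Accounting-Response (RFC 2866: MD5 over the packet header, authenticator field, attributes and the key). A peer holding a different key computes a different digest and the packet is discarded. The following Python is an added example written for this page, not device or vendor code; it builds a constructed Accounting-Request, checks it with the correct and with a wrong key, and does the same for the response. The key `ok` is the one used in the example below; the user name and attributes are constructed.

```python
# Added example: RADIUS accounting authenticators and why the shared key must
# match on both ends. Not device code; the sample packet is constructed.
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5


def attr(atype, value):
    """Encode one RADIUS attribute: 1-byte type, 1-byte total length, value."""
    return bytes([atype, 2 + len(value)]) + value


def build_accounting_request(identifier, attributes, shared_key):
    """Accounting-Request whose Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + attributes + shared key)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + shared_key).digest()
    return header + authenticator + attributes


def verify_accounting_request(packet, shared_key):
    """True only if the Request Authenticator was computed with shared_key."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + shared_key).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_accounting_response(request, attributes, shared_key):
    """Accounting-Response whose Response Authenticator is
    MD5(Code + Identifier + Length + RequestAuthenticator + attributes + shared key)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20 + len(attributes))
    authenticator = hashlib.md5(header + request[4:20] + attributes + shared_key).digest()
    return header + authenticator + attributes


def verify_accounting_response(request, response, shared_key):
    """True only if the response answers this request and was built with shared_key."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if code != ACCOUNTING_RESPONSE or identifier != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + shared_key).digest()
    return hmac.compare_digest(response[4:20], expected)


# Constructed sample: User-Name (1) "user1" and Acct-Status-Type (40) = Start (1).
SAMPLE_ATTRIBUTES = attr(1, b"user1") + attr(40, struct.pack("!I", 1))
SAMPLE_KEY = b"ok"          # the plaintext key from the example below

if __name__ == "__main__":
    req = build_accounting_request(7, SAMPLE_ATTRIBUTES, SAMPLE_KEY)
    print("request accepted with matching key:", verify_accounting_request(req, SAMPLE_KEY))
    print("request accepted with wrong key:   ", verify_accounting_request(req, b"wrong"))
    resp = build_accounting_response(req, b"", SAMPLE_KEY)
    print("response accepted with matching key:", verify_accounting_response(req, resp, SAMPLE_KEY))
```

On the device side, a response that fails this check is what ends up counted under "Packet Without Response" or "Check Failures" in display radius statistics rather than as a successful exchange, which is why a key mismatch looks like an unreachable server.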
Examples
# For RADIUS scheme radius1, set the shared key for secure accounting communication to ok in plain text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] key accounting simple ok
Related commands
display radius scheme
nas-ip (RADIUS scheme view)
Use nas-ip to specify a source IP address for outgoing RADIUS packets.
Use undo nas-ip to delete a source IP address for outgoing RADIUS packets.
Syntax
nas-ip ipv4-address
undo nas-ip
Default
The source IP address of an outgoing RADIUS packet is that specified by using the radius nas-ip command in system view.
If the radius nas-ip command is not configured, the source IP address is the IP address of the outbound interface.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-address: Specifies an IPv4 address, which must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
Usage guidelines
The source IP address of the RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS.
· If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.
· If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.
When you use both the nas-ip and radius nas-ip commands, the following guidelines apply:
· The setting configured by using the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.
· The setting configured by using the radius nas-ip command in system view applies to all RADIUS schemes.
· The setting in RADIUS scheme view takes precedence over the setting in system view.
If no source IP address is specified for outgoing RADIUS packets, a physical port failure on the outbound interface prevents packets returned from the server from reaching the device. As a best practice, configure a loopback interface address as the source IP address for outgoing RADIUS packets.
A RADIUS scheme can have only one source IP address for outgoing RADIUS packets. If you specify a new source IP address for the same RADIUS scheme, the new address overwrites the old one.
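The address restrictions in the parameter description, the precedence between nas-ip in scheme view, radius nas-ip in system view and the outbound interface address, and the server-side rule that only a managed NAS's source address is processed can all be expressed as small checks. The following Python is an added example written for this page, not device or vendor code. The list of addresses "configured on the device" and the server's table of managed NAS addresses are constructed inputs. Note that the loopback rule rejects the 127.0.0.0/8 range, which is different from the best practice of using the address of a loopback interface on the device.

```python
# Added example: nas-ip address validation, source-address precedence and the
# server-side managed-NAS check. Not device code; sample addresses are constructed.
import ipaddress


def validate_nas_ip(candidate, device_addresses):
    """Return None if candidate is usable as nas-ip, otherwise the reason it is rejected.

    Rules from the parameter description: must be an address of the device and
    cannot be 0.0.0.0, 255.255.255.255, a class D or class E address, or loopback.
    """
    try:
        addr = ipaddress.IPv4Address(candidate)
    except ValueError:
        return "not a valid IPv4 address"
    if addr == ipaddress.IPv4Address("0.0.0.0"):
        return "0.0.0.0 is not allowed"
    if addr == ipaddress.IPv4Address("255.255.255.255"):
        return "255.255.255.255 is not allowed"
    first_octet = int(addr) >> 24
    if 224 <= first_octet <= 239:
        return "class D (multicast) address is not allowed"
    if first_octet >= 240:
        return "class E (reserved) address is not allowed"
    if addr.is_loopback:                      # 127.0.0.0/8, not a LoopBack interface address
        return "loopback address is not allowed"
    configured = {ipaddress.IPv4Address(a) for a in device_addresses}
    if addr not in configured:
        return "address is not configured on this device"
    return None


def select_source_ip(scheme_nas_ip, global_nas_ip, outbound_interface_ip):
    """Source address of outgoing RADIUS packets for one scheme.

    Precedence from the usage guidelines: nas-ip in RADIUS scheme view, then
    radius nas-ip in system view, then the address of the outbound interface.
    """
    return scheme_nas_ip or global_nas_ip or outbound_interface_ip


def server_accepts_source(source_ip, managed_nas_ips):
    """Server-side rule: process the packet only if its source is a managed NAS."""
    return ipaddress.IPv4Address(source_ip) in {ipaddress.IPv4Address(a) for a in managed_nas_ips}


# Constructed sample: addresses present on the device and the server's NAS table.
DEVICE_ADDRESSES = ["10.1.1.1", "192.0.2.1"]
MANAGED_NAS = ["10.1.1.1"]

if __name__ == "__main__":
    for cand in ("10.1.1.1", "0.0.0.0", "224.0.0.1", "240.0.0.1", "127.0.0.1", "10.1.1.2"):
        print(cand, validate_nas_ip(cand, DEVICE_ADDRESSES) or "ok")
    src = select_source_ip(None, None, "192.0.2.1")
    print("source", src, "accepted by server:", server_accepts_source(src, MANAGED_NAS))
```

The last two lines show the failure the guidelines warn about: with no nas-ip configured the device sources packets from the outbound interface, and a server that only knows the loopback address drops them.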
Examples
# Set the source IP address for outgoing RADIUS packets to 10.1.1.1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] nas-ip 10.1.1.1
Related commands
· display radius scheme
· radius nas-ip
primary accounting (RADIUS scheme view)
Use primary accounting to specify the primary RADIUS accounting server.
Use undo primary accounting to remove the configuration.
Syntax
primary accounting { host-name | ipv4-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *
undo primary accounting
Default
No primary RADIUS accounting server is specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
host-name: Specifies the hostname of the primary RADIUS accounting server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of the primary RADIUS accounting server.
port-number: Specifies the service port number of the primary RADIUS accounting server. The value range for the UDP port number is 1 to 65535, and the default setting is 1813.
key { cipher | simple } string: Sets the shared key for secure communication with the primary RADIUS accounting server.
· cipher string: Sets a ciphertext shared key. The string argument is case sensitive.
¡ In non-FIPS mode, the key is a string of 1 to 117 characters.
¡ In FIPS mode, the key is a string of 15 to 117 characters.
· simple string: Sets a plaintext shared key. The string argument is case sensitive.
¡ In non-FIPS mode, the key is a string of 1 to 64 characters.
¡ In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary RADIUS accounting server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Two accounting servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.
The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.
The port number and shared key settings of the primary RADIUS accounting server must be the same as the settings configured on the server.
The shared key configured by using this command takes precedence over the shared key configured with the key accounting command. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.
If you use the primary accounting command to modify or delete the primary accounting server to which the device is sending a start-accounting request, communication with the primary server times out. The device tries to communicate with an active server that has the highest priority for accounting.
If you remove an actively used accounting server, the device no longer sends users' real-time accounting requests and stop-accounting requests. It does not buffer the stop-accounting requests, either. The device might generate incorrect accounting results.
Examples
# Specify the primary accounting server with IP address 10.110.1.2, UDP port number 1813, and plaintext shared key 123456TESTacct&! for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary accounting 10.110.1.2 1813 key simple 123456TESTacct&!
Related commands
· display radius scheme
· key (RADIUS scheme view)
· secondary accounting (RADIUS scheme view)
· vpn-instance (RADIUS scheme view)
primary authentication (RADIUS scheme view)
Use primary authentication to specify the primary RADIUS authentication server.
Use undo primary authentication to remove the configuration.
Syntax
primary authentication { host-name | ipv4-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *
undo primary authentication
Default
No primary RADIUS authentication server is specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
host-name: Specifies the hostname of the primary RADIUS authentication server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication server.
port-number: Specifies the service port number of the primary RADIUS authentication server. The value range for the UDP port number is 1 to 65535, and the default setting is 1812.
key { cipher | simple } string: Sets the shared key for secure communication with the primary RADIUS authentication server.
· cipher string: Sets a ciphertext shared key. The string argument is case sensitive.
◦ In non-FIPS mode, the key is a string of 1 to 117 characters.
◦ In FIPS mode, the key is a string of 15 to 117 characters.
· simple string: Sets a plaintext shared key. The string argument is case sensitive.
◦ In non-FIPS mode, the key is a string of 1 to 64 characters.
◦ In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary RADIUS authentication server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Two authentication servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.
The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.
The service port and shared key settings of the primary RADIUS authentication server must be the same as the settings configured on the server.
The shared key configured by this command takes precedence over the shared key configured with the key authentication command. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.
If you use the primary authentication command to modify or delete the primary authentication server during an authentication process, communication with the primary server times out. The device tries to communicate with an active server that has the highest priority for authentication.
Examples
# Specify the primary authentication server with IP address 10.110.1.1, UDP port number 1812, and plaintext shared key 123456TESTauth&! for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary authentication 10.110.1.1 1812 key simple 123456TESTauth&!
Related commands
· display radius scheme
· key (RADIUS scheme view)
· secondary authentication (RADIUS scheme view)
· vpn-instance (RADIUS scheme view)
radius nas-ip
Use radius nas-ip to specify a source IP address for outgoing RADIUS packets.
Use undo radius nas-ip to delete a source IP address for outgoing RADIUS packets.
Syntax
radius nas-ip ipv4-address [ vpn-instance vpn-instance-name ]
undo radius nas-ip ipv4-address [ vpn-instance vpn-instance-name ]
Default
The source IP address of an outgoing RADIUS packet is the IP address of the outbound interface.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IPv4 address belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To configure a public-network source IPv4 address, do not specify this option.
Usage guidelines
The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS.
· If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.
· If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.
If no source IP address is specified for outgoing RADIUS packets, the device uses the IP address of the outbound interface. If that physical port fails, packets returned from the server cannot reach the device.
You can specify a maximum of 16 source IP addresses, including the following IP addresses:
· Zero or one public-network source IPv4 address.
· Private-network source IPv4 addresses.
A newly specified public-network source IPv4 address overwrites the previous address. Each VPN can have a maximum of one private-network source IPv4 address.
When you use both the nas-ip and radius nas-ip commands, the following guidelines apply:
· The setting configured by the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.
· The setting configured by the radius nas-ip command in system view applies to all RADIUS schemes.
· The setting in RADIUS scheme view takes precedence over the setting in system view.
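The guidelines above for radius nas-ip (the server identifies a NAS by source IP and drops packets from unknown sources) and for the primary/secondary server commands (the shared key must match on both sides) describe checks that are easiest to see in code. The following Python script is an added example, not part of the command reference or of the device software: it models a RADIUS server that first looks up the NAS by source IP and then verifies the Accounting-Request authenticator (RFC 2866) with that NAS's key, and a NAS that verifies the server's Response Authenticator (RFC 2865). The NAS table, addresses, identifiers and packet contents are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed NAS table (addresses and key are made up for this example): a RADIUS
# server identifies each NAS by the source IP of its packets and keeps one shared
# key per NAS, so a packet from an unknown source is dropped before anything else.
NAS_TABLE = {
    "129.10.10.1": b"123456TESTauth&!",
}

ACCESS_ACCEPT = 2
ACCOUNTING_REQUEST = 4
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator (20 octets)


def build_packet(code, identifier, authenticator, attributes):
    """Assemble a RADIUS packet: 20-octet header followed by the attribute bytes."""
    return HEADER.pack(code, identifier, HEADER.size + len(attributes), authenticator) + attributes


def accounting_request_authenticator(identifier, attributes, secret):
    """RFC 2866 Request Authenticator for Accounting-Request:
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    length = HEADER.size + len(attributes)
    return hashlib.md5(HEADER.pack(ACCOUNTING_REQUEST, identifier, length, bytes(16)) + attributes + secret).digest()


def response_authenticator(code, identifier, request_auth, attributes, secret):
    """RFC 2865 Response Authenticator:
    MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER.size + len(attributes)
    return hashlib.md5(HEADER.pack(code, identifier, length, request_auth) + attributes + secret).digest()


def server_check_accounting(src_ip, packet):
    """Server-side handling of an Accounting-Request, in the order the page describes:
    the source IP must belong to a managed NAS, then the authenticator must verify
    under that NAS's shared key. Returns 'drop-unknown-nas', 'bad-packet',
    'bad-authenticator' or 'ok'."""
    secret = NAS_TABLE.get(src_ip)
    if secret is None:
        return "drop-unknown-nas"
    code, identifier, length, auth = HEADER.unpack_from(packet)
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return "bad-packet"
    attributes = packet[HEADER.size:length]
    expected = accounting_request_authenticator(identifier, attributes, secret)
    if not hmac.compare_digest(expected, auth):
        return "bad-authenticator"   # key mismatch between NAS and server
    return "ok"


def nas_verify_response(response, request_auth, secret):
    """NAS-side check of the server's Response Authenticator; an Access-Accept that
    fails this check must not be trusted."""
    code, identifier, length, auth = HEADER.unpack_from(response)
    attributes = response[HEADER.size:length]
    return hmac.compare_digest(response_authenticator(code, identifier, request_auth, attributes, secret), auth)


def demo():
    """Exercise the checks with constructed packets; returns a dict of outcomes."""
    user = b"alice"
    # Attributes: User-Name (type 1) and Acct-Status-Type (type 40) = Start (1)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([40, 6]) + struct.pack("!I", 1)
    secret = NAS_TABLE["129.10.10.1"]
    good = build_packet(ACCOUNTING_REQUEST, 7, accounting_request_authenticator(7, attrs, secret), attrs)
    # Same request built by a NAS whose configured key does not match the server's
    wrong = build_packet(ACCOUNTING_REQUEST, 7, accounting_request_authenticator(7, attrs, b"wrong-key"), attrs)
    req_auth = bytes(range(16))  # constructed Request Authenticator of an earlier Access-Request
    accept = build_packet(ACCESS_ACCEPT, 3, response_authenticator(ACCESS_ACCEPT, 3, req_auth, b"", secret), b"")
    return {
        "correct": server_check_accounting("129.10.10.1", good),
        "unknown_nas": server_check_accounting("10.0.0.9", good),
        "wrong_key": server_check_accounting("129.10.10.1", wrong),
        "accept_ok": nas_verify_response(accept, req_auth, secret),
        "accept_wrong_key": nas_verify_response(accept, req_auth, b"wrong-key"),
    }


if __name__ == "__main__":
    print(demo())
```

The unknown-NAS case is rejected before any cryptographic check, which is why the source address chosen with radius nas-ip (or nas-ip in scheme view) has to be the one registered on the server; the wrong-key case shows the failure mode of a port or key mismatch between the device and the server.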
Examples
# Set the IP address for the device to use as the source address of the RADIUS packets to 129.10.10.1.
<Sysname> system-view
[Sysname] radius nas-ip 129.10.10.1
Related commands
nas-ip (RADIUS scheme view)
radius session-control enable
Use radius session-control enable to enable the RADIUS session-control feature.
Use undo radius session-control enable to restore the default.
Syntax
radius session-control enable
undo radius session-control enable
Default
The RADIUS session-control feature is disabled and the UDP port 1812 is closed.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The RADIUS session-control feature enables the device to receive RADIUS session-control packets on UDP port 1812 from a RADIUS server that runs on IMC.
Examples
# Enable the RADIUS session-control feature.
<Sysname> system-view
[Sysname] radius session-control enable
radius scheme
Use radius scheme to create a RADIUS scheme and enter RADIUS scheme view.
Use undo radius scheme to delete a RADIUS scheme.
Syntax
radius scheme radius-scheme-name
undo radius scheme radius-scheme-name
Default
No RADIUS scheme is defined.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
radius-scheme-name: Specifies the RADIUS scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
A RADIUS scheme can be used by more than one ISP domain at the same time.
The device supports a maximum of 16 RADIUS schemes.
Examples
# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1]
Related commands
display radius scheme
reset radius statistics
Use reset radius statistics to clear RADIUS statistics.
Syntax
reset radius statistics
Views
User view
Predefined user roles
network-admin
mdc-admin
Examples
# Clear RADIUS statistics.
<Sysname> reset radius statistics
Related commands
display radius statistics
retry
Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.
Use undo retry to restore the default.
Syntax
retry retry-times
undo retry
Default
The maximum number of RADIUS packet transmission attempts is 3.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
retry-times: Specifies the maximum number of RADIUS packet transmission attempts, in the range of 1 to 20.
Usage guidelines
Because RADIUS uses UDP packets to transmit data, the communication is not reliable.
· If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request.
· If the device does not receive a response from the RADIUS server after the maximum number of transmission attempts is reached, the device considers the request a failure.
The maximum number of packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 300 seconds.
Examples
# Set the maximum number of RADIUS packet transmission attempts to 5 for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] retry 5
Related commands
· radius scheme
· timer response-timeout (RADIUS scheme view)
retry realtime-accounting
Use retry realtime-accounting to set the maximum number of accounting attempts.
Use undo retry realtime-accounting to restore the default.
Syntax
retry realtime-accounting retry-times
undo retry realtime-accounting
Default
The maximum number of accounting attempts is 5.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
retry-times: Specifies the maximum number of accounting attempts, in the range of 1 to 255.
Usage guidelines
Typically, a RADIUS accounting server checks whether a user is online by using a timeout timer. If the server does not receive a real-time accounting request for a user from the NAS within the timeout period, it considers that a line or device failure has occurred and stops accounting for the user. To work with the RADIUS server, the NAS must send real-time accounting requests to the server before the timer on the server expires, and it must disconnect the user in step with the server when a failure occurs. The NAS decides when to disconnect a user based on the maximum number of accounting attempts together with the response timeout, transmission retry, and real-time accounting interval settings.
For example, the RADIUS server response timeout period is 3 seconds (set with the timer response-timeout command), the maximum number of RADIUS packet transmission attempts is three (set with the retry command), the real-time accounting interval is 12 minutes (set with the timer realtime-accounting command), and the maximum number of accounting attempts is five (set with the retry realtime-accounting command). In this case, the device generates an accounting request every 12 minutes, and retransmits the request if it sends the request but receives no response within 3 seconds. If the device receives no response after transmitting the request three times, it considers the accounting attempt a failure, and makes another accounting attempt. If five consecutive accounting attempts fail, the device cuts the user connection.
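The worked example above, together with the retry and timer response-timeout references and their 300-second rule, can be checked with the following Python model. It is an added example, not device code: the settings are the command defaults, the server_answers callback stands in for the network, and the simulation only follows the retransmission logic the guidelines describe (one accounting attempt is retry transmissions, each waiting response-timeout seconds; retry realtime-accounting consecutive failed attempts disconnect the user).

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class RadiusSchemeTimers:
    """The four settings that decide how long an unanswered accounting request lives.
    Defaults are the ones in the command references."""
    response_timeout: int = 3     # timer response-timeout, seconds, range 1 to 10
    retry: int = 3                # retry, transmissions per request, range 1 to 20
    realtime_interval: int = 12   # timer realtime-accounting, minutes, range 0 to 60
    realtime_retry: int = 5       # retry realtime-accounting, attempts, range 1 to 255

    def validate(self) -> List[str]:
        """Range checks from the parameter descriptions plus the rule that
        retry x response-timeout must not exceed 300 seconds."""
        errors = []
        if not 1 <= self.response_timeout <= 10:
            errors.append("timer response-timeout must be 1 to 10 seconds")
        if not 1 <= self.retry <= 20:
            errors.append("retry must be 1 to 20")
        if not 0 <= self.realtime_interval <= 60:
            errors.append("timer realtime-accounting must be 0 to 60 minutes")
        if not 1 <= self.realtime_retry <= 255:
            errors.append("retry realtime-accounting must be 1 to 255")
        if self.retry * self.response_timeout > 300:
            errors.append("retry x response-timeout exceeds 300 seconds")
        return errors

    def seconds_to_fail_one_request(self) -> int:
        """Time from the first transmission of a request until it is declared failed."""
        return self.retry * self.response_timeout

    def transmissions_before_disconnect(self) -> int:
        """Packets sent for one user before the device cuts the connection."""
        return self.retry * self.realtime_retry


def simulate_realtime_accounting(timers: RadiusSchemeTimers,
                                 server_answers: Callable[[int], bool]) -> Tuple[str, int, int]:
    """Walk the retransmission logic. server_answers(n) tells whether the server
    responds to the n-th transmission (1-based); it stands in for the network.
    Returns (outcome, transmissions_sent, accounting_attempts_used)."""
    sent = 0
    for attempt in range(1, timers.realtime_retry + 1):     # one accounting attempt
        for _ in range(timers.retry):                       # transmissions within it
            sent += 1
            if server_answers(sent):
                return "acknowledged", sent, attempt
            # no response within response_timeout seconds: retransmit
        # all transmissions unanswered: this attempt failed, try again
    return "disconnected", sent, timers.realtime_retry


if __name__ == "__main__":
    t = RadiusSchemeTimers()
    print(t.validate(), t.seconds_to_fail_one_request(), t.transmissions_before_disconnect())
    print(simulate_realtime_accounting(t, lambda n: False))      # server never answers
    print(simulate_realtime_accounting(t, lambda n: n > 10))     # server back after 10 packets
```

With the defaults, one accounting attempt is given up after 9 seconds and a user is cut off after 15 unanswered packets; a server that comes back after the tenth packet is still reached on the fourth attempt. Note that within the documented ranges (retry 1 to 20, timeout 1 to 10 seconds) the 300-second product cannot actually be exceeded, so the validator only reports it for out-of-range input.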
Examples
# Set the maximum number of accounting attempts to 10 for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] retry realtime-accounting 10
Related commands
· retry
· timer realtime-accounting (RADIUS scheme view)
· timer response-timeout (RADIUS scheme view)
secondary accounting (RADIUS scheme view)
Use secondary accounting to specify a secondary RADIUS accounting server.
Use undo secondary accounting to remove a secondary RADIUS accounting server.
Syntax
secondary accounting { host-name | ipv4-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *
undo secondary accounting [ { host-name | ipv4-address } [ port-number | vpn-instance vpn-instance-name ] * ]
Default
No secondary RADIUS accounting server is specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
host-name: Specifies the hostname of the secondary RADIUS accounting server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of the secondary RADIUS accounting server.
port-number: Specifies the service port number of the secondary RADIUS accounting server. The value range for the UDP port number is 1 to 65535, and the default setting is 1813.
key { cipher | simple } string: Sets the shared key for secure communication with the secondary RADIUS accounting server.
· cipher string: Sets a ciphertext shared key. The string argument is case sensitive.
◦ In non-FIPS mode, the key is a string of 1 to 117 characters.
◦ In FIPS mode, the key is a string of 15 to 117 characters.
· simple string: Sets a plaintext shared key. The string argument is case sensitive.
◦ In non-FIPS mode, the key is a string of 1 to 64 characters.
◦ In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS accounting server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
You can configure a maximum of 16 secondary RADIUS accounting servers for a RADIUS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.
Two accounting servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.
The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.
The port number and shared key settings of a secondary RADIUS accounting server must be the same as the settings configured on the server.
The shared key configured by this command takes precedence over the shared key configured with the key accounting command. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.
If you use the secondary accounting command to modify or delete a secondary accounting server to which the device is sending a start-accounting request, communication with the secondary server times out. The device tries to communicate with an active server that has the highest priority for accounting.
If you remove an actively used accounting server, the device no longer sends users' real-time accounting requests and stop-accounting requests. The device does not buffer the stop-accounting requests, either.
Examples
# For RADIUS scheme radius1, specify a secondary accounting server with the IP address 10.110.1.1 and the UDP port 1813.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813
# For RADIUS scheme radius2, specify two secondary accounting servers with the server IP addresses of 10.110.1.1 and 10.110.1.2 and the UDP port number of 1813.
<Sysname> system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary accounting 10.110.1.1 1813
[Sysname-radius-radius2] secondary accounting 10.110.1.2 1813
Related commands
· display radius scheme
· key (RADIUS scheme view)
· primary accounting (RADIUS scheme view)
· vpn-instance (RADIUS scheme view)
secondary authentication (RADIUS scheme view)
Use secondary authentication to specify a secondary RADIUS authentication server.
Use undo secondary authentication to remove a secondary RADIUS authentication server.
Syntax
secondary authentication { host-name | ipv4-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *
undo secondary authentication [ { host-name | ipv4-address } [ port-number | vpn-instance vpn-instance-name ] * ]
Default
No secondary RADIUS authentication server is specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
host-name: Specifies the hostname of the secondary RADIUS authentication server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of the secondary RADIUS authentication server.
port-number: Sets the service port number of the secondary RADIUS authentication server. The value range for the UDP port number is 1 to 65535, and the default setting is 1812.
key { cipher | simple } string: Sets the shared key for secure communication with the secondary RADIUS authentication server.
· cipher string: Sets a ciphertext shared key. The string argument is case sensitive.
◦ In non-FIPS mode, the key is a string of 1 to 117 characters.
◦ In FIPS mode, the key is a string of 15 to 117 characters.
· simple string: Sets a plaintext shared key. The string argument is case sensitive.
◦ In non-FIPS mode, the key is a string of 1 to 64 characters.
◦ In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS authentication server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
You can configure a maximum of 16 secondary RADIUS authentication servers for a RADIUS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.
Two authentication servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.
The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.
The port number and shared key settings of a secondary RADIUS authentication server must be the same as the settings configured on the server.
The shared key configured by this command takes precedence over the shared key configured with the key authentication command. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.
If you use the secondary authentication command to modify or delete a secondary authentication server during an authentication process, communication with the secondary server times out. The device tries to communicate with an active server that has the highest priority for authentication.
Examples
# For RADIUS scheme radius1, specify a secondary authentication server with the IP address 10.110.1.2 and the UDP port 1812.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812
# Specify two secondary authentication servers for RADIUS scheme radius2, with the server IP addresses of 10.110.1.1 and 10.110.1.2, and the UDP port number of 1812.
<Sysname> system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary authentication 10.110.1.1 1812
[Sysname-radius-radius2] secondary authentication 10.110.1.2 1812
Related commands
· display radius scheme
· key (RADIUS scheme view)
· primary authentication (RADIUS scheme view)
· vpn-instance (RADIUS scheme view)
security-policy-server
Use security-policy-server to specify a security policy server.
Use undo security-policy-server to remove a security policy server.
Syntax
security-policy-server ipv4-address [ vpn-instance vpn-instance-name ]
undo security-policy-server { ipv4-address [ vpn-instance vpn-instance-name ] | all }
Default
No security policy server is specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-address: Specifies the IPv4 address of the security policy server.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the security policy server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the security policy server is on the public network, do not specify this option.
all: Specifies all security policy servers.
Usage guidelines
You can specify a maximum of eight security policy servers for a RADIUS scheme.
Examples
# Specify the security policy server 10.110.1.2 for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] security-policy-server 10.110.1.2
Related commands
display radius scheme
snmp-agent trap enable radius
Use snmp-agent trap enable radius to enable SNMP notifications for RADIUS.
Use undo snmp-agent trap enable radius to disable SNMP notifications for RADIUS.
Syntax
snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *
undo snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *
Default
All types of notifications for RADIUS are enabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
accounting-server-down: Sends a notification when the RADIUS accounting server becomes unreachable.
accounting-server-up: Sends a notification when the RADIUS accounting server becomes reachable.
authentication-error-threshold: Sends a notification when the number of authentication failures exceeds the specified threshold. The threshold is represented by the ratio of the authentication failures to the total number of authentication attempts. The value range is 1 to 100 and the default value is 30. This threshold can only be configured through the MIB.
authentication-server-down: Sends a notification when the RADIUS authentication server becomes unreachable.
authentication-server-up: Sends a notification when the RADIUS authentication server becomes reachable.
Usage guidelines
If you do not specify any keywords, this command enables or disables all types of notifications for RADIUS.
When SNMP notifications for RADIUS are enabled, the SNMP agent supports the following notifications generated by RADIUS:
· RADIUS server unreachable notification—The RADIUS server cannot be reached. RADIUS generates this notification if it cannot receive any response to an accounting or authentication request within the specified RADIUS request transmission attempts.
· RADIUS server reachable notification—The RADIUS server can be reached. RADIUS generates this notification for a previously blocked RADIUS server after the quiet timer expires.
· Excessive authentication failures notification—The number of authentication failures to the total number of authentication attempts exceeds the specified threshold.
Examples
# Enable the SNMP agent to send RADIUS accounting server unreachable notifications.
<Sysname> system-view
[Sysname] snmp-agent trap enable radius accounting-server-down
state primary
Use state primary to set the status of a primary RADIUS server.
Syntax
state primary { accounting | authentication } { active | block }
Default
The primary RADIUS server specified for a RADIUS scheme is in active state.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
accounting: Sets the status of the primary RADIUS accounting server.
authentication: Sets the status of the primary RADIUS authentication server.
active: Specifies the active state, the normal operation state.
block: Specifies the blocked state, the out-of-service state.
Usage guidelines
During an authentication or accounting process, the device first tries to communicate with the primary server if the primary server is in active state. If the primary server is unavailable, the device performs the following operations:
· Changes the status of the primary server to blocked.
· Starts a quiet timer for the server.
· Tries to communicate with a secondary server in active state.
When the quiet timer of the primary server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active.
When the primary server and all secondary servers are in blocked state, authentication or accounting fails.
Examples
# Set the status of the primary authentication server in RADIUS scheme radius1 to blocked.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] state primary authentication block
Related commands
· display radius scheme
· state secondary
state secondary
Use state secondary to set the status of a secondary RADIUS server.
Syntax
state secondary { accounting | authentication } [ { host-name | ipv4-address } [ port-number | vpn-instance vpn-instance-name ] * ] { active | block }
Default
Every secondary RADIUS server specified in a RADIUS scheme is in active state.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
accounting: Sets the status of a secondary RADIUS accounting server.
authentication: Sets the status of a secondary RADIUS authentication server.
host-name: Specifies the hostname of a secondary RADIUS server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of a secondary RADIUS server.
port-number: Sets the service port number of a secondary RADIUS server. The value range for the UDP port number is 1 to 65535. The default port numbers for authentication and accounting are 1812 and 1813, respectively.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
active: Specifies the active state, the normal operation state.
block: Specifies the blocked state, the out-of-service state.
Usage guidelines
If you do not specify an IP address, this command changes the status of all configured secondary RADIUS servers.
If the device finds that a secondary server in active state is unreachable, the device performs the following operations:
· Changes the status of the secondary server to blocked.
· Starts a quiet timer for the server.
· Tries to communicate with another secondary server in active state.
When the quiet timer of a server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active. If all configured secondary servers are unreachable, the device considers the authentication or accounting attempt a failure.
The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.
Examples
# Set the status of all the secondary authentication servers in RADIUS scheme radius1 to blocked.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] state secondary authentication block
Related commands
· display radius scheme
· state primary
timer quiet (RADIUS scheme view)
Use timer quiet to set the quiet timer for the servers specified in a RADIUS scheme.
Use undo timer quiet to restore the default.
Syntax
timer quiet minutes
undo timer quiet
Default
The server quiet timer period is 5 minutes in a RADIUS scheme.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.
Usage guidelines
Make sure the server quiet timer is set correctly.
· A timer that is too short might result in frequent authentication or accounting failures. The reason is that the device will continue to attempt to communicate with an unreachable server that is in active state.
· A timer that is too long might temporarily block a reachable server that has recovered from a failure. The reason is that the server will remain in blocked state until the timer expires.
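The server status rules under state primary and state secondary and the quiet timer trade-off described above fit in one small state machine. The following Python model is an added example, not device code; the server names, the reachable callback (standing in for a completed RADIUS exchange) and the explicit time argument in seconds are assumptions made so the quiet timer can be exercised without waiting.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class RadiusServer:
    name: str
    state: str = "active"                 # "active" (in service) or "block" (out of service)
    quiet_until: Optional[float] = None   # set when the device blocked the server itself
    manual_block: bool = False            # set by state primary/secondary ... block


class RadiusScheme:
    """Server selection for one request, following the usage guidelines of
    state primary, state secondary and timer quiet."""

    def __init__(self, primary: RadiusServer, secondaries: List[RadiusServer], quiet_minutes: int = 5):
        self.primary = primary
        self.secondaries = list(secondaries)
        self.quiet_seconds = quiet_minutes * 60

    def servers(self) -> List[RadiusServer]:
        return [self.primary] + self.secondaries   # primary first, then configured order

    def _expire_quiet_timers(self, now: float) -> None:
        # A server the device blocked returns to active when its quiet timer expires.
        # A server blocked by an operator stays blocked until set active by hand.
        for s in self.servers():
            if s.state == "block" and not s.manual_block and s.quiet_until is not None and now >= s.quiet_until:
                s.state, s.quiet_until = "active", None

    def set_state(self, server: RadiusServer, state: str) -> None:
        """Operator action: state primary / state secondary ... { active | block }."""
        server.state = state
        server.manual_block = state == "block"
        server.quiet_until = None

    def select(self, now: float, reachable: Callable[[RadiusServer], bool]) -> Optional[str]:
        """Return the name of the server that serves this request, or None when
        authentication/accounting fails because no active server is reachable."""
        self._expire_quiet_timers(now)
        for s in self.servers():
            if s.state != "active":
                continue
            if reachable(s):
                return s.name
            # unreachable: block it, start its quiet timer, move to the next active server
            s.state = "block"
            s.quiet_until = now + self.quiet_seconds
        return None


def demo_failover() -> List[Optional[str]]:
    """Primary goes down, recovers, and is used again only after the quiet timer expires."""
    scheme = RadiusScheme(RadiusServer("primary"), [RadiusServer("sec1"), RadiusServer("sec2")], quiet_minutes=10)
    down = {"primary"}
    reachable = lambda s: s.name not in down
    picks = [scheme.select(0, reachable)]        # sec1; primary blocked, quiet until t=600
    picks.append(scheme.select(60, reachable))   # sec1; primary still quiet
    down.clear()                                 # primary has recovered...
    picks.append(scheme.select(120, reachable))  # ...but stays blocked: a long timer delays reuse
    picks.append(scheme.select(600, reachable))  # quiet timer expired: primary is active again
    return picks


def demo_manual_block():
    """A manually blocked server does not return to active on its own."""
    scheme = RadiusScheme(RadiusServer("primary"), [RadiusServer("sec1")], quiet_minutes=1)
    scheme.set_state(scheme.primary, "block")
    while_blocked = scheme.select(10_000, lambda s: True)   # sec1, long after the 1-minute timer
    scheme.set_state(scheme.primary, "active")
    return while_blocked, scheme.select(10_000, lambda s: True)  # primary


if __name__ == "__main__":
    print(demo_failover(), demo_manual_block())
```

The third pick in demo_failover is the "timer too long" case from the list above: the primary is reachable again but is not used until its quiet timer expires. The opposite mistake, a timer too short, would make select return to an unreachable primary on almost every request and block it again each time.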
Examples
# Set the quiet timer for the servers to 10 minutes.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer quiet 10
Related commands
display radius scheme
timer realtime-accounting (RADIUS scheme view)
Use timer realtime-accounting to set the real-time accounting interval.
Use undo timer realtime-accounting to restore the default.
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
Default
The real-time accounting interval is 12 minutes.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60.
Usage guidelines
When the real-time accounting interval configured on the device is not zero, the device sends online user accounting information to the RADIUS accounting server at the configured interval.
When the real-time accounting interval on the device is zero, the device sends online user accounting information to the RADIUS accounting server at the real-time accounting interval configured on the server. If the real-time accounting interval is not configured on the server, the device does not send online user accounting information.
A short interval improves accounting precision but consumes more system resources.
Table 6 Recommended real-time accounting intervals
Number of users | Real-time accounting interval |
---|---|
1 to 99 | 3 minutes |
100 to 499 | 6 minutes |
500 to 999 | 12 minutes |
1000 or more | 15 minutes or longer |
Examples
# Set the real-time accounting interval to 51 minutes for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer realtime-accounting 51
Related commands
retry realtime-accounting
timer response-timeout (RADIUS scheme view)
Use timer response-timeout to set the RADIUS server response timeout timer.
Use undo timer response-timeout to restore the default.
Syntax
timer response-timeout seconds
undo timer response-timeout
Default
The RADIUS server response timeout period is 3 seconds.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
seconds: Specifies the RADIUS server response timeout period, in the range of 1 to 10 seconds.
Usage guidelines
If the NAS receives no response from the RADIUS server within the response timeout period after sending a request, it retransmits the request so that a lost packet does not by itself fail the user's RADIUS service. The RADIUS server response timeout timer therefore sets the interval between transmission attempts.
The maximum number of RADIUS packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 300 seconds.
Examples
# Set the RADIUS server response timeout timer to 5 seconds for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer response-timeout 5
Related commands
· display radius scheme
· retry
user-name-format (RADIUS scheme view)
Use user-name-format to specify the format of the username to be sent to a RADIUS server.
Use undo user-name-format to restore the default.
Syntax
user-name-format { keep-original | with-domain | without-domain }
undo user-name-format
Default
The ISP domain name is included in the usernames sent to a RADIUS server.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
keep-original: Sends the username to the RADIUS server as the username is entered.
with-domain: Includes the ISP domain name in the username sent to the RADIUS server.
without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.
Usage guidelines
A username generally takes the userid@isp-name format, and the device uses the isp-name part to determine the ISP domain to which the user belongs. Some earlier RADIUS servers, however, cannot recognize a username that contains an ISP domain name. Before sending such a username to one of these servers, the device must remove the domain name. This command lets you specify whether the username sent to a RADIUS server includes the domain name.
If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the RADIUS scheme to more than one ISP domain. Otherwise, the RADIUS server will consider two users in different ISP domains but with the same userid as one user.
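The collision described above, as an added example that is not part of the command reference or the device software: a Python model of the three user-name-format settings applied to a set of constructed logins, showing that without-domain merges alice@corp and alice@guest into one server-side username. The default ISP domain name `default` and the choice of the last `@` as the domain delimiter are assumptions.

```python
"""Username transformation for the RADIUS user-name-format command.

Added example, not Comware code. It applies the three formats the command
offers and shows why a scheme configured with without-domain must not be
bound to more than one ISP domain: the RADIUS server receives the same
username for different users. Assumptions: a username entered without '@'
is placed in a hypothetical default ISP domain named 'default', and the
domain delimiter is the last '@' in the entered string.
"""
from typing import Dict, Iterable, Set, Tuple

DEFAULT_DOMAIN = "default"   # assumption: name of the device's default ISP domain


def split_username(entered: str) -> Tuple[str, str]:
    """Return (userid, isp-name) for a 'userid@isp-name' login."""
    if "@" not in entered:
        return entered, DEFAULT_DOMAIN
    userid, _, domain = entered.rpartition("@")
    return userid, domain


def format_for_radius(entered: str, fmt: str) -> str:
    """What the NAS puts in the User-Name attribute under each format."""
    userid, domain = split_username(entered)
    if fmt == "keep-original":
        return entered                 # exactly as typed, even without a domain
    if fmt == "with-domain":
        return f"{userid}@{domain}"    # domain always present
    if fmt == "without-domain":
        return userid                  # domain stripped
    raise ValueError(f"unknown user-name-format: {fmt}")


def server_view(logins: Iterable[str], fmt: str) -> Dict[str, Set[str]]:
    """Map each username the RADIUS server sees to the device-side identities
    (userid@isp-name) that produced it."""
    seen: Dict[str, Set[str]] = {}
    for entered in logins:
        userid, domain = split_username(entered)
        seen.setdefault(format_for_radius(entered, fmt), set()).add(f"{userid}@{domain}")
    return seen


def collisions(logins: Iterable[str], fmt: str) -> Dict[str, Set[str]]:
    """Server-side usernames under which two or more distinct users merge."""
    return {name: ids for name, ids in server_view(logins, fmt).items() if len(ids) > 1}


if __name__ == "__main__":
    # Constructed logins: one scheme shared by ISP domains corp and guest.
    logins = ["alice@corp", "alice@guest", "bob@corp", "carol"]
    for fmt in ("with-domain", "without-domain", "keep-original"):
        print(fmt, "collisions:", collisions(logins, fmt) or "none")
```

Run it directly to see that only without-domain reports a collision. The practical consequence is that alice@guest would be authenticated, authorized and billed against whatever the server holds for alice, which is why the guideline restricts a without-domain scheme to a single ISP domain.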
Examples
# Configure the device to remove the domain name from the username sent to the RADIUS servers specified in RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] user-name-format without-domain
Related commands
display radius scheme
vpn-instance (RADIUS scheme view)
Use vpn-instance to specify a VPN for a RADIUS scheme.
Use undo vpn-instance to remove the configuration.
Syntax
vpn-instance vpn-instance-name
undo vpn-instance
Default
The RADIUS scheme belongs to the public network.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
vpn-instance-name: Specifies the name of the MPLS L3VPN, a case-sensitive string of 1 to 31 characters.
Usage guidelines
The VPN specified by using this command applies to all servers in the RADIUS scheme for which no VPN is specified.
Examples
# Specify VPN test for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] vpn-instance test
Related commands
display radius scheme
HWTACACS commands
data-flow-format (HWTACACS scheme view)
Use data-flow-format to set the data flow and packet measurement units for traffic statistics.
Use undo data-flow-format to restore the default.
Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }
Default
Traffic is counted in bytes and packets.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.
packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
Usage guidelines
The data flow and packet measurement units for traffic statistics must be the same as configured on the HWTACACS accounting servers. Otherwise, accounting results might be incorrect.
Examples
# In HWTACACS scheme hwt1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte packet kilo-packet
Related commands
display hwtacacs scheme
display hwtacacs scheme
Use display hwtacacs scheme to display the configuration or statistics of HWTACACS schemes.
Syntax
display hwtacacs scheme [ hwtacacs-scheme-name [ statistics ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an HWTACACS scheme, the command displays the configuration of all HWTACACS schemes.
statistics: Displays the HWTACACS service statistics. If you do not specify this keyword, the command displays the configuration of the HWTACACS scheme.
Examples
# Display the configuration of all HWTACACS schemes.
<Sysname> display hwtacacs scheme
Total 2 TACACS schemes
------------------------------------------------------------------
HWTACACS Scheme Name : tac
Index : 0
Primary Auth Server:
Host name: tacacs.com
IP : 82.0.0.37 Port: 49 State: Active
VPN Instance: Not configured
Single-connection: Disabled
Primary Author Server:
Host name: tacacs.com
IP : 82.0.0.37 Port: 49 State: Active
VPN Instance: Not configured
Single-connection: Disabled
Primary Acct Server:
Host name: tacacs.com
IP : 82.0.0.37 Port: 49 State: Active
VPN Instance: Not configured
Single-connection: Disabled
VPN Instance : Not configured
NAS IP Address : Not configured
Server Quiet Period(minutes) : 5
Realtime Accounting Interval(minutes) : 12
Response Timeout Interval(seconds) : 5
Username Format : without-domain
------------------------------------------------------------------
HWTACACS Scheme Name : tac2
Index : 1
Primary Auth Server:
Host name: tacacs.com
IP : 82.0.0.37 Port: 49 State: Active
VPN Instance: 1
Single-connection: Disabled
Primary Author Server:
Host name: tacacs.com
IP : 82.0.0.37 Port: 49 State: Active
VPN Instance: 1
Single-connection: Disabled
Primary Acct Server:
Host name: tacacs.com
IP : 82.0.0.37 Port: 49 State: Active
VPN Instance: 1
Single-connection: Disabled
VPN Instance : Not configured
NAS IP Address : Not configured
Server Quiet Period(minutes) : 5
Realtime Accounting Interval(minutes) : 12
Response Timeout Interval(seconds) : 5
Username Format : without-domain
------------------------------------------------------------------
Table 7 Command output
Field | Description |
---|---|
Index | Index number of the HWTACACS scheme. |
Primary Auth Server | Primary HWTACACS authentication server. |
Primary Author Server | Primary HWTACACS authorization server. |
Primary Acct Server | Primary HWTACACS accounting server. |
Secondary Auth Server | Secondary HWTACACS authentication server. |
Secondary Author Server | Secondary HWTACACS authorization server. |
Secondary Acct Server | Secondary HWTACACS accounting server. |
Host name | Hostname of the HWTACACS server. The field displays Not configured in the following situations: · The server is not configured. · The server is specified by IP address. |
IP | IP address of the HWTACACS server. This field displays Not configured in the following situations: · The server is not configured. · The server is specified by hostname, and the hostname is not resolved. |
Port | Service port of the HWTACACS server. If no port configuration is performed, this field displays the default port number. |
Single-connection | Single connection status: · Enabled—Establish only one TCP connection for all users to communicate with the server. · Disabled—Establish a TCP connection for each user to communicate with the server. |
State | Status of the HWTACACS server: active or blocked. |
VPN Instance | MPLS L3VPN to which the HWTACACS server or scheme belongs. If no VPN is specified for the server or scheme, this field displays Not configured. |
NAS IP Address | Source IP address for outgoing HWTACACS packets. |
Server Quiet Period(minutes) | Quiet period for the primary servers, in minutes. |
Realtime Accounting Interval(minutes) | Real-time accounting interval, in minutes. |
Response Timeout Interval(seconds) | HWTACACS server response timeout period, in seconds. |
Username Format | Format for the usernames sent to the HWTACACS server. Possible values include: · with-domain—Includes the domain name. · without-domain—Excludes the domain name. · keep-original—Forwards the username as the username is entered. |
Related commands
reset hwtacacs statistics
hwtacacs nas-ip
Use hwtacacs nas-ip to specify a source IP address for outgoing HWTACACS packets.
Use undo hwtacacs nas-ip to delete a source IP address for outgoing HWTACACS packets.
Syntax
hwtacacs nas-ip ipv4-address [ vpn-instance vpn-instance-name ]
undo hwtacacs nas-ip ipv4-address [ vpn-instance vpn-instance-name ]
Default
The source IP address of an HWTACACS packet sent to the server is the IP address of the outbound interface.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IP address belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To configure a public-network source IPv4 address, do not specify this option.
Usage guidelines
The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of a managed NAS.
· If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.
· If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.
You can specify a maximum of 16 source IP addresses, including the following IP addresses:
· Zero or one public-network source IPv4 address.
· Private-network source IPv4 addresses.
A newly specified public-network source IPv4 address overwrites the previous address. Each VPN can have a maximum of one private-network source IPv4 address.
When you use both the nas-ip and hwtacacs nas-ip commands, the following guidelines apply:
· The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme.
· The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.
· The setting in HWTACACS scheme view takes precedence over the setting in system view.
Examples
# Set the IP address for the device to use as the source address for HWTACACS packets to 129.10.10.1.
<Sysname> system-view
[Sysname] hwtacacs nas-ip 129.10.10.1
Related commands
nas-ip (HWTACACS scheme view)
hwtacacs scheme
Use hwtacacs scheme to create an HWTACACS scheme and enter HWTACACS scheme view.
Use undo hwtacacs scheme to delete an HWTACACS scheme.
Syntax
hwtacacs scheme hwtacacs-scheme-name
undo hwtacacs scheme hwtacacs-scheme-name
Default
No HWTACACS scheme exists.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme-name: Specifies the HWTACACS scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
An HWTACACS scheme can be used by more than one ISP domain at the same time.
You can configure a maximum of 16 HWTACACS schemes.
Examples
# Create an HWTACACS scheme named hwt1 and enter HWTACACS scheme view.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1]
Related commands
display hwtacacs scheme
key (HWTACACS scheme view)
Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication.
Use undo key to remove the configuration.
Syntax
key { accounting | authentication | authorization } { cipher | simple } string
undo key { accounting | authentication | authorization }
Default
No shared key is configured.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
accounting: Sets the shared key for secure HWTACACS accounting communication.
authentication: Sets the shared key for secure HWTACACS authentication communication.
authorization: Sets the shared key for secure HWTACACS authorization communication.
cipher: Sets a ciphertext shared key.
simple: Sets a plaintext shared key.
string: Specifies the shared key string. This argument is case sensitive.
· In non-FIPS mode:
¡ A ciphertext shared key is a string of 1 to 373 characters.
¡ A plaintext shared key is a string of 1 to 255 characters.
· In FIPS mode:
¡ A ciphertext shared key is a string of 15 to 373 characters.
¡ A plaintext shared key is a string of 15 to 255 characters that must contain digits, uppercase letters, lowercase letters, and special characters.
Usage guidelines
The shared keys configured on the device must match those configured on the HWTACACS servers.
For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
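Why the shared key must match on both ends, as an added example that is not part of the command reference or the device software: a Python implementation of the TACACS+ header and the MD5-keystream body obfuscation from RFC 8907, plus a checker for the plaintext key rules listed under Parameters. It assumes that HWTACACS uses the TACACS+ wire format and that a "special character" means any non-alphanumeric character; the session id, user, port, remote address and key are constructed values.

```python
"""TACACS+ body obfuscation keyed by the HWTACACS shared key (RFC 8907).

Added example, not Comware code: it shows why the key set with
`key { accounting | authentication | authorization }` must match the
server's copy. The packet body is XORed with an MD5 keystream derived
from the key, so a mismatched key produces an unreadable body rather
than an explicit error. Assumptions: HWTACACS uses the TACACS+ wire
format; the session id, user, port, address and key are constructed.
"""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0        # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_ACCT = 0x03
FLAG_UNENCRYPTED = 0x01        # body sent in the clear (never use in production)
FLAG_SINGLE_CONNECT = 0x04     # what the single-connection keyword negotiates
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream from RFC 8907 section 4.4: MD5_1 = MD5(session_id, key,
    version, seq_no); MD5_n = MD5(..., MD5_n-1); concatenated to `length`."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(prefix + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the keystream; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, priv_lvl=1):
    """Authentication START body: action LOGIN (1), priv_lvl, authen_type
    ASCII (1), authen_service LOGIN (1), four length bytes, then the strings."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    return bytes([1, priv_lvl, 1, 1, len(u), len(p), len(r), len(d)]) + u + p + r + d


def build_packet(ptype, seq_no, session_id, body, key, single_connect=False):
    """Assemble header + (obfuscated) body. key=None sends the body in the clear."""
    flags = FLAG_SINGLE_CONNECT if single_connect else 0
    if key is None:
        flags |= FLAG_UNENCRYPTED
        wire_body = body
    else:
        wire_body = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    return HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body)) + wire_body


def parse_packet(packet, key):
    """Split the header and recover the body with `key` (the receiver's copy)."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


def check_key_policy(key, fips):
    """Plaintext key rules from the command reference: 1 to 255 characters in
    non-FIPS mode; 15 to 255 characters containing a digit, an uppercase letter,
    a lowercase letter and a special (assumed: non-alphanumeric) character in FIPS mode."""
    if not fips:
        return 1 <= len(key) <= 255
    return (15 <= len(key) <= 255
            and any(c.isdigit() for c in key) and any(c.isupper() for c in key)
            and any(c.islower() for c in key) and any(not c.isalnum() for c in key))


if __name__ == "__main__":
    shared = b"123456TESTauth&!"                       # constructed key
    body = authen_start_body("alice", "vty0", "10.0.0.5")
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, 0x1234ABCD, body, shared, single_connect=True)
    print("wire body differs from plaintext:", pkt[HEADER.size:] != body)
    print("matching key recovers body:", parse_packet(pkt, shared)["body"] == body)
    print("wrong key recovers body:", parse_packet(pkt, b"wrong")["body"] == body)
    print("key meets FIPS policy:", check_key_policy(shared.decode(), fips=True))
```

Two things this makes concrete. First, the obfuscation is keyed by MD5 with no integrity check, so the shared key is what stands between an on-path observer and the credentials in the body; the cipher/simple choice only affects how the key is stored in the running configuration, not the wire format. Second, a key mismatch is silent at the protocol layer: the server simply fails to parse the body and the login fails, which is worth remembering when troubleshooting a new server entry.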
Examples
# Set the shared key for secure HWTACACS authentication communication to 123456TESTauth&! in plain text for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key authentication simple 123456TESTauth&!
# Set the shared key for secure HWTACACS authorization communication to 123456TESTautr&! in plain text.
[Sysname-hwtacacs-hwt1] key authorization simple 123456TESTautr&!
# Set the shared key for secure HWTACACS accounting communication to 123456TESTacct&! in plain text.
[Sysname-hwtacacs-hwt1] key accounting simple 123456TESTacct&!
Related commands
display hwtacacs scheme
nas-ip (HWTACACS scheme view)
Use nas-ip to specify a source IP address for outgoing HWTACACS packets.
Use undo nas-ip to delete a source IP address for outgoing HWTACACS packets.
Syntax
nas-ip ipv4-address
undo nas-ip
Default
The source IP address of an outgoing HWTACACS packet is the IP address configured by using the hwtacacs nas-ip command in system view.
If the hwtacacs nas-ip command is not configured, the source IP address is the IP address of the outbound interface.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
Usage guidelines
The source IP address of the HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of a managed NAS.
· If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.
· If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.
When you use both the nas-ip and hwtacacs nas-ip commands, the following guidelines apply:
· The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme.
· The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.
· The setting in HWTACACS scheme view takes precedence over the setting in system view.
If you execute the command multiple times, the most recent configuration takes effect.
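The address selection described for both nas-ip (HWTACACS scheme view) and hwtacacs nas-ip (system view), as an added example that is not part of the command reference or the device software: a Python model of the scheme-over-system precedence, the addresses both commands reject, the 16-entry and one-per-VPN limits of the system-view table, and the server-side check that drops packets from an unknown source. Scheme names, VPN names and addresses are constructed; that a system-view entry is matched to a scheme by the scheme's vpn-instance, and that re-specifying a VPN's address replaces the earlier one, are assumptions.

```python
"""Source-address selection for outgoing HWTACACS packets.

Added example, not Comware code. It models the precedence described for
nas-ip (HWTACACS scheme view) and hwtacacs nas-ip (system view), the
addresses both commands reject, and the server-side check that drops any
packet whose source is not a managed NAS. Scheme names, VPN names and
addresses are constructed sample data. Assumptions: a system-view entry is
matched to a scheme by the scheme's vpn-instance, and re-specifying the
address for a VPN replaces the previous one.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

MAX_GLOBAL_NAS_IPS = 16


def valid_nas_ip(addr: str) -> bool:
    """Both nas-ip commands reject 0.0.0.0, 255.255.255.255, class D
    (multicast), class E (240.0.0.0/4) and loopback addresses."""
    ip = ipaddress.IPv4Address(addr)
    if ip == ipaddress.IPv4Address("0.0.0.0") or ip.is_loopback or ip.is_multicast:
        return False
    return ip not in ipaddress.IPv4Network("240.0.0.0/4")   # also covers 255.255.255.255


@dataclass
class GlobalNasIp:
    """hwtacacs nas-ip table: zero or one public address, at most one
    address per VPN, 16 entries in total."""
    public: Optional[str] = None
    per_vpn: Dict[str, str] = field(default_factory=dict)

    def count(self) -> int:
        return (1 if self.public else 0) + len(self.per_vpn)

    def add(self, addr: str, vpn: Optional[str] = None) -> None:
        if not valid_nas_ip(addr):
            raise ValueError(f"{addr} is not permitted as a NAS source address")
        is_new = self.public is None if vpn is None else vpn not in self.per_vpn
        if is_new and self.count() >= MAX_GLOBAL_NAS_IPS:
            raise ValueError("maximum of 16 HWTACACS source addresses reached")
        if vpn is None:
            self.public = addr            # a new public address overwrites the old one
        else:
            self.per_vpn[vpn] = addr      # one private-network address per VPN (assumed to replace)


@dataclass
class HwtacacsScheme:
    name: str
    nas_ip: Optional[str] = None          # nas-ip in scheme view
    vpn_instance: Optional[str] = None    # vpn-instance in scheme view

    def set_nas_ip(self, addr: str) -> None:
        if not valid_nas_ip(addr):
            raise ValueError(f"{addr} is not permitted as a NAS source address")
        self.nas_ip = addr                # the most recent setting takes effect


def source_ip(scheme: HwtacacsScheme, system: GlobalNasIp, outbound_if_ip: str) -> str:
    """Scheme view beats system view; system view beats the outbound interface."""
    if scheme.nas_ip:
        return scheme.nas_ip
    if scheme.vpn_instance is None and system.public:
        return system.public
    if scheme.vpn_instance in system.per_vpn:
        return system.per_vpn[scheme.vpn_instance]
    return outbound_if_ip


def server_accepts(managed_nas: Set[str], packet_src: str) -> bool:
    """The HWTACACS server identifies the NAS by source IP and drops the rest."""
    return packet_src in managed_nas


if __name__ == "__main__":
    system = GlobalNasIp()
    system.add("129.10.10.1")                 # hwtacacs nas-ip 129.10.10.1
    system.add("10.2.2.2", vpn="vpn1")        # hwtacacs nas-ip 10.2.2.2 vpn-instance vpn1
    hwt1 = HwtacacsScheme("hwt1")
    hwt1.set_nas_ip("10.1.1.1")               # nas-ip 10.1.1.1 in scheme view
    hwt2 = HwtacacsScheme("hwt2")
    hwt3 = HwtacacsScheme("hwt3", vpn_instance="vpn1")
    managed = {"10.1.1.1", "10.2.2.2"}        # NAS list on the (constructed) server
    for scheme in (hwt1, hwt2, hwt3):
        src = source_ip(scheme, system, "192.0.2.1")
        print(f"{scheme.name}: source {src}, server accepts: {server_accepts(managed, src)}")
```

In the sample run hwt2 falls back to the public system-view address 129.10.10.1, which the constructed server does not list, so its packets would be dropped silently. That is the failure to look for when an otherwise correct scheme never gets a reply: check the source address the device actually chose against the NAS entry on the server before touching keys or ports.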
Examples
# Set the source address for outgoing HWTACACS packets to 10.1.1.1 for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1
Related commands
hwtacacs nas-ip
primary accounting (HWTACACS scheme view)
Use primary accounting to specify the primary HWTACACS accounting server.
Use undo primary accounting to remove the configuration.
Syntax
primary accounting { host-name | ipv4-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *
undo primary accounting
Default
No primary HWTACACS accounting server is specified.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
host-name: Specifies the hostname of the primary HWTACACS accounting server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies an IPv4 address of the primary HWTACACS accounting server.
port-number: Specifies the service port number of the primary HWTACACS accounting server. The value range for the TCP port number is 1 to 65535, and the default setting is 49.
key { cipher | simple } string: Sets the shared key for secure communication with the primary HWTACACS accounting server.
· cipher string: Sets a ciphertext shared key. The string argument is case sensitive.
¡ In non-FIPS mode, the key is a string of 1 to 373 characters.
¡ In FIPS mode, the key is a string of 15 to 373 characters.
· simple string: Sets a plaintext shared key. The string argument is case sensitive.
¡ In non-FIPS mode, the key is a string of 1 to 255 characters.
¡ In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.
single-connection: The device and the primary HWTACACS accounting server use one TCP connection to exchange accounting packets for all users. If you do not specify this keyword, the device opens a new TCP connection each time it exchanges accounting packets with the primary accounting server for a user. As a best practice, specify this keyword to reduce the number of TCP connections and improve system performance, provided the HWTACACS server supports the single-connection method.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS accounting server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Two accounting servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.
The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.
The port number and shared key settings of the primary HWTACACS accounting server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.
You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.
Examples
# Specify the primary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key 123456TESTacct&! for HWTACACS scheme test1.
<Sysname> system-view
[Sysname] hwtacacs scheme test1
[Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49 key simple 123456TESTacct&!
Related commands
· display hwtacacs scheme
· key (HWTACACS scheme view)
· secondary accounting (HWTACACS scheme view)
· vpn-instance (HWTACACS scheme view)
primary authentication (HWTACACS scheme view)
Use primary authentication to specify the primary HWTACACS authentication server.
Use undo primary authentication to remove the configuration.
Syntax
primary authentication { host-name | ipv4-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *
undo primary authentication
Default
No primary HWTACACS authentication server is specified.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
host-name: Specifies the hostname of the primary HWTACACS authentication server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of the primary HWTACACS authentication server.
port-number: Specifies the service port number of the primary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535, and the default setting is 49.
key { cipher | simple } string: Sets the shared key for secure communication with the primary HWTACACS authentication server.
· cipher string: Sets a ciphertext shared key. The string argument is case sensitive.
¡ In non-FIPS mode, the key is a string of 1 to 373 characters.
¡ In FIPS mode, the key is a string of 15 to 373 characters.
· simple string: Sets a plaintext shared key. The string argument is case sensitive.
¡ In non-FIPS mode, the key is a string of 1 to 255 characters.
¡ In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.
single-connection: The device and the primary HWTACACS authentication server use one TCP connection to exchange authentication packets for all users. If you do not specify this keyword, the device opens a new TCP connection each time it exchanges authentication packets with the primary authentication server for a user. As a best practice, specify this keyword to reduce the number of TCP connections and improve system performance, provided the HWTACACS server supports the single-connection method.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS authentication server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Two authentication servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.
The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.
The port number and shared key settings of the primary HWTACACS authentication server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.
You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.
Examples
# Specify the primary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&! for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49 key simple 123456TESTauth&!
Related commands
· display hwtacacs scheme
· key (HWTACACS scheme view)
· secondary authentication (HWTACACS scheme view)
· vpn-instance (HWTACACS scheme view)
primary authorization
Use primary authorization to specify the primary HWTACACS authorization server.
Use undo primary authorization to remove the configuration.
Syntax
primary authorization { host-name | ipv4-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *
undo primary authorization
Default
No primary HWTACACS authorization server is specified.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
host-name: Specifies the hostname of the primary HWTACACS authorization server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of the primary HWTACACS authorization server.
port-number: Specifies the service port number of the primary HWTACACS authorization server. The value range for the TCP port number is 1 to 65535, and the default setting is 49.
key { cipher | simple } string: Sets the shared key for secure communication with the primary HWTACACS authorization server.
· cipher string: Sets a ciphertext shared key. The string argument is case sensitive.
¡ In non-FIPS mode, the key is a string of 1 to 373 characters.
¡ In FIPS mode, the key is a string of 15 to 373 characters.
· simple string: Sets a plaintext shared key. The string argument is case sensitive.
¡ In non-FIPS mode, the key is a string of 1 to 255 characters.
¡ In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.
single-connection: The device and the primary HWTACACS authorization server use one TCP connection to exchange authorization packets for all users. If you do not specify this keyword, the device opens a new TCP connection each time it exchanges authorization packets with the primary authorization server for a user. As a best practice, specify this keyword to reduce the number of TCP connections and improve system performance, provided the HWTACACS server supports the single-connection method.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS authorization server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Two authorization servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.
The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.
The port number and shared key settings of the primary HWTACACS authorization server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.
You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.
Examples
# Specify the primary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&! for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49 key simple 123456TESTautr&!
Related commands
· display hwtacacs scheme
· key (HWTACACS scheme view)
· secondary authorization
· vpn-instance (HWTACACS scheme view)
reset hwtacacs statistics
Use reset hwtacacs statistics to clear HWTACACS statistics.
Syntax
reset hwtacacs statistics { accounting | all | authentication | authorization }
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
accounting: Clears the HWTACACS accounting statistics.
all: Clears all HWTACACS statistics.
authentication: Clears the HWTACACS authentication statistics.
authorization: Clears the HWTACACS authorization statistics.
Examples
# Clear all HWTACACS statistics.
<Sysname> reset hwtacacs statistics all
Related commands
display hwtacacs scheme
secondary accounting (HWTACACS scheme view)
Use secondary accounting to specify a secondary HWTACACS accounting server.
Use undo secondary accounting to remove a secondary HWTACACS accounting server.
Syntax
secondary accounting { host-name | ipv4-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *
undo secondary accounting [ { host-name | ipv4-address } [ port-number | vpn-instance vpn-instance-name ] * ]
Default
No secondary HWTACACS accounting server is specified.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
host-name: Specifies the hostname of the secondary HWTACACS accounting server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of the secondary HWTACACS accounting server.
port-number: Specifies the service port number of the secondary HWTACACS accounting server. The value range for the TCP port number is 1 to 65535, and the default setting is 49.
key { cipher | simple } string: Specifies the shared key for secure communication with the secondary HWTACACS accounting server.
· cipher string: Sets a ciphertext shared key. The string argument is case sensitive.
¡ In non-FIPS mode, the key is a string of 1 to 373 characters.
¡ In FIPS mode, the key is a string of 15 to 373 characters.
· simple string: Sets a plaintext shared key. The string argument is case sensitive.
¡ In non-FIPS mode, the key is a string of 1 to 255 characters.
¡ In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.
single-connection: The device and the secondary HWTACACS accounting server use one TCP connection to exchange accounting packets for all users. If you do not specify this keyword, the device opens a new TCP connection each time it exchanges accounting packets with the secondary accounting server for a user. As a best practice, specify this keyword to reduce the number of TCP connections and improve system performance, provided the HWTACACS server supports the single-connection method.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS accounting server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
You can configure a maximum of 16 secondary HWTACACS accounting servers for an HWTACACS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.
If you do not specify any parameters for the undo secondary accounting command, the command removes all secondary accounting servers.
Two accounting servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.
The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.
The port number and shared key settings of a secondary HWTACACS accounting server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.
You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.
Examples
# Specify a secondary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key 123456TESTacct&! for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49 key simple 123456TESTacct&!
Related commands
· display hwtacacs scheme
· key (HWTACACS scheme view)
· primary accounting (HWTACACS scheme view)
· vpn-instance (HWTACACS scheme view)
secondary authentication (HWTACACS scheme view)
Use secondary authentication to specify a secondary HWTACACS authentication server.
Use undo secondary authentication to remove a secondary HWTACACS authentication server.
Syntax
secondary authentication { host-name | ipv4-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *
undo secondary authentication [ { host-name | ipv4-address } [ port-number | vpn-instance vpn-instance-name ] * ]
Default
No secondary HWTACACS authentication server is specified.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
host-name: Specifies the hostname of the secondary HWTACACS authentication server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authentication server.
port-number: Specifies the service port number of the secondary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535, and the default setting is 49.
key { cipher | simple } string: Sets the shared key for secure communication with the secondary HWTACACS authentication server.
· cipher string: Sets a ciphertext shared key. The string argument is case sensitive.
  · In non-FIPS mode, the key is a string of 1 to 373 characters.
  · In FIPS mode, the key is a string of 15 to 373 characters.
· simple string: Sets a plaintext shared key. The string argument is case sensitive.
  · In non-FIPS mode, the key is a string of 1 to 255 characters.
  · In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.
single-connection: The device and the secondary HWTACACS authentication server use the same TCP connection to exchange all authentication packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authentication packets with the secondary authentication server for a user. As a best practice, specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS authentication server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
You can configure a maximum of 16 secondary HWTACACS authentication servers for an HWTACACS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.
If you do not specify any parameters for the undo secondary authentication command, the command removes all secondary authentication servers.
Two authentication servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.
The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.
The port number and shared key settings of a secondary HWTACACS authentication server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.
You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.
Examples
# Specify a secondary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&! for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49 key simple 123456TESTauth&!
Related commands
· display hwtacacs scheme
· key (HWTACACS scheme view)
· primary authentication (HWTACACS scheme view)
· vpn-instance (HWTACACS scheme view)
secondary authorization
Use secondary authorization to specify a secondary HWTACACS authorization server.
Use undo secondary authorization to remove a secondary HWTACACS authorization server.
Syntax
secondary authorization { host-name | ipv4-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *
undo secondary authorization [ { host-name | ipv4-address } [ port-number | vpn-instance vpn-instance-name ] * ]
Default
No secondary HWTACACS authorization server is specified.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
host-name: Specifies the hostname of the secondary HWTACACS authorization server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authorization server.
port-number: Specifies the service port number of the secondary HWTACACS authorization server. The value range for the TCP port number is 1 to 65535, and the default setting is 49.
key { cipher | simple } string: Sets the shared key for secure communication with the secondary HWTACACS authorization server.
· cipher string: Sets a ciphertext shared key. The string argument is case sensitive.
  · In non-FIPS mode, the key is a string of 1 to 373 characters.
  · In FIPS mode, the key is a string of 15 to 373 characters.
· simple string: Sets a plaintext shared key. The string argument is case sensitive.
  · In non-FIPS mode, the key is a string of 1 to 255 characters.
  · In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.
single-connection: The device and the secondary HWTACACS authorization server use the same TCP connection to exchange all authorization packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authorization packets with the secondary authorization server for a user. As a best practice, specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS authorization server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
You can configure a maximum of 16 secondary HWTACACS authorization servers for an HWTACACS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.
If you do not specify any parameters for the undo secondary authorization command, the command removes all secondary authorization servers.
Two authorization servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.
The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.
The port number and shared key settings of a secondary HWTACACS authorization server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.
You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.
Examples
# Specify a secondary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&! for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49 key simple 123456TESTautr&!
Related commands
· display hwtacacs scheme
· key (HWTACACS scheme view)
· primary authorization
· vpn-instance (HWTACACS scheme view)
timer quiet (HWTACACS scheme view)
Use timer quiet to set the quiet timer for the servers specified in an HWTACACS scheme.
Use undo timer quiet to restore the default.
Syntax
timer quiet minutes
undo timer quiet
Default
The server quiet timer period is 5 minutes in an HWTACACS scheme.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.
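The following Python is an added example, not code from the command reference or the device. It models the server-selection rules stated for the secondary accounting, authentication and authorization commands (one primary plus at most 16 secondaries, no two servers with identical hostname/address, port and VPN, the primary tried first and the secondaries in configured order) together with the quiet timer set by this command. That a server which fails to answer within timer response-timeout is skipped until its quiet period expires is an assumption about how the quiet timer is applied; this page only defines the timer's range and default.

```python
"""HWTACACS server selection with the quiet timer (added example; not the
device's own code).  Rules taken from this page: up to 16 secondary servers
per scheme, no two servers with the same hostname/address, port and VPN,
primary first and then secondaries in configured order.  Assumption: a
server that does not reply within timer response-timeout is skipped until
timer quiet minutes have elapsed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_SECONDARY_SERVERS = 16


@dataclass(frozen=True)
class Server:
    host: str                           # hostname or IPv4 address
    port: int = 49                      # default TCP port on this page
    vpn_instance: Optional[str] = None  # None: public network
    single_connection: bool = False

    def identity(self) -> Tuple[str, int, Optional[str]]:
        """The attributes that must not all match another server in the scheme."""
        return (self.host, self.port, self.vpn_instance)


@dataclass
class SchemeServers:
    quiet_minutes: int = 5        # timer quiet default on this page
    response_timeout_s: int = 5   # timer response-timeout default on this page
    primary: Optional[Server] = None
    secondaries: List[Server] = field(default_factory=list)
    blocked_until: Dict[tuple, float] = field(default_factory=dict)

    @staticmethod
    def _check_unique(server: Server, others: List[Server]) -> None:
        for existing in others:
            if existing.identity() == server.identity():
                raise ValueError(f"duplicate server {server.identity()}")

    def set_primary(self, server: Server) -> None:
        self._check_unique(server, self.secondaries)
        self.primary = server

    def add_secondary(self, server: Server) -> None:
        if len(self.secondaries) >= MAX_SECONDARY_SERVERS:
            raise ValueError("a scheme supports at most 16 secondary servers")
        self._check_unique(server, self.configured())
        self.secondaries.append(server)

    def configured(self) -> List[Server]:
        """Primary first, then the secondaries in the order they were configured."""
        return ([self.primary] if self.primary else []) + self.secondaries

    def select(self, now: float) -> Optional[Server]:
        """First server in configured order that is not in its quiet period."""
        for server in self.configured():
            if self.blocked_until.get(server.identity(), 0.0) <= now:
                return server
        return None  # every server is quiet: the request cannot be serviced

    def report_timeout(self, server: Server, now: float) -> None:
        """No reply within response_timeout_s: skip this server for quiet_minutes."""
        self.blocked_until[server.identity()] = now + self.quiet_minutes * 60


if __name__ == "__main__":
    # Constructed sample: one primary, two secondaries, quiet timer 10 minutes.
    scheme = SchemeServers(quiet_minutes=10)
    scheme.set_primary(Server("10.163.155.11"))
    scheme.add_secondary(Server("10.163.155.12", single_connection=True))
    scheme.add_secondary(Server("10.163.155.13"))
    first = scheme.select(now=0)
    scheme.report_timeout(first, now=scheme.response_timeout_s)
    print("after primary timeout:", scheme.select(now=5).host)
    print("after quiet period:", scheme.select(now=5 + 10 * 60).host)
```

Note that a server is only skipped, never removed: once its quiet period ends it is tried again in its configured position, so a flapping primary keeps pulling traffic back from the secondaries every quiet_minutes.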
Examples
# Set the server quiet timer to 10 minutes.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer quiet 10
Related commands
display hwtacacs scheme
timer realtime-accounting (HWTACACS scheme view)
Use timer realtime-accounting to set the real-time accounting interval.
Use undo timer realtime-accounting to restore the default.
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
Default
The real-time accounting interval is 12 minutes.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60. Setting this interval to 0 stops the device from sending online user accounting information to the HWTACACS accounting server.
Usage guidelines
For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. This command is used to set the interval.
A short interval improves accounting precision but consumes more system resources.
Table 8 Recommended real-time accounting intervals
Number of users | Real-time accounting interval
---|---
1 to 99 | 3 minutes
100 to 499 | 6 minutes
500 to 999 | 12 minutes
1000 or more | 15 minutes or longer
Examples
# Set the real-time accounting interval to 51 minutes for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer realtime-accounting 51
Related commands
display hwtacacs scheme
timer response-timeout (HWTACACS scheme view)
Use timer response-timeout to set the HWTACACS server response timeout timer.
Use undo timer response-timeout to restore the default.
Syntax
timer response-timeout seconds
undo timer response-timeout
Default
The HWTACACS server response timeout time is 5 seconds.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
seconds: Specifies the HWTACACS server response timeout time, in the range of 1 to 300 seconds.
Usage guidelines
HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server.
Examples
# Set the HWTACACS server response timeout timer to 30 seconds for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer response-timeout 30
Related commands
display hwtacacs scheme
user-name-format (HWTACACS scheme view)
Use user-name-format to specify the format of the username to be sent to an HWTACACS server.
Use undo user-name-format to restore the default.
Syntax
user-name-format { keep-original | with-domain | without-domain }
undo user-name-format
Default
The ISP domain name is included in the usernames sent to an HWTACACS server.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
keep-original: Sends the username to the HWTACACS server as the username is entered.
with-domain: Includes the ISP domain name in the username sent to the HWTACACS server.
without-domain: Excludes the ISP domain name from the username sent to the HWTACACS server.
Usage guidelines
A username is generally in the userid@isp-name format, of which the isp-name argument is used by the device to determine the ISP domain to which a user belongs. However, some HWTACACS servers cannot recognize a username containing an ISP domain name. Before sending a username including a domain name to such an HWTACACS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username to be sent to an HWTACACS server.
If an HWTACACS scheme defines that the username is sent without the ISP domain name, do not apply the HWTACACS scheme to more than one ISP domain. Otherwise, the HWTACACS server will consider two users in different ISP domains but with the same userid as one user.
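The following Python is an added example, not code from the command reference or the device. It models the three user-name-format modes and shows the collision the guideline above warns about: once the domain is stripped, the server cannot tell the same userid in two ISP domains apart. It assumes that a username entered without @ is placed in a default ISP domain (named system in the sample); that default is an assumption, not something this page states.

```python
"""user-name-format modelling (added example; not the device's own code).
Assumption: a username entered without '@' belongs to a default ISP domain."""
from typing import Dict, List, Set, Tuple


def split_username(entered: str, default_domain: str) -> Tuple[str, str]:
    """Return (userid, isp_domain) for a username in userid@isp-name format."""
    if "@" in entered:
        userid, domain = entered.rsplit("@", 1)
        return userid, domain
    return entered, default_domain  # assumption: default ISP domain applies


def format_for_server(entered: str, mode: str, default_domain: str = "system") -> str:
    """Username the device sends to the HWTACACS server under one user-name-format mode."""
    userid, domain = split_username(entered, default_domain)
    if mode == "keep-original":
        return entered                  # exactly as the user typed it
    if mode == "with-domain":
        return f"{userid}@{domain}"     # domain always present
    if mode == "without-domain":
        return userid                   # domain stripped
    raise ValueError(f"unknown user-name-format mode: {mode}")


def server_side_collisions(usernames: List[str], mode: str,
                           default_domain: str = "system") -> Dict[str, Set[Tuple[str, str]]]:
    """Map each server-visible username to the device-side identities behind it.
    Entries with more than one identity are users the server merges into one."""
    seen: Dict[str, Set[Tuple[str, str]]] = {}
    for entered in usernames:
        sent = format_for_server(entered, mode, default_domain)
        seen.setdefault(sent, set()).add(split_username(entered, default_domain))
    return {sent: ids for sent, ids in seen.items() if len(ids) > 1}


# Constructed sample: the same userid in two ISP domains, plus one user who
# typed no domain at all.
SAMPLE_USERS = ["alice@corp", "alice@guest", "bob"]

if __name__ == "__main__":
    for mode in ("keep-original", "with-domain", "without-domain"):
        sent = [format_for_server(u, mode) for u in SAMPLE_USERS]
        print(f"{mode:15s} sends {sent} collisions={server_side_collisions(SAMPLE_USERS, mode)}")
```

Running it shows that only without-domain produces a collision entry for alice, which is why such a scheme should be bound to a single ISP domain.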
Examples
# Configure the device to remove the ISP domain name from the username sent to the HWTACACS servers specified in HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] user-name-format without-domain
Related commands
display hwtacacs scheme
vpn-instance (HWTACACS scheme view)
Use vpn-instance to specify a VPN for an HWTACACS scheme.
Use undo vpn-instance to remove the configuration.
Syntax
vpn-instance vpn-instance-name
undo vpn-instance
Default
The HWTACACS scheme belongs to the public network.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
vpn-instance-name: Specifies the name of the MPLS L3VPN, a case-sensitive string of 1 to 31 characters.
Usage guidelines
The VPN specified by using this command takes effect on all servers in the HWTACACS scheme for which no VPN is specified.
Examples
# Specify VPN test for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] vpn-instance test
Related commands
display hwtacacs scheme
Password control commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
display password-control
Use display password-control to display password control configuration.
Syntax
display password-control [ super ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
super: Displays the password control information for the super passwords. If you do not specify this keyword, the command displays the global password control configuration.
Examples
# Display the global password control configuration.
<Sysname> display password-control
Global password control configurations:
Password control: Disabled
Password aging: Enabled (90 days)
Password length: Enabled (10 characters)
Password composition: Enabled (1 types, 1 characters per type)
Password history: Enabled (max history records:4)
Early notice on password expiration: 7 days
Maximum login attempts: 3
Action for exceeding login attempts: Lock user for 1 minutes
Minimum interval between two updates: 24 hours
User account idle time: 90 days
Logins with aged password: 3 times in 30 days
Password complexity: Disabled (username checking)
Disabled (repeated characters checking)
# Display the password control configuration for super passwords.
<Sysname> display password-control super
Super password control configurations:
Password aging: Enabled (90 days)
Password length: Enabled (10 characters)
Password composition: Enabled (1 types, 1 characters per type)
Table 9 Command output
Field | Description
---|---
Password control | Whether the password control feature is enabled.
Password aging | Whether password expiration is enabled and, if enabled, the expiration time.
Password length | Whether the minimum password length restriction feature is enabled and, if enabled, the setting.
Password composition | Whether the password composition restriction feature is enabled and, if enabled, the settings.
Password history | Whether the password history feature is enabled and, if enabled, the setting.
Early notice on password expiration | Number of days during which the user is notified of the pending password expiration.
Maximum login attempts | Allowed maximum number of consecutive failed login attempts for FTP and VTY users.
Action for exceeding login attempts | Action to be taken after a user fails to log in after the specified number of attempts.
Minimum interval between two updates | Minimum password update interval.
User account idle time | Maximum time a user account can remain idle before it becomes invalid (set with the password-control login idle-time command).
Logins with aged password | Number of times and maximum number of days a user can log in using an expired password.
Password complexity | Whether the following password complexity checking is enabled: username checking—Checks whether a password contains the username or the reverse of the username. repeated characters checking—Checks whether a password contains any character that appears consecutively three or more times.
display password-control blacklist
Use display password-control blacklist to display password control blacklist information. The users' IP addresses and user accounts are added to the password control blacklist when the users fail authentication.
Syntax
display password-control blacklist [ user-name name | ip ipv4-address ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
user-name name: Specifies a user by its name, a case-sensitive string of 1 to 55 characters.
ip ipv4-address: Specifies the IPv4 address of a user.
Usage guidelines
If you do not specify any arguments, this command displays information about all users in the password control blacklist.
If an FTP or virtual terminal line (VTY) user fails authentication, the system adds the user to a password control blacklist. You can use this command to view information about these users in the blacklist.
Users accessing the system through the console ports are not blacklisted, because the system cannot obtain the IP addresses of these users, and console users are privileged and therefore treated as relatively trusted.
Examples
# Display password control blacklist information.
<Sysname> display password-control blacklist
Username: test
IP: 192.168.44.1 Login failures: 1 Lock flag: unlock
Blacklist items matched: 1.
Table 10 Command output
Field | Description
---|---
Username | Name of the blacklisted user.
IP | IP address of the user.
Login failures | Number of login failures.
Lock flag | Whether the user is prohibited from logging in: unlock—Not prohibited. lock—Prohibited temporarily or permanently, depending on the password-control login-attempt command.
Blacklist items matched | Number of blacklisted users.
password-control { aging | composition | history | length } enable
Use password-control { aging | composition | history | length } enable to enable the password expiration, composition restriction, history, or minimum length restriction feature.
Use undo password-control { aging | composition | history | length } enable to disable a password control feature.
Syntax
password-control { aging | composition | history | length } enable
undo password-control { aging | composition | history | length } enable
Default
The password control features (aging, composition, history, and length) are all enabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
aging: Enables the password expiration feature.
composition: Enables the password composition restriction feature.
history: Enables the password history feature.
length: Enables the minimum password length restriction feature.
Usage guidelines
To enable a specific password control feature, first enable the global password control feature.
The system stops recording history passwords after you execute the undo password-control history enable command, but it does not delete the prior records.
If the global password control feature is enabled but the minimum password length restriction feature is disabled, the following rules apply:
· In non-FIPS mode, a password must contain at least 4 characters and at least 4 characters must be different.
· In FIPS mode, a password must contain at least 15 characters and at least 4 characters must be different.
Examples
# Enable the password control feature globally.
<Sysname> system-view
[Sysname] password-control enable
# Enable the password composition restriction feature.
[Sysname] password-control composition enable
# Enable the password expiration feature.
[Sysname] password-control aging enable
# Enable the minimum password length restriction feature.
[Sysname] password-control length enable
# Enable the password history feature.
[Sysname] password-control history enable
Related commands
· display password-control
· password-control enable
password-control aging
Use password-control aging to set the password expiration time.
Use undo password-control aging to restore the default.
Syntax
password-control aging aging-time
undo password-control aging
Default
A password expires after 90 days. The password expiration time for a user group equals the global setting. The password expiration time for a local user equals that of the user group to which the local user belongs.
Views
System view, user group view, local user view
Predefined user roles
network-admin
mdc-admin
Parameters
aging-time: Specifies the password expiration time in days, in the range of 1 to 365.
Usage guidelines
The expiration time depends on the view:
· The time in system view has global significance and applies to all user groups.
· The time in user group view applies to all local users in the user group.
· The time in local user view applies only to the local user.
A password expiration time with a smaller application scope has higher priority. The system prefers to use the password expiration time in local user view for a local user.
· If no password expiration time is configured for the local user, the system uses the password expiration time for the user group to which the local user belongs.
· If no password expiration time is configured for the user group, the system uses the global password expiration time.
Examples
# Globally set the passwords to expire after 80 days.
<Sysname> system-view
[Sysname] password-control aging 80
# Set the passwords for user group test to expire after 90 days.
[Sysname] user-group test
[Sysname-ugroup-test] password-control aging 90
[Sysname-ugroup-test] quit
# Set the password for device management user abc to expire after 100 days.
[Sysname] local-user abc class manage
[Sysname-luser-manage-abc] password-control aging 100
Related commands
· display local-user
· display password-control
· display user-group
· password-control aging enable
password-control alert-before-expire
Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration.
Use undo password-control alert-before-expire to restore the default.
Syntax
password-control alert-before-expire alert-time
undo password-control alert-before-expire
Default
The default is 7 days.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
alert-time: Specifies the number of days before a user password expires during which the user is notified of the pending password expiration. The value range is 1 to 30.
Usage guidelines
This command is effective only for non-FTP users. FTP users can only have their passwords changed by the administrator.
Examples
# Configure the device to notify a user about pending password expiration 10 days before the user's password expires.
<Sysname> system-view
[Sysname] password-control alert-before-expire 10
Related commands
display password-control
password-control complexity
Use password-control complexity to configure the password complexity checking policy.
Use undo password-control complexity to remove a password complexity checking item.
Syntax
password-control complexity { same-character | user-name } check
undo password-control complexity { same-character | user-name } check
Default
The global password complexity checking policy is that both username checking and repeated character checking are disabled. The password complexity checking policy for a user group equals the global setting. The password complexity checking policy for a local user equals that of the user group to which the local user belongs.
Views
System view, user group view, local user view
Predefined user roles
network-admin
mdc-admin
Parameters
same-character: Refuses a password that contains any character appearing consecutively three or more times. For example, the password aaabc is not complex enough.
user-name: Refuses a password that contains the username or the reverse of the username. For example, if the username is 123, a password such as abc123 or 321df is not complex enough.
Usage guidelines
The password complexity checking policy depends on the view:
· The policy in system view has global significance and applies to all user groups.
· The policy in user group view applies to all local users in the user group.
· The policy in local user view applies only to the local user.
A password complexity checking policy with a smaller application scope has higher priority. The system prefers to use the password complexity checking policy in local user view for a local user.
· If no policy is configured for the local user, the system uses the policy for the user group to which the local user belongs.
· If no policy is configured for the user group, the system uses the global policy.
You can enable both username checking and repeated character checking.
After the password complexity checking is enabled, complexity-incompliant passwords will be refused.
Examples
# Configure the password complexity checking policy, refusing any password that contains the username or the reverse of the username.
<Sysname> system-view
[Sysname] password-control complexity user-name check
Related commands
· display local-user
· display password-control
· display user-group
password-control composition
Use password-control composition to configure the password composition policy.
Use undo password-control composition to restore the default.
Syntax
password-control composition type-number type-number [ type-length type-length ]
undo password-control composition
Default
In non-FIPS mode, the password using the global composition policy must contain at least one character type and at least one character for each type.
In FIPS mode, the password using the global composition policy must contain at least four character types and at least one character for each type.
In both non-FIPS and FIPS modes, the password composition policy for a user group is the same as the global policy. The password composition policy for a local user is the same as that of the user group to which the local user belongs.
Views
System view, user group view, local user view
Predefined user roles
network-admin
mdc-admin
Parameters
type-number type-number: Specifies the minimum number of character types that a password must contain. The value range for the type-number argument is 1 to 4 in non-FIPS mode and fixed at 4 in FIPS mode. The following character types are available:
· Uppercase letters A to Z.
· Lowercase letters a to z.
· Digits 0 to 9.
· Special characters in Table 11.
Table 11 Special characters
Character name | Symbol
---|---
Ampersand sign | &
Apostrophe | '
Asterisk | *
At sign | @
Back quote | `
Back slash | \
Blank space | N/A
Caret | ^
Colon | :
Comma | ,
Dollar sign | $
Dot | .
Equal sign | =
Exclamation point | !
Left angle bracket | <
Left brace | {
Left bracket | [
Left parenthesis | (
Minus sign | -
Percent sign | %
Plus sign | +
Pound sign | #
Quotation marks | "
Right angle bracket | >
Right brace | }
Right bracket | ]
Right parenthesis | )
Semi-colon | ;
Slash | /
Tilde | ~
Underscore | _
Vertical bar | \|
type-length type-length: Specifies the minimum number of characters for each type in the password. The value range for the type-length argument is 1 to 63 in non-FIPS mode, and 1 to 15 in FIPS mode.
Usage guidelines
The password composition policy depends on the view:
· The policy in system view has global significance and applies to all user groups.
· The policy in user group view applies to all local users in the user group.
· The policy in local user view applies only to the local user.
A password composition policy with a smaller application scope has higher priority. The system prefers to use the password composition policy in local user view for a local user.
· If no policy is configured for the local user, the system uses the policy for the user group to which the local user belongs.
· If no policy is configured for the user group, the system uses the global policy.
The product of the minimum number of character types and minimum number of characters for each type must be smaller than the maximum length of passwords.
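The following Python is an added example, not code from the command reference or the device. It implements the checks this page describes for password-control composition (type-number and type-length, with the character types from Table 11), password-control complexity (same-character and user-name), the minimum-length rules that apply when the length restriction is disabled, the type-number times type-length limit above, and the local user over user group over global precedence that aging, complexity and composition all share. Two points are assumptions rather than statements on this page: the maximum password length is taken as 63 (the upper end of the type-length range), and a character type is counted toward type-number only when it contributes at least type-length characters.

```python
"""Password control checks (added example; not the device's own code).
Assumptions: maximum password length 63; a type counts toward type-number
only when it has at least type-length characters; username matching is
case sensitive."""
import string
from dataclasses import dataclass
from typing import Optional

# The special characters listed in Table 11 (blank space included).
SPECIAL_CHARS = set("&'*@`\\ ^:,$.=!<{[(-%+#\">}]);/~_|")
MAX_PASSWORD_LENGTH = 63  # assumption: non-FIPS maximum, matching type-length's 1 to 63 range


@dataclass
class PasswordPolicy:
    type_number: int = 1                # minimum number of character types
    type_length: int = 1                # minimum characters of each counted type
    min_length: Optional[int] = None    # None: length restriction disabled
    check_user_name: bool = False       # password-control complexity user-name check
    check_same_character: bool = False  # password-control complexity same-character check


def resolve(local=None, group=None, global_=None):
    """Scope precedence: the local user setting wins, then the user group, then global."""
    for setting in (local, group, global_):
        if setting is not None:
            return setting
    raise ValueError("no setting configured at any scope")


def composition_policy_is_valid(policy: PasswordPolicy) -> bool:
    """type-number x type-length must be smaller than the maximum password length."""
    return policy.type_number * policy.type_length < MAX_PASSWORD_LENGTH


def count_types(password: str) -> dict:
    """Characters per type; rejects characters outside the four allowed types."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for ch in password:
        if ch in string.ascii_uppercase:
            counts["upper"] += 1
        elif ch in string.ascii_lowercase:
            counts["lower"] += 1
        elif ch in string.digits:
            counts["digit"] += 1
        elif ch in SPECIAL_CHARS:
            counts["special"] += 1
        else:
            raise ValueError(f"character {ch!r} is not an allowed password character")
    return counts


def has_triple_repeat(password: str) -> bool:
    """True if any character appears three or more times in a row (e.g. 'aaabc')."""
    return any(password[i] == password[i + 1] == password[i + 2]
               for i in range(len(password) - 2))


def validate(password: str, username: str, policy: PasswordPolicy) -> list:
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    if policy.min_length is None:
        # Length restriction disabled: at least 4 characters, 4 of them different (non-FIPS).
        if len(password) < 4:
            problems.append("fewer than 4 characters")
        if len(set(password)) < 4:
            problems.append("fewer than 4 different characters")
    elif len(password) < policy.min_length:
        problems.append(f"shorter than the minimum length of {policy.min_length}")

    # Composition: a type counts only if it has at least type_length characters.
    counts = count_types(password)
    qualifying = sum(1 for n in counts.values() if n >= policy.type_length)
    if qualifying < policy.type_number:
        problems.append(f"only {qualifying} of the required {policy.type_number} "
                        f"character types have at least {policy.type_length} characters")

    if policy.check_user_name and (username in password or username[::-1] in password):
        problems.append("contains the username or the reversed username")
    if policy.check_same_character and has_triple_repeat(password):
        problems.append("contains a character repeated three or more times in a row")
    return problems


if __name__ == "__main__":
    # Constructed sample: a strict policy whose type-number comes from a local-user override.
    strict = PasswordPolicy(type_number=resolve(4, None, 1), type_length=2, min_length=10,
                            check_user_name=True, check_same_character=True)
    for pw, user in (("Aa1!Bb2@Cc", "admin"), ("aaabc123", "123")):
        print(pw, "->", validate(pw, user, strict) or "accepted")
```

The second sample password fails four rules at once (length, composition, username and repeated characters), which is the behaviour to expect from the device after password-control enable: every enabled check is applied, not just the first one that fails.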
Examples
# Specify that all passwords must each contain at least four character types and at least five characters for each type.
<Sysname> system-view
[Sysname] password-control composition type-number 4 type-length 5
# Specify that passwords in user group test must contain at least four character types and at least five characters for each type.
[Sysname] user-group test
[Sysname-ugroup-test] password-control composition type-number 4 type-length 5
[Sysname-ugroup-test] quit
# Specify that the password of device management user abc must contain at least four character types and at least five characters for each type.
[Sysname] local-user abc class manage
[Sysname-luser-manage-abc] password-control composition type-number 4 type-length 5
Related commands
· display local-user
· display password-control
· display user-group
· password-control composition enable
password-control enable
Use password-control enable to enable the password control feature globally.
Use undo password-control enable to disable the password control feature globally.
Syntax
password-control enable
undo password-control enable
Default
In non-FIPS mode, the password control feature is disabled globally.
In FIPS mode, the password control feature is enabled globally and cannot be disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
A specific password control feature takes effect only after the global password control feature is enabled.
After the global password control feature is enabled, you cannot display the password and super password configurations for device management users by using the corresponding display commands. The configuration for network access user passwords can be displayed. The first password configured for device management users must contain at least four different characters.
Examples
# Enable the password control feature globally.
<Sysname> system-view
[Sysname] password-control enable
Related commands
· display password-control
· password-control { aging | composition | history | length } enable
password-control expired-user-login
Use password-control expired-user-login to set the maximum number of days and maximum number of times that a user can log in after the password expires.
Use undo password-control expired-user-login to restore the defaults.
Syntax
password-control expired-user-login delay delay times times
undo password-control expired-user-login
Default
A user can log in three times within 30 days after the password expires.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
delay delay: Sets the maximum number of days during which a user can log in using an expired password. The value range for the delay argument is 1 to 90.
times times: Sets the maximum number of times a user can log in after the password expires. The value range is 0 to 10, and 0 means that a user cannot log in after the password expires.
Usage guidelines
This command is effective only on non-FTP login users. An FTP user cannot continue to log in after its password expires.
Examples
# Specify that a user can log in five times within 60 days after the password expires.
<Sysname> system-view
[Sysname] password-control expired-user-login delay 60 times 5
Related commands
display password-control
password-control history
Use password-control history to set the maximum number of history password records for each user.
Use undo password-control history to restore the default.
Syntax
password-control history max-record-num
undo password-control history
Default
The maximum number of history password records for each user is 4.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
max-record-num: Specifies the maximum number of history password records for each user. The value range is 2 to 15.
Usage guidelines
When the number of history password records reaches the set maximum number, the subsequent history record overwrites the earliest one.
The system stops recording passwords after you execute the undo password-control history enable command, but it does not delete the prior records.
To delete the existing records, use one of the following methods:
· Use the undo password-control enable command to disable the password control feature globally.
· Use the reset password-control history-record command to clear the passwords manually.
Examples
# Set the maximum number of history password records for each user to 10.
<Sysname> system-view
[Sysname] password-control history 10
Related commands
· display password-control
· password-control history enable
· reset password-control blacklist
password-control length
Use password-control length to set the minimum password length.
Use undo password-control length to restore the default.
Syntax
password-control length length
undo password-control length
Default
In non-FIPS mode, the global minimum password length is 10 characters.
In FIPS mode, the global minimum password length is 15 characters.
In both non-FIPS and FIPS modes, the minimum password length for a user group equals the global setting. The minimum password length for a local user equals that of the user group to which the local user belongs.
Views
System view, user group view, local user view
Predefined user roles
network-admin
mdc-admin
Parameters
length: Specifies the minimum password length in characters. The value range for this argument is 4 to 32 in non-FIPS mode, and 15 to 32 in FIPS mode.
Usage guidelines
Before you execute this command, make sure the global password control feature and the minimum length feature are enabled. Otherwise, your configuration cannot take effect.
The minimum length setting depends on the view:
· The setting in system view has global significance and applies to all user groups.
· The setting in user group view applies to all local users in the user group.
· The setting in local user view applies only to the local user.
A minimum password length with a smaller application scope has higher priority. The system prefers to use the minimum password length in local user view for a local user.
· If no minimum password length is configured for the local user, the system uses the minimum password length for the user group to which the local user belongs.
· If no minimum password length is configured for the user group, the system uses the global minimum password length.
Examples
# Set the global minimum password length to 16 characters.
<Sysname> system-view
[Sysname] password-control length 16
# Set the minimum password length to 16 characters for user group test.
[Sysname] user-group test
[Sysname-ugroup-test] password-control length 16
[Sysname-ugroup-test] quit
# Set the minimum password length to 16 characters for device management user abc.
[Sysname] local-user abc class manage
[Sysname-luser-manage-abc] password-control length 16
Related commands
· display local-user
· display password-control
· display user-group
· password-control length enable
password-control login idle-time
Use password-control login idle-time to set the maximum account idle time. If a user account is idle for this period of time, you can no longer use this account to log in to the device.
Use undo password-control login idle-time to restore the default.
Syntax
password-control login idle-time idle-time
undo password-control login idle-time
Default
You cannot use a user account to log in to the device if the account has been idle for 90 days.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
idle-time: Specifies the maximum account idle time in days in the range of 0 to 365. 0 means no restriction for account idle time.
Usage guidelines
If a user has not logged in within the specified idle time after the last successful login, the user account becomes invalid.
Examples
# Set the maximum account idle time to 30 days.
<Sysname> system-view
[Sysname] password-control login idle-time 30
Related commands
display password-control
password-control login-attempt
Use password-control login-attempt to configure the login attempt limit. The settings include the maximum number of consecutive login failures and the action to be taken when the maximum number is reached.
Use undo password-control login-attempt to restore the default.
Syntax
password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
undo password-control login-attempt
Default
The global login-attempt settings:
· The maximum number of consecutive login failures is 3.
· The locking period is 1 minute.
The login-attempt settings for a user group equal the global settings.
The login-attempt settings for a local user equal those for the user group to which the local user belongs.
Views
System view, user group view, local user view
Predefined user roles
network-admin
mdc-admin
Parameters
login-times: Specifies the maximum number of consecutive failed login attempts. The value range is 2 to 10.
exceed: Specifies an action to be taken for the user who fails to log in after making the maximum number of attempts.
· lock: Disables the user account permanently.
· lock-time time: Disables the user account for a period of time. The user can use this user account again when the timer expires. The value range for the time argument is 1 to 360 minutes.
· unlock: Allows the user to continue using this account to perform login attempts.
Usage guidelines
The login-attempt policy depends on the view:
· The policy in system view has global significance and applies to all user groups.
· The policy in user group view applies to all local users in the user group.
· The policy in local user view applies only to the local user.
A login-attempt policy with a smaller application scope has higher priority. The system prefers to use the login-attempt policy in local user view for a local user.
· If no policy is configured for the local user, the system uses the policy for the user group to which the local user belongs.
· If no policy is configured for the user group, the system uses the global policy.
If an FTP or VTY user fails to log in, the system adds the user account and the user's IP address to the password control blacklist. When the maximum number of consecutive login failures is reached, the login attempt limit feature is triggered.
Whether a blacklisted user and user account are locked depends on the locking setting:
· If a user account is permanently locked for a user, the user cannot use this account unless this account is removed from the password control blacklist. To remove the user account, use the reset password-control blacklist command.
· To use a temporarily locked user account, the user can perform either of the following tasks:
¡ Wait until the locking timer expires.
¡ Remove the user account from the password control blacklist.
· If the user account and the user are blacklisted but not locked, the user can continue using this account to log in. The account and the user's IP address are removed from the password control blacklist when the user uses the account to successfully log in to the device.
NOTE: This account is locked only for this user. Other users can still use this account, and the blacklisted user can use other user accounts.
The password-control login-attempt command takes effect immediately after being executed, and can affect the users already in the password control blacklist.
Examples
# Allow a maximum of four consecutive login failures on a user account, and disable the user account if the limit is reached.
<Sysname> system-view
[Sysname] password-control login-attempt 4 exceed lock
# Use the user account test to log in to the device, and enter an incorrect password four times.
# Display the password control blacklist. The output shows that the user account is on the blacklist, and its status is lock.
[Sysname] display password-control blacklist
Username: test
IP: 192.168.44.1 Login failures: 4 Lock flag: lock
Blacklist items matched: 1.
# Verify that the user at 192.168.44.1 cannot use this user account to log in.
# Allow a maximum of two consecutive login failures on a user account, and disable the account for 3 minutes if the limit is reached.
<Sysname> system-view
[Sysname] password-control login-attempt 2 exceed lock-time 3
# Use the user account test to log in to the device, and enter an incorrect password twice.
# Display the password control blacklist. The output shows that the user account is on the blacklist and its status is lock.
[Sysname] display password-control blacklist
Username: test
IP: 192.168.44.1 Login failures: 2 Lock flag: lock
Blacklist items matched: 1.
# Verify that after 3 minutes, the user account is removed from the password control blacklist and the user at 192.168.44.1 can use this account.
Related commands
· display local-user
· display password-control
· display password-control blacklist
· display user-group
· reset password-control blacklist
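The blacklist behaviour described in the usage guidelines above (a counter per user account and source IP, the lock, lock-time and unlock actions, removal on a successful login or when the lock timer expires, and reset password-control blacklist) can be modelled as a small state machine. The following is an added example written for this page, not device code; LoginLimiter, its method names and the sample user and IP values are constructed, the clock is passed in as seconds so the lock timer can be exercised without waiting, and the "unlock" lock-flag string in the display output is an assumption (the page only shows the locked case).

```python
"""Login attempt limit and password control blacklist, modelled on
password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
(added example, not device code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class BlacklistEntry:
    failures: int = 0
    locked: bool = False
    unlock_at: Optional[float] = None  # set only for the lock-time action


class LoginLimiter:
    def __init__(self, login_times: int = 3, exceed: str = "lock-time", lock_minutes: int = 1):
        if not 2 <= login_times <= 10:
            raise ValueError("login-times must be 2 to 10")
        if exceed not in ("lock", "lock-time", "unlock"):
            raise ValueError("exceed must be lock, lock-time or unlock")
        if exceed == "lock-time" and not 1 <= lock_minutes <= 360:
            raise ValueError("lock-time must be 1 to 360 minutes")
        self.login_times = login_times
        self.exceed = exceed
        self.lock_seconds = lock_minutes * 60
        # Keyed by (user account, source IP): an account is locked only for that user.
        self.blacklist: Dict[Tuple[str, str], BlacklistEntry] = {}

    def attempt(self, user: str, ip: str, password_ok: bool, now: float) -> str:
        """Process one FTP/VTY login attempt and return the outcome."""
        key = (user, ip)
        entry = self.blacklist.get(key)
        if entry is not None and entry.locked:
            if entry.unlock_at is None:
                return "denied: account permanently locked for this user"
            if now < entry.unlock_at:
                return "denied: account temporarily locked for this user"
            # Lock timer expired: the entry leaves the blacklist and counting restarts.
            del self.blacklist[key]
            entry = None
        if password_ok:
            # A successful login removes the account and IP from the blacklist.
            self.blacklist.pop(key, None)
            return "ok"
        if entry is None:
            entry = self.blacklist[key] = BlacklistEntry()
        entry.failures += 1
        if entry.failures >= self.login_times:
            if self.exceed == "lock":
                entry.locked = True
            elif self.exceed == "lock-time":
                entry.locked = True
                entry.unlock_at = now + self.lock_seconds
            # exceed unlock: the user stays blacklisted but may keep trying.
        return "failed"

    def reset_blacklist(self, user: Optional[str] = None) -> int:
        """Mirrors reset password-control blacklist [ user-name name ]; returns entries removed."""
        keys = [k for k in self.blacklist if user is None or k[0] == user]
        for k in keys:
            del self.blacklist[k]
        return len(keys)

    def display(self) -> List[str]:
        """Lines in the style of display password-control blacklist ("unlock" flag is assumed)."""
        lines = []
        for (user, ip), e in self.blacklist.items():
            lines.append(f"Username: {user}")
            lines.append(f"IP: {ip} Login failures: {e.failures} Lock flag: {'lock' if e.locked else 'unlock'}")
        lines.append(f"Blacklist items matched: {len(self.blacklist)}.")
        return lines
```

Replaying the two examples above: with login-attempt 4 exceed lock, four wrong passwords from 192.168.44.1 lock account test for that address only, and even the correct password is then refused until the entry is reset; with login-attempt 2 exceed lock-time 3, the same account is refused for three minutes and then accepted again, at which point the entry has disappeared from the blacklist.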
password-control super aging
Use password-control super aging to set the expiration time for super passwords.
Use undo password-control super aging to restore the default.
Syntax
password-control super aging aging-time
undo password-control super aging
Default
A super password expires after 90 days.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
aging-time: Specifies the super password expiration time in days in the range of 1 to 365.
Examples
# Set the super passwords to expire after 10 days.
<Sysname> system-view
[Sysname] password-control super aging 10
Related commands
· display password-control
· password-control aging
password-control super composition
Use password-control super composition to configure the composition policy for super passwords.
Use undo password-control super composition to restore the default.
Syntax
password-control super composition type-number type-number [ type-length type-length ]
undo password-control super composition
Default
In non-FIPS mode, a super password must contain at least one character type and at least one character for each type.
In FIPS mode, a super password must contain at least four character types and at least one character for each type.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
type-number type-number: Specifies the minimum number of character types that a super password must contain. The value range for the type-number argument is 1 to 4 in non-FIPS mode and fixed at 4 in FIPS mode.
type-length type-length: Specifies the minimum number of characters for each character type. The value range for the type-length argument is 1 to 63 in non-FIPS mode, and 1 to 15 in FIPS mode.
Usage guidelines
The product of the minimum number of character types and minimum number of characters for each type must be smaller than the maximum length of the super password.
Examples
# Specify that a super password must contain at least four character types and at least five characters for each type.
<Sysname> system-view
[Sysname] password-control super composition type-number 4 type-length 5
Related commands
· display password-control
· password-control composition
password-control super length
Use password-control super length to set the minimum length for super passwords.
Use undo password-control super length to restore the default.
Syntax
password-control super length length
undo password-control super length
Default
In non-FIPS mode, the minimum super password length is 10 characters.
In FIPS mode, the minimum super password length is 15 characters.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
length: Specifies the minimum length of super passwords in characters. The value range for this argument is 4 to 63 in non-FIPS mode, and 15 to 63 in FIPS mode.
Examples
# Set the minimum length of super passwords to 16 characters.
<Sysname> system-view
[Sysname] password-control super length 16
Related commands
· display password-control
· password-control length
password-control update-interval
Use password-control update-interval to set the minimum password update interval, which is the minimum interval at which users can change their passwords.
Use undo password-control update-interval to restore the default.
Syntax
password-control update-interval interval
undo password-control update-interval
Default
The minimum password update interval is 24 hours.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
interval: Specifies the minimum password update interval in hours in the range of 0 to 168. 0 means no requirements for password update interval.
Usage guidelines
The set minimum interval is not effective on a user who is prompted to change the password at the first login or after the password expires.
Examples
# Set the minimum password update interval to 36 hours.
<Sysname> system-view
[Sysname] password-control update-interval 36
Related commands
display password-control
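The three time-based rules on this page, password-control expired-user-login (a limited number of logins within a limited number of days after expiry, never for FTP users), password-control login idle-time (an account unused for longer than the idle time becomes invalid) and password-control update-interval (not enforced at first login or after expiry), interact on one account record. The following is an added example written for this page, not device code; AgingPolicy, Account, login and change_allowed are constructed names, and the password lifetime is passed in as a value because the aging command itself is not part of this section.

```python
"""Account login and password change checks modelled on
password-control expired-user-login, password-control login idle-time,
and password-control update-interval (added example, not device code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class AgingPolicy:
    expired_login_delay_days: int = 30   # expired-user-login delay (default 30)
    expired_login_times: int = 3         # expired-user-login times (default 3; 0 = no login)
    idle_time_days: int = 90             # login idle-time (default 90; 0 = no restriction)
    update_interval_hours: int = 24      # update-interval (default 24; 0 = no restriction)


@dataclass
class Account:
    name: str
    password_changed_at: datetime
    password_lifetime: timedelta          # assumed aging period for this account
    last_login: Optional[datetime] = None
    expired_logins_used: int = 0
    must_change_at_login: bool = False    # password set by an administrator, change at first login
    is_ftp: bool = False


def login(acct: Account, pol: AgingPolicy, now: datetime) -> str:
    """Decide one login, update the account state, and return the outcome."""
    if pol.idle_time_days and acct.last_login is not None:
        if now - acct.last_login > timedelta(days=pol.idle_time_days):
            return "denied: account idle longer than the idle time"
    expires_at = acct.password_changed_at + acct.password_lifetime
    if now >= expires_at:
        if acct.is_ftp:
            return "denied: FTP user with an expired password"
        if now > expires_at + timedelta(days=pol.expired_login_delay_days):
            return "denied: expired-password login period is over"
        if acct.expired_logins_used >= pol.expired_login_times:
            return "denied: expired-password login count exhausted"
        acct.expired_logins_used += 1
        acct.last_login = now
        return "ok: password expired, change it now"
    acct.last_login = now
    return "ok"


def change_allowed(acct: Account, pol: AgingPolicy, now: datetime) -> bool:
    """Minimum update interval; not enforced at first login or after expiry."""
    expires_at = acct.password_changed_at + acct.password_lifetime
    if acct.must_change_at_login or now >= expires_at or pol.update_interval_hours == 0:
        return True
    return now - acct.password_changed_at >= timedelta(hours=pol.update_interval_hours)


def change_password(acct: Account, now: datetime) -> None:
    """Record a change: restarts the aging clock and clears the expiry and first-login state."""
    acct.password_changed_at = now
    acct.expired_logins_used = 0
    acct.must_change_at_login = False
```

With the values from the examples above (delay 60 times 5, idle-time 30, update-interval 36) a user whose password expired is let in five more times inside the 60-day window, an account untouched for more than 30 days is refused before the password is even looked at, and a routine password change is refused until 36 hours have passed since the last one.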
reset password-control blacklist
Use reset password-control blacklist to remove blacklisted users.
Syntax
reset password-control blacklist [ user-name name ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
user-name name: Specifies the username of a user account to be removed from the password control blacklist. The name argument is a case-sensitive string of 1 to 55 characters.
Usage guidelines
You can use this command to remove a user account that is blacklisted due to excessive login failures. Then the blacklisted user can use this user account to log in.
Examples
# Remove the user account named test from the password control blacklist.
<Sysname> reset password-control blacklist user-name test
Are you sure to delete the specified user in blacklist? [Y/N]:
Related commands
display password-control blacklist
reset password-control history-record
Use reset password-control history-record to delete history password records.
Syntax
reset password-control history-record [ super [ role role name ] | user-name name ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
super: Deletes the history records of a specified super password or all super passwords.
role role name: Specifies a user role name, a string of 1 to 63 characters.
user-name name: Specifies the username of the user whose password records are to be deleted. The name argument is a case-sensitive string of 1 to 55 characters.
Usage guidelines
If you do not specify any arguments or keywords, this command deletes the history password records of all local users.
If you do not specify the role role name option, this command deletes the history records of all super passwords.
Examples
# Clear the history password records of all local users (enter Y to confirm).
<Sysname> reset password-control history-record
Are you sure to delete all local user's history records? [Y/N]:y
Related commands
password-control history
Public key management commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
display public-key local public
Use display public-key local public to display local public keys.
Syntax
display public-key local { dsa | ecdsa | rsa } public [ name key-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
dsa: Specifies the DSA key pair type.
ecdsa: Specifies the ECDSA key pair type.
rsa: Specifies the RSA key pair type.
name key-name: Specifies the name of a local asymmetric key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is specified, the command displays the public keys of all local asymmetric key pairs of the specified type.
Usage guidelines
You can copy and distribute the public key of a local asymmetric key pair to peer devices.
Examples
# Display all local RSA public keys.
<Sysname> display public-key local rsa public
=============================================
Key name: hostkey (default)
Key type: RSA
Time when key pair created: 15:40:48 2013/05/12
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100DAA4AAFEFE04C2C9
667269BB8226E26331E30F41A8FF922C7338208097E84332610632B49F75DABF6D871B80CE
C1BA2B75020077C74745C933E2F390DC0B39D35B88283D700A163BB309B19F8F87216A44AB
FBF6A3D64DEB33E5CEBF2BCF26296778A26A84F4F4C5DBF8B656ACFA62CD96863474899BC1
2DA4C04EF5AE0835090203010001
=============================================
Key name: serverkey (default)
Key type: RSA
Time when key pair created: 15:40:48 2013/05/12
Key code:
307C300D06092A864886F70D0101010500036B003068026100CAB4CACCA16442AD5F453442
762F03897E0D494FEDE69224F5C051A441D290976733A278C9F0C0F5A198E66143EAB54A64
DB608269CAE844B1E7CC64AD7E808972E7CF887F3B657F056E7930FC84FBF1AD83A01CC47E
9D85C13413996ECD093B0203010001
=============================================
Key name: rsa1
Key type: RSA
Time when key pair created: 15:42:26 2013/05/12
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100DEBC46F217DDF11D
426E7095AA45CD6BF1F87343D952569AC223A01365E0D8C91D49D347C143C5D8FAADA896AA
1A827E580F2502F1926F52197230E1DE391A64015C43DD79DC4E9E171BAEA1DEB4C71DAED7
9A6EDFD460D8945D27D39B7C9822D56AEA5B7C2CCFF1B6BC524AD498C3B87D4BD6EB36AF03
92D8C6D940890BF4290203010001
# Display all local DSA public keys.
<Sysname> display public-key local dsa public
=============================================
Key name: dsakey (default)
Key type: DSA
Time when key pair created: 15:41:37 2013/05/12
Key code:
308201B73082012C06072A8648CE3804013082013F02818100D757262C4584C44C211F18BD
96E5F061C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1E
DBD13EC8B274DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941D
DD77FE6B12893DA76EEBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B36895038
7811C7DA33021500C773218C737EC8EE993B4F2DED30F48EDACE915F0281810082269009E1
4EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD
35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B6123
91C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1
585DA7F42519718CC9B09EEF0381840002818041912CE34D12BCD2157E7AB1C2F03B3EF395
100F3DB4A9E2FDFE860C1BD663D676438F7DA40A9406D61CA9079AF13E330489F1C76785DE
52DA649AC8BC04B6D39CD7C52CD0A14F75F7491A91D31D6AC22340B5981B27A915CDEC4F09
887E541EC1E5302D500F68E7AC29A084463C60F9EE266985A502FC92193E1CF4D265C4BA
=============================================
Key name: dsa1
Key type: DSA
Time when key pair created: 15:35:42 2013/05/12
Key code:
308201B83082012C06072A8648CE3804013082013F02818100D757262C4584C44C211F18BD
96E5F061C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1E
DBD13EC8B274DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941D
DD77FE6B12893DA76EEBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B36895038
7811C7DA33021500C773218C737EC8EE993B4F2DED30F48EDACE915F0281810082269009E1
4EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD
35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B6123
91C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1
585DA7F42519718CC9B09EEF0381850002818100A1E456C8DA2AD1BB83B1BDF2A1A6B5A6E8
3642B460402445DA7E4036715F468F76655E114D460B7112F57143EE020AEF4A5BFAD07B74
0FBCB1C64DA8A2BCE619283421445EEC77D3CF0D11866E9656AD6511F4926F8376967B0AB7
15F9FB7B514BC1174155DD6E073B1FCB3A2749E6C5FEA81003E16729497D0EAD9105E3E76A
# Display all local ECDSA public keys.
<Sysname> display public-key local ecdsa public
=============================================
Key name: ecdsakey (default)
Key type: ECDSA
Time when key pair created: 15:42:04 2013/05/12
Key code:
3049301306072A8648CE3D020106082A8648CE3D03010103320004C10CF7CE42193F7FC2AF
68F5DC877835A43009DB6135558A7FB8316C361B0690B4FD84A14C0779C76DD6145BF9362B
1D
=============================================
Key name: ecdsa1
Key type: ECDSA
Time when key pair created: 15:43:33 2013/05/12
Key code:
3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1
AE672C7CFA5135D5F5B02377F2F092F182EC83B5819795BC94CCBD3EBA7D4F0F2B2EB20C58
4D
# Display the public key of the local RSA key pair rsa1.
<Sysname> display public-key local rsa public name rsa1
=============================================
Key name: rsa1
Key type: RSA
Time when key pair created: 15:42:26 2013/05/12
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100DEBC46F217DDF11D
426E7095AA45CD6BF1F87343D952569AC223A01365E0D8C91D49D347C143C5D8FAADA896AA
1A827E580F2502F1926F52197230E1DE391A64015C43DD79DC4E9E171BAEA1DEB4C71DAED7
9A6EDFD460D8945D27D39B7C9822D56AEA5B7C2CCFF1B6BC524AD498C3B87D4BD6EB36AF03
92D8C6D940890BF4290203010001
# Display the public key of the local DSA key pair dsa1.
<Sysname> display public-key local dsa public name dsa1
=============================================
Key name: dsa1
Key type: DSA
Time when key pair created: 15:35:42 2013/05/12
Key code:
308201B83082012C06072A8648CE3804013082013F02818100D757262C4584C44C211F18BD
96E5F061C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1E
DBD13EC8B274DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941D
DD77FE6B12893DA76EEBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B36895038
7811C7DA33021500C773218C737EC8EE993B4F2DED30F48EDACE915F0281810082269009E1
4EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD
35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B6123
91C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1
585DA7F42519718CC9B09EEF0381850002818100A1E456C8DA2AD1BB83B1BDF2A1A6B5A6E8
3642B460402445DA7E4036715F468F76655E114D460B7112F57143EE020AEF4A5BFAD07B74
0FBCB1C64DA8A2BCE619283421445EEC77D3CF0D11866E9656AD6511F4926F8376967B0AB7
15F9FB7B514BC1174155DD6E073B1FCB3A2749E6C5FEA81003E16729497D0EAD9105E3E76A
# Display the public key of the local ECDSA key pair ecdsa1.
<Sysname> display public-key local ecdsa public name ecdsa1
=============================================
Key name: ecdsa1
Key type: ECDSA
Time when key pair created: 15:43:33 2013/05/12
Key code:
3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1
AE672C7CFA5135D5F5B02377F2F092F182EC83B5819795BC94CCBD3EBA7D4F0F2B2EB20C58
4D
Table 12 Command output
Field | Description |
---|---|
Key name | Name of the local key pair. If you did not specify a name when creating the key pair, the word default in brackets follows the key pair name. The default key pair names are hostkey (default RSA host key pair), serverkey (default RSA server key pair), dsakey (default DSA host key pair), and ecdsakey (default ECDSA host key pair). |
Key type | Options include RSA, DSA, and ECDSA. |
Time when key pair created | Date and time when the local key pair was created. |
Key code | Public key string. |
Related commands
public-key local create
display public-key peer
Use display public-key peer to display information about peer public keys.
Syntax
display public-key peer [ brief | name publickey-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
brief: Displays brief information about all peer public keys. The brief information includes only the key type, key modulus, and key name.
name publickey-name: Displays detailed information about a peer public key, including its key code. The publickey-name argument specifies the peer public key name, a case-sensitive string of 1 to 64 characters.
Usage guidelines
If none of the parameters is specified, the command displays detailed information about all peer public keys you have configured on the local device.
You can use the public-key peer command or the public-key peer import sshkey command to configure a peer public key on the local device.
Examples
# Display detailed information about the peer host public key idrsa.
<Sysname> display public-key peer name idrsa
=============================================
Key name: idrsa
Key type: RSA
Key modulus: 1024
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100C5971581A78B5388
B3C9063EC6B53D395A6704D9752B6F9B7B1F734EEB5DD509F0B050662C46FFB8D27F797E37
918F6270C5793F1FC63638970A0E4D51A3CEF7CFF6E92BFAFD73F530E0BDE27056E81F2525
6D0883836FD8E68031B2C272FE2EA75C87734A7B8F85B8EBEB3BD51CC26916AF3B3FDC32C3
42C142D41BB4884FEB0203010001
Table 13 Command output
Field | Description |
---|---|
Key name | Name of the peer public key. |
Key type | Key type: RSA, DSA or ECDSA. |
Key modulus | Key modulus length in bits. |
Key code | Public key string. |
# Display brief information about all peer public keys.
<Sysname> display public-key peer brief
Type Modulus Name
---------------------------
RSA 1024 idrsa
DSA 1024 10.1.1.1
Table 14 Command output
Field | Description |
---|---|
Type | Key type: RSA, DSA or ECDSA. |
Modulus | Key modulus length in bits. |
Name | Name of the peer public key. |
Related commands
· public-key peer
· public-key peer import sshkey
peer-public-key end
Use peer-public-key end to exit public key view to system view and save the configured peer public key.
Syntax
peer-public-key end
Views
Public key view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
After you type the peer public key on the local device, use this command to exit public key view and to save the public key.
The system verifies the public key before saving it. If the key is not in the correct format, the system discards the key and displays an error message. If the key is valid, for example, the key displayed by the display public-key local public command, the system saves the key.
Examples
# Exit public key view and save the configured public key.
<Sysname> system-view
[Sysname] public-key peer key1
Public key view: return to System View with "peer-public-key end".
[Sysname-pkey-public-key-key1]30819F300D06092A864886F70D010101050003818D0030818902818100C0EC8014F82515F6335A0A
[Sysname-pkey-public-key-key1]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E719D1643135877E13B1C531B4
[Sysname-pkey-public-key-key1]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6B80EB5F52698FCF3D6
[Sysname-pkey-public-key-key1]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1DDE675AC30CB020301
[Sysname-pkey-public-key-key1]0001
[Sysname-pkey-public-key-key1] peer-public-key end
[Sysname]
Related commands
· display public-key local public
· display public-key peer
· public-key peer
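The Key code field shown by display public-key local public and display public-key peer, and the text pasted into public key view before peer-public-key end, is a DER-encoded SubjectPublicKeyInfo in hex. Decoding it is how an operator confirms, independently of the device, what the key type and modulus length really are (the Key modulus: 1024 line for idrsa above), and it models the format check peer-public-key end performs before saving. The following is an added example written for this page, not device code; parse_key_code and key_code_valid are constructed names, the two sample key codes are copied from the rsa1 and ecdsa1 output above, and since the device's own validation rules are not documented here, key_code_valid only checks for a well-formed DER structure of a supported key type.

```python
"""Decode the key code hex shown by display public-key local public / display public-key peer
and validate a pasted peer key (added example, not device code)."""
from typing import Dict, Tuple

OID_RSA = "1.2.840.113549.1.1.1"
OID_DSA = "1.2.840.10040.4.1"
OID_EC = "1.2.840.10045.2.1"


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the data")
    return tag, buf[pos:pos + length], pos + length


def _oid(body: bytes) -> str:
    """Decode an OBJECT IDENTIFIER body into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_key_code(hex_text: str) -> Dict[str, object]:
    """Return key type and modulus/curve size from a SubjectPublicKeyInfo key code."""
    der = bytes.fromhex("".join(hex_text.split()))
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)
    bit_tag, bits, _ = _tlv(spki, pos)
    if tag != 0x30 or bit_tag != 0x03:
        raise ValueError("expected AlgorithmIdentifier and BIT STRING")
    oid_tag, oid_body, ppos = _tlv(alg, 0)
    if oid_tag != 0x06:
        raise ValueError("expected algorithm OID")
    oid = _oid(oid_body)
    key = bits[1:]                          # skip the unused-bits byte of the BIT STRING
    if oid == OID_RSA:                      # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
        _, rsa, _ = _tlv(key, 0)
        _, n_body, npos = _tlv(rsa, 0)
        _, e_body, _ = _tlv(rsa, npos)
        n = int.from_bytes(n_body, "big")
        return {"type": "RSA", "bits": n.bit_length(), "exponent": int.from_bytes(e_body, "big")}
    if oid == OID_DSA:                      # params SEQUENCE { p, q, g }; the size is that of p
        _, params, _ = _tlv(alg, ppos)
        _, p_body, _ = _tlv(params, 0)
        return {"type": "DSA", "bits": int.from_bytes(p_body, "big").bit_length()}
    if oid == OID_EC:                       # params = named-curve OID; point is 04 || x || y
        _, curve_body, _ = _tlv(alg, ppos)
        if key[0] != 0x04:
            raise ValueError("only uncompressed EC points are handled")
        return {"type": "ECDSA", "bits": (len(key) - 1) // 2 * 8, "curve": _oid(curve_body)}
    raise ValueError(f"unsupported algorithm OID {oid}")


def key_code_valid(hex_text: str) -> bool:
    """True when the key code parses as a supported public key (what peer-public-key end checks)."""
    try:
        parse_key_code(hex_text)
        return True
    except (ValueError, IndexError):
        return False


# Key codes copied from the display output of rsa1 and ecdsa1 above.
RSA1_KEY_CODE = """
30819F300D06092A864886F70D010101050003818D0030818902818100DEBC46F217DDF11D
426E7095AA45CD6BF1F87343D952569AC223A01365E0D8C91D49D347C143C5D8FAADA896AA
1A827E580F2502F1926F52197230E1DE391A64015C43DD79DC4E9E171BAEA1DEB4C71DAED7
9A6EDFD460D8945D27D39B7C9822D56AEA5B7C2CCFF1B6BC524AD498C3B87D4BD6EB36AF03
92D8C6D940890BF4290203010001
"""
ECDSA1_KEY_CODE = """
3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1
AE672C7CFA5135D5F5B02377F2F092F182EC83B5819795BC94CCBD3EBA7D4F0F2B2EB20C58
4D
"""

if __name__ == "__main__":
    print(parse_key_code(RSA1_KEY_CODE))    # {'type': 'RSA', 'bits': 1024, 'exponent': 65537}
    print(parse_key_code(ECDSA1_KEY_CODE))  # {'type': 'ECDSA', 'bits': 192, 'curve': '1.2.840.10045.3.1.1'}
```

The rsa1 key decodes as a 1024-bit RSA modulus with public exponent 65537, and ecdsa1 as a point on the curve with OID 1.2.840.10045.3.1.1 (the 192-bit prime curve), matching the 192 bits listed for ECDSA in Table 16; a truncated or non-hex paste is rejected rather than saved.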
public-key local create
Use public-key local create to create local asymmetric key pairs.
Syntax
public-key local create { dsa | ecdsa | rsa } [ name key-name ]
Default
No local asymmetric key pair exists.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
dsa: Creates a DSA key pair.
ecdsa: Creates an ECDSA key pair.
rsa: Creates an RSA key pair.
name key-name: Assigns a name to the key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is assigned, the public key pair takes the default name.
Table 15 Default local key pair names
Type | Default name |
---|---|
RSA | Host key pair: hostkey; server key pair: serverkey |
DSA | dsakey |
ECDSA | ecdsakey |
Usage guidelines
The key algorithm must be the same as required by the security application.
The key modulus length must be appropriate (see Table 16). The longer the key modulus length, the higher the security, and the longer the key generation time.
If you do not assign the key pair a name, the system assigns the default name to the key pair and marks the key pair as default. You can also assign the default name to another key pair, but the system does not mark the key pair as default.
The name of a key pair must be unique among all manually named key pairs that use the same key algorithm, but can be the same as a key pair that uses a different key algorithm. If a name conflict occurs, the system asks whether you want to overwrite the existing key pair.
The key pairs are automatically saved and can survive system reboots.
Table 16 A comparison of different types of asymmetric key algorithms
Type | Generated key pairs | Modulus length |
---|---|---|
RSA | In non-FIPS mode: one host key pair if you specify a key pair name; one server key pair and one host key pair if you do not specify a key pair name. In FIPS mode: one host key pair. NOTE: Only SSH 1.5 uses the RSA server key pair. | In non-FIPS mode: 512 to 2048 bits, 1024 bits by default. In FIPS mode: 2048 bits. |
DSA | One host key pair. | In non-FIPS mode: 512 to 2048 bits, 1024 bits by default. In FIPS mode: 2048 bits. |
ECDSA | One host key pair. | 192 bits. |
Examples
# Create local RSA key pairs with default names.
<Sysname> system-view
[Sysname] public-key local create rsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
...++++++
.++++++
..++++++++
....++++++++
Create the key pair successfully.
# Create a local DSA key pair with the default name.
<Sysname> system-view
[Sysname] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+..+................
.......+..........+..............+.............+...+.....+...............+..+...
...+.................+..........+...+....+.......+.....+............+.........+.
........................+........+..........+..............+.....+...+..........
..............+.........+..........+...........+........+....+..................
.....+++++++++++++++++++++++++++++++++++++++++++++++++++*
Create the key pair successfully.
# Create a local ECDSA key pair with the default name.
<Sysname> system-view
[Sysname] public-key local create ecdsa
Generating Keys...
Create the key pair successfully.
# Create a local RSA key pair with the name rsa1.
<Sysname> system-view
[Sysname] public-key local create rsa name rsa1
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
...++++++
...............................++++++
Create the key pair successfully.
# Create a local DSA key pair with the name dsa1.
<Sysname> system-view
[Sysname] public-key local create dsa name dsa1
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+..+................
.......+..........+..............+.............+...+.....+...............+..+...
...+.................+..........+...+....+.......+.....+............+.........+.
........................+........+..........+..............+.....+...+..........
..............+.........+..........+...........+........+....+..................
.....+++++++++++++++++++++++++++++++++++++++++++++++++++*
Create the key pair successfully.
# Create a local ECDSA key pair with the name ecdsa1.
<Sysname> system-view
[Sysname] public-key local create ecdsa name ecdsa1
Generating Keys...
Create the key pair successfully.
# In FIPS mode, create a local RSA key pair with the default name.
<Sysname> system-view
[Sysname] public-key local create rsa
The range of public key modulus is (2048 ~ 2048).
It will take a few minutes. Press CTRL+C to abort.
Input the modulus length [default = 2024]:
Generating Keys...
...++++++
.++++++
..++++++++
....++++++++
Create the key pair successfully.
# In FIPS mode, create a local DSA key pair with the default name.
<Sysname> system-view
[Sysname] public-key local create dsa
The range of public key modulus is (2048 ~ 2048).
It will take a few minutes. Press CTRL+C to abort.
Input the modulus length [default = 2024]:
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+..+................
.......+..........+..............+.............+...+.....+...............+..+...
...+.................+..........+...+....+.......+.....+............+.........+.
........................+........+..........+..............+.....+...+..........
..............+.........+..........+...........+........+....+..................
.....+++++++++++++++++++++++++++++++++++++++++++++++++++*
Create the key pair successfully.
Related commands
· display public-key local public
· public-key local destroy
public-key local destroy
Use public-key local destroy to destroy local key pairs.
Syntax
public-key local destroy { dsa | ecdsa | rsa } [ name key-name ]
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
dsa: Specifies the DSA type.
ecdsa: Specifies the ECDSA type.
rsa: Specifies the RSA type.
name key-name: Specifies the name of a local key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is specified, the command destroys the specified type of local key pairs that take the default names.
Usage guidelines
To avoid key compromise, destroy the local key pair and generate a new pair after any of the following conditions occurs:
· An intrusion event has occurred.
· The storage media of the device is replaced.
· The local certificate has expired. For more information about local certificates, see Security Configuration Guide.
Examples
# Destroy the local RSA key pairs with the default names.
<Sysname> system-view
[Sysname] public-key local destroy rsa
Confirm to destroy the key pair? [Y/N]:y
# Destroy the local DSA key pair with the default name.
<Sysname> system-view
[Sysname] public-key local destroy dsa
Confirm to destroy the key pair? [Y/N] :y
# Destroy the local ECDSA key pair with the default name.
<Sysname> system-view
[Sysname] public-key local destroy ecdsa
Confirm to destroy the key pair? [Y/N]:y
# Destroy the local RSA key pair rsa1.
<Sysname> system-view
[Sysname] public-key local destroy rsa name rsa1
Confirm to destroy the key pair? [Y/N]:y
# Destroy the local DSA key pair dsa1.
<Sysname> system-view
[Sysname] public-key local destroy dsa name dsa1
Confirm to destroy the key pair? [Y/N] :y
# Destroy the local ECDSA key pair ecdsa1.
<Sysname> system-view
[Sysname] public-key local destroy ecdsa name ecdsa1
Confirm to destroy the key pair? [Y/N]:y
Related commands
public-key local create
public-key local export dsa
Use public-key local export dsa to display local DSA host public keys in a specific format, or export the key in a specific format to a file.
Syntax
public-key local export dsa [ name key-name ] { openssh | ssh2 } [ filename ]
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
name key-name: Specifies the name of a local DSA key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is provided, the command displays or exports the host public key of the local DSA key pair with the default name.
openssh: Uses the format of OpenSSH.
ssh2: Uses the format of SSH2.0.
filename: Specifies the name of the file for saving the local host public key. The file name is a string of case-insensitive characters excluding ./ and ../. The name cannot be dots (.), hostkey, serverkey, dsakey, or ecdsakey, and cannot start with a slash (/). For more information about file names, see Fundamentals Configuration Guide.
Usage guidelines
Whether the command exports or displays the local DSA host public key depends on the presence of the filename argument.
You can use the command to display or export the local DSA host public key before distributing it to a peer device.
1. Save the local host public key to a file with one of the following methods:
◦ Use the public-key local export dsa [ name key-name ] { openssh | ssh2 } command to display the local host public key in the specified format, then copy and paste it to a file.
◦ Use the public-key local export dsa [ name key-name ] { openssh | ssh2 } filename command to export the host public key to the file. You cannot export the host public key to the folder pkey or its subfolders.
2. Transfer a copy of the file to the peer device, for example, by using FTP or TFTP in binary mode.
3. On the peer device, use the public-key peer import sshkey command to import the host public key from the file.
SSH2.0 and OpenSSH are different public key formats. Choose the proper format that is supported on the device where you import the host public key.
Examples
# Export the host public key of the local DSA key pair with the default name in OpenSSH format to a file named key.pub.
<Sysname> system-view
[Sysname] public-key local export dsa openssh key.pub
# Display the host public key of the local DSA key pair with the default name in SSH2.0 format.
<Sysname> system-view
[Sysname] public-key local export dsa ssh2
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "dsa-key-2013/05/12"
[base64 key data omitted]
---- END SSH2 PUBLIC KEY ----
# Display the host public key of the local DSA key pair with the default name in OpenSSH format.
<Sysname> system-view
[Sysname] public-key local export dsa openssh
ssh-dss [base64 key data omitted] dsa-key
# Export the host public key of the local DSA key pair dsa1 in OpenSSH format to the file dsa1.pub.
<Sysname> system-view
[Sysname] public-key local export dsa name dsa1 openssh dsa1.pub
# Display the host public key of the local DSA key pair dsa1 in SSH2.0 format.
<Sysname> system-view
[Sysname] public-key local export dsa name dsa1 ssh2
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "dsa-key-2013/05/12"
[base64 key data omitted]
---- END SSH2 PUBLIC KEY ----
# Display the host public key of the local DSA key pair dsa1 in OpenSSH format.
<Sysname> system-view
[Sysname] public-key local export dsa name dsa1 openssh
ssh-dss [base64 key data omitted] dsa-key
Related commands
· public-key local create
· public-key peer import sshkey
public-key local export rsa
Use public-key local export rsa to display the local RSA host public key in a specific format, or export the key to a specific file.
Syntax
In non-FIPS mode:
public-key local export rsa [ name key-name ] { openssh | ssh1 | ssh2 } [ filename ]
In FIPS mode:
public-key local export rsa [ name key-name ] { openssh | ssh2 } [ filename ]
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
name key-name: Specifies the name of a local RSA key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is provided, the command displays or exports the host public key of the local RSA key pair with the default name.
openssh: Uses the format of OpenSSH.
ssh1: Uses the format of SSH1.5.
ssh2: Uses the format of SSH2.0.
filename: Specifies the name of the file for saving the local host public key. The file name is a string of case-insensitive characters excluding ./ and ../. The name cannot be dots (.), hostkey, serverkey, dsakey, or ecdsakey, and cannot start with a slash (/). For more information about file names, see Fundamentals Configuration Guide.
Usage guidelines
Whether the command exports or displays the host public key depends on the presence of the filename argument.
You can use the command to display or export the local RSA host public key before distributing it to a peer device.
1. Save the local host public key to a file with one of the following methods:
◦ Use the public-key local export rsa [ name key-name ] { openssh | ssh2 } command to display the host public key in the specified format, then copy and paste it to a file.
◦ Use the public-key local export rsa [ name key-name ] { openssh | ssh2 } filename command to export the host public key to the file. You cannot export the host public key to the folder pkey or its subfolders.
2. Transfer a copy of the file to the peer device, for example, by using FTP or TFTP in binary mode.
3. On the peer device, use the public-key peer import sshkey command to import the host public key from the file.
SSH1.5, SSH2.0 and OpenSSH are different public key formats. Choose the proper format that is supported on the device where you import the host public key. In FIPS mode, the device only supports SSH2.0 and OpenSSH.
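Both export formats described here and in the public-key local export dsa section are plain text, so a host public key can be checked before it is distributed or imported on the peer. The following Python script is an added example, not H3C code: it parses the OpenSSH one-line form and the SSH2.0 block form (assumed here to be RFC 4716, which is what the BEGIN/END markers in the command output indicate), converts between the two, decodes the key blob to report the key type and modulus size, and computes an OpenSSH-style SHA256 fingerprint that can be compared out of band with the peer before public-key peer import sshkey is run. The sample key is the RSA blob printed by the export examples below (a 1024-bit key, the non-FIPS default); all other values are constructed.

```python
"""Inspect and convert SSH host public keys between the OpenSSH one-line format
and the SSH2.0 block format (assumed to be RFC 4716). Added example, not H3C code."""
import base64
import hashlib
import struct

# RSA key blob copied from the "public-key local export rsa ssh2" output on this page.
PAGE_RSA_BLOB = (
    "AAAAB3NzaC1yc2EAAAADAQABAAAAgQDapKr+/gTCyWZyabuCJuJjMeMPQaj/kixz"
    "OCCAl+hDMmEGMrSfddq/bYcbgM7Buit1AgB3x0dFyTPi85DcCznTW4goPXAKFjuz"
    "CbGfj4chakSr+/aj1k3rM+XOvyvPJilneKJqhPT0xdv4tlas+mLNloY0dImbwS2k"
    "wE71rgg1CQ=="
)
BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def _read_string(buf, pos):
    """Read one length-prefixed SSH string (RFC 4251 section 5)."""
    if pos + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def decode_blob(blob_b64):
    """Return (key_type, fields): the type string and the raw strings that follow it."""
    raw = base64.b64decode(blob_b64, validate=True)
    key_type, pos = _read_string(raw, 0)
    fields = []
    while pos < len(raw):
        field, pos = _read_string(raw, pos)
        fields.append(field)
    if pos != len(raw):
        raise ValueError("key blob length does not match its fields")
    return key_type.decode("ascii"), fields

def key_bits(key_type, fields):
    """Modulus size for RSA, prime size for DSA, curve size for ECDSA (RFC 4253/5656)."""
    if key_type == "ssh-rsa":
        _e, n = fields
        return int.from_bytes(n, "big").bit_length()
    if key_type == "ssh-dss":
        return int.from_bytes(fields[0], "big").bit_length()
    if key_type.startswith("ecdsa-sha2-nistp"):
        return int(fields[0].decode("ascii")[len("nistp"):])
    raise ValueError(f"unsupported key type {key_type}")

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint for out-of-band comparison with the peer."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def parse_openssh(line):
    """'ssh-rsa <base64> [comment]' -> (key_type, blob_b64, comment), type cross-checked."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], parts[1]
    if decode_blob(blob)[0] != key_type:
        raise ValueError("type prefix does not match the encoded key")
    return key_type, blob, parts[2] if len(parts) == 3 else ""

def parse_ssh2(text):
    """RFC 4716 block -> (blob_b64, headers). Header lines may continue with a trailing '\\'."""
    lines = text.strip().splitlines()
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing SSH2 PUBLIC KEY markers")
    headers, body, i = {}, [], 1
    while i < len(lines) - 1:
        if not body and ":" in lines[i]:
            name, value = lines[i].split(":", 1)
            while value.endswith("\\") and i + 2 < len(lines):
                i += 1
                value = value[:-1] + lines[i]
            headers[name.strip()] = value.strip().strip('"')
        else:
            body.append(lines[i].strip())
        i += 1
    return "".join(body), headers

def to_ssh2(blob_b64, comment=""):
    """Wrap a blob as an RFC 4716 block: quoted Comment header, 72-column base64."""
    out = [BEGIN] + ([f'Comment: "{comment}"'] if comment else [])
    out += [blob_b64[i:i + 72] for i in range(0, len(blob_b64), 72)]
    return "\n".join(out + [END])

def to_openssh(blob_b64, comment=""):
    """Emit the one-line OpenSSH form with the type taken from the blob itself."""
    return f"{decode_blob(blob_b64)[0]} {blob_b64} {comment}".rstrip()

def describe(blob_b64):
    """Summary worth checking before distributing or importing a host key."""
    key_type, fields = decode_blob(blob_b64)
    return {"type": key_type, "bits": key_bits(key_type, fields),
            "fingerprint": fingerprint(blob_b64)}

if __name__ == "__main__":
    print(describe(PAGE_RSA_BLOB))
    print(to_ssh2(PAGE_RSA_BLOB, "rsa-key-2013/05/12"))
```

The blob is the same bytes in both formats; only the framing differs, which is why a mismatch between the ssh-rsa prefix and the type encoded inside the blob is treated as an error rather than silently trusted.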
Examples
# Export the host public key of the local RSA key pair with the default name in OpenSSH format to the file key.pub.
<Sysname> system-view
[Sysname] public-key local export rsa openssh key.pub
# Display the host public key of the local RSA key pair with the default name in SSH2.0 format.
<Sysname> system-view
[Sysname] public-key local export rsa ssh2
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-2013/05/12"
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDapKr+/gTCyWZyabuCJuJjMeMPQaj/kixzOCCAl+hDMmEGMrSfddq/bYcbgM7Buit1AgB3x0dFyTPi85DcCznTW4goPXAKFjuzCbGfj4chakSr+/aj1k3rM+XOvyvPJilneKJqhPT0xdv4tlas+mLNloY0dImbwS2kwE71rgg1CQ==
---- END SSH2 PUBLIC KEY ----
# Display the host public key of the local RSA key pair with the default name in OpenSSH format.
<Sysname> system-view
[Sysname] public-key local export rsa openssh
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDapKr+/gTCyWZyabuCJuJjMeMPQaj/kixzOCCAl+hDMmEGMrSfddq/bYcbgM7Buit1AgB3x0dFyTPi85DcCznTW4goPXAKFjuzCbGfj4chakSr+/aj1k3rM+XOvyvPJilneKJqhPT0xdv4tlas+mLNloY0dImbwS2kwE71rgg1CQ== rsa-key
# Export the host public key of the local RSA key pair rsa1 in OpenSSH format to the file rsa1.pub.
<Sysname> system-view
[Sysname] public-key local export rsa name rsa1 openssh rsa1.pub
# Display the host public key of the local RSA key pair rsa1 in SSH2.0 format.
<Sysname> system-view
[Sysname] public-key local export rsa name rsa1 ssh2
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-2013/05/12"
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDevEbyF93xHUJucJWqRc1r8fhzQ9lSVprCI6ATZeDYyR1J00fBQ8XY+q2olqoagn5YDyUC8ZJvUhlyMOHeORpkAVxD3XncTp4XG66h3rTHHa7Xmm7f1GDYlF0n05t8mCLVaupbfCzP8ba8UkrUmMO4fUvW6zavA5LYxtlAiQv0KQ==
---- END SSH2 PUBLIC KEY ----
# Display the host public key of the local RSA key pair rsa1 in OpenSSH format.
<Sysname> system-view
[Sysname] public-key local export rsa name rsa1 openssh
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDevEbyF93xHUJucJWqRc1r8fhzQ9lSVprCI6ATZeDYyR1J00fBQ8XY+q2olqoagn5YDyUC8ZJvUhlyMOHeORpkAVxD3XncTp4XG66h3rTHHa7Xmm7f1GDYlF0n05t8mCLVaupbfCzP8ba8UkrUmMO4fUvW6zavA5LYxtlAiQv0KQ== rsa-key
Related commands
· public-key local create
· public-key peer import sshkey
public-key peer
Use public-key peer to specify a name for a peer public key and enter public key view.
Use undo public-key peer to delete a peer public key.
Syntax
public-key peer keyname
undo public-key peer keyname
Default
The local device has no peer public key.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
keyname: Specifies a name for a peer public key, a case-sensitive string of 1 to 64 characters.
Usage guidelines
After you execute the command to enter the public key view, type the public key. Spaces and carriage returns are allowed, but are not saved.
To manually specify a peer public key on the local device, obtain the public key in hexadecimal from the peer device beforehand, and perform the following configurations on the local device:
1. Execute the public-key peer command to enter public key view.
2. Type the public key.
3. Execute the peer-public-key end command to save the public key and return to system view.
The public key you type in the public key view must be in a correct format. If your device is an H3C device, use the display public-key local public command to display and record its public key.
Examples
# Specify the name key1 for a peer public key and enter public key view.
<Sysname> system-view
[Sysname] public-key peer key1
[Sysname-pkey-public-key-key1]
Related commands
· display public-key local public
· display public-key peer
· peer-public-key end
public-key peer import sshkey
Use public-key peer import sshkey to import a peer host public key from the public key file.
Use undo public-key peer to remove the specified peer host public key.
Syntax
public-key peer keyname import sshkey filename
undo public-key peer keyname
Default
The device has no peer public key.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
keyname: Specifies a name for a peer public key, a case-sensitive string of 1 to 64 characters.
filename: Specifies the name of the public key file that contains the peer host public key. The file name is a string of case-insensitive characters excluding ./ and ../. The name cannot be dots (.), hostkey, serverkey, dsakey, or ecdsakey, and cannot start with a slash (/). For more information about file names, see Fundamentals Configuration Guide.
Usage guidelines
After you configure this command, the system automatically transforms the host public key to the PKCS format, and saves the key. This operation requires that you get a copy of the public key file from the peer device through FTP or TFTP in binary mode in advance.
In non-FIPS mode, the device supports importing public keys in the format of SSH1.5, SSH2.0, and OpenSSH.
In FIPS mode, the device supports importing public keys in the format of SSH2.0 and OpenSSH.
Examples
# Import the peer host public key key2 from the public key file key.pub.
<Sysname> system-view
[Sysname] public-key peer key2 import sshkey key.pub
Related commands
· display public-key peer
· public-key local export dsa
· public-key local export rsa
PKI commands
The PKI feature is available in Release 1138P01 and later versions.
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
attribute
Use attribute to configure a rule to filter certificates based on an attribute in the certificate issuer name, subject name, or alternative subject name field.
Use undo attribute to remove an attribute rule.
Syntax
attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value
undo attribute id
Default
No attribute rules exist.
Views
Certificate attribute group view
Predefined user roles
network-admin
mdc-admin
Parameters
id: Specifies a rule ID in the range of 1 to 16.
alt-subject-name: Specifies the alternative subject name.
fqdn: Specifies an FQDN of the PKI entity.
ip: Specifies an IP address of the PKI entity.
dn: Specifies the DN of the PKI entity.
issuer-name: Specifies the issuer name.
subject-name: Specifies the subject name.
ctn: Specifies the contain operation.
equ: Specifies the equal operation.
nctn: Specifies the not-contain operation.
nequ: Specifies the not-equal operation.
attribute-value: Sets an attribute value, a case-insensitive string of 1 to 128 characters.
Usage guidelines
The issuer name, subject name, and alternative subject name field can contain the following attributes in a certificate:
· The subject name and the issuer name can each contain a single DN, multiple FQDNs, and multiple IP addresses.
· The alternative subject name can contain multiple FQDNs and IP addresses but zero DNs.
An attribute rule is a combination of an attribute-value pair with an operation keyword, as listed in Table 17.
Table 17 Combinations of attribute-value pairs and operation keywords

Operation | DN | FQDN/IP |
---|---|---|
ctn | The DN contains the specified attribute value. | Any FQDN or IP address contains the specified attribute value. |
nctn | The DN does not contain the specified attribute value. | None of the FQDNs or IP addresses contain the specified attribute value. |
equ | The DN is the same as the specified attribute value. | Any FQDN or IP address is the same as the specified attribute value. |
nequ | The DN is not the same as the specified attribute value. | None of the FQDNs or IP addresses are the same as the specified attribute value. |
A certificate matches an attribute rule only if it contains an attribute that matches the criterion defined in the rule. For example, an attribute rule defines a criterion that the DN of the subject name contains the abc string. All certificates that have the DN in the subject name containing the abc string match the rule.
A certificate matches an attribute group if it matches all attribute rules in the group.
Examples
# Create a certificate attribute group and enter its view.
<Sysname> system-view
[Sysname] pki certificate attribute-group mygroup
# Specify an attribute rule to match certificates that contain the abc string in the subject DN.
[Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc
# Specify an attribute rule to match certificates that do not contain FQDN abc in the issuer name field.
[Sysname-pki-cert-attribute-group-mygroup] attribute 2 issuer-name fqdn nequ abc
# Specify an attribute rule to match certificates that do not contain IP address 10.0.0.1 in the alternative subject name field.
[Sysname-pki-cert-attribute-group-mygroup] attribute 3 alt-subject-name ip nequ 10.0.0.1
Related commands
· display pki certificate attribute-group
· rule
ca identifier
Use ca identifier to specify the trusted CA.
Use undo ca identifier to remove the trusted CA.
Syntax
ca identifier name
undo ca identifier
Default
No trusted CA is specified.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
name: Specifies the name of the trusted CA, a case-sensitive string of 1 to 63 characters.
Usage guidelines
To obtain a CA certificate, you must specify the trusted CA name. The trusted CA name uniquely identifies the CA to be used if multiple CAs exist on the same CA server. The CA server's URL is specified by using the certificate request url command.
When you use this command, make sure the specified CA name is consistent with the name of the CA that owns the CA certificate to be obtained.
Examples
# Specify the trusted CA as new-ca.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] ca identifier new-ca
certificate request entity
Use certificate request entity to specify the PKI entity for certificate request.
Use undo certificate request entity to remove the PKI entity for certificate request.
Syntax
certificate request entity entity-name
undo certificate request entity
Default
No PKI entity is specified for certificate request.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
entity-name: Specifies a PKI entity by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
A PKI entity describes the identity attributes of an entity for certificate request, including the following information:
· Common name.
· Organization.
· Unit in the organization.
· Locality.
· State and country where the entity resides.
· FQDN.
· IP address.
You can specify only one PKI entity for a PKI domain. If you configure this command for a PKI domain multiple times, the most recent configuration takes effect.
Examples
# Specify PKI entity en1 for certificate request in PKI domain aaa.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] certificate request entity en1
Related commands
pki entity
certificate request from
Use certificate request from to specify the type of certificate request reception authority.
Use undo certificate request from to remove the configuration.
Syntax
certificate request from { ca | ra }
undo certificate request from
Default
The type of certificate request reception authority is not specified.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
ca: Specifies the CA to accept certificate requests.
ra: Specifies the RA to accept certificate requests.
Usage guidelines
The CA server determines whether CA or RA accepts certificate requests. This authority setting must be consistent with the setting on the CA server.
Examples
# Specify the RA to accept certificate requests.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] certificate request from ra
certificate request mode
Use certificate request mode to set the certificate request mode.
Use undo certificate request mode to restore the default.
Syntax
certificate request mode { auto [ password { cipher | simple } password ] | manual }
undo certificate request mode
Default
The certificate request mode is manual.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
auto: Specifies the auto certificate request mode.
password: Specifies a password for certificate revocation as required by the CA policy.
cipher: Sets a ciphertext password for certificate revocation.
simple: Sets a plaintext password for certificate revocation. For security purposes, all keys, including keys configured in plain text, are saved in cipher text.
password: Specifies the password string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 31 characters. If cipher is specified, it must be a ciphertext string of 1 to 73 characters.
manual: Specifies the manual certificate request mode.
Usage guidelines
A certificate request can be submitted to a CA in offline or online mode. In online mode, a certificate request can be automatically or manually submitted:
· Auto request mode—A PKI entity automatically obtains the CA certificate and submits a certificate request to the CA when both of the following conditions exist:
◦ A PKI-based application (IKE, for example) performs identity authentication.
◦ No certificate is available for the application on the device.
· Manual request mode—You must manually obtain the CA certificate and submit certificate requests.
Examples
# Set the certificate request mode to auto.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] certificate request mode auto
# Set the certificate request mode to auto, and set the certificate revocation password in plain text to 123456.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] certificate request mode auto password simple 123456
Related commands
pki request-certificate
certificate request polling
Use certificate request polling to set the polling interval and the maximum number of attempts to query certificate request status.
Use undo certificate request polling to restore the defaults.
Syntax
certificate request polling { count count | interval minutes }
undo certificate request polling { count | interval }
Default
The polling interval is 20 minutes, and the maximum number of attempts is 50.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
count count: Sets the maximum number of attempts to query certificate request status. The value range is 1 to 100.
interval minutes: Sets a polling interval in minutes, in the range of 5 to 168.
Usage guidelines
After a PKI entity submits a certificate request, it might take the CA server a while to issue the certificate if the CA administrator manually approves the certificate request. During this period, the PKI entity periodically queries the CA server for the certificate request status. The periodic query continues until the PKI entity obtains the certificate or the maximum number of query attempts is reached. If the maximum number of query attempts is reached, the certificate request fails.
If the CA server automatically approves a certificate request, the PKI entity can obtain the certificate immediately after it submits a certificate request. In this case, the PKI entity does not send queries to the CA server.
Examples
# Set the polling interval to 15 minutes, and the maximum number of query attempts to 40.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] certificate request polling interval 15
[Sysname-pki-domain-aaa] certificate request polling count 40
Related commands
display pki certificate request-status
certificate request url
Use certificate request url to specify the URL of the certificate request reception authority (CA or RA) to which the device should send SCEP certificate requests.
Use undo certificate request url to remove the configuration.
Syntax
certificate request url url-string [ vpn-instance vpn-instance-name ]
undo certificate request url
Default
The URL of the certificate request reception authority is not specified.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
url-string: Specifies the URL of the certificate request reception authority, a case-sensitive string of 1 to 511 characters. The URL length is restricted by the CLI string limitation or the url-string parameter, whichever is smaller.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the certificate request reception authority server belongs. A VPN instance name is a case-sensitive string of 1 to 31 characters. If the certificate request reception authority server is on the public network, do not specify this option.
Usage guidelines
The URL is in the format http://server_location/cgi_script_location, where:
· The server_location argument is the IPv4 address or domain name of the certificate request reception authority (CA or RA) server.
· The cgi_script_location argument is the path of the application script on the server.
Examples
# Specify http://169.254.0.100/certsrv/mscep/mscep.dll as the URL where the device should send certificate requests.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] certificate request url http://169.254.0.100/certsrv/mscep/mscep.dll
# Specify http://mytest.net/certsrv/mscep/mscep.dll in VPN instance vpn1 as the URL where the device should send certificate requests.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] certificate request url http://mytest.net/certsrv/mscep/mscep.dll vpn-instance vpn1
common-name
Use common-name to set the common name for a PKI entity.
Use undo common-name to remove the configuration.
Syntax
common-name common-name-string
undo common-name
Default
No common name is set for a PKI entity.
Views
PKI entity view
Predefined user roles
network-admin
mdc-admin
Parameters
common-name-string: Specifies a common name, a case-sensitive string of 1 to 63 characters. No comma can be included. You can set the username of the PKI entity as the common name.
Examples
# Specify test as the common name of the PKI entity en.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en] common-name test
country
Use country to set the country code of a PKI entity.
Use undo country to remove the configuration.
Syntax
country country-code-string
undo country
Default
No country code is set for a PKI entity.
Views
PKI entity view
Predefined user roles
network-admin
mdc-admin
Parameters
country-code-string: Specifies a country code, a case-sensitive string of two characters. For example, CN is the country code for China.
Examples
# Specify CN as the country code of the PKI entity en.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en] country CN
crl check
Use crl check enable to enable CRL checking.
Use undo crl check enable to disable CRL checking.
Syntax
crl check enable
undo crl check enable
Default
CRL checking is enabled.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
A CA signs and publishes a list of revoked certificates, called a certificate revocation list (CRL). Revoked certificates should no longer be trusted.
CRL checking is designed to check whether a certificate has been revoked.
Examples
# Disable CRL checking.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] undo crl check enable
Related commands
· pki import
· pki retrieve-certificate
· pki validate-certificate
crl url
Use crl url to specify the URL of the CRL repository.
Use undo crl url to remove the configuration.
Syntax
crl url url-string [ vpn-instance vpn-instance-name ]
undo crl url
Default
The URL of the CRL repository is not specified.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
url-string: Specifies the URL of the CRL repository, a case-sensitive string of 1 to 511 characters. The URL format is ldap://server_location or http://server_location, where server_location can be an IP address or a domain name. The URL length is restricted by the CLI string limitation or the url-string parameter, whichever is smaller.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If the CRL repository is on the public network, do not specify this option.
Usage guidelines
To use CRL checking, a CRL must be obtained from a CRL repository.
The device selects a CRL repository in the following order:
1. CRL repository specified in the PKI domain by using this command.
2. CRL repository in the certificate that is being verified.
3. CRL repository in the CA certificate or CRL repository in the upper-level CA certificate if the CA certificate is the certificate being verified.
If no CRL repository is found through this selection process, the device obtains the CRL through SCEP. In this scenario, the CA certificate and the local certificates must have been obtained.
If an LDAP URL is specified, the device must connect to the LDAP server to obtain the CRL. If the LDAP server's host name is not included in the URL, the device can get the complete URL information according to the LDAP server address specified in the PKI domain.
Examples
# Specify http://169.254.0.30 as the URL of the CRL repository.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] crl url http://169.254.0.30
# Specify ldap://169.254.0.30 in VPN instance vpn1 as the URL of the CRL repository.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] crl url ldap://169.254.0.30 vpn-instance vpn1
Related commands
· ldap-server
· pki retrieve-crl
display pki certificate access-control-policy
Use display pki certificate access-control-policy to display information about certificate-based access control policies.
Syntax
display pki certificate access-control-policy [ policy-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
policy-name: Specifies a certificate-based access control policy by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
If you do not specify a policy name, this command displays information about all certificate-based access control policies.
Examples
# Display information about the certificate-based access control policy mypolicy.
<Sysname> display pki certificate access-control-policy mypolicy
Access control policy name: mypolicy
Rule 1 deny mygroup1
Rule 2 permit mygroup2
# Display information about all certificate-based access control policies.
<Sysname> display pki certificate access-control-policy
Total PKI certificate access control policies: 2
Access control policy name: mypolicy1
Rule 1 deny mygroup1
Rule 2 permit mygroup2
Access control policy name: mypolicy2
Rule 1 deny mygroup3
Rule 2 permit mygroup4
Table 18 Command output
Field | Description |
---|---|
Total PKI certificate access control policies | Total number of certificate-based access control policies. |
permit | A certificate passes the check and is considered valid if it matches all attribute rules in the attribute group associated with the access control rule. |
deny | A certificate fails the check and is considered invalid if it matches all attribute rules in the attribute group associated with the access control rule. |
Related commands
· pki certificate access-control-policy
· rule
display pki certificate attribute-group
Use display pki certificate attribute-group to display information about certificate attribute groups.
Syntax
display pki certificate attribute-group [ group-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
group-name: Specifies a certificate attribute group by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
If you do not specify a certificate attribute group, this command displays information about all certificate attribute groups.
Examples
# Display information about the certificate attribute group mygroup.
<Sysname> display pki certificate attribute-group mygroup
Attribute group name: mygroup
Attribute 1 subject-name dn ctn abc
Attribute 2 issuer-name fqdn nctn app
# Display information about all certificate attribute groups.
<Sysname> display pki certificate attribute-group
Total PKI certificate attribute groups: 2.
Attribute group name: mygroup1
Attribute 1 subject-name dn ctn abc
Attribute 2 issuer-name fqdn nctn app
Attribute group name: mygroup2
Attribute 1 subject-name dn ctn def
Attribute 2 issuer-name fqdn nctn fqd
Table 19 Command output
Field | Description |
---|---|
Total PKI certificate attribute groups | Total number of certificate attribute groups. |
ctn | Contain operation. |
nctn | Not-contain operation. |
equ | Equal operation. |
nequ | Not-equal operation. |
Attribute 1 subject-name dn ctn abc | Attribute rule 1 defines that the DN in the subject name contains the string abc. |
Related commands
· attribute
· pki certificate attribute-group
display pki certificate domain
Use display pki certificate domain to display information about certificates.
Syntax
display pki certificate domain domain-name { ca | local | peer [ serial serial-num ] }
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
ca: Specifies the CA certificate.
local: Specifies the local certificates.
peer: Specifies the peer certificates.
serial serial-num: Specifies the serial number of a peer certificate.
Usage guidelines
If you specify the ca keyword, this command displays information about all CA and RA certificates in the domain.
If you specify the local keyword, this command displays information about all local certificates in the domain.
If you specify the peer keyword but do not specify a serial number, this command displays brief information about all peer certificates. If you specify a serial number, this command displays detailed information about the specified peer certificate.
Examples
# Display information about the CA certificate in the PKI domain aaa.
<Sysname> display pki certificate domain aaa ca
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
5c:72:dc:c4:a5:43:cd:f9:32:b9:c1:90:8f:dd:50:f6
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=cn, O=docm, OU=rnd, CN=rootca
Validity
Not Before: Jan 6 02:51:41 2011 GMT
Not After : Dec 7 03:12:05 2013 GMT
Subject: C=cn, O=ccc, OU=ppp, CN=rootca
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c4:fd:97:2c:51:36:df:4c:ea:e8:c8:70:66:f0:
28:98:ec:5a:ee:d7:35:af:86:c4:49:76:6e:dd:40:
4a:9e:8d:c0:cb:d9:10:9b:61:eb:0c:e0:22:ce:f6:
57:7c:bb:bb:1b:1d:b6:81:ad:90:77:3d:25:21:e6:
7e:11:0a:d8:1d:3c:8e:a4:17:1e:8c:38:da:97:f6:
6d:be:09:e3:5f:21:c5:a0:6f:27:4b:e3:fb:9f:cd:
c1:91:18:ff:16:ee:d8:cf:8c:e3:4c:a3:1b:08:5d:
84:7e:11:32:5f:1a:f8:35:25:c0:7e:10:bd:aa:0f:
52:db:7b:cd:5d:2b:66:5a:fb
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
6d:b1:4e:d7:ef:bb:1d:67:53:67:d0:8f:7c:96:1d:2a:03:98:
3b:48:41:08:a4:8f:a9:c1:98:e3:ac:7d:05:54:7c:34:d5:ee:
09:5a:11:e3:c8:7a:ab:3b:27:d7:62:a7:bb:bc:7e:12:5e:9e:
4c:1c:4a:9f:d7:89:ca:20:46:de:c5:b3:ce:36:ca:5e:6e:dc:
e7:c6:fe:3f:c5:38:dd:d5:a3:36:ad:f4:3d:e6:32:7f:48:df:
07:f0:a2:32:89:86:72:22:cd:ed:e5:0f:95:df:9c:75:71:e7:
fe:34:c5:a0:64:1c:f0:5c:e4:8f:d3:00:bd:fa:90:b6:64:d8:
88:a6
# Display information about the local certificates in the PKI domain aaa.
<Sysname> display pki certificate domain aaa local
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
bc:05:70:1f:0e:da:0d:10:16:1e
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, O=sec, OU=software, CN=ipsec
Validity
Not Before: Jan 7 20:05:44 2011 GMT
Not After : Jan 7 20:05:44 2012 GMT
Subject: O=OpenCA Labs, OU=Users, CN=fips fips-sec
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:b2:38:ad:8c:7d:78:38:37:88:ce:cc:97:17:39:
52:e1:99:b3:de:73:8b:ad:a8:04:f9:a1:f9:0d:67:
d8:95:e2:26:a4:0b:c2:8c:63:32:5d:38:3e:fd:b7:
4a:83:69:0e:3e:24:e4:ab:91:6c:56:51:88:93:9e:
12:a4:30:ad:ae:72:57:a7:ba:fb:bc:ac:20:8a:21:
46:ea:e8:93:55:f3:41:49:e9:9d:cc:ec:76:13:fd:
a5:8d:cb:5b:45:08:b7:d1:c5:b5:58:89:47:ce:12:
bd:5c:ce:b6:17:2f:e0:fc:c0:3e:b7:c4:99:31:5b:
8a:f0:ea:02:fd:2d:44:7a:67
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin
Netscape Comment:
User Certificate of OpenCA Labs
X509v3 Subject Key Identifier:
91:95:51:DD:BF:4F:55:FA:E4:C4:D0:10:C2:A1:C2:99:AF:A5:CB:30
X509v3 Authority Key Identifier:
keyid:DF:D2:C9:1A:06:1F:BC:61:54:39:FE:12:C4:22:64:EB:57:3B:11:9F
X509v3 Subject Alternative Name:
email:fips@ccc.com
X509v3 Issuer Alternative Name:
email:pki@openca.org
Authority Information Access:
CA Issuers - URI:http://titan/pki/pub/cacert/cacert.crt
OCSP - URI:http://titan:2560/
1.3.6.1.5.5.7.48.12 - URI:http://titan:830/
X509v3 CRL Distribution Points:
Full Name:
URI:http://titan/pki/pub/crl/cacrl.crl
Signature Algorithm: sha256WithRSAEncryption
94:ef:56:70:48:66:be:8f:9d:bb:77:0f:c9:f4:65:77:e3:bd:
ea:9a:b8:24:ae:a1:38:2d:f4:ab:e8:0e:93:c2:30:33:c8:ef:
f5:e9:eb:9d:37:04:6f:99:bd:b2:c0:e9:eb:b1:19:7e:e3:cb:
95:cd:6c:b8:47:e2:cf:18:8d:99:f4:11:74:b1:1b:86:92:98:
af:a2:34:f7:1b:15:ee:ea:91:ed:51:17:d0:76:ec:22:4c:56:
da:d6:d1:3c:f2:43:31:4f:1d:20:c8:c2:c3:4d:e5:92:29:ee:
43:c6:d7:72:92:e8:13:87:38:9a:9c:cd:54:38:b2:ad:ba:aa:
f9:a4:68:b5:2a:df:9a:31:2f:42:80:0c:0c:d9:6d:b3:ab:0f:
dd:a0:2c:c0:aa:16:81:aa:d9:33:ca:01:75:94:92:44:05:1a:
65:41:fa:1e:41:b5:8a:cc:2b:09:6e:67:70:c4:ed:b4:bc:28:
04:50:a6:33:65:6d:49:3c:fc:a8:93:88:53:94:4c:af:23:64:
cb:af:e3:02:d1:b6:59:5f:95:52:6d:00:00:a0:cb:75:cf:b4:
50:c5:50:00:65:f4:7d:69:cc:2d:68:a4:13:5c:ef:75:aa:8f:
3f:ca:fa:eb:4d:d5:5d:27:db:46:c7:f4:7d:3a:b2:fb:a7:c9:
de:18:9d:c1
# Display brief information about all peer certificates in the PKI domain aaa.
<Sysname> display pki certificate domain aaa peer
Total peer certificates: 1
Serial Number: 9a0337eb2156ba1f5476e4d754a5a9f7
Subject Name: CN=sldsslserver
# Display detailed information about a peer certificate in the PKI domain aaa.
<Sysname> display pki certificate domain aaa peer serial 9a0337eb2156ba1f5476e4d754a5a9f7
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
9a:03:37:eb:21:56:ba:1f:54:76:e4:d7:54:a5:a9:f7
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=cn, O=ccc, OU=sec, CN=ssl
Validity
Not Before: Oct 15 01:23:06 2010 GMT
Not After : Jul 26 06:30:54 2012 GMT
Subject: CN=sldsslserver
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c2:cf:37:76:93:29:5e:cd:0e:77:48:3a:4d:0f:
a6:28:a4:60:f8:31:56:28:7f:81:e3:17:47:78:98:
68:03:5b:72:f4:57:d3:bf:c5:30:32:0d:58:72:67:
04:06:61:08:3b:e9:ac:53:b9:e7:69:68:1a:23:f2:
97:4c:26:14:c2:b5:d9:34:8b:ee:c1:ef:af:1a:f4:
39:da:c5:ae:ab:56:95:b5:be:0e:c3:46:35:c1:52:
29:9c:b7:46:f2:27:80:2d:a4:65:9a:81:78:53:d4:
ca:d3:f5:f3:92:54:85:b3:ab:55:a5:03:96:2b:19:
8b:a3:4d:b2:17:08:8d:dd:81
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:9A:83:29:13:29:D9:62:83:CB:41:D4:75:2E:52:A1:66:38:3C:90:11
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
Netscape Cert Type:
SSL Server
X509v3 Subject Alternative Name:
DNS:docm.com
X509v3 Subject Key Identifier:
3C:76:95:9B:DD:C2:7F:5F:98:83:B7:C7:A0:F8:99:1E:4B:D7:2F:26
X509v3 CRL Distribution Points:
Full Name:
URI:http://s03130.ccc.sec.com:447/ssl.crl
Signature Algorithm: sha1WithRSAEncryption
61:2d:79:c7:49:16:e3:be:25:bb:8b:70:37:31:32:e5:d3:e3:
31:2c:2d:c1:f9:bf:50:ad:35:4b:c1:90:8c:65:79:b6:5f:59:
36:24:c7:14:63:44:17:1e:e4:cf:10:69:fc:93:e9:70:53:3c:
85:aa:40:7e:b5:47:75:0f:f0:b2:da:b4:a5:50:dd:06:4a:d5:
17:a5:ca:20:19:2c:e9:78:02:bd:19:77:da:07:1a:42:df:72:
ad:07:7d:e5:16:d6:75:eb:6e:06:58:ee:76:31:63:db:96:a2:
ad:83:b6:bb:ba:4b:79:59:9d:59:6c:77:59:5b:d9:07:33:a8:
f0:a5
Related commands
· pki domain
· pki retrieve-certificate
display pki certificate request-status
Use display pki certificate request-status to display certificate request status.
Syntax
display pki certificate request-status [ domain domain-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
Usage guidelines
If no PKI domain is specified, this command displays the status of all certificate requests.
Examples
# Display certificate request status for the PKI domain aaa.
<Sysname> display pki certificate request-status domain aaa
Certificate Request Transaction 1
Domain name: aaa
Status: Pending
Key usage: General
Remain polling attempts: 10
Next polling attempt after : 1191 seconds
# Display certificate request statuses for all PKI domains.
<Sysname> display pki certificate request-status
Certificate Request Transaction 1
Domain name: domain1
Status: Pending
Key usage: General
Remain polling attempts: 10
Next polling attempt after : 1191 seconds
Certificate Request Transaction 2
Domain name: domain2
Status: Pending
Key usage: Signature
Remain polling attempts: 10
Next polling attempt after : 188 seconds
Table 20 Command output
Field | Description |
---|---|
Certificate Request Transaction number | Certificate request transaction number, starting from 1. |
Status | Certificate request status. Only the pending status is displayed. |
Key usage | Certificate purposes: General (signature and encryption), Signature (signature only), or Encryption (encryption only). |
Remain polling attempts | Remaining number of attempts to query the certificate request status. |
Next polling attempt after | Remaining seconds before the next request status polling. |
Related commands
· certificate request polling
· pki domain
· pki retrieve-certificate
display pki crl
Use display pki crl domain to display information about the locally saved CRLs.
Syntax
display pki crl domain domain-name
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
Usage guidelines
Use this command to check whether a certificate has been revoked: a certificate is revoked if its serial number appears in the Revoked Certificates list of the CRL issued by its CA. A CRL whose Next Update field is NONE has no expiry, so the device cannot tell from the CRL itself that the saved copy is stale.
Examples
# Display information about the locally saved CRL for PKI domain aaa.
<Sysname> display pki crl domain aaa
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=cn/O=docm/OU=sec/CN=therootca
Last Update: Apr 28 01:42:13 2011 GMT
Next Update: NONE
CRL extensions:
X509v3 CRL Number:
6
X509v3 Authority Key Identifier:
keyid:49:25:DB:07:3A:C4:8A:C2:B5:A0:64:A5:F1:54:93:69:14:51:11:EF
Revoked Certificates:
Serial Number: CDE626BF7A44A727B25F9CD81475C004
Revocation Date: Apr 28 01:37:52 2011 GMT
CRL entry extensions:
Invalidity Date:
Apr 28 01:37:49 2011 GMT
Serial Number: FCADFA81E1F56F43D3F2D3EF7EB56DE5
Revocation Date: Apr 28 01:33:28 2011 GMT
CRL entry extensions:
Invalidity Date:
Apr 28 01:33:09 2011 GMT
Signature Algorithm: sha1WithRSAEncryption
57:ac:00:3e:1e:e2:5f:59:62:04:05:9b:c7:61:58:2a:df:a4:
5c:e5:c0:14:af:c8:e7:de:cf:2a:0a:31:7d:32:da:be:cd:6a:
36:b5:83:e8:95:06:bd:b4:c0:36:fe:91:7c:77:d9:00:0f:9e:
99:03:65:9e:0c:9c:16:22:ef:4a:40:ec:59:40:60:53:4a:fc:
8e:47:57:23:e0:75:0a:a4:1c:0e:2f:3d:e0:b2:87:4d:61:8a:
4a:cb:cb:37:af:51:bd:53:78:76:a1:16:3d:0b:89:01:91:61:
52:d0:6f:5c:09:59:15:be:b8:68:65:0c:5d:1b:a1:f8:42:04:
ba:aa
Table 21 Command output
Field | Description |
---|---|
Version | CRL version number. |
Signature Algorithm | Signature algorithm used by the CA to sign the CRL. |
Issuer | Name of the CA that issued the CRL. |
Last Update | Most recent CRL update time. |
Next Update | Next CRL update time. |
X509v3 Authority Key Identifier | X509v3 ID of the CA that issued the CRL. |
keyid | Key ID. This field identifies the key pair used to sign the CRL. |
Signature Algorithm: | Signature algorithm and signature data. |
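The revocation check that the usage guidelines describe, carried out over the text of the display pki crl domain output, as an added example that is not part of this reference or of the device software. It parses a constructed copy of the CRL shown above (signature bytes left out), normalizes the three serial-number spellings that appear in this chapter (colon-separated, upper-case without colons, lower-case without colons) and the two issuer DN spellings (slash-separated and comma-separated), and reports a CRL whose Next Update is NONE, because such a CRL carries no expiry that would reveal a stale copy.

```python
import re

# Constructed sample: an abbreviated copy of the "display pki crl domain aaa" output
# shown above, with the signature bytes left out. Not captured from a real device.
SAMPLE_CRL_OUTPUT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=cn/O=docm/OU=sec/CN=therootca
        Last Update: Apr 28 01:42:13 2011 GMT
        Next Update: NONE
        CRL extensions:
            X509v3 CRL Number:
                6
Revoked Certificates:
    Serial Number: CDE626BF7A44A727B25F9CD81475C004
        Revocation Date: Apr 28 01:37:52 2011 GMT
    Serial Number: FCADFA81E1F56F43D3F2D3EF7EB56DE5
        Revocation Date: Apr 28 01:33:28 2011 GMT
"""


def normalize_serial(serial):
    """Canonical spelling of a serial number: hex digits only, upper case, no leading zeros.
    The chapter prints serials three ways (cd:e6:..., CDE626..., 9a0337eb...); a plain
    string compare between those spellings would silently miss a revoked certificate."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", serial).upper().lstrip("0")
    return digits or "0"


def normalize_dn(dn):
    """Canonical form of a DN printed either as /C=cn/O=docm/... or as C=cn, O=docm, ...
    Attribute values in this chapter may not contain commas, so splitting on them is safe."""
    return tuple(part.strip() for part in re.split(r"[/,]", dn) if part.strip())


def parse_crl_output(text):
    """Return (issuer, next_update, revoked), where revoked maps a normalized serial
    to its revocation date. Only the fields the revocation check needs are extracted."""
    issuer = next_update = None
    revoked = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Issuer:"):
            issuer = line.split(":", 1)[1].strip()
        elif line.startswith("Next Update:"):
            next_update = line.split(":", 1)[1].strip()
        elif line.startswith("Serial Number:"):
            current = normalize_serial(line.split(":", 1)[1])
            revoked[current] = None
        elif line.startswith("Revocation Date:") and current is not None:
            revoked[current] = line.split(":", 1)[1].strip()
    return issuer, next_update, revoked


def check_revocation(crl_text, cert_issuer, cert_serial):
    """Decide whether a certificate is revoked according to this CRL.

    Returns "wrong-issuer" when the CRL was not issued by the certificate's CA (a CRL
    only lists its own issuer's serials, so it says nothing about the certificate),
    "revoked" when the serial is listed, and "good" otherwise.
    """
    issuer, _next_update, revoked = parse_crl_output(crl_text)
    if issuer is None or normalize_dn(issuer) != normalize_dn(cert_issuer):
        return "wrong-issuer"
    return "revoked" if normalize_serial(cert_serial) in revoked else "good"


def crl_has_expiry(crl_text):
    """False when Next Update is NONE: the CRL then never expires, so a stale copy kept
    on the device cannot be detected from the CRL itself and has to be refreshed with
    pki retrieve-crl on a schedule of your own."""
    _issuer, next_update, _revoked = parse_crl_output(crl_text)
    return next_update is not None and next_update.upper() != "NONE"


if __name__ == "__main__":
    ca = "C=cn, O=docm, OU=sec, CN=therootca"
    for serial in ("cd:e6:26:bf:7a:44:a7:27:b2:5f:9c:d8:14:75:c0:04",
                   "9a0337eb2156ba1f5476e4d754a5a9f7"):
        print(serial, "->", check_revocation(SAMPLE_CRL_OUTPUT, ca, serial))
    print("CRL carries a Next Update:", crl_has_expiry(SAMPLE_CRL_OUTPUT))
```

The issuer comparison comes before the serial lookup on purpose: serial numbers are only unique per CA, so a serial found in a CRL from a different issuer proves nothing about the certificate being checked.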
Related commands
pki retrieve-crl
fqdn
Use fqdn to set the FQDN of an entity.
Use undo fqdn to remove the configuration.
Syntax
fqdn fqdn-name-string
undo fqdn
Default
No FQDN is set for a PKI entity.
Views
PKI entity view
Predefined user roles
network-admin
mdc-admin
Parameters
fqdn-name-string: Specifies an FQDN, a case-sensitive string of 1 to 255 characters in the format hostname@domainname.
Usage guidelines
An FQDN uniquely identifies a PKI entity on a network.
Examples
# Specify abc@pki.domain.com as the FQDN of the PKI entity en.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en] fqdn abc@pki.domain.com
ip
Use ip to assign an IP address to a PKI entity.
Use undo ip to remove the configuration.
Syntax
ip { ip-address | interface interface-type interface-number }
undo ip
Default
No IP address is assigned to the PKI entity.
Views
PKI entity view
Predefined user roles
network-admin
mdc-admin
Parameters
ip-address: Specifies an IPv4 address.
interface interface-type interface-number: Specifies an interface by its type and number. The primary IPv4 address of the interface will be used as the IP address of the PKI entity.
Usage guidelines
Use this command to assign an IP address to a PKI entity or specify an interface whose primary IPv4 address will be used as the IP address for the PKI entity. If you specify an interface, make sure the interface has an IP address before the PKI entity requests a certificate.
Examples
# Assign IP address 192.168.0.2 to PKI entity en.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en] ip 192.168.0.2
ldap-server
Use ldap-server to specify an LDAP server for a PKI domain.
Use undo ldap-server to remove the configuration.
Syntax
ldap-server host hostname [ port port-number ] [ vpn-instance vpn-instance-name ]
undo ldap-server
Default
No LDAP server is specified for a domain.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
host hostname: Specifies an LDAP server by its IPv4 address or domain name. The domain name is a case-sensitive string of 1 to 255 characters.
port port-number: Specifies the port number of the LDAP server. The value range is 1 to 65535, and the default is 389.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If the LDAP server is on the public network, do not specify this option.
Usage guidelines
You must specify an LDAP server in a PKI domain when both of the following conditions exist:
· An LDAP URL is specified in the PKI domain (by using the crl url command).
· The LDAP URL does not contain the IP address or host name of the LDAP server.
You can specify only one LDAP server in a PKI domain. If you configure this command multiple times, the most recent configuration takes effect.
Examples
# Specify an LDAP server 10.0.0.1 for PKI domain aaa.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] ldap-server host 10.0.0.1
# Specify an LDAP server 10.0.0.11 in VPN instance vpn1 for PKI domain aaa. Set the port number to 333.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] ldap-server host 10.0.0.11 port 333 vpn-instance vpn1
Related commands
· pki retrieve-certificate
· pki retrieve-crl
locality
Use locality to set the locality of a PKI entity.
Use undo locality to remove the configuration.
Syntax
locality locality-name
undo locality
Default
No locality is set for a PKI entity.
Views
PKI entity view
Predefined user roles
network-admin
mdc-admin
Parameters
locality-name: Specifies a locality, a case-sensitive string of 1 to 63 characters. No comma can be included. You can set a city name as the locality.
Examples
# Specify pukras as the locality of the PKI entity en.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en] locality pukras
organization
Use organization to set an organization name for a PKI entity.
Use undo organization to remove the configuration.
Syntax
organization org-name
undo organization
Default
No organization name is set for a PKI entity.
Views
PKI entity view
Predefined user roles
network-admin
mdc-admin
Parameters
org-name: Specifies an organization name, a case-sensitive string of 1 to 63 characters. No comma can be included.
Examples
# Specify abc as the organization name of the PKI entity en.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en] organization abc
organization-unit
Use organization-unit to set an organization unit name for a PKI entity.
Use undo organization-unit to remove the configuration.
Syntax
organization-unit org-unit-name
undo organization-unit
Default
No organization unit name is set for a PKI entity.
Views
PKI entity view
Predefined user roles
network-admin
mdc-admin
Parameters
org-unit-name: Specifies an organization unit name, a case-sensitive string of 1 to 63 characters. No comma can be included.
Examples
# Specify rdtest as the organization unit name for the PKI entity en.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en] organization-unit rdtest
pki abort-certificate-request
Use pki abort-certificate-request to abort the certificate request for a PKI domain.
Syntax
pki abort-certificate-request domain domain-name
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
Usage guidelines
You can abort a certificate request and change some parameters, such as common name, country code, or FQDN, in the certificate request before the CA issues the certificate. Use the display pki certificate request-status command to display the certificate request status.
Examples
# Abort the certificate request for the PKI domain 1.
<Sysname> system-view
[Sysname] pki abort-certificate-request domain 1
The certificate request is in process.
Confirm to abort it? [Y/N]:y
Related commands
· display pki certificate request-status
· pki request-certificate domain
pki certificate access-control-policy
Use pki certificate access-control-policy to create a certificate-based access control policy and enter its view.
Use undo pki certificate access-control-policy to remove a certificate-based access control policy.
Syntax
pki certificate access-control-policy policy-name
undo pki certificate access-control-policy policy-name
Default
No certificate-based access control policies exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
policy-name: Specifies a policy name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
You can add multiple rules to a certificate-based access control policy.
Examples
# Create a certificate-based access control policy named mypolicy and enter its view.
<Sysname> system-view
[Sysname] pki certificate access-control-policy mypolicy
[Sysname-pki-cert-acp-mypolicy]
Related commands
· display pki certificate access-control-policy
· rule
pki certificate attribute-group
Use pki certificate attribute-group to create a certificate attribute group and enter its view.
Use undo pki certificate attribute-group to remove a certificate attribute group.
Syntax
pki certificate attribute-group group-name
undo pki certificate attribute-group group-name
Default
No certificate attribute groups exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
group-name: Specifies a group name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
A certificate attribute group is a set of attribute rules configured by using the attribute command. Each attribute rule defines a matching criterion for an attribute in the issuer name, subject name, or alternative subject name field of certificates.
A certificate attribute group must be associated with an access control rule (a permit or deny statement configured by using the rule command). If a certificate attribute group has no attribute rules, all certificates match the associated access control rule. Take care with such a group on a permit rule: every certificate the rule is evaluated against is accepted.
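How the permit and deny rules and their attribute groups combine, as an added example that is not part of this reference or of the device software. It reproduces the semantics stated here and in the display output above (the ctn, nctn, equ and nequ operators; a permit or deny rule fires when the certificate matches every attribute rule in its group; a group with no attribute rules matches every certificate) on constructed certificate name fields. Two points are assumptions rather than statements of this page: rules are evaluated in order and the first matching rule decides, and a certificate that matches no rule is treated as invalid.

```python
# Constructed configuration modelled on the display output above (not from a real device).
# An attribute group is a list of (field, attribute type, operator, value) rules;
# a policy is an ordered list of (action, group name) rules.
ATTRIBUTE_GROUPS = {
    "mygroup1": [("subject-name", "dn", "ctn", "abc")],
    "mygroup2": [("issuer-name", "fqdn", "nctn", "app")],
    "emptygroup": [],  # no attribute rules: matches every certificate
}
POLICY = [("deny", "mygroup1"), ("permit", "mygroup2")]

OPERATORS = {
    "ctn": lambda actual, value: value in actual,       # contains
    "nctn": lambda actual, value: value not in actual,  # does not contain
    "equ": lambda actual, value: actual == value,       # equals
    "nequ": lambda actual, value: actual != value,      # does not equal
}


def make_cert(subject_dn, issuer_dn, subject_fqdn="", issuer_fqdn="", alt_subject_fqdn=""):
    """The name fields an attribute rule can examine, keyed by (field, attribute type).
    Field names follow the display output above; unset fields are the empty string."""
    return {
        ("subject-name", "dn"): subject_dn,
        ("issuer-name", "dn"): issuer_dn,
        ("subject-name", "fqdn"): subject_fqdn,
        ("issuer-name", "fqdn"): issuer_fqdn,
        ("alt-subject-name", "fqdn"): alt_subject_fqdn,
    }


def attribute_matches(cert, attribute_rule):
    field, attr_type, operator, value = attribute_rule
    return OPERATORS[operator](cert.get((field, attr_type), ""), value)


def group_matches(cert, attribute_rules):
    """A group matches when every attribute rule holds. all() over an empty list is True,
    which is exactly the documented behaviour of a group with no attribute rules."""
    return all(attribute_matches(cert, r) for r in attribute_rules)


def evaluate_policy(cert, policy, groups):
    """Return (valid, reason). The first rule whose group matches decides (assumed
    ordering): permit makes the certificate valid, deny makes it invalid. A certificate
    matching no rule is treated as invalid (assumed fail-closed; not stated on the page)."""
    for number, (action, group_name) in enumerate(policy, start=1):
        if group_matches(cert, groups[group_name]):
            return action == "permit", f"Rule {number} {action} {group_name}"
    return False, "no rule matched"


def audit_policy(policy, groups):
    """Flag the trap described in the usage guidelines: a rule whose attribute group is
    empty matches every certificate, so on a permit rule it accepts everything the CA
    has signed and any rules after it are never reached."""
    findings = []
    for number, (action, group_name) in enumerate(policy, start=1):
        if not groups.get(group_name):
            findings.append(f"Rule {number} {action} {group_name}: empty group matches all certificates")
    return findings


if __name__ == "__main__":
    for cert in (make_cert("CN=abc-user", "CN=ca", issuer_fqdn="ca.example.test"),
                 make_cert("CN=sldsslserver", "CN=ca", issuer_fqdn="ca.example.test"),
                 make_cert("CN=sldsslserver", "CN=ca", issuer_fqdn="app.example.test")):
        print(cert[("subject-name", "dn")], evaluate_policy(cert, POLICY, ATTRIBUTE_GROUPS))
    print(audit_policy([("permit", "emptygroup"), ("deny", "mygroup1")], ATTRIBUTE_GROUPS))
```

Run audit_policy over a policy before attaching it to a service: an empty group bound to a permit rule, or a permit rule placed before the deny rules it was meant to be narrowed by, turns certificate-based access control into "accept anything this CA signed".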
Examples
# Create a certificate attribute group named mygroup and enter its view.
<Sysname> system-view
[Sysname] pki certificate attribute-group mygroup
[Sysname-pki-cert-attribute-group-mygroup]
Related commands
· attribute
· display pki certificate attribute-group
· rule
pki delete-certificate
Use pki delete-certificate to remove certificates from a PKI domain.
Syntax
pki delete-certificate domain domain-name { ca | local | peer [ serial serial-num ] }
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
ca: Specifies the CA certificate.
local: Specifies the local certificates.
peer: Specifies the peer certificates.
serial serial-num: Specifies a peer certificate by its serial number, a case-insensitive string of 1 to 127 characters. If you do not specify a peer certificate, this command removes all peer certificates in the PKI domain.
Usage guidelines
When you remove the CA certificate in a PKI domain, the system also removes the local certificates, peer certificates, and the CRL in the PKI domain.
Examples
# Remove the CA certificate in the PKI domain aaa.
<Sysname> system-view
[Sysname] pki delete-certificate domain aaa ca
Local certificates, peer certificates and CRL will also be deleted while deleting the CA certificate.
Confirm to delete the CA certificate? [Y/N]:y
[Sysname]
# Remove the local certificates in the PKI domain aaa.
<Sysname> system-view
[Sysname] pki delete-certificate domain aaa local
[Sysname]
# Remove all peer certificates in the PKI domain aaa.
<Sysname> system-view
[Sysname] pki delete-certificate domain aaa peer
[Sysname]
# Display information about all peer certificates in the PKI domain aaa, and remove a peer certificate with the specified serial number.
<Sysname> system-view
[Sysname] display pki certificate domain aaa peer
Total peer certificates: 1
Serial Number: 9a0337eb2156ba1f5476e4d754a5a9f7
Subject Name: CN=abc
[Sysname] pki delete-certificate domain aaa peer serial 9a0337eb2156ba1f5476e4d754a5a9f7
Related commands
display pki certificate domain
pki domain
Use pki domain to create a PKI domain and enter its view.
Use undo pki domain to remove a PKI domain.
Syntax
pki domain domain-name
undo pki domain domain-name
Default
No PKI domains exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
Usage guidelines
When you remove a PKI domain, the certificates and the CRL in the domain are also removed.
Examples
# Create a PKI domain named aaa and enter its view.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa]
pki entity
Use pki entity to create a PKI entity and enter its view.
Use undo pki entity to remove a PKI entity.
Syntax
pki entity entity-name
undo pki entity entity-name
Default
No PKI entity exists.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
entity-name: Specifies the name of a PKI entity, a case-insensitive string of 1 to 31 characters.
Usage guidelines
A PKI entity includes the identity information that can be used by a CA to identify a certificate applicant. You can configure multiple attributes for a PKI entity, such as common name, organization, organization unit, locality, state, country, FQDN, and IP address. The information will be included as subject contents in the certificate issued by the CA.
Examples
# Create a PKI entity named en and enter its view.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en]
Related commands
pki domain
pki export
Use pki export to export the CA certificate and the local certificates in a PKI domain to local files or display them on a terminal.
Syntax
pki export domain domain-name der { all | ca | local } filename filename
pki export domain domain-name p12 { all | local } passphrase p12passwordstring filename filename
pki export domain domain-name pem { { all | local } [ { 3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc } pempasswordstring ] | ca } [ filename filename ]
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
der: Specifies the certificate file format as DER.
p12: Specifies the certificate file format as PKCS12.
pem: Specifies the certificate file format as PEM.
all: Specifies both CA and local certificates. The RA certificate is excluded.
ca: Specifies the CA certificate.
local: Specifies the local certificates or the local certificates and their private keys.
passphrase p12passwordstring: Specifies a password for encrypting the private key of a local PKCS12 certificate.
3des-cbc: Specifies 3DES_CBC for encrypting the private key of a local certificate.
aes-128-cbc: Specifies 128-bit AES_CBC for encrypting the private key of a local certificate.
aes-192-cbc: Specifies 192-bit AES_CBC for encrypting the private key of a local certificate.
aes-256-cbc: Specifies 256-bit AES_CBC for encrypting the private key of a local certificate.
des-cbc: Specifies DES_CBC for encrypting the private key of a local certificate.
pempasswordstring: Specifies a password for encrypting the private key of a local certificate in PEM format.
filename filename: Specifies a file name for storing a certificate. The file name is a case-insensitive string. If you do not specify a file name for the certificates in PEM format, this command displays the certificates on the terminal.
Usage guidelines
When you export the CA certificate, the following conditions might exist:
· If the PKI domain has only one CA certificate, this command exports the CA certificate to a file or displays it on the terminal.
· If the PKI domain has a CA certificate chain, this command exports the certificate chain to a file or displays it on the terminal.
When you export the local certificates, the local file names might not be the same as specified in the command. The file names depend on the usage of the key pairs of the certificates. In the following description, the filename is the file name specified in the command.
· If the key pair of the local certificate is for signing, the local file name is filename-sign.
· If the key pair of the local certificate is for encryption, the local file name is filename-encr.
· If the key pair of the local certificate is for general use (RSA or DSA), the local file name is filename.
If the PKI domain has two local certificates, one of the following results occurs:
· If you specify a file name, the local certificates are exported to two different files.
· If you do not specify a file name, the local certificates are displayed on the terminal, separated by the system prompts.
When you export all certificates:
· If the PKI domain has only the CA certificate or local certificates, the result is the same as when you export the CA certificate or local certificates separately.
· If the PKI domain has both the CA certificate and local certificates, you get the following results:
¡ If you specify a file name, each local certificate with its corresponding CA certificate chain is exported to a separate file.
¡ If you do not specify a file name, all local certificates and the CA certificate or CA certificate chain are displayed on the terminal, separated by the system prompts.
When you export all certificates in PKCS12 format, the PKI domain must have a local certificate. Otherwise, the export operation fails.
When you export the local certificates or all certificates in PEM format, you must specify the cryptographic algorithm and a password for the private keys. Otherwise, this command exports the certificates without their private keys. If you specify the algorithm and the password, and the local certificates have their private keys, this command exports the local certificates together with their private keys. If the local certificates do not have private keys, the export operation fails. Prefer one of the AES options for the private keys; DES-CBC and 3DES-CBC are legacy algorithms. The password is entered in clear text on the command line.
When you export the local certificates, if the key pair in the PKI domain is changed and no longer matches the key in the local certificates, the export operation fails.
When you export the local certificates or all certificates, if the PKI domain has two local certificates, failure of exporting one local certificate does not affect export of the other.
The specified file name can contain an absolute path. If the specified path does not exist, the export operation fails.
Examples
# Export the CA certificate in the PKI domain to a file named cert-ca.der in DER format.
<Sysname> system-view
[Sysname] pki export domain domain1 der ca filename cert-ca.der
# Export the local certificates in the PKI domain to a file named cert-lo.der in DER format.
<Sysname> system-view
[Sysname] pki export domain domain1 der local filename cert-lo.der
# Export all certificates in the PKI domain to a file named cert-all.p7b in DER format.
<Sysname> system-view
[Sysname] pki export domain domain1 der all filename cert-all.p7b
# Export the CA certificate in the PKI domain to a file named cacert in PEM format.
<Sysname> system-view
[Sysname] pki export domain domain1 pem ca filename cacert
# Export the local certificates and their private keys in the PKI domain to a file named local.pem in PEM format. For the private keys, the cryptographic algorithm is DES_CBC and the password is 111.
<Sysname> system-view
[Sysname] pki export domain domain1 pem local des-cbc 111 filename local.pem
# Export all certificates in the PKI domain to a file named all.pem in PEM format. No cryptographic algorithm or password is specified, so the private keys are not exported.
<Sysname> system-view
[Sysname] pki export domain domain1 pem all filename all.pem
# Display the local certificates and their private keys in the PKI domain on the terminal in PEM format. For the private keys, the cryptographic algorithm is DES_CBC and the password is 111.
<Sysname> system-view
[Sysname] pki export domain domain1 pem local des-cbc 111
%The signature usage local certificate:
Bag Attributes
friendlyName:
localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D
subject=/C=CN/O=OpenCA Labs/OU=Users/CN=chktest chktest
issuer=/C=CN/O=OpenCA Labs/OU=software/CN=abcd
-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----
Bag Attributes
friendlyName:
localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----
# Display all certificates in the PKI domain in PEM format. For the private keys, the cryptographic algorithm is DES_CBC and the password is 111.
<Sysname> system-view
[Sysname] pki export domain domain1 pem all des-cbc 111
%The signature usage local certificate:
Bag Attributes
friendlyName:
localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D
subject=/C=CN/O=OpenCA Labs/OU=Users/CN=chktest chktest
issuer=/C=CN/O=OpenCA Labs/OU=software/CN=abcd
-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/C=CN/O=OpenCA Labs/OU=software/CN=abcd
issuer=/C=CN/O=OpenCA Labs/OU=software/CN=abcd
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Bag Attributes
friendlyName:
localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----
# Display the CA certificate in the PKI domain in PEM format.
<Sysname> system-view
[Sysname] pki export domain domain1 pem ca
-----BEGIN CERTIFICATE-----
MIIB+TCCAWICEQDMbgjRKygg3vpGFVY6pa3ZMA0GCSqGSIb3DQEBBQUAMD0xCzAJ
BgNVBAYTAmNuMQwwCgYDVQQKEwNoM2MxETAPBgNVBAsTCGgzYy10ZXN0MQ0wCwYD
VQQDEwQ4MDQzMB4XDTExMDMyMjA0NDQyNFoXDTE0MDMyMzA0MzUyNFowPTELMAkG
A1UEBhMCY24xDDAKBgNVBAoTA2gzYzERMA8GA1UECxMIaDNjLXRlc3QxDTALBgNV
BAMTBDgwNDMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOvDAYQhyc++G7h5
eNDzJs22OQjCn/4JqnNKIdKz1BbaJT8/+IueSn9JIsg64Ex2WBeCd/tcmnSW57ag
dCvNIUYXXVOGca2iaSOElqCF4CQfV9zLrBtA7giHD49T+JbxLrrJLmdIQMJ+vYdC
sCxIp3YMAiuCahVLZeXklooqwqIXAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAElm7
W2Lp9Xk4nZVIpVV76CkNe8/C+Id00GCRUUVQFSMvo7Pded76bmYX2KzJSz+DlMqy
TdVrgG9Fp6XTFO80aKJGe6NapsfhJHKS+Q7mL0XpXeMONgK+e3dX7rsDxsY7hF+j
0gwsHrjV7kWvwJvDlhzGW6xbpr4DRmdcao19Cr6o=
-----END CERTIFICATE-----
# Display the CA certificate or the CA certificate chain in the PKI domain on the terminal.
<Sysname> system-view
[Sysname] pki export domain domain1 pem ca
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB8DCCAVkCEQD2PBUx/rvslNw9uTrZB3DlMA0GCSqGSIb3DQEBBQUAMDoxCzAJ
BgNVBAYTAmNuMQwwCgYDVQQKEwNoM2MxDDAKBgNVBAsTA2gzYzEPMA0GA1UEAxMG
cm9mdcGNhMB4XDTExMDEwNjAyNTY1OFoXDTEzMTIwNDAzMTMxMFowNzELMAkGA1UE
BhMCY24xDDAKBgNVBAoTA2gzYzEMMAoGA1UECxMDaDNjMQwwCgYDVQQDEwNhY2Ew
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOeklR7DpeEV72N1OLz+dydIDTx0
zVZDdPxF1gQYWSfIBwwFKJEyQ/4y8VIfDIm0EGTM4dsOX/QFwudhl/Czkio3dWLh
Q1y5XCJy68vQKrB82WZ2mah5Nuekus3LSZZBoZKTAOY5MCCMFcULM858dtSq15Sh
xF7tKSeAT7ARlJxTAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEADJQCo6m0RNup0ewa
ItX4XK/tYcJXAQWMA0IuwaWpr+ofqVVgYBPwVpYglhJDOuIZxKdR2pfQOA4f35wM
Vz6kAujLATsEA1GW9ACUWa5PHwVgJk9BDEXhKSJ2e7odmrg/iROhJjc1NMV3pvIs
CuFiCLxRQcMGhCNHlOn4wuydssc=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
# Export the local certificates and their private keys in the PKI domain to a file named cert-lo.der in PKCS12 format. The password for the private keys is 123.
<Sysname> system-view
[Sysname] pki export domain domain1 p12 local passphrase 123 filename cert-lo.der
# Export all certificates in the PKI domain to a file named cert-all.p7b in PKCS12 format. The password for the private keys is 123.
<Sysname> system-view
[Sysname] pki export domain domain1 p12 all passphrase 123 filename cert-all.p7b
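The PEM output shown above is what an operator usually copies off the terminal into a PKI bundle, so it is worth checking its shape before relying on it. The following script is an added example and is not part of this command reference or of the device software; it uses only the Python standard library, and the sample bundle is constructed here with placeholder base64 bodies that are not real certificates or keys. It splits a PEM bundle into its bags, tells the self-signed CA certificate from the local certificate (subject equal to issuer), reports whether a private key was exported at all and whether it is encrypted (the caveat in the usage guidelines: without a cryptographic algorithm and password, no private key is written), and confirms that each key bag's localKeyID matches a local certificate bag. It does not parse X.509 or validate signatures; use openssl for that.

```python
"""Audit a PEM bundle produced by `pki export domain ... pem ...`.

Added example, not device or vendor code. Standard library only; the
sample bundle below is constructed and its base64 bodies are placeholders.
"""
import re
from dataclasses import dataclass, field

# Constructed sample mirroring the terminal output of `pki export ... pem all
# des-cbc <password>`: one local certificate bag, one self-signed CA bag and
# one encrypted private key bag. Bodies are placeholders, not real DER.
SAMPLE_BUNDLE = """\
%The signature usage local certificate:
Bag Attributes
friendlyName:
localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D
subject=/C=CN/O=OpenCA Labs/OU=Users/CN=chktest chktest
issuer=/C=CN/O=OpenCA Labs/OU=software/CN=abcd
-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/C=CN/O=OpenCA Labs/OU=software/CN=abcd
issuer=/C=CN/O=OpenCA Labs/OU=software/CN=abcd
-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END CERTIFICATE-----
Bag Attributes
friendlyName:
localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END ENCRYPTED PRIVATE KEY-----
"""

# Same bundle as produced without `des-cbc <password>`: the key bag is absent.
SAMPLE_NO_KEY = SAMPLE_BUNDLE[:SAMPLE_BUNDLE.rindex("Bag Attributes\n")]

ATTR_RE = re.compile(r"([^:=]+)[:=]\s*(.*)")


@dataclass
class Bag:
    kind: str                                   # e.g. "CERTIFICATE", "ENCRYPTED PRIVATE KEY"
    attrs: dict = field(default_factory=dict)   # attribute lines preceding the PEM block
    body: str = ""                              # base64 payload between BEGIN/END


def parse_bundle(text):
    """Split a PEM bundle into bags; attribute lines are attached to the block that follows."""
    bags, attrs, body, kind = [], {}, [], None
    for line in text.splitlines():
        if kind is not None:                     # inside a PEM block
            if line == f"-----END {kind}-----":
                bags.append(Bag(kind, attrs, "".join(body)))
                attrs, body, kind = {}, [], None
            else:
                body.append(line.strip())
            continue
        begin = re.match(r"-----BEGIN (.+?)-----$", line)
        if begin:
            kind = begin.group(1)
        elif line.startswith("%"):               # device notice line, not an attribute
            continue
        else:
            m = ATTR_RE.match(line)
            if m:
                attrs[m.group(1).strip()] = m.group(2).strip()
    return bags


def audit_bundle(text):
    """Summarize what the export contains so an operator can confirm intent."""
    bags = parse_bundle(text)
    certs = [b for b in bags if b.kind == "CERTIFICATE"]
    keys = [b for b in bags if b.kind.endswith("PRIVATE KEY")]
    # A self-signed certificate (subject == issuer) is the CA; the rest are local certificates.
    ca = [c for c in certs if c.attrs.get("subject") == c.attrs.get("issuer")]
    local = [c for c in certs if c.attrs.get("subject") != c.attrs.get("issuer")]
    if not keys:
        key_status = "none"                      # export was run without algorithm/password
    elif all(k.kind == "ENCRYPTED PRIVATE KEY" for k in keys):
        key_status = "encrypted"
    else:
        key_status = "plaintext"                 # would be a handling concern for this bundle
    # Every exported key must be tied to a local certificate through localKeyID.
    keys_linked = bool(keys) and all(
        any(k.attrs.get("localKeyID") == c.attrs.get("localKeyID") for c in local)
        for k in keys
    )
    return {"certs": len(certs), "ca": len(ca), "local": len(local),
            "key_status": key_status, "keys_linked": keys_linked}


if __name__ == "__main__":
    print(audit_bundle(SAMPLE_BUNDLE))
    print(audit_bundle(SAMPLE_NO_KEY))
```

Run it against a bundle saved from the terminal to confirm that the CA and local certificates are both present, that the private key came out encrypted rather than missing, and that the key belongs to the local certificate you meant to export; a "none" key status after a `pem local` or `pem all` export is the symptom of omitting the cryptographic algorithm and password.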
Related commands
pki domain
pki import
Use pki import to import the CA certificate, local certificates, or peer certificates for a PKI domain.
Syntax
pki import domain domain-name { der { ca | local | peer } filename filename | p12 local filename f