Contents
data-flow-format (RADIUS scheme view)
primary accounting (RADIUS scheme view)
primary authentication (RADIUS scheme view)
secondary accounting (RADIUS scheme view)
secondary authentication (RADIUS scheme view)
timer quiet (RADIUS scheme view)
timer realtime-accounting (RADIUS scheme view)
timer response-timeout (RADIUS scheme view)
user-name-format (RADIUS scheme view)
vpn-instance (RADIUS scheme view)
data-flow-format (HWTACACS scheme view)
primary accounting (HWTACACS scheme view)
primary authentication (HWTACACS scheme view)
secondary accounting (HWTACACS scheme view)
secondary authentication (HWTACACS scheme view)
timer quiet (HWTACACS scheme view)
timer realtime-accounting (HWTACACS scheme view)
timer response-timeout (HWTACACS scheme view)
user-name-format (HWTACACS scheme view)
vpn-instance (HWTACACS scheme view)
display password-control blacklist
password-control { aging | composition | history | length } enable
password-control alert-before-expire
password-control expired-user-login
password-control login idle-time
password-control login-attempt
password-control super composition
password-control update-interval
reset password-control blacklist
reset password-control history-record
Public key management commands
display public-key local public
display pki certificate access-control-policy
display pki certificate attribute-group
display pki certificate domain
display pki certificate request-status
pki certificate access-control-policy
pki certificate attribute-group
ike invalid-spi-recovery enable
ike signature-identity from-certificate
match local address (IKE keychain view)
match local address (IKE profile view)
ssh server authentication-retries
ssh server authentication-timeout
ssh server compatible-ssh1x enable
ip source binding (interface view)
ip source binding (system view)
ARP attack protection commands
Unresolvable IP attack protection commands
arp resolving-route probe-count
arp resolving-route probe-interval
display arp source-suppression
ARP packet rate limit commands
Source MAC-based ARP attack detection commands
ARP packet source MAC consistency check commands
ARP active acknowledgement commands
arp restricted-forwarding enable
display arp detection statistics
reset arp detection statistics
ARP scanning and fixed ARP commands
ARP gateway protection commands
Attack detection and prevention commands
AAA commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
General AAA commands
aaa session-limit
Use aaa session-limit to set the maximum number of concurrent users who can log on to the device through the specified method.
Use undo aaa session-limit to restore the default maximum number of concurrent users for the specified login method.
Syntax
In non-FIPS mode:
aaa session-limit { ftp | ssh | telnet } max-sessions
undo aaa session-limit { ftp | ssh | telnet }
In FIPS mode:
aaa session-limit ssh max-sessions
undo aaa session-limit ssh
Default
The maximum number of concurrent users is 32 for each user type.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
ftp: FTP users.
ssh: SSH users.
telnet: Telnet users.
max-sessions: Specifies the maximum number of concurrent login users. The value range is 1 to 32.
Usage guidelines
When the number of concurrent login users of a user type would exceed the configured limit, the system denies subsequent login attempts by users of that type.
Examples
# Set the maximum number of concurrent FTP users to 4.
<Sysname> system-view
[Sysname] aaa session-limit ftp 4
accounting command
Use accounting command to specify the command line accounting method.
Use undo accounting command to restore the default.
Syntax
accounting command hwtacacs-scheme hwtacacs-scheme-name
undo accounting command
Default
The default accounting method of the ISP domain is used for command line accounting.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The command line accounting feature works with the accounting server to record all commands that have been successfully executed on the device.
Command line accounting can use only a remote HWTACACS server.
Examples
# In ISP domain test, perform command line accounting based on HWTACACS scheme hwtac.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting command hwtacacs-scheme hwtac
Related commands
· accounting default
· command accounting (Fundamentals Command Reference)
· hwtacacs scheme
accounting default
Use accounting default to specify the default accounting method for an ISP domain.
Use undo accounting default to restore the default.
Syntax
In non-FIPS mode:
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo accounting default
In FIPS mode:
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo accounting default
Default
The default accounting method of an ISP domain is local.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The default accounting method is used for all users who support this method and do not have an accounting method configured.
Local accounting is only used for monitoring and controlling the number of local user connections. It does not provide the statistics function that the accounting feature generally provides.
You can specify one primary default accounting method and multiple backup default accounting methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting default radius-scheme radius-scheme-name local none command specifies the primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.
Examples
# Configure the default accounting method for ISP domain test to use RADIUS scheme rd and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting default radius-scheme rd local
Related commands
· hwtacacs scheme
· local-user
· radius scheme
accounting login
Use accounting login to specify the accounting method for login users.
Use undo accounting login to restore the default.
Syntax
In non-FIPS mode:
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo accounting login
In FIPS mode:
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo accounting login
Default
The default accounting method of the ISP domain is used for login users.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
Accounting is not supported for FTP, SFTP, and SCP users.
You can specify one primary accounting method and multiple backup accounting methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting login radius-scheme radius-scheme-name local none command specifies RADIUS as the primary accounting method for login users and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.
Examples
# In ISP domain test, perform local accounting for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting login local
# In ISP domain test, perform RADIUS accounting for login users based on scheme rd and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting login radius-scheme rd local
Related commands
· accounting default
· hwtacacs scheme
· local-user
· radius scheme
authentication default
Use authentication default to specify the default authentication method for an ISP domain.
Use undo authentication default to restore the default.
Syntax
In non-FIPS mode:
authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authentication default
In FIPS mode:
authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo authentication default
Default
The default authentication method of an ISP domain is local.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The default authentication method is used for all users who support this method and do not have an authentication method configured.
You can specify one primary default authentication method and multiple backup default authentication methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication default radius-scheme radius-scheme-name local none command specifies a primary default RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.
Examples
# Configure the default authentication method for ISP domain test to use RADIUS scheme rd and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication default radius-scheme rd local
Related commands
· hwtacacs scheme
· local-user
· radius scheme
authentication login
Use authentication login to specify the authentication method for login users.
Use undo authentication login to restore the default.
Syntax
In non-FIPS mode:
authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authentication login
In FIPS mode:
authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo authentication login
Default
The default authentication method of the ISP domain is used for login users.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary authentication method and multiple backup authentication methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies RADIUS as the primary authentication method for login users and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.
Examples
# In ISP domain test, perform local authentication for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication login local
# In ISP domain test, perform RADIUS authentication for login users based on scheme rd and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication login radius-scheme rd local
Related commands
· authentication default
· hwtacacs scheme
· local-user
· radius scheme
authentication super
Use authentication super to specify a method for user role authentication.
Use undo authentication super to restore the default.
Syntax
authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } *
undo authentication super
Default
The default authentication method of the ISP domain is used for user role authentication.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one authentication method and one backup authentication method, which is used if the previous method is invalid.
If you specify a scheme to provide the method for user role authentication, the method applies only to users whose user role is in the format of level-n.
· If an HWTACACS scheme is specified, the device uses the entered username for role authentication. The username must already exist on the HWTACACS server and represents the highest user level that the user can obtain. For example, for a user named test to obtain the level-3 user role, the device uses the string test@domain-name or test for role authentication, depending on whether the domain name is required.
· If a RADIUS scheme is specified, the device uses the username $enabn$ on the RADIUS server for role authentication, regardless of the login username. The variable n has the same value as the level of the target user role. For example, to obtain the level-3 user role, the device uses the username string $enab3$@domain-name or $enab3$, depending on whether the domain name is required.
Examples
# In ISP domain test, perform user role authentication based on HWTACACS scheme tac.
<Sysname> system-view
[Sysname] super authentication-mode scheme
[Sysname] domain test
[Sysname-domain-test] authentication super hwtacacs-scheme tac
Related commands
· authentication default
· hwtacacs scheme
· radius scheme
authorization command
Use authorization command to specify the command authorization method.
Use undo authorization command to restore the default.
Syntax
In non-FIPS mode:
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] | local [ none ] | none }
undo authorization command
In FIPS mode:
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local }
undo authorization command
Default
The default authorization method of the ISP domain is used for command authorization.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. No authorization server verifies whether an entered command is permitted; a command is executed as long as the user role has permission to it.
Usage guidelines
Command authorization restricts login users to authorized commands: an authorization server verifies whether each entered command is permitted before it is executed.
After login, users can access the command lines permitted by their authorized user roles.
You can specify one primary command authorization method and multiple backup authorization methods.
When the primary method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization command hwtacacs-scheme hwtacacs-scheme-name local none command specifies HWTACACS as the primary command authorization method and two backup methods (local authorization and no authorization). The device performs HWTACACS authorization by default and performs local authorization when the HWTACACS server is invalid. The device does not perform command authorization when both of the previous methods are invalid.
Examples
# In ISP domain test, configure the device to perform local command authorization.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization command local
# In ISP domain test, perform command authorization based on HWTACACS scheme hwtac and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local
Related commands
· authorization accounting (Fundamentals Command Reference)
· hwtacacs scheme
· local-user
authorization default
Use authorization default to specify the default authorization method for an ISP domain.
Use undo authorization default to restore the default.
Syntax
In non-FIPS mode:
authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authorization default
In FIPS mode:
authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo authorization default
Default
The default authorization method of an ISP domain is local.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. After passing authentication, FTP, SFTP, and SCP users use the root directory of the device as the working directory but cannot access it, and other login users get the default user role. For more information about the default user role, see Fundamentals Configuration Guide.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The default authorization method is used for all users who support this method and do not have an authorization method configured.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
You can specify one primary authorization method and multiple backup authorization methods.
When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization default radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.
Examples
# Configure the default authorization method for ISP domain test to use RADIUS scheme rd for user authorization and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization default radius-scheme rd local
Related commands
· hwtacacs scheme
· local-user
· radius scheme
authorization login
Use authorization login to configure the authorization method for login users.
Use undo authorization login to restore the default.
Syntax
In non-FIPS mode:
authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authorization login
In FIPS mode:
authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo authorization login
Default
The default authorization method of the ISP domain is used for login users.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. After passing authentication, FTP, SFTP, and SCP users use the root directory of the device as the working directory but cannot access it, and other login users get the default user role. For more information about the default user role, see Fundamentals Configuration Guide.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
You can specify one primary authorization method and multiple backup authorization methods.
When the primary method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization login radius-scheme radius-scheme-name local none command specifies RADIUS as the primary authorization method for login users and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.
Examples
# In ISP domain test, perform local authorization for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization login local
# In ISP domain test, perform RADIUS authorization for login users based on scheme rd and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization login radius-scheme rd local
Related commands
· authorization default
· hwtacacs scheme
· local-user
· radius scheme
display domain
Use display domain to display the ISP domain configuration.
Syntax
display domain [ isp-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 24 characters. If you do not specify an ISP domain, the command displays the configuration of all ISP domains.
Examples
# Display the configuration of all ISP domains.
<Sysname> display domain
Total 2 domain(s)
Domain:system
State: Active
Access-limit: Disable
Access-Count: 0
default Authentication Scheme: local
default Authorization Scheme: local
default Accounting Scheme: local
Authorization attributes :
Idle-cut : Disable
Domain:dm
State: Active
Access-limit: 2222
Access-Count: 0
login Authentication Scheme: radius: rad
login Authorization Scheme: tacacs: hw
default Authentication Scheme: radius: rad, local, none
default Authorization Scheme: local
default Accounting Scheme: none
Authorization attributes :
Idle-cut : Disable
Default Domain Name: system
Table 1 Command output

Field | Description
---|---
Domain | ISP domain name.
State | Status of the ISP domain.
Access-limit | Limit to the number of user connections. If the number is not limited, this field displays Disabled.
Access-Count | Number of online users.
default Authentication Scheme | Default authentication method.
default Authorization Scheme | Default authorization method.
default Accounting Scheme | Default accounting method.
login Authentication Scheme | Authentication method for login users.
login Authorization Scheme | Authorization method for login users.
login Accounting Scheme | Accounting method for login users.
Authorization attributes | Authorization attributes for users in the ISP domain.
Idle-cut | Idle cut feature is disabled. The feature cannot be enabled in ISP domain view.
radius | RADIUS scheme.
tacacs | HWTACACS scheme.
local | Local scheme.
none | No authentication, no authorization, or no accounting.
Command Authorization Scheme | Command line authorization method.
Command Accounting Scheme | Command line accounting method.
Super Authentication Scheme | Authentication method for obtaining a temporary user role.
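The method chains in this output follow the fallback rule described in the usage guidelines above (primary first, then backups in sequence), and a chain ending in none degrades to no authentication as soon as the remote server is unreachable. The following Python example, added here and not part of the command reference, parses output in the format shown, resolves which method a chain actually ends up using, and flags chains that can degrade to none. The sample output and the audit rules are constructed for illustration.

```python
"""Audit `display domain` output for AAA method chains that can degrade to none.

Constructed example: parses Comware-style `display domain` text in the
layout shown above and applies simple reviewer rules. The sample text and
the rules are constructed for illustration, not taken from a live device.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the display domain example above.
SAMPLE_OUTPUT = """\
Total 2 domain(s)
Domain:system
State: Active
Access-limit: Disable
Access-Count: 0
default Authentication Scheme: local
default Authorization Scheme: local
default Accounting Scheme: local
Authorization attributes :
Idle-cut : Disable
Domain:dm
State: Active
Access-limit: 2222
Access-Count: 0
login Authentication Scheme: radius: rad
login Authorization Scheme: tacacs: hw
default Authentication Scheme: radius: rad, local, none
default Authorization Scheme: local
default Accounting Scheme: none
Authorization attributes :
Idle-cut : Disable
Default Domain Name: system
"""

# "<scope> <Authentication|Authorization|Accounting> Scheme: <chain>"
SCHEME_RE = re.compile(r"^(default|login|Command|Super) (\w+) Scheme: (.*)$")


@dataclass
class Domain:
    name: str
    state: str = ""
    access_limit: str = ""
    # e.g. {"default Authentication": ["radius: rad", "local", "none"]}
    chains: dict = field(default_factory=dict)


def parse_display_domain(text):
    """Return {domain name: Domain} parsed from display domain output."""
    domains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Domain:"):
            current = Domain(name=line.split(":", 1)[1].strip())
            domains[current.name] = current
        elif current is None:
            continue  # header lines before the first domain block
        elif line.startswith("State:"):
            current.state = line.split(":", 1)[1].strip()
        elif line.startswith("Access-limit:"):
            current.access_limit = line.split(":", 1)[1].strip()
        else:
            m = SCHEME_RE.match(line)
            if m:
                # Methods are listed primary first, then backups in order.
                key = f"{m.group(1)} {m.group(2)}"
                current.chains[key] = [p.strip() for p in m.group(3).split(",")]
    return domains


def effective_method(chain, valid):
    """Method the device ends up using: the first valid one in the chain.

    `valid` is the set of methods that currently succeed (a reachable
    "radius: rad", a matching local account, ...); `none` always succeeds.
    Returns None when every method is invalid and the request fails.
    """
    for method in chain:
        if method == "none" or method in valid:
            return method
    return None


def audit(domains):
    """Return (domain, field, issue) triples worth a reviewer's attention."""
    findings = []
    for d in domains.values():
        for key, chain in d.chains.items():
            if key.endswith(("Authentication", "Authorization")) and "none" in chain:
                findings.append((d.name, key, "can degrade to none"))
            if key.endswith("Accounting") and chain == ["none"]:
                findings.append((d.name, key, "no accounting"))
        if d.access_limit == "Disable":
            findings.append((d.name, "Access-limit", "no concurrent-user limit"))
    return findings


if __name__ == "__main__":
    parsed = parse_display_domain(SAMPLE_OUTPUT)
    for name, key, issue in audit(parsed):
        print(f"{name}: {key}: {issue}")
    # Simulate a RADIUS outage with no matching local account.
    chain = parsed["dm"].chains["default Authentication"]
    print("dm default authentication, all remote/local methods invalid:",
          effective_method(chain, valid=set()))
```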
domain
Use domain to create an ISP domain and enter ISP domain view.
Use undo domain to remove an ISP domain.
Syntax
domain isp-name
undo domain isp-name
Default
There is a system-defined ISP domain named system.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters. The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
Usage guidelines
All ISP domains are in active state when they are created.
The system has a predefined ISP domain named system. You can modify but not remove its configuration.
An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.
Examples
# Create ISP domain test and enter ISP domain view.
<Sysname> system-view
[Sysname] domain test
Related commands
· display domain
· domain default enable
· state (ISP domain view)
domain default enable
Use domain default enable to specify the default ISP domain. Users whose usernames do not include a domain name are assigned to the default domain.
Use undo domain default enable to restore the default.
Syntax
domain default enable isp-name
undo domain default enable
Default
The default ISP domain is the system-defined ISP domain system.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters.
Usage guidelines
There can be only one default ISP domain.
The specified ISP domain must already exist.
An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.
Examples
# Create an ISP domain named test, and configure the domain as the default ISP domain.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] quit
[Sysname] domain default enable test
Related commands
· display domain
· domain
state (ISP domain view)
Use state to set the status of an ISP domain.
Use undo state to restore the default.
Syntax
state { active | block }
undo state
Default
An ISP domain is in active state.
Views
ISP domain view
Predefined user roles
network-admin
mdc-admin
Parameters
active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.
block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services.
Usage guidelines
Blocking an ISP domain prevents users of the domain who are not yet online from requesting network services. Users who are already online are not affected.
Examples
# Place the ISP domain test in blocked state.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] state block
Related commands
display domain
Local user commands
access-limit
Use access-limit to set the maximum number of concurrent logins using the local user name.
Use undo access-limit to restore the default.
Syntax
access-limit max-user-number
undo access-limit
Default
The number of concurrent logins using the local user name is not limited.
Views
Local user view
Predefined user roles
network-admin
mdc-admin
Parameters
max-user-number: Specifies the maximum number of concurrent logins, in the range of 1 to 1024.
Usage guidelines
This command takes effect only when local accounting is configured for the local user. The command does not apply to FTP, SFTP, or SCP users, who do not support accounting.
Examples
# Set the maximum number of concurrent logins to 5 using the local user name abc.
<Sysname> system-view
[Sysname] local-user abc
[Sysname-luser-manage-abc] access-limit 5
Related commands
display local-user
authorization-attribute
Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user.
Use undo authorization-attribute to restore the default.
Syntax
authorization-attribute { acl acl-number | idle-cut minute | user-role role-name | vlan vlan-id | work-directory directory-name } *
undo authorization-attribute { acl | idle-cut | user-role role-name | vlan | work-directory } *
Default
FTP, SFTP, and SCP users have the root directory of the NAS set as the working directory. However, the users do not have permission to access the root directory.
The network-operator user role is assigned to local users that are created by a network-admin or level-15 user on the default MDC.
The mdc-operator user role is assigned to local users that are created by an mdc-admin or level-15 user on a non-default MDC.
Views
Local user view, user group view
Predefined user roles
network-admin
mdc-admin
Parameters
acl acl-number: Specifies an authorization ACL. The value range for the acl-number argument is 2000 to 5999. After passing authentication, a local user can access the network resources specified by this ACL.
idle-cut minute: Sets an idle timeout period in minutes. The value range for the minute argument is 1 to 120. When the idle cut feature is enabled, an online user whose idle period exceeds the specified idle timeout period is logged out.
user-role role-name: Specifies an authorized user role. The role-name argument is a case-sensitive string of 1 to 63 characters. A maximum of 64 user roles can be specified for a user. For user role-related commands, see Fundamentals Command Reference for RBAC commands. This option is available only in local user view, and is not available in user group view.
vlan vlan-id: Specifies an authorized VLAN. The value range for the vlan-id argument is 1 to 4094. After passing authentication and being authorized a VLAN, a local user can access only the resources in this VLAN.
work-directory directory-name: Specifies the working directory for FTP, SFTP, or SCP users. The directory-name argument is a case-insensitive string of 1 to 255 characters. The directory must already exist.
Usage guidelines
Configure authorization attributes according to the application environments and purposes. Support for authorization attributes depends on the service types of users.
· For Telnet and terminal users, only the authorization attributes idle-cut and user-role are effective.
· For SSH users, only the authorization attributes idle-cut, user-role, and work-directory are effective.
· For FTP users, only the authorization attributes user-role and work-directory are effective.
· For other types of local users, no authorization attribute is effective.
Authorization attributes configured for a user group are intended for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view.
To make sure FTP, SFTP, and SCP users can access the directory after a switchover between the active MPU and the standby MPU, do not specify slot information for the working directory.
To ensure that the user has only the user roles authorized by this command, use the undo authorization-attribute user-role command to remove the predefined user roles.
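The effectiveness and precedence rules in the usage guidelines above, modelled as an added example that is not part of the command reference. Attribute names follow the command keywords; the dict layout, function names and the sample user and group are constructed for this example.

```python
"""Resolve the authorization attributes a local user actually receives.

Added example, not code from the command reference: it models the rules in
the authorization-attribute usage guidelines (which attributes are effective
per service type, and local-user settings taking precedence over user-group
settings). The dict layout, function names and sample data are constructed.
"""
from typing import Dict, Set

# Attributes that take effect per service type, as listed in the guidelines.
EFFECTIVE_ATTRIBUTES: Dict[str, Set[str]] = {
    "telnet": {"idle-cut", "user-role"},
    "terminal": {"idle-cut", "user-role"},
    "ssh": {"idle-cut", "user-role", "work-directory"},
    "ftp": {"user-role", "work-directory"},
}

# Keywords accepted by the authorization-attribute command.
ALL_ATTRIBUTES = {"acl", "idle-cut", "user-role", "vlan", "work-directory"}


def validate(user_attrs: Dict[str, object], group_attrs: Dict[str, object]) -> None:
    """Reject unknown keywords; user-role is only available in local user view."""
    unknown = (set(user_attrs) | set(group_attrs)) - ALL_ATTRIBUTES
    if unknown:
        raise ValueError(f"unknown authorization attribute(s): {sorted(unknown)}")
    if "user-role" in group_attrs:
        raise ValueError("user-role cannot be configured in user group view")


def resolve_authorization(user_attrs: Dict[str, object],
                          group_attrs: Dict[str, object],
                          service: str) -> Dict[str, object]:
    """Return the attributes that take effect for `service`.

    An attribute set in local user view overrides the same attribute set in
    user group view; attributes that are not effective for the service type
    are dropped, and for any other service type nothing is effective.
    """
    validate(user_attrs, group_attrs)
    effective = EFFECTIVE_ATTRIBUTES.get(service)
    if effective is None:
        return {}
    merged = dict(group_attrs)
    merged.update(user_attrs)  # local user view takes precedence
    return {name: value for name, value in merged.items() if name in effective}


def ignored_attributes(user_attrs: Dict[str, object],
                       group_attrs: Dict[str, object],
                       service: str) -> Set[str]:
    """Attributes that are configured but have no effect for this service type.

    Useful when auditing why an ACL or VLAN restriction on a device management
    user is not enforced: neither is effective for FTP, SSH, Telnet or terminal.
    """
    validate(user_attrs, group_attrs)
    configured = set(group_attrs) | set(user_attrs)
    return configured - EFFECTIVE_ATTRIBUTES.get(service, set())


# Constructed sample: a user group like jj in the display user-group example,
# plus a local user abc that overrides the working directory.
GROUP_JJ = {"idle-cut": 2, "work-directory": "flash:/", "acl": 2000, "vlan": 2}
USER_ABC = {"user-role": ["network-operator"], "work-directory": "flash:/abc"}

if __name__ == "__main__":
    for svc in ("ssh", "ftp", "telnet"):
        print(svc, resolve_authorization(USER_ABC, GROUP_JJ, svc),
              "ignored:", sorted(ignored_attributes(USER_ABC, GROUP_JJ, svc)))
```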
Examples
# Configure the authorized user role of the device management user abc as network-admin.
<Sysname> system-view
[Sysname] local-user abc class manage
[Sysname-luser-manage-abc] authorization-attribute user-role network-admin
Related commands
· display local-user
· display user-group
display local-user
Use display local-user to display the local user configuration and online user statistics.
Syntax
display local-user [ class manage | idle-cut { disable | enable } | service-type { ftp | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
class manage: Specifies the device management users.
idle-cut { disable | enable }: Specifies local users with the idle cut feature disabled or enabled.
service-type: Specifies the local users who use a specific type of service.
· ftp: FTP users.
· ssh: SSH users.
· telnet: Telnet users.
· terminal: Terminal users who log in through console ports.
state { active | block }: Specifies local users in active or blocked state. A local user in active state can access network services, but a local user in blocked state cannot.
user-name user-name: Specifies all local users using the specified username. The username must be a case-sensitive string of 1 to 55 characters that does not contain the domain name.
vlan vlan-id: Specifies all local users in a VLAN. The value range for the vlan-id argument is 1 to 4094.
Usage guidelines
If you do not specify any parameters, the command displays information about all local users.
Examples
# Display information about all local users.
<Sysname> display local-user
Total 1 local users matched.
Device management user root:
State: Active
Service Type: SSH/Telnet/Terminal
Access limit: Enabled Max access number: 3
Current access number: 1
User Group: system
Bind Attributes:
Authorization Attributes:
Work Directory: flash:
User Role List: network-admin
Password control configurations:
Password aging: Enabled (3 days)
Table 2 Command output
Field | Description |
---|---|
State | Status of the local user: active or blocked. |
Service Type | Service types that the local user can use, including FTP, SSH, Telnet, and terminal. |
Access limit | Whether the concurrent login limit is enabled. |
Max access number | Maximum number of concurrent logins using the local user name. |
Current access number | Current number of concurrent logins using the local user name. |
User Group | Group to which the local user belongs. |
Bind attributes | Binding attributes of the local user. The device does not support binding attributes. |
Authorization attributes | Authorization attributes of the local user. |
Idle TimeOut | Idle timeout period of the user, in minutes. |
Work Directory | Directory that the FTP, SFTP, or SCP user can access. |
ACL Number | Authorization ACL of the local user. |
VLAN ID | Authorized VLAN of the local user. |
User Role List | Authorized roles of the local user. |
Password aging | This field appears only when password aging is enabled. The aging time is displayed in parentheses. |
Password length | This field appears only when password length control is enabled. The minimum password length is displayed in parentheses. |
Password composition | This field appears only when password composition checking is enabled. The field also displays the following information in parentheses: · Minimum number of character types that the password must contain. · Minimum number of characters from each type in the password. |
Password complexity | This field appears only when password complexity checking is enabled. The field also displays the following information in parentheses: · Whether the password can contain the username or the reverse of the username. · Whether the password can contain any character repeated consecutively three or more times. |
Maximum login attempts | Maximum number of consecutive failed login attempts. |
Action for exceeding login attempts | Action to take on the user who failed to log in after using up all login attempts. |
display user-group
Use display user-group to display the user group configuration.
Syntax
display user-group [ group-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters. If you do not specify a user group, the command displays the configuration of all user groups.
Examples
# Display the configuration of all user groups.
<Sysname> display user-group
Total 2 user groups matched.
The contents of user group system:
Authorization Attributes:
Work Directory: flash:
The contents of user group jj:
Authorization Attributes:
Idle TimeOut: 2 (min)
Work Directory: flash:/
ACL Number: 2000
VLAN ID: 2
Password control configurations:
Password aging: Enabled (2 days)
Table 3 Command output
Field | Description |
---|---|
Idle TimeOut | Idle timeout period, in minutes. |
Work Directory | Directory that FTP, SFTP, or SCP users in the group can access. |
ACL Number | Authorization ACL. |
VLAN ID | Authorized VLAN. |
Password control configurations | Password control attributes that are configured for the user group. |
Password aging | This field appears only when password aging is enabled. The aging time is displayed in parentheses. |
Password length | This field appears only when password length control is enabled. The minimum password length is displayed in parentheses. |
Password composition | This field appears only when password composition checking is enabled. The field also displays the following information in parentheses: · Minimum number of character types that the password must contain. · Minimum number of characters from each type in the password. |
Password complexity | This field appears only when password complexity checking is enabled. The field also displays the following information in parentheses: · Whether the password can contain the username or the reverse of the username. · Whether the password can contain any character repeated consecutively three or more times. |
Maximum login attempts | Maximum number of consecutive failed login attempts. |
Action for exceeding login attempts | Action to take on the user who failed to log in after using up all login attempts. |
group
Use group to assign a local user to a user group.
Use undo group to restore the default.
Syntax
group group-name
undo group
Default
A local user belongs to the system-defined user group system.
Views
Local user view
Predefined user roles
network-admin
mdc-admin
Parameters
group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.
Examples
# Assign device management user 111 to user group abc.
<Sysname> system-view
[Sysname] local-user 111 class manage
[Sysname-luser-manage-111] group abc
Related commands
display local-user
local-user
Use local-user to add a local user and enter local user view.
Use undo local-user to remove local users.
Syntax
local-user user-name [ class manage ]
undo local-user { user-name class manage | all [ service-type { ftp | ssh | telnet | terminal } | class manage ] }
Default
No local user exists.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
user-name: Specifies a name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name. A local user name cannot contain a forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). The name cannot be a, al, or all, either.
class manage: Specifies the device management user. Device management users can configure and monitor the device after login. They can use FTP, Telnet, SSH, and terminal services.
all: Specifies all users.
service-type: Specifies the local users who use a specific type of service.
· ftp: FTP users.
· ssh: SSH users.
· telnet: Telnet users.
· terminal: Terminal users who log in through console ports.
Examples
# Add a device management user named user1.
<Sysname> system-view
[Sysname] local-user user1 class manage
[Sysname-luser-manage-user1]
Related commands
· display local-user
· service-type
password
Use password to configure a password for a local user.
Use undo password to delete the password of a local user.
Syntax
In non-FIPS mode:
password [ { hash | simple } password ]
undo password
In FIPS mode:
password
Default
· In non-FIPS mode, there is no password configured for a local user. A local user can pass authentication after entering the correct username and passing attribute checks.
· In FIPS mode, there is no password configured for a local user. A local user cannot pass authentication.
Views
Local user view
Predefined user roles
network-admin
mdc-admin
Parameters
hash: Sets a hashed password.
simple: Sets a plaintext password.
password: Specifies the password string. This argument is case sensitive.
· In non-FIPS mode:
  - A hashed password is a string of 1 to 110 characters.
  - A plaintext password is a string of 1 to 63 characters.
· In FIPS mode, a password is a plaintext string of 15 to 63 characters and must contain digits, uppercase letters, lowercase letters, and special characters (see "Password control commands").
Usage guidelines
If you do not specify any parameters or the device operates in FIPS mode, you enter the interactive mode to set a plaintext password.
In non-FIPS mode, a non-password-protected user passes authentication if the user provides the correct username and passes attribute checks. To enhance security, configure a password for each local user. In FIPS mode, only password-protected users can pass authentication.
Device management users support plaintext and hashed passwords. For security purposes, all passwords, including passwords configured in plain text, are saved in hashed text.
Examples
# Set the password of the device management user user1 to 123456TESTplat&! in plain text.
<Sysname> system-view
[Sysname] local-user user1 class manage
[Sysname-luser-manage-user1] password simple 123456TESTplat&!
# Set the password of the device management user test in interactive mode.
<Sysname> system-view
[Sysname] local-user test class manage
[Sysname-luser-manage-test] password
Password:
Confirm :
Related commands
· display local-user
· local-user password-display-mode
service-type
Use service-type to specify the service types that a local user can use.
Use undo service-type to delete service types configured for a local user.
Syntax
In non-FIPS mode:
service-type { ftp | { ssh | telnet | terminal } * }
undo service-type { ftp | { ssh | telnet | terminal } * }
In FIPS mode:
service-type { ssh | terminal } *
undo service-type { ssh | terminal } *
Default
A local user is not authorized to use any service.
Views
Local user view
Predefined user roles
network-admin
mdc-admin
Parameters
ftp: Authorizes the user to use the FTP service. By default, the user can use the root directory of the FTP, SFTP, or SCP server. The authorized directory can be modified by using the authorization-attribute work-directory command.
ssh: Authorizes the user to use the SSH service.
telnet: Authorizes the user to use the Telnet service.
terminal: Authorizes the user to use the terminal service and log in from a console port.
Usage guidelines
You can assign multiple service types to a user.
Examples
# Authorize the device management user user1 to use the Telnet and FTP services.
<Sysname> system-view
[Sysname] local-user user1 class manage
[Sysname-luser-manage-user1] service-type telnet
[Sysname-luser-manage-user1] service-type ftp
Related commands
display local-user
state (local user view)
Use state to set the status of a local user.
Use undo state to restore the default.
Syntax
state { active | block }
undo state
Default
A local user is in active state.
Views
Local user view
Predefined user roles
network-admin
mdc-admin
Parameters
active: Places the local user in active state to allow the local user to request network services.
block: Places the local user in blocked state to prevent the local user from requesting network services.
Usage guidelines
This command applies only to the local user.
Examples
# Place the device management user user1 in blocked state.
<Sysname> system-view
[Sysname] local-user user1 class manage
[Sysname-luser-manage-user1] state block
Related commands
display local-user
user-group
Use user-group to create a user group and enter user group view.
Use undo user-group to delete a user group.
Syntax
user-group group-name
undo user-group group-name
Default
There is a user group named system in the system.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group. Configurable user attributes are authorization attributes.
A user group with one or more local users cannot be deleted.
The system has a predefined user group named system. You can modify but not remove its configuration.
Examples
# Create a user group named abc and enter user group view.
<Sysname> system-view
[Sysname] user-group abc
[Sysname-ugroup-abc]
Related commands
display user-group
RADIUS commands
accounting-on enable
Use accounting-on enable to configure the accounting-on feature.
Use undo accounting-on enable to restore the default.
Syntax
accounting-on enable [ interval seconds | send send-times ] *
undo accounting-on enable
Default
The accounting-on feature is disabled.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
interval seconds: Specifies the time interval for retransmitting an accounting-on packet in seconds. The value range for the seconds argument is 1 to 15, and the default setting is 3 seconds.
send send-times: Specifies the maximum number of accounting-on packet transmission attempts. The value range for the send-times argument is 1 to 255, and the default setting is 50.
Usage guidelines
The accounting-on feature enables the device to automatically send an accounting-on packet to the RADIUS server after a device or card reboot. Upon receiving the accounting-on packet, the RADIUS server logs out all online users so they can log in again through the device.
Execute the save command to make sure the accounting-on enable command takes effect at the next reboot. For information about the save command, see Fundamentals Command Reference.
Parameters set with the accounting-on enable command take effect immediately.
Examples
# Enable the accounting-on feature for RADIUS scheme radius1, and set the retransmission interval to 5 seconds and the transmission attempts to 15.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] accounting-on enable interval 5 send 15
Related commands
display radius scheme
attribute 15 check-mode
Use attribute 15 check-mode to configure the Login-Service attribute check method for SSH, FTP, and terminal users.
Use undo attribute 15 check-mode to restore the default.
Syntax
attribute 15 check-mode { loose | strict }
undo attribute 15 check-mode
Default
The strict check method applies for SSH, FTP, and terminal users.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
loose: Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services.
strict: Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively.
Usage guidelines
Use the loose check method only when the server does not issue Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal users.
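The two check methods applied to a decoded Login-Service attribute, as an added example that is not part of the command reference. It uses the standard RADIUS attribute layout (type, length, value); the sample payloads are constructed, and because the page does not state what happens when the attribute is absent, that case is reported rather than decided.

```python
"""Evaluate a RADIUS Login-Service (attribute 15) value in strict or loose mode.

Added example, not code from the command reference. It walks the attribute
TLVs of a RADIUS packet payload, extracts Login-Service and applies the two
check methods as the attribute 15 check-mode parameters describe them:
strict matches 50/51/52 for SSH/FTP/terminal, loose matches the standard
value 0. The sample payloads are constructed; the absent-attribute case is
not covered by the page and is reported separately.
"""
import struct
from typing import Iterator, Optional, Tuple

LOGIN_SERVICE = 15                       # RADIUS attribute type for Login-Service
STRICT_VALUES = {"ssh": 50, "ftp": 51, "terminal": 52}
LOOSE_VALUE = 0


def iter_attributes(payload: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) per attribute; the length byte covers the 2-byte header."""
    offset = 0
    while offset < len(payload):
        if len(payload) - offset < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[offset], payload[offset + 1]
        if alen < 2 or offset + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        yield atype, payload[offset + 2:offset + alen]
        offset += alen


def login_service_value(payload: bytes) -> Optional[int]:
    """Return the first Login-Service value, or None if the attribute is absent."""
    for atype, value in iter_attributes(payload):
        if atype == LOGIN_SERVICE:
            if len(value) != 4:
                raise ValueError("Login-Service must carry a 4-byte integer")
            return struct.unpack("!I", value)[0]
    return None


def check_login_service(payload: bytes, service: str, check_mode: str) -> str:
    """Return 'match', 'mismatch' or 'absent' for the given service and mode."""
    if service not in STRICT_VALUES:
        raise ValueError(f"check applies to ssh, ftp and terminal, not {service!r}")
    if check_mode not in ("strict", "loose"):
        raise ValueError("check_mode must be 'strict' or 'loose'")
    value = login_service_value(payload)
    if value is None:
        return "absent"
    expected = STRICT_VALUES[service] if check_mode == "strict" else LOOSE_VALUE
    return "match" if value == expected else "mismatch"


def integer_attribute(atype: int, value: int) -> bytes:
    """Encode a 4-byte integer RADIUS attribute (helper for constructed samples)."""
    return bytes([atype, 6]) + struct.pack("!I", value)


# Constructed Access-Accept attribute payloads: Service-Type(6)=Login(1)
# followed by Login-Service(15). One server issues the SSH-specific value 50,
# the other the standard value 0.
SAMPLE_ACCEPT_SSH = integer_attribute(6, 1) + integer_attribute(LOGIN_SERVICE, 50)
SAMPLE_ACCEPT_STD = integer_attribute(6, 1) + integer_attribute(LOGIN_SERVICE, 0)

if __name__ == "__main__":
    print(check_login_service(SAMPLE_ACCEPT_SSH, "ssh", "strict"))   # match
    print(check_login_service(SAMPLE_ACCEPT_SSH, "ftp", "strict"))   # mismatch
    print(check_login_service(SAMPLE_ACCEPT_STD, "ssh", "strict"))   # mismatch
    print(check_login_service(SAMPLE_ACCEPT_STD, "ssh", "loose"))    # match
```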
Examples
# Configure the Login-Service attribute check method as loose for SSH, FTP, and terminal users in RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute 15 check-mode loose
Related commands
display radius scheme
data-flow-format (RADIUS scheme view)
Use data-flow-format to set the data flow and packet measurement units for traffic statistics.
Use undo data-flow-format to restore the default.
Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }
Default
Traffic is counted in bytes and packets.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.
packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
Usage guidelines
The data flow and packet measurement units for traffic statistics must be the same as configured on the RADIUS accounting servers. Otherwise, accounting results might be incorrect.
Examples
# In RADIUS scheme radius1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet
Related commands
display radius scheme
display radius scheme
Use display radius scheme to display the configuration of RADIUS schemes.
Syntax
display radius scheme [ radius-scheme-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify a RADIUS scheme, the command displays the configuration of all RADIUS schemes.
Examples
# Display the configuration of all RADIUS schemes.
<Sysname> display radius scheme
Total 2 RADIUS schemes
------------------------------------------------------------------
RADIUS Scheme Name : rad
Index : 0
Primary Auth Server:
Host name: radius.com
IP : 82.0.0.37 Port: 1812 State: Active
VPN : Not configured
Primary Acct Server:
Host name: radius.com
IP : 82.0.0.37 Port: 1813 State: Active
VPN : Not configured
Accounting-On function : Disabled
retransmission times : 50
retransmission interval(seconds) : 3
Timeout Interval(seconds) : 3
Retransmission Times : 3
Retransmission Times for Accounting Update : 5
Server Quiet Period(minutes) : 5
Realtime Accounting Interval(minutes) : 12
NAS IP Address : Not configured
VPN : Not configured
User Name Format : without-domain
------------------------------------------------------------------
RADIUS Scheme Name : rad2
Index : 1
Primary Auth Server:
Host name: radius.com
IP : 82.0.0.37 Port: 1812 State: Active
VPN : 1
Primary Acct Server:
Host name: radius.com
IP : 82.0.0.37 Port: 1813 State: Active
VPN : 1
Accounting-On function : Disabled
retransmission times : 50
retransmission interval(seconds) : 3
Timeout Interval(seconds) : 3
Retransmission Times : 3
Retransmission Times for Accounting Update : 5
Server Quiet Period(minutes) : 5
Realtime Accounting Interval(minutes) : 12
NAS IP Address : Not configured
VPN : Not configured
User Name Format : without-domain
Attribute 15 check-mode : Strict
------------------------------------------------------------------
Table 4 Command output
Field | Description |
---|---|
Index | Index number of the RADIUS scheme. |
Primary Auth Server | Information about the primary authentication server. |
Primary Acct Server | Information about the primary accounting server. |
Second Auth Server | Information about the secondary authentication server. |
Second Acct Server | Information about the secondary accounting server. |
Host name | Hostname of the server. The field displays Not configured in the following situations: · The server is not configured. · The server is specified by IP address. |
IP | IP address of the server. This field displays Not configured in the following situations: · The server is not configured. · The server is specified by hostname, and the hostname is not resolved. |
Port | Service port number of the server. If no port number is specified, this field displays the default port number. |
State | Status of the server: active or blocked. |
VPN | VPN to which the server belongs. If no VPN is specified for the server, this field displays Not configured. |
Server: n | Member ID of the security policy server. |
IP | IP address of the security policy server. |
VPN | VPN to which the security policy server belongs. If no VPN is specified for the server, this field displays Not configured. |
Accounting-On function | Whether the accounting-on feature is enabled. |
retransmission times | Number of accounting-on packet transmission attempts. |
retransmission interval(seconds) | Interval at which the device retransmits accounting-on packets, in seconds. |
Timeout Interval(seconds) | RADIUS server response timeout period, in seconds. |
Retransmission Times | Maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server. |
Retransmission Times for Accounting Update | Maximum number of accounting attempts. |
Server Quiet Period(minutes) | Quiet period for the servers, in minutes. |
Realtime Accounting Interval(minutes) | Interval for sending real-time accounting updates, in minutes. |
NAS IP Address | Source IP address for outgoing RADIUS packets. |
VPN | VPN to which the RADIUS scheme belongs. If no VPN is specified for the server, this field displays Not configured. |
User Name Format | Format for the usernames sent to the RADIUS server. Possible values include: · with-domain—Includes the domain name. · without-domain—Excludes the domain name. · keep-original—Forwards the username as the username is entered. |
Attribute 15 check-mode | RADIUS Login-Service attribute check method for SSH, FTP, and terminal users: · Strict—Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively. · Loose—Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services. |
display radius statistics
Use display radius statistics to display RADIUS packet statistics.
Syntax
display radius statistics
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Display RADIUS packet statistics.
<Sysname> display radius statistics
Auth. Acct. SessCtrl.
Request Packet: 0 0 0
Retry Packet: 0 0 -
Timeout Packet: 0 0 -
Access Challenge: 0 - -
Account Start: - 0 -
Account Update: - 0 -
Account Stop: - 0 -
Terminate Request: - - 0
Set Policy: - - 0
Packet With Response: 0 0 0
Packet Without Response: 0 0 -
Access Rejects: 0 - -
Dropped Packet: 0 0 0
Check Failures: 0 0 0
Table 5 Command output
Field | Description |
---|---|
Auth. | Authentication packets. |
Acct. | Accounting packets. |
SessCtrl. | Session-control packets. |
Request Packet | Number of request packets. |
Retry Packet | Number of retransmitted request packets. |
Timeout Packet | Number of request packets timed out. |
Access Challenge | Number of access challenge packets. |
Account Start | Number of start-accounting packets. |
Account Update | Number of accounting update packets. |
Account Stop | Number of stop-accounting packets. |
Terminate Request | Number of packets for logging off users forcibly. |
Set Policy | Number of packets for updating user authorization information. |
Packet With Response | Number of packets for which responses were received. |
Packet Without Response | Number of packets for which no responses were received. |
Access Rejects | Number of Access-Reject packets. |
Dropped Packet | Number of discarded packets. |
Check Failures | Number of packets with checksum errors. |
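A parser for the display radius statistics output shown above, with a simple pass that lists the counters a practitioner would look at first (timed-out requests, requests without a response, discarded packets, checksum failures). This is an added example, not code from the command reference; the sample output and the choice of attention rows are constructed.

```python
"""Parse display radius statistics output and flag counters worth attention.

Added example, not code from the command reference. The parser follows the
output layout on the page: a header naming the Auth., Acct. and SessCtrl.
columns, then one "Name: v v v" row per counter, with '-' where a counter
does not apply. The sample output and the attention rows are constructed.
"""
from typing import Dict, List, Optional, Tuple

Stats = Dict[str, Dict[str, Optional[int]]]

# Rows whose non-zero values usually deserve a look. The page describes them as
# timed-out requests, requests without a response, discarded packets and
# packets with checksum errors; for the last one, verify that the shared keys
# set with key / primary authentication match the server side.
ATTENTION_ROWS = ("Timeout Packet", "Packet Without Response",
                  "Dropped Packet", "Check Failures")


def parse_radius_statistics(text: str) -> Stats:
    """Return {row name: {column name: count or None}}."""
    columns: List[str] = []
    stats: Stats = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):      # blank line or CLI prompt
            continue
        if ":" not in line:                       # header row names the columns
            columns = line.split()
            continue
        if not columns:
            raise ValueError("counter row before column header")
        name, _, rest = line.partition(":")
        tokens = rest.split()
        if len(tokens) != len(columns):
            raise ValueError(f"row {name!r}: {len(tokens)} values, expected {len(columns)}")
        stats[name.strip()] = {
            col: (None if tok == "-" else int(tok)) for col, tok in zip(columns, tokens)
        }
    return stats


def radius_findings(stats: Stats) -> List[Tuple[str, str, int]]:
    """List (row, column, value) for every non-zero attention counter."""
    findings: List[Tuple[str, str, int]] = []
    for row in ATTENTION_ROWS:
        for col, value in stats.get(row, {}).items():
            if value:
                findings.append((row, col, value))
    return findings


def access_reject_ratio(stats: Stats) -> float:
    """Share of authentication requests answered with Access-Reject."""
    requests = stats["Request Packet"]["Auth."] or 0
    rejects = stats["Access Rejects"]["Auth."] or 0
    return rejects / requests if requests else 0.0


# Constructed sample in the page's output format, with some non-zero counters.
SAMPLE_OUTPUT = """\
<Sysname> display radius statistics
Auth. Acct. SessCtrl.
Request Packet: 120 118 0
Retry Packet: 9 2 -
Timeout Packet: 3 0 -
Access Challenge: 0 - -
Account Start: - 60 -
Account Update: - 55 -
Account Stop: - 3 -
Terminate Request: - - 0
Set Policy: - - 0
Packet With Response: 117 118 0
Packet Without Response: 3 0 -
Access Rejects: 14 - -
Dropped Packet: 0 0 0
Check Failures: 2 0 0
"""

if __name__ == "__main__":
    parsed = parse_radius_statistics(SAMPLE_OUTPUT)
    for row, col, value in radius_findings(parsed):
        print(f"{row} [{col}] = {value}")
    print(f"Access-Reject ratio: {access_reject_ratio(parsed):.1%}")
```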
Related commands
reset radius statistics
key (RADIUS scheme view)
Use key to set the shared key for secure RADIUS communication.
Use undo key to restore the default.
Syntax
key { accounting | authentication } { cipher | simple } string
undo key { accounting | authentication }
Default
No shared key is configured.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
accounting: Sets the shared key for secure RADIUS accounting communication.
authentication: Sets the shared key for secure RADIUS authentication communication.
cipher: Sets a ciphertext shared key.
simple: Sets a plaintext shared key.
string: Specifies the shared key string. This argument is case sensitive.
· In non-FIPS mode:
  - A ciphertext shared key is a string of 1 to 117 characters.
  - A plaintext shared key is a string of 1 to 64 characters.
· In FIPS mode:
  - A ciphertext shared key is a string of 15 to 117 characters.
  - A plaintext shared key is a string of 15 to 64 characters that must contain digits, uppercase letters, lowercase letters, and special characters.
Usage guidelines
The shared keys configured by using this command apply to all servers in the scheme. Make sure the settings match the shared keys configured on the RADIUS servers.
The shared keys specified for specific RADIUS servers take precedence over the shared key specified with this command.
For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
Examples
# For RADIUS scheme radius1, set the shared key for secure accounting communication to ok in plain text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] key accounting simple ok
Related commands
display radius scheme
nas-ip (RADIUS scheme view)
Use nas-ip to specify a source IP address for outgoing RADIUS packets.
Use undo nas-ip to delete a source IP address for outgoing RADIUS packets.
Syntax
nas-ip ipv4-address
undo nas-ip
Default
The source IP address of an outgoing RADIUS packet is that specified by using the radius nas-ip command in system view.
If the radius nas-ip command is not configured, the source IP address is the IP address of the outbound interface.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-address: Specifies an IPv4 address, which must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
Usage guidelines
The source IP address of the RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS.
· If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.
· If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.
When you use both the nas-ip and radius nas-ip commands, the following guidelines apply:
· The setting configured by using the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.
· The setting configured by using the radius nas-ip command in system view applies to all RADIUS schemes.
· The setting in RADIUS scheme view takes precedence over the setting in system view.
If no source IP address is specified for outgoing RADIUS packets, the packets that the server returns cannot reach the device when a physical port error occurs. As a best practice, configure a loopback interface address as the source IP address for outgoing RADIUS packets.
A RADIUS scheme can have only one source IP address for outgoing RADIUS packets. If you specify a new source IP address for the same RADIUS scheme, the new address overwrites the old one.
Examples
# Set the source IP address for outgoing RADIUS packets to 10.1.1.1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] nas-ip 10.1.1.1
Related commands
· display radius scheme
· radius nas-ip
primary accounting (RADIUS scheme view)
Use primary accounting to specify the primary RADIUS accounting server.
Use undo primary accounting to remove the configuration.
Syntax
primary accounting { host-name | ipv4-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *
undo primary accounting
Default
No primary RADIUS accounting server is specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
host-name: Specifies the hostname of the primary RADIUS accounting server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of the primary RADIUS accounting server.
port-number: Specifies the service port number of the primary RADIUS accounting server. The value range for the UDP port number is 1 to 65535, and the default setting is 1813.
key { cipher | simple } string: Sets the shared key for secure communication with the primary RADIUS accounting server.
· cipher string: Sets a ciphertext shared key. The string argument is case sensitive.
  - In non-FIPS mode, the key is a string of 1 to 117 characters.
  - In FIPS mode, the key is a string of 15 to 117 characters.
· simple string: Sets a plaintext shared key. The string argument is case sensitive.
  - In non-FIPS mode, the key is a string of 1 to 64 characters.
  - In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary RADIUS accounting server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Two accounting servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.
The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.
The port number and shared key settings of the primary RADIUS accounting server must be the same as the settings configured on the server.
The shared key configured by using this command takes precedence over the shared key configured with the key accounting command. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.
If you use the primary accounting command to modify or delete the primary accounting server to which the device is sending a start-accounting request, communication with the primary server times out. The device tries to communicate with an active server that has the highest priority for accounting.
If you remove an actively used accounting server, the device no longer sends users' real-time accounting requests and stop-accounting requests. It does not buffer the stop-accounting requests, either. The device might generate incorrect accounting results.
Examples
# Specify the primary accounting server with IP address 10.110.1.2, UDP port number 1813, and plaintext shared key 123456TESTacct&! for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary accounting 10.110.1.2 1813 key simple 123456TESTacct&!
Related commands
· display radius scheme
· key (RADIUS scheme view)
· secondary accounting (RADIUS scheme view)
· vpn-instance (RADIUS scheme view)
primary authentication (RADIUS scheme view)
Use primary authentication to specify the primary RADIUS authentication server.
Use undo primary authentication to remove the configuration.
Syntax
primary authentication { host-name | ipv4-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *
undo primary authentication
Default
No primary RADIUS authentication server is specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
host-name: Specifies the hostname of the primary RADIUS authentication server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication server.
port-number: Specifies the service port number of the primary RADIUS authentication server. The value range for the UDP port number is 1 to 65535, and the default setting is 1812.
key { cipher | simple } string: Sets the shared key for secure communication with the primary RADIUS authentication server.
· cipher string: Sets a ciphertext shared key. The string argument is case sensitive.
  ◦ In non-FIPS mode, the key is a string of 1 to 117 characters.
  ◦ In FIPS mode, the key is a string of 15 to 117 characters.
· simple string: Sets a plaintext shared key. The string argument is case sensitive.
  ◦ In non-FIPS mode, the key is a string of 1 to 64 characters.
  ◦ In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary RADIUS authentication server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Two authentication servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.
The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.
The service port and shared key settings of the primary RADIUS authentication server must be the same as the settings configured on the server.
The shared key configured by this command takes precedence over the shared key configured with the key authentication command. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.
If you use the primary authentication command to modify or delete the primary authentication server during an authentication process, communication with the primary server times out. The device tries to communicate with an active server that has the highest priority for authentication.
Examples
# Specify the primary authentication server with IP address 10.110.1.1, UDP port number 1812, and plaintext shared key 123456TESTauth&! for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary authentication 10.110.1.1 1812 key simple 123456TESTauth&!
Related commands
· display radius scheme
· key (RADIUS scheme view)
· secondary authentication (RADIUS scheme view)
· vpn-instance (RADIUS scheme view)
radius nas-ip
Use radius nas-ip to specify a source IP address for outgoing RADIUS packets.
Use undo radius nas-ip to delete a source IP address for outgoing RADIUS packets.
Syntax
radius nas-ip ipv4-address [ vpn-instance vpn-instance-name ]
undo radius nas-ip ipv4-address [ vpn-instance vpn-instance-name ]
Default
The source IP address of an outgoing RADIUS packet is the IP address of the outbound interface.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IPv4 address belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To configure a public-network source IPv4 address, do not specify this option.
Usage guidelines
The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS.
· If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.
· If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.
If no source IP address is specified, outgoing RADIUS packets carry the address of the outbound interface, so packets returned from the server cannot reach the device if that physical port fails.
You can specify a maximum of 16 source IP addresses, including the following IP addresses:
· Zero or one public-network source IPv4 address.
· Private-network source IPv4 addresses.
A newly specified public-network source IPv4 address overwrites the previous address. Each VPN can have a maximum of one private-network source IPv4 address.
When you use both the nas-ip and radius nas-ip commands, the following guidelines apply:
· The setting configured by the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.
· The setting configured by the radius nas-ip command in system view applies to all RADIUS schemes.
· The setting in RADIUS scheme view takes precedence over the setting in system view.
Examples
# Set the IP address for the device to use as the source address of the RADIUS packets to 129.10.10.1.
<Sysname> system-view
[Sysname] radius nas-ip 129.10.10.1
Related commands
nas-ip (RADIUS scheme view)
radius session-control enable
Use radius session-control enable to enable the RADIUS session-control feature.
Use undo radius session-control enable to restore the default.
Syntax
radius session-control enable
undo radius session-control enable
Default
The RADIUS session-control feature is disabled and the UDP port 1812 is closed.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The RADIUS session-control feature enables the device to receive RADIUS session-control packets on UDP port 1812 from a RADIUS server that runs on IMC.
Examples
# Enable the RADIUS session-control feature.
<Sysname> system-view
[Sysname] radius session-control enable
radius scheme
Use radius scheme to create a RADIUS scheme and enter RADIUS scheme view.
Use undo radius scheme to delete a RADIUS scheme.
Syntax
radius scheme radius-scheme-name
undo radius scheme radius-scheme-name
Default
No RADIUS scheme is defined.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
radius-scheme-name: Specifies the RADIUS scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
A RADIUS scheme can be used by more than one ISP domain at the same time.
The device supports a maximum of 16 RADIUS schemes.
Examples
# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1]
Related commands
display radius scheme
reset radius statistics
Use reset radius statistics to clear RADIUS statistics.
Syntax
reset radius statistics
Views
User view
Predefined user roles
network-admin
mdc-admin
Examples
# Clear RADIUS statistics.
<Sysname> reset radius statistics
Related commands
display radius statistics
retry
Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.
Use undo retry to restore the default.
Syntax
retry retry-times
undo retry
Default
The maximum number of RADIUS packet transmission attempts is 3.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
retry-times: Specifies the maximum number of RADIUS packet transmission attempts, in the range of 1 to 20.
Usage guidelines
Because RADIUS uses UDP packets to transmit data, the communication is not reliable.
· If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request.
· If the device does not receive a response from the RADIUS server after the maximum number of transmission attempts is reached, the device considers the request a failure.
The maximum number of packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 300 seconds.
Examples
# Set the maximum number of RADIUS packet transmission attempts to 5 for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] retry 5
Related commands
· radius scheme
· timer response-timeout (RADIUS scheme view)
retry realtime-accounting
Use retry realtime-accounting to set the maximum number of accounting attempts.
Use undo retry realtime-accounting to restore the default.
Syntax
retry realtime-accounting retry-times
undo retry realtime-accounting
Default
The maximum number of accounting attempts is 5.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
retry-times: Specifies the maximum number of accounting attempts, in the range of 1 to 255.
Usage guidelines
Typically, a RADIUS accounting server checks whether a user is online by using a timeout timer. If the server does not receive a real-time accounting request for a user from the NAS within the timeout period, it considers that a line or device failure has occurred, and stops accounting for the user. To work with the RADIUS server, the NAS needs to send real-time accounting requests to the server before the timer on the server expires and to keep pace with the server in disconnecting the user when a failure occurs. The NAS decides when to disconnect a user based on the maximum number of accounting attempts together with the response timeout, the retransmission count, and the real-time accounting interval.
For example, the RADIUS server response timeout period is 3 seconds (set with the timer response-timeout command), the maximum number of RADIUS packet transmission attempts is three (set with the retry command), the real-time accounting interval is 12 minutes (set with the timer realtime-accounting command), and the maximum number of accounting attempts is five (set with the retry realtime-accounting command). In this case, the device generates an accounting request every 12 minutes, and retransmits the request if it sends the request but receives no response within 3 seconds. If the device receives no response after transmitting the request three times, it considers the accounting attempt a failure, and makes another accounting attempt. If five consecutive accounting attempts fail, the device cuts the user connection.
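The following model replays the retry logic described in the two paragraphs above (retry, retry realtime-accounting, timer response-timeout and timer realtime-accounting) against a scripted server. It is an added example, not code from this command reference or from the device; the timing assumptions (attempt k starts at k times the interval, retransmissions spaced one response timeout apart) are the model's own and are marked in the comments.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class RadiusScheme:
    """Timers and counters of one RADIUS scheme, with the ranges from this reference.

    Defaults are the values of the worked example in the text (3 s, 3 tries,
    12 minutes, 5 attempts).
    """
    response_timeout: int = 3           # timer response-timeout, 1 to 10 seconds
    retry: int = 3                      # retry, 1 to 20 transmissions per attempt
    realtime_accounting: int = 12       # timer realtime-accounting, minutes
    retry_realtime_accounting: int = 5  # retry realtime-accounting, 1 to 255 attempts

    def validate(self) -> None:
        """Reject values outside the documented ranges and the 300-second product limit."""
        if not 1 <= self.response_timeout <= 10:
            raise ValueError("timer response-timeout must be 1 to 10 seconds")
        if not 1 <= self.retry <= 20:
            raise ValueError("retry must be 1 to 20")
        # 0 means "use the interval configured on the server", which this model
        # cannot know, so the simulation requires an explicit interval (assumption).
        if not 1 <= self.realtime_accounting <= 60:
            raise ValueError("timer realtime-accounting must be 1 to 60 minutes here")
        if not 1 <= self.retry_realtime_accounting <= 255:
            raise ValueError("retry realtime-accounting must be 1 to 255")
        if self.retry * self.response_timeout > 300:
            raise ValueError("retry x response-timeout must not exceed 300 seconds")


@dataclass(frozen=True)
class AccountingOutcome:
    cut: bool             # True if the NAS cut the user connection
    attempts: int         # accounting attempts made
    transmissions: int    # individual RADIUS requests sent
    seconds_elapsed: int  # model time since the first request of the run


def simulate_realtime_accounting(scheme: RadiusScheme,
                                 server_answers: Iterable[bool]) -> AccountingOutcome:
    """Replay the NAS behaviour described in the text against a scripted server.

    server_answers holds one bool per transmission: True if the server answered
    that request, False if it stayed silent. Model assumptions (not stated in the
    reference): accounting attempt k starts at k * interval, retransmissions are
    spaced response_timeout seconds apart, and the interval timer is not delayed
    by retransmissions. The replay stops when the script runs out.
    """
    scheme.validate()
    answers = list(server_answers)
    interval = scheme.realtime_accounting * 60
    pos = attempts = transmissions = consecutive_failures = 0
    now = 0
    while pos < len(answers):
        start = attempts * interval
        attempts += 1
        responded = False
        for i in range(scheme.retry):
            now = start + i * scheme.response_timeout
            responded = pos < len(answers) and answers[pos]
            pos += 1
            transmissions += 1
            if responded:
                break
        if responded:
            consecutive_failures = 0        # a successful attempt resets the counter
            continue
        now += scheme.response_timeout      # the last retransmission timed out too
        consecutive_failures += 1
        if consecutive_failures >= scheme.retry_realtime_accounting:
            return AccountingOutcome(True, attempts, transmissions, now)
    return AccountingOutcome(False, attempts, transmissions, now)


if __name__ == "__main__":
    # The reference's example: 3 s, 3 transmissions, 12 minutes, 5 attempts,
    # with the server silent throughout (scripted answers, constructed for the demo).
    print(simulate_realtime_accounting(RadiusScheme(), [False] * 15))
```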
Examples
# Set the maximum number of accounting attempts to 10 for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] retry realtime-accounting 10
Related commands
· retry
· timer realtime-accounting (RADIUS scheme view)
· timer response-timeout (RADIUS scheme view)
secondary accounting (RADIUS scheme view)
Use secondary accounting to specify a secondary RADIUS accounting server.
Use undo secondary accounting to remove a secondary RADIUS accounting server.
Syntax
secondary accounting { host-name | ipv4-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *
undo secondary accounting [ { host-name | ipv4-address } [ port-number | vpn-instance vpn-instance-name ] * ]
Default
No secondary RADIUS accounting server is specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
host-name: Specifies the hostname of the secondary RADIUS accounting server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of the secondary RADIUS accounting server.
port-number: Specifies the service port number of the secondary RADIUS accounting server. The value range for the UDP port number is 1 to 65535, and the default setting is 1813.
key { cipher | simple } string: Sets the shared key for secure communication with the secondary RADIUS accounting server.
· cipher string: Sets a ciphertext shared key. The string argument is case sensitive.
  ◦ In non-FIPS mode, the key is a string of 1 to 117 characters.
  ◦ In FIPS mode, the key is a string of 15 to 117 characters.
· simple string: Sets a plaintext shared key. The string argument is case sensitive.
  ◦ In non-FIPS mode, the key is a string of 1 to 64 characters.
  ◦ In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS accounting server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
You can configure a maximum of 16 secondary RADIUS accounting servers for a RADIUS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.
Two accounting servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.
The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.
The port number and shared key settings of a secondary RADIUS accounting server must be the same as the settings configured on the server.
The shared key configured by this command takes precedence over the shared key configured with the key accounting command. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.
If you use the secondary accounting command to modify or delete a secondary accounting server to which the device is sending a start-accounting request, communication with the secondary server times out. The device tries to communicate with an active server that has the highest priority for accounting.
If you remove an actively used accounting server, the device no longer sends users' real-time accounting requests and stop-accounting requests. The device does not buffer the stop-accounting requests, either.
Examples
# For RADIUS scheme radius1, specify a secondary accounting server with the IP address 10.110.1.1 and the UDP port 1813.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813
# For RADIUS scheme radius2, specify two secondary accounting servers with the server IP addresses of 10.110.1.1 and 10.110.1.2 and the UDP port number of 1813.
<Sysname> system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary accounting 10.110.1.1 1813
[Sysname-radius-radius2] secondary accounting 10.110.1.2 1813
Related commands
· display radius scheme
· key (RADIUS scheme view)
· primary accounting (RADIUS scheme view)
· vpn-instance (RADIUS scheme view)
secondary authentication (RADIUS scheme view)
Use secondary authentication to specify a secondary RADIUS authentication server.
Use undo secondary authentication to remove a secondary RADIUS authentication server.
Syntax
secondary authentication { host-name | ipv4-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *
undo secondary authentication [ { host-name | ipv4-address } [ port-number | vpn-instance vpn-instance-name ] * ]
Default
No secondary RADIUS authentication server is specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
host-name: Specifies the hostname of the secondary RADIUS authentication server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of the secondary RADIUS authentication server.
port-number: Sets the service port number of the secondary RADIUS authentication server. The value range for the UDP port number is 1 to 65535, and the default setting is 1812.
key { cipher | simple } string: Sets the shared key for secure communication with the secondary RADIUS authentication server.
· cipher string: Sets a ciphertext shared key. The string argument is case sensitive.
  ◦ In non-FIPS mode, the key is a string of 1 to 117 characters.
  ◦ In FIPS mode, the key is a string of 15 to 117 characters.
· simple string: Sets a plaintext shared key. The string argument is case sensitive.
  ◦ In non-FIPS mode, the key is a string of 1 to 64 characters.
  ◦ In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS authentication server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
You can configure a maximum of 16 secondary RADIUS authentication servers for a RADIUS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.
Two authentication servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.
The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.
The port number and shared key settings of a secondary RADIUS authentication server must be the same as the settings configured on the server.
The shared key configured by this command takes precedence over the shared key configured with the key authentication command. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.
If you use the secondary authentication command to modify or delete a secondary authentication server during an authentication process, communication with the secondary server times out. The device tries to communicate with an active server that has the highest priority for authentication.
Examples
# For RADIUS scheme radius1, specify a secondary authentication server with the IP address 10.110.1.2 and the UDP port 1812.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812
# Specify two secondary authentication servers for RADIUS scheme radius2, with the server IP addresses of 10.110.1.1 and 10.110.1.2, and the UDP port number of 1812.
<Sysname> system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary authentication 10.110.1.1 1812
[Sysname-radius-radius2] secondary authentication 10.110.1.2 1812
Related commands
· display radius scheme
· key (RADIUS scheme view)
· primary authentication (RADIUS scheme view)
· vpn-instance (RADIUS scheme view)
security-policy-server
Use security-policy-server to specify a security policy server.
Use undo security-policy-server to remove a security policy server.
Syntax
security-policy-server ipv4-address [ vpn-instance vpn-instance-name ]
undo security-policy-server { ipv4-address [ vpn-instance vpn-instance-name ] | all }
Default
No security policy server is specified.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-address: Specifies the IPv4 address of the security policy server.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the security policy server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the security policy server is on the public network, do not specify this option.
all: Specifies all security policy servers.
Usage guidelines
You can specify a maximum of eight security policy servers for a RADIUS scheme.
Examples
# Specify the security policy server 10.110.1.2 for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] security-policy-server 10.110.1.2
Related commands
display radius scheme
snmp-agent trap enable radius
Use snmp-agent trap enable radius to enable SNMP notifications for RADIUS.
Use undo snmp-agent trap enable radius to disable SNMP notifications for RADIUS.
Syntax
snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *
undo snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *
Default
All types of notifications for RADIUS are enabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
accounting-server-down: Sends a notification when the RADIUS accounting server becomes unreachable.
accounting-server-up: Sends a notification when the RADIUS accounting server becomes reachable.
authentication-error-threshold: Sends a notification when the number of authentication failures exceeds the specified threshold. The threshold is represented by the ratio of the authentication failures to the total number of authentication attempts. The value range is 1 to 100 and the default value is 30. This threshold can only be configured through the MIB.
authentication-server-down: Sends a notification when the RADIUS authentication server becomes unreachable.
authentication-server-up: Sends a notification when the RADIUS authentication server becomes reachable.
Usage guidelines
If you do not specify any keywords, this command enables or disables all types of notifications for RADIUS.
When SNMP notifications for RADIUS are enabled, the SNMP agent supports the following notifications generated by RADIUS:
· RADIUS server unreachable notification—The RADIUS server cannot be reached. RADIUS generates this notification if it cannot receive any response to an accounting or authentication request within the specified RADIUS request transmission attempts.
· RADIUS server reachable notification—The RADIUS server can be reached. RADIUS generates this notification for a previously blocked RADIUS server after the quiet timer expires.
· Excessive authentication failures notification—The number of authentication failures to the total number of authentication attempts exceeds the specified threshold.
Examples
# Enable the SNMP agent to send RADIUS accounting server unreachable notifications.
<Sysname> system-view
[Sysname] snmp-agent trap enable radius accounting-server-down
state primary
Use state primary to set the status of a primary RADIUS server.
Syntax
state primary { accounting | authentication } { active | block }
Default
The primary RADIUS server specified for a RADIUS scheme is in active state.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
accounting: Sets the status of the primary RADIUS accounting server.
authentication: Sets the status of the primary RADIUS authentication server.
active: Specifies the active state, the normal operation state.
block: Specifies the blocked state, the out-of-service state.
Usage guidelines
During an authentication or accounting process, the device first tries to communicate with the primary server if the primary server is in active state. If the primary server is unavailable, the device performs the following operations:
· Changes the status of the primary server to blocked.
· Starts a quiet timer for the server.
· Tries to communicate with a secondary server in active state.
When the quiet timer of the primary server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active.
When the primary server and all secondary servers are in blocked state, authentication or accounting fails.
Examples
# Set the status of the primary authentication server in RADIUS scheme radius1 to blocked.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] state primary authentication block
Related commands
· display radius scheme
· state secondary
state secondary
Use state secondary to set the status of a secondary RADIUS server.
Syntax
state secondary { accounting | authentication } [ { host-name | ipv4-address } [ port-number | vpn-instance vpn-instance-name ] * ] { active | block }
Default
Every secondary RADIUS server specified in a RADIUS scheme is in active state.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
accounting: Sets the status of a secondary RADIUS accounting server.
authentication: Sets the status of a secondary RADIUS authentication server.
host-name: Specifies the hostname of a secondary RADIUS server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of a secondary RADIUS server.
port-number: Sets the service port number of a secondary RADIUS server. The value range for the UDP port number is 1 to 65535. The default port numbers for authentication and accounting are 1812 and 1813, respectively.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
active: Specifies the active state, the normal operation state.
block: Specifies the blocked state, the out-of-service state.
Usage guidelines
If you do not specify an IP address, this command changes the status of all configured secondary RADIUS servers.
If the device finds that a secondary server in active state is unreachable, the device performs the following operations:
· Changes the status of the secondary server to blocked.
· Starts a quiet timer for the server.
· Tries to communicate with another secondary server in active state.
When the quiet timer of a server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active. If all configured secondary servers are unreachable, the device considers the authentication or accounting attempt a failure.
The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.
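The server-selection and quiet-timer behaviour described under state primary and state secondary, as an added model (not code from this reference or from the device): the primary is tried first when active, secondaries follow in configured order, an unanswered probe blocks the server and starts the quiet timer, and a manually blocked server stays blocked until manually reactivated. The addresses 10.110.1.1 and 10.110.1.2 come from the examples above; 10.110.1.3 and the probe outcomes are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class RadiusServer:
    address: str
    port: int = 1812
    state: str = "active"               # "active" (normal) or "block" (out of service)
    manual_block: bool = False          # set by the operator, not by a failed probe
    quiet_until: Optional[int] = None   # model time when the quiet timer expires


@dataclass
class RadiusScheme:
    primary: RadiusServer
    secondaries: List[RadiusServer]     # kept in the order they were configured
    quiet_minutes: int = 5              # timer quiet, 1 to 255 minutes

    def servers(self) -> List[RadiusServer]:
        return [self.primary, *self.secondaries]

    def set_state(self, server: RadiusServer, state: str) -> None:
        """Operator action: state primary / state secondary ... { active | block }."""
        if state not in ("active", "block"):
            raise ValueError("state must be active or block")
        server.state = state
        server.manual_block = state == "block"
        server.quiet_until = None

    def expire_quiet_timers(self, now: int) -> None:
        """An expired quiet timer returns a server to active, unless the operator
        blocked it manually, which only a manual 'active' undoes."""
        for s in self.servers():
            if (s.state == "block" and not s.manual_block
                    and s.quiet_until is not None and now >= s.quiet_until):
                s.state, s.quiet_until = "active", None

    def select(self, now: int,
               reachable: Callable[[RadiusServer], bool]) -> Optional[RadiusServer]:
        """Pick the server for one authentication or accounting request.

        Tries the primary first when it is active, then the secondaries in
        configured order. A server that does not answer is blocked and gets a
        quiet timer. Returns None when every server is blocked or unreachable,
        which the reference describes as an authentication or accounting failure.
        """
        self.expire_quiet_timers(now)
        for s in self.servers():
            if s.state != "active":
                continue
            if reachable(s):
                return s
            s.state = "block"
            s.quiet_until = now + self.quiet_minutes * 60
        return None

    def states(self) -> dict:
        return {s.address: s.state for s in self.servers()}


def build_demo_scheme() -> RadiusScheme:
    """Constructed topology: the two addresses from the examples above plus one
    hypothetical third secondary (10.110.1.3)."""
    return RadiusScheme(
        primary=RadiusServer("10.110.1.1"),
        secondaries=[RadiusServer("10.110.1.2"), RadiusServer("10.110.1.3")],
        quiet_minutes=5,
    )


def run_scenario() -> List[Optional[str]]:
    """Walk through a primary outage and recovery; returns the chosen server per step."""
    scheme = build_demo_scheme()
    down = {"10.110.1.1"}                   # constructed: the primary stops answering
    reachable = lambda s: s.address not in down
    chosen = []
    pick = scheme.select(0, reachable)      # t=0: primary probed, blocked, secondary used
    chosen.append(pick.address if pick else None)
    pick = scheme.select(120, reachable)    # t=2 min: primary still quiet, not probed
    chosen.append(pick.address if pick else None)
    down.clear()                            # the primary recovers
    pick = scheme.select(299, reachable)    # quiet timer (5 min) has not expired yet
    chosen.append(pick.address if pick else None)
    pick = scheme.select(300, reachable)    # timer expired: primary back to active
    chosen.append(pick.address if pick else None)
    return chosen


if __name__ == "__main__":
    print(run_scenario())
```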
Examples
# Set the status of all the secondary authentication servers in RADIUS scheme radius1 to blocked.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] state secondary authentication block
Related commands
· display radius scheme
· state primary
timer quiet (RADIUS scheme view)
Use timer quiet to set the quiet timer for the servers specified in a RADIUS scheme.
Use undo timer quiet to restore the default.
Syntax
timer quiet minutes
undo timer quiet
Default
The server quiet timer period is 5 minutes in a RADIUS scheme.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.
Usage guidelines
Make sure the server quiet timer is set correctly.
· A timer that is too short might result in frequent authentication or accounting failures. The reason is that the device will continue to attempt to communicate with an unreachable server that is in active state.
· A timer that is too long might temporarily block a reachable server that has recovered from a failure. The reason is that the server will remain in blocked state until the timer expires.
Examples
# Set the quiet timer for the servers to 10 minutes.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer quiet 10
Related commands
display radius scheme
timer realtime-accounting (RADIUS scheme view)
Use timer realtime-accounting to set the real-time accounting interval.
Use undo timer realtime-accounting to restore the default.
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
Default
The real-time accounting interval is 12 minutes.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60.
Usage guidelines
When the real-time accounting interval configured on the device is not zero, the device sends online user accounting information to the RADIUS accounting server at the configured interval.
When the real-time accounting interval on the device is zero, the device sends online user accounting information to the RADIUS accounting server at the real-time accounting interval configured on the server. If the real-time accounting interval is not configured on the server, the device does not send online user accounting information.
A short interval helps improve accounting precision but requires many system resources.
Table 6 Recommended real-time accounting intervals
Number of users | Real-time accounting interval |
---|---|
1 to 99 | 3 minutes |
100 to 499 | 6 minutes |
500 to 999 | 12 minutes |
1000 or more | 15 minutes or longer |
Examples
# Set the real-time accounting interval to 51 minutes for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer realtime-accounting 51
Related commands
retry realtime-accounting
timer response-timeout (RADIUS scheme view)
Use timer response-timeout to set the RADIUS server response timeout timer.
Use undo timer response-timeout to restore the default.
Syntax
timer response-timeout seconds
undo timer response-timeout
Default
The RADIUS server response timeout period is 3 seconds.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
seconds: Specifies the RADIUS server response timeout period, in the range of 1 to 10 seconds.
Usage guidelines
If a NAS receives no response from the RADIUS server within a period of time after sending a RADIUS request, it resends the request so that the user has another opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the retransmission interval.
The maximum number of RADIUS packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 300 seconds.
Examples
# Set the RADIUS server response timeout timer to 5 seconds for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer response-timeout 5
Related commands
· display radius scheme
· retry
user-name-format (RADIUS scheme view)
Use user-name-format to specify the format of the username to be sent to a RADIUS server.
Use undo user-name-format to restore the default.
Syntax
user-name-format { keep-original | with-domain | without-domain }
undo user-name-format
Default
The ISP domain name is included in the usernames sent to a RADIUS server.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
keep-original: Sends the username to the RADIUS server as the username is entered.
with-domain: Includes the ISP domain name in the username sent to the RADIUS server.
without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.
Usage guidelines
A username is generally in the userid@isp-name format, where the device uses the isp-name argument to determine the ISP domain to which a user belongs. Some earlier RADIUS servers, however, cannot recognize a username that contains an ISP domain name. Before sending a username that includes a domain name to such a RADIUS server, the device must remove the domain name. This command allows you to specify whether to include the domain name in a username sent to a RADIUS server.
If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the RADIUS scheme to more than one ISP domain. Otherwise, the RADIUS server will consider two users in different ISP domains but with the same userid as one user.
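The three keywords, and the userid collision the preceding paragraph warns about when a without-domain scheme is shared by two ISP domains, modeled in Python as an added example (not from the manual or the device software). The usernames and domain names are constructed, and the assumption that a user who enters no domain falls into a default domain is ours, not the manual's.

```python
"""Model of user-name-format and the shared-scheme userid collision.

Added example, not from the manual or the device software. The usernames,
ISP domain names and the default-domain assumption below are constructed.
"""
from collections import defaultdict


def split_username(entered):
    """Split 'userid@isp-name' into (userid, isp_name).

    isp_name is None when the user entered no domain.
    """
    userid, sep, domain = entered.rpartition("@")
    if not sep:
        return entered, None
    return userid, domain


def format_username(entered, fmt, default_domain):
    """Return the username the NAS sends to the RADIUS server.

    fmt is one of the three user-name-format keywords. A user who entered no
    domain is assumed (our assumption) to belong to default_domain.
    """
    userid, domain = split_username(entered)
    if fmt == "keep-original":
        return entered
    if fmt == "without-domain":
        return userid
    if fmt == "with-domain":
        return "%s@%s" % (userid, domain if domain is not None else default_domain)
    raise ValueError("unknown user-name-format keyword: %s" % fmt)


def find_collisions(fmt, domains_using_scheme, entered_usernames, default_domain="system"):
    """Return {sent_username: [isp domains]} for usernames that two or more ISP
    domains sharing one RADIUS scheme would present to the server as one user.

    Only users whose ISP domain applies the scheme are considered.
    """
    domains_by_sent = defaultdict(set)
    for entered in entered_usernames:
        _, domain = split_username(entered)
        if domain is None:
            domain = default_domain
        if domain not in domains_using_scheme:
            continue
        sent = format_username(entered, fmt, default_domain)
        domains_by_sent[sent].add(domain)
    return {sent: sorted(doms) for sent, doms in domains_by_sent.items() if len(doms) > 1}


# Constructed input: one RADIUS scheme applied to ISP domains corp and guest.
SCHEME_DOMAINS = {"corp", "guest"}
ONLINE_USERS = ["alice@corp", "alice@guest", "bob@corp", "carol@partner"]

if __name__ == "__main__":
    for keyword in ("with-domain", "without-domain", "keep-original"):
        print(keyword, find_collisions(keyword, SCHEME_DOMAINS, ONLINE_USERS))
```

Only without-domain reports alice as a collision; with-domain and keep-original keep the two alice accounts distinct.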
Examples
# Configure the device to remove the domain name from the username sent to the RADIUS servers specified in RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] user-name-format without-domain
Related commands
display radius scheme
vpn-instance (RADIUS scheme view)
Use vpn-instance to specify a VPN for a RADIUS scheme.
Use undo vpn-instance to remove the configuration.
Syntax
vpn-instance vpn-instance-name
undo vpn-instance
Default
The RADIUS scheme belongs to the public network.
Views
RADIUS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
vpn-instance-name: Specifies the name of the MPLS L3VPN, a case-sensitive string of 1 to 31 characters.
Usage guidelines
The VPN specified by using this command applies to all servers in the RADIUS scheme for which no VPN is specified.
Examples
# Specify VPN test for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] vpn-instance test
Related commands
display radius scheme
HWTACACS commands
data-flow-format (HWTACACS scheme view)
Use data-flow-format to set the data flow and packet measurement units for traffic statistics.
Use undo data-flow-format to restore the default.
Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }
Default
Traffic is counted in bytes and packets.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.
packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
Usage guidelines
The data flow and packet measurement units for traffic statistics must be the same as configured on the HWTACACS accounting servers. Otherwise, accounting results might be incorrect.
Examples
# In HWTACACS scheme hwt1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte packet kilo-packet
Related commands
display hwtacacs scheme
display hwtacacs scheme
Use display hwtacacs scheme to display the configuration or statistics of HWTACACS schemes.
Syntax
display hwtacacs scheme [ hwtacacs-scheme-name [ statistics ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an HWTACACS scheme, the command displays the configuration of all HWTACACS schemes.
statistics: Displays the HWTACACS service statistics. If you do not specify this keyword, the command displays the configuration of the HWTACACS scheme.
Examples
# Display the configuration of all HWTACACS schemes.
<Sysname> display hwtacacs scheme
Total 2 TACACS schemes
------------------------------------------------------------------
HWTACACS Scheme Name : tac
Index : 0
Primary Auth Server:
Host name: tacacs.com
IP : 82.0.0.37 Port: 49 State: Active
VPN Instance: Not configured
Single-connection: Disabled
Primary Author Server:
Host name: tacacs.com
IP : 82.0.0.37 Port: 49 State: Active
VPN Instance: Not configured
Single-connection: Disabled
Primary Acct Server:
Host name: tacacs.com
IP : 82.0.0.37 Port: 49 State: Active
VPN Instance: Not configured
Single-connection: Disabled
VPN Instance : Not configured
NAS IP Address : Not configured
Server Quiet Period(minutes) : 5
Realtime Accounting Interval(minutes) : 12
Response Timeout Interval(seconds) : 5
Username Format : without-domain
------------------------------------------------------------------
HWTACACS Scheme Name : tac2
Index : 1
Primary Auth Server:
Host name: tacacs.com
IP : 82.0.0.37 Port: 49 State: Active
VPN Instance: 1
Single-connection: Disabled
Primary Author Server:
Host name: tacacs.com
IP : 82.0.0.37 Port: 49 State: Active
VPN Instance: 1
Single-connection: Disabled
Primary Acct Server:
Host name: tacacs.com
IP : 82.0.0.37 Port: 49 State: Active
VPN Instance: 1
Single-connection: Disabled
VPN Instance : Not configured
NAS IP Address : Not configured
Server Quiet Period(minutes) : 5
Realtime Accounting Interval(minutes) : 12
Response Timeout Interval(seconds) : 5
Username Format : without-domain
------------------------------------------------------------------
Table 7 Command output
Field | Description |
---|---|
Index | Index number of the HWTACACS scheme. |
Primary Auth Server | Primary HWTACACS authentication server. |
Primary Author Server | Primary HWTACACS authorization server. |
Primary Acct Server | Primary HWTACACS accounting server. |
Secondary Auth Server | Secondary HWTACACS authentication server. |
Secondary Author Server | Secondary HWTACACS authorization server. |
Secondary Acct Server | Secondary HWTACACS accounting server. |
Host name | Hostname of the HWTACACS server. The field displays Not configured in the following situations: · The server is not configured. · The server is specified by IP address. |
IP | IP address of the HWTACACS server. This field displays Not configured in the following situations: · The server is not configured. · The server is specified by hostname, and the hostname is not resolved. |
Port | Service port of the HWTACACS server. If no port configuration is performed, this field displays the default port number. |
Single-connection | Single connection status: · Enabled—Establish only one TCP connection for all users to communicate with the server. · Disabled—Establish a TCP connection for each user to communicate with the server. |
State | Status of the HWTACACS server: active or blocked. |
VPN Instance | MPLS L3VPN to which the HWTACACS server or scheme belongs. If no VPN is specified for the server or scheme, this field displays Not configured. |
NAS IP Address | Source IP address for outgoing HWTACACS packets. |
Server Quiet Period(minutes) | Quiet period for the primary servers, in minutes. |
Realtime Accounting Interval(minutes) | Real-time accounting interval, in minutes. |
Response Timeout Interval(seconds) | HWTACACS server response timeout period, in seconds. |
Username Format | Format for the usernames sent to the HWTACACS server. Possible values include: · with-domain—Includes the domain name. · without-domain—Excludes the domain name. · keep-original—Forwards the username as the username is entered. |
Related commands
reset hwtacacs statistics
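A parser for the output format shown above, plus a check that flags servers whose State is not Active, as an added Python example (not from the manual or the device software). The sample output is constructed in that format; scheme tac-dc2, address 203.0.113.49 and its Blocked state are invented so the check has something to report.

```python
"""Parser and health check for 'display hwtacacs scheme' output.

Added example, not from the manual or the device software. SAMPLE_OUTPUT is
constructed in the displayed format; tac-dc2 and its Blocked server are invented.
"""
import re

SCHEME_RE = re.compile(r"^HWTACACS Scheme Name\s*:\s*(\S+)")
ROLE_RE = re.compile(r"^(Primary|Secondary) (Auth|Author|Acct) Server:")
HOST_RE = re.compile(r"^Host name:\s*(.+?)\s*$")
SERVER_RE = re.compile(r"^IP\s*:\s*(\S+)\s+Port:\s*(\d+)\s+State:\s*(\w+)")
SINGLE_RE = re.compile(r"^Single-connection:\s*(\w+)")
SCHEME_FIELD_RE = re.compile(
    r"^(Username Format|Response Timeout Interval\(seconds\)|"
    r"Realtime Accounting Interval\(minutes\)|Server Quiet Period\(minutes\))\s*:\s*(.+?)\s*$")


def parse_display_hwtacacs_scheme(text):
    """Return {scheme_name: {"servers": [server dicts], "fields": {name: value}}}."""
    schemes = {}
    scheme = None
    server = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SCHEME_RE.match(line)
        if m:
            scheme = schemes.setdefault(m.group(1), {"servers": [], "fields": {}})
            server = None
            continue
        if scheme is None:
            continue                       # banner and separator lines
        m = ROLE_RE.match(line)
        if m:
            server = {"role": "%s %s" % m.groups()}
            scheme["servers"].append(server)
            continue
        m = SCHEME_FIELD_RE.match(line)
        if m:
            scheme["fields"][m.group(1)] = m.group(2)
            server = None                  # scheme-level fields follow the server blocks
            continue
        if server is None:
            continue
        m = HOST_RE.match(line)
        if m:
            server["host"] = m.group(1)
            continue
        m = SERVER_RE.match(line)
        if m:
            server["ip"], server["port"], server["state"] = m.group(1), int(m.group(2)), m.group(3)
            continue
        m = SINGLE_RE.match(line)
        if m:
            server["single_connection"] = m.group(1) == "Enabled"
    return schemes


def health_findings(schemes):
    """List (scheme, role, ip, issue) for every server whose State is not Active."""
    findings = []
    for name, scheme in schemes.items():
        for srv in scheme["servers"]:
            state = srv.get("state", "unknown")
            if state != "Active":
                findings.append((name, srv["role"], srv.get("ip"), "state %s" % state))
    return findings


# Constructed sample in the format of the output above; tac-dc2 is invented.
SAMPLE_OUTPUT = """\
------------------------------------------------------------------
HWTACACS Scheme Name : tac
Primary Auth Server:
Host name: tacacs.com
IP : 82.0.0.37 Port: 49 State: Active
VPN Instance: Not configured
Single-connection: Disabled
Primary Acct Server:
Host name: tacacs.com
IP : 82.0.0.37 Port: 49 State: Active
VPN Instance: Not configured
Single-connection: Disabled
VPN Instance : Not configured
Response Timeout Interval(seconds) : 5
Username Format : without-domain
------------------------------------------------------------------
HWTACACS Scheme Name : tac-dc2
Primary Acct Server:
Host name: Not configured
IP : 203.0.113.49 Port: 49 State: Blocked
VPN Instance: 1
Single-connection: Enabled
Username Format : with-domain
------------------------------------------------------------------
"""

if __name__ == "__main__":
    print(health_findings(parse_display_hwtacacs_scheme(SAMPLE_OUTPUT)))
```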
hwtacacs nas-ip
Use hwtacacs nas-ip to specify a source IP address for outgoing HWTACACS packets.
Use undo hwtacacs nas-ip to delete a source IP address for outgoing HWTACACS packets.
Syntax
hwtacacs nas-ip ipv4-address [ vpn-instance vpn-instance-name ]
undo hwtacacs nas-ip ipv4-address [ vpn-instance vpn-instance-name ]
Default
The source IP address of an HWTACACS packet sent to the server is the IP address of the outbound interface.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IP address belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To configure a public-network source IPv4 address, do not specify this option.
Usage guidelines
The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of a managed NAS.
· If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.
· If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.
You can specify a maximum of 16 source IP addresses, including the following IP addresses:
· Zero or one public-network source IPv4 address.
· Private-network source IPv4 addresses.
A newly specified public-network source IPv4 address overwrites the previous address. Each VPN can have a maximum of one private-network source IPv4 address.
When you use both the nas-ip and hwtacacs nas-ip commands, the following guidelines apply:
· The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme.
· The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.
· The setting in HWTACACS scheme view takes precedence over the setting in system view.
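The address restrictions, the 16-entry limit, the overwrite rule and the precedence rules above, modeled in Python as an added example (not from the manual or the device software). Device addresses and VPN names are constructed; selecting the table entry by the server's VPN and overwriting a VPN's existing entry are our assumptions.

```python
"""Model of the hwtacacs nas-ip source-address rules.

Added example, not from the manual or the device software. Device addresses
and VPN names are constructed; choosing the table entry by the server's VPN
and overwriting a VPN's existing entry are assumptions.
"""
import ipaddress

MAX_SOURCE_ADDRESSES = 16                       # limit from the usage guidelines
CLASS_E = ipaddress.IPv4Network("240.0.0.0/4")  # 255.255.255.255 sits here too


def validate_nas_ip(text, device_addresses):
    """Apply the restrictions of the ipv4-address argument; return the address."""
    addr = ipaddress.IPv4Address(text)
    if addr == ipaddress.IPv4Address("0.0.0.0"):
        raise ValueError("0.0.0.0 is not allowed")
    if addr == ipaddress.IPv4Address("255.255.255.255"):
        raise ValueError("255.255.255.255 is not allowed")
    if addr.is_multicast:                        # class D, 224.0.0.0/4
        raise ValueError("class D address not allowed")
    if addr in CLASS_E:
        raise ValueError("class E address not allowed")
    if addr.is_loopback:
        raise ValueError("loopback address not allowed")
    if addr not in device_addresses:
        raise ValueError("%s is not an address of the device" % addr)
    return addr


def is_valid_nas_ip(text, device_addresses):
    """Boolean form of validate_nas_ip; malformed input also counts as invalid."""
    try:
        validate_nas_ip(text, {ipaddress.IPv4Address(a) for a in device_addresses})
    except ValueError:                           # AddressValueError is a ValueError
        return False
    return True


class HwtacacsNasIpTable:
    """System-view table: at most one public-network address plus one per VPN."""

    def __init__(self, device_addresses):
        self.device_addresses = {ipaddress.IPv4Address(a) for a in device_addresses}
        self.public = None                       # hwtacacs nas-ip A.B.C.D
        self.private = {}                        # vpn-instance-name -> address

    def count(self):
        return (1 if self.public is not None else 0) + len(self.private)

    def hwtacacs_nas_ip(self, text, vpn_instance=None):
        """Mirror 'hwtacacs nas-ip ipv4-address [ vpn-instance name ]'.

        Returns False when the 16-entry limit would be exceeded; address
        restriction violations raise ValueError from validate_nas_ip.
        """
        addr = validate_nas_ip(text, self.device_addresses)
        if vpn_instance is None:
            new_slot = self.public is None
        else:
            new_slot = vpn_instance not in self.private
        if new_slot and self.count() >= MAX_SOURCE_ADDRESSES:
            return False
        if vpn_instance is None:
            self.public = addr                   # new public address overwrites the old one
        else:
            self.private[vpn_instance] = addr    # assumed: overwrites that VPN's entry
        return True

    def undo_hwtacacs_nas_ip(self, text, vpn_instance=None):
        """Mirror the undo form; removes only a matching entry."""
        addr = ipaddress.IPv4Address(text)
        if vpn_instance is None and self.public == addr:
            self.public = None
        elif self.private.get(vpn_instance) == addr:
            del self.private[vpn_instance]

    def source_address(self, scheme_nas_ip, outbound_interface_ip, vpn_instance=None):
        """Precedence from the guidelines: scheme-view nas-ip, then this table,
        then the outbound interface address."""
        if scheme_nas_ip is not None:
            return ipaddress.IPv4Address(scheme_nas_ip)
        entry = self.public if vpn_instance is None else self.private.get(vpn_instance)
        if entry is not None:
            return entry
        return ipaddress.IPv4Address(outbound_interface_ip)
```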
Examples
# Set the IP address for the device to use as the source address for HWTACACS packets to 129.10.10.1.
<Sysname> system-view
[Sysname] hwtacacs nas-ip 129.10.10.1
Related commands
nas-ip (HWTACACS scheme view)
hwtacacs scheme
Use hwtacacs scheme to create an HWTACACS scheme and enter HWTACACS scheme view.
Use undo hwtacacs scheme to delete an HWTACACS scheme.
Syntax
hwtacacs scheme hwtacacs-scheme-name
undo hwtacacs scheme hwtacacs-scheme-name
Default
No HWTACACS scheme exists.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
hwtacacs-scheme-name: Specifies the HWTACACS scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
An HWTACACS scheme can be used by more than one ISP domain at the same time.
You can configure a maximum of 16 HWTACACS schemes.
Examples
# Create an HWTACACS scheme named hwt1 and enter HWTACACS scheme view.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1]
Related commands
display hwtacacs scheme
key (HWTACACS scheme view)
Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication.
Use undo key to remove the configuration.
Syntax
key { accounting | authentication | authorization } { cipher | simple } string
undo key { accounting | authentication | authorization }
Default
No shared key is configured.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
accounting: Sets the shared key for secure HWTACACS accounting communication.
authentication: Sets the shared key for secure HWTACACS authentication communication.
authorization: Sets the shared key for secure HWTACACS authorization communication.
cipher: Sets a ciphertext shared key.
simple: Sets a plaintext shared key.
string: Specifies the shared key string. This argument is case sensitive.
· In non-FIPS mode:
  ◦ A ciphertext shared key is a string of 1 to 373 characters.
  ◦ A plaintext shared key is a string of 1 to 255 characters.
· In FIPS mode:
  ◦ A ciphertext shared key is a string of 15 to 373 characters.
  ◦ A plaintext shared key is a string of 15 to 255 characters that must contain digits, uppercase letters, lowercase letters, and special characters.
Usage guidelines
The shared keys configured on the device must match those configured on the HWTACACS servers.
For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
Examples
# Set the shared key for secure HWTACACS authentication communication to 123456TESTauth&! in plain text for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key authentication simple 123456TESTauth&!
# Set the shared key for secure HWTACACS authorization communication to 123456TESTautr&! in plain text.
[Sysname-hwtacacs-hwt1] key authorization simple 123456TESTautr&!
# Set the shared key for secure HWTACACS accounting communication to 123456TESTacct&! in plain text.
[Sysname-hwtacacs-hwt1] key accounting simple 123456TESTacct&!
Related commands
display hwtacacs scheme
nas-ip (HWTACACS scheme view)
Use nas-ip to specify a source IP address for outgoing HWTACACS packets.
Use undo nas-ip to delete a source IP address for outgoing HWTACACS packets.
Syntax
nas-ip ipv4-address
undo nas-ip
Default
The source IP address of an outgoing HWTACACS packet is the IP address configured by using the hwtacacs nas-ip command in system view.
If the hwtacacs nas-ip command is not configured, the source IP address is the IP address of the outbound interface.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
Usage guidelines
The source IP address of the HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of a managed NAS.
· If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.
· If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.
When you use both the nas-ip and hwtacacs nas-ip commands, the following guidelines apply:
· The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme.
· The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.
· The setting in HWTACACS scheme view takes precedence over the setting in system view.
If you execute the command multiple times, the most recent configuration takes effect.
Examples
# Set the source address for outgoing HWTACACS packets to 10.1.1.1 for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1
Related commands
hwtacacs nas-ip
primary accounting (HWTACACS scheme view)
Use primary accounting to specify the primary HWTACACS accounting server.
Use undo primary accounting to remove the configuration.
Syntax
primary accounting { host-name | ipv4-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *
undo primary accounting
Default
No primary HWTACACS accounting server is specified.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
host-name: Specifies the hostname of the primary HWTACACS accounting server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies an IPv4 address of the primary HWTACACS accounting server.
port-number: Specifies the service port number of the primary HWTACACS accounting server. The value range for the TCP port number is 1 to 65535, and the default setting is 49.
key { cipher | simple } string: Sets the shared key for secure communication with the primary HWTACACS accounting server.
· cipher string: Sets a ciphertext shared key. The string argument is case sensitive.
  ◦ In non-FIPS mode, the key is a string of 1 to 373 characters.
  ◦ In FIPS mode, the key is a string of 15 to 373 characters.
· simple string: Sets a plaintext shared key. The string argument is case sensitive.
  ◦ In non-FIPS mode, the key is a string of 1 to 255 characters.
  ◦ In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.
single-connection: The device and the primary HWTACACS accounting server use the same TCP connection to exchange accounting packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges accounting packets with the primary accounting server for a user. As a best practice, specify this keyword to reduce the number of TCP connections and improve system performance if the HWTACACS server supports the single-connection method.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS accounting server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Two accounting servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.
The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.
The port number and shared key settings of the primary HWTACACS accounting server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.
You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.
Examples
# Specify the primary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key 123456TESTacct&! for HWTACACS scheme test1.
<Sysname> system-view
[Sysname] hwtacacs scheme test1
[Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49 key simple 123456TESTacct&!
Related commands
· display hwtacacs scheme
· key (HWTACACS scheme view)
· secondary accounting (HWTACACS scheme view)
· vpn-instance (HWTACACS scheme view)
primary authentication (HWTACACS scheme view)
Use primary authentication to specify the primary HWTACACS authentication server.
Use undo primary authentication to remove the configuration.
Syntax
primary authentication { host-name | ipv4-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *
undo primary authentication
Default
No primary HWTACACS authentication server is specified.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
host-name: Specifies the hostname of the primary HWTACACS authentication server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of the primary HWTACACS authentication server.
port-number: Specifies the service port number of the primary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535, and the default setting is 49.
key { cipher | simple } string: Sets the shared key for secure communication with the primary HWTACACS authentication server.
· cipher string: Sets a ciphertext shared key. The string argument is case sensitive.
  ◦ In non-FIPS mode, the key is a string of 1 to 373 characters.
  ◦ In FIPS mode, the key is a string of 15 to 373 characters.
· simple string: Sets a plaintext shared key. The string argument is case sensitive.
  ◦ In non-FIPS mode, the key is a string of 1 to 255 characters.
  ◦ In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.
single-connection: The device and the primary HWTACACS authentication server use the same TCP connection to exchange all authentication packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authentication packets with the primary authentication server for a user. As a best practice, specify this keyword to reduce the number of TCP connections and improve system performance if the HWTACACS server supports the single-connection method.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS authentication server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Two authentication servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.
The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.
The port number and shared key settings of the primary HWTACACS authentication server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.
You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.
Examples
# Specify the primary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&! for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49 key simple 123456TESTauth&!
Related commands
· display hwtacacs scheme
· key (HWTACACS scheme view)
· secondary authentication (HWTACACS scheme view)
· vpn-instance (HWTACACS scheme view)
primary authorization
Use primary authorization to specify the primary HWTACACS authorization server.
Use undo primary authorization to remove the configuration.
Syntax
primary authorization { host-name | ipv4-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *
undo primary authorization
Default
No primary HWTACACS authorization server is specified.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
host-name: Specifies the hostname of the primary HWTACACS authorization server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of the primary HWTACACS authorization server.
port-number: Specifies the service port number of the primary HWTACACS authorization server. The value range for the TCP port number is 1 to 65535, and the default setting is 49.
key { cipher | simple } string: Sets the shared key for secure communication with the primary HWTACACS authorization server.
· cipher string: Sets a ciphertext shared key. The string argument is case sensitive.
  ◦ In non-FIPS mode, the key is a string of 1 to 373 characters.
  ◦ In FIPS mode, the key is a string of 15 to 373 characters.
· simple string: Sets a plaintext shared key. The string argument is case sensitive.
  ◦ In non-FIPS mode, the key is a string of 1 to 255 characters.
  ◦ In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.
single-connection: The device and the primary HWTACACS authorization server use the same TCP connection to exchange all authorization packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authorization packets with the primary authorization server for a user. As a best practice, specify this keyword to reduce the number of TCP connections and improve system performance if the HWTACACS server supports the single-connection method.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS authorization server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Two authorization servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.
The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.
The port number and shared key settings of the primary HWTACACS authorization server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.
You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.
Examples
# Specify the primary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&! for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49 key simple 123456TESTautr&!
Related commands
· display hwtacacs scheme
· key (HWTACACS scheme view)
· secondary authorization
· vpn-instance (HWTACACS scheme view)
reset hwtacacs statistics
Use reset hwtacacs statistics to clear HWTACACS statistics.
Syntax
reset hwtacacs statistics { accounting | all | authentication | authorization }
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
accounting: Clears the HWTACACS accounting statistics.
all: Clears all HWTACACS statistics.
authentication: Clears the HWTACACS authentication statistics.
authorization: Clears the HWTACACS authorization statistics.
Examples
# Clear all HWTACACS statistics.
<Sysname> reset hwtacacs statistics all
Related commands
display hwtacacs scheme
secondary accounting (HWTACACS scheme view)
Use secondary accounting to specify a secondary HWTACACS accounting server.
Use undo secondary accounting to remove a secondary HWTACACS accounting server.
Syntax
secondary accounting { host-name | ipv4-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *
undo secondary accounting [ { host-name | ipv4-address } [ port-number | vpn-instance vpn-instance-name ] * ]
Default
No secondary HWTACACS accounting server is specified.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
host-name: Specifies the hostname of the secondary HWTACACS accounting server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of the secondary HWTACACS accounting server.
port-number: Specifies the service port number of the secondary HWTACACS accounting server. The value range for the TCP port number is 1 to 65535, and the default setting is 49.
key { cipher | simple } string: Specifies the shared key for secure communication with the secondary HWTACACS accounting server.
· cipher string: Sets a ciphertext shared key. The string argument is case sensitive.
  ◦ In non-FIPS mode, the key is a string of 1 to 373 characters.
  ◦ In FIPS mode, the key is a string of 15 to 373 characters.
· simple string: Sets a plaintext shared key. The string argument is case sensitive.
  ◦ In non-FIPS mode, the key is a string of 1 to 255 characters.
  ◦ In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.
single-connection: The device and the secondary HWTACACS accounting server use the same TCP connection to exchange all accounting packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges accounting packets with the secondary accounting server for a user. As a best practice, specify this keyword to reduce the number of TCP connections and improve system performance if the HWTACACS server supports the single-connection method.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS accounting server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
You can configure a maximum of 16 secondary HWTACACS accounting servers for an HWTACACS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.
If you do not specify any parameters for the undo secondary accounting command, the command removes all secondary accounting servers.
Two accounting servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.
The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.
The port number and shared key settings of a secondary HWTACACS accounting server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.
You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.
Examples
# Specify a secondary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key 123456TESTacct&! for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49 key simple 123456TESTacct&!
Related commands
· display hwtacacs scheme
· key (HWTACACS scheme view)
· primary accounting (HWTACACS scheme view)
· vpn-instance (HWTACACS scheme view)
secondary authentication (HWTACACS scheme view)
Use secondary authentication to specify a secondary HWTACACS authentication server.
Use undo secondary authentication to remove a secondary HWTACACS authentication server.
Syntax
secondary authentication { host-name | ipv4-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *
undo secondary authentication [ { host-name | ipv4-address } [ port-number | vpn-instance vpn-instance-name ] * ]
Default
No secondary HWTACACS authentication server is specified.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
host-name: Specifies the hostname of the secondary HWTACACS authentication server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authentication server.
port-number: Specifies the service port number of the secondary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535, and the default setting is 49.
key { cipher | simple } string: Sets the shared key for secure communication with the secondary HWTACACS authentication server.
· cipher string: Sets a ciphertext shared key. The string argument is case sensitive.
¡ In non-FIPS mode, the key is a string of 1 to 373 characters.
¡ In FIPS mode, the key is a string of 15 to 373 characters.
· simple string: Sets a plaintext shared key. The string argument is case sensitive.
¡ In non-FIPS mode, the key is a string of 1 to 255 characters.
¡ In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.
single-connection: The device and the secondary HWTACACS authentication server use the same TCP connection to exchange all authentication packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authentication packets with the secondary authentication server for a user. As a best practice, specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS authentication server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
You can configure a maximum of 16 secondary HWTACACS authentication servers for an HWTACACS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.
If you do not specify any parameters for the undo secondary authentication command, the command removes all secondary authentication servers.
Two authentication servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.
The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.
The port number and shared key settings of a secondary HWTACACS authentication server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.
You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.
Examples
# Specify a secondary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&! for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49 key simple 123456TESTauth&!
Related commands
· display hwtacacs scheme
· key (HWTACACS scheme view)
· primary authentication (HWTACACS scheme view)
· vpn-instance (HWTACACS scheme view)
secondary authorization
Use secondary authorization to specify a secondary HWTACACS authorization server.
Use undo secondary authorization to remove a secondary HWTACACS authorization server.
Syntax
secondary authorization { host-name | ipv4-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *
undo secondary authorization [ { host-name | ipv4-address } [ port-number | vpn-instance vpn-instance-name ] * ]
Default
No secondary HWTACACS authorization server is specified.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
host-name: Specifies the hostname of the secondary HWTACACS authorization server, a case-insensitive string of 1 to 253 characters.
ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authorization server.
port-number: Specifies the service port number of the secondary HWTACACS authorization server. The value range for the TCP port number is 1 to 65535, and the default setting is 49.
key { cipher | simple } string: Sets the shared key for secure communication with the secondary HWTACACS authorization server.
· cipher string: Sets a ciphertext shared key. The string argument is case sensitive.
¡ In non-FIPS mode, the key is a string of 1 to 373 characters.
¡ In FIPS mode, the key is a string of 15 to 373 characters.
· simple string: Sets a plaintext shared key. The string argument is case sensitive.
¡ In non-FIPS mode, the key is a string of 1 to 255 characters.
¡ In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.
single-connection: The device and the secondary HWTACACS authorization server use the same TCP connection to exchange all authorization packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authorization packets with the secondary authorization server for a user. As a best practice, specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS authorization server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
You can configure a maximum of 16 secondary HWTACACS authorization servers for an HWTACACS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.
If you do not specify any parameters for the undo secondary authorization command, the command removes all secondary authorization servers.
Two authorization servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.
The specified hostname might be resolved to multiple IPv4 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.
The port number and shared key settings of a secondary HWTACACS authorization server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.
You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.
Examples
# Specify a secondary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&! for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49 key simple 123456TESTautr&!
Related commands
· display hwtacacs scheme
· key (HWTACACS scheme view)
· primary authorization
· vpn-instance (HWTACACS scheme view)
timer quiet (HWTACACS scheme view)
Use timer quiet to set the quiet timer for the servers specified in an HWTACACS scheme.
Use undo timer quiet to restore the default.
Syntax
timer quiet minutes
undo timer quiet
Default
The server quiet timer period is 5 minutes in an HWTACACS scheme.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.
Examples
# Set the server quiet timer to 10 minutes.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer quiet 10
Related commands
display hwtacacs scheme
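The server-selection rules stated in the secondary server commands (primary first, then secondary servers in the order configured, only servers in active state), the rule that two servers in a scheme cannot share hostname/IP, port and VPN, the precedence of a server-level vpn-instance over the scheme-level one, and the quiet timer, as an added Python model. This is not Comware code and is not part of the original reference. It assumes that a server that fails to respond is placed in blocked state for the quiet-timer period (timer quiet, default 5 minutes) and is skipped until the timer expires; the Scheme and Server classes, the attempt function and the addresses are invented for illustration.

```python
"""Added model (not Comware code) of HWTACACS server selection: primary first,
then secondary servers in configured order, skipping servers whose quiet
timer is running; plus the duplicate-server and VPN-precedence rules."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

QUIET_DEFAULT_MIN = 5   # timer quiet default; valid range 1 to 255 minutes
MAX_SECONDARY = 16      # secondary servers of one type per scheme


@dataclass
class Server:
    host: str                   # hostname (case-insensitive) or IPv4 address
    port: int = 49              # TCP port, default 49
    vpn: Optional[str] = None   # server-level vpn-instance; None = use the scheme VPN
    blocked_until: float = 0.0  # minute at which the quiet timer expires (0 = active)

    def is_active(self, now_min: float) -> bool:
        return now_min >= self.blocked_until


class Scheme:
    """One HWTACACS scheme holding a primary and up to 16 secondary servers."""

    def __init__(self, name: str, quiet_min: int = QUIET_DEFAULT_MIN,
                 vpn: Optional[str] = None) -> None:
        if not 1 <= quiet_min <= 255:
            raise ValueError("timer quiet must be 1 to 255 minutes")
        self.name = name
        self.quiet_min = quiet_min
        self.vpn = vpn                    # scheme-level vpn-instance (None = public network)
        self.primary: Optional[Server] = None
        self.secondaries: List[Server] = []

    def effective_vpn(self, srv: Server) -> Optional[str]:
        # A VPN specified on the server takes precedence over the scheme VPN.
        return srv.vpn if srv.vpn is not None else self.vpn

    def servers(self) -> List[Server]:
        # Selection order: primary first, then secondaries as configured.
        head = [self.primary] if self.primary is not None else []
        return head + self.secondaries

    def _identity(self, srv: Server) -> Tuple[str, int, Optional[str]]:
        return (srv.host.lower(), srv.port, self.effective_vpn(srv))

    def _check_unique(self, srv: Server) -> None:
        # Two servers in a scheme cannot share hostname/IP, port and VPN.
        if any(self._identity(srv) == self._identity(s) for s in self.servers()):
            raise ValueError("a server with the same host, port and VPN exists")

    def set_primary(self, srv: Server) -> None:
        self._check_unique(srv)
        self.primary = srv

    def add_secondary(self, srv: Server) -> None:
        if len(self.secondaries) >= MAX_SECONDARY:
            raise ValueError("at most 16 secondary servers per scheme")
        self._check_unique(srv)
        self.secondaries.append(srv)

    def attempt(self, now_min: float,
                reachable: Callable[[Server], bool]) -> Optional[Server]:
        """Try the servers in order and return the first one that answers.
        A server that does not answer is put in blocked state for quiet_min
        minutes (assumed quiet-timer behaviour) and skipped until it expires."""
        for srv in self.servers():
            if not srv.is_active(now_min):
                continue
            if reachable(srv):
                return srv
            srv.blocked_until = now_min + self.quiet_min
        return None


if __name__ == "__main__":
    # Constructed scheme: the addresses are illustrative only.
    hwt1 = Scheme("hwt1", quiet_min=10, vpn="test")
    hwt1.set_primary(Server("10.163.155.10"))
    hwt1.add_secondary(Server("10.163.155.12", vpn="mgmt"))
    hwt1.add_secondary(Server("10.163.155.13"))
    down = {"10.163.155.10"}
    chosen = hwt1.attempt(0, lambda s: s.host not in down)
    print("t=0  answered by", chosen.host, "in VPN", hwt1.effective_vpn(chosen))
    print("t=5  answered by", hwt1.attempt(5, lambda s: True).host)
    print("t=10 answered by", hwt1.attempt(10, lambda s: True).host)
```

The point to take from the model is the failure mode: with every server unreachable for longer than the quiet period, each attempt re-blocks the whole list and authentication falls through to whatever the ISP domain configures after the scheme, so the quiet timer should be sized against the response timeout and the number of configured servers.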
timer realtime-accounting (HWTACACS scheme view)
Use timer realtime-accounting to set the real-time accounting interval.
Use undo timer realtime-accounting to restore the default.
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
Default
The real-time accounting interval is 12 minutes.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60. Setting this interval to 0 disables the device from sending online user accounting information to the HWTACACS accounting server.
Usage guidelines
For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. This command is used to set the interval.
A short interval improves accounting precision but consumes more system resources.
Table 8 Recommended real-time accounting intervals
Number of users | Real-time accounting interval |
---|---|
1 to 99 | 3 minutes |
100 to 499 | 6 minutes |
500 to 999 | 12 minutes |
1000 or more | 15 minutes or longer |
Examples
# Set the real-time accounting interval to 51 minutes for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer realtime-accounting 51
Related commands
display hwtacacs scheme
timer response-timeout (HWTACACS scheme view)
Use timer response-timeout to set the HWTACACS server response timeout timer.
Use undo timer response-timeout to restore the default.
Syntax
timer response-timeout seconds
undo timer response-timeout
Default
The HWTACACS server response timeout time is 5 seconds.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
seconds: Specifies the HWTACACS server response timeout time, in the range of 1 to 300 seconds.
Usage guidelines
HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server.
Examples
# Set the HWTACACS server response timeout timer to 30 seconds for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer response-timeout 30
Related commands
display hwtacacs scheme
user-name-format (HWTACACS scheme view)
Use user-name-format to specify the format of the username to be sent to an HWTACACS server.
Use undo user-name-format to restore the default.
Syntax
user-name-format { keep-original | with-domain | without-domain }
undo user-name-format
Default
The ISP domain name is included in the usernames sent to an HWTACACS server.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
keep-original: Sends the username to the HWTACACS server as the username is entered.
with-domain: Includes the ISP domain name in the username sent to the HWTACACS server.
without-domain: Excludes the ISP domain name from the username sent to the HWTACACS server.
Usage guidelines
A username is generally in the userid@isp-name format, of which the isp-name argument is used by the device to determine the ISP domain to which a user belongs. However, some HWTACACS servers cannot recognize a username containing an ISP domain name. Before sending a username including a domain name to such an HWTACACS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username to be sent to an HWTACACS server.
If an HWTACACS scheme defines that the username is sent without the ISP domain name, do not apply the HWTACACS scheme to more than one ISP domain. Otherwise, the HWTACACS server will consider two users in different ISP domains but with the same userid as one user.
Examples
# Configure the device to remove the ISP domain name from the username sent to the HWTACACS servers specified in HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] user-name-format without-domain
Related commands
display hwtacacs scheme
vpn-instance (HWTACACS scheme view)
Use vpn-instance to specify a VPN for an HWTACACS scheme.
Use undo vpn-instance to remove the configuration.
Syntax
vpn-instance vpn-instance-name
undo vpn-instance
Default
The HWTACACS scheme belongs to the public network.
Views
HWTACACS scheme view
Predefined user roles
network-admin
mdc-admin
Parameters
vpn-instance-name: Specifies the name of the MPLS L3VPN, a case-sensitive string of 1 to 31 characters.
Usage guidelines
The VPN specified by using this command takes effect on all servers in the HWTACACS scheme for which no VPN is specified.
Examples
# Specify VPN test for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] vpn-instance test
Related commands
display hwtacacs scheme
Password control commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
display password-control
Use display password-control to display password control configuration.
Syntax
display password-control [ super ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
super: Displays the password control information for the super passwords. If you do not specify this keyword, the command displays the global password control configuration.
Examples
# Display the global password control configuration.
<Sysname> display password-control
Global password control configurations:
Password control: Disabled
Password aging: Enabled (90 days)
Password length: Enabled (10 characters)
Password composition: Enabled (1 types, 1 characters per type)
Password history: Enabled (max history records:4)
Early notice on password expiration: 7 days
Maximum login attempts: 3
Action for exceeding login attempts: Lock user for 1 minutes
Minimum interval between two updates: 24 hours
User account idle time: 90 days
Logins with aged password: 3 times in 30 days
Password complexity: Disabled (username checking)
Disabled (repeated characters checking)
# Display the password control configuration for super passwords.
<Sysname> display password-control super
Super password control configurations:
Password aging: Enabled (90 days)
Password length: Enabled (10 characters)
Password composition: Enabled (1 types, 1 characters per type)
Table 9 Command output
Field | Description |
---|---|
Password control | Whether the password control feature is enabled. |
Password aging | Whether password expiration is enabled and, if enabled, the expiration time. |
Password length | Whether the minimum password length restriction feature is enabled and, if enabled, the setting. |
Password composition | Whether the password composition restriction feature is enabled and, if enabled, the settings. |
Password history | Whether the password history feature is enabled and, if enabled, the setting. |
Early notice on password expiration | Number of days during which the user is notified of the pending password expiration. |
Maximum login attempts | Allowed maximum number of consecutive failed login attempts for FTP and VTY users. |
Action for exceeding login attempts | Action to be taken after a user fails to log in after the specified number of attempts. |
Minimum interval between two updates | Minimum password update interval. |
Logins with aged password | Number of times and maximum number of days a user can log in using an expired password. |
Password complexity | Whether each password complexity check is enabled: username checking (whether a password contains the username or the reverse of the username) and repeated characters checking (whether a password contains any character that appears consecutively three or more times). |
display password-control blacklist
Use display password-control blacklist to display password control blacklist information. The users' IP addresses and user accounts are added to the password control blacklist when the users fail authentication.
Syntax
display password-control blacklist [ user-name name | ip ipv4-address ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
user-name name: Specifies a user by its name, a case-sensitive string of 1 to 55 characters.
ip ipv4-address: Specifies the IPv4 address of a user.
Usage guidelines
If you do not specify any arguments, this command displays information about all users in the password control blacklist.
If an FTP or virtual terminal line (VTY) user fails authentication, the system adds the user to a password control blacklist. You can use this command to view information about these users in the blacklist.
Users who access the system through the console port are not blacklisted, because the system cannot obtain their IP addresses, and because console users are privileged and therefore considered relatively trusted.
Examples
# Display password control blacklist information.
<Sysname> display password-control blacklist
Username: test
IP: 192.168.44.1 Login failures: 1 Lock flag: unlock
Blacklist items matched: 1.
Table 10 Command output
Field | Description |
---|---|
Username | Name of the blacklisted user. |
IP | IP address of the user. |
Login failures | Number of login failures. |
Lock flag | Whether the user is prohibited from logging in: unlock (not prohibited) or lock (prohibited temporarily or permanently, depending on the password-control login-attempt command). |
Blacklist items matched | Number of blacklisted users. |
password-control { aging | composition | history | length } enable
Use password-control { aging | composition | history | length } enable to enable the password expiration, composition restriction, history, or minimum length restriction feature.
Use undo password-control { aging | composition | history | length } enable to disable a password control feature.
Syntax
password-control { aging | composition | history | length } enable
undo password-control { aging | composition | history | length } enable
Default
The password control features (aging, composition, history, and length) are all enabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
aging: Enables the password expiration feature.
composition: Enables the password composition restriction feature.
history: Enables the password history feature.
length: Enables the minimum password length restriction feature.
Usage guidelines
To enable a specific password control feature, first enable the global password control feature.
The system stops recording history passwords after you execute the undo password-control history enable command, but it does not delete the prior records.
If the global password control feature is enabled but the minimum password length restriction feature is disabled, the following rules apply:
· In non-FIPS mode, a password must contain at least 4 characters and at least 4 characters must be different.
· In FIPS mode, a password must contain at least 15 characters and at least 4 characters must be different.
Examples
# Enable the password control feature globally.
<Sysname> system-view
[Sysname] password-control enable
# Enable the password composition restriction feature.
[Sysname] password-control composition enable
# Enable the password expiration feature.
[Sysname] password-control aging enable
# Enable the minimum password length restriction feature.
[Sysname] password-control length enable
# Enable the password history feature.
[Sysname] password-control history enable
Related commands
· display password-control
· password-control enable
password-control aging
Use password-control aging to set the password expiration time.
Use undo password-control aging to restore the default.
Syntax
password-control aging aging-time
undo password-control aging
Default
A password expires after 90 days. The password expiration time for a user group equals the global setting. The password expiration time for a local user equals that of the user group to which the local user belongs.
Views
System view, user group view, local user view
Predefined user roles
network-admin
mdc-admin
Parameters
aging-time: Specifies the password expiration time in days, in the range of 1 to 365.
Usage guidelines
The expiration time depends on the view:
· The time in system view has global significance and applies to all user groups.
· The time in user group view applies to all local users in the user group.
· The time in local user view applies only to the local user.
A password expiration time with a smaller application scope has higher priority. The system prefers to use the password expiration time in local user view for a local user.
· If no password expiration time is configured for the local user, the system uses the password expiration time for the user group to which the local user belongs.
· If no password expiration time is configured for the user group, the system uses the global password expiration time.
Examples
# Globally set the passwords to expire after 80 days.
<Sysname> system-view
[Sysname] password-control aging 80
# Set the passwords for user group test to expire after 90 days.
[Sysname] user-group test
[Sysname-ugroup-test] password-control aging 90
[Sysname-ugroup-test] quit
# Set the password for device management user abc to expire after 100 days.
[Sysname] local-user abc class manage
[Sysname-luser-manage-abc] password-control aging 100
Related commands
· display local-user
· display password-control
· display user-group
· password-control aging enable
password-control alert-before-expire
Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration.
Use undo password-control alert-before-expire to restore the default.
Syntax
password-control alert-before-expire alert-time
undo password-control alert-before-expire
Default
The default is 7 days.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
alert-time: Specifies the number of days before a user password expires during which the user is notified of the pending password expiration. The value range is 1 to 30.
Usage guidelines
This command is effective only for non-FTP users. FTP users can only have their passwords changed by the administrator.
Examples
# Configure the device to notify a user about pending password expiration 10 days before the user's password expires.
<Sysname> system-view
[Sysname] password-control alert-before-expire 10
Related commands
display password-control
password-control complexity
Use password-control complexity to configure the password complexity checking policy.
Use undo password-control complexity to remove a password complexity checking item.
Syntax
password-control complexity { same-character | user-name } check
undo password-control complexity { same-character | user-name } check
Default
The global password complexity checking policy is that both username checking and repeated character checking are disabled. The password complexity checking policy for a user group equals the global setting. The password complexity checking policy for a local user equals that of the user group to which the local user belongs.
Views
System view, user group view, local user view
Predefined user roles
network-admin
mdc-admin
Parameters
same-character: Refuses a password that contains any character appearing consecutively three or more times. For example, the password aaabc is not complex enough.
user-name: Refuses a password that contains the username or the reverse of the username. For example, if the username is 123, a password such as abc123 or 321df is not complex enough.
Usage guidelines
The password complexity checking policy depends on the view:
· The policy in system view has global significance and applies to all user groups.
· The policy in user group view applies to all local users in the user group.
· The policy in local user view applies only to the local user.
A password complexity checking policy with a smaller application scope has higher priority. The system prefers to use the password complexity checking policy in local user view for a local user.
· If no policy is configured for the local user, the system uses the policy for the user group to which the local user belongs.
· If no policy is configured for the user group, the system uses the global policy.
You can enable both username checking and repeated character checking.
After the password complexity checking is enabled, complexity-incompliant passwords will be refused.
Examples
# Configure the password complexity checking policy, refusing any password that contains the username or the reverse of the username.
<Sysname> system-view
[Sysname] password-control complexity user-name check
Related commands
· display local-user
· display password-control
· display user-group
password-control composition
Use password-control composition to configure the password composition policy.
Use undo password-control composition to restore the default.
Syntax
password-control composition type-number type-number [ type-length type-length ]
undo password-control composition
Default
In non-FIPS mode, the password using the global composition policy must contain at least one character type and at least one character for each type.
In FIPS mode, the password using the global composition policy must contain at least four character types and at least one character for each type.
In both non-FIPS and FIPS modes, the password composition policy for a user group is the same as the global policy. The password composition policy for a local user is the same as that of the user group to which the local user belongs.
Views
System view, user group view, local user view
Predefined user roles
network-admin
mdc-admin
Parameters
type-number type-number: Specifies the minimum number of character types that a password must contain. The value range for the type-number argument is 1 to 4 in non-FIPS mode and fixed at 4 in FIPS mode. The following character types are available:
· Uppercase letters A to Z.
· Lowercase letters a to z.
· Digits 0 to 9.
· Special characters in Table 11.
Table 11 Special characters
Character name | Symbol |
---|---|
Ampersand sign | & |
Apostrophe | ' |
Asterisk | * |
At sign | @ |
Back quote | ` |
Back slash | \ |
Blank space | N/A |
Caret | ^ |
Colon | : |
Comma | , |
Dollar sign | $ |
Dot | . |
Equal sign | = |
Exclamation point | ! |
Left angle bracket | < |
Left brace | { |
Left bracket | [ |
Left parenthesis | ( |
Minus sign | - |
Percent sign | % |
Plus sign | + |
Pound sign | # |
Quotation marks | " |
Right angle bracket | > |
Right brace | } |
Right bracket | ] |
Right parenthesis | ) |
Semi-colon | ; |
Slash | / |
Tilde | ~ |
Underscore | _ |
Vertical bar | | |
type-length type-length: Specifies the minimum number of characters for each type in the password. The value range for the type-length argument is 1 to 63 in non-FIPS mode, and 1 to 15 in FIPS mode.
Usage guidelines
The password composition policy depends on the view:
· The policy in system view has global significance and applies to all user groups.
· The policy in user group view applies to all local users in the user group.
· The policy in local user view applies only to the local user.
A password composition policy with a smaller application scope has higher priority. The system prefers to use the password composition policy in local user view for a local user.
· If no policy is configured for the local user, the system uses the policy for the user group to which the local user belongs.
· If no policy is configured for the user group, the system uses the global policy.
The product of the minimum number of character types and minimum number of characters for each type must be smaller than the maximum length of passwords.
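The length, composition and complexity rules documented above (password-control length, composition type-number and type-length, complexity same-character and user-name checks, and the 4-character or 15-character floor with at least four different characters that applies when the length restriction feature is disabled), together with the FIPS-mode shared-key rule given for the HWTACACS key parameter, as an added Python checker. It is not Comware code and not from the original reference. The Policy class and the function names are invented; it assumes that a character type counts toward type-number only when it contributes at least type-length characters, that the special-character set is exactly Table 11, and that a character outside the four types is rejected outright.

```python
"""Added checker (not Comware code) for the password-control length,
composition and complexity rules described in this reference."""
from dataclasses import dataclass
from typing import Dict, List

# Table 11: the special characters counted as one character type (blank included).
SPECIAL = set("&'*@`\\ ^:,$.=!<{[(-%+#\">}]);/~_|")


def char_type(ch: str) -> str:
    """Map one character to its composition type; reject anything outside the four."""
    if "A" <= ch <= "Z":
        return "upper"
    if "a" <= ch <= "z":
        return "lower"
    if "0" <= ch <= "9":
        return "digit"
    if ch in SPECIAL:
        return "special"
    raise ValueError(f"character {ch!r} belongs to no recognised type")


@dataclass
class Policy:
    fips: bool = False
    length_enabled: bool = True   # password-control length enable
    min_length: int = 10          # password-control length (default 10)
    type_number: int = 1          # password-control composition type-number
    type_length: int = 1          # password-control composition ... type-length
    same_character: bool = False  # password-control complexity same-character check
    user_name: bool = False       # password-control complexity user-name check

    def __post_init__(self) -> None:
        # Ranges from the reference: type-number 1-4 (fixed at 4 in FIPS mode),
        # type-length 1-63 in non-FIPS mode and 1-15 in FIPS mode.
        if self.fips and self.type_number != 4:
            raise ValueError("FIPS mode fixes type-number at 4")
        if not 1 <= self.type_number <= 4:
            raise ValueError("type-number must be 1 to 4")
        if not 1 <= self.type_length <= (15 if self.fips else 63):
            raise ValueError("type-length out of range")


def check_password(pw: str, policy: Policy, username: str = "") -> List[str]:
    """Return the rules the password violates; an empty list means accepted."""
    problems: List[str] = []

    # Minimum length: the configured minimum, or, when the length restriction
    # feature is disabled, a floor of 4 (15 in FIPS mode) with 4 different characters.
    if policy.length_enabled:
        if len(pw) < policy.min_length:
            problems.append(f"shorter than {policy.min_length} characters")
    else:
        floor = 15 if policy.fips else 4
        if len(pw) < floor:
            problems.append(f"shorter than {floor} characters")
        if len(set(pw)) < 4:
            problems.append("fewer than 4 different characters")

    # Composition: at least type_number types, each contributing at least
    # type_length characters (this reading of type-length is an assumption).
    counts: Dict[str, int] = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for ch in pw:
        counts[char_type(ch)] += 1
    satisfied = sum(1 for n in counts.values() if n >= policy.type_length)
    if satisfied < policy.type_number:
        problems.append(f"needs {policy.type_number} character types with "
                        f"{policy.type_length}+ characters each")

    # Complexity: same-character refuses a character repeated three or more
    # times in a row; user-name refuses the username or its reverse.
    if policy.same_character and any(pw[i] == pw[i + 1] == pw[i + 2]
                                     for i in range(len(pw) - 2)):
        problems.append("a character appears three or more times consecutively")
    if policy.user_name and username and (username in pw or username[::-1] in pw):
        problems.append("contains the username or its reverse")
    return problems


def check_fips_shared_key(key: str) -> List[str]:
    """The FIPS-mode rule for a plaintext HWTACACS shared key (15 to 255 characters
    with digits, uppercase, lowercase and special characters) is the same check
    run with a four-type composition policy."""
    problems = check_password(key, Policy(fips=True, min_length=15,
                                          type_number=4, type_length=1))
    if len(key) > 255:
        problems.append("longer than 255 characters")
    return problems


if __name__ == "__main__":
    strict = Policy(type_number=4, type_length=5, same_character=True, user_name=True)
    for cand in ("123456TESTacct&!", "ABCDEabcde12345!@#$%", "ABCDEabcde11145!@#$%"):
        print(cand, "->", check_password(cand, strict, "abc") or "accepted")
```

The same checker can be pointed at the plaintext keys in the HWTACACS examples on this page: 123456TESTacct&! satisfies the FIPS-mode key rule, while a key without a special character fails it on composition as well as length if it is shorter than 15 characters.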
Examples
# Specify that all passwords must each contain at least four character types and at least five characters for each type.
<Sysname> system-view
[Sysname] password-control composition type-number 4 type-length 5
# Specify that passwords in user group test must contain at least four character types and at least five characters for each type.
[Sysname] user-group test
[Sysname-ugroup-test] password-control composition type-number 4 type-length 5
[Sysname-ugroup-test] quit
# Specify that the password of device management user abc must contain at least four character types and at least five characters for each type.
[Sysname] local-user abc class manage
[Sysname-luser-manage-abc] password-control composition type-number 4 type-length 5
Related commands
· display local-user
· display password-control
· display user-group
· password-control composition enable
password-control enable
Use password-control enable to enable the password control feature globally.
Use undo password-control enable to disable the password control feature globally.
Syntax
password-control enable
undo password-control enable
Default
In non-FIPS mode, the password control feature is disabled globally.
In FIPS mode, the password control feature is enabled globally and cannot be disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
A specific password control feature takes effect only after the global password control feature is enabled.
After the global password control feature is enabled, you cannot display the password and super password configurations for device management users by using the corresponding display commands. The configuration for network access user passwords can be displayed. The first password configured for device management users must contain at least four different characters.
Examples
# Enable the password control feature globally.
<Sysname> system-view
[Sysname] password-control enable
Related commands
· display password-control
· password-control { aging | composition | history | length } enable
password-control expired-user-login
Use password-control expired-user-login to set the maximum number of days and maximum number of times that a user can log in after the password expires.
Use undo password-control expired-user-login to restore the defaults.
Syntax
password-control expired-user-login delay delay times times
undo password-control expired-user-login
Default
A user can log in three times within 30 days after the password expires.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
delay delay: Sets the maximum number of days during which a user can log in using an expired password. The value range for the delay argument is 1 to 90.
times times: Sets the maximum number of times a user can log in after the password expires. The value range is 0 to 10, and 0 means that a user cannot log in after the password expires.
Usage guidelines
This command is effective only on non-FTP login users. An FTP user cannot continue to log in after its password expires.
Examples
# Specify that a user can log in five times within 60 days after the password expires.
<Sysname> system-view
[Sysname] password-control expired-user-login delay 60 times 5
Related commands
display password-control
password-control history
Use password-control history to set the maximum number of history password records for each user.
Use undo password-control history to restore the default.
Syntax
password-control history max-record-num
undo password-control history
Default
The maximum number of history password records for each user is 4.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
max-record-num: Specifies the maximum number of history password records for each user. The value range is 2 to 15.
Usage guidelines
When the number of history password records reaches the set maximum number, the subsequent history record overwrites the earliest one.
The system stops recording passwords after you execute the undo password-control history enable command, but it does not delete the prior records.
To delete the existing records, use one of the following methods:
· Use the undo password-control enable command to disable the password control feature globally.
· Use the reset password-control history-record command to clear the passwords manually.
Examples
# Set the maximum number of history password records for each user to 10.
<Sysname> system-view
[Sysname] password-control history 10
Related commands
· display password-control
· password-control history enable
· reset password-control blacklist
password-control length
Use password-control length to set the minimum password length.
Use undo password-control length to restore the default.
Syntax
password-control length length
undo password-control length
Default
In non-FIPS mode, the global minimum password length is 10 characters.
In FIPS mode, the global minimum password length is 15 characters.
In both non-FIPS and FIPS modes, the minimum password length for a user group equals the global setting. The minimum password length for a local user equals that of the user group to which the local user belongs.
Views
System view, user group view, local user view
Predefined user roles
network-admin
mdc-admin
Parameters
length: Specifies the minimum password length in characters. The value range for this argument is 4 to 32 in non-FIPS mode, and 15 to 32 in FIPS mode.
Usage guidelines
Before you execute this command, make sure the global password control feature and the minimum length feature are enabled. Otherwise, your configuration cannot take effect.
The minimum length setting depends on the view:
· The setting in system view has global significance and applies to all user groups.
· The setting in user group view applies to all local users in the user group.
· The setting in local user view applies only to the local user.
A minimum password length with a smaller application scope has higher priority. The system prefers to use the minimum password length in local user view for a local user.
· If no minimum password length is configured for the local user, the system uses the minimum password length for the user group to which the local user belongs.
· If no minimum password length is configured for the user group, the system uses the global minimum password length.
Examples
# Set the global minimum password length to 16 characters.
<Sysname> system-view
[Sysname] password-control length 16
# Set the minimum password length to 16 characters for user group test.
[Sysname] user-group test
[Sysname-ugroup-test] password-control length 16
[Sysname-ugroup-test] quit
# Set the minimum password length to 16 characters for device management user abc.
[Sysname] local-user abc class manage
[Sysname-luser-manage-abc] password-control length 16
Related commands
· display local-user
· display password-control
· display user-group
· password-control length enable
password-control login idle-time
Use password-control login idle-time to set the maximum account idle time. If a user account is idle for this period of time, you can no longer use this account to log in to the device.
Use undo password-control login idle-time to restore the default.
Syntax
password-control login idle-time idle-time
undo password-control login idle-time
Default
You cannot use a user account to log in to the device if the account has been idle for 90 days.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
idle-time: Specifies the maximum account idle time in days in the range of 0 to 365. 0 means no restriction for account idle time.
Usage guidelines
If a user has not logged in within the specified idle time since the last successful login, the user account becomes invalid.
Examples
# Set the maximum account idle time to 30 days.
<Sysname> system-view
[Sysname] password-control login idle-time 30
Related commands
display password-control
password-control login-attempt
Use password-control login-attempt to configure the login attempt limit. The settings include the maximum number of consecutive login failures and the action to be taken when the maximum number is reached.
Use undo password-control login-attempt to restore the default.
Syntax
password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
undo password-control login-attempt
Default
The global login-attempt settings:
· The maximum number of consecutive login failures is 3.
· The locking period is 1 minute.
The login-attempt settings for a user group equal the global settings.
The login-attempt settings for a local user equal those for the user group to which the local user belongs.
Views
System view, user group view, local user view
Predefined user roles
network-admin
mdc-admin
Parameters
login-times: Specifies the maximum number of consecutive failed login attempts. The value range is 2 to 10.
exceed: Specifies an action to be taken for the user who fails to log in after making the maximum number of attempts.
· lock: Disables the user account permanently.
· lock-time time: Disables the user account for a period of time. The user can use this user account again when the timer expires. The value range for the time argument is 1 to 360 minutes.
· unlock: Allows the user to continue using this account to perform login attempts.
Usage guidelines
The login-attempt policy depends on the view:
· The policy in system view has global significance and applies to all user groups.
· The policy in user group view applies to all local users in the user group.
· The policy in local user view applies only to the local user.
A login-attempt policy with a smaller application scope has higher priority. The system prefers to use the login-attempt policy in local user view for a local user.
· If no policy is configured for the local user, the system uses the policy for the user group to which the local user belongs.
· If no policy is configured for the user group, the system uses the global policy.
If an FTP or VTY user fails to log in, the system adds the user account and the user's IP address to the password control blacklist. When the maximum number of consecutive login failures is reached, the login attempt limit feature is triggered.
Whether a blacklisted user and user account are locked depends on the locking setting:
· If a user account is permanently locked for a user, the user cannot use this account unless this account is removed from the password control blacklist. To remove the user account, use the reset password-control blacklist command.
· To use a temporarily locked user account, the user can perform either of the following tasks:
¡ Wait until the locking timer expires.
¡ Remove the user account from the password control blacklist.
· If the user account and the user are blacklisted but not locked, the user can continue using this account to log in. The account and the user's IP address are removed from the password control blacklist when the user uses the account to successfully log in to the device.
NOTE: This account is locked only for this user. Other users can still use this account, and the blacklisted user can use other user accounts.
The password-control login-attempt command takes effect immediately after being executed, and can affect the users already in the password control blacklist.
Examples
# Allow a maximum of four consecutive login failures on a user account, and disable the user account if the limit is reached.
<Sysname> system-view
[Sysname] password-control login-attempt 4 exceed lock
# Use the user account test to log in to the device, and enter an incorrect password four times.
# Display the password control blacklist. The output shows that the user account is on the blacklist, and its status is lock.
[Sysname] display password-control blacklist
Username: test
IP: 192.168.44.1 Login failures: 4 Lock flag: lock
Blacklist items matched: 1.
# Verify that the user at 192.168.44.1 cannot use this user account to log in.
# Allow a maximum of two consecutive login failures on a user account, and disable the account for 3 minutes if the limit is reached.
<Sysname> system-view
[Sysname] password-control login-attempt 2 exceed lock-time 3
# Use the user account test to log in to the device, and enter an incorrect password two times.
# Display the password control blacklist. The output shows that the user account is on the blacklist and its status is lock.
[Sysname] display password-control blacklist
Username: test
IP: 192.168.44.1 Login failures: 2 Lock flag: lock
Blacklist items matched: 1.
# Verify that after 3 minutes, the user account is removed from the password control blacklist and the user at 192.168.44.1 can use this account.
Related commands
· display local-user
· display password-control
· display password-control blacklist
· display user-group
· reset password-control blacklist
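The blacklist rules in the usage guidelines above, as an added example (not device code): a small Python model of the per-user, per-IP blacklist and the three exceed actions, with a display() method that renders entries in the format of display password-control blacklist. Time is a plain number of minutes supplied by the caller; all class and function names are this example's own.

```python
"""Model of the login-attempt blacklist rules described in the usage guidelines.

Added example, not device code. It reproduces the documented behaviour of
'password-control login-attempt login-times exceed { lock | lock-time | unlock }'
so the effect of each exceed action can be exercised offline. Time is a plain
number of minutes passed in by the caller.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class LoginAttemptPolicy:
    login_times: int            # maximum consecutive login failures, 2 to 10
    exceed: str = "lock-time"   # "lock", "lock-time" or "unlock"
    lock_time: int = 1          # minutes, used only when exceed == "lock-time"

    def __post_init__(self):
        if not 2 <= self.login_times <= 10:
            raise ValueError("login-times must be 2 to 10")
        if self.exceed not in ("lock", "lock-time", "unlock"):
            raise ValueError("exceed must be lock, lock-time or unlock")
        if self.exceed == "lock-time" and not 1 <= self.lock_time <= 360:
            raise ValueError("lock-time must be 1 to 360 minutes")


@dataclass
class Entry:
    failures: int = 0
    lock_flag: str = "unlock"               # value shown by display password-control blacklist
    locked_until: Optional[float] = None    # minutes; None means no timer (permanent if locked)


class Blacklist:
    """Entries are keyed by (username, source IP): a lock binds the account to that user only."""

    def __init__(self, policy: LoginAttemptPolicy):
        self.policy = policy
        self.entries: Dict[Tuple[str, str], Entry] = {}

    def is_locked(self, username, ip, now=0.0):
        entry = self.entries.get((username, ip))
        if entry is None or entry.lock_flag != "lock":
            return False
        if entry.locked_until is None:
            return True                       # permanent: cleared only by reset password-control blacklist
        if now >= entry.locked_until:
            del self.entries[(username, ip)]  # timer expired: the entry is removed
            return False
        return True

    def login(self, username, ip, password_ok, now=0.0):
        """Process one login attempt; return True if the device lets the user in."""
        if self.is_locked(username, ip, now):
            return False
        key = (username, ip)
        if password_ok:
            self.entries.pop(key, None)       # a successful login removes the blacklist entry
            return True
        entry = self.entries.setdefault(key, Entry())   # the first failure adds the entry
        entry.failures += 1
        if entry.failures >= self.policy.login_times:
            if self.policy.exceed == "lock":
                entry.lock_flag = "lock"
            elif self.policy.exceed == "lock-time":
                entry.lock_flag = "lock"
                entry.locked_until = now + self.policy.lock_time
            # exceed unlock: the entry stays on the blacklist but further attempts are allowed
        return False

    def reset(self, username=None):
        """reset password-control blacklist [ user-name name ]"""
        for key in list(self.entries):
            if username is None or key[0] == username:
                del self.entries[key]

    def display(self):
        """Render the entries in the format of display password-control blacklist."""
        lines = []
        for (user, ip), entry in self.entries.items():
            lines.append(f"Username: {user}")
            lines.append(f"IP: {ip} Login failures: {entry.failures} Lock flag: {entry.lock_flag}")
        lines.append(f"Blacklist items matched: {len(self.entries)}.")
        return "\n".join(lines)
```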
password-control super aging
Use password-control super aging to set the expiration time for super passwords.
Use undo password-control super aging to restore the default.
Syntax
password-control super aging aging-time
undo password-control super aging
Default
A super password expires after 90 days.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
aging-time: Specifies the super password expiration time in days in the range of 1 to 365.
Examples
# Set the super passwords to expire after 10 days.
<Sysname> system-view
[Sysname] password-control super aging 10
Related commands
· display password-control
· password-control aging
password-control super composition
Use password-control super composition to configure the composition policy for super passwords.
Use undo password-control super composition to restore the default.
Syntax
password-control super composition type-number type-number [ type-length type-length ]
undo password-control super composition
Default
In non-FIPS mode, a super password must contain at least one character type and at least one character for each type.
In FIPS mode, a super password must contain at least four character types and at least one character for each type.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
type-number type-number: Specifies the minimum number of character types that a super password must contain. The value range for the type-number argument is 1 to 4 in non-FIPS mode and fixed at 4 in FIPS mode.
type-length type-length: Specifies the minimum number of characters for each character type. The value range for the type-length argument is 1 to 63 in non-FIPS mode, and 1 to 15 in FIPS mode.
Usage guidelines
The product of the minimum number of character types and minimum number of characters for each type must be smaller than the maximum length of the super password.
Examples
# Specify that a super password must contain at least four character types and at least five characters for each type.
<Sysname> system-view
[Sysname] password-control super composition type-number 4 type-length 5
Related commands
· display password-control
· password-control composition
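The composition rule and the product constraint from the usage guidelines, as an added example (not device code): a checker that applies type-number and type-length to a candidate super password. It assumes the four character types are uppercase letters, lowercase letters, digits and special characters, and that the maximum super password length is 63; the function names are this example's own.

```python
"""Check a candidate super password against a composition policy.

Added example, not device code. It applies the rule 'at least type-number
character types, each with at least type-length characters' and the product
constraint from the usage guidelines. The four character types are assumed to
be uppercase letters, lowercase letters, digits and special characters; the
maximum super password length is assumed to be 63.
"""
import string

MAX_SUPER_PASSWORD_LENGTH = 63   # assumed, matching the upper end of the length ranges


def character_type(ch):
    """Map one character to its assumed type name."""
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.digits:
        return "digit"
    return "special"


def composition_ok(password, type_number, type_length=1):
    """Return (ok, reason) for 'password-control super composition type-number N type-length M'."""
    if not 1 <= type_number <= 4:
        return False, "type-number must be 1 to 4"
    if not 1 <= type_length <= 63:
        return False, "type-length must be 1 to 63"
    # Usage guideline: N * M must be smaller than the maximum super password length.
    if type_number * type_length >= MAX_SUPER_PASSWORD_LENGTH:
        return False, "type-number x type-length is not smaller than the maximum password length"
    counts = {}
    for ch in password:
        kind = character_type(ch)
        counts[kind] = counts.get(kind, 0) + 1
    # A type only counts once it contributes at least type-length characters.
    satisfied = sum(1 for n in counts.values() if n >= type_length)
    if satisfied < type_number:
        return False, f"{satisfied} of {type_number} required character types have at least {type_length} characters"
    return True, "ok"
```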
password-control super length
Use password-control super length to set the minimum length for super passwords.
Use undo password-control super length to restore the default.
Syntax
password-control super length length
undo password-control super length
Default
In non-FIPS mode, the minimum super password length is 10 characters.
In FIPS mode, the minimum super password length is 15 characters.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
length: Specifies the minimum length of super passwords in characters. The value range for this argument is 4 to 63 in non-FIPS mode, and 15 to 63 in FIPS mode.
Examples
# Set the minimum length of super passwords to 16 characters.
<Sysname> system-view
[Sysname] password-control super length 16
Related commands
· display password-control
· password-control length
password-control update-interval
Use password-control update-interval to set the minimum password update interval, which is the minimum interval at which users can change their passwords.
Use undo password-control update-interval to restore the default.
Syntax
password-control update-interval interval
undo password-control update-interval
Default
The minimum password update interval is 24 hours.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
interval: Specifies the minimum password update interval in hours in the range of 0 to 168. 0 means no requirements for password update interval.
Usage guidelines
The minimum update interval does not apply to a user who is prompted to change the password at the first login or after the password expires.
Examples
# Set the minimum password update interval to 36 hours.
<Sysname> system-view
[Sysname] password-control update-interval 36
Related commands
display password-control
reset password-control blacklist
Use reset password-control blacklist to remove blacklisted users.
Syntax
reset password-control blacklist [ user-name name ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
user-name name: Specifies the username of a user account to be removed from the password control blacklist. The name argument is a case-sensitive string of 1 to 55 characters.
Usage guidelines
You can use this command to remove a user account that is blacklisted due to excessive login failures. Then the blacklisted user can use this user account to log in.
Examples
# Remove the user account named test from the password control blacklist.
<Sysname> reset password-control blacklist user-name test
Are you sure to delete the specified user in blacklist? [Y/N]:
Related commands
display password-control blacklist
reset password-control history-record
Use reset password-control history-record to delete history password records.
Syntax
reset password-control history-record [ super [ role role name ] | user-name name ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
super: Deletes the history records of a specified super password or all super passwords.
role role name: Specifies a user role by its name, a string of 1 to 63 characters.
user-name name: Specifies the username of the user whose password records are to be deleted. The name argument is a case-sensitive string of 1 to 55 characters.
Usage guidelines
If you do not specify any arguments or keywords, this command deletes the history password records of all local users.
If you do not specify the role role name option, this command deletes the history records of all super passwords.
Examples
# Clear the history password records of all local users (enter Y to confirm).
<Sysname> reset password-control history-record
Are you sure to delete all local user's history records? [Y/N]:y
Related commands
password-control history
Public key management commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
display public-key local public
Use display public-key local public to display local public keys.
Syntax
display public-key local { dsa | ecdsa | rsa } public [ name key-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
dsa: Specifies the DSA key pair type.
ecdsa: Specifies the ECDSA key pair type.
rsa: Specifies the RSA key pair type.
name key-name: Specifies the name of a local asymmetric key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is specified, the command displays the public keys of all local asymmetric key pairs of the specified type.
Usage guidelines
You can copy and distribute the public key of a local asymmetric key pair to peer devices.
Examples
# Display all local RSA public keys.
<Sysname> display public-key local rsa public
=============================================
Key name: hostkey (default)
Key type: RSA
Time when key pair created: 15:40:48 2013/05/12
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100DAA4AAFEFE04C2C9
667269BB8226E26331E30F41A8FF922C7338208097E84332610632B49F75DABF6D871B80CE
C1BA2B75020077C74745C933E2F390DC0B39D35B88283D700A163BB309B19F8F87216A44AB
FBF6A3D64DEB33E5CEBF2BCF26296778A26A84F4F4C5DBF8B656ACFA62CD96863474899BC1
2DA4C04EF5AE0835090203010001
=============================================
Key name: serverkey (default)
Key type: RSA
Time when key pair created: 15:40:48 2013/05/12
Key code:
307C300D06092A864886F70D0101010500036B003068026100CAB4CACCA16442AD5F453442
762F03897E0D494FEDE69224F5C051A441D290976733A278C9F0C0F5A198E66143EAB54A64
DB608269CAE844B1E7CC64AD7E808972E7CF887F3B657F056E7930FC84FBF1AD83A01CC47E
9D85C13413996ECD093B0203010001
=============================================
Key name: rsa1
Key type: RSA
Time when key pair created: 15:42:26 2013/05/12
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100DEBC46F217DDF11D
426E7095AA45CD6BF1F87343D952569AC223A01365E0D8C91D49D347C143C5D8FAADA896AA
1A827E580F2502F1926F52197230E1DE391A64015C43DD79DC4E9E171BAEA1DEB4C71DAED7
9A6EDFD460D8945D27D39B7C9822D56AEA5B7C2CCFF1B6BC524AD498C3B87D4BD6EB36AF03
92D8C6D940890BF4290203010001
# Display all local DSA public keys.
<Sysname> display public-key local dsa public
=============================================
Key name: dsakey (default)
Key type: DSA
Time when key pair created: 15:41:37 2013/05/12
Key code:
308201B73082012C06072A8648CE3804013082013F02818100D757262C4584C44C211F18BD
96E5F061C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1E
DBD13EC8B274DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941D
DD77FE6B12893DA76EEBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B36895038
7811C7DA33021500C773218C737EC8EE993B4F2DED30F48EDACE915F0281810082269009E1
4EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD
35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B6123
91C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1
585DA7F42519718CC9B09EEF0381840002818041912CE34D12BCD2157E7AB1C2F03B3EF395
100F3DB4A9E2FDFE860C1BD663D676438F7DA40A9406D61CA9079AF13E330489F1C76785DE
52DA649AC8BC04B6D39CD7C52CD0A14F75F7491A91D31D6AC22340B5981B27A915CDEC4F09
887E541EC1E5302D500F68E7AC29A084463C60F9EE266985A502FC92193E1CF4D265C4BA
=============================================
Key name: dsa1
Key type: DSA
Time when key pair created: 15:35:42 2013/05/12
Key code:
308201B83082012C06072A8648CE3804013082013F02818100D757262C4584C44C211F18BD
96E5F061C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1E
DBD13EC8B274DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941D
DD77FE6B12893DA76EEBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B36895038
7811C7DA33021500C773218C737EC8EE993B4F2DED30F48EDACE915F0281810082269009E1
4EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD
35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B6123
91C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1
585DA7F42519718CC9B09EEF0381850002818100A1E456C8DA2AD1BB83B1BDF2A1A6B5A6E8
3642B460402445DA7E4036715F468F76655E114D460B7112F57143EE020AEF4A5BFAD07B74
0FBCB1C64DA8A2BCE619283421445EEC77D3CF0D11866E9656AD6511F4926F8376967B0AB7
15F9FB7B514BC1174155DD6E073B1FCB3A2749E6C5FEA81003E16729497D0EAD9105E3E76A
# Display all local ECDSA public keys.
<Sysname> display public-key local ecdsa public
=============================================
Key name: ecdsakey (default)
Key type: ECDSA
Time when key pair created: 15:42:04 2013/05/12
Key code:
3049301306072A8648CE3D020106082A8648CE3D03010103320004C10CF7CE42193F7FC2AF
68F5DC877835A43009DB6135558A7FB8316C361B0690B4FD84A14C0779C76DD6145BF9362B
1D
=============================================
Key name: ecdsa1
Key type: ECDSA
Time when key pair created: 15:43:33 2013/05/12
Key code:
3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1
AE672C7CFA5135D5F5B02377F2F092F182EC83B5819795BC94CCBD3EBA7D4F0F2B2EB20C58
4D
# Display the public key of the local RSA key pair rsa1.
<Sysname> display public-key local rsa public name rsa1
=============================================
Key name: rsa1
Key type: RSA
Time when key pair created: 15:42:26 2013/05/12
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100DEBC46F217DDF11D
426E7095AA45CD6BF1F87343D952569AC223A01365E0D8C91D49D347C143C5D8FAADA896AA
1A827E580F2502F1926F52197230E1DE391A64015C43DD79DC4E9E171BAEA1DEB4C71DAED7
9A6EDFD460D8945D27D39B7C9822D56AEA5B7C2CCFF1B6BC524AD498C3B87D4BD6EB36AF03
92D8C6D940890BF4290203010001
# Display the public key of the local DSA key pair dsa1.
<Sysname> display public-key local dsa public name dsa1
=============================================
Key name: dsa1
Key type: DSA
Time when key pair created: 15:35:42 2013/05/12
Key code:
308201B83082012C06072A8648CE3804013082013F02818100D757262C4584C44C211F18BD
96E5F061C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1E
DBD13EC8B274DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941D
DD77FE6B12893DA76EEBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B36895038
7811C7DA33021500C773218C737EC8EE993B4F2DED30F48EDACE915F0281810082269009E1
4EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD
35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B6123
91C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1
585DA7F42519718CC9B09EEF0381850002818100A1E456C8DA2AD1BB83B1BDF2A1A6B5A6E8
3642B460402445DA7E4036715F468F76655E114D460B7112F57143EE020AEF4A5BFAD07B74
0FBCB1C64DA8A2BCE619283421445EEC77D3CF0D11866E9656AD6511F4926F8376967B0AB7
15F9FB7B514BC1174155DD6E073B1FCB3A2749E6C5FEA81003E16729497D0EAD9105E3E76A
# Display the public key of the local ECDSA key pair ecdsa1.
<Sysname> display public-key local ecdsa public name ecdsa1
=============================================
Key name: ecdsa1
Key type: ECDSA
Time when key pair created: 15:43:33 2013/05/12
Key code:
3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1
AE672C7CFA5135D5F5B02377F2F092F182EC83B5819795BC94CCBD3EBA7D4F0F2B2EB20C58
4D
Table 12 Command output
Field | Description |
---|---|
Key name | Name of the local key pair. If you did not specify a name when creating the key pair, the word default in brackets follows the key pair name. The default key pair name for each key algorithm: hostkey (default RSA host key pair), serverkey (default RSA server key pair), dsakey (default DSA host key pair), ecdsakey (default ECDSA host key pair). |
Key type | RSA, DSA, or ECDSA. |
Time when key pair created | Date and time when the local key pair was created. |
Key code | Public key string. |
Related commands
public-key local create
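The Key code field is a DER-encoded SubjectPublicKeyInfo structure, so the key size of a displayed key can be verified offline. The following is an added example (not device code): a minimal DER walker that reports the algorithm and key size for a Key code string, with the hostkey, serverkey and ecdsakey values copied from the output above as samples; the function names and the FIPS check are this example's own, based on Table 16.

```python
"""Decode the "Key code" hex string printed by display public-key local public.

Added example, not device code. The Key code is a DER-encoded
SubjectPublicKeyInfo (RFC 5280); this parser extracts the algorithm and the
key size so the modulus length can be checked against the values in Table 16.
"""
import re

# DER-encoded algorithm OIDs, exactly as the bytes appear inside the Key code.
OID_RSA = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1 rsaEncryption
OID_DSA = bytes.fromhex("2A8648CE380401")      # 1.2.840.10040.4.1  id-dsa
OID_EC = bytes.fromhex("2A8648CE3D0201")       # 1.2.840.10045.2.1  id-ecPublicKey

# Sample inputs copied from the display output above (hostkey, serverkey, ecdsakey).
HOSTKEY = """
30819F300D06092A864886F70D010101050003818D0030818902818100DAA4AAFEFE04C2C9
667269BB8226E26331E30F41A8FF922C7338208097E84332610632B49F75DABF6D871B80CE
C1BA2B75020077C74745C933E2F390DC0B39D35B88283D700A163BB309B19F8F87216A44AB
FBF6A3D64DEB33E5CEBF2BCF26296778A26A84F4F4C5DBF8B656ACFA62CD96863474899BC1
2DA4C04EF5AE0835090203010001
"""
SERVERKEY = """
307C300D06092A864886F70D0101010500036B003068026100CAB4CACCA16442AD5F453442
762F03897E0D494FEDE69224F5C051A441D290976733A278C9F0C0F5A198E66143EAB54A64
DB608269CAE844B1E7CC64AD7E808972E7CF887F3B657F056E7930FC84FBF1AD83A01CC47E
9D85C13413996ECD093B0203010001
"""
ECDSAKEY = """
3049301306072A8648CE3D020106082A8648CE3D03010103320004C10CF7CE42193F7FC2AF
68F5DC877835A43009DB6135558A7FB8316C361B0690B4FD84A14C0779C76DD6145BF9362B
1D
"""


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def children(value):
    """Return the (tag, value) pairs contained in a constructed element."""
    items, pos = [], 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        items.append((tag, inner))
    return items


def der_int(value):
    return int.from_bytes(value, "big", signed=True)


def public_key_info(key_code):
    """Return (algorithm, key_size_in_bits) for a Key code string (whitespace ignored)."""
    der = bytes.fromhex(re.sub(r"\s+", "", key_code))
    tag, spki, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("Key code is not a single DER SEQUENCE")
    items = children(spki)
    if len(items) != 2 or items[0][0] != 0x30 or items[1][0] != 0x03:
        raise ValueError("not a SubjectPublicKeyInfo structure")
    alg_items = children(items[0][1])   # AlgorithmIdentifier: OID, then parameters
    oid = alg_items[0][1]
    bitstr = items[1][1]
    if bitstr[0] != 0:                  # first octet of a BIT STRING is the unused-bit count
        raise ValueError("unexpected unused bits in subjectPublicKey")
    key_bytes = bitstr[1:]
    if oid == OID_RSA:
        # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
        _, rsa_pub, _ = read_tlv(key_bytes, 0)
        modulus = der_int(children(rsa_pub)[0][1])
        return "RSA", modulus.bit_length()
    if oid == OID_DSA:
        # Dss-Parms ::= SEQUENCE { p, q, g INTEGER }; the key size is the size of p
        p = der_int(children(alg_items[1][1])[0][1])
        return "DSA", p.bit_length()
    if oid == OID_EC:
        # Uncompressed point 04 || X || Y; the coordinate width gives the curve size
        if key_bytes[0] != 0x04:
            raise ValueError("only uncompressed EC points are handled")
        return "ECDSA", (len(key_bytes) - 1) // 2 * 8
    raise ValueError("unsupported algorithm OID " + oid.hex())


def meets_fips_modulus(algorithm, bits):
    """Table 16: in FIPS mode RSA and DSA key pairs are 2048 bits; ECDSA is 192 bits."""
    return bits >= 2048 if algorithm in ("RSA", "DSA") else bits == 192
```

Note that the default serverkey above decodes to 768 bits, shorter than the 1024-bit default modulus of the host key, which is the kind of detail this check is meant to surface.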
display public-key peer
Use display public-key peer to display information about peer public keys.
Syntax
display public-key peer [ brief | name publickey-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
brief: Displays brief information about all peer public keys. The brief information includes only the key type, key modulus, and key name.
name publickey-name: Displays detailed information about a peer public key, including its key code. The publickey-name argument specifies the peer public key name, a case-sensitive string of 1 to 64 characters.
Usage guidelines
If none of the parameters is specified, the command displays detailed information about all peer public keys you have configured on the local device.
You can use the public-key peer command or the public-key peer import sshkey command to configure a peer public key on the local device.
Examples
# Display detailed information about the peer host public key idrsa.
<Sysname> display public-key peer name idrsa
=============================================
Key name: idrsa
Key type: RSA
Key modulus: 1024
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100C5971581A78B5388
B3C9063EC6B53D395A6704D9752B6F9B7B1F734EEB5DD509F0B050662C46FFB8D27F797E37
918F6270C5793F1FC63638970A0E4D51A3CEF7CFF6E92BFAFD73F530E0BDE27056E81F2525
6D0883836FD8E68031B2C272FE2EA75C87734A7B8F85B8EBEB3BD51CC26916AF3B3FDC32C3
42C142D41BB4884FEB0203010001
Table 13 Command output
Field | Description |
---|---|
Key name | Name of the peer public key. |
Key type | Key type: RSA, DSA, or ECDSA. |
Key modulus | Key modulus length in bits. |
Key code | Public key string. |
# Display brief information about all peer public keys.
<Sysname> display public-key peer brief
Type Modulus Name
---------------------------
RSA 1024 idrsa
DSA 1024 10.1.1.1
Table 14 Command output
Field | Description |
---|---|
Type | Key type: RSA, DSA, or ECDSA. |
Modulus | Key modulus length in bits. |
Name | Name of the peer public key. |
Related commands
· public-key peer
· public-key peer import sshkey
peer-public-key end
Use peer-public-key end to exit public key view to system view and save the configured peer public key.
Syntax
peer-public-key end
Views
Public key view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
After you type the peer public key on the local device, use this command to exit public key view and to save the public key.
The system verifies the public key before saving it. If the key is not in the correct format, the system discards the key and displays an error message. If the key is valid, for example, the key displayed by the display public-key local public command, the system saves the key.
Examples
# Exit public key view and save the configured public key.
<Sysname> system-view
[Sysname] public-key peer key1
Public key view: return to System View with "peer-public-key end".
[Sysname-pkey-public-key-key1]30819F300D06092A864886F70D010101050003818D0030818902818100C0EC8014F82515F6335A0A
[Sysname-pkey-public-key-key1]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E719D1643135877E13B1C531B4
[Sysname-pkey-public-key-key1]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6B80EB5F52698FCF3D6
[Sysname-pkey-public-key-key1]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1DDE675AC30CB020301
[Sysname-pkey-public-key-key1]0001
[Sysname-pkey-public-key-key1] peer-public-key end
[Sysname]
Related commands
· display public-key local public
· display public-key peer
· public-key peer
public-key local create
Use public-key local create to create local asymmetric key pairs.
Syntax
public-key local create { dsa | ecdsa | rsa } [ name key-name ]
Default
No local asymmetric key pair exists.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
dsa: Creates a DSA key pair.
ecdsa: Creates an ECDSA key pair.
rsa: Creates an RSA key pair.
name key-name: Assigns a name to the key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is assigned, the public key pair takes the default name.
Table 15 Default local key pair names
Type | Default name |
---|---|
RSA | Host key pair: hostkey. Server key pair: serverkey. |
DSA | dsakey |
ECDSA | ecdsakey |
Usage guidelines
The key algorithm must be the same as required by the security application.
The key modulus length must be appropriate (see Table 16). The longer the key modulus length, the higher the security, and the longer the key generation time.
If you do not assign the key pair a name, the system assigns the default name to the key pair and marks the key pair as default. You can also assign the default name to another key pair, but the system does not mark the key pair as default.
The name of a key pair must be unique among all manually named key pairs that use the same key algorithm, but can be the same as a key pair that uses a different key algorithm. If a name conflict occurs, the system asks whether you want to overwrite the existing key pair.
The key pairs are automatically saved and can survive system reboots.
Table 16 A comparison of different types of asymmetric key algorithms
Type | Generated key pairs | Modulus length |
---|---|---|
RSA | In non-FIPS mode: one host key pair if you specify a key pair name; one server key pair and one host key pair if you do not specify a key pair name. In FIPS mode: one host key pair. NOTE: Only SSH 1.5 uses the RSA server key pair. | In non-FIPS mode: 512 to 2048 bits, 1024 bits by default. In FIPS mode: 2048 bits. |
DSA | One host key pair. | In non-FIPS mode: 512 to 2048 bits, 1024 bits by default. In FIPS mode: 2048 bits. |
ECDSA | One host key pair. | 192 bits. |
Examples
# Create local RSA key pairs with default names.
<Sysname> system-view
[Sysname] public-key local create rsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
...++++++
.++++++
..++++++++
....++++++++
Create the key pair successfully.
# Create a local DSA key pair with the default name.
<Sysname> system-view
[Sysname] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+..+................
.......+..........+..............+.............+...+.....+...............+..+...
...+.................+..........+...+....+.......+.....+............+.........+.
........................+........+..........+..............+.....+...+..........
..............+.........+..........+...........+........+....+..................
.....+++++++++++++++++++++++++++++++++++++++++++++++++++*
Create the key pair successfully.
# Create a local ECDSA key pair with the default name.
<Sysname> system-view
[Sysname] public-key local create ecdsa
Generating Keys...
Create the key pair successfully.
# Create a local RSA key pair with the name rsa1.
<Sysname> system-view
[Sysname] public-key local create rsa name rsa1
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
...++++++
...............................++++++
Create the key pair successfully.
# Create a local DSA key pair with the name dsa1.
<Sysname> system-view
[Sysname] public-key local create dsa name dsa1
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+..+................
.......+..........+..............+.............+...+.....+...............+..+...
...+.................+..........+...+....+.......+.....+............+.........+.
........................+........+..........+..............+.....+...+..........
..............+.........+..........+...........+........+....+..................
.....+++++++++++++++++++++++++++++++++++++++++++++++++++*
Create the key pair successfully.
# Create a local ECDSA key pair with the name ecdsa1.
<Sysname> system-view
[Sysname] public-key local create ecdsa name ecdsa1
Generating Keys...
Create the key pair successfully.
# In FIPS mode, create a local RSA key pair with the default name.
<Sysname> system-view
[Sysname] public-key local create rsa
The range of public key modulus is (2048 ~ 2048).
It will take a few minutes. Press CTRL+C to abort.
Input the modulus length [default = 2048]:
Generating Keys...
...++++++
.++++++
..++++++++
....++++++++
Create the key pair successfully.
# In FIPS mode, create a local DSA key pair with the default name.
<Sysname> system-view
[Sysname] public-key local create dsa
The range of public key modulus is (2048 ~ 2048).
It will take a few minutes. Press CTRL+C to abort.
Input the modulus length [default = 2048]:
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+..+................
.......+..........+..............+.............+...+.....+...............+..+...
...+.................+..........+...+....+.......+.....+............+.........+.
........................+........+..........+..............+.....+...+..........
..............+.........+..........+...........+........+....+..................
.....+++++++++++++++++++++++++++++++++++++++++++++++++++*
Create the key pair successfully.
Related commands
· display public-key local public
· public-key local destroy
public-key local destroy
Use public-key local destroy to destroy local key pairs.
Syntax
public-key local destroy { dsa | ecdsa | rsa } [ name key-name ]
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
dsa: Specifies the DSA type.
ecdsa: Specifies the ECDSA type.
rsa: Specifies the RSA type.
name key-name: Specifies the name of a local key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is specified, the command destroys the specified type of local key pairs that take the default names.
Usage guidelines
To avoid key compromise, destroy the local key pair and generate a new pair after any of the following conditions occurs:
· An intrusion event has occurred.
· The storage media of the device is replaced.
· The local certificate has expired. For more information about local certificates, see Security Configuration Guide.
Examples
# Destroy the local RSA key pairs with the default names.
<Sysname> system-view
[Sysname] public-key local destroy rsa
Confirm to destroy the key pair? [Y/N]:y
# Destroy the local DSA key pair with the default name.
<Sysname> system-view
[Sysname] public-key local destroy dsa
Confirm to destroy the key pair? [Y/N]:y
# Destroy the local ECDSA key pair with the default name.
<Sysname> system-view
[Sysname] public-key local destroy ecdsa
Confirm to destroy the key pair? [Y/N]:y
# Destroy the local RSA key pair rsa1.
<Sysname> system-view
[Sysname] public-key local destroy rsa name rsa1
Confirm to destroy the key pair? [Y/N]:y
# Destroy the local DSA key pair dsa1.
<Sysname> system-view
[Sysname] public-key local destroy dsa name dsa1
Confirm to destroy the key pair? [Y/N]:y
# Destroy the local ECDSA key pair ecdsa1.
<Sysname> system-view
[Sysname] public-key local destroy ecdsa name ecdsa1
Confirm to destroy the key pair? [Y/N]:y
Related commands
public-key local create
public-key local export dsa
Use public-key local export dsa to display local DSA host public keys in a specific format, or export the key in a specific format to a file.
Syntax
public-key local export dsa [ name key-name ] { openssh | ssh2 } [ filename ]
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
name key-name: Specifies the name of a local DSA key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is provided, the command displays or exports the host public key of the local DSA key pair with the default name.
openssh: Uses the format of OpenSSH.
ssh2: Uses the format of SSH2.0.
filename: Specifies the name of the file for saving the local host public key. The file name is a string of case-insensitive characters excluding ./ and ../. The name cannot be dots (.), hostkey, serverkey, dsakey, or ecdsakey, and cannot start with a slash (/). For more information about file names, see Fundamentals Configuration Guide.
Usage guidelines
Whether the command exports or displays the local DSA host public key depends on the presence of the filename argument.
You can use the command to display or export the local DSA host public key before distributing it to a peer device.
1. Save the local host public key to a file with one of the following methods:
○ Use the public-key local export dsa [ name key-name ] { openssh | ssh2 } command to display the local host public key in the specified format, and copy and paste it to a file.
○ Use the public-key local export dsa [ name key-name ] { openssh | ssh2 } filename command to export the host public key to the file. You cannot export the host public key to the folder pkey or its subfolders.
2. Transfer a copy of the file to the peer device, for example, by using FTP or TFTP in binary mode.
3. On the peer device, use the public-key peer import sshkey command to import the host public key from the file.
SSH2.0 and OpenSSH are different public key formats. Choose the proper format that is supported on the device where you import the host public key.
Examples
# Export the host public key of the local DSA key pair with the default name in OpenSSH format to a file named key.pub.
<Sysname> system-view
[Sysname] public-key local export dsa openssh key.pub
# Display the host public key of the local DSA key pair with the default name in SSH2.0 format.
<Sysname> system-view
[Sysname] public-key local export dsa ssh2
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "dsa-key-2013/05/12"
(DSA public key data omitted)
---- END SSH2 PUBLIC KEY ----
# Display the host public key of the local DSA key pair with the default name in OpenSSH format.
<Sysname> system-view
[Sysname] public-key local export dsa openssh
ssh-dss (DSA public key data omitted) dsa-key
# Export the host public key of the local DSA key pair dsa1 in OpenSSH format to the file dsa1.pub.
<Sysname> system-view
[Sysname] public-key local export dsa name dsa1 openssh dsa1.pub
# Display the host public key of the local DSA key pair dsa1 in SSH2.0 format.
<Sysname> system-view
[Sysname] public-key local export dsa name dsa1 ssh2
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "dsa-key-2013/05/12"
(DSA public key data omitted)
---- END SSH2 PUBLIC KEY ----
# Display the host public key of the local DSA key pair dsa1 in OpenSSH format.
<Sysname> system-view
[Sysname] public-key local export dsa name dsa1 openssh
ssh-dss (DSA public key data omitted) dsa-key
Related commands
· public-key local create
· public-key peer import sshkey
public-key local export rsa
Use public-key local export rsa to display the local RSA host public key in a specific format, or export the key to a specific file.
Syntax
In non-FIPS mode:
public-key local export rsa [ name key-name ] { openssh | ssh1 | ssh2 } [ filename ]
In FIPS mode:
public-key local export rsa [ name key-name ] { openssh | ssh2 } [ filename ]
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
name key-name: Specifies the name of a local RSA key pair. The key-name argument is a case-insensitive string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is provided, the command displays or exports the host public key of the local RSA key pair with the default name.
openssh: Uses the format of OpenSSH.
ssh1: Uses the format of SSH1.5.
ssh2: Uses the format of SSH2.0.
filename: Specifies the name of the file for saving the local host public key. The file name is a string of case-insensitive characters excluding ./ and ../. The name cannot be dots (.), hostkey, serverkey, dsakey, or ecdsakey, and cannot start with a slash (/). For more information about file names, see Fundamentals Configuration Guide.
Usage guidelines
Whether the command exports or displays the host public key depends on the presence of the filename argument.
You can use the command to display or export the local RSA host public key before distributing it to a peer device.
1. Save the local host public key to a file with one of the following methods:
○ Use the public-key local export rsa [ name key-name ] { openssh | ssh1 | ssh2 } command to display the host public key in the specified format, and copy and paste it to a file.
○ Use the public-key local export rsa [ name key-name ] { openssh | ssh1 | ssh2 } filename command to export the host public key to the file. You cannot export the host public key to the folder pkey or its subfolders.
2. Transfer a copy of the file to the peer device, for example, by using FTP or TFTP in binary mode.
3. On the peer device, use the public-key peer import sshkey command to import the host public key from the file.
SSH1.5, SSH2.0 and OpenSSH are different public key formats. Choose the proper format that is supported on the device where you import the host public key. In FIPS mode, the device only supports SSH2.0 and OpenSSH.
Examples
# Export the host public key of the local RSA key pair with the default name in OpenSSH format to the file key.pub.
<Sysname> system-view
[Sysname] public-key local export rsa openssh key.pub
# Display the host public key of the local RSA key pair with the default name in SSH2.0 format.
<Sysname> system-view
[Sysname] public-key local export rsa ssh2
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-2013/05/12"
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDapKr+/gTCyWZyabuCJuJjMeMPQaj/kixzOCCAl+hDMmEGMrSfddq/bYcbgM7Buit1AgB3x0dFyTPi85DcCznTW4goPXAKFjuzCbGfj4chakSr+/aj1k3rM+XOvyvPJilneKJqhPT0xdv4tlas+mLNloY0dImbwS2kwE71rgg1CQ==
---- END SSH2 PUBLIC KEY ----
# Display the host public key of the local RSA key pair with the default name in OpenSSH format.
<Sysname> system-view
[Sysname] public-key local export rsa openssh
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDapKr+/gTCyWZyabuCJuJjMeMPQaj/kixzOCCAl+hDMmEGMrSfddq/bYcbgM7Buit1AgB3x0dFyTPi85DcCznTW4goPXAKFjuzCbGfj4chakSr+/aj1k3rM+XOvyvPJilneKJqhPT0xdv4tlas+mLNloY0dImbwS2kwE71rgg1CQ== rsa-key
# Export the host public key of the local RSA key pair rsa1 in OpenSSH format to the file rsa1.pub.
<Sysname> system-view
[Sysname] public-key local export rsa name rsa1 openssh rsa1.pub
# Display the host public key of the local RSA key pair rsa1 in SSH2.0 format.
<Sysname> system-view
[Sysname] public-key local export rsa name rsa1 ssh2
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-2013/05/12"
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDevEbyF93xHUJucJWqRc1r8fhzQ9lSVprCI6ATZeDYyR1J00fBQ8XY+q2olqoagn5YDyUC8ZJvUhlyMOHeORpkAVxD3XncTp4XG66h3rTHHa7Xmm7f1GDYlF0n05t8mCLVaupbfCzP8ba8UkrUmMO4fUvW6zavA5LYxtlAiQv0KQ==
---- END SSH2 PUBLIC KEY ----
# Display the host public key of the local RSA key pair rsa1 in OpenSSH format.
<Sysname> system-view
[Sysname] public-key local export rsa name rsa1 openssh
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDevEbyF93xHUJucJWqRc1r8fhzQ9lSVprCI6ATZeDYyR1J00fBQ8XY+q2olqoagn5YDyUC8ZJvUhlyMOHeORpkAVxD3XncTp4XG66h3rTHHa7Xmm7f1GDYlF0n05t8mCLVaupbfCzP8ba8UkrUmMO4fUvW6zavA5LYxtlAiQv0KQ== rsa-key
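The SSH2.0 and OpenSSH outputs above carry the same base64 key blob, so moving a host key between an H3C device and an OpenSSH host is mostly a matter of rewrapping it, and it is worth decoding the blob to confirm the algorithm and key length before importing a peer key. The following Python is an added example, not code from the page or from H3C, and it serves both the DSA and the RSA export commands: it converts the RFC 4716 block printed by public-key local export rsa ssh2 into the one-line OpenSSH form, parses the decoded blob for ssh-rsa, ssh-dss and ecdsa-sha2-* keys, and applies a minimum-length gate. The key text is the page's own RSA example; the function names and the 2048-bit threshold (the modulus length the page gives for FIPS mode) are this example's choices.

```python
import base64
import struct

# RFC 4716 (SSH2.0) text exactly as 'public-key local export rsa ssh2' printed it
# on the page; the device only changes the comment between the two formats.
SSH2_TEXT = """---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-2013/05/12"
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDapKr+/gTCyWZyabuCJuJjMeMPQaj/kixzOCCAl+hDMmEGMrSfddq/bYcbgM7Buit1AgB3x0dFyTPi85DcCznTW4goPXAKFjuzCbGfj4chakSr+/aj1k3rM+XOvyvPJilneKJqhPT0xdv4tlas+mLNloY0dImbwS2kwE71rgg1CQ==
---- END SSH2 PUBLIC KEY ----
"""


def _read_string(buf, off):
    """Read one SSH 'string' (uint32 length + bytes) from buf at off."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if n > len(buf) - off:
        raise ValueError("truncated key blob")
    return buf[off:off + n], off + n


def _read_mpint(buf, off):
    raw, off = _read_string(buf, off)
    return int.from_bytes(raw, "big", signed=True), off


def parse_blob(blob):
    """Decode a public key blob into its algorithm and key size, with length checks."""
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode("ascii")
    if ktype == "ssh-rsa":
        e, off = _read_mpint(blob, off)
        n, off = _read_mpint(blob, off)
        info = {"type": ktype, "bits": n.bit_length(), "e": e}
    elif ktype == "ssh-dss":
        p, off = _read_mpint(blob, off)
        q, off = _read_mpint(blob, off)
        _g, off = _read_mpint(blob, off)
        _y, off = _read_mpint(blob, off)
        info = {"type": ktype, "bits": p.bit_length(), "q_bits": q.bit_length()}
    elif ktype.startswith("ecdsa-sha2-"):
        curve, off = _read_string(blob, off)
        point, off = _read_string(blob, off)
        if not point or point[0] != 4 or len(point) % 2 == 0:
            raise ValueError("expected an uncompressed EC point")
        # point is 0x04 || X || Y, so each coordinate is (len-1)/2 bytes
        info = {"type": ktype, "curve": curve.decode("ascii"), "bits": (len(point) - 1) * 4}
    else:
        raise ValueError("unsupported key type %r" % ktype)
    if off != len(blob):
        raise ValueError("trailing bytes after key data")
    return info


def ssh2_to_openssh(text, comment=None):
    """Rewrap an RFC 4716 block as one OpenSSH line: '<type> <base64> [comment]'.

    The key type is taken from the decoded blob rather than from any header.
    Header lines contain ':' (base64 never does) and may continue on the next
    line with a trailing backslash; the Comment header becomes the default
    OpenSSH comment unless one is passed in.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if (not lines or not lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY ----")
            or not lines[-1].startswith("---- END SSH2 PUBLIC KEY ----")):
        raise ValueError("not an RFC 4716 public key block")
    body, header_comment, continued = [], None, False
    for line in lines[1:-1]:
        if continued:
            continued = line.endswith("\\")
        elif ":" in line:
            name, _, value = line.partition(":")
            if name.strip().lower() == "comment":
                header_comment = value.strip().strip('"')
            continued = line.endswith("\\")
        else:
            body.append(line)
    blob = base64.b64decode("".join(body), validate=True)
    parts = [parse_blob(blob)["type"], base64.b64encode(blob).decode("ascii")]
    final_comment = header_comment if comment is None else comment
    if final_comment:
        parts.append(final_comment)
    return " ".join(parts)


def openssh_key_info(line):
    """Parse an OpenSSH one-line key and report what the blob actually carries."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed OpenSSH key line")
    info = parse_blob(base64.b64decode(fields[1], validate=True))
    if info["type"] != fields[0]:
        raise ValueError("key type %s does not match blob %s" % (fields[0], info["type"]))
    return info


def acceptable(info, min_bits=2048):
    """Minimum-length gate to run before 'public-key peer import sshkey'.
    2048 is the modulus length the page's FIPS mode requires (example choice)."""
    return info["bits"] >= min_bits
```

The page's RSA example decodes to a 1024-bit modulus with public exponent 65537, which is the non-FIPS default length of the create command and would be rejected by the 2048-bit gate; generate the local pair with a 2048-bit modulus if the peer enforces FIPS mode.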
Related commands
· public-key local create
· public-key peer import sshkey
public-key peer
Use public-key peer to specify a name for a peer public key and enter public key view.
Use undo public-key peer to delete a peer public key.
Syntax
public-key peer keyname
undo public-key peer keyname
Default
The local device has no peer public key.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
keyname: Specifies a name for a peer public key, a case-sensitive string of 1 to 64 characters.
Usage guidelines
After you execute the command to enter the public key view, type the public key. Spaces and carriage returns are allowed, but are not saved.
To manually specify a peer public key on the local device, obtain the public key in hexadecimal from the peer device beforehand, and perform the following configurations on the local device:
1. Execute the public-key peer command to enter public key view.
2. Type the public key.
3. Execute the peer-public-key end command to save the public key and return to system view.
The public key you type in the public key view must be in a correct format. If your device is an H3C device, use the display public-key local public command to display and record its public key.
Examples
# Specify the name key1 for a peer public key and enter public key view.
<Sysname> system-view
[Sysname] public-key peer key1
[Sysname-pkey-public-key-key1]
Related commands
· display public-key local public
· display public-key peer
· peer-public-key end
public-key peer import sshkey
Use public-key peer import sshkey to import a peer host public key from the public key file.
Use undo public-key peer to remove the specified peer host public key.
Syntax
public-key peer keyname import sshkey filename
undo public-key peer keyname
Default
The device has no peer public key.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
keyname: Specifies a name for a peer public key, a case-sensitive string of 1 to 64 characters.
filename: Specifies the name of the public key file to import, which contains the peer's host public key. The file name is a string of case-insensitive characters excluding ./ and ../. The name cannot be dots (.), hostkey, serverkey, dsakey, or ecdsakey, and cannot start with a slash (/). For more information about file names, see Fundamentals Configuration Guide.
Usage guidelines
Before you execute this command, obtain a copy of the public key file from the peer device, for example by using FTP or TFTP in binary mode. The command converts the imported host public key to PKCS format and saves it.
In non-FIPS mode, the device supports importing public keys in the format of SSH1.5, SSH2.0, and OpenSSH.
In FIPS mode, the device supports importing public keys in the format of SSH2.0 and OpenSSH.
Examples
# Import the peer host public key key2 from the public key file key.pub.
<Sysname> system-view
[Sysname] public-key peer key2 import sshkey key.pub
Related commands
· display public-key peer
· public-key local export dsa
· public-key local export rsa
PKI commands
The PKI feature is available in Release 1138P01 and later versions.
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
attribute
Use attribute to configure a rule to filter certificates based on an attribute in the certificate issuer name, subject name, or alternative subject name field.
Use undo attribute to remove an attribute rule.
Syntax
attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value
undo attribute id
Default
No attribute rules exist.
Views
Certificate attribute group view
Predefined user roles
network-admin
mdc-admin
Parameters
id: Specifies a rule ID in the range of 1 to 16.
alt-subject-name: Specifies the alternative subject name.
fqdn: Specifies an FQDN of the PKI entity.
ip: Specifies an IP address of the PKI entity.
dn: Specifies the DN of the PKI entity.
issuer-name: Specifies the issuer name.
subject-name: Specifies the subject name.
ctn: Specifies the contain operation.
equ: Specifies the equal operation.
nctn: Specifies the not-contain operation.
nequ: Specifies the not-equal operation.
attribute-value: Sets an attribute value, a case-insensitive string of 1 to 128 characters.
Usage guidelines
The issuer name, subject name, and alternative subject name field can contain the following attributes in a certificate:
· The subject name and the issuer name can each contain a single DN, multiple FQDNs, and multiple IP addresses.
· The alternative subject name can contain multiple FQDNs and IP addresses but zero DNs.
An attribute rule is a combination of an attribute-value pair with an operation keyword, as listed in Table 17.
Table 17 Combinations of attribute-value pairs and operation keywords
Operation | DN | FQDN/IP |
---|---|---|
ctn | The DN contains the specified attribute value. | Any FQDN or IP address contains the specified attribute value. |
nctn | The DN does not contain the specified attribute value. | None of the FQDNs or IP addresses contain the specified attribute value. |
equ | The DN is the same as the specified attribute value. | Any FQDN or IP address is the same as the specified attribute value. |
nequ | The DN is not the same as the specified attribute value. | None of the FQDNs or IP addresses are the same as the specified attribute value. |
A certificate matches an attribute rule only if it contains an attribute that matches the criterion defined in the rule. For example, an attribute rule defines a criterion that the DN of the subject name contains the abc string. All certificates that have the DN in the subject name containing the abc string match the rule.
A certificate matches an attribute group if it matches all attribute rules in the group.
Examples
# Create a certificate attribute group and enter its view.
<Sysname> system-view
[Sysname] pki certificate attribute-group mygroup
# Specify an attribute rule to match certificates that contain the abc string in the subject DN.
[Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc
# Specify an attribute rule to match certificates whose issuer name field contains no FQDN equal to abc.
[Sysname-pki-cert-attribute-group-mygroup] attribute 2 issuer-name fqdn nequ abc
# Specify an attribute rule to match certificates whose alternative subject name field contains no IP address equal to 10.0.0.1.
[Sysname-pki-cert-attribute-group-mygroup] attribute 3 alt-subject-name ip nequ 10.0.0.1
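To see how the operation keywords, the per-field semantics of Table 17 and the all-rules-must-match group semantics combine, here is an added Python example (not code from the page or the device). It evaluates attribute rules the way Table 17 describes, requires every rule in a group to match, and then applies the permit/deny rules of a certificate-based access control policy in the form the page shows later under display pki certificate access-control-policy. The certificates and the group mygroup1 are constructed for the example; mygroup2 holds the three rules configured above. Two points the page does not spell out are marked as assumptions in the code: policy rules are tried in rule-number order with the first match deciding, and a not-contain or not-equal rule is satisfied vacuously when the field holds no FQDN or IP address at all.

```python
# Certificate attribute rule evaluation, modelled on the 'attribute' command.
# A rule is (field, attr, op, value), mirroring
#   attribute <id> <field> <attr> <op> <value>
# A certificate is a dict of its three name fields: the subject and issuer
# names carry one DN plus FQDN/IP lists, the alternative subject name only lists.


def rule_matches(cert, rule):
    """Return True if the certificate satisfies one attribute rule (Table 17)."""
    field, attr, op, value = rule
    if field == "alt-subject-name" and attr == "dn":
        raise ValueError("the alternative subject name carries no DN")
    value = value.lower()  # attribute-value is case-insensitive on the device
    present = cert[field][attr]
    candidates = [present.lower()] if attr == "dn" else [v.lower() for v in present]
    if op == "ctn":
        return any(value in c for c in candidates)
    if op == "equ":
        return any(value == c for c in candidates)
    # Assumption: a negative rule is satisfied vacuously when the field holds
    # no FQDN or IP address at all (the page does not say either way).
    if op == "nctn":
        return not any(value in c for c in candidates)
    if op == "nequ":
        return not any(value == c for c in candidates)
    raise ValueError("unknown operation %r" % op)


def group_matches(cert, group):
    """A certificate matches an attribute group only if it matches every rule."""
    return all(rule_matches(cert, rule) for rule in group.values())


def check_policy(cert, policy, groups):
    """Apply a certificate-based access control policy.

    Assumption: rules are tried in rule-number order and the first rule whose
    attribute group matches decides (permit -> passes, deny -> fails).
    Returns None when no rule matches, since the page states no default.
    """
    for _rule_id, action, group_name in sorted(policy):
        if group_matches(cert, groups[group_name]):
            return action
    return None


# mygroup2 holds the three rules configured in the examples above;
# mygroup1 is constructed here to catch one specific alternative-name address.
GROUPS = {
    "mygroup1": {1: ("alt-subject-name", "ip", "equ", "10.0.0.1")},
    "mygroup2": {
        1: ("subject-name", "dn", "ctn", "abc"),
        2: ("issuer-name", "fqdn", "nequ", "abc"),
        3: ("alt-subject-name", "ip", "nequ", "10.0.0.1"),
    },
}
# Policy in the shape 'display pki certificate access-control-policy' prints.
MYPOLICY = [(1, "deny", "mygroup1"), (2, "permit", "mygroup2")]

# Constructed certificates (identity fields only), not taken from the page.
ALLOWED_CERT = {
    "subject-name": {"dn": "CN=abc-router,O=Example,C=CN",
                     "fqdn": ["abc-router.example.net"], "ip": ["10.0.0.5"]},
    "issuer-name": {"dn": "CN=Example CA,O=Example,C=CN",
                    "fqdn": ["ca.example.net"], "ip": []},
    "alt-subject-name": {"fqdn": ["abc-router.example.net"], "ip": ["10.0.0.5"]},
}
BLOCKED_CERT = {
    "subject-name": {"dn": "CN=abc-switch,O=Example,C=CN", "fqdn": [], "ip": []},
    "issuer-name": {"dn": "CN=Example CA,O=Example,C=CN",
                    "fqdn": ["ca.example.net"], "ip": []},
    "alt-subject-name": {"fqdn": [], "ip": ["10.0.0.1"]},
}
STRANGER_CERT = {
    "subject-name": {"dn": "CN=other,O=Elsewhere,C=US", "fqdn": [], "ip": []},
    "issuer-name": {"dn": "CN=Other CA,O=Elsewhere,C=US", "fqdn": [], "ip": []},
    "alt-subject-name": {"fqdn": ["other.example.org"], "ip": []},
}

if __name__ == "__main__":
    for name, cert in (("allowed", ALLOWED_CERT), ("blocked", BLOCKED_CERT),
                       ("stranger", STRANGER_CERT)):
        print(name, "->", check_policy(cert, MYPOLICY, GROUPS))
```

Note the asymmetry the table encodes: ctn and equ succeed if any FQDN or IP entry matches, while nctn and nequ succeed only if none does, so a negative rule on a multi-valued field is a much stronger filter than the negation of the corresponding positive rule on one entry.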
Related commands
· display pki certificate attribute-group
· rule
ca identifier
Use ca identifier to specify the trusted CA.
Use undo ca identifier to remove the trusted CA.
Syntax
ca identifier name
undo ca identifier
Default
No trusted CA is specified.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
name: Specifies the name of the trusted CA, a case-sensitive string of 1 to 63 characters.
Usage guidelines
To obtain a CA certificate, you must specify the trusted CA name. The trusted CA name uniquely identifies the CA to be used if multiple CAs exist on the same CA server. The CA server's URL is specified by using the certificate request url command.
When you use this command, make sure the specified CA name is consistent with the name of the CA that owns the CA certificate to be obtained.
Examples
# Specify the trusted CA as new-ca.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] ca identifier new-ca
certificate request entity
Use certificate request entity to specify the PKI entity for certificate request.
Use undo certificate request entity to remove the PKI entity for certificate request.
Syntax
certificate request entity entity-name
undo certificate request entity
Default
No PKI entity is specified for certificate request.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
entity-name: Specifies a PKI entity by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
A PKI entity describes the identity attributes of an entity for certificate request, including the following information:
· Common name.
· Organization.
· Unit in the organization.
· Locality.
· State and country where the entity resides.
· FQDN.
· IP address.
You can specify only one PKI entity for a PKI domain. If you configure this command for a PKI domain multiple times, the most recent configuration takes effect.
Examples
# Specify PKI entity en1 for certificate request in PKI domain aaa.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] certificate request entity en1
Related commands
pki entity
certificate request from
Use certificate request from to specify the type of certificate request reception authority.
Use undo certificate request from to remove the configuration.
Syntax
certificate request from { ca | ra }
undo certificate request from
Default
The type of certificate request reception authority is not specified.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
ca: Specifies the CA to accept certificate requests.
ra: Specifies the RA to accept certificate requests.
Usage guidelines
The CA server determines whether the CA or the RA accepts certificate requests. This setting must be consistent with the setting on the CA server.
Examples
# Specify the RA to accept certificate requests.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] certificate request from ra
certificate request mode
Use certificate request mode to set the certificate request mode.
Use undo certificate request mode to restore the default.
Syntax
certificate request mode { auto [ password { cipher | simple } password ] | manual }
undo certificate request mode
Default
The certificate request mode is manual.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
auto: Specifies the auto certificate request mode.
password: Specifies a password for certificate revocation as required by the CA policy.
cipher: Sets a ciphertext password for certificate revocation.
simple: Sets a plaintext password for certificate revocation. For security purposes, all passwords, including those configured in plain text, are saved in cipher text.
password: Specifies the password string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 31 characters. If cipher is specified, it must be a ciphertext string of 1 to 73 characters.
manual: Specifies the manual certificate request mode.
Usage guidelines
A certificate request can be submitted to a CA in offline or online mode. In online mode, a certificate request can be automatically or manually submitted:
· Auto request mode—A PKI entity automatically obtains the CA certificate and submits a certificate request to the CA when both of the following conditions exist:
¡ A PKI-based application (IKE, for example) performs identity authentication.
¡ No certificate is available for the application on the device.
· Manual request mode—You must manually obtain the CA certificate and submit certificate requests.
Examples
# Set the certificate request mode to auto.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] certificate request mode auto
# Set the certificate request mode to auto, and set the certificate revocation password in plain text to 123456.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] certificate request mode auto password simple 123456
Related commands
pki request-certificate
certificate request polling
Use certificate request polling to set the polling interval and the maximum number of attempts to query certificate request status.
Use undo certificate request polling to restore the defaults.
Syntax
certificate request polling { count count | interval minutes }
undo certificate request polling { count | interval }
Default
The polling interval is 20 minutes, and the maximum number of attempts is 50.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
count count: Sets the maximum number of attempts to query certificate request status. The value range is 1 to 100.
interval minutes: Sets a polling interval in minutes, in the range of 5 to 168.
Usage guidelines
After a PKI entity submits a certificate request, it might take the CA server a while to issue the certificate if the CA administrator approves certificate requests manually. During this period, the PKI entity periodically queries the CA server for the certificate request status. The periodic query stops when the PKI entity obtains the certificate or the maximum number of query attempts is reached. If the maximum number of query attempts is reached without obtaining the certificate, the certificate request fails.
If the CA server automatically approves a certificate request, the PKI entity can obtain the certificate immediately after it submits a certificate request. In this case, the PKI entity does not send queries to the CA server.
Examples
# Set the polling interval to 15 minutes, and the maximum number of query attempts to 40.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] certificate request polling interval 15
[Sysname-pki-domain-aaa] certificate request polling count 40
Related commands
display pki certificate request-status
certificate request url
Use certificate request url to specify the URL of the certificate request reception authority (CA or RA) to which the device should send SCEP certificate requests.
Use undo certificate request url to remove the configuration.
Syntax
certificate request url url-string [ vpn-instance vpn-instance-name ]
undo certificate request url
Default
The URL of the certificate request reception authority is not specified.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
url-string: Specifies the URL of the certificate request reception authority, a case-sensitive string of 1 to 511 characters. The URL length is restricted by the CLI string limitation or the url-string parameter, whichever is smaller.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the certificate request reception authority server belongs. A VPN instance name is a case-sensitive string of 1 to 31 characters. If the certificate request reception authority server is on the public network, do not specify this option.
Usage guidelines
The URL is in the format http://server_location/ca_script_location, where:
· The server_location argument is the IPv4 address or domain name of the certificate request reception authority (CA or RA) server.
· The ca_script_location argument is the path of the application script on the server.
Examples
# Specify http://169.254.0.100/certsrv/mscep/mscep.dll as the URL where the device should send certificate requests.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] certificate request url http://169.254.0.100/certsrv/mscep/mscep.dll
# Specify http://mytest.net/certsrv/mscep/mscep.dll in VPN instance vpn1 as the URL where the device should send certificate requests.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] certificate request url http://mytest.net/certsrv/mscep/mscep.dll vpn-instance vpn1
common-name
Use common-name to set the common name for a PKI entity.
Use undo common-name to remove the configuration.
Syntax
common-name common-name-string
undo common-name
Default
No common name is set for a PKI entity.
Views
PKI entity view
Predefined user roles
network-admin
mdc-admin
Parameters
common-name-string: Specifies a common name, a case-sensitive string of 1 to 63 characters. No comma can be included. You can set the username of the PKI entity as the common name.
Examples
# Specify test as the common name of the PKI entity en.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en] common-name test
country
Use country to set the country code of a PKI entity.
Use undo country to remove the configuration.
Syntax
country country-code-string
undo country
Default
No country code is set for a PKI entity.
Views
PKI entity view
Predefined user roles
network-admin
mdc-admin
Parameters
country-code-string: Specifies a country code, a case-sensitive string of two characters. For example, CN is the country code for China.
Examples
# Specify CN as the country code of the PKI entity en.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en] country CN
crl check
Use crl check enable to enable CRL checking.
Use undo crl check enable to disable CRL checking.
Syntax
crl check enable
undo crl check enable
Default
CRL checking is enabled.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
A CA signs and publishes a list of revoked certificates, which is called a CRL. Revoked certificates should no longer be trusted.
CRL checking is designed to check whether a certificate has been revoked.
Examples
# Disable CRL checking.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] undo crl check enable
Related commands
· pki import
· pki retrieve-certificate
· pki validate-certificate
crl url
Use crl url to specify the URL of the CRL repository.
Use undo crl url to remove the configuration.
Syntax
crl url url-string [ vpn-instance vpn-instance-name ]
undo crl url
Default
The URL of the CRL repository is not specified.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
url-string: Specifies the URL of the CRL repository, a case-sensitive string of 1 to 511 characters. The URL format is ldap://server_location or http://server_location, where server_location can be an IP address or a domain name. The URL length is restricted by the CLI string limitation or the url-string parameter, whichever is smaller.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If the CRL repository is on the public network, do not specify this option.
Usage guidelines
To use CRL checking, a CRL must be obtained from a CRL repository.
The device selects a CRL repository in the following order:
1. CRL repository specified in the PKI domain by using this command.
2. CRL repository in the certificate that is being verified.
3. CRL repository in the CA certificate or CRL repository in the upper-level CA certificate if the CA certificate is the certificate being verified.
After the previous selection process, if the CRL repository is not found, the device obtains the CRL through SCEP. In this scenario, the CA certificate and the local certificates must have been obtained.
If an LDAP URL is specified, the device must connect to the LDAP server to obtain the CRL. If the LDAP server's host name is not included in the URL, the device can get the complete URL information according to the LDAP server address specified in the PKI domain.
Examples
# Specify http://169.254.0.30 as the URL of the CRL repository.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] crl url http://169.254.0.30
# Specify ldap://169.254.0.30 in VPN instance vpn1 as the URL of the CRL repository.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] crl url ldap://169.254.0.30 vpn-instance vpn1
Related commands
· ldap-server
· pki retrieve-crl
display pki certificate access-control-policy
Use display pki certificate access-control-policy to display information about certificate-based access control policies.
Syntax
display pki certificate access-control-policy [ policy-name ]
Views
Any view
Predefined user roles
mdc-admin
mdc-operator
Parameters
policy-name: Specifies a certificate-based access control policy by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
If you do not specify a policy name, this command displays information about all certificate-based access control policies.
Examples
# Display information about the certificate-based access control policy mypolicy.
<Sysname> display pki certificate access-control-policy mypolicy
Access control policy name: mypolicy
Rule 1 deny mygroup1
Rule 2 permit mygroup2
# Display information about all certificate-based access control policies.
<Sysname> display pki certificate access-control-policy
Total PKI certificate access control policies: 2
Access control policy name: mypolicy1
Rule 1 deny mygroup1
Rule 2 permit mygroup2
Access control policy name: mypolicy2
Rule 1 deny mygroup3
Rule 2 permit mygroup4
Table 18 Command output
Field | Description |
---|---|
Total PKI certificate access control policies | Total number of certificate-based access control policies. |
permit | A certificate passes the check and is considered valid if it matches all attribute rules in the attribute group associated with the access control rule. |
deny | A certificate fails the check and is considered invalid if it matches all attribute rules in the attribute group associated with the access control rule. |
Related commands
· pki certificate access-control-policy
· rule
display pki certificate attribute-group
Use display pki certificate attribute-group to display information about certificate attribute groups.
Syntax
display pki certificate attribute-group [ group-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
group-name: Specifies a certificate attribute group by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
If you do not specify a certificate attribute group, this command displays information about all certificate attribute groups.
Examples
# Display information about the certificate attribute group mygroup.
<Sysname> display pki certificate attribute-group mygroup
Attribute group name: mygroup
Attribute 1 subject-name dn ctn abc
Attribute 2 issuer-name fqdn nctn app
# Display information about all certificate attribute groups.
<Sysname> display pki certificate attribute-group
Total PKI certificate attribute groups: 2.
Attribute group name: mygroup1
Attribute 1 subject-name dn ctn abc
Attribute 2 issuer-name fqdn nctn app
Attribute group name: mygroup2
Attribute 1 subject-name dn ctn def
Attribute 2 issuer-name fqdn nctn fqd
Table 19 Command output
Field | Description |
---|---|
Total PKI certificate attribute groups | Total number of certificate attribute groups. |
ctn | Contain operation. |
nctn | Not-contain operation. |
equ | Equal operation. |
nequ | Not-equal operation. |
Attribute 1 subject-name dn ctn abc | Attribute rule 1 defines that the DN in the subject name contains the string abc. |
Related commands
· attribute
· pki certificate attribute-group
display pki certificate domain
Use display pki certificate domain to display information about certificates.
Syntax
display pki certificate domain domain-name { ca | local | peer [ serial serial-num ] }
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
ca: Specifies the CA certificate.
local: Specifies the local certificates.
peer: Specifies the peer certificates.
serial serial-num: Specifies the serial number of a peer certificate.
Usage guidelines
If you specify the ca keyword, this command displays information about all CA and RA certificates in the domain.
If you specify the local keyword, this command displays information about all local certificates in the domain.
If you specify the peer keyword but do not specify a serial number, this command displays brief information about all peer certificates. If you specify a serial number, this command displays detailed information about the specified peer certificate.
Examples
# Display information about the CA certificate in the PKI domain aaa.
<Sysname> display pki certificate domain aaa ca
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
5c:72:dc:c4:a5:43:cd:f9:32:b9:c1:90:8f:dd:50:f6
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=cn, O=docm, OU=rnd, CN=rootca
Validity
Not Before: Jan 6 02:51:41 2011 GMT
Not After : Dec 7 03:12:05 2013 GMT
Subject: C=cn, O=ccc, OU=ppp, CN=rootca
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c4:fd:97:2c:51:36:df:4c:ea:e8:c8:70:66:f0:
28:98:ec:5a:ee:d7:35:af:86:c4:49:76:6e:dd:40:
4a:9e:8d:c0:cb:d9:10:9b:61:eb:0c:e0:22:ce:f6:
57:7c:bb:bb:1b:1d:b6:81:ad:90:77:3d:25:21:e6:
7e:11:0a:d8:1d:3c:8e:a4:17:1e:8c:38:da:97:f6:
6d:be:09:e3:5f:21:c5:a0:6f:27:4b:e3:fb:9f:cd:
c1:91:18:ff:16:ee:d8:cf:8c:e3:4c:a3:1b:08:5d:
84:7e:11:32:5f:1a:f8:35:25:c0:7e:10:bd:aa:0f:
52:db:7b:cd:5d:2b:66:5a:fb
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
6d:b1:4e:d7:ef:bb:1d:67:53:67:d0:8f:7c:96:1d:2a:03:98:
3b:48:41:08:a4:8f:a9:c1:98:e3:ac:7d:05:54:7c:34:d5:ee:
09:5a:11:e3:c8:7a:ab:3b:27:d7:62:a7:bb:bc:7e:12:5e:9e:
4c:1c:4a:9f:d7:89:ca:20:46:de:c5:b3:ce:36:ca:5e:6e:dc:
e7:c6:fe:3f:c5:38:dd:d5:a3:36:ad:f4:3d:e6:32:7f:48:df:
07:f0:a2:32:89:86:72:22:cd:ed:e5:0f:95:df:9c:75:71:e7:
fe:34:c5:a0:64:1c:f0:5c:e4:8f:d3:00:bd:fa:90:b6:64:d8:
88:a6
# Display information about the local certificates in the PKI domain aaa.
<Sysname> display pki certificate domain aaa local
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
bc:05:70:1f:0e:da:0d:10:16:1e
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, O=sec, OU=software, CN=ipsec
Validity
Not Before: Jan 7 20:05:44 2011 GMT
Not After : Jan 7 20:05:44 2012 GMT
Subject: O=OpenCA Labs, OU=Users, CN=fips fips-sec
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:b2:38:ad:8c:7d:78:38:37:88:ce:cc:97:17:39:
52:e1:99:b3:de:73:8b:ad:a8:04:f9:a1:f9:0d:67:
d8:95:e2:26:a4:0b:c2:8c:63:32:5d:38:3e:fd:b7:
4a:83:69:0e:3e:24:e4:ab:91:6c:56:51:88:93:9e:
12:a4:30:ad:ae:72:57:a7:ba:fb:bc:ac:20:8a:21:
46:ea:e8:93:55:f3:41:49:e9:9d:cc:ec:76:13:fd:
a5:8d:cb:5b:45:08:b7:d1:c5:b5:58:89:47:ce:12:
bd:5c:ce:b6:17:2f:e0:fc:c0:3e:b7:c4:99:31:5b:
8a:f0:ea:02:fd:2d:44:7a:67
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin
Netscape Comment:
User Certificate of OpenCA Labs
X509v3 Subject Key Identifier:
91:95:51:DD:BF:4F:55:FA:E4:C4:D0:10:C2:A1:C2:99:AF:A5:CB:30
X509v3 Authority Key Identifier:
keyid:DF:D2:C9:1A:06:1F:BC:61:54:39:FE:12:C4:22:64:EB:57:3B:11:9F
X509v3 Subject Alternative Name:
email:fips@ccc.com
X509v3 Issuer Alternative Name:
email:pki@openca.org
Authority Information Access:
CA Issuers - URI:http://titan/pki/pub/cacert/cacert.crt
OCSP - URI:http://titan:2560/
1.3.6.1.5.5.7.48.12 - URI:http://titan:830/
X509v3 CRL Distribution Points:
Full Name:
URI:http://titan/pki/pub/crl/cacrl.crl
Signature Algorithm: sha256WithRSAEncryption
94:ef:56:70:48:66:be:8f:9d:bb:77:0f:c9:f4:65:77:e3:bd:
ea:9a:b8:24:ae:a1:38:2d:f4:ab:e8:0e:93:c2:30:33:c8:ef:
f5:e9:eb:9d:37:04:6f:99:bd:b2:c0:e9:eb:b1:19:7e:e3:cb:
95:cd:6c:b8:47:e2:cf:18:8d:99:f4:11:74:b1:1b:86:92:98:
af:a2:34:f7:1b:15:ee:ea:91:ed:51:17:d0:76:ec:22:4c:56:
da:d6:d1:3c:f2:43:31:4f:1d:20:c8:c2:c3:4d:e5:92:29:ee:
43:c6:d7:72:92:e8:13:87:38:9a:9c:cd:54:38:b2:ad:ba:aa:
f9:a4:68:b5:2a:df:9a:31:2f:42:80:0c:0c:d9:6d:b3:ab:0f:
dd:a0:2c:c0:aa:16:81:aa:d9:33:ca:01:75:94:92:44:05:1a:
65:41:fa:1e:41:b5:8a:cc:2b:09:6e:67:70:c4:ed:b4:bc:28:
04:50:a6:33:65:6d:49:3c:fc:a8:93:88:53:94:4c:af:23:64:
cb:af:e3:02:d1:b6:59:5f:95:52:6d:00:00:a0:cb:75:cf:b4:
50:c5:50:00:65:f4:7d:69:cc:2d:68:a4:13:5c:ef:75:aa:8f:
3f:ca:fa:eb:4d:d5:5d:27:db:46:c7:f4:7d:3a:b2:fb:a7:c9:
de:18:9d:c1
# Display brief information about all peer certificates in the PKI domain aaa.
<Sysname> display pki certificate domain aaa peer
Total peer certificates: 1
Serial Number: 9a0337eb2156ba1f5476e4d754a5a9f7
Subject Name: CN=sldsslserver
# Display detailed information about a peer certificate in the PKI domain aaa.
<Sysname> display pki certificate domain aaa peer serial 9a0337eb2156ba1f5476e4d754a5a9f7
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
9a:03:37:eb:21:56:ba:1f:54:76:e4:d7:54:a5:a9:f7
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=cn, O=ccc, OU=sec, CN=ssl
Validity
Not Before: Oct 15 01:23:06 2010 GMT
Not After : Jul 26 06:30:54 2012 GMT
Subject: CN=sldsslserver
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c2:cf:37:76:93:29:5e:cd:0e:77:48:3a:4d:0f:
a6:28:a4:60:f8:31:56:28:7f:81:e3:17:47:78:98:
68:03:5b:72:f4:57:d3:bf:c5:30:32:0d:58:72:67:
04:06:61:08:3b:e9:ac:53:b9:e7:69:68:1a:23:f2:
97:4c:26:14:c2:b5:d9:34:8b:ee:c1:ef:af:1a:f4:
39:da:c5:ae:ab:56:95:b5:be:0e:c3:46:35:c1:52:
29:9c:b7:46:f2:27:80:2d:a4:65:9a:81:78:53:d4:
ca:d3:f5:f3:92:54:85:b3:ab:55:a5:03:96:2b:19:
8b:a3:4d:b2:17:08:8d:dd:81
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:9A:83:29:13:29:D9:62:83:CB:41:D4:75:2E:52:A1:66:38:3C:90:11
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
Netscape Cert Type:
SSL Server
X509v3 Subject Alternative Name:
DNS:docm.com
X509v3 Subject Key Identifier:
3C:76:95:9B:DD:C2:7F:5F:98:83:B7:C7:A0:F8:99:1E:4B:D7:2F:26
X509v3 CRL Distribution Points:
Full Name:
URI:http://s03130.ccc.sec.com:447/ssl.crl
Signature Algorithm: sha1WithRSAEncryption
61:2d:79:c7:49:16:e3:be:25:bb:8b:70:37:31:32:e5:d3:e3:
31:2c:2d:c1:f9:bf:50:ad:35:4b:c1:90:8c:65:79:b6:5f:59:
36:24:c7:14:63:44:17:1e:e4:cf:10:69:fc:93:e9:70:53:3c:
85:aa:40:7e:b5:47:75:0f:f0:b2:da:b4:a5:50:dd:06:4a:d5:
17:a5:ca:20:19:2c:e9:78:02:bd:19:77:da:07:1a:42:df:72:
ad:07:7d:e5:16:d6:75:eb:6e:06:58:ee:76:31:63:db:96:a2:
ad:83:b6:bb:ba:4b:79:59:9d:59:6c:77:59:5b:d9:07:33:a8:
f0:a5
Related commands
· pki domain
· pki retrieve-certificate
display pki certificate request-status
Use display pki certificate request-status to display certificate request status.
Syntax
display pki certificate request-status [ domain domain-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
Usage guidelines
If no PKI domain is specified, this command displays the status of all certificate requests.
Examples
# Display certificate request status for the PKI domain aaa.
<Sysname> display pki certificate request-status domain aaa
Certificate Request Transaction 1
Domain name: aaa
Status: Pending
Key usage: General
Remain polling attempts: 10
Next polling attempt after : 1191 seconds
# Display certificate request statuses for all PKI domains.
<Sysname> display pki certificate request-status
Certificate Request Transaction 1
Domain name: domain1
Status: Pending
Key usage: General
Remain polling attempts: 10
Next polling attempt after : 1191 seconds
Certificate Request Transaction 2
Domain name: domain2
Status: Pending
Key usage: Signature
Remain polling attempts: 10
Next polling attempt after : 188 seconds
Table 20 Command output
Field | Description |
---|---|
Certificate Request Transaction number | Certificate request transaction number, starting from 1. |
Status | Certificate request status, including only the pending status. |
Key usage | Certificate purposes: General (signature and encryption), Signature (signature only), or Encryption (encryption only). |
Remain polling attempts | Remaining number of attempts to query certificate request status. |
Next polling attempt after | Remaining seconds before the next request status polling. |
Related commands
· certificate request polling
· pki domain
· pki retrieve-certificate
display pki crl
Use display pki crl domain to display information about the locally saved CRLs.
Syntax
display pki crl domain domain-name
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
Usage guidelines
Use this command to check whether a certificate has been revoked.
Examples
# Display information about the locally saved CRL for PKI domain aaa.
<Sysname> display pki crl domain aaa
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=cn/O=docm/OU=sec/CN=therootca
Last Update: Apr 28 01:42:13 2011 GMT
Next Update: NONE
CRL extensions:
X509v3 CRL Number:
6
X509v3 Authority Key Identifier:
keyid:49:25:DB:07:3A:C4:8A:C2:B5:A0:64:A5:F1:54:93:69:14:51:11:EF
Revoked Certificates:
Serial Number: CDE626BF7A44A727B25F9CD81475C004
Revocation Date: Apr 28 01:37:52 2011 GMT
CRL entry extensions:
Invalidity Date:
Apr 28 01:37:49 2011 GMT
Serial Number: FCADFA81E1F56F43D3F2D3EF7EB56DE5
Revocation Date: Apr 28 01:33:28 2011 GMT
CRL entry extensions:
Invalidity Date:
Apr 28 01:33:09 2011 GMT
Signature Algorithm: sha1WithRSAEncryption
57:ac:00:3e:1e:e2:5f:59:62:04:05:9b:c7:61:58:2a:df:a4:
5c:e5:c0:14:af:c8:e7:de:cf:2a:0a:31:7d:32:da:be:cd:6a:
36:b5:83:e8:95:06:bd:b4:c0:36:fe:91:7c:77:d9:00:0f:9e:
99:03:65:9e:0c:9c:16:22:ef:4a:40:ec:59:40:60:53:4a:fc:
8e:47:57:23:e0:75:0a:a4:1c:0e:2f:3d:e0:b2:87:4d:61:8a:
4a:cb:cb:37:af:51:bd:53:78:76:a1:16:3d:0b:89:01:91:61:
52:d0:6f:5c:09:59:15:be:b8:68:65:0c:5d:1b:a1:f8:42:04:
ba:aa
Table 21 Command output
Field | Description |
---|---|
Version | CRL version number. |
Signature Algorithm | Signature algorithm used by the CA to sign the CRL. |
Issuer | Name of the CA that issued the CRL. |
Last Update | Most recent CRL update time. |
Next Update | Next CRL update time. |
X509v3 Authority Key Identifier | X509v3 ID of the CA that issues the CRL. |
keyid | Key ID. This field identifies the key pair used to sign the CRL. |
Signature Algorithm: | Signature algorithm and signature data. |
Related commands
pki retrieve-crl
fqdn
Use fqdn to set the FQDN of an entity.
Use undo fqdn to remove the configuration.
Syntax
fqdn fqdn-name-string
undo fqdn
Default
No FQDN is set for a PKI entity.
Views
PKI entity view
Predefined user roles
network-admin
mdc-admin
Parameters
fqdn-name-string: Specifies an FQDN, a case-sensitive string of 1 to 255 characters in the format hostname@domainname.
Usage guidelines
An FQDN uniquely identifies a PKI entity on a network.
Examples
# Specify abc@pki.domain.com as the FQDN of the PKI entity en.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en] fqdn abc@pki.domain.com
ip
Use ip to assign an IP address to a PKI entity.
Use undo ip to remove the configuration.
Syntax
ip { ip-address | interface interface-type interface-number }
undo ip
Default
No IP address is assigned to the PKI entity.
Views
PKI entity view
Predefined user roles
network-admin
mdc-admin
Parameters
ip-address: Specifies an IPv4 address.
interface interface-type interface-number: Specifies an interface by its type and number. The primary IPv4 address of the interface will be used as the IP address of the PKI entity.
Usage guidelines
Use this command to assign an IP address to a PKI entity or specify an interface whose primary IPv4 address will be used as the IP address for the PKI entity. If you specify an interface, make sure the interface has an IP address before the PKI entity requests a certificate.
Examples
# Assign IP address 192.168.0.2 to PKI entity en.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en] ip 192.168.0.2
ldap-server
Use ldap-server to specify an LDAP server for a PKI domain.
Use undo ldap-server to remove the configuration.
Syntax
ldap-server host hostname [ port port-number ] [ vpn-instance vpn-instance-name ]
undo ldap-server
Default
No LDAP server is specified for a domain.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
host hostname: Specifies an LDAP server by its IPv4 address or domain name. The domain name is a case-sensitive string of 1 to 255 characters.
port port-number: Specifies the port number of the LDAP server. The value range is 1 to 65535, and the default is 389.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If the LDAP server is on the public network, do not specify this option.
Usage guidelines
You must specify an LDAP server in a PKI domain in the following situations:
· An LDAP URL is specified in the PKI domain (by using the crl url command).
· The specified LDAP URL does not contain the IP address or host name of the LDAP server.
You can specify only one LDAP server in a PKI domain. If you configure this command multiple times, the most recent configuration takes effect.
Examples
# Specify an LDAP server 10.0.0.1 for PKI domain aaa.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] ldap-server host 10.0.0.1
# Specify an LDAP server 10.0.0.11 in VPN instance vpn1 for PKI domain aaa. Set the port number to 333.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] ldap-server host 10.0.0.11 port 333 vpn-instance vpn1
Related commands
· pki retrieve-certificate
· pki retrieve-crl
locality
Use locality to set the locality of a PKI entity.
Use undo locality to remove the configuration.
Syntax
locality locality-name
undo locality
Default
No locality is set for a PKI entity.
Views
PKI entity view
Predefined user roles
network-admin
mdc-admin
Parameters
locality-name: Specifies a locality, a case-sensitive string of 1 to 63 characters. No comma can be included. You can set a city name as the locality.
Examples
# Specify pukras as the locality of the PKI entity en.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en] locality pukras
organization
Use organization to set an organization name for a PKI entity.
Use undo organization to remove the configuration.
Syntax
organization org-name
undo organization
Default
No organization name is set for a PKI entity.
Views
PKI entity view
Predefined user roles
network-admin
mdc-admin
Parameters
org-name: Specifies an organization name, a case-sensitive string of 1 to 63 characters. No comma can be included.
Examples
# Specify abc as the organization name of the PKI entity en.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en] organization abc
organization-unit
Use organization-unit to set an organization unit name for a PKI entity.
Use undo organization-unit to remove the configuration.
Syntax
organization-unit org-unit-name
undo organization-unit
Default
No organization unit name is set for a PKI entity.
Views
PKI entity view
Predefined user roles
network-admin
mdc-admin
Parameters
org-unit-name: Specifies an organization unit name, a case-sensitive string of 1 to 63 characters. No comma can be included.
Examples
# Specify rdtest as the organization unit name for the PKI entity en.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en] organization-unit rdtest
pki abort-certificate-request
Use pki abort-certificate-request to abort the certificate request for a PKI domain.
Syntax
pki abort-certificate-request domain domain-name
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
Usage guidelines
You can abort a certificate request and change some parameters, such as common name, country code, or FQDN, in the certificate request before the CA issues the certificate. Use the display pki certificate request-status command to display the certificate request status.
Examples
# Abort the certificate request for the PKI domain 1.
<Sysname> system-view
[Sysname] pki abort-certificate-request domain 1
The certificate request is in process.
Confirm to abort it? [Y/N]:y
Related commands
· display pki certificate request-status
· pki request-certificate domain
pki certificate access-control-policy
Use pki certificate access-control-policy to create a certificate-based access control policy and enter its view.
Use undo pki certificate access-control-policy to remove a certificate-based access control policy.
Syntax
pki certificate access-control-policy policy-name
undo pki certificate access-control-policy policy-name
Default
No certificate-based access control policies exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
policy-name: Specifies a policy name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
You can add multiple rules to a certificate-based access control policy.
Examples
# Create a certificate-based access control policy named mypolicy and enter its view.
<Sysname> system-view
[Sysname] pki certificate access-control-policy mypolicy
[Sysname-pki-cert-acp-mypolicy]
Related commands
· display pki certificate access-control-policy
· rule
pki certificate attribute-group
Use pki certificate attribute-group to create a certificate attribute group and enter its view.
Use undo pki certificate attribute-group to remove a certificate attribute group.
Syntax
pki certificate attribute-group group-name
undo pki certificate attribute-group group-name
Default
No certificate attribute groups exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
group-name: Specifies a group name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
A certificate attribute group is a set of attribute rules configured by using the attribute command. Each attribute rule defines a matching criterion for an attribute in the issuer name, subject name, or alternative subject name field of certificates.
A certificate attribute group must be associated with an access control rule (a permit or deny statement configured by using the rule command). If a certificate attribute group does not have any attribute rules, the system determines that all certificates match the associated access control rule.
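An added example (not code from the command reference) that applies the semantics stated here and in Tables 18 and 19: it parses the display output of both commands, treats a group as matched only when every one of its attribute rules matches, treats an empty group as matching every certificate, and returns the permit or deny decision. The certificate is a constructed dict of its name fields; the attribute types are limited to dn and fqdn because those are the ones shown on this page. Two behaviours are assumptions of this example, not statements of the reference: rules are tried in rule-number order with the first match deciding, a certificate matching no rule is denied, and a rule naming a group that does not exist is treated as an empty group.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Name fields a rule may test (from the usage guidelines) and the attribute
# types and operators shown in the display output on this page.
FIELDS = {"subject-name", "issuer-name", "alt-subject-name"}
TYPES = {"dn", "fqdn"}
OPERATORS = {"ctn": lambda actual, v: v in actual,
             "nctn": lambda actual, v: v not in actual,
             "equ": lambda actual, v: v == actual,
             "nequ": lambda actual, v: v != actual}

# Constructed from the display examples in this section.
SAMPLE_POLICY_OUTPUT = """\
Total PKI certificate access control policies: 1
Access control policy name: mypolicy1
  Rule 1 deny mygroup1
  Rule 2 permit mygroup2
"""
SAMPLE_GROUP_OUTPUT = """\
Total PKI certificate attribute groups: 2.
Attribute group name: mygroup1
  Attribute 1 subject-name dn ctn abc
  Attribute 2 issuer-name fqdn nctn app
Attribute group name: mygroup2
  Attribute 1 subject-name dn ctn def
  Attribute 2 issuer-name fqdn nctn fqd
"""


@dataclass(frozen=True)
class AttributeRule:
    field: str       # subject-name | issuer-name | alt-subject-name
    attr_type: str   # dn | fqdn
    operator: str    # ctn | nctn | equ | nequ
    value: str

    def matches(self, cert: Dict[str, str]) -> bool:
        """Apply the operator to the certificate's value for (field, type);
        a field the certificate lacks counts as '' (assumption)."""
        actual = cert.get(f"{self.field}/{self.attr_type}", "")
        return OPERATORS[self.operator](actual, self.value)


def parse_attribute_groups(output: str) -> Dict[str, List[AttributeRule]]:
    """{group name: [AttributeRule, ...]} from the attribute-group output."""
    groups: Dict[str, List[AttributeRule]] = {}
    current: Optional[str] = None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Attribute group name:"):
            current = line.split(":", 1)[1].strip()
            groups[current] = []
        elif line.startswith("Attribute ") and current is not None:
            # Attribute <n> <field> <type> <operator> <value>
            parts = line.split(maxsplit=5)
            if (len(parts) != 6 or parts[2] not in FIELDS
                    or parts[3] not in TYPES or parts[4] not in OPERATORS):
                raise ValueError(f"unrecognised attribute rule: {line}")
            groups[current].append(AttributeRule(*parts[2:]))
    return groups


def parse_policies(output: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """{policy name: [(rule number, action, group), ...]} from the policy output."""
    policies: Dict[str, List[Tuple[int, str, str]]] = {}
    current: Optional[str] = None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Access control policy name:"):
            current = line.split(":", 1)[1].strip()
            policies[current] = []
        elif line.startswith("Rule ") and current is not None:
            _, number, action, group = line.split()
            if action not in ("permit", "deny"):
                raise ValueError(f"unrecognised rule: {line}")
            policies[current].append((int(number), action, group))
    return policies


def group_matches(rules: List[AttributeRule], cert: Dict[str, str]) -> bool:
    """Every rule must match; a group with no rules matches every certificate."""
    return all(rule.matches(cert) for rule in rules)


def evaluate(rules: List[Tuple[int, str, str]],
             groups: Dict[str, List[AttributeRule]],
             cert: Dict[str, str]) -> str:
    """'permit' or 'deny' for the certificate; see the assumptions above."""
    for _, action, group in sorted(rules):
        if group_matches(groups.get(group, []), cert):
            return action
    return "deny"
```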
Examples
# Create a certificate attribute group named mygroup and enter its view.
<Sysname> system-view
[Sysname] pki certificate attribute-group mygroup
[Sysname-pki-cert-attribute-group-mygroup]
Related commands
· attribute
· display pki certificate attribute-group
· rule
pki delete-certificate
Use pki delete-certificate to remove certificates from a PKI domain.
Syntax
pki delete-certificate domain domain-name { ca | local | peer [ serial serial-num ] }
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
ca: Specifies the CA certificate.
local: Specifies the local certificates.
peer: Specifies the peer certificates.
serial serial-num: Specifies a peer certificate by its serial number, a case-insensitive string of 1 to 127 characters. If you do not specify a peer certificate, this command removes all peer certificates in the PKI domain.
Usage guidelines
When you remove the CA certificate in a PKI domain, the system also removes the local certificates, peer certificates, and the CRL in the PKI domain.
Examples
# Remove the CA certificate in the PKI domain aaa.
<Sysname> system-view
[Sysname] pki delete-certificate domain aaa ca
Local certificates, peer certificates and CRL will also be deleted while deleting the CA certificate.
Confirm to delete the CA certificate? [Y/N]:y
[Sysname]
# Remove the local certificates in the PKI domain aaa.
<Sysname> system-view
[Sysname] pki delete-certificate domain aaa local
[Sysname]
# Remove all peer certificates in the PKI domain aaa.
<Sysname> system-view
[Sysname] pki delete-certificate domain aaa peer
[Sysname]
# Display information about all peer certificates in the PKI domain aaa, and remove a peer certificate with the specified serial number.
<Sysname> system-view
[Sysname] display pki certificate domain aaa peer
Total peer certificates: 1
Serial Number: 9a0337eb2156ba1f5476e4d754a5a9f7
Subject Name: CN=abc
[Sysname] pki delete-certificate domain aaa peer serial 9a0337eb2156ba1f5476e4d754a5a9f7
Related commands
display pki certificate
pki domain
Use pki domain to create a PKI domain and enter its view.
Use undo pki domain to remove a PKI domain.
Syntax
pki domain domain-name
undo pki domain domain-name
Default
No PKI domains exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
Usage guidelines
When you remove a PKI domain, the certificates and the CRL in the domain are also removed.
Examples
# Create a PKI domain named aaa and enter its view.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa]
pki entity
Use pki entity to create a PKI entity and enter its view.
Use undo pki entity to remove a PKI entity.
Syntax
pki entity entity-name
undo pki entity entity-name
Default
No PKI entity exists.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
entity-name: Specifies the name of a PKI entity, a case-insensitive string of 1 to 31 characters.
Usage guidelines
A PKI entity includes the identity information that can be used by a CA to identify a certificate applicant. You can configure multiple attributes for a PKI entity, such as common name, organization, organization unit, locality, state, country, FQDN, and IP address. The information will be included as subject contents in the certificate issued by the CA.
Examples
# Create a PKI entity named en and enter its view.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en]
Related commands
pki domain
pki export
Use pki export to export the CA certificate and the local certificates in a PKI domain to local files or display them on a terminal.
Syntax
pki export domain domain-name der { all | ca | local } filename filename
pki export domain domain-name p12 { all | local } passphrase p12passwordstring filename filename
pki export domain domain-name pem { { all | local } [ { 3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc } pempasswordstring ] | ca } [ filename filename ]
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
der: Specifies the certificate file format as DER.
p12: Specifies the certificate file format as PKCS12.
pem: Specifies the certificate file format as PEM.
all: Specifies both CA and local certificates. The RA certificate is excluded.
ca: Specifies the CA certificate.
local: Specifies the local certificates or the local certificates and their private keys.
passphrase p12passwordstring: Specifies a password for encrypting the private key of a local PKCS12 certificate.
3des-cbc: Specifies 3DES_CBC for encrypting the private key of a local certificate.
aes-128-cbc: Specifies 128-bit AES_CBC for encrypting the private key of a local certificate.
aes-192-cbc: Specifies 192-bit AES_CBC for encrypting the private key of a local certificate.
aes-256-cbc: Specifies 256-bit AES_CBC for encrypting the private key of a local certificate.
des-cbc: Specifies DES_CBC for encrypting the private key of a local certificate.
pempasswordstring: Specifies a password for encrypting the private key of a local certificate in PEM format.
filename filename: Specifies a file name for storing a certificate. The file name is a case-insensitive string. If you do not specify a file name for the certificates in PEM format, this command displays the certificates on the terminal.
Usage guidelines
When you export the CA certificate, the following conditions might exist:
· If the PKI domain has only one CA certificate, this command exports the CA certificate to a file or displays it on the terminal.
· If the PKI domain has a CA certificate chain, this command exports the certificate chain to a file or displays it on the terminal.
When you export the local certificates, the local file names might not be the same as specified in the command. The file names depend on the usage of the key pairs of the certificates. In the following description, the filename is the file name specified in the command.
· If the key pair of the local certificate is for signing, the local file name is filename-sign.
· If the key pair of the local certificate is for encryption, the local file name is filename-encr.
· If the key pair of the local certificate is for general use (RSA or DSA), the local file name is filename.
If the PKI domain has two local certificates, one of the following results occurs:
· If you specify a file name, the local certificates are exported to two different files.
· If you do not specify a file name, the local certificates are displayed on the terminal, separated by the system prompts.
When you export all certificates:
· If the PKI domain has only the CA certificate or local certificates, the result is the same as when you export the CA certificate or local certificates separately.
· If the PKI domain has both the CA certificate and local certificates, you get the following results:
    · If you specify a file name, each local certificate with its corresponding CA certificate chain is exported to a separate file.
    · If you do not specify a file name, all local certificates and the CA certificate or CA certificate chain are displayed on the terminal, separated by the system prompts.
When you export all certificates in PKCS12 format, the PKI domain must have a local certificate. Otherwise, the export operation fails.
When you export the local certificates or all certificates in PEM format, you must specify the cryptographic algorithm and the challenge password for the private key. Otherwise, this command does not export the private keys of the local certificates. If you specify the cryptographic algorithm and the password, and the local certificates have their private keys, this command can export the local certificates with their private keys. If the local certificates do not have their private keys, the export operation fails.
When you export the local certificates, if the key pair in the PKI domain is changed and no longer matches the key in the local certificates, the export operation fails.
When you export the local certificates or all certificates, if the PKI domain has two local certificates, failure of exporting one local certificate does not affect export of the other.
The specified file name can contain an absolute path. If the specified path does not exist, the export operation fails.
Examples
# Export the CA certificate in the PKI domain to a file named cert-ca.der in DER format.
<Sysname> system-view
[Sysname] pki export domain domain1 der ca filename cert-ca.der
# Export the local certificates in the PKI domain to a file named cert-lo.der in DER format.
<Sysname> system-view
[Sysname] pki export domain domain1 der local filename cert-lo.der
# Export all certificates in the PKI domain to a file named cert-all.p7b in DER format.
<Sysname> system-view
[Sysname] pki export domain domain1 der all filename cert-all.p7b
# Export the CA certificate in the PKI domain to a file named cacert in PEM format.
<Sysname> system-view
[Sysname] pki export domain domain1 pem ca filename cacert
# Export the local certificates and their private keys in the PKI domain to a file named local.pem in PEM format. For the private keys, the cryptographic algorithm is DES_CBC and the password is 111.
<Sysname> system-view
[Sysname] pki export domain domain1 pem local des-cbc 111 filename local.pem
# Export all certificates in the PKI domain to a file named all.pem in PEM format. No cryptographic algorithm or password is specified, so the private keys are not exported.
<Sysname> system-view
[Sysname] pki export domain domain1 pem all filename all.pem
# Display the local certificates and their private keys in the PKI domain on the terminal in PEM format. For the private keys, the cryptographic algorithm is DES_CBC and the password is 111.
<Sysname> system-view
[Sysname] pki export domain domain1 pem local des-cbc 111
%The signature usage local certificate:
Bag Attributes
friendlyName:
localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D
subject=/C=CN/O=OpenCA Labs/OU=Users/CN=chktest chktest
issuer=/C=CN/O=OpenCA Labs/OU=software/CN=abcd
-----BEGIN CERTIFICATE-----
MIIEqjCCA5KgAwIBAgILAOhID4rI04kBfYgwDQYJKoZIhvcNAQELBQAwRTELMAkG
A1UEBhMCQ04xFDASBgNVBAoMC09wZW5DQSBMYWJzMREwDwYDVQQLDAhzb2Z0d2Fy
ZTENMAsGA1UEAwwEYWJjZDAeFw0xMTA0MjYxMzMxMjlaFw0xMjA0MjUxMzMxMjla
ME0xCzAJBgNVBAYTAkNOMRQwEgYDVQQKDAtPcGVuQ0EgTGFiczEOMAwGA1UECwwF
VXNlcnMxGDAWBgNVBAMMD2Noa3Rlc3QgY2hrdGVzdDCBnzANBgkqhkiG9w0BAQEF
AAOBjQAwgYkCgYEA54rUZ0Ux2kApceE4ATpQ437CU6ovuHS5eJKZyky8fhMoTHhE
jE2KfBQIzOZSgo2mdgpkccjr9Ek6IUC03ed1lPn0IG/YaAl4Tjgkiv+w1NrlSvAy
cnPaSUko2QbO9sg3ycye1zqpbbqj775ulGpcXyXYD9OY63/Cp5+DRQ92zGsCAwEA
AaOCAhUwggIRMAkGA1UdEwQCMAAwUAYDVR0gBEkwRzAGBgQqAwMEMAYGBCoDAwUw
NQYEKgMDBjAtMCsGCCsGAQUFBwIBFh9odHRwczovL3RpdGFuL3BraS9wdWIvY3Bz
L2Jhc2ljMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNVHQ8EBAMCBsAwKQYDVR0lBCIw
IAYIKwYBBQUHAwIGCCsGAQUFBwMEBgorBgEEAYI3FAICMC4GCWCGSAGG+EIBDQQh
Fh9Vc2VyIENlcnRpZmljYXRlIG9mIE9wZW5DQSBMYWJzMB0GA1UdDgQWBBTPw8FY
ut7Xr2Ct/23zU/ybgU9dQjAfBgNVHSMEGDAWgBQzEQ58yIC54wxodp6JzZvn/gx0
CDAaBgNVHREEEzARgQ9jaGt0ZXN0QGgzYy5jb20wGQYDVR0SBBIwEIEOcGtpQG9w
ZW5jYS5vcmcwgYEGCCsGAQUFBwEBBHUwczAyBggrBgEFBQcwAoYmaHR0cDovL3Rp
dGFuL3BraS9wdWIvY2FjZXJ0L2NhY2VydC5jcnQwHgYIKwYBBQUHMAGGEmh0dHA6
Ly90aXRhbjoyNTYwLzAdBggrBgEFBQcwDIYRaHR0cDovL3RpdGFuOjgzMC8wPAYD
VR0fBDUwMzAxoC+gLYYraHR0cDovLzE5Mi4xNjguNDAuMTI4L3BraS9wdWIvY3Js
L2NhY3JsLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAGcMeSpBJiuRmsJW0iZK5nygB
tgD8c0b+n4v/F36sJjY1fRFSr4gPLIxZhPWhTrqsCd+QMELRCDNHDxvt3/1NEG12
X6BVjLcKXKH/EQe0fnwK+7PegAJ15P56xDeACHz2oysvNQ0Ot6hGylMqaZ8pKUKv
UDS8c+HgIBrhmxvXztI08N1imYHq27Wy9j6NpSS60mMFmI5whzCWfTSHzqlT2DNd
no0id18SZidApfCZL8zoMWEFI163JZSarv+H5Kbb063dxXfbsqX9Noxggh0gD8dK
7X7/rTJuuhTWVof5gxSUJp+aCCdvSKg0lvJY+tJeXoaznrINVw3SuXJ+Ax8GEw==
-----END CERTIFICATE-----
Bag Attributes
friendlyName:
localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
…
-----END ENCRYPTED PRIVATE KEY-----
# Display all certificates in the PKI domain in PEM format. For the private keys, the cryptographic algorithm is DES_CBC and the password is 111.
<Sysname> system-view
[Sysname] pki export domain domain1 pem all des-cbc 111
%The signature usage local certificate:
Bag Attributes
friendlyName:
localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D
subject=/C=CN/O=OpenCA Labs/OU=Users/CN=chktest chktest
issuer=/C=CN/O=OpenCA Labs/OU=software/CN=abcd
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/C=CN/O=OpenCA Labs/OU=software/CN=abcd
issuer=/C=CN/O=OpenCA Labs/OU=software/CN=abcd
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
Bag Attributes
friendlyName:
localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
…
-----END ENCRYPTED PRIVATE KEY-----
# Display the CA certificate in the PKI domain in PEM format.
<Sysname> system-view
[Sysname] pki export domain domain1 pem ca
-----BEGIN CERTIFICATE-----
MIIB+TCCAWICEQDMbgjRKygg3vpGFVY6pa3ZMA0GCSqGSIb3DQEBBQUAMD0xCzAJ
BgNVBAYTAmNuMQwwCgYDVQQKEwNoM2MxETAPBgNVBAsTCGgzYy10ZXN0MQ0wCwYD
VQQDEwQ4MDQzMB4XDTExMDMyMjA0NDQyNFoXDTE0MDMyMzA0MzUyNFowPTELMAkG
A1UEBhMCY24xDDAKBgNVBAoTA2gzYzERMA8GA1UECxMIaDNjLXRlc3QxDTALBgNV
BAMTBDgwNDMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOvDAYQhyc++G7h5
eNDzJs22OQjCn/4JqnNKIdKz1BbaJT8/+IueSn9JIsg64Ex2WBeCd/tcmnSW57ag
dCvNIUYXXVOGca2iaSOElqCF4CQfV9zLrBtA7giHD49T+JbxLrrJLmdIQMJ+vYdC
sCxIp3YMAiuCahVLZeXklooqwqIXAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAElm7
W2Lp9Xk4nZVIpVV76CkNe8/C+Id00GCRUUVQFSMvo7Pded76bmYX2KzJSz+DlMqy
TdVrgG9Fp6XTFO80aKJGe6NapsfhJHKS+Q7mL0XpXeMONgK+e3dX7rsDxsY7hF+j
0gwsHrjV7kWvwJvDlhzGW6xbpr4DRmdcao19Cr6o=
-----END CERTIFICATE-----
# Display the CA certificate chain in the PKI domain on the terminal in PEM format. In this example, the chain consists of three certificates.
<Sysname> system-view
[Sysname] pki export domain domain1 pem ca
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
# Export the local certificates and their private keys in the PKI domain to a file named cert-lo.der in PKCS12 format. The password for the private keys is 123.
<Sysname> system-view
[Sysname] pki export domain domain1 p12 local passphrase 123 filename cert-lo.der
# Export all certificates in the PKI domain to a file named cert-all.p7b in PKCS12 format. The password for the private keys is 123.
<Sysname> system-view
[Sysname] pki export domain domain1 p12 all passphrase 123 filename cert-all.p7b
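The following is an added example, not part of this command reference or of the device software: a Python 3 script (standard library only) that inspects a bundle written by pki export ... pem ... and reports what it actually carries before the file leaves the device. It checks the rules stated in the usage guidelines above: private keys are present only if a cryptographic algorithm and password were specified, a self-signed entry (subject equals issuer) is the CA certificate, and a PEM private key is either a PKCS#8 ENCRYPTED PRIVATE KEY block or a legacy RSA PRIVATE KEY block whose Proc-Type: 4,ENCRYPTED header marks it as encrypted (the form shown in the pki import paste example on this page). The sample bundles embedded in the script are constructed to mirror the layout of the output shown above; their base64 bodies are placeholders, not real certificates or keys.

```python
"""Inspect a PEM bundle written by "pki export domain ... pem ...".  Added example,
not part of the command reference or of the device software.  Python 3 standard
library only.  The sample bundles at the bottom are constructed; their base64
bodies are placeholders rather than real certificates or keys."""
import re

# One PEM block: "-----BEGIN <LABEL>-----", body, "-----END <LABEL>-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)
# "subject=" / "issuer=" lines that precede each certificate in the export output.
ATTR_LINE = re.compile(r"^(subject|issuer)=(.*)$", re.M)


def inspect_export(text):
    """Return what the bundle carries: every certificate with its subject, issuer
    and whether it is self-signed (subject == issuer, i.e. a root CA certificate),
    and every private key with whether it is encrypted."""
    result = {"certificates": [], "private_keys": []}
    prev_end = 0
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        preamble = text[prev_end:m.start()]   # attribute lines for this block
        prev_end = m.end()
        if label == "CERTIFICATE":
            attrs = dict(ATTR_LINE.findall(preamble))
            subject = attrs.get("subject", "").strip()
            issuer = attrs.get("issuer", "").strip()
            result["certificates"].append({
                "subject": subject,
                "issuer": issuer,
                "self_signed": bool(subject) and subject == issuer,
            })
        elif label.endswith("PRIVATE KEY"):
            # A PKCS#8 "ENCRYPTED PRIVATE KEY" block is always encrypted.  A legacy
            # "RSA PRIVATE KEY" block is encrypted only when it carries the
            # RFC 1421 "Proc-Type: 4,ENCRYPTED" header.
            encrypted = (label == "ENCRYPTED PRIVATE KEY"
                         or "Proc-Type: 4,ENCRYPTED" in body)
            result["private_keys"].append({"type": label, "encrypted": encrypted})
    return result


def private_key_status(text):
    """'none' if the bundle holds no private key (export without a cryptographic
    algorithm and password), 'encrypted' if every key in it is encrypted,
    'plaintext' if any key is unencrypted and the file must not be shared."""
    keys = inspect_export(text)["private_keys"]
    if not keys:
        return "none"
    return "encrypted" if all(k["encrypted"] for k in keys) else "plaintext"


# Constructed sample shaped like "pki export domain domain1 pem all des-cbc 111".
SAMPLE_ALL_WITH_KEY = """%The signature usage local certificate:
Bag Attributes
    friendlyName:
    localKeyID: 01 02 03 04 05 06 07 08
subject=/C=CN/O=Example Labs/OU=Users/CN=device1
issuer=/C=CN/O=Example Labs/OU=software/CN=exampleca
-----BEGIN CERTIFICATE-----
TE9DQUwtQ0VSVC1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/C=CN/O=Example Labs/OU=software/CN=exampleca
issuer=/C=CN/O=Example Labs/OU=software/CN=exampleca
-----BEGIN CERTIFICATE-----
Q0EtQ0VSVC1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
Bag Attributes
    friendlyName:
    localKeyID: 01 02 03 04 05 06 07 08
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
S0VZLVBMQUNFSE9MREVS
-----END ENCRYPTED PRIVATE KEY-----
"""

# Constructed sample of a legacy-format encrypted key (placeholder DEK-Info IV).
SAMPLE_LEGACY_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

S0VZLVBMQUNFSE9MREVS
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, bundle in (("all+key", SAMPLE_ALL_WITH_KEY), ("legacy", SAMPLE_LEGACY_KEY)):
        print(name, private_key_status(bundle), inspect_export(bundle))
```

The functions take the file contents as a string, so read the exported file and pass it in. A status of plaintext means an unencrypted private key is in the file; a status of none confirms that a bundle exported without an algorithm and password really contains only certificates and can be handed to a peer.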
Related commands
pki domain
pki import
Use pki import to import the CA certificate, local certificates, or peer certificates for a PKI domain.
Syntax
pki import domain domain-name { der { ca | local | peer } filename filename | p12 local filename filename | pem { ca | local | peer } [ filename filename ] }
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
der: Specifies the certificate format as DER, including PKCS#7.
p12: Specifies the certificate format as PKCS12.
pem: Specifies the certificate format as PEM.
ca: Specifies the CA certificate.
local: Specifies the local certificates.
peer: Specifies the peer certificates.
filename filename: Specifies a certificate file name, a case-insensitive string. For a certificate in PEM format, you can also choose to copy and paste the certificate contents on the terminal instead of importing from a file.
Usage guidelines
Use this command to import certificates in the following situations:
· The CRL repository is not specified, or the CA server does not support SCEP.
· You want to use a certificate that is packed with the server-generated key pair in a single file. Only certificate files in PKCS12 or PEM format can contain key pairs.
Before you import the certificates, complete the following tasks:
· Use FTP or TFTP to upload the certificate files to the storage media of the device. If FTP or TFTP is not available, you can import the certificates by copying and pasting the certificate contents through the terminal. In this case, make sure the certificate is in PEM format, because only certificates in PEM format can be imported by this means.
· For the local certificates or peer certificates to be imported, the corresponding CA certificate chain must exist, either stored in the PKI domain on the device or carried in the local or peer certificate file. If neither the PKI domain nor the certificate file contains the CA certificate chain, obtain and import the CA certificate first.
When you import the local certificates or peer certificates:
· If the local certificates or peer certificates to be imported contain the CA certificate chain, you can import the CA certificate and the local certificates or peer certificates at the same time. If the certificate of the CA that issues the local certificates or peer certificates already exists in a PKI domain, the system displays a prompt to ask you whether to overwrite the existing CA certificate.
· If the local certificates or peer certificates to be imported do not contain the CA certificate chain, but the certificate of the CA that issues the local certificate or peer certificate already exists in a PKI domain, you can directly import the local certificates or peer certificates.
When you import the CA certificate:
· If the CA certificate to be imported is the CA root certificate or contains the certificate chain with the root certificate, you can import the CA certificate.
· If the CA certificate to be imported contains a certificate chain without the root certificate, but can form a complete certificate chain with the CA certificate on the device, you can import the CA certificate. Otherwise, you cannot import it.
Contact the CA server administrator to get information in the following scenarios:
· If the certificate file to be imported contains the root certificate, but the root certificate does not exist on the device and no fingerprint is configured for it (see root-certificate fingerprint), the system asks you to confirm the fingerprint.
· If the local certificate to be imported contains a key pair, the system asks you to enter the challenge password used for encrypting the private key.
When you import a local certificate file that contains a key pair, you can choose to update the domain with the key pair. Depending on the purpose of the key pair, the following conditions apply:
· If the purpose of the key pair is general, the device uses the key pair to replace the local key pair that is found in this order: general-purpose key pair, signature key pair, and encryption key pair.
· If the purpose of the key pair is signature, the device uses the key pair to replace the local key pair that is found in this order: general-purpose key pair and signature key pair.
· If the purpose of the key pair is encryption, the device searches the domain for an encryption key pair.
If a match is found, the device displays a prompt to ask you whether to overwrite the existing key pair on the device. If no match is found, the device asks you to enter a key pair name (defaulting to the PKI domain name). Then, it generates a key pair according to the algorithm and the purpose of the key pair defined in the certificate file.
The import operation automatically updates or generates the correct key pair. After you perform the import operation, save the configuration file to avoid data loss.
Examples
# Import the CA certificate file rootca_pem.cer in PEM format to the PKI domain aaa. The certificate file contains the root certificate.
<Sysname> system-view
[Sysname] pki import domain aaa pem ca filename rootca_pem.cer
The trusted CA's finger print is:
MD5 fingerprint:FFFF 3EFF FFFF 37FF FFFF 137B FFFF 7535
SHA1 fingerprint:FFFF FF7F FF2B FFFF 7618 FF4C FFFF 0A7D FFFF FF69
Is the finger print correct?(Y/N):y
[Sysname]
# Import the CA certificate file aca_pem.cer in PEM format to the PKI domain bbb. The certificate file does not contain the root certificate.
<Sysname> system-view
[Sysname] pki import domain bbb pem ca filename aca_pem.cer
[Sysname]
# Import the local certificate file local-ca.p12 in PKCS12 format to the PKI domain bbb. The certificate file contains a key pair.
<Sysname> system-view
[Sysname] pki import domain bbb p12 local filename local-ca.p12
Please input challenge password:
******
[Sysname]
# Import the local certificate in PEM format to the PKI domain bbb by copying and pasting the contents of the certificate. The certificate contains the key pair and the CA certificate chain.
<Sysname> system-view
[Sysname] pki import domain bbb pem local
Enter PEM-formatted certificate.
End with a Ctrl+c on a line by itself.
Bag Attributes
localKeyID: 01 00 00 00
friendlyName: {F7619D96-3AC2-40D4-B6F3-4EAB73DEED73}
Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0
Key Attributes
X509v3 Key Usage: 10
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,8DCE37F0A61A4B8C

…
-----END RSA PRIVATE KEY-----
Bag Attributes
localKeyID: 01 00 00 00
subject=/CN=sldsslserver
issuer=/C=cn/O=ccc/OU=sec/CN=ssl
-----BEGIN CERTIFICATE-----
MIICjzCCAfigAwIBAgIRAJoDN+shVrofVHbk11SlqfcwDQYJKoZIhvcNAQEFBQAw
NzELMAkGA1UEBhMCY24xDDAKBgNVBAoTA2gzYzEMMAoGA1UECxMDc2VjMQwwCgYD
VQQDEwNzc2wwHhcNMTAxMDE1MDEyMzA2WhcNMTIwNzI2MDYzMDU0WjAXMRUwEwYD
VQQDEwxzbGRzc2xzZXJ2ZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMLP
N3aTKV7NDndIOk0PpiikYPgxVih/geMXR3iYaANbcvRX07/FMDINWHJnBAZhCDvp
rFO552loGiPyl0wmFMK12TSL7sHvrxr0OdrFrqtWlbW+DsNGNcFSKZy3RvIngC2k
ZZqBeFPUytP185JUhbOrVaUDlisZi6NNshcIjd2BAgMBAAGjgbowgbcwHwYDVR0j
BBgwFoAUmoMpEynZYoPLQdR1LlKhZjg8kBEwDgYDVR0PAQH/BAQDAgP4MBEGCWCG
SAGG+EIBAQQEAwIGQDASBgNVHREECzAJggdoM2MuY29tMB0GA1UdDgQWBBQ8dpWb
3cJ/X5iDt8eg+JkeS9cvJjA+BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vczAzMTMw
LmgzYy5odWF3ZWktM2NvbS5jb206NDQ3L3NzbC5jcmwwDQYJKoZIhvcNAQEFBQAD
gYEAYS15x0kW474lu4twNzEy5dPjMSwtwfm/UK01S8GQjGV5tl9ZNiTHFGNEFx7k
zxBp/JPpcFM8hapAfrVHdQ/wstq0pVDdBkrVF6XKIBks6XgCvRl32gcaQt9yrQd9
5RbWdetuBljudjFj25airYO2u7pLeVmdWWx3WVvZBzOo8KU=
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/C=cn/O=ccc/OU=sec/CN=ssl
issuer=/C=cn/O=ccc/OU=sec/CN=ssl
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
Please input the password:********
Local certificate already exist, confirm to overwrite it? [Y/N]:y
The PKI domain already has a CA certificate. If it is overwritten, local certificates, peer certificates and CRL of this domain will also be deleted.
Overwrite it? [Y/N]:y
The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A to Z, 0 to 9, and hyphens (-).
Please enter the key pair name [default name: bbb]:
The key pair already exists.
Please enter the key pair name:
import-key
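The following is an added example, not part of this command reference or of the device software: a Python 3 script (standard library only) that computes a CA certificate's MD5 and SHA1 fingerprints in the spaced form the device prints at "The trusted CA's finger print is:" (the pki import and pki retrieve-certificate prompts), converts between that display form and the 32- or 40-character hex string that the root-certificate fingerprint command takes, and checks that a pasted PEM certificate decodes to a self-consistent DER structure before any fingerprint is compared. A certificate fingerprint is, by convention, the hash of the DER-encoded certificate, which is what the script hashes. SAMPLE_DER is a constructed DER-framed stand-in, not a real certificate; only the hashing, framing and comparison logic is being shown.

```python
"""CA certificate fingerprints in the device's display form, and a paste check.
Added example, not part of the command reference or of the device software.
Python 3 standard library only.  SAMPLE_DER below is a constructed stand-in for
a DER certificate, not a real one."""
import base64
import binascii
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
HASHES = {"md5": hashlib.md5, "sha1": hashlib.sha1}


def pem_to_der(text):
    """DER bytes of every CERTIFICATE block.  A base64 body that is not a whole
    number of 4-character groups (a paste that lost characters) is rejected."""
    certs = []
    for body in PEM_CERT.findall(text):
        try:
            certs.append(base64.b64decode("".join(body.split()), validate=True))
        except binascii.Error as exc:
            raise ValueError("corrupt PEM body: %s" % exc)
    return certs


def der_length_ok(der):
    """Check that the outer SEQUENCE length covers exactly the bytes present, so a
    truncated or padded certificate is caught before its fingerprint is trusted."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        length, header = first, 2
    else:                                 # long form: 0x8n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def paste_is_intact(text):
    """True if every certificate in the pasted text decodes and is self-consistent."""
    try:
        ders = pem_to_der(text)
    except ValueError:
        return False
    return bool(ders) and all(der_length_ok(d) for d in ders)


def fingerprint(der, algo):
    """Digest of the DER bytes in the device's display form: upper-case hex in
    groups of four, e.g. 'FFFF 3EFF ... 7535'."""
    digest = HASHES[algo](der).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def to_config_form(displayed):
    """The compact string that root-certificate fingerprint takes: 32 hex
    characters for MD5, 40 for SHA1, no separators."""
    compact = re.sub(r"[^0-9A-F]", "", displayed.upper())
    if len(compact) not in (32, 40):
        raise ValueError("expected 32 (MD5) or 40 (SHA1) hex characters, got %d"
                         % len(compact))
    return compact


def fingerprint_matches(displayed, expected):
    """Compare two fingerprints regardless of case, spacing or colon separators.
    Anything that is not a complete MD5 or SHA1 value never matches."""
    try:
        return to_config_form(displayed) == to_config_form(expected)
    except ValueError:
        return False


# Constructed stand-in for a DER certificate: SEQUENCE (0x30) with long-form
# length 0x81 0xC8 (= 200) around 200 filler bytes.
SAMPLE_DER = b"\x30\x81\xc8" + bytes(range(1, 201))
_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for der in pem_to_der(SAMPLE_PEM):
        print("MD5 fingerprint:", fingerprint(der, "md5"))
        print("SHA1 fingerprint:", fingerprint(der, "sha1"))
        print("root-certificate fingerprint sha1", to_config_form(fingerprint(der, "sha1")))
```

Obtain the CA certificate from the CA administrator over a channel you trust, run the script on it, and answer Y at the "Is the finger print correct?" prompt only if fingerprint_matches returns True for the value the device displayed. A prompt with no fingerprint configured is the one point in this workflow where a substituted CA certificate would otherwise be accepted; configuring root-certificate fingerprint sha1 with the to_config_form value removes the manual step.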
Related commands
· display pki certificate
· public-key dsa
· public-key rsa
pki request-certificate
Use pki request-certificate to submit a local certificate request or generate a certificate request in PKCS#10 format.
Syntax
pki request-certificate domain domain-name [ password password ] [ pkcs10 [ filename filename ] ]
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
password password: Sets the password for certificate revocation, a case-sensitive string of 1 to 31 characters. The password is contained in the certificate request and must be provided if the certificate is revoked.
pkcs10: Displays BASE64-encoded PKCS#10 certificate request information, which can be used to request a certificate by an out-of-band means, like phone, disk, or email.
filename filename: Specifies a local file for saving the certificate request in PKCS#10 format. The filename argument is case-insensitive.
Usage guidelines
If SCEP fails, you can perform one of the following operations:
· Use the pkcs10 keyword to print the BASE64-encoded request information.
· Use the pkcs10 filename filename option to save the request information to a local file and send the file to the CA by an out-of-band means. The specified file name can contain an absolute path. If the specified path does not exist, the request information cannot be saved.
This command is not saved in the configuration file.
Examples
# Display information about the certificate request in the PKCS#10 format.
<Sysname> system-view
[Sysname] pki request-certificate domain aaa pkcs10
*** Request for general certificate ***
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBTDCBtgIBADANMQswCQYDVQQDEwJqajCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAw5Drj8ofs9THA4ezkDcQPBy8pvH1kumampPsJmx8sGG52NFtbrDTnTT5
ALx3LJijB3d/ndKpcHT/DfbJVDCn5gdw32tBZyCkEwMHZN3ol2z7Nmdcu5TED6iN8
4m+hfp1QWoV6lty3o9pxAXuQl8peUDcfN6WV3LBXYyl1WCtkLkECAwEAAaAAMA0G
CSqGSIb3DQEBBAUAA4GBAA8E7BaIdmT6NVCZgv/I/1tqZH3TS4e4H9Qo5NiCKiEw
R8owVmA0XVtGMbyqBNcDTG0f5NbHrXZQT5+MbFJOnm5K/mn1ro5TJKMTKV46PlCZ
JUjsugaY02GBY0BVcylpC9iIXLuXNIqjh1MBIqVsa1lQOHS7YMvnop6hXAQlkM4c
-----END NEW CERTIFICATE REQUEST-----
# Request the local certificates.
<Sysname> system-view
[Sysname] pki request-certificate domain openca
Start to request the general certificate ...
…
Request certificate of domain openca successfully
Related commands
display pki certificate
pki retrieve-certificate
Use pki retrieve-certificate to obtain a certificate from the certificate distribution server.
Syntax
pki retrieve-certificate domain domain-name { ca | local | peer entity-name }
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
ca: Specifies the CA certificate.
local: Specifies the local certificates.
peer entity-name: Specifies a peer entity by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
In online mode:
· You can obtain the CA certificate through the SCEP protocol. If a CA certificate already exists locally, you cannot obtain it again. To obtain a new one, use the pki delete-certificate command to remove the CA certificate and local certificates, and then obtain the CA certificate again.
· You can obtain local certificates or peer certificates through the LDAP protocol. If a PKI domain already has local certificates or peer certificates, you can still perform the obtain operation and the obtained local certificates or peer certificates overwrite the existing ones. If RSA is used, a PKI domain can have two local certificates, one for signing and the other for encryption. Certificates for different purposes do not overwrite each other.
The obtained CA certificate, local certificates, and peer certificates are automatically verified before they are saved locally. If the verification fails, they are not saved.
This command is not saved in the configuration file.
Examples
# Obtain the CA certificate from the certificate distribution server. (This operation requires the user to confirm the fingerprint of the CA root certificate.)
<Sysname> system-view
[Sysname] pki retrieve-certificate domain aaa ca
The trusted CA's finger print is:
MD5 fingerprint:5C41 E657 A0D6 ECB4 6BD6 1823 7473 AABC
SHA1 fingerprint:1616 E7A5 D89A 2A99 9419 1C12 D696 8228 87BC C266
Is the finger print correct?(Y/N):y
# Obtain the local certificates from the certificate distribution server.
<Sysname> system-view
[Sysname] pki retrieve-certificate domain aaa local
# Obtain the certificate of the peer entity en1 from the certificate distribution server.
<Sysname> system-view
[Sysname] pki retrieve-certificate domain aaa peer en1
Related commands
· display pki certificate
· pki delete-certificate
pki retrieve-crl
Use pki retrieve-crl to obtain CRLs and save them locally.
Syntax
pki retrieve-crl domain domain-name
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
Usage guidelines
CRLs are used to verify the validity of the local certificates and the peer certificates in a PKI domain. To obtain CRLs, a PKI domain must have the correct CA certificate.
The URL of the CRL repository is specified by using the crl url command.
The device can obtain CRLs from the CRL repository through the HTTP, LDAP, or SCEP protocol. Which protocol is used depends on the configuration of the CRL repository in the PKI domain:
· If the specified URL of the CRL repository is in HTTP format, the device obtains CRLs through the HTTP protocol.
· If the specified URL of the CRL repository is in LDAP format, the device obtains CRLs through the LDAP protocol. If the specified URL does not have a host name, for example, ldap:///CN=8088,OU=test,U=rd,C=cn, you must specify the LDAP server's URL for the PKI domain by using the ldap server command. The device can obtain the complete URL of the LDAP repository by combining the URL of the LDAP server and the URL of the CRL repository.
· If the PKI domain is not configured with a CRL repository, the device looks up the local certificates and then the CA certificate for a CRL distribution point. If one is found, the device obtains CRLs from that point. Otherwise, the device obtains CRLs through the SCEP protocol.
Examples
# Obtain CRLs from the CRL repository.
<Sysname> system-view
[Sysname] pki retrieve-crl domain aaa
Related commands
· crl url
· ldap server
pki storage
Use pki storage to specify the storage path for the certificates or CRLs.
Use undo pki storage to restore the default.
Syntax
pki storage { certificates | crls } dir-path
undo pki storage { certificates | crls }
Default
The storage path for the certificates and CRLs is the PKI directory on the storage media of the device.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
certificates: Specifies a storage path for the certificates.
crls: Specifies a storage path for the CRLs.
dir-path: Specifies a storage path, a case-sensitive string, which cannot start with a slash (/) or contain two dots plus a slash (../). The dir-path argument specifies an absolute path or a relative path, and the path must exist.
Usage guidelines
The default PKI directory on the device is automatically created when you successfully request, obtain, or import a certificate for the first time.
If the path to be specified does not exist, you must use the mkdir command to create the path before using this command. After you change the storage path for the certificates or CRLs, the certificate files and CRL files in the original path are moved to the new path. The other types of files are not moved. Certificate files have the extension .cer or .p12. CRL files have the extension .crl.
Examples
# Specify flash:/pki-new as the storage path for the certificates.
<Sysname> system-view
[Sysname] pki storage certificates flash:/pki-new
# Specify pki-new as the storage path for the CRLs.
<Sysname> system-view
[Sysname] pki storage crls pki-new
pki validate-certificate
Use pki validate-certificate to verify the validity of certificates.
Syntax
pki validate-certificate domain domain-name { ca | local }
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*), back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and apostrophe (').
ca: Specifies the CA certificate.
local: Specifies the local certificates.
Usage guidelines
Generally, certificates are automatically verified when you request, obtain, or import them, or when an application uses PKI.
You can also use this command to manually verify a certificate in the following aspects:
· Whether the certificate is issued by a trusted CA.
· Whether the certificate has expired.
· Whether the certificate is revoked if CRL checking is enabled.
When CRL checking is enabled:
· To verify the local certificates, if the PKI domain has no CRLs, the device looks up the locally saved CRLs. If a CRL is found, the device loads the CRL to the PKI domain. Otherwise, the device obtains the CRL from the CA server and saves it locally.
· To verify the CA certificate, CRL checking is performed for the CA certificate chain from the current CA to the root CA.
Examples
# Verify the validity of the CA certificate in the PKI domain aaa.
<Sysname> system-view
[Sysname] pki validate-certificate domain aaa ca
Verifying certificate......
Serial Number:
f6:3c:15:31:fe:bb:ec:94:dc:3d:b9:3a:d9:07:70:e5
Issuer:
C=cn
O=ccc
OU=ppp
CN=rootca
Subject:
C=cn
O=abc
OU=test
CN=aca
Verify result: OK
Verifying certificate......
Serial Number:
5c:72:dc:c4:a5:43:cd:f9:32:b9:c1:90:8f:dd:50:f6
Issuer:
C=cn
O=ccc
OU=ppp
CN=rootca
Subject:
C=cn
O=ccc
OU=ppp
CN=rootca
Verify result: OK
# Verify the local certificates in the PKI domain aaa.
<Sysname> system-view
[Sysname] pki validate-certificate domain aaa local
Verifying certificate......
Serial Number:
bc:05:70:1f:0e:da:0d:10:16:1e
Issuer:
C=CN
O=sec
OU=software
CN=bca
Subject:
O=OpenCA Labs
OU=Users
CN=fips fips-sec
Verify result: OK
Related commands
· crl check
· pki domain
public-key dsa
Use public-key dsa to specify a DSA key pair for certificate request.
Use undo public-key to remove the configuration.
Syntax
public-key dsa name key-name [ length key-length ]
undo public-key
Default
No key pair is specified.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
name key-name: Specifies a key pair by its name, a case-insensitive string of 1 to 64 characters. The key pair name contains only letters, digits, and hyphens (-).
length key-length: Specifies the key length, in bits. In non-FIPS mode, the value range is 512 to 2048, and the default is 1024. In FIPS mode, the value must be 2048. A longer key means higher security but more public key calculation time.
Usage guidelines
You can specify a nonexistent key pair in this command. A key pair can be obtained in any of the following ways:
· Use the public-key local create command to generate a key pair.
· An application, like IKE using digital signature authentication, triggers the device to generate a key pair.
· Use the pki import command to import a certificate containing a key pair.
A PKI domain can have key pairs using only one type of cryptographic algorithm (DSA, RSA).
· If DSA is used, a PKI domain can have only one key pair.
· If RSA is used, a PKI domain can have two key pairs: one is the signing key pair, and the other is the encryption key pair.
· In a PKI domain, key pairs for different purposes (RSA signing and RSA encryption) do not overwrite each other.
· For DSA, the most recent configuration takes effect.
The specified length is effective on only a key pair to be generated. If the device already has a key pair or a key pair is contained in an imported certificate, using this command to specify the key length for the key pair does not take effect.
Examples
# Specify the DSA key pair abc with the key length 2048 bits for certificate request.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] public-key dsa name abc length 2048
Related commands
· pki import
· public-key local create (see Security Command Reference)
public-key rsa
Use public-key rsa to specify an RSA key pair for certificate request.
Use undo public-key to remove the configuration.
Syntax
public-key rsa { { encryption name encryption-key-name [ length key-length ] | signature name signature-key-name [ length key-length ] } * | general name key-name [ length key-length ] }
undo public-key
Default
No key pair is specified.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
encryption: Specifies a key pair for encryption.
name encryption-key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters. The key pair name contains only letters, digits, and hyphens (-).
signature: Specifies a key pair for signing.
name signature-key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters. The key pair name contains only letters, digits, and hyphens (-).
general: Specifies a key pair for both signing and encryption.
name key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters. The key pair name contains only letters, digits, and hyphens (-).
length key-length: Specifies the key length, in bits. In non-FIPS mode, the value range is 512 to 2048, and the default is 1024. In FIPS mode, the value must be 2048. A longer key means higher security but more public key calculation time.
Usage guidelines
You can specify a nonexistent key pair in this command. You can get a key pair in any of the following ways:
· Use the public-key local create command to generate a key pair.
· An application, like IKE using digital signature authentication, triggers the device to generate a key pair.
· Use the pki import command to import a certificate containing a key pair.
A PKI domain can have key pairs using only one type of cryptographic algorithm (DSA, RSA).
· If DSA is used, a PKI domain can have only one key pair.
· If RSA is used, a PKI domain can have two key pairs: one is the signing key pair, and the other is the encryption one.
· In a PKI domain, key pairs for different purposes (RSA signing and RSA encryption) do not overwrite each other.
· For DSA, the most recent configuration takes effect.
If you specify a signing key pair and an encryption key pair separately, their key length can be different.
The specified length is effective on only a key pair to be generated. If the device already has a key pair or a key pair is contained in an imported certificate, using this command to specify the key length for the key pair does not take effect.
Examples
# Specify the RSA key pair abc with the purpose general and key length 2048 bits for certificate request.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] public-key rsa general name abc length 2048
# Specify the RSA encryption key pair rsa1 with the key length 2048 bits, and the RSA signing key pair sig1 with the key length 2048 bits for certificate request.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] public-key rsa encryption name rsa1 length 2048
[Sysname-pki-domain-aaa] public-key rsa signature name sig1 length 2048
Related commands
· pki import
· public-key local create (see Security Command Reference)
root-certificate fingerprint
Use root-certificate fingerprint to set the fingerprint for verifying the validity of the CA root certificate.
Use undo root-certificate fingerprint to remove the configuration.
Syntax
In non-FIPS mode:
root-certificate fingerprint { md5 | sha1 } string
undo root-certificate fingerprint
In FIPS mode:
root-certificate fingerprint sha1 string
undo root-certificate fingerprint
Default
No fingerprint is set.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
md5: Sets an MD5 fingerprint.
sha1: Sets a SHA1 fingerprint.
string: Sets the fingerprint information in hexadecimal notation. If you specify the MD5 keyword, the fingerprint is a string of 32 characters. If you specify the SHA1 keyword, the fingerprint is a string of 40 characters.
Usage guidelines
If you set the certificate request mode to auto, and if the PKI domain does not have a CA certificate, you must use this command to set the fingerprint for verifying the validity of the CA root certificate.
When an application, like IKE, triggers the device to request local certificates, the device automatically obtains the CA certificate from the CA server.
If the obtained CA certificate contains a CA root certificate that does not exist on the local device, the device verifies the CA root certificate with the fingerprint. If the PKI domain is not configured with any fingerprint, the local certificate request fails.
You can choose whether to set the fingerprint of the CA root certificate when performing the following operations:
· Import the CA certificate by using the pki import command.
· Obtain the CA certificate by using the pki retrieve command.
If you specify the fingerprint in the PKI domain, the device automatically verifies the fingerprint of the CA certificate to be imported or obtained against that configured in the domain. If the two fingerprints do not match, the device rejects the CA certificate. If no fingerprint is specified in the domain, the device asks you to manually verify the fingerprint of the CA certificate.
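The fingerprint the device compares is a digest over the DER encoding of the CA certificate, so an administrator who obtains the certificate out of band can compute the expected value before typing it into the PKI domain. The following Python script is an added example, not code from the original command reference or from the vendor: it strips the PEM armor, computes the MD5 or SHA1 fingerprint, normalizes the colon-separated form printed by openssl x509 -fingerprint into the bare hexadecimal string the CLI expects, and checks it against a root-certificate fingerprint line from a configuration. The certificate bytes are constructed (arbitrary data, not a real X.509 structure); the digest arithmetic is the same for a real certificate.

```python
import base64
import hashlib
import re

# Hex length of each fingerprint the command accepts, per the parameter
# description: 32 characters for MD5, 40 for SHA1. MD5 is accepted only in
# non-FIPS mode; prefer SHA1 where both are offered.
FINGERPRINT_LENGTH = {"md5": 32, "sha1": 40}

CONFIG_RE = re.compile(
    r"root-certificate\s+fingerprint\s+(md5|sha1)\s+([0-9A-Fa-f:]+)\s*$"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and return the DER-encoded certificate bytes.
    The fingerprint is a digest over exactly these bytes."""
    body, inside = [], False
    for line in pem.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            inside = True
            continue
        if line.startswith("-----END CERTIFICATE-----"):
            break
        if inside and line:
            body.append(line)
    if not body:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(body), validate=True)


def fingerprint(der: bytes, algo: str) -> str:
    """Upper-case hex digest of the DER bytes with the chosen algorithm."""
    if algo not in FINGERPRINT_LENGTH:
        raise ValueError(f"unsupported fingerprint algorithm: {algo}")
    return hashlib.new(algo, der).hexdigest().upper()


def normalize(fp: str) -> str:
    # Accept "D1:52:11:..." as printed by openssl x509 -fingerprint, or the
    # bare 40-character form the CLI takes; compare case-insensitively.
    return fp.replace(":", "").replace(" ", "").upper()


def parse_config_fingerprint(config_text: str):
    """Return (algo, fingerprint) from the first root-certificate fingerprint
    line in a PKI domain configuration, or None if none is configured.
    Rejects a value whose length does not fit the algorithm."""
    for line in config_text.splitlines():
        m = CONFIG_RE.search(line)
        if m:
            algo, fp = m.group(1).lower(), normalize(m.group(2))
            if len(fp) != FINGERPRINT_LENGTH[algo]:
                raise ValueError(
                    f"{algo} fingerprint must be {FINGERPRINT_LENGTH[algo]} hex "
                    f"characters, got {len(fp)}"
                )
            return algo, fp
    return None


def verify_ca_certificate(pem: str, config_text: str) -> bool:
    """True only if a fingerprint is configured and matches the certificate.
    With no fingerprint configured the device falls back to a manual check,
    which this function reports as not verified."""
    parsed = parse_config_fingerprint(config_text)
    if parsed is None:
        return False
    algo, expected = parsed
    return fingerprint(pem_to_der(pem), algo) == expected


def make_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor (used here to build the sample input)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed stand-in for a CA certificate: arbitrary bytes, not a real
# X.509 structure. A real check feeds the PEM exported from the CA.
SAMPLE_DER = bytes(range(256)) * 4
SAMPLE_PEM = make_pem(SAMPLE_DER)

if __name__ == "__main__":
    fp = fingerprint(SAMPLE_DER, "sha1")
    print(f"root-certificate fingerprint sha1 {fp}")
    cfg = f"pki domain aaa\n root-certificate fingerprint sha1 {fp}\n"
    print("verified:", verify_ca_certificate(SAMPLE_PEM, cfg))
```

Run the script against the PEM obtained from the CA to print the exact root-certificate fingerprint sha1 line to configure; a mismatch on a later pki retrieve-certificate or pki import then means the certificate presented is not the one that was checked out of band.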
Examples
# Specify an MD5 fingerprint for verifying the validity of the CA root certificate. (This configuration is supported only in non-FIPS mode.)
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] root-certificate fingerprint md5 12EF53FA355CD23E12EF53FA355CD23E
# Set an SHA1 fingerprint for verifying the validity of the CA root certificate.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93
Related commands
· certificate request mode
· pki import
· pki retrieve-certificate
rule
Use rule to create an access control rule (or statement).
Use undo rule to remove an access control rule (or statement).
Syntax
rule [ id ] { deny | permit } group-name
undo rule id
Default
No statement exists.
Views
PKI certificate access control policy view
Predefined user roles
network-admin
mdc-admin
Parameters
id: Assigns an ID to the access control rule, in the range of 1 to 16. The default setting is the smallest unused ID in this range.
deny: Denies the certificates that match the associated certificate group.
permit: Permits the certificates that match the associated certificate group.
group-name: Specifies a certificate attribute group, a case-insensitive string of 1 to 31 characters.
Usage guidelines
When you create an access control rule, you can associate it with a nonexistent certificate attribute group.
The system determines that a certificate matches an access control rule when any of the following conditions exists:
· The associated certificate attribute group does not exist.
· The associated certificate attribute group does not contain any attribute rules.
· The certificate matches all attribute rules in the associated certificate attribute group.
You can create multiple access control rules for an access control policy. A certificate matches the rules one by one, starting with the rule with the smallest ID. When a match is found, the match process stops, and the system performs the access control action defined in the access control rule.
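The first two match conditions above are the ones that bite in practice: a rule whose group name is misspelled, or whose group has no attribute rules yet, matches every certificate, and because evaluation stops at the first match, a permit rule in that state permits all certificates and shadows every rule after it. The following Python model is an added example, not vendor code, of the evaluation order and match semantics described on this page, plus an audit check that lists such catch-all rules. Certificates and attribute rules are simplified to dicts and substring predicates (constructed data); the action taken when no rule matches is not stated on this page, so it is an assumption here and exposed as a parameter.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A certificate attribute rule is a predicate over the certificate's fields.
# Real attribute rules match subject-name, issuer-name or alt-subject-name
# (see the attribute command); here a certificate is a plain dict.
AttrRule = Callable[[dict], bool]


def dn_contains(field_name: str, needle: str) -> AttrRule:
    """Attribute rule: the named DN field contains the substring (case-insensitive)."""
    return lambda cert: needle.lower() in cert.get(field_name, "").lower()


@dataclass(frozen=True)
class AccessRule:
    rule_id: int      # 1 to 16; rules are tried in ascending ID order
    action: str       # "permit" or "deny"
    group_name: str   # may name a group that does not exist (the CLI allows it)


def group_matches(cert: dict, groups: Dict[str, List[AttrRule]], group_name: str) -> bool:
    """Match semantics from the usage guidelines:
    nonexistent group or group with no attribute rules -> matches every certificate;
    otherwise every attribute rule in the group must hold."""
    rules = groups.get(group_name)
    if not rules:
        return True
    return all(rule(cert) for rule in rules)


def evaluate_policy(cert: dict, rules: List[AccessRule], groups: Dict[str, List[AttrRule]],
                    no_match_action: str = "deny") -> Tuple[str, Optional[int]]:
    """First-match evaluation in ascending rule ID order; returns (action, rule_id).
    no_match_action is an assumption: the page does not state what happens when
    no rule matches."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if group_matches(cert, groups, rule.group_name):
            return rule.action, rule.rule_id
    return no_match_action, None


def catch_all_rules(rules: List[AccessRule], groups: Dict[str, List[AttrRule]]) -> List[int]:
    """Audit check: IDs of rules whose group is missing or empty. Each such rule
    matches every certificate, so a permit rule here admits all certificates."""
    return sorted(r.rule_id for r in rules if not groups.get(r.group_name))


# Constructed sample data: two attribute groups and two certificates.
GROUPS: Dict[str, List[AttrRule]] = {
    "mygroup": [dn_contains("subject", "O=Example Corp"),
                dn_contains("issuer", "CN=Example CA")],
    "empty-group": [],   # no attribute rules yet: matches everything
}
CORP_CERT = {"subject": "CN=alice,O=Example Corp,C=US",
             "issuer": "CN=Example CA,O=Example Corp,C=US"}
OTHER_CERT = {"subject": "CN=mallory,O=Other Ltd,C=US",
              "issuer": "CN=Example CA,O=Example Corp,C=US"}

# Intended policy: permit mygroup, explicit deny of everything else via an
# empty group at the highest ID.
GOOD_POLICY = [AccessRule(1, "permit", "mygroup"), AccessRule(16, "deny", "empty-group")]
# Misconfigured policy: "mygrup" is a typo, the group does not exist, so rule 1
# permits every certificate and rule 16 is never reached.
TYPO_POLICY = [AccessRule(1, "permit", "mygrup"), AccessRule(16, "deny", "empty-group")]

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("typo", TYPO_POLICY)):
        print(name, evaluate_policy(OTHER_CERT, policy, GROUPS),
              "catch-all rules:", catch_all_rules(policy, GROUPS))
```

Before applying a policy to an application, run catch_all_rules over it: the only catch-all rule that should appear is a deliberate final deny (or permit) at the highest ID.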
Examples
# Create rule 1 to permit all certificates that match certificate attribute group mygroup.
<Sysname> system-view
[Sysname] pki certificate access-control-policy mypolicy
[Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup
Related commands
· attribute
· display pki certificate access-control-policy
· pki certificate attribute-group
source
Use source to specify a source IP address for PKI protocol packets.
Use undo source to remove the configuration.
Syntax
source ip { ip-address | interface interface-type interface-number }
undo source
Default
The source IP address of PKI protocol packets is the IP address of their outgoing interface.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
ip ip-address: Specifies a source IPv4 address.
interface interface-type interface-number: Specifies an interface by its type and number. The interface's primary IP address will be used as the source IP address for PKI protocol packets.
Usage guidelines
Use this command to specify the source IP address for PKI protocol packets. You can also specify a source interface if the IP address is dynamically obtained.
Make sure there is a route between the source IP address and the CA server.
You can specify only one source IP address in a PKI domain. If you configure this command multiple times, the most recent configuration takes effect.
Examples
# Specify 111.1.1.8 as the source IP address for PKI protocol packets.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] source ip 111.1.1.8
# Specify the IP address of VLAN-interface 1 as the source IPv4 address of PKI protocol packets.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] source ip interface vlan-interface 1
state
Use state to set the state or province name for a PKI entity.
Use undo state to remove the configuration.
Syntax
state state-name
undo state
Default
No state name or province name is set for a PKI entity.
Views
PKI entity view
Predefined user roles
network-admin
mdc-admin
Parameters
state-name: Specifies a state or province by its name, a case-sensitive string of 1 to 63 characters. No comma can be included.
Examples
# Specify countryA as the state name of the PKI entity en.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en] state countryA
usage
Use usage to specify the extensions for certificates.
Use undo usage to remove certificate extensions.
Syntax
usage { ike | ssl-client | ssl-server } *
undo usage [ ike | ssl-client | ssl-server ] *
Default
No extension is specified. A certificate can be used for all applications, including IKE, SSL clients, and SSL servers.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
ike: Specifies the IKE certificate extension so IKE peers can use the certificates.
ssl-client: Specifies the SSL client certificate extension so the SSL clients can use the certificates.
ssl-server: Specifies the SSL server certificate extension so the SSL servers can use the certificates.
Usage guidelines
If you do not specify any keywords for the undo usage command, the command removes all certificate extensions.
The extensions actually contained in a certificate depend on the CA policy and might differ from those specified in the PKI domain.
Examples
# Specify the SSL client certificate extension.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] usage ssl-client
SSL commands
The SSL feature is available in Release 1138P01 and later versions.
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
ciphersuite
Use ciphersuite to specify the cipher suites supported by an SSL server policy.
Use undo ciphersuite to restore the default.
Syntax
In non-FIPS mode:
ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } *
undo ciphersuite
In FIPS mode:
ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha } *
undo ciphersuite
Default
An SSL server policy supports all cipher suites.
Views
SSL server policy view
Predefined user roles
mdc-admin
Parameters
dhe_rsa_aes_128_cbc_sha: Specifies the key exchange algorithm DHE RSA, the data encryption algorithm 128-bit AES, and the MAC algorithm SHA.
dhe_rsa_aes_256_cbc_sha: Specifies the key exchange algorithm DHE RSA, the data encryption algorithm 256-bit AES, and the MAC algorithm SHA.
exp_rsa_des_cbc_sha: Specifies the export cipher suite that uses the key exchange algorithm RSA, the data encryption algorithm DES_CBC, and the MAC algorithm SHA.
exp_rsa_rc2_md5: Specifies the export cipher suite that uses the key exchange algorithm RSA, the data encryption algorithm RC2, and the MAC algorithm MD5.
exp_rsa_rc4_md5: Specifies the export cipher suite that uses the key exchange algorithm RSA, the data encryption algorithm RC4, and the MAC algorithm MD5.
rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm RSA, the data encryption algorithm 3DES_EDE_CBC, and the MAC algorithm SHA.
rsa_aes_128_cbc_sha: Specifies the key exchange algorithm RSA, the data encryption algorithm 128-bit AES_CBC, and the MAC algorithm SHA.
rsa_aes_256_cbc_sha: Specifies the key exchange algorithm RSA, the data encryption algorithm 256-bit AES_CBC, and the MAC algorithm SHA.
rsa_des_cbc_sha: Specifies the key exchange algorithm RSA, the data encryption algorithm DES_CBC, and the MAC algorithm SHA.
rsa_rc4_128_md5: Specifies the key exchange algorithm RSA, the data encryption algorithm 128-bit RC4, and the MAC algorithm MD5.
rsa_rc4_128_sha: Specifies the key exchange algorithm RSA, the data encryption algorithm 128-bit RC4, and the MAC algorithm SHA.
Usage guidelines
SSL employs the following algorithms:
· Data encryption algorithms—Encrypt data to ensure privacy. Commonly used data encryption algorithms are usually symmetric key algorithms, such as DES_CBC, 3DES_EDE_CBC, AES_CBC, and RC4. When using a symmetric key algorithm, the SSL server and the SSL client must use the same key.
· Message Authentication Code (MAC) algorithms—Calculate the MAC value for data to ensure integrity. Commonly used MAC algorithms include MD5 and SHA. When using a MAC algorithm, the SSL server and the SSL client must use the same key.
· Key exchange algorithms—Implement secure exchange of the keys used by the symmetric key algorithm and the MAC algorithm. Commonly used key exchange algorithms are usually asymmetric key algorithms, such as RSA.
After the SSL server receives the cipher suites offered by a client, the server matches them against the cipher suites it supports. If a match is found, the cipher suite negotiation succeeds. If no match is found, the negotiation fails.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure SSL server policy policy1 to support the following cipher suites:
· Key exchange algorithm DHE RSA, data encryption algorithm 128-bit AES, and MAC algorithm SHA.
· Key exchange algorithm RSA, data encryption algorithm 128-bit AES, and MAC algorithm SHA.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] ciphersuite dhe_rsa_aes_128_cbc_sha rsa_aes_128_cbc_sha
Related commands
· display ssl server-policy
· prefer-cipher
client-verify enable
Use client-verify enable to enable the SSL server to use digital certificates to authenticate clients.
Use undo client-verify enable to restore the default.
Syntax
client-verify enable
undo client-verify enable
Default
The SSL server does not authenticate SSL clients.
Views
SSL server policy view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The SSL client and server use digital certificates to authenticate each other. For more information about digital certificates, see Security Configuration Guide.
If you execute the client-verify enable command, an SSL client must send its own digital certificate to the SSL server for authentication. The client can access the SSL server only after it passes the authentication.
Examples
# Enable the SSL server to use digital certificates to authenticate SSL clients.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] client-verify enable
Related commands
display ssl server-policy
display ssl client-policy
Use display ssl client-policy to display SSL client policy information.
Syntax
display ssl client-policy [ policy-name ]
Views
Any view
Predefined user roles
mdc-admin
mdc-operator
Parameters
policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters. If you do not specify a policy, this command displays information about all SSL client policies.
Examples
# Display information about the SSL client policy policy1.
<Sysname> display ssl client-policy policy1
SSL client policy: policy1
SSL version: SSL 3.0
PKI domain: client-domain
Preferred ciphersuite:
RSA_AES_128_CBC_SHA
Server-verify: enabled
Table 22 Command output
Field | Description |
---|---|
Server-verify | Indicates whether the client is enabled to use digital certificates to authenticate servers. |
display ssl server-policy
Use display ssl server-policy to display SSL server policy information.
Syntax
display ssl server-policy [ policy-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
policy-name: Specifies an SSL server policy by its name, a case-insensitive string of 1 to 31 characters. If you do not specify a policy, this command displays information about all SSL server policies.
Examples
# Display information about the SSL server policy policy1.
<Sysname> display ssl server-policy policy1
SSL server policy: policy1
PKI domain: server-domain
Ciphersuites:
DHE_RSA_AES_128_CBC_SHA
RSA_AES_128_CBC_SHA
Session cache size: 600
Client-verify: enabled
Table 23 Command output
Field | Description |
---|---|
Client-verify | Indicates whether the server is enabled to use digital certificates to authenticate clients. |
pki-domain
Use pki-domain to specify a PKI domain for an SSL client policy or an SSL server policy.
Use undo pki-domain to restore the default.
Syntax
pki-domain domain-name
undo pki-domain
Default
No PKI domain is specified for an SSL client policy or an SSL server policy.
Views
SSL client policy view, SSL server policy view
Predefined user roles
mdc-admin
Parameters
domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
If you specify a PKI domain for an SSL client policy, the SSL client that uses the SSL client policy will obtain its digital certificate through the specified PKI domain.
If you specify a PKI domain for an SSL server policy, the SSL server that uses the SSL server policy will obtain its digital certificate through the specified PKI domain.
Examples
# Specify PKI domain client-domain for the SSL client policy policy1.
<Sysname> system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1] pki-domain client-domain
# Specify PKI domain server-domain for the SSL server policy policy1.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] pki-domain server-domain
Related commands
· display ssl server-policy
· pki domain
prefer-cipher
Use prefer-cipher to specify a preferred cipher suite for an SSL client policy.
Use undo prefer-cipher to restore the default.
Syntax
In non-FIPS mode:
prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }
undo prefer-cipher
In FIPS mode:
prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha }
undo prefer-cipher
Default
In non-FIPS mode:
The preferred cipher suite of an SSL client policy is rsa_rc4_128_md5.
In FIPS mode:
The preferred cipher suite of an SSL client policy is rsa_aes_128_cbc_sha.
Views
SSL client policy view
Predefined user roles
mdc-admin
Parameters
dhe_rsa_aes_128_cbc_sha: Specifies the key exchange algorithm DHE RSA, the data encryption algorithm 128-bit AES, and the MAC algorithm SHA.
dhe_rsa_aes_256_cbc_sha: Specifies the key exchange algorithm DHE RSA, the data encryption algorithm 256-bit AES, and the MAC algorithm SHA.
exp_rsa_des_cbc_sha: Specifies the export cipher suite that uses the key exchange algorithm RSA, the data encryption algorithm DES_CBC, and the MAC algorithm SHA.
exp_rsa_rc2_md5: Specifies the export cipher suite that uses the key exchange algorithm RSA, the data encryption algorithm RC2, and the MAC algorithm MD5.
exp_rsa_rc4_md5: Specifies the export cipher suite that uses the key exchange algorithm RSA, the data encryption algorithm RC4, and the MAC algorithm MD5.
rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm RSA, the data encryption algorithm 3DES_EDE_CBC, and the MAC algorithm SHA.
rsa_aes_128_cbc_sha: Specifies the key exchange algorithm RSA, the data encryption algorithm 128-bit AES_CBC, and the MAC algorithm SHA.
rsa_aes_256_cbc_sha: Specifies the key exchange algorithm RSA, the data encryption algorithm 256-bit AES_CBC, and the MAC algorithm SHA.
rsa_des_cbc_sha: Specifies the key exchange algorithm RSA, the data encryption algorithm DES_CBC, and the MAC algorithm SHA.
rsa_rc4_128_md5: Specifies the key exchange algorithm RSA, the data encryption algorithm 128-bit RC4, and the MAC algorithm MD5.
rsa_rc4_128_sha: Specifies the key exchange algorithm RSA, the data encryption algorithm 128-bit RC4, and the MAC algorithm SHA.
Usage guidelines
SSL employs the following algorithms:
· Data encryption algorithms—Encrypt data to ensure privacy. Commonly used data encryption algorithms are usually symmetric key algorithms, such as DES_CBC, 3DES_EDE_CBC, AES_CBC, and RC4. When using a symmetric key algorithm, the SSL server and the SSL client must use the same key.
· Message Authentication Code (MAC) algorithms—Calculate the MAC value for data to ensure integrity. Commonly used MAC algorithms include MD5 and SHA. When using a MAC algorithm, the SSL server and the SSL client must use the same key.
· Key exchange algorithms—Implement secure exchange of the keys used by the symmetric key algorithm and the MAC algorithm. Commonly used key exchange algorithms are asymmetric key algorithms, such as RSA.
The SSL client sends its preferred cipher suite to the SSL server, and the server matches the received cipher suite against the cipher suites it supports. If a match is found, the cipher suite negotiation succeeds. Otherwise, the negotiation fails.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure the SSL client policy policy1 to prefer the cipher suite that uses the key exchange algorithm RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA.
<Sysname> system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1] prefer-cipher rsa_aes_128_cbc_sha
Related commands
· ciphersuite
· display ssl client-policy
server-verify enable
Use server-verify enable to enable the SSL client to use digital certificates to authenticate SSL servers.
Use undo server-verify enable to disable SSL server authentication.
Syntax
server-verify enable
undo server-verify enable
Default
The SSL client uses digital certificates to authenticate SSL servers.
Views
SSL client policy view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The SSL client and server use digital certificates to authenticate each other. For more information about digital certificates, see Security Configuration Guide.
If you execute the server-verify enable command, an SSL server must send its own digital certificate to the SSL client for authentication. The client can access the SSL server only after the server passes the authentication.
Examples
# Enable the SSL client to use digital certificates to authenticate SSL servers.
<Sysname> system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1] server-verify enable
Related commands
display ssl client-policy
session cachesize
Use session cachesize to set the maximum number of sessions that the SSL server can cache.
Use undo session cachesize to restore the default.
Syntax
session cachesize size
undo session cachesize
Default
The SSL server can cache a maximum of 500 sessions.
Views
SSL server policy view
Predefined user roles
network-admin
mdc-admin
Parameters
size: Specifies the maximum number of cached sessions, in the range of 100 to 1000.
Usage guidelines
The SSL handshake protocol follows a complicated procedure to negotiate session parameters and establish sessions. To simplify the procedure, SSL allows you to reuse negotiated session parameters to establish sessions. This feature requires that the SSL server maintain information about existing sessions.
This command limits the maximum number of sessions that the SSL server can cache. If the number of sessions in the cache reaches the maximum, SSL does not cache new sessions.
Examples
# Set the maximum number of cached sessions to 600.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] session cachesize 600
Related commands
display ssl server-policy
ssl client-policy
Use ssl client-policy to create an SSL client policy and enter SSL client policy view.
Use undo ssl client-policy to delete an SSL client policy.
Syntax
ssl client-policy policy-name
undo ssl client-policy policy-name
Default
No SSL client policies exist on the device.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
This command creates an SSL client policy for which you can configure SSL parameters that the client uses to establish a connection to the server. The parameters include a PKI domain and a preferred cipher suite. An SSL client policy takes effect only after it is associated with an application such as DDNS.
Examples
# Create SSL client policy policy1 and enter SSL client policy view.
<Sysname> system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1]
Related commands
display ssl client-policy
ssl server-policy
Use ssl server-policy to create an SSL server policy and enter SSL server policy view.
Use undo ssl server-policy to delete an SSL server policy.
Syntax
ssl server-policy policy-name
undo ssl server-policy policy-name
Default
No SSL server policies exist on the device.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
policy-name: Specifies a name for the SSL server policy, a case-insensitive string of 1 to 31 characters.
Usage guidelines
This command creates an SSL server policy for which you can configure SSL parameters such as a PKI domain and supported cipher suites. An SSL server policy takes effect only after it is associated with an application such as HTTPS.
Examples
# Create SSL server policy policy1 and enter SSL server policy view.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1]
Related commands
display ssl server-policy
ssl version ssl3.0 disable
Use ssl version ssl3.0 disable to disable SSL 3.0 on the device.
Use undo ssl version ssl3.0 disable to restore the default.
Syntax
ssl version ssl3.0 disable
undo ssl version ssl3.0 disable
Default
SSL 3.0 is enabled.
Views
System view
Predefined user roles
mdc-admin
Usage guidelines
Use this command to disable SSL 3.0 on a device to enhance system security.
· An SSL server supports only TLS 1.0 after SSL 3.0 is disabled.
· An SSL client always uses SSL 3.0 if SSL 3.0 is specified for the client policy, whether you disable SSL 3.0 or not.
To ensure successful establishment of an SSL connection, do not disable SSL 3.0 on a device when the peer device only supports SSL 3.0. As a best practice to improve security, upgrade the peer device to support TLS 1.0.
Examples
# Disable SSL 3.0 on the device.
<Sysname> system-view
[Sysname] ssl version ssl3.0 disable
version
Use version to specify an SSL version for an SSL client policy.
Use undo version to restore the default.
Syntax
In non-FIPS mode:
version { ssl3.0 | tls1.0 }
undo version
In FIPS mode:
version tls1.0
undo version
Default
The SSL protocol version for an SSL client policy is TLS 1.0.
Views
SSL client policy view
Predefined user roles
network-admin
mdc-admin
Parameters
ssl3.0: Specifies SSL 3.0.
tls1.0: Specifies TLS 1.0.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
You can specify SSL 3.0 or TLS 1.0 for an SSL client policy:
· If TLS 1.0 is specified and SSL 3.0 is not disabled, the client first uses TLS 1.0 to connect to the SSL server. If the connection attempt fails, the client uses SSL 3.0.
· If TLS 1.0 is specified and SSL 3.0 is disabled, the client only uses TLS 1.0 to connect to the SSL server.
· If SSL 3.0 is specified, the client uses SSL 3.0 to connect to the SSL server, whether you disable SSL 3.0 or not.
As a best practice to enhance system security, disable SSL 3.0 on the device and specify TLS 1.0 for an SSL client policy.
Examples
# Set the SSL version to TLS 1.0 for SSL client policy policy1.
<Sysname> system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1] version tls1.0
Related commands
display ssl client-policy
IPsec commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide).
ah authentication-algorithm
Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.
Use undo ah authentication-algorithm to remove all specified authentication algorithms for the AH protocol.
Syntax
In non-FIPS mode:
ah authentication-algorithm { md5 | sha1 } *
undo ah authentication-algorithm
In FIPS mode:
ah authentication-algorithm sha1
undo ah authentication-algorithm
Default
AH does not use any authentication algorithm.
Views
IPsec transform set view
Predefined user roles
network-admin
mdc-admin
Parameters
md5: Uses the HMAC-MD5 algorithm, which uses a 128-bit key.
sha1: Uses the HMAC-SHA1 algorithm, which uses a 160-bit key.
Usage guidelines
In non-FIPS mode, you can specify multiple AH authentication algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.
· For a manual IPsec policy, the first specified AH authentication algorithm takes effect. To make sure an IPsec tunnel can be established successfully, the IPsec transform sets specified at both ends of the tunnel must have the same first AH authentication algorithm.
· For an IKE-based IPsec policy, the initiator sends the first AH authentication algorithm specified in the IPsec transform set to the peer end during the negotiation phase, and the responder matches the received algorithm against all its local algorithms until a match is found. To ensure a successful IKE negotiation, the IPsec transform sets specified at both ends of the tunnel must have at least one same AH authentication algorithm.
Examples
# Create an IPsec transform set, and specify the AH authentication algorithm for the transform set as HMAC-SHA1.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] ah authentication-algorithm sha1
description
Use description to configure description for an IPsec policy.
Use undo description to restore the default.
Syntax
description text
undo description
Default
No description is defined.
Views
IPsec policy view
Predefined user roles
network-admin
mdc-admin
Parameters
text: Specifies the description content, a case-sensitive string of 1 to 80 characters.
Usage guidelines
If the system has multiple IPsec policies, you can use this command to configure different descriptions for them to distinguish them.
Examples
# Configure the description for IPsec policy 1 as CenterToA.
<Sysname> system-view
[Sysname] ipsec policy policy1 1 isakmp
[Sysname-ipsec-policy-isakmp-policy1-1] description CenterToA
display ipsec policy
Use display ipsec policy to display information about IPsec policies.
Syntax
display ipsec policy [ policy-name [ seq-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
policy: Displays information about IPv4 IPsec policies.
policy-name: Specifies an IPsec policy by its name, a case-insensitive string of 1 to 63 characters.
seq-number: Specifies an IPsec policy entry by its sequence number in the range of 1 to 65535.
Usage guidelines
· If you do not specify any parameters, this command displays information about all IPsec policies.
· If you specify an IPsec policy name and a sequence number, this command displays information about the specified IPsec policy entry. If you specify an IPsec policy name without any sequence number, this command displays information about all IPsec policy entries with the specified name.
Examples
# Display information about all IPv4 IPsec policies.
<Sysname> display ipsec policy
-------------------------------------------
IPsec Policy: mypolicy
Interface: Vlan-interface 1
-------------------------------------------
-----------------------------
Sequence number: 10
Mode: manual
-----------------------------
Security data flow: 3101
Remote address: 192.168.0.64
Transform set: tran1
Inbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Inbound ESP setting:
ESP SPI: 54321 (0x0000d431)
ESP string-key: ******
ESP encryption hex key:
ESP authentication hex key:
Outbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Outbound ESP setting:
ESP SPI: 12345 (0x00003039)
ESP string-key: ******
ESP encryption hex key:
ESP authentication hex key:
Table 24 Command output
Field | Description |
---|---|
IPsec Policy | IPsec policy name. |
Interface | Interface applied with the IPsec policy. |
Sequence number | Sequence number of the IPsec policy entry. |
Mode | Negotiation mode of the IPsec policy: · manual—Manual mode. · isakmp—IKE negotiation mode. |
The policy configuration is incomplete | IPsec policy configuration is incomplete. Possible causes include: · The ACL is not configured. · The IPsec transform set is not configured. · The ACL does not have any permit statements. · The IPsec transform set configuration is not complete. · The peer IP address of the IPsec tunnel is not specified. · The SPI and key of the IPsec SA do not match the IPsec policy. |
Description | Description of the IPsec policy. |
Security data flow | ACL referenced by the IPsec policy. |
Selector mode | Data flow protection mode of the IPsec policy: · standard · aggregation · per-host |
Local address | Local end IP address of the IPsec tunnel (only available for an IPsec policy that uses IKE negotiation). |
Remote address | Remote end IP address or host name of the IPsec tunnel. |
Transform set | Transform set referenced by the IPsec policy. |
IKE profile | IKE profile referenced by the IPsec policy. |
SA duration(time based) | Time-based IPsec SA lifetime, in seconds. |
SA duration(traffic based) | Traffic-based IPsec SA lifetime, in kilobytes. |
SA idle time | Idle expiration time of the IPsec SA, in seconds. |
AH string-key | AH string key (****** is displayed if the key is configured). |
AH authentication hex key | AH authentication hex key (****** is displayed if the key is configured). |
ESP string-key | ESP string key (****** is displayed if the key is configured). |
ESP encryption hex key | ESP encryption hex key (****** is displayed if the key is configured). |
ESP authentication hex key | ESP authentication hex key (****** is displayed if the key is configured). |
Related commands
ipsec policy
display ipsec sa
Use display ipsec sa to display information about IPsec SAs.
Syntax
display ipsec sa [ brief | count | interface interface-type interface-number | policy policy-name [ seq-number ] | remote ip-address ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
brief: Displays brief information about all IPsec SAs.
count: Displays the number of IPsec SAs.
interface interface-type interface-number: Specifies an interface by its type and number.
policy: Displays detailed information about IPsec SAs created by using a specific IPv4 IPsec policy.
policy-name: Specifies an IPsec policy by its name, a case-insensitive string of 1 to 63 characters.
seq-number: Specifies an IPsec policy by its sequence number. The value range is 1 to 65535.
remote ip-address: Specifies an IPsec SA by its remote end IP address.
Usage guidelines
If you do not specify any parameters, this command displays information about all IPsec SAs.
Examples
# Display brief information about IPsec SAs.
<Sysname> display ipsec sa brief
-----------------------------------------------------------------------
Interface/Global Dst Address SPI Protocol Status
-----------------------------------------------------------------------
Vlan-int1 192.168.0.64 12345 ESP active
Vlan-int1 192.168.0.61 54321 ESP active
Table 25 Command output
Field | Description |
---|---|
Interface/Global | Interface to which the IPsec SA belongs, or an indication that the IPsec SA is global. |
Dst Address | Remote end IP address of the IPsec tunnel. |
SPI | SPI of the IPsec SA. |
Protocol | Security protocol used by IPsec. |
Status | Stateful failover status of the IPsec SA: active or backup. In standalone mode, this field displays –. |
# Display the number of IPsec SAs.
<Sysname> display ipsec sa count
Total IPsec SAs count: 4
# Display information about all IPsec SAs.
<Sysname> display ipsec sa
-------------------------------
Interface: Vlan-interface1
-------------------------------
-----------------------------
IPsec policy: map1
Sequence number: 10
Mode: manual
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Path MTU: 1427
Tunnel:
local address: 192.168.0.61
remote address: 192.168.0.64
Flow:
as defined in ACL 3101
[Inbound ESP SA]
SPI: 54321 (0x0000d431)
Transform set: ESP-ENCRYPT-AES-CBC-192 ESP-AUTH-SHA1
No duration limit for this SA
[Outbound ESP SA]
SPI: 12345 (0x00003039)
Transform set: ESP-ENCRYPT-AES-CBC-192 ESP-AUTH-SHA1
No duration limit for this SA
Table 26 Command output
Field | Description |
---|---|
Interface | Interface to which the IPsec SA belongs. |
IPsec policy | Name of the IPsec policy in use. |
Sequence number | Sequence number of the IPsec policy entry. |
Mode | Negotiation mode used by the IPsec policy: · manual · isakmp |
Tunnel id | IPsec tunnel ID. |
Encapsulation mode | Encapsulation mode: transport or tunnel. |
Perfect Forward Secrecy | Perfect forward secrecy (PFS) used by the IPsec policy for negotiation: · 768-bit Diffie-Hellman group (dh-group1) · 1024-bit Diffie-Hellman group (dh-group2) · 1536-bit Diffie-Hellman group (dh-group5) · 2048-bit Diffie-Hellman group (dh-group14) · 2048-bit Diffie-Hellman group with 256-bit subgroup (dh-group24) |
Path MTU | Path MTU of the IPsec SA. |
Tunnel | Local and remote addresses of the IPsec tunnel. |
local address | Local end IP address of the IPsec tunnel. |
remote address | Remote end IP address of the IPsec tunnel. |
Flow | Information about the data flow protected by the IPsec tunnel. |
sour addr | Source IP address of the data flow. |
dest addr | Destination IP address of the data flow. |
port | Port number. |
protocol | Protocol type. |
SPI | SPI of the IPsec SA. |
Transform set | Security protocol and algorithms used by the IPsec transform set. |
SA duration (kilobytes/sec) | IPsec SA lifetime, in kilobytes or seconds. |
SA remaining duration (kilobytes/sec) | Remaining IPsec SA lifetime, in kilobytes or seconds. |
Max received sequence-number | Highest sequence number among the received packets. |
Max sent sequence-number | Highest sequence number among the sent packets. |
Anti-replay check enable | Whether anti-replay checking is enabled. |
UDP encapsulation used for NAT traversal | Whether the IPsec SA uses NAT traversal. |
Status | IPsec SA stateful failover status: active or backup. |
No duration limit for this SA | Manual IPsec SAs do not have a lifetime. |
Related commands
· ipsec sa global-duration
· reset ipsec sa
display ipsec statistics
Use display ipsec statistics to display IPsec packet statistics.
Syntax
display ipsec statistics [ tunnel-id tunnel-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID in the range of 0 to 4294967295. You can use the display ipsec tunnel brief command to view the IDs of established IPsec tunnels.
Usage guidelines
If you do not specify any parameters, this command displays statistics for all IPsec packets.
Examples
# Display statistics for all IPsec packets.
<Sysname> display ipsec statistics
IPsec packet statistics:
Received/sent packets: 47/64
Received/sent bytes: 3948/5208
Dropped packets (received/sent): 0/45
Dropped packets statistics
No available SA: 0
Wrong SA: 0
Invalid length: 0
Authentication failure: 0
Encapsulation failure: 0
Decapsulation failure: 0
Replayed packets: 0
ACL check failure: 45
MTU check failure: 0
Loopback limit exceeded: 0
# Display statistics for the packets of IPsec tunnel 1.
<Sysname> display ipsec statistics tunnel-id 1
IPsec packet statistics:
Received/sent packets: 5124/8231
Received/sent bytes: 52348/64356
Dropped packets (received/sent): 0/0
Dropped packets statistics
No available SA: 0
Wrong SA: 0
Invalid length: 0
Authentication failure: 0
Encapsulation failure: 0
Decapsulation failure: 0
Replayed packets: 0
ACL check failure: 0
MTU check failure: 0
Loopback limit exceeded: 0
Table 27 Command output
Field | Description |
---|---|
Received/sent packets | Number of received/sent IPsec-protected packets. |
Received/sent bytes | Number of bytes in received/sent IPsec-protected packets. |
Dropped packets (received/sent) | Number of dropped IPsec-protected packets (received/sent). |
No available SA | Number of packets dropped because no IPsec SA was available. |
Wrong SA | Number of packets dropped because of a wrong IPsec SA. |
Invalid length | Number of packets dropped because of an invalid packet length. |
Authentication failure | Number of packets dropped because authentication failed. |
Encapsulation failure | Number of packets dropped because encapsulation failed. |
Decapsulation failure | Number of packets dropped because decapsulation failed. |
Replayed packets | Number of packets dropped as replays. |
ACL check failure | Number of packets dropped because they failed the ACL check. |
MTU check failure | Number of packets dropped because they failed the MTU check. |
Loopback limit exceeded | Number of packets dropped because the loopback limit was exceeded. |
Related commands
reset ipsec statistics
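The drop counters in Table 27 are cumulative, so the useful monitoring signal is which reasons are non-zero and how much they grow between two polls. The following Python, added here and not part of the device software, parses output in the format shown above and reports exactly that; both snapshots are constructed to mirror the page's example.

```python
"""Parse `display ipsec statistics` output and flag drop counters.

Added example, not device code. Field names are those of Table 27; the two
snapshots are constructed samples modelled on the page's example output.
"""
import re

# Drop-reason counters listed under "Dropped packets statistics" (Table 27).
DROP_REASONS = (
    "No available SA", "Wrong SA", "Invalid length", "Authentication failure",
    "Encapsulation failure", "Decapsulation failure", "Replayed packets",
    "ACL check failure", "MTU check failure", "Loopback limit exceeded",
)

# "name: received/sent" pairs at the top of the output.
PAIR_RE = re.compile(r"^(Received/sent packets|Received/sent bytes|"
                     r"Dropped packets \(received/sent\)):\s*(\d+)/(\d+)$")
# "reason: count" lines under "Dropped packets statistics".
COUNTER_RE = re.compile(r"^([A-Za-z ]+):\s*(\d+)$")

# Constructed snapshot, modelled on the page's example (ACL check failures only).
SNAPSHOT_1 = """\
IPsec packet statistics:
  Received/sent packets: 47/64
  Received/sent bytes: 3948/5208
  Dropped packets (received/sent): 0/45
  Dropped packets statistics
    No available SA: 0
    Wrong SA: 0
    Invalid length: 0
    Authentication failure: 0
    Encapsulation failure: 0
    Decapsulation failure: 0
    Replayed packets: 0
    ACL check failure: 45
    MTU check failure: 0
    Loopback limit exceeded: 0
"""

# Constructed later snapshot from the same device: inbound drops have started.
SNAPSHOT_2 = """\
IPsec packet statistics:
  Received/sent packets: 910/980
  Received/sent bytes: 76440/82320
  Dropped packets (received/sent): 23/45
  Dropped packets statistics
    No available SA: 0
    Wrong SA: 0
    Invalid length: 0
    Authentication failure: 3
    Encapsulation failure: 0
    Decapsulation failure: 0
    Replayed packets: 20
    ACL check failure: 45
    MTU check failure: 0
    Loopback limit exceeded: 0
"""

# Which command on this page relates to each counter worth a second look.
HINTS = {
    "Replayed packets": "anti-replay drops; see ipsec anti-replay check / window",
    "ACL check failure": "inner packets outside the policy ACL; see ipsec decrypt-check enable",
    "Authentication failure": "AH/ESP integrity check failed; see ipsec logging packet enable for per-packet logs",
}


def parse_ipsec_statistics(text):
    """Return a dict: pair fields -> (received, sent), drop reasons -> int."""
    stats = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = PAIR_RE.match(line)
        if m:
            stats[m.group(1)] = (int(m.group(2)), int(m.group(3)))
            continue
        m = COUNTER_RE.match(line)
        if m and m.group(1) in DROP_REASONS:
            stats[m.group(1)] = int(m.group(2))
    return stats


def nonzero_drops(stats):
    """Drop reasons with a non-zero cumulative count."""
    return {k: v for k, v in stats.items() if k in DROP_REASONS and v > 0}


def drop_deltas(old, new):
    """Per-reason increase between two polls; only reasons that grew are returned."""
    return {k: new.get(k, 0) - old.get(k, 0)
            for k in DROP_REASONS if new.get(k, 0) > old.get(k, 0)}


def report(old, new):
    """Human-readable lines for counters that grew, with the page's related command."""
    return [f"{k}: +{v} ({HINTS.get(k, 'see Table 27')})"
            for k, v in drop_deltas(old, new).items()]


if __name__ == "__main__":
    s1, s2 = parse_ipsec_statistics(SNAPSHOT_1), parse_ipsec_statistics(SNAPSHOT_2)
    print("non-zero at first poll:", nonzero_drops(s1))
    for line in report(s1, s2):
        print(line)
```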
display ipsec transform-set
Use display ipsec transform-set to display information about IPsec transform sets.
Syntax
display ipsec transform-set [ transform-set-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
transform-set-name: Specifies an IPsec transform set by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
If you do not specify an IPsec transform set, this command displays information about all IPsec transform sets.
Examples
# Display information about all IPsec transform sets.
<Sysname> display ipsec transform-set
IPsec transform set: mytransform
State: incomplete
Encapsulation mode: tunnel
Transform: ESP
IPsec transform set: completeTransform
State: complete
Encapsulation mode: transport
Transform: AH-ESP
AH protocol:
Integrity: SHA1
ESP protocol:
Integrity: SHA1
Encryption: AES-CBC-128
Table 28 Command output
Field | Description |
---|---|
IPsec transform set | Name of the IPsec transform set. |
State | Whether the IPsec transform set is complete. |
Encapsulation mode | Encapsulation mode used by the IPsec transform set: transport or tunnel. |
Transform | Security protocols used by the IPsec transform set: AH, ESP, or both. If both protocols are configured, IPsec uses ESP before AH. |
AH protocol | AH settings. |
ESP protocol | ESP settings. |
Integrity | Authentication algorithm used by the security protocol. |
Encryption | Encryption algorithm used by the security protocol. |
Related commands
ipsec transform-set
display ipsec tunnel
Use display ipsec tunnel to display information about IPsec tunnels.
Syntax
display ipsec tunnel { brief | count | tunnel-id tunnel-id }
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
brief: Displays brief information about IPsec tunnels.
count: Displays the number of IPsec tunnels.
tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID in the range of 0 to 4294967295.
Usage guidelines
IPsec transmits data in a secure channel established between two endpoints (such as two security gateways). Such a secure channel is usually called an IPsec tunnel.
Examples
# Display brief information about all IPsec tunnels.
<Sysname> display ipsec tunnel brief
----------------------------------------------------------------------------
Tunn-id Src Address Dst Address Inbound SPI Outbound SPI Status
----------------------------------------------------------------------------
0 192.168.0.61 192.168.0.64 54321 12345 active
Table 29 Command output
Field | Description |
---|---|
Src Address | Source IP address of the IPsec tunnel. |
Dst Address | Destination IP address of the IPsec tunnel. |
Inbound SPI | Valid SPI in the inbound direction of the IPsec tunnel. If the tunnel uses two security protocols, the two inbound SPIs are displayed on two lines. |
Outbound SPI | Valid SPI in the outbound direction of the IPsec tunnel. If the tunnel uses two security protocols, the two outbound SPIs are displayed on two lines. |
Status | Stateful failover status of the IPsec SA: active or backup. This field displays active. |
# Display the number of IPsec tunnels.
<Sysname> display ipsec tunnel count
Total IPsec Tunnel Count: 2
# Display information about all IPsec tunnels.
<Sysname> display ipsec tunnel
Tunnel ID: 0
Status: active
Perfect forward secrecy:
SA's SPI:
outbound: 2000 (0x000007d0) [AH]
inbound: 1000 (0x000003e8) [AH]
outbound: 4000 (0x00000fa0) [ESP]
inbound: 3000 (0x00000bb8) [ESP]
Tunnel:
local address:
remote address:
Flow:
Tunnel ID: 1
Status: active
Perfect forward secrecy:
SA's SPI:
outbound: 6000 (0x00001770) [AH]
inbound: 5000 (0x00001388) [AH]
outbound: 8000 (0x00001f40) [ESP]
inbound: 7000 (0x00001b58) [ESP]
Tunnel:
local address: 1.2.3.1
remote address: 2.2.2.2
Flow:
as defined in ACL 3100
# Display information about IPsec tunnel 1.
<Sysname> display ipsec tunnel tunnel-id 1
Tunnel ID: 1
Status: active
Perfect forward secrecy:
SA's SPI:
outbound: 6000 (0x00001770) [AH]
inbound: 5000 (0x00001388) [AH]
outbound: 8000 (0x00001f40) [ESP]
inbound: 7000 (0x00001b58) [ESP]
Tunnel:
local address: 1.2.3.1
remote address: 2.2.2.2
Flow:
as defined in ACL 3100
Table 30 Command output
Field | Description |
---|---|
Tunnel ID | IPsec tunnel ID, which uniquely identifies an IPsec tunnel. |
Status | IPsec tunnel status. Only active is available. |
Perfect Forward Secrecy | Perfect forward secrecy (PFS) used by the IPsec policy for negotiation: · 768-bit Diffie-Hellman group (dh-group1) · 1024-bit Diffie-Hellman group (dh-group2) · 1536-bit Diffie-Hellman group (dh-group5) · 2048-bit Diffie-Hellman group (dh-group14) · 2048-bit Diffie-Hellman group with 256-bit subgroup (dh-group24) |
SA's SPI | SPIs of the inbound and outbound SAs. |
Tunnel | Local and remote addresses of the IPsec tunnel. |
local address | Local end IP address of the IPsec tunnel. |
remote address | Remote end IP address of the IPsec tunnel. |
Flow | Information about the data flow protected by the IPsec tunnel, including source IP address, destination IP address, source port, destination port, and protocol. |
as defined in ACL 3001 | Range of data flows protected by a manually established IPsec tunnel. This line shows that the IPsec tunnel protects all data flows defined by ACL 3001. |
encapsulation-mode
Use encapsulation-mode to set the encapsulation mode that the security protocol uses to encapsulate IP packets.
Use undo encapsulation-mode to restore the default.
Syntax
encapsulation-mode { transport | tunnel }
undo encapsulation-mode
Default
IP packets are encapsulated in tunnel mode.
Views
IPsec transform set view
Predefined user roles
network-admin
mdc-admin
Parameters
transport: Uses the transport mode for IP packet encapsulation.
tunnel: Uses the tunnel mode for IP packet encapsulation.
Usage guidelines
IPsec supports the following encapsulation modes:
· Transport mode—The security protocols protect the upper layer data of an IP packet. Only the transport layer data is used to calculate the security protocol headers. The calculated security protocol headers and the encrypted data (only for ESP encapsulation) are placed after the original IP header. You can use the transport mode when end-to-end security protection is required (the secured transmission start and end points are the actual start and end points of the data). The transport mode is typically used for protecting host-to-host communications.
· Tunnel mode—The security protocols protect the entire IP packet. The entire IP packet is used to calculate the security protocol headers. The calculated security protocol headers and the encrypted data (only for ESP encapsulation) are encapsulated in a new IP packet. In this mode, the encapsulated packet has two IP headers. The inner IP header is the original IP header. The outer IP header is added by the network device that provides the IPsec service. You must use the tunnel mode when the secured transmission start and end points are not the actual start and end points of the data packets (for example, when two gateways provide IPsec but the data start and end points are two hosts behind the gateways). The tunnel mode is typically used for protecting gateway-to-gateway communications.
The IPsec transform sets at both ends of the IPsec tunnel must have the same encapsulation mode.
Examples
# Configure the IPsec transform set tran1 to use the transport mode for IP packet encapsulation.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] encapsulation-mode transport
Related commands
ipsec transform-set
esp authentication-algorithm
Use esp authentication-algorithm to specify an authentication algorithm for ESP.
Use undo esp authentication-algorithm to remove all authentication algorithms specified for ESP.
Syntax
In non-FIPS mode:
esp authentication-algorithm { md5 | sha1 } *
undo esp authentication-algorithm
In FIPS mode:
esp authentication-algorithm sha1
undo esp authentication-algorithm
Default
ESP does not use any authentication algorithms.
Views
IPsec transform set view
Predefined user roles
network-admin
mdc-admin
Parameters
md5: Uses the HMAC-MD5 algorithm, which uses a 128-bit key.
sha1: Uses the HMAC-SHA1 algorithm, which uses a 160-bit key.
Usage guidelines
In non-FIPS mode, you can specify multiple ESP authentication algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.
· For a manual IPsec policy, the first specified ESP authentication algorithm takes effect. To make sure an IPsec tunnel can be established successfully, the IPsec transform sets specified at both ends of the tunnel must have the same first ESP authentication algorithm.
· For an IKE-based IPsec policy, the initiator sends the first ESP authentication algorithm specified in the IPsec transform set to the peer end during the negotiation phase, and the responder matches the received algorithm against its local algorithms starting from the first one until a match is found. To ensure a successful IKE negotiation, the IPsec transform sets specified at both ends of the tunnel must have at least one same ESP authentication algorithm.
Examples
# Configure the IPsec transform set tran1 to use HMAC-SHA1 algorithm as the ESP authentication algorithm.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] esp authentication-algorithm sha1
Related commands
ipsec transform-set
esp encryption-algorithm
Use esp encryption-algorithm to specify encryption algorithms for ESP.
Use undo esp encryption-algorithm to remove all encryption algorithms specified for ESP.
Syntax
In non-FIPS mode:
esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null } *
undo esp encryption-algorithm
In FIPS mode:
esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }*
undo esp encryption-algorithm
Default
ESP does not use any encryption algorithms.
Views
IPsec transform set view
Predefined user roles
network-admin
mdc-admin
Parameters
3des-cbc: Uses the 3DES algorithm in CBC mode, which uses a 168-bit key.
aes-cbc-128: Uses the AES algorithm in CBC mode, which uses a 128-bit key.
aes-cbc-192: Uses the AES algorithm in CBC mode, which uses a 192-bit key.
aes-cbc-256: Uses the AES algorithm in CBC mode, which uses a 256-bit key.
des-cbc: Uses the DES algorithm in CBC mode, which uses a 64-bit key.
null: Uses the NULL algorithm, which means encryption is not performed.
Usage guidelines
You can specify multiple ESP encryption algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.
· For a manual IPsec policy, the first specified ESP encryption algorithm takes effect. To make sure an IPsec tunnel can be established successfully, the IPsec transform sets specified at both ends of the tunnel must have the same first ESP encryption algorithm.
· For an IKE-based IPsec policy, the initiator sends the first ESP encryption algorithm specified in the IPsec transform set to the peer end during the negotiation phase, and the responder matches the received algorithm against its local algorithms starting from the first one until a match is found. To ensure a successful IKE negotiation, the IPsec transform sets specified at both ends of the tunnel must have at least one same ESP encryption algorithm.
Examples
# Configure the IPsec transform set tran1 to use aes-cbc-128 as the ESP encryption algorithm.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
Related commands
ipsec transform-set
ike-profile
Use ike-profile to specify an IKE profile for an IPsec policy.
Use undo ike-profile to remove the configuration.
Syntax
ike-profile profile-name
undo ike-profile
Default
An IPsec policy does not reference any IKE profile, and the device selects an IKE profile configured in system view for negotiation. If no IKE profile is configured, the globally configured IKE settings are used.
Views
IPsec policy view
Predefined user roles
network-admin
mdc-admin
Parameters
profile-name: Specifies an IKE profile by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
The IKE profile referenced by an IPsec policy defines the parameters used for IKE negotiation.
An IPsec policy can reference only one IKE profile, and it cannot reference an IKE profile that is already referenced by another IPsec policy.
Examples
# Specify IPsec policy policy1 to reference IKE profile profile1.
<Sysname> system-view
[Sysname] ipsec policy policy1 10 isakmp
[Sysname-ipsec-policy-isakmp-policy1-10] ike-profile profile1
Related commands
ike profile
ipsec anti-replay check
Use ipsec anti-replay check to enable IPsec anti-replay checking.
Use undo ipsec anti-replay check to disable IPsec anti-replay checking.
Syntax
ipsec anti-replay check
undo ipsec anti-replay check
Default
IPsec anti-replay checking is enabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
IPsec de-encapsulation is computationally expensive. De-encapsulating replayed packets is unnecessary, consumes large amounts of resources, and degrades performance, resulting in DoS. When IPsec anti-replay checking is enabled, it is performed before de-encapsulation, so replayed packets are dropped before they consume those resources.
In some situations, service data packets are received in a different order than their original order. The IPsec anti-replay feature drops them as replayed packets, which impacts communications. If this happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required.
IPsec anti-replay checking does not affect manually created IPsec SAs. According to the IPsec protocol, only IPsec SAs negotiated by IKE support anti-replay checking.
Examples
# Enable IPsec anti-replay checking.
<Sysname> system-view
[Sysname] ipsec anti-replay check
Related commands
ipsec anti-replay window
ipsec anti-replay window
Use ipsec anti-replay window to set the anti-replay window size.
Use undo ipsec anti-replay window to restore the default.
Syntax
ipsec anti-replay window width
undo ipsec anti-replay window
Default
The anti-replay window size is 64.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
width: Specifies the size for the anti-replay window. It can be 64, 128, 256, 512, or 1024 packets.
Usage guidelines
Changing the anti-replay window size affects only the IPsec SAs negotiated later.
In some cases, some service data packets might be received in a very different order than their original order, and the IPsec anti-replay feature might drop them as replayed packets, affecting normal communications. If this happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required.
Examples
# Set the size of the anti-replay window to 128.
<Sysname> system-view
[Sysname] ipsec anti-replay window 128
Related commands
ipsec anti-replay check
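Both anti-replay commands above describe one mechanism: a sliding window of 64 to 1024 packets over ESP sequence numbers, in which a late packet inside the window is accepted once and anything already seen or older than the window is dropped. The following Python model, added here and not the device's implementation, shows why the page advises widening the window when packets arrive heavily reordered; the sequence-number streams are constructed.

```python
"""Model of the IPsec anti-replay sliding window (RFC 4303 style).

Added example, not device code. It uses the widths accepted by
`ipsec anti-replay window` (64, 128, 256, 512, 1024) and the page's default
of 64. All packet streams below are constructed.
"""

VALID_WIDTHS = (64, 128, 256, 512, 1024)   # widths the command accepts


class AntiReplayWindow:
    """Tracks the highest sequence number accepted so far plus a bitmap of the
    `width` most recent sequence numbers. Late-but-unseen packets inside the
    window are accepted; duplicates and packets older than the window drop."""

    def __init__(self, width=64):
        if width not in VALID_WIDTHS:
            raise ValueError(f"window width must be one of {VALID_WIDTHS}")
        self.width = width
        self.top = 0                   # highest sequence number accepted
        self.bitmap = 0                # bit i set <=> seq (top - i) was seen
        self.mask = (1 << width) - 1   # keeps the bitmap to `width` bits

    def check(self, seq):
        """Return True to accept (and record) seq, False to drop it."""
        if seq <= 0:
            return False               # ESP sequence numbers start at 1
        if seq > self.top:
            # New high-water mark: slide the window forward by the gap.
            shift = seq - self.top
            if shift >= self.width:
                self.bitmap = 1        # everything earlier has aged out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
            return True
        age = self.top - seq
        if age >= self.width:
            return False               # older than the window: drop
        bit = 1 << age
        if self.bitmap & bit:
            return False               # already seen: replay, drop
        self.bitmap |= bit             # late but new: accept once
        return True


def simulate(width, seqs):
    """Run a sequence-number stream through one window of the given width.
    Returns (accepted, dropped) in arrival order."""
    win = AntiReplayWindow(width)
    accepted, dropped = [], []
    for s in seqs:
        (accepted if win.check(s) else dropped).append(s)
    return accepted, dropped


# Constructed stream: mild reordering (5 before 4) plus one replayed packet (3).
MILD = [1, 2, 3, 5, 4, 3, 70]
# Constructed stream: a legitimate packet (30) arrives 70 positions late.
SEVERE = [1, 100, 30]

if __name__ == "__main__":
    print(simulate(64, MILD))      # ([1, 2, 3, 5, 4, 70], [3])
    print(simulate(64, SEVERE))    # ([1, 100], [30])  dropped as too old
    print(simulate(128, SEVERE))   # ([1, 100, 30], [])  wider window keeps it
```

The default width drops the late packet in SEVERE as if it were a replay, which is the communication impact the usage guidelines describe; width 128 accepts it, while the duplicate in MILD is still caught at any width.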
ipsec apply policy
Use ipsec apply policy to apply an IPsec policy to an interface.
Use undo ipsec apply policy to remove the application.
Syntax
ipsec apply policy policy-name
undo ipsec apply policy
Default
No IPsec policy is applied to an interface.
Views
Interface view
Predefined user roles
network-admin
mdc-admin
Parameters
policy-name: Specifies the name of an IPv4 IPsec policy, a case-insensitive string of 1 to 63 characters.
Usage guidelines
You can apply only one IPsec policy on an interface. To apply a new IPsec policy to the interface, you must first remove the IPsec policy that is already applied to the interface.
An IKE-based IPsec policy can be applied to multiple interfaces. As a best practice, apply an IKE-based IPsec policy to only one interface. A manual IPsec policy can be applied to only one interface.
Examples
# Apply the IPsec policy policy1 to interface VLAN-interface 2.
<Sysname> system-view
[Sysname] interface Vlan-interface 2
[Sysname-Vlan-interface2] ipsec apply policy policy1
Related commands
· display ipsec policy
· ipsec policy
ipsec decrypt-check enable
Use ipsec decrypt-check enable to enable ACL checking for de-encapsulated IPsec packets.
Use undo ipsec decrypt-check enable to disable ACL checking for de-encapsulated IPsec packets.
Syntax
ipsec decrypt-check enable
undo ipsec decrypt-check enable
Default
ACL checking for de-encapsulated IPsec packets is enabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
In tunnel mode, the IP packet carried inside an inbound IPsec packet might not be covered by the ACL specified in the IPsec policy. After de-encapsulation, such packets can threaten network security. In this scenario, you can enable ACL checking for de-encapsulated IPsec packets. All packets that fail the check are discarded, improving network security.
Examples
# Enable ACL checking for de-encapsulated IPsec packets.
<Sysname> system-view
[Sysname] ipsec decrypt-check enable
ipsec logging packet enable
Use ipsec logging packet enable to enable logging for IPsec packets.
Use undo ipsec logging packet enable to disable logging for IPsec packets.
Syntax
ipsec logging packet enable
undo ipsec logging packet enable
Default
Logging for IPsec packets is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
After logging for IPsec packets is enabled, the device outputs a log when an IPsec packet is discarded due to, for example, lack of inbound SA, AH/ESP authentication failure, or ESP encryption failure. A log contains the source and destination IP addresses, SPI, and sequence number of the packet, and the reason it was discarded.
Examples
# Enable logging for IPsec packets.
<Sysname> system-view
[Sysname] ipsec logging packet enable
ipsec df-bit
Use ipsec df-bit to set the DF bit for outer IP headers of encapsulated IPsec packets on an interface.
Use undo ipsec df-bit to restore the default.
Syntax
ipsec df-bit { clear | copy | set }
undo ipsec df-bit
Default
No DF bit setting is configured for outer IP headers of encapsulated IPsec packets on an interface; the global DF bit setting is used.
Views
Interface view
Predefined user roles
network-admin
mdc-admin
Parameters
clear: Clears the DF bit for outer IP headers. In this case, the encapsulated IPsec packets can be fragmented.
copy: Copies the DF bit of the original IP headers to the outer IP headers.
set: Sets the DF bit for outer IP headers. In this case, the encapsulated IPsec packets cannot be fragmented.
Usage guidelines
This command is effective only when the IPsec encapsulation mode is tunnel mode. It is not effective in transport mode because outer IP headers are not added in transport mode.
This command does not change the DF bit for the original IP headers of encapsulated packets.
If multiple interfaces have referenced an IPsec policy that is bound to a source interface, you must use the same DF bit setting on these interfaces.
Examples
# Set the DF bit for outer IP headers of encapsulated IPsec packets on VLAN-interface 1.
<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ipsec df-bit set
Related commands
ipsec global-df-bit
ipsec global-df-bit
Use ipsec global-df-bit to set the DF bit for outer IP headers of encapsulated IPsec packets on all interfaces.
Use undo ipsec global-df-bit to restore the default.
Syntax
ipsec global-df-bit { clear | copy | set }
undo ipsec global-df-bit
Default
The DF bit of original IP headers is copied to the outer IP headers for encapsulated IPsec packets.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
clear: Clears the DF bit for outer IP headers. In this case, the encapsulated IPsec packets can be fragmented.
copy: Copies the DF bit of the original IP headers to the outer IP headers.
set: Sets the DF bit for outer IP headers. In this case, the encapsulated IPsec packets cannot be fragmented.
Usage guidelines
This command is effective only when the IPsec encapsulation mode is tunnel mode. It is not effective in transport mode because outer IP headers are not added in transport mode.
This command does not change the DF bit for the original IP headers of encapsulated packets.
Examples
# Set the DF bit for outer IP headers of encapsulated IPsec packets on all interfaces.
<Sysname> system-view
[Sysname] ipsec global-df-bit set
Related commands
ipsec df-bit
ipsec policy
Use ipsec policy to create an IPsec policy entry, and enter IPsec policy view.
Use undo ipsec policy to delete the specified IPsec policy.
Syntax
ipsec policy policy-name seq-number [ isakmp | manual ]
undo ipsec policy policy-name [ seq-number ]
Default
No IPsec policy is created.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
policy: Specifies an IPv4 IPsec policy.
policy-name: Specifies a name for the IPsec policy, a case-insensitive string of 1 to 63 characters.
seq-number: Specifies a sequence number for the IPsec policy, in the range of 1 to 65535.
isakmp: Establishes IPsec SAs through IKE negotiation.
manual: Establishes IPsec SAs manually.
Usage guidelines
· When you create an IPsec policy, you must specify the SA setup mode (isakmp or manual). When you enter the view of an existing IPsec policy, you do not need to specify the SA setup mode.
· You cannot change the SA setup mode of an existing IPsec policy.
· An IPsec policy is a set of IPsec policy entries that have the same name but different sequence numbers. In the same IPsec policy, an IPsec policy entry with a smaller sequence number has a higher priority.
· With the seq-number argument specified, the undo command deletes the specified IPsec policy entry. Without this argument, the undo command deletes all entries of the specified IPsec policy.
Examples
# Create an IPsec policy entry, and specify the IPsec policy name as policy1, the sequence number as 100, and the IPsec SA setup mode as IKE, and enter the IPsec policy view.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100]
# Create an IPsec policy entry, and specify the IPsec policy name as policy1, the sequence number as 101, and the IPsec SA setup mode as manual, and enter the IPsec policy view.
<Sysname> system-view
[Sysname] ipsec policy policy1 101 manual
[Sysname-ipsec-policy-manual-policy1-101]
Related commands
· display ipsec policy
· ipsec apply policy
ipsec policy local-address
Use ipsec policy local-address to bind an IPsec policy to a source interface.
Use undo ipsec policy local-address to remove the binding between an IPsec policy and its source interface.
Syntax
ipsec policy policy-name local-address interface-type interface-number
undo ipsec policy policy-name local-address
Default
No IPsec policy is bound to a source interface.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
policy: Specifies an IPv4 IPsec policy.
policy-name: Name of an IPsec policy, a case-insensitive string of 1 to 63 characters.
local-address interface-type interface-number: Specifies the shared source interface by its type and number.
Usage guidelines
For high availability, two interfaces might operate in backup or load sharing mode. After an IPsec policy is applied to the two interfaces, they negotiate with their peers to establish IPsec SAs respectively. When one interface fails and a link failover occurs, the other interface needs to take some time to re-negotiate SAs, resulting in service interruption.
To solve these problems, bind a source interface to an IPsec policy and apply the policy to both interfaces. This enables the two physical interfaces to use the same source interface to negotiate IPsec SAs. As long as the source interface is up, the negotiated IPsec SAs will not be removed and will keep working, regardless of link failover.
After an IPsec policy is applied to a service interface and IPsec SAs have been established, if you bind the IPsec policy to a source interface, the existing IPsec SAs are deleted.
Only the IKE-based IPsec policies can be bound to a source interface.
An IPsec policy can be bound to only one source interface. To bind an IPsec policy to another source interface, you must first remove the current binding.
A source interface can be bound to multiple IPsec policies.
As a best practice, use a stable interface, such as a Loopback interface, as a source interface.
Examples
# Bind the IPsec policy map to source interface Loopback 11.
<Sysname> system-view
[Sysname] ipsec policy map local-address loopback 11
Related commands
ipsec policy
ipsec sa global-duration
Use ipsec sa global-duration to configure the global IPsec SA lifetime.
Use undo ipsec sa global-duration to restore the default.
Syntax
ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
undo ipsec sa global-duration { time-based | traffic-based }
Default
The time-based global lifetime is 3600 seconds, and the traffic-based global lifetime is 1843200 kilobytes.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
time-based seconds: Specifies the time-based global lifetime for IPsec SAs, in the range of 180 to 604800 seconds.
traffic-based kilobytes: Specifies the traffic-based global lifetime for IPsec SAs, in the range of 2560 to 4294967295 kilobytes. When traffic on an SA reaches this value, the SA expires.
Usage guidelines
You can also configure IPsec SA lifetimes in IPsec policy view. The device prefers the IPsec SA lifetimes configured in IPsec policy view over the global IPsec SA lifetimes.
When IKE negotiates IPsec SAs, it uses the local lifetime settings or those proposed by the peer, whichever are smaller.
An IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires when either lifetime expires. Before the IPsec SA expires, IKE negotiates a new IPsec SA, which takes over immediately after its creation.
Examples
# Configure the global IPsec SA lifetime as 7200 seconds.
<Sysname> system-view
[Sysname] ipsec sa global-duration time-based 7200
# Configure the global IPsec SA lifetime as 10240 kilobytes.
[Sysname] ipsec sa global-duration traffic-based 10240
Related commands
· display ipsec sa
· sa duration
ipsec sa idle-time
Use ipsec sa idle-time to enable the global IPsec SA idle timeout feature and set the idle timeout. If no traffic matches an IPsec SA within the idle timeout interval, the IPsec SA is deleted.
Use undo ipsec sa idle-time to restore the default.
Syntax
ipsec sa idle-time seconds
undo ipsec sa idle-time
Default
The global IPsec SA idle timeout feature is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
seconds: Specifies the IPsec SA idle timeout in the range of 60 to 86400 seconds.
Usage guidelines
This feature applies only to IPsec SAs negotiated by IKE.
The IPsec SA idle timeout can also be configured in IPsec policy view, which takes precedence over the global IPsec SA timeout.
Examples
# Set the IPsec SA idle timeout to 600 seconds.
<Sysname> system-view
[Sysname] ipsec sa idle-time 600
Related commands
· display ipsec sa
· sa idle-time
ipsec transform-set
Use ipsec transform-set to create an IPsec transform set and enter IPsec transform set view.
Use undo ipsec transform-set to delete an IPsec transform set.
Syntax
ipsec transform-set transform-set-name
undo ipsec transform-set transform-set-name
Default
No IPsec transform set exists.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
transform-set-name: Specifies a name for the IPsec transform set, a case-insensitive string of 1 to 63 characters.
Usage guidelines
An IPsec transform set, part of an IPsec policy, defines the security parameters for IPsec SA negotiation, including the security protocol, encryption algorithms, and authentication algorithms.
Examples
# Create an IPsec transform set named tran1 and enter its view.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-transform-set-tran1]
Related commands
display ipsec transform-set
local-address
Use local-address to configure the local IP address for the IPsec tunnel.
Use undo local-address to restore the default.
Syntax
local-address ipv4-address
undo local-address
Default
The primary IPv4 address of the interface to which the IPsec policy is applied is used as the local IPv4 address.
Views
IPsec policy view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-address: Specifies the local IPv4 address for the IPsec tunnel.
Usage guidelines
The remote IP address on the IKE negotiation initiator must be the same as the local address on the IKE negotiation responder.
Examples
# Configure the local address 1.1.1.1 for the IPsec tunnel.
<Sysname> system-view
[Sysname] ipsec policy map 1 isakmp
[Sysname-ipsec-policy-isakmp-map-1] local-address 1.1.1.1
Related commands
remote-address
pfs
Use pfs to enable the perfect forward secrecy (PFS) feature for an IPsec transform set, used for IKE negotiation.
Use undo pfs to restore the default.
Syntax
In non-FIPS mode:
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 }
undo pfs
In FIPS mode:
pfs dh-group14
undo pfs
Default
The PFS feature is disabled for the IPsec transform set.
Views
IPsec transform set view
Predefined user roles
network-admin
mdc-admin
Parameters
dh-group1: Uses 768-bit Diffie-Hellman group.
dh-group2: Uses 1024-bit Diffie-Hellman group.
dh-group5: Uses 1536-bit Diffie-Hellman group.
dh-group14: Uses 2048-bit Diffie-Hellman group.
dh-group24: Uses 2048-bit and 256-bit subgroup Diffie-Hellman group.
Usage guidelines
In terms of security and necessary calculation time, the following groups are in descending order: 2048-bit and 256-bit subgroup Diffie-Hellman group (dh-group24), 2048-bit Diffie-Hellman group (dh-group14), 1536-bit Diffie-Hellman group (dh-group5), 1024-bit Diffie-Hellman group (dh-group2), and 768-bit Diffie-Hellman group (dh-group1).
The security level of the Diffie-Hellman group of the initiator must be higher than or equal to that of the responder.
The end without the PFS feature performs IKE negotiation according to the PFS requirements of the peer end.
Examples
# Enable PFS using 2048-bit Diffie-Hellman group for IPsec transform set tran1.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] pfs dh-group14
protocol
Use protocol to specify a security protocol for an IPsec transform set.
Use undo protocol to restore the default.
Syntax
protocol { ah | ah-esp | esp }
undo protocol
Default
The IPsec transform set uses the ESP protocol.
Views
IPsec transform set view
Predefined user roles
network-admin
mdc-admin
Parameters
ah: Specifies the AH protocol.
ah-esp: Specifies using the ESP protocol first and then using the AH protocol.
esp: Specifies the ESP protocol.
Usage guidelines
The two tunnel ends must use the same security protocol in the IPsec transform set.
Examples
# Specify the AH protocol for the IPsec transform set.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] protocol ah
qos pre-classify
Use qos pre-classify to enable the QoS pre-classify feature.
Use undo qos pre-classify to restore the default.
Syntax
qos pre-classify
undo qos pre-classify
Default
The QoS pre-classify feature is disabled. QoS uses the new IP header of IPsec packets to perform traffic classification.
Views
IPsec policy view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The QoS pre-classify feature enables QoS to classify packets by using the IP header of the original IP packets.
Examples
# Enable the QoS pre-classify feature.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] qos pre-classify
remote-address
Use remote-address to configure the remote IP address for the IPsec tunnel.
Use undo remote-address to restore the default.
Syntax
remote-address { host-name | ipv4-address }
undo remote-address { host-name | ipv4-address }
Default
No remote IP address is specified for the IPsec tunnel.
Views
IPsec policy view
Predefined user roles
network-admin
mdc-admin
Parameters
host-name: Specifies the remote host name, a case-insensitive string of 1 to 253 characters. The host name can be resolved to an IP address by the DNS server.
ipv4-address: Specifies a remote IPv4 address.
Usage guidelines
This remote IP address configuration is required on the IKE negotiation initiator and optional on the responder.
A manual IPsec policy does not support DNS. Therefore, you must specify a remote IP address rather than a remote host name for the manual IPsec policy.
If you configure a remote host name, the following scenarios apply:
· If the host name is resolved by the DNS server, the local end sends a request to the DNS server to obtain the latest IP address corresponding to the host name when the domain name resolution period expires. The resolution period is defined by the DNS server and restarts after the local end obtains the latest IP address of the host.
· If the host name is resolved by the ip host command and you change the IP address of the remote host, you must reconfigure the remote host name in the IPsec policy by using the remote-address command. Otherwise, the local end cannot obtain the latest IP address of the remote host.
For example, the local end has a static domain name resolution entry, which maps the host name test to the IP address 1.1.1.1. Configure the following commands:
# Configure the remote host name to test for the IPsec tunnel in the IPsec policy policy1.
[Sysname] ipsec policy policy1 1 isakmp
[Sysname-ipsec-policy-isakmp-policy1-1] remote-address test
# Change the IP address for the host test to 2.2.2.2.
[Sysname] ip host test 2.2.2.2
In this case, you must reconfigure the remote host name for the IPsec policy policy1 so that the local end can obtain the latest IP address of the remote host.
# Reconfigure the remote host name to test for the IPsec tunnel in the IPsec policy policy1.
[Sysname] ipsec policy policy1 1 isakmp
[Sysname-ipsec-policy-isakmp-policy1-1] remote-address test
Examples
# Specify the remote IP address 10.1.1.2 for the IPsec tunnel.
<Sysname> system-view
[Sysname] ipsec policy policy1 10 manual
[Sysname-ipsec-policy-manual-policy1-10] remote-address 10.1.1.2
Related commands
· ip host (see Layer 3—IP Services Commands Reference)
· local-address
reset ipsec sa
Use reset ipsec sa to clear IPsec SAs.
Syntax
reset ipsec sa [ policy policy-name [ seq-number ] | remote ipv4-address | spi ipv4-address { ah | esp } spi-num ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
policy policy-name [ seq-number ]: Clears IPsec SAs for the specified IPsec policy.
· policy: Specifies an IPv4 IPsec policy.
· policy-name: Specifies the name of the IPsec policy, a case-insensitive string of 1 to 63 characters.
· seq-number: Specifies the sequence number of an IPsec policy entry, in the range of 1 to 65535. If no seq-number is specified, all the entries in the IPsec policy are specified.
remote ipv4-address: Clears IPsec SAs for the specified remote address. The ipv4-address argument specifies a remote IPv4 address.
spi ipv4-address { ah | esp } spi-num: Clears IPsec SAs matching the specified SA triplet: the remote address, the security protocol, and the SPI.
· ipv4-address: Specifies a remote IPv4 address.
· ah: Specifies the AH protocol.
· esp: Specifies the ESP protocol.
· spi-num: Specifies the security parameter index in the range of 256 to 4294967295.
Usage guidelines
If no parameters are specified, this command clears all IPsec SAs.
If you specify an SA triplet, this command clears the IPsec SA matching the triplet, and all the other IPsec SAs that were established during the same negotiation process, including the corresponding IPsec SA in the other direction, and the inbound and outbound IPsec SAs using the other security protocol (AH or ESP).
An outbound SA is uniquely identified by an SA triplet and an inbound SA is uniquely identified by an SPI. To clear IPsec SAs by specifying a triplet in the outbound direction, you should provide the remote IP address, the security protocol, and the SPI. To clear IPsec SAs by specifying a triplet in the inbound direction, you should provide the SPI and use any valid values for the other two parameters.
After a manual IPsec SA is cleared, the system automatically creates a new SA based on the parameters of the IPsec policy. After IKE negotiated SAs are cleared, the system creates new SAs only when IKE negotiation is triggered by packets.
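The selection rules above (outbound SAs identified by the full triplet, inbound SAs by SPI alone, and a whole negotiation cleared together) are easy to misread. The following is an added example, not the device's own implementation and not from this reference: a small Python model of an SA table and of which entries each form of reset ipsec sa removes. The SA table, negotiation IDs, addresses and SPIs are constructed test data.

```python
# Added example (not the device's own implementation): a model of which SAs
# reset ipsec sa removes. The SA table is constructed data. Rules modelled,
# from the usage guidelines above: an outbound SA is identified by the triplet
# (remote address, protocol, SPI), an inbound SA by its SPI alone, and
# clearing one SA also clears every SA produced by the same negotiation
# (the other direction, and the AH pair as well as the ESP pair for ah-esp).
from dataclasses import dataclass


@dataclass(frozen=True)
class IpsecSa:
    negotiation: int   # SAs set up by one IKE negotiation share this id
    direction: str     # "inbound" or "outbound"
    remote: str
    proto: str         # "ah" or "esp"
    spi: int
    policy: str
    seq: int


def sample_table():
    """Three negotiations: plain ESP, AH+ESP (four SAs), and a second policy."""
    return [
        IpsecSa(1, "inbound", "10.1.1.2", "esp", 1001, "policy1", 10),
        IpsecSa(1, "outbound", "10.1.1.2", "esp", 2001, "policy1", 10),
        IpsecSa(2, "inbound", "10.1.1.3", "ah", 1002, "policy1", 20),
        IpsecSa(2, "outbound", "10.1.1.3", "ah", 2002, "policy1", 20),
        IpsecSa(2, "inbound", "10.1.1.3", "esp", 1003, "policy1", 20),
        IpsecSa(2, "outbound", "10.1.1.3", "esp", 2003, "policy1", 20),
        IpsecSa(3, "inbound", "10.1.1.2", "esp", 1004, "policy2", 1),
        IpsecSa(3, "outbound", "10.1.1.2", "esp", 2004, "policy2", 1),
    ]


def select_by_triplet(table, remote, proto, spi):
    """Outbound SAs need the whole triplet; inbound SAs match on SPI alone,
    so the remote address and protocol given for an inbound SA are ignored."""
    for sa in table:
        if sa.direction == "outbound" and (sa.remote, sa.proto, sa.spi) == (remote, proto, spi):
            return sa
    for sa in table:
        if sa.direction == "inbound" and sa.spi == spi:
            return sa
    return None


def reset_ipsec_sa(table, policy=None, seq=None, remote=None, triplet=None):
    """Return the SA table after the reset; with no selector everything goes."""
    if triplet is not None:
        hit = select_by_triplet(table, *triplet)
        doomed = {hit.negotiation} if hit else set()
    elif remote is not None:
        doomed = {sa.negotiation for sa in table if sa.remote == remote}
    elif policy is not None:
        doomed = {sa.negotiation for sa in table
                  if sa.policy == policy and (seq is None or sa.seq == seq)}
    else:
        doomed = {sa.negotiation for sa in table}
    # Everything from a doomed negotiation goes, not just the matched entry.
    return [sa for sa in table if sa.negotiation not in doomed]
```

Calling reset_ipsec_sa(sample_table(), triplet=("0.0.0.0", "esp", 1002)) removes all four SAs of negotiation 2, although the remote address and protocol supplied do not describe that SA: for an inbound SA only the SPI is consulted, which is what the guideline about "any valid values for the other two parameters" means in practice.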
Examples
# Clear all IPsec SAs.
<Sysname> reset ipsec sa
# Clear the inbound and outbound IPsec SAs for the triplet of SPI 123, remote IP address 10.1.1.2, and security protocol AH.
<Sysname> reset ipsec sa spi 10.1.1.2 ah 123
# Clear all IPsec SAs for the remote IP address 10.1.1.2.
<Sysname> reset ipsec sa remote 10.1.1.2
# Clear all IPsec SAs for the entry 10 of the IPsec policy policy1.
<Sysname> reset ipsec sa policy policy1 10
# Clear all IPsec SAs for the IPsec policy policy1.
<Sysname> reset ipsec sa policy policy1
Related commands
display ipsec sa
reset ipsec statistics
Use reset ipsec statistics to clear IPsec packet statistics.
Syntax
reset ipsec statistics [ tunnel-id tunnel-id ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
tunnel-id tunnel-id: Clears IPsec packet statistics for the specified IPsec tunnel. The value range for the tunnel-id is 0 to 4294967295. If no tunnel ID is specified, the command clears all IPsec packet statistics.
Examples
# Clear IPsec packet statistics.
<Sysname> reset ipsec statistics
Related commands
display ipsec statistics
sa duration
Use sa duration to set an SA lifetime for an IPsec policy.
Use undo sa duration to remove the SA lifetime.
Syntax
sa duration { time-based seconds | traffic-based kilobytes }
undo sa duration { time-based | traffic-based }
Default
The SA lifetime of an IPsec policy is the current global SA lifetime.
Views
IPsec policy view
Predefined user roles
network-admin
mdc-admin
Parameters
time-based seconds: Specifies the time-based SA lifetime in the range of 180 to 604800 seconds.
traffic-based kilobytes: Specifies the traffic-based SA lifetime in the range of 2560 to 4294967295 kilobytes.
Usage guidelines
IKE prefers the SA lifetime of the IPsec policy over the global SA lifetime. If the IPsec policy is not configured with the SA lifetime, IKE uses the global SA lifetime configured by the ipsec sa global-duration command for SA negotiation.
During SA negotiation, IKE selects the shorter SA lifetime between the local SA lifetime and the remote SA lifetime.
Examples
# Set the SA lifetime for the IPsec policy policy1 to 7200 seconds.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] sa duration time-based 7200
# Set the SA lifetime for the IPsec policy policy1 to 20 MB. The IPsec SA expires after transmitting 20480 kilobytes.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] sa duration traffic-based 20480
Related commands
· display ipsec sa
· ipsec sa global-duration
sa hex-key authentication
Use sa hex-key authentication to configure a hexadecimal authentication key for manual IPsec SAs.
Use undo sa hex-key authentication to remove the hexadecimal authentication key.
Syntax
sa hex-key authentication { inbound | outbound } { ah | esp } { cipher | simple } key-value
undo sa hex-key authentication { inbound | outbound } { ah | esp }
Default
No authentication key is configured for manual IPsec SAs.
Views
IPsec policy view
Predefined user roles
network-admin
mdc-admin
Parameters
inbound: Specifies a hexadecimal authentication key for inbound SAs.
outbound: Specifies a hexadecimal authentication key for outbound SAs.
ah: Uses AH.
esp: Uses ESP.
cipher key-value: Sets a ciphertext authentication key, a case-sensitive string of 1 to 85 characters.
simple key-value: Sets a plaintext authentication key. The key-value argument is case insensitive and must be a 16-byte hexadecimal string for HMAC-MD5, and a 20-byte hexadecimal string for HMAC-SHA1.
Usage guidelines
This command applies to only manual IPsec policies.
You must set an authentication key for both the inbound and outbound SAs.
The local inbound SA must use the same authentication key as the remote outbound SA, and the local outbound SA must use the same authentication key as the remote inbound SA.
If you configure a key in different formats, only the most recent configuration takes effect.
The keys for the IPsec SAs at the two tunnel ends must be input in the same format (either in hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel.
For security purposes, all keys, including keys configured in plain text, are saved in cipher text.
Examples
# Configure plaintext authentication keys 0x112233445566778899aabbccddeeff00 and 0xaabbccddeeff001100aabbccddeeff00 for the inbound and outbound SAs that use AH.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa hex-key authentication inbound ah simple 112233445566778899aabbccddeeff00
[Sysname-ipsec-policy-manual-policy1-100] sa hex-key authentication outbound ah simple aabbccddeeff001100aabbccddeeff00
Related commands
· display ipsec sa
· sa string-key
sa hex-key encryption
Use sa hex-key encryption to configure a hexadecimal encryption key for manual IPsec SAs.
Use undo sa hex-key encryption to remove the hexadecimal encryption key.
Syntax
sa hex-key encryption { inbound | outbound } esp { cipher | simple } key-value
undo sa hex-key encryption { inbound | outbound } esp
Default
No encryption key is configured for manual IPsec SAs.
Views
IPsec policy view
Predefined user roles
network-admin
mdc-admin
Parameters
inbound: Specifies a hexadecimal encryption key for inbound SAs.
outbound: Specifies a hexadecimal encryption key for outbound SAs.
esp: Uses ESP.
cipher key-value: Sets a ciphertext encryption key, a case-sensitive string of 1 to 117 characters.
simple key-value: Sets a plaintext encryption key. The key-value argument is case insensitive and must be an 8-byte hexadecimal string for DES-CBC, a 24-byte hexadecimal string for 3DES-CBC, a 16-byte hexadecimal string for AES128-CBC, a 24-byte hexadecimal string for AES192-CBC, and a 32-byte hexadecimal string for AES256-CBC.
Usage guidelines
This command applies to only manual IPsec policies.
You must set an encryption key for both the inbound and outbound SAs.
The local inbound SA must use the same encryption key as the remote outbound SA, and the local outbound SA must use the same encryption key as the remote inbound SA.
If you configure a key in different formats (hexadecimal or character format), only the most recent configuration takes effect.
The keys for the IPsec SAs at the two tunnel ends must be configured in the same format (either in hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel.
For security purposes, all keys, including keys configured in plain text, are saved in cipher text.
Examples
# Configure plaintext encryption keys 0x1234567890abcdef and 0xabcdefabcdef1234 for the inbound and outbound IPsec SAs that use ESP.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa hex-key encryption inbound esp simple 1234567890abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa hex-key encryption outbound esp simple abcdefabcdef1234
Related commands
· display ipsec sa
· sa string-key
sa idle-time
Use sa idle-time to set the IPsec SA idle timeout for an IPsec policy. If no traffic matches an IPsec SA within the idle timeout interval, the IPsec SA is deleted.
Use undo sa idle-time to restore the default.
Syntax
sa idle-time seconds
undo sa idle-time
Default
An IPsec policy uses the global IPsec SA idle timeout.
Views
IPsec policy view
Predefined user roles
network-admin
mdc-admin
Parameters
seconds: Specifies the IPsec SA idle timeout in the range of 60 to 86400 seconds.
Usage guidelines
This feature applies only to IPsec SAs negotiated by IKE and takes effect when the ipsec sa idle-time command has been configured.
The IPsec SA idle timeout configured in IPsec policy view takes precedence over the global IPsec SA timeout configured by the ipsec sa idle-time command.
Examples
# Set the IPsec SA idle timeout to 600 seconds for the IPsec policy.
<Sysname> system-view
[Sysname] ipsec policy map 100 isakmp
[Sysname-ipsec-policy-isakmp-map-100] sa idle-time 600
Related commands
· display ipsec sa
· ipsec sa idle-time
sa spi
Use sa spi to configure an SPI for IPsec SAs.
Use undo sa spi to remove the SPI.
Syntax
sa spi { inbound | outbound } { ah | esp } spi-number
undo sa spi { inbound | outbound } { ah | esp }
Default
No SPI is configured for IPsec SAs.
Views
IPsec policy view
Predefined user roles
network-admin
mdc-admin
Parameters
inbound: Specifies an SPI for inbound SAs.
outbound: Specifies an SPI for outbound SAs.
ah: Uses AH.
esp: Uses ESP.
spi-number: Specifies a security parameter index (SPI) in the range of 256 to 4294967295.
Usage guidelines
This command applies to only manual IPsec policies.
You must configure an SPI for both inbound and outbound SAs, and make sure the SAs in each direction are unique: For an outbound SA, make sure its triplet (remote IP address, security protocol, and SPI) is unique. For an inbound SA, make sure its SPI is unique.
The local inbound SA must use the same SPI as the remote outbound SA, and the local outbound SA must use the same SPI as the remote inbound SA.
Examples
# Set the SPI for the inbound SA to 10000 and the SPI for the outbound SA to 20000 in a manual IPsec policy.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa spi inbound ah 10000
[Sysname-ipsec-policy-manual-policy1-100] sa spi outbound ah 20000
Related commands
display ipsec sa
sa string-key
Use sa string-key to set a key string (a key in character format) for manual IPsec SAs.
Use undo sa string-key to remove the key string.
Syntax
sa string-key { inbound | outbound } { ah | esp } [ cipher | simple ] string-key
undo sa string-key { inbound | outbound } { ah | esp }
Default
No key string is configured for IPsec SAs.
Views
IPsec policy view
Predefined user roles
network-admin
mdc-admin
Parameters
inbound: Sets a key string for inbound IPsec SAs.
outbound: Sets a key string for outbound IPsec SAs.
ah: Uses AH.
esp: Uses ESP.
cipher: Sets a ciphertext key.
simple: Sets a plaintext key.
string-key: Specifies a case-sensitive key string. If cipher is specified, it must be a string of 1 to 373 characters. If simple is specified, it must be a string of 1 to 255 characters. Using this key string, the system automatically generates keys that meet the algorithm requirements. When the protocol is ESP, the system generates the keys for the authentication algorithm and encryption algorithm respectively.
Usage guidelines
This command applies to only manual IPsec policies.
You must set a key for both inbound and outbound SAs.
The local inbound SA must use the same key as the remote outbound SA, and the local outbound SA must use the same key as the remote inbound SA.
If you configure a key in different formats, only the most recent configuration takes effect.
The keys for the IPsec SAs at the two tunnel ends must be input in the same format (either in hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel.
For security purposes, all keys, including keys configured in plain text, are saved in cipher text.
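The manual-keying commands (sa spi, sa hex-key authentication, sa hex-key encryption and sa string-key) share the same failure mode: a key of the wrong length for the algorithm, a direction left unconfigured, or inbound and outbound parameters that do not mirror the peer's. The following is an added example, not from this reference and not the device's own code: a Python generator that produces the manual IPsec policy lines for both tunnel ends from a single set of SA parameters, swapping directions so the mirroring is correct by construction, and rejecting SPIs and hex keys that the parameter descriptions above would not accept. The policy name, sequence number, algorithm labels and key values are made-up test data; the key-length table is taken from the simple keyword descriptions.

```python
# Added example (not from the command reference): build the mirrored
# manual-IPsec policy for both tunnel ends from one set of SA parameters,
# applying the rules stated for sa spi, sa hex-key authentication,
# sa hex-key encryption and sa string-key. Policy name, sequence number,
# algorithm labels and key values in the tests are made-up data.
import re

SPI_MIN, SPI_MAX = 256, 4294967295
# Hex key sizes (bytes) from the parameter descriptions of the simple keyword.
AUTH_KEY_BYTES = {"hmac-md5": 16, "hmac-sha1": 20}
ENC_KEY_BYTES = {"des-cbc": 8, "3des-cbc": 24, "aes-cbc-128": 16,
                 "aes-cbc-192": 24, "aes-cbc-256": 32}
STRING_KEY_MAX = 255          # plaintext sa string-key length limit


def check_spi(spi):
    if not SPI_MIN <= spi <= SPI_MAX:
        raise ValueError(f"SPI {spi} outside {SPI_MIN}..{SPI_MAX}")
    return spi


def check_hex_key(key, nbytes):
    # Two hex digits per byte; the key is case-insensitive, so normalise it.
    if not re.fullmatch(r"[0-9a-fA-F]+", key) or len(key) != 2 * nbytes:
        raise ValueError(f"hex key must be exactly {nbytes} bytes: {key!r}")
    return key.lower()


def manual_policy_lines(policy, seq, proto, inbound, outbound, *,
                        auth_alg=None, enc_alg=None, key_format="hex"):
    """CLI lines for one end. `inbound`/`outbound` carry spi plus either
    hex keys (auth_key, and enc_key for ESP) or one string_key; the two
    formats are never mixed, as the usage guidelines require."""
    lines = [f"ipsec policy {policy} {seq} manual"]
    for direction, sa in (("inbound", inbound), ("outbound", outbound)):
        lines.append(f" sa spi {direction} {proto} {check_spi(sa['spi'])}")
        if key_format == "string":
            key = sa["string_key"]
            if not 1 <= len(key) <= STRING_KEY_MAX:
                raise ValueError("string key length out of range")
            lines.append(f" sa string-key {direction} {proto} simple {key}")
            continue
        if auth_alg not in AUTH_KEY_BYTES:
            raise ValueError("auth_alg must be one of " + ", ".join(AUTH_KEY_BYTES))
        akey = check_hex_key(sa["auth_key"], AUTH_KEY_BYTES[auth_alg])
        lines.append(f" sa hex-key authentication {direction} {proto} simple {akey}")
        if proto == "esp":
            ekey = check_hex_key(sa["enc_key"], ENC_KEY_BYTES[enc_alg])
            lines.append(f" sa hex-key encryption {direction} esp simple {ekey}")
    return lines


def both_ends(policy, seq, proto, a_to_b, b_to_a, **algs):
    """Peer A's outbound SA is peer B's inbound SA and vice versa, so the
    same two parameter sets are handed to each end with directions swapped."""
    a = manual_policy_lines(policy, seq, proto, inbound=b_to_a, outbound=a_to_b, **algs)
    b = manual_policy_lines(policy, seq, proto, inbound=a_to_b, outbound=b_to_a, **algs)
    return a, b
```

Generating both ends from one source is the practical defence against the mirroring rule being broken by hand: the same dictionary that becomes peer A's outbound SA becomes peer B's inbound SA, so the SPIs and keys cannot drift apart. The length check is deliberately strict because the device itself only tells you at tunnel setup time that the keys did not match.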
Examples
# Configure the inbound and outbound SAs that use AH to use the plaintext keys abcdef and efcdab, respectively.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah simple abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah simple efcdab
Related commands
· display ipsec sa
· sa hex-key
security acl
Use security acl to reference an ACL for an IPsec policy.
Use undo security acl to remove the ACL referenced by an IPsec policy.
Syntax
security acl { acl-number | name acl-name } [ aggregation | per-host ]
undo security acl
Default
An IPsec policy references no ACL.
Views
IPsec policy view
Predefined user roles
network-admin
mdc-admin
Parameters
acl-number: Specifies an ACL by its number in the range of 3000 to 3999.
name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters.
aggregation: Specifies the data protection mode as aggregation.
per-host: Specifies the data protection mode as per-host.
Usage guidelines
An IKE-based IPsec policy supports the following data flow protection modes:
· Standard mode—One IPsec tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one IPsec tunnel that is established solely for it. The standard mode is used if you do not specify the aggregation or the per-host mode.
· Aggregation mode—One IPsec tunnel protects all data flows permitted by all the rules of an ACL. This mode is only used to communicate with old-version devices.
· Per-host mode—One IPsec tunnel protects one host-to-host data flow. One host-to-host data flow is identified by one ACL rule and protected by one IPsec tunnel established solely for it. This mode consumes more system resources when multiple data flows exist between two subnets to be protected.
A manual IPsec policy supports only the standard mode.
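How many tunnels each mode creates decides both the SA budget and the blast radius of a single SA failure, which the prose above only describes. The following is an added example, not from this reference and not the device's own code: a Python model that maps a set of flows onto tunnels under the standard, aggregation and per-host modes, using an ACL expressed with Comware-style wildcard masks. The ACL rules, flow addresses and the tunnel key shapes are constructed for illustration; only contiguous wildcard masks are handled.

```python
# Added example (not from the reference): which IPsec tunnel each flow is
# protected by under the three data flow protection modes of security acl.
# ACL rules, flow addresses and the tunnel keys are constructed for
# illustration; the rule-to-tunnel mapping is the one the usage guidelines
# describe (standard: per rule, aggregation: per ACL, per-host: per host pair).
import ipaddress


def wildcard_to_network(addr, wildcard):
    """Comware ACL rules give a wildcard mask (0 bits must match).
    Only contiguous wildcards are handled here."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    network = int(ipaddress.IPv4Address(addr)) & mask
    return ipaddress.IPv4Network((network, prefix))


def acl_rules(rule_specs):
    """rule_specs: list of (src, src_wildcard, dst, dst_wildcard) permit rules,
    in rule order."""
    return [(wildcard_to_network(s, sw), wildcard_to_network(d, dw))
            for s, sw, d, dw in rule_specs]


def matching_rule(rules, src, dst):
    """Index of the first rule that permits the flow, or None (not protected)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, (src_net, dst_net) in enumerate(rules):
        if s in src_net and d in dst_net:
            return i
    return None


def tunnel_key(mode, rule_index, src, dst):
    """What identifies a tunnel in each mode (the key shape is illustrative)."""
    if mode == "standard":
        return ("rule", rule_index)          # one tunnel per ACL rule
    if mode == "aggregation":
        return ("acl",)                      # one tunnel for the whole ACL
    if mode == "per-host":
        return ("hosts", src, dst)           # one tunnel per host pair
    raise ValueError(f"unknown mode {mode}")


def tunnels_for_flows(rules, flows, mode):
    """Group flows by the tunnel that would carry them; flows no rule
    permits are left out, as IPsec would not protect them."""
    tunnels = {}
    for src, dst in flows:
        i = matching_rule(rules, src, dst)
        if i is not None:
            tunnels.setdefault(tunnel_key(mode, i, src, dst), []).append((src, dst))
    return tunnels
```

With two subnet-to-subnet rules and three permitted flows, standard mode yields two tunnels, aggregation one, and per-host three; with hundreds of hosts behind each subnet the per-host count grows with the number of distinct host pairs, which is the resource cost the guideline warns about.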
Examples
# Reference ACL 3001 for the IPsec policy policy1.
<Sysname> system-view
[Sysname] acl number 3001
[Sysname-acl-adv-3001] rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[Sysname-acl-adv-3001] quit
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] security acl 3001
# Reference ACL 3002 for the IPsec policy policy2 and specify the data protection mode as aggregation.
<Sysname> system-view
[Sysname] acl number 3002
[Sysname-acl-adv-3002] rule 0 permit ip source 10.1.2.1 0.0.0.255 destination 10.1.2.2 0.0.0.255
[Sysname-acl-adv-3002] rule 1 permit ip source 10.1.3.1 0.0.0.255 destination 10.1.3.2 0.0.0.255
[Sysname-acl-adv-3002] quit
[Sysname] ipsec policy policy2 1 isakmp
[Sysname-ipsec-policy-isakmp-policy2-1] security acl 3002 aggregation
Related commands
· display ipsec sa
· display ipsec tunnel
snmp-agent trap enable ipsec
Use snmp-agent trap enable ipsec to enable SNMP notifications for IPsec.
Use undo snmp-agent trap enable ipsec to disable SNMP notifications for IPsec.
Syntax
snmp-agent trap enable ipsec [ auth-failure | decrypt-failure | encrypt-failure | global | invalid-sa-failure | no-sa-failure | policy-add | policy-attach | policy-delete | policy-detach | tunnel-start | tunnel-stop ] *
undo snmp-agent trap enable ipsec [ auth-failure | decrypt-failure | encrypt-failure | global | invalid-sa-failure | no-sa-failure | policy-add | policy-attach | policy-delete | policy-detach | tunnel-start | tunnel-stop ] *
Default
All SNMP notifications for IPsec are disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
auth-failure: Specifies SNMP notifications for authentication failures.
decrypt-failure: Specifies SNMP notifications for decryption failures.
encrypt-failure: Specifies SNMP notifications for encryption failures.
global: Specifies SNMP notifications globally.
invalid-sa-failure: Specifies SNMP notifications for invalid-SA failures.
no-sa-failure: Specifies SNMP notifications for SA-not-found failures.
policy-add: Specifies SNMP notifications for events of adding IPsec policies.
policy-attach: Specifies SNMP notifications for events of applying IPsec policies to interfaces.
policy-delete: Specifies SNMP notifications for events of deleting IPsec policies.
policy-detach: Specifies SNMP notifications for events of removing IPsec policies from interfaces.
tunnel-start: Specifies SNMP notifications for events of creating IPsec tunnels.
tunnel-stop: Specifies SNMP notifications for events of deleting IPsec tunnels.
Usage guidelines
If you do not specify any keywords, this command enables or disables all SNMP notifications for IPsec.
To generate and output SNMP notifications for IPsec for a specific failure type or event type, enable SNMP notifications for IPsec globally and for the specified failure type or event type.
Examples
To enable SNMP notifications when an IPsec tunnel is created, execute the following commands:
# Enable SNMP notifications for IPsec globally.
<Sysname> system-view
[Sysname] snmp-agent trap enable ipsec global
# Enable SNMP notifications for events of creating IPsec tunnels.
[Sysname] snmp-agent trap enable ipsec tunnel-start
transform-set
Use transform-set to reference an IPsec transform set for an IPsec policy.
Use undo transform-set to remove the IPsec transform set referenced by an IPsec policy.
Syntax
transform-set transform-set-name&<1-6>
undo transform-set [ transform-set-name ]
Default
An IPsec policy references no IPsec transform set.
Views
IPsec policy view
Predefined user roles
network-admin
mdc-admin
Parameters
transform-set-name&<1-6>: Specifies an IPsec transform set by its name, a case-insensitive string of 1 to 63 characters. &<1-6> means that you can specify up to six IPsec transform sets.
Usage guidelines
A manual IPsec policy can reference only one IPsec transform set. If you specify an IPsec transform set for the manual IPsec policy multiple times, the most recent configuration takes effect.
An IKE-based IPsec policy can reference six IPsec transform sets at most. During an IKE negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match is found, no SA can be set up, and the packets expecting to be protected will be dropped.
If you do not specify the transform-set-name argument, the undo transform-set command removes all referenced IPsec transform sets.
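The negotiation rules spread across the transform-set, pfs, sa duration and ipsec sa global-duration sections interact: a transform set must match fully at both ends, the PFS requirement of whichever end configured it applies (with the initiator's DH group required to be at least as strong as the responder's when both did), and the SA lifetime is the policy value if set, else the global value, then the smaller of the two ends. The following is an added example, not this reference's and not the device's negotiation code: a Python model of those rules, with constructed transform set names, algorithm labels and lifetime values.

```python
# Added example (not the device's own negotiation code): the outcome of an
# IKE-based IPsec negotiation under the rules stated for transform-set, pfs,
# sa duration and ipsec sa global-duration. Transform set names, algorithm
# labels and lifetime values are constructed test data.
from dataclasses import dataclass
from typing import Optional

MAX_TRANSFORM_SETS = 6
# Strength order from the pfs usage guidelines, weakest first.
DH_STRENGTH = {"dh-group1": 1, "dh-group2": 2, "dh-group5": 3,
               "dh-group14": 4, "dh-group24": 5}


@dataclass(frozen=True)
class TransformSet:
    name: str
    protocol: str              # "ah", "esp" or "ah-esp"
    encryption: str            # ESP cipher, "" for AH-only sets
    authentication: str        # HMAC algorithm
    pfs: Optional[str] = None  # DH group, or None when pfs is not configured

    def same_algorithms(self, other):
        """A 'fully matched' set: protocol and both algorithms agree."""
        return ((self.protocol, self.encryption, self.authentication)
                == (other.protocol, other.encryption, other.authentication))


def pfs_acceptable(initiator, responder):
    """An end without PFS follows the peer's requirement; with PFS on both
    ends the initiator's group must be at least as strong as the responder's."""
    if initiator.pfs is None or responder.pfs is None:
        return True
    return DH_STRENGTH[initiator.pfs] >= DH_STRENGTH[responder.pfs]


def negotiate_transform_set(initiator_sets, responder_sets):
    """First fully matched pair in the initiator's order, else None (no SA is
    set up and packets expecting protection are dropped)."""
    for sets in (initiator_sets, responder_sets):
        if not 1 <= len(sets) <= MAX_TRANSFORM_SETS:
            raise ValueError("an IKE-based policy references 1 to 6 transform sets")
    for i in initiator_sets:
        for r in responder_sets:
            if i.same_algorithms(r) and pfs_acceptable(i, r):
                return i.name, r.name
    return None


def effective_lifetime(policy_value, global_value):
    """sa duration in IPsec policy view wins over ipsec sa global-duration."""
    return policy_value if policy_value is not None else global_value


def negotiated_lifetime(local_policy, local_global, peer_effective):
    """IKE settles on the smaller of the two ends' effective lifetimes."""
    return min(effective_lifetime(local_policy, local_global), peer_effective)
```

The asymmetry is worth noticing in the test data: with dh-group14 on the initiator and dh-group24 on the responder the AES-256 pair is rejected and negotiation falls through to a weaker AES-128 set that has no PFS at all, so ordering and PFS configuration on both ends determine which algorithms actually protect the traffic.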
Examples
# Reference the IPsec transform set prop1 for the IPsec policy policy1.
<Sysname> system-view
[Sysname] ipsec transform-set prop1
[Sysname-ipsec-transform-set-prop1] quit
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] transform-set prop1
Related commands
· ipsec policy
· ipsec transform-set
IKE commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide).
authentication-algorithm
Use authentication-algorithm to specify an authentication algorithm for an IKE proposal.
Use undo authentication-algorithm to restore the default.
Syntax
In non-FIPS mode:
authentication-algorithm { md5 | sha }
undo authentication-algorithm
In FIPS mode:
authentication-algorithm sha
undo authentication-algorithm
Default
The IKE proposal uses the authentication algorithm of HMAC-SHA1.
Views
IKE proposal view
Predefined user roles
network-admin
mdc-admin
Parameters
md5: Specifies HMAC-MD5 as the authentication algorithm.
sha: Specifies HMAC-SHA1 as the authentication algorithm.
Examples
# Specify HMAC-SHA1 as the authentication algorithm for IKE proposal 1.
<Sysname> system-view
[Sysname] ike proposal 1
[Sysname-ike-proposal-1] authentication-algorithm sha
Related commands
display ike proposal
authentication-method
Use authentication-method to specify an authentication method to be used in an IKE proposal.
Use undo authentication-method to restore the default.
Syntax
authentication-method { dsa-signature | pre-share | rsa-signature }
undo authentication-method
Default
The IKE proposal uses the pre-shared key as the authentication method.
Views
IKE proposal view
Predefined user roles
network-admin
mdc-admin
Parameters
dsa-signature: Specifies the DSA signatures as the authentication method. This keyword is available in Release 1138P01 and later versions.
pre-share: Specifies the pre-shared key as the authentication method.
rsa-signature: Specifies the RSA signatures as the authentication method. This keyword is available in Release 1138P01 and later versions.
Usage guidelines
Pre-shared key authentication does not require certificates as signature authentication does, and it is usually used in a simple network. Signature authentication provides higher security, and it is usually deployed in a large-scale network, such as a network with many branches. In a network with many branches, using pre-shared key authentication requires the headquarters to configure a pre-shared key for each branch. Using signature authentication only requires the headquarters to configure one PKI domain.
Authentication methods configured on both IKE ends must match.
If you specify RSA or DSA signatures, you must configure the IKE peer to obtain certificates from a CA.
If you specify pre-shared keys, you must configure the same pre-shared key on both IKE ends.
Examples
# Specify pre-shared key authentication in IKE proposal 1.
<Sysname> system-view
[Sysname] ike proposal 1
[Sysname-ike-proposal-1] authentication-method pre-share
Related commands
· display ike proposal
· ike keychain
· pre-shared-key
certificate domain
Use certificate domain to specify a PKI domain for signature authentication.
Use undo certificate domain to remove a PKI domain for signature authentication.
Syntax
certificate domain domain-name
undo certificate domain domain-name
Default
No PKI domains are specified for signature authentication.
Views
IKE profile view
Predefined user roles
network-admin
mdc-admin
Parameters
domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters.
Usage guidelines
This command is available in Release 1138P01 and later versions.
You can specify a maximum of six PKI domains for an IKE profile by executing this command multiple times.
IKE uses the specified PKI domains for enrollment, authentication, certificate issuing, validation, and signature. If you do not specify any PKI domains, IKE uses all PKI domains configured on the device.
Follow these restrictions and guidelines for the device to obtain the CA certificate during IKE negotiation:
· On the initiator:
¡ If the IKE profile has a PKI domain and the automatic certificate request mode is configured for the PKI domain, the initiator automatically obtains the CA certificate.
¡ If the IKE profile has no PKI domain, you must manually obtain the CA certificate.
· On the responder:
¡ If main mode is used in IKE phase 1, the responder does not automatically obtain the CA certificate. You must manually obtain the CA certificate.
¡ If aggressive mode is used in IKE phase 1, the responder automatically obtains the CA certificate if the following conditions are met:
- A matching IKE profile is found.
- A PKI domain is specified in the IKE profile.
- The automatic certificate request mode is configured for the PKI domain.
If the conditions are not met, you must manually obtain the CA certificate.
IKE first automatically obtains the CA certificate, and then requests a local certificate. If the CA certificate already exists locally, IKE automatically requests a local certificate.
Examples
# Specify the PKI domain abc for IKE profile 1.
<Sysname> system-view
[Sysname] ike profile 1
[Sysname-ike-profile-1] certificate domain abc
Related commands
· authentication-method
· pki domain
dh
Use dh to specify the DH group to be used in key negotiation phase 1 for an IKE proposal.
Use undo dh to restore the default.
Syntax
In non-FIPS mode:
dh { group1 | group14 | group2 | group24 | group5 }
undo dh
In FIPS mode:
dh group14
undo dh
Default
In non-FIPS mode, group1, the 768-bit Diffie-Hellman group, is used.
In FIPS mode, group14, the 2048-bit Diffie-Hellman group, is used.
Views
IKE proposal view
Predefined user roles
network-admin
mdc-admin
Parameters
group1: Uses the 768-bit Diffie-Hellman group.
group14: Uses the 2048-bit Diffie-Hellman group.
group2: Uses the 1024-bit Diffie-Hellman group.
group24: Uses the 2048-bit Diffie-Hellman group with the 256-bit prime order subgroup.
group5: Uses the 1536-bit Diffie-Hellman group.
Usage guidelines
A DH group that uses more bits provides higher security but needs more time for processing. To achieve the best trade-off between processing performance and security, choose a proper Diffie-Hellman group for your network.
Examples
# Specify the 2048-bit Diffie-Hellman group group14 to be used in key negotiation phase 1 for IKE proposal 1.
<Sysname> system-view
[Sysname] ike proposal 1
[Sysname-ike-proposal-1] dh group14
Related commands
display ike proposal
display ike proposal
Use display ike proposal to display configuration information about all IKE proposals.
Syntax
display ike proposal
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Usage guidelines
This command displays the configuration information about all IKE proposals in descending order of proposal priorities. If no IKE proposal is configured, the command displays the default IKE proposal.
Examples
# Display the configuration information about all IKE proposals.
<Sysname> display ike proposal
Priority Authentication Authentication Encryption Diffie-Hellman Duration
method algorithm algorithm group (seconds)
----------------------------------------------------------------------------
1 RSA-SIG SHA1 DES-CBC Group 1 5000
11 PRE-SHARED-KEY SHA1 DES-CBC Group 1 50000
default PRE-SHARED-KEY SHA1 DES-CBC Group 1 86400
Table 31 Command output
Field | Description |
---|---|
Priority | Priority of the IKE proposal. |
Authentication method | Authentication method used by the IKE proposal. |
Authentication algorithm | Authentication algorithm used in the IKE proposal: · MD5—HMAC-MD5 algorithm. · SHA1—HMAC-SHA1 algorithm. |
Encryption algorithm | Encryption algorithm used by the IKE proposal: · 3DES-CBC—168-bit 3DES algorithm in CBC mode. · AES-CBC-128—128-bit AES algorithm in CBC mode. · AES-CBC-192—192-bit AES algorithm in CBC mode. · AES-CBC-256—256-bit AES algorithm in CBC mode. · DES-CBC—56-bit DES algorithm in CBC mode. |
Diffie-Hellman group | DH group used in IKE negotiation phase 1. |
Duration (seconds) | IKE SA lifetime (in seconds) of the IKE proposal. |
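The proposal table above is what an operator audits when checking whether a device still offers weak IKE settings. The following added example (not part of the command reference) parses that output and flags the weak choices using the strength ordering this reference documents; the 2048-bit DH threshold and the embedded sample output are constructed for the example.

```python
"""Parse 'display ike proposal' output and flag weak IKE settings.

Added example, not from the command reference. The sample output is the one
shown on the page, embedded here as a constructed string.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the 'display ike proposal' output shown above.
SAMPLE_OUTPUT = """\
Priority Authentication Authentication Encryption Diffie-Hellman Duration
         method         algorithm      algorithm  group          (seconds)
----------------------------------------------------------------------------
1        RSA-SIG        SHA1           DES-CBC    Group 1        5000
11       PRE-SHARED-KEY SHA1           DES-CBC    Group 1        50000
default  PRE-SHARED-KEY SHA1           DES-CBC    Group 1        86400
"""

# DH group sizes in bits, as documented for the dh command.
DH_GROUP_BITS = {"Group 1": 768, "Group 2": 1024, "Group 5": 1536,
                 "Group 14": 2048, "Group 24": 2048}


@dataclass
class IkeProposal:
    priority: str      # proposal number, or "default"
    auth_method: str   # PRE-SHARED-KEY, RSA-SIG, DSA-SIG
    auth_alg: str      # MD5 or SHA1
    enc_alg: str       # DES-CBC, 3DES-CBC, AES-CBC-128/192/256
    dh_group: str      # "Group N"
    lifetime: int      # IKE SA lifetime in seconds


def parse_ike_proposals(text: str) -> List[IkeProposal]:
    """Return the proposals listed in 'display ike proposal' output."""
    proposals = []
    for line in text.splitlines():
        tokens = line.split()
        # Data rows split into 7 tokens because "Group N" is two words;
        # the two header lines and the dashed separator do not.
        if len(tokens) != 7 or tokens[4] != "Group" or not tokens[6].isdigit():
            continue
        proposals.append(IkeProposal(tokens[0], tokens[1], tokens[2], tokens[3],
                                     f"{tokens[4]} {tokens[5]}", int(tokens[6])))
    return proposals


def audit_proposal(p: IkeProposal, min_dh_bits: int = 2048) -> List[str]:
    """Findings for one proposal, following the reference's strength ordering
    (des-cbc < 3des-cbc < aes-cbc-128 < ...; MD5 < SHA1; fewer DH bits = weaker)."""
    findings = []
    if p.enc_alg in ("DES-CBC", "3DES-CBC"):
        findings.append(f"{p.enc_alg} encryption")
    if p.auth_alg == "MD5":
        findings.append("HMAC-MD5 authentication algorithm")
    bits = DH_GROUP_BITS.get(p.dh_group, 0)
    if bits < min_dh_bits:
        findings.append(f"{p.dh_group} ({bits}-bit) below {min_dh_bits}-bit")
    return findings


def audit_output(text: str) -> Dict[str, List[str]]:
    """Map each proposal priority to its findings (empty list means clean).

    The "default" row matters: when no user-defined proposal matches, both
    peers fall back to it, so its weaknesses are reachable even if every
    configured proposal is strong.
    """
    return {p.priority: audit_proposal(p) for p in parse_ike_proposals(text)}


if __name__ == "__main__":
    for prio, findings in audit_output(SAMPLE_OUTPUT).items():
        print(prio, "->", "; ".join(findings) or "ok")
```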
Related commands
ike proposal
display ike sa
Use display ike sa to display information about the current IKE SAs.
Syntax
display ike sa [ verbose [ connection-id connection-id | remote-address remote-address [ vpn-instance vpn-name ] ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
verbose: Displays detailed information.
connection-id connection-id: Displays detailed information about IKE SAs by connection ID in the range of 1 to 2000000000.
remote-address remote-address: Displays detailed information about IKE SAs with the specified remote address.
vpn-instance vpn-name: Displays detailed information about IKE SAs in an MPLS L3VPN instance. The vpn-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. To display information about IKE SAs on the public network, do not specify this option.
Usage guidelines
If you do not specify any parameter, the command displays a summary about all IKE SAs.
Examples
# Display information about the current IKE SAs.
<Sysname> display ike sa
Connection-ID Remote Flag DOI
----------------------------------------------------------
1 202.38.0.2 RD IPSEC
Flags:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING
Table 32 Command output
Field | Description |
---|---|
Connection-ID | Identifier of the IKE SA. |
Remote | Remote IP address of the SA. |
Flags | Status of the SA: · RD (READY)—The SA has been established. · ST (STAYALIVE)—This end is the initiator of the tunnel negotiation. · RL (REPLACED)—The SA has been replaced by a new one and will be deleted later. · FD (FADING)—The SA is in use, but it is about to expire and will be deleted soon. |
DOI | Interpretation domain to which the SA belongs. |
# Display detailed information about the current IKE SAs.
<Sysname> display ike sa verbose
---------------------------------------------
Connection ID: 2
Outside VPN: 1
Inside VPN: 1
Profile: prof1
Transmitting entity: Initiator
---------------------------------------------
Local IP: 4.4.4.4
Local ID type: IPV4_ADDR
Local ID: 4.4.4.4
Remote IP: 4.4.4.5
Remote ID type: IPV4_ADDR
Remote ID: 4.4.4.5
Authentication-method: PRE-SHARED-KEY
Authentication-algorithm: SHA1
Encryption-algorithm: AES-CBC-128
Life duration(sec): 86400
Remaining key duration(sec): 86379
Exchange-mode: Main
Diffie-Hellman group: Group 1
NAT traversal: Not detected
# Display detailed information about the IKE SA with the remote address of 4.4.4.5.
<Sysname> display ike sa verbose remote-address 4.4.4.5
---------------------------------------------
Connection ID: 2
Outside VPN: 1
Inside VPN: 1
Profile: prof1
Transmitting entity: Initiator
---------------------------------------------
Local IP: 4.4.4.4
Local ID type: IPV4_ADDR
Local ID: 4.4.4.4
Remote IP: 4.4.4.5
Remote ID type: IPV4_ADDR
Remote ID: 4.4.4.5
Authentication-method: PRE-SHARED-KEY
Authentication-algorithm: SHA1
Encryption-algorithm: AES-CBC-128
Life duration(sec): 86400
Remaining key duration(sec): 86379
Exchange-mode: Main
Diffie-Hellman group: Group 1
NAT traversal: Not detected
Table 33 Command output
Field | Description |
---|---|
Connection ID | Identifier of the IKE SA. |
Outside VPN | VPN instance name of the MPLS L3VPN to which the receiving interface belongs. |
Inside VPN | VPN instance name of the MPLS L3VPN to which the protected data belongs. |
Profile | Name of the matching IKE profile found in the IKE SA negotiation. If no matching profile is found, this field is blank. |
Transmitting entity | Role of the IKE negotiation entity: Initiator or Responder. |
Local IP | IP address of the local gateway. |
Local ID type | Identifier type of the local gateway. |
Local ID | Identifier of the local gateway. |
Remote IP | IP address of the remote gateway. |
Remote ID type | Identifier type of the remote gateway. |
Remote ID | Identifier of the remote security gateway. |
Authentication-method | Authentication method used by the IKE proposal. |
Authentication-algorithm | Authentication algorithm used by the IKE proposal: · MD5—HMAC-MD5 algorithm. · SHA1—HMAC-SHA1 algorithm. |
Encryption-algorithm | Encryption algorithm used by the IKE proposal. |
Life duration(sec) | Lifetime of the IKE SA in seconds. |
Remaining key duration(sec) | Remaining lifetime of the IKE SA in seconds. |
Exchange-mode | IKE negotiation mode in phase 1: main mode or aggressive mode. |
Diffie-Hellman group | DH group used for key negotiation in IKE phase 1. |
NAT traversal | Whether NAT traversal is detected. |
dpd
Use dpd to enable the device to send DPD messages.
Use undo dpd to disable the IKE DPD feature.
Syntax
dpd interval interval-seconds [ retry seconds ] { on-demand | periodic }
undo dpd interval
Default
IKE DPD is disabled.
Views
IKE profile view
Predefined user roles
network-admin
mdc-admin
Parameters
interval interval-seconds: Specifies a period of time in seconds. The value range is from 1 to 300.
· If the on-demand keyword is specified, this parameter specifies the number of seconds during which no IPsec packet is received before DPD is triggered if the local end has IPsec traffic to send.
· If the periodic keyword is specified, this parameter specifies a DPD triggering interval.
retry seconds: Specifies the number of seconds between DPD retries if a DPD message fails (gets no response). The seconds argument is in the range of 1 to 60, and it defaults to 5.
on-demand: Sends DPD messages on demand.
periodic: Sends DPD messages at regular intervals.
Usage guidelines
DPD is triggered periodically or on-demand. As a best practice, use the on-demand mode when the device communicates with a large number of IKE peers. For an earlier detection of dead peers, use the periodic triggering mode, which consumes more bandwidth and CPU.
When DPD settings are configured in both IKE profile view and system view, the DPD settings in IKE profile view apply. If DPD is not configured in IKE profile view, the DPD settings in system view apply.
It is a good practice to set the triggering interval longer than the retry interval so that a DPD detection does not occur during a DPD retry.
Examples
# Configure DPD to be triggered every 10 seconds and every 5 seconds between retries if the peer does not respond.
<Sysname> system-view
[Sysname] ike profile 1
[Sysname-ike-profile-1] dpd interval 10 retry 5 on-demand
Related commands
ike dpd
encryption-algorithm
Use encryption-algorithm to specify an encryption algorithm for an IKE proposal.
Use undo encryption-algorithm to restore the default.
Syntax
In non-FIPS mode:
encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc }
undo encryption-algorithm
In FIPS mode:
encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }
undo encryption-algorithm
Default
In non-FIPS mode, an IKE proposal uses the 56-bit DES encryption algorithm in CBC mode.
In FIPS mode, an IKE proposal uses the 128-bit AES encryption algorithm in CBC mode.
Views
IKE proposal view
Predefined user roles
network-admin
mdc-admin
Parameters
3des-cbc: Uses the 3DES algorithm in CBC mode as the encryption algorithm. The 3DES algorithm uses a 168-bit key for encryption.
aes-cbc-128: Uses the AES algorithm in CBC mode as the encryption algorithm. The AES algorithm uses a 128-bit key for encryption.
aes-cbc-192: Uses the AES algorithm in CBC mode as the encryption algorithm. The AES algorithm uses a 192-bit key for encryption.
aes-cbc-256: Uses the AES algorithm in CBC mode as the encryption algorithm. The AES algorithm uses a 256-bit key for encryption.
des-cbc: Uses the DES algorithm in CBC mode as the encryption algorithm. The DES algorithm uses a 56-bit key for encryption.
Usage guidelines
Different algorithms provide different levels of protection. Generally, an algorithm with a longer key is stronger. A stronger algorithm provides more resistance to decryption but uses more resources. The algorithm strength from low to high is des-cbc, 3des-cbc, aes-cbc-128, aes-cbc-192, and aes-cbc-256.
Examples
# Use the 128-bit AES in CBC mode as the encryption algorithm for IKE proposal 1.
<Sysname> system-view
[Sysname] ike proposal 1
[Sysname-ike-proposal-1] encryption-algorithm aes-cbc-128
Related commands
display ike proposal
exchange-mode
Use exchange-mode to select an IKE negotiation mode for phase 1.
Use undo exchange-mode to restore the default.
Syntax
In non-FIPS mode:
exchange-mode { aggressive | main }
undo exchange-mode
In FIPS mode:
exchange-mode main
undo exchange-mode
Default
Main mode is used for phase 1.
Views
IKE profile view
Predefined user roles
network-admin
mdc-admin
Parameters
aggressive: Specifies the aggressive mode.
main: Specifies the main mode.
Usage guidelines
As a best practice, specify the aggressive mode at the local end if the following conditions are met:
· The local end, for example, a dialup user, obtains an IP address automatically.
· Pre-shared key authentication is used.
Examples
# Specify that IKE negotiation operates in main mode.
<Sysname> system-view
[Sysname] ike profile 1
[Sysname-ike-profile-1] exchange-mode main
Related commands
display ike proposal
ike dpd
Use ike dpd to enable sending DPD messages.
Use undo ike dpd to disable the DPD feature.
Syntax
ike dpd interval interval-seconds [ retry seconds ] { on-demand | periodic }
undo ike dpd interval
Default
IKE DPD is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
interval interval-seconds: Specifies a period of time in seconds. The value range is from 1 to 300.
· If the on-demand keyword is specified, this parameter specifies the number of seconds during which no IPsec packet is received before DPD is triggered if the local end has IPsec traffic to send.
· If the periodic keyword is specified, this parameter specifies a DPD triggering interval.
retry seconds: Specifies the number of seconds between DPD retries if a DPD message fails (gets no response). The seconds argument is in the range of 1 to 60, and it defaults to 5.
on-demand: Sends DPD messages on demand.
periodic: Sends DPD messages at regular intervals.
Usage guidelines
DPD is triggered periodically or on-demand. As a best practice, use the on-demand mode when the device communicates with a large number of IKE peers. For an earlier detection of dead peers, use the periodic triggering mode, which consumes more bandwidth and CPU.
When DPD settings are configured in both IKE profile view and system view, the DPD settings in IKE profile view apply. If DPD is not configured in IKE profile view, the DPD settings in system view apply.
It is a good practice to set the triggering interval longer than the retry interval so that a DPD detection does not occur during a DPD retry.
Examples
# Configure DPD to be triggered every 10 seconds and every 5 seconds between retries if the peer does not respond.
<Sysname> system-view
[Sysname] ike dpd interval 10 retry 5 on-demand
Related commands
dpd
ike identity
Use ike identity to specify the global identity used by the local end during IKE negotiations.
Use undo ike identity to remove the configuration and restore the default.
Syntax
ike identity { address ipv4-address | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }
undo ike identity
Default
By default, the IP address of the interface where the IPsec policy applies is used for the IKE identity.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
address ipv4-address: Uses an IPv4 address as the identity.
dn: Uses the DN in the digital signature as the identity.
fqdn fqdn-name: Uses the FQDN name as the identity. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, for example, www.test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the local FQDN.
user-fqdn user-fqdn-name: Uses the user FQDN name as the identity. The user-fqdn-name argument is a case-sensitive string of 1 to 255 characters, for example, abc@test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the user FQDN.
Usage guidelines
The global identity can be used by the device for all IKE SA negotiations. The local identity (set by the local-identity command) is used only by the IKE SA negotiations that use the IKE profile in which it is configured.
In pre-shared key authentication, you cannot set the DN as the identity.
Examples
# Set the IP address 2.2.2.2 as the identity.
<Sysname> system-view
[Sysname] ike identity address 2.2.2.2
Related commands
local-identity
ike invalid-spi-recovery enable
Use ike invalid-spi-recovery enable to enable invalid security parameter index (SPI) recovery.
Use undo ike invalid-spi-recovery enable to restore the default.
Syntax
ike invalid-spi-recovery enable
undo ike invalid-spi-recovery enable
Default
SPI recovery is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
An IPsec "black hole" occurs when one IPsec peer fails (for example, because of a reboot) and loses its SAs with the other peer. When an IPsec peer receives a data packet for which it cannot find an SA, an invalid SPI is encountered. The peer drops the data packet and tries to send an SPI invalid notification to the data originator. This notification is sent by using the IKE SA. When no IKE SA is available, the notification is not sent. The originating peer continues sending the data by using the IPsec SA that has the invalid SPI, and the receiving peer keeps dropping the traffic.
The invalid SPI recovery feature enables the receiving peer to set up an IKE SA with the originator so that an SPI invalid notification can be sent. Upon receiving the notification, the originating peer deletes the IPsec SA that has the invalid SPI. If the originator has data to send, new SAs will be set up.
Use caution when you enable the invalid SPI recovery feature, because using this feature can result in a DoS attack. Attackers can make a great number of invalid SPI notifications to the same peer.
Examples
# Enable invalid SPI recovery.
<Sysname> system-view
[Sysname] ike invalid-spi-recovery enable
ike keepalive interval
Use ike keepalive interval to enable sending IKE keepalives and set the sending interval.
Use undo ike keepalive interval to restore the default.
Syntax
ike keepalive interval seconds
undo ike keepalive interval
Default
No IKE keepalives are sent.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
seconds: Specifies the number of seconds between IKE keepalives, in the range of 20 to 28800.
Usage guidelines
To detect the status of the peer, configure IKE DPD instead of the IKE keepalive feature, unless IKE DPD is not supported on the peer.
The keepalive timeout time configured at the local end must be longer than the keepalive interval configured at the peer. Because it seldom occurs that more than three consecutive packets are lost on a network, you can set the keepalive timeout timer to three times as long as the keepalive interval.
Examples
# Set the keepalive interval to 200 seconds.
<Sysname> system-view
[Sysname] ike keepalive interval 200
Related commands
ike keepalive timeout
ike keepalive timeout
Use ike keepalive timeout to set the IKE keepalive timeout time.
Use undo ike keepalive timeout to restore the default.
Syntax
ike keepalive timeout seconds
undo ike keepalive timeout
Default
The negotiated aging time for the IKE SA applies.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
seconds: Specifies the IKE keepalive timeout time in seconds. The value is in the range of 20 to 28800.
Usage guidelines
If the local end receives no keepalive packets from the peer during the timeout time, the IKE SA is deleted along with the IPsec SAs it negotiated.
The keepalive timeout time configured at the local end must be longer than the keepalive interval configured at the peer. Since it seldom occurs that more than three consecutive packets are lost on a network, you can set the keepalive timeout timer to three times as long as the keepalive interval.
Examples
# Set the keepalive timeout time to 20 seconds.
<Sysname> system-view
[Sysname] ike keepalive timeout 20
Related commands
ike keepalive interval
ike keychain
Use ike keychain to create an IKE keychain and enter IKE keychain view.
Use undo ike keychain to delete an IKE keychain.
Syntax
ike keychain keychain-name [ vpn-instance vpn-name ]
undo ike keychain keychain-name [ vpn-instance vpn-name ]
Default
No IKE keychain is configured.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters.
vpn-instance vpn-name: Specifies the MPLS L3VPN instance to which the IKE keychain belongs. The vpn-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. To create an IKE keychain for the public network, do not specify this option.
Usage guidelines
To use pre-shared key authentication, you must create and specify an IKE keychain for the IKE profile.
Examples
# Create IKE keychain key1 and enter its view.
<Sysname> system-view
[Sysname] ike keychain key1
[Sysname-ike-keychain-key1]
Related commands
· authentication-method
· pre-shared-key
ike limit
Use ike limit to set the maximum number of half-open IKE SAs and the maximum number of established IKE SAs.
Use undo ike limit to restore the default.
Syntax
ike limit { max-negotiating-sa negotiation-limit | max-sa sa-limit }
undo ike limit { max-negotiating-sa | max-sa }
Default
There is no limit to the maximum number of IKE SAs.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
max-negotiating-sa negotiation-limit: Specifies the maximum number of half-open IKE SAs, in the range of 1 to 99999.
max-sa sa-limit: Specifies the maximum number of established IKE SAs, in the range of 1 to 99999.
Usage guidelines
The supported maximum number of half-open IKE SAs depends on the device's processing capability. Adjust the maximum number of half-open IKE SAs to make full use of the device's processing capability without affecting the IKE SA negotiation efficiency.
The supported maximum number of established IKE SAs depends on the device's memory space. Adjust the maximum number of established IKE SAs to make full use of the device's memory space without affecting other applications in the system.
Examples
# Set the maximum number of half-open IKE SAs to 200.
<Sysname> system-view
[Sysname] ike limit max-negotiating-sa 200
# Set the maximum number of established IKE SAs to 5000.
<Sysname> system-view
[Sysname] ike limit max-sa 5000
ike nat-keepalive
Use ike nat-keepalive to set the NAT keepalive interval.
Use undo ike nat-keepalive to restore the default.
Syntax
ike nat-keepalive seconds
undo ike nat-keepalive
Default
The NAT keepalive interval is 20 seconds.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 300.
Usage guidelines
This command takes effect only for a device behind a NAT server. When the device resides behind a NAT server, the IKE gateway behind the NAT server needs to send NAT keepalive packets to its peer IKE gateway to keep the NAT session alive.
Examples
# Set the NAT keepalive interval to 5 seconds.
<Sysname> system-view
[Sysname] ike nat-keepalive 5
ike profile
Use ike profile to create an IKE profile and enter IKE profile view.
Use undo ike profile to delete an IKE profile.
Syntax
ike profile profile-name
undo ike profile profile-name
Default
No IKE profile is configured.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
profile-name: Specifies an IKE profile name, a case-insensitive string of 1 to 63 characters.
Examples
# Create IKE profile 1 and enter its view.
<Sysname> system-view
[Sysname] ike profile 1
[Sysname-ike-profile-1]
ike proposal
Use ike proposal to create an IKE proposal and enter IKE proposal view.
Use undo ike proposal to delete an IKE proposal.
Syntax
ike proposal proposal-number
undo ike proposal proposal-number
Default
The system has an IKE proposal that is used as the default IKE proposal. This proposal has the lowest priority and uses the following settings:
· Encryption algorithm—DES-CBC in non-FIPS mode and AES-CBC-128 in FIPS mode.
· Authentication method—Pre-shared key authentication.
· Authentication algorithm—HMAC-SHA1.
· DH group—Group1 in non-FIPS mode and group14 in FIPS mode.
· IKE SA lifetime—86400 seconds.
You cannot change the settings of the default IKE proposal.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
proposal-number: Specifies an IKE proposal number in the range of 1 to 65535. The lower the number, the higher the priority of the IKE proposal.
Usage guidelines
During IKE negotiation:
· The initiator sends its IKE proposals to the peer.
¡ If the initiator is using an IPsec policy with an IKE profile, the initiator sends all IKE proposals referenced by the IKE profile to the peer. An IKE proposal specified earlier for the IKE profile has a higher priority.
¡ If the initiator is using an IPsec policy with no IKE profile, the initiator sends all its IKE proposals to the peer. An IKE proposal with a smaller number has a higher priority.
· The peer searches its own IKE proposals for a match. The search starts from the IKE proposal with the highest priority and proceeds in descending order of priority until a match is found. The matching IKE proposals are used to establish the IKE SA. If all user-defined IKE proposals are mismatched, the two peers use their default IKE proposals to establish the IKE SA.
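The negotiation above has a security-relevant consequence: when no user-defined proposal matches, both peers silently fall back to the default proposal (DES-CBC, group1 in non-FIPS mode). The following added example (not from the command reference) simulates the offer and match procedure with constructed proposals; treating the four algorithm attributes as the match key and ignoring the lifetime is an assumption of the example.

```python
"""Simulate IKE proposal selection as described in the usage guidelines.

Added example, not part of the command reference. Proposal numbers, algorithm
names and the match rule (four algorithm attributes, lifetime ignored) are
constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    number: int        # 1 to 65535; a lower number means a higher priority
    auth_method: str   # e.g. PRE-SHARED-KEY, RSA-SIG, DSA-SIG
    auth_alg: str      # MD5 or SHA1
    enc_alg: str       # DES-CBC, 3DES-CBC, AES-CBC-128/192/256
    dh_group: str      # "Group N"

    def matches(self, other: "Proposal") -> bool:
        # Assumption: all four algorithm attributes must be equal.
        return (self.auth_method, self.auth_alg, self.enc_alg, self.dh_group) == \
               (other.auth_method, other.auth_alg, other.enc_alg, other.dh_group)


# Default proposal in non-FIPS mode, per the Default section of 'ike proposal'.
# Number 65536 is one past the configurable range, i.e. the lowest priority.
DEFAULT_PROPOSAL = Proposal(65536, "PRE-SHARED-KEY", "SHA1", "DES-CBC", "Group 1")

# Constructed configurations for the two peers.
INITIATOR_PROPOSALS = [
    Proposal(11, "PRE-SHARED-KEY", "SHA1", "AES-CBC-128", "Group 2"),
    Proposal(1, "RSA-SIG", "SHA1", "AES-CBC-256", "Group 14"),
]
RESPONDER_PROPOSALS = [
    Proposal(10, "RSA-SIG", "SHA1", "AES-CBC-256", "Group 14"),
    Proposal(5, "PRE-SHARED-KEY", "SHA1", "AES-CBC-128", "Group 2"),
]


def offered_by_initiator(proposals: List[Proposal],
                         profile_refs: Optional[List[int]] = None) -> List[Proposal]:
    """Build the initiator's offer in priority order.

    With an IKE profile, the referenced proposals are sent in the order they
    were specified for the profile; without one, all proposals are sent and a
    smaller number means a higher priority.
    """
    if profile_refs:
        by_number = {p.number: p for p in proposals}
        return [by_number[n] for n in profile_refs]
    return sorted(proposals, key=lambda p: p.number)


def negotiate(offered: List[Proposal],
              responder_proposals: List[Proposal]) -> Tuple[Proposal, bool]:
    """Return (proposal used for the IKE SA, fell_back_to_default).

    The responder walks its own proposals from highest to lowest priority and
    stops at the first one that matches anything in the initiator's offer.
    """
    for candidate in sorted(responder_proposals, key=lambda p: p.number):
        for offer in offered:
            if candidate.matches(offer):
                return candidate, False
    # No user-defined match: both peers use their default proposals.
    return DEFAULT_PROPOSAL, True


if __name__ == "__main__":
    chosen, fallback = negotiate(offered_by_initiator(INITIATOR_PROPOSALS),
                                 RESPONDER_PROPOSALS)
    print(chosen, "default fallback:", fallback)
```

Note that the responder's priority order decides: even though the initiator lists its RSA proposal first, the responder's proposal 5 (pre-shared key) is tried before its proposal 10 and wins.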
Examples
# Create IKE proposal 1 and enter its view.
<Sysname> system-view
[Sysname] ike proposal 1
[Sysname-ike-proposal-1]
Related commands
display ike proposal
ike signature-identity from-certificate
Use ike signature-identity from-certificate to configure the local device to obtain the identity information from the local certificate for signature authentication.
Use undo ike signature-identity from-certificate to restore the default.
Syntax
ike signature-identity from-certificate
undo ike signature-identity from-certificate
Default
The local end uses the identity information specified by local-identity or ike identity for signature authentication.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
This command requires the local device to always use the identity information in the local certificate for signature authentication, regardless of the local-identity or ike identity configuration.
Configure this command when the aggressive mode and signature authentication are used and the device interconnects with a Comware V5-based peer device. Comware V5 supports only DN for signature authentication.
If the ike signature-identity from-certificate command is not configured, the local-identity command configuration, if configured, takes precedence over the ike identity command configuration.
Examples
# Configure the local device to always obtain the identity information from the local certificate for signature authentication.
<Sysname> system-view
[Sysname] ike signature-identity from-certificate
Related commands
· local-identity
· ike identity
keychain
Use keychain to specify an IKE keychain for pre-shared key authentication.
Use undo keychain to remove the IKE keychain reference.
Syntax
keychain keychain-name
undo keychain keychain-name
Default
No IKE keychain is specified for an IKE profile.
Views
IKE profile view
Predefined user roles
network-admin
mdc-admin
Parameters
keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
An IKE profile can reference up to six IKE keychains. An IKE keychain specified earlier has a higher priority.
Examples
# Specify IKE keychain abc for IKE profile 1.
<Sysname> system-view
[Sysname] ike profile 1
[Sysname-ike-profile-1] keychain abc
Related commands
ike keychain
local-identity
Use local-identity to configure the local ID, the ID that the device uses to identify itself to the peer during IKE negotiation.
Use undo local-identity to delete the local ID.
Syntax
local-identity { address ipv4-address | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }
undo local-identity
Default
No local ID is configured for an IKE profile. An IKE profile uses the local ID configured in system view by using the ike identity command. If the local ID is not configured in system view, the IKE profile uses the IP address of the interface to which the IPsec policy is applied as the local ID.
Views
IKE profile view
Predefined user roles
network-admin
mdc-admin
Parameters
address ipv4-address: Uses an IPv4 address as the local ID.
dn: Uses the DN in the local certificate as the local ID.
fqdn fqdn-name: Uses an FQDN as the local ID. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the local FQDN.
user-fqdn user-fqdn-name: Uses a user FQDN as the local ID. The user-fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as abc@test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the user FQDN.
Usage guidelines
An IKE profile can have only one local ID.
For pre-shared key authentication, the device can use any type of ID other than the DN.
An IKE profile with no local ID specified uses the local ID configured by using the ike identity command in system view.
Examples
# Set the local ID to IP address 2.2.2.2.
<Sysname> system-view
[Sysname] ike profile prof1
[Sysname-ike-profile-prof1] local-identity address 2.2.2.2
Related commands
· match remote
· ike identity
match local address (IKE keychain view)
Use match local address to specify a local interface or IP address to which an IKE keychain can be applied.
Use undo match local address to restore the default.
Syntax
match local address { interface-type interface-number | ipv4-address [ vpn-instance vpn-name ] }
undo match local address
Default
An IKE keychain can be applied to any local interface or IP address.
Views
IKE keychain view
Predefined user roles
network-admin
mdc-admin
Parameters
interface-type interface-number: Specifies a local interface. It can be any Layer 3 interface.
ipv4-address: Specifies the IPv4 address of a local interface.
vpn-instance vpn-name: Specifies the MPLS L3VPN instance to which the IPv4 address belongs. The vpn-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. To specify an IP address on the public network, do not specify this option.
Usage guidelines
Use this command to specify which address or interface can use the IKE keychain for IKE negotiation.
Specify the local address configured in IPsec policy view (using the local-address command) for this command. If no local address is configured, specify the IP address of the interface that references the IPsec policy.
You can specify up to six IKE keychains for an IKE profile. An IKE keychain specified earlier has a higher priority. To give an IKE keychain that is specified later a higher priority, you can configure this command for the keychain. For example, suppose you configured IKE keychain A before configuring IKE keychain B, and you configured the peer ID 2.2.0.0/16 for IKE keychain A and the peer ID 2.2.2.0/24 for IKE keychain B. For peer 2.2.2.2, IKE keychain A is preferred because it was configured earlier. To use IKE keychain B for the peer, you can use this command to restrict the application scope of IKE keychain B to address 2.2.2.2.
Examples
# Create IKE keychain key1.
<Sysname> system-view
[Sysname] ike keychain key1
# Apply the IKE keychain key1 to the interface with the IP address 2.2.2.2 in VPN instance vpn1.
[Sysname-ike-keychain-key1] match local address 2.2.2.2 vpn-instance vpn1
match local address (IKE profile view)
Use match local address to specify a local interface or IP address to which an IKE profile can be applied.
Use undo match local address to restore the default.
Syntax
match local address { interface-type interface-number | ipv4-address [ vpn-instance vpn-name ] }
undo match local address
Default
An IKE profile can be applied to any local interface or IP address.
Views
IKE profile view
Predefined user roles
network-admin
mdc-admin
Parameters
interface-type interface-number: Specifies a local interface. It can be any Layer 3 interface.
ipv4-address: Specifies the IPv4 address of a local interface.
vpn-instance vpn-name: Specifies the MPLS L3VPN instance to which the IPv4 address belongs. The vpn-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. To specify an IP address on the public network, do not specify this option.
Usage guidelines
Use this command to specify which address or interface can use the IKE profile for IKE negotiation.
Specify the local address configured in IPsec policy view (using the local-address command) for this command. If no local address is configured, specify the IP address of the interface that references the IPsec policy.
An IKE profile configured earlier has a higher priority. To give an IKE profile that is configured later a higher priority, you can configure this command for the profile. For example, suppose you configured IKE profile A before configuring IKE profile B, and you configured the match remote identity address range 2.2.2.1 2.2.2.100 command for IKE profile A and the match remote identity address range 2.2.2.1 2.2.2.10 command for IKE profile B. For peer 2.2.2.2, IKE profile A is preferred because IKE profile A was configured earlier. To use IKE profile B for the peer, you can use this command to restrict the application scope of IKE profile B to address 2.2.2.2.
Examples
# Create IKE profile prof1.
<Sysname> system-view
[Sysname] ike profile prof1
# Apply the IKE profile prof1 to the interface with the IP address 2.2.2.2 in VPN instance vpn1.
[Sysname-ike-profile-prof1] match local address 2.2.2.2 vpn-instance vpn1
match remote
Use match remote to configure a peer ID for IKE profile matching.
Use undo match remote to delete a peer ID.
Syntax
match remote { certificate policy-name | identity { address { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } [ vpn-instance vpn-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } }
undo match remote { certificate policy-name | identity { address { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } [ vpn-instance vpn-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } }
Default
No peer ID is configured for IKE profile matching.
Views
IKE profile view
Predefined user roles
network-admin
mdc-admin
Parameters
certificate policy-name: Uses the DN in the peer's digital certificate as the peer ID for IKE profile matching. The policy-name argument is a string of 1 to 31 characters.
identity: Uses the specified information as the peer ID for IKE profile matching. The specified information is configured on the peer by using the local-identity command.
· address ipv4-address [ mask | mask-length ]: Uses an IPv4 host address or an IPv4 subnet address as the peer ID for IKE profile matching. The mask-length argument is in the range of 0 to 32.
· address range low-ipv4-address high-ipv4-address: Uses a range of IPv4 addresses as the peer ID for IKE profile matching. The end address must be higher than the start address.
· fqdn fqdn-name: Uses the peer's FQDN as the peer ID for IKE profile matching. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.
· user-fqdn user-fqdn-name: Uses the peer's user FQDN as the peer ID for IKE profile matching. The user-fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as adc@test.com.
vpn-instance vpn-name: Specifies the MPLS L3VPN instance to which the specified address or addresses belong. The vpn-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the address or addresses belong to the public network, do not specify this option.
Usage guidelines
When an end needs to select an IKE profile, it matches the received peer ID against the peer IDs configured in its local IKE profiles. If a match is found, it uses the IKE profile that contains the matching peer ID for IKE negotiation.
Each IKE profile must have at least one peer ID configured.
To make sure only one IKE profile is matched for a peer, do not configure the same peer ID for two or more IKE profiles. If you configure the same peer ID for two or more IKE profiles, which IKE profile is selected for IKE negotiation is unpredictable.
For an IKE profile, you can configure multiple peer IDs. A peer ID configured earlier has a higher priority.
Examples
# Create IKE profile prof1.
<Sysname> system-view
[Sysname] ike profile prof1
# Configure a peer ID with the identity type of FQDN and the value of www.test.com.
[Sysname-ike-profile-prof1] match remote identity fqdn www.test.com
# Configure a peer ID with the identity type of IP address and the value of 10.1.1.1.
[Sysname-ike-profile-prof1] match remote identity address 10.1.1.1
Related commands
local-identity
pre-shared-key
Use pre-shared-key to configure a pre-shared key.
Use undo pre-shared-key to remove a pre-shared key.
Syntax
pre-shared-key { address ipv4-address [ mask | mask-length ] | hostname host-name } key { cipher cipher-key | simple simple-key }
undo pre-shared-key { address ipv4-address [ mask | mask-length ] | hostname host-name }
Default
No pre-shared key is configured.
Views
IKE keychain view
Predefined user roles
network-admin
mdc-admin
Parameters
address: Specifies a peer by its address.
ipv4-address: Specifies the IPv4 address of the peer.
mask: Specifies the mask in dotted decimal notation. The default mask is 255.255.255.255.
mask-length: Specifies the mask length in the range of 0 to 32. The default mask length is 32.
hostname host-name: Specifies a peer by its hostname, a case-sensitive string of 1 to 255 characters.
key: Specifies a pre-shared key.
simple: Specifies a pre-shared key in plain text.
simple-key: Specifies a plaintext key. In non-FIPS mode, it is a case-sensitive string of 1 to 128 characters. In FIPS mode, it is a case-sensitive string of 15 to 128 characters, and it must contain uppercase and lowercase letters, digits, and special characters.
cipher: Specifies a pre-shared key in cipher text.
cipher-key: Specifies a ciphertext key. In non-FIPS mode, it is a case-sensitive string of 1 to 201 characters. In FIPS mode, it is a case-sensitive string of 15 to 201 characters.
Usage guidelines
The address option or the hostname option specifies the peer with which the device can use the pre-shared key to perform IKE negotiation.
Two peers must be configured with the same pre-shared key to pass pre-shared key authentication.
For security purposes, all pre-shared keys, including those configured in plain text, are saved in cipher text to the configuration file.
Examples
# Create IKE keychain key1 and enter IKE keychain view.
<Sysname> system-view
[Sysname] ike keychain key1
# Set the pre-shared key to be used for IKE negotiation with peer 1.1.1.2 to 123456TESTplat&!.
[Sysname-ike-keychain-key1] pre-shared-key address 1.1.1.2 255.255.255.255 key simple 123456TESTplat&!
Related commands
· authentication-method
· keychain
priority (IKE keychain view)
Use priority to specify a priority for an IKE keychain.
Use undo priority to restore the default.
Syntax
priority number
undo priority
Default
The priority of an IKE keychain is 100.
Views
IKE keychain view
Predefined user roles
network-admin
mdc-admin
Parameters
priority number: Specifies a priority number in the range of 1 to 65535. The lower the priority number, the higher the priority.
Usage guidelines
To determine the priority of an IKE keychain, the device examines the existence of the match local address command before examining the priority number. An IKE keychain with the match local address command configured has a higher priority than an IKE keychain that does not have the match local address command configured.
Examples
# Set the priority to 10 for IKE keychain key1.
<Sysname> system-view
[Sysname] ike keychain key1
[Sysname-ike-keychain-key1] priority 10
priority (IKE profile view)
Use priority to specify a priority for an IKE profile.
Use undo priority to restore the default.
Syntax
priority number
undo priority
Default
The priority of an IKE profile is 100.
Views
IKE profile view
Predefined user roles
network-admin
mdc-admin
Parameters
priority number: Specifies a priority number in the range of 1 to 65535. The smaller the priority number, the higher the priority.
Usage guidelines
To determine the priority of an IKE profile, the device examines the existence of the match local address command before examining the priority number. An IKE profile with the match local address command configured has a higher priority than an IKE profile that does not have the match local address command configured.
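The following model of IKE profile selection, covering the peer ID matching rules of match remote, the local-address restriction of match local address, and the ordering rules of priority, is an added illustration and not device code. The ranking order (a profile with match local address configured first, then the lower priority number, then the profile configured earlier) and the data structures are assumptions drawn from the text; the duplicate-peer-ID check is a configuration lint built on the same model.

```python
# Added model of IKE profile selection; not device code. The ranking
# (match local address configured > lower priority number > configured
# earlier) is an assumption drawn from the command reference text.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PeerId:
    """One match remote identity entry of an IKE profile."""
    kind: str                   # "address", "range", "fqdn" or "user-fqdn"
    value: str                  # "10.1.1.1", "10.1.1.0/24", "10.1.1.0 255.255.255.0",
                                # "2.2.2.1 2.2.2.100", "www.test.com", "adc@test.com"
    vpn: Optional[str] = None   # vpn-instance for address kinds; None = public network

    def matches(self, kind: str, value: str, vpn: Optional[str] = None) -> bool:
        if self.kind in ("fqdn", "user-fqdn"):
            # Names are case-sensitive exact matches and carry no VPN instance.
            return self.kind == kind and self.value == value
        if kind != "address" or self.vpn != vpn:
            return False
        peer = ipaddress.IPv4Address(value)
        if self.kind == "range":
            low, high = (ipaddress.IPv4Address(a) for a in self.value.split())
            return low <= peer <= high
        # "address": host, prefix-length or dotted-mask form; default mask is /32
        net = ipaddress.IPv4Network(self.value.replace(" ", "/"), strict=False)
        return peer in net


@dataclass
class IkeProfile:
    name: str
    order: int                              # configuration order; lower = configured earlier
    peer_ids: List[PeerId] = field(default_factory=list)
    priority: int = 100                     # priority command; default is 100
    local_address: Optional[str] = None     # match local address ipv4-address; None = any
    local_vpn: Optional[str] = None


def applies_to_local(profile: IkeProfile, local_address: str,
                     local_vpn: Optional[str]) -> bool:
    """match local address restricts which local address may use the profile."""
    if profile.local_address is None:
        return True
    return (profile.local_address, profile.local_vpn) == (local_address, local_vpn)


def select_profile(profiles: List[IkeProfile], peer_kind: str, peer_value: str,
                   local_address: str, peer_vpn: Optional[str] = None,
                   local_vpn: Optional[str] = None) -> Optional[str]:
    """Return the name of the profile the responder would pick, or None."""
    candidates = [
        p for p in profiles
        if applies_to_local(p, local_address, local_vpn)
        and any(pid.matches(peer_kind, peer_value, peer_vpn) for pid in p.peer_ids)
    ]
    if not candidates:
        return None
    # Profiles with match local address configured rank first (False < True),
    # then the smaller priority number, then the earlier configuration order.
    candidates.sort(key=lambda p: (p.local_address is None, p.priority, p.order))
    return candidates[0].name


def duplicate_peer_ids(profiles: List[IkeProfile]) -> List[str]:
    """Config check: the same peer ID in two or more profiles makes selection unpredictable."""
    seen = {}
    for p in profiles:
        for pid in p.peer_ids:
            seen.setdefault((pid.kind, pid.value, pid.vpn), set()).add(p.name)
    return sorted(f"{k[0]} {k[1]} shared by {', '.join(sorted(v))}"
                  for k, v in seen.items() if len(v) > 1)


def demo() -> Tuple[Optional[str], Optional[str]]:
    """The match local address example from the text: A configured before B,
    both ranges covering the peer; restricting B to local address 2.2.2.2
    flips the choice. Peer 2.2.2.8 is a constructed address inside both ranges."""
    a = IkeProfile("A", 1, [PeerId("range", "2.2.2.1 2.2.2.100")])
    b = IkeProfile("B", 2, [PeerId("range", "2.2.2.1 2.2.2.10")])
    before = select_profile([a, b], "address", "2.2.2.8", "2.2.2.2")  # "A"
    b.local_address = "2.2.2.2"       # match local address 2.2.2.2 on profile B
    after = select_profile([a, b], "address", "2.2.2.8", "2.2.2.2")   # "B"
    return before, after


if __name__ == "__main__":
    print(demo())
```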
Examples
# Set the priority to 10 for IKE profile prof1.
<Sysname> system-view
[Sysname] ike profile prof1
[Sysname-ike-profile-prof1] priority 10
proposal
Use proposal to specify the IKE proposals for an IKE profile to reference.
Use undo proposal to remove the IKE proposal references.
Syntax
proposal proposal-number&<1-6>
undo proposal
Default
An IKE profile references no IKE proposals and uses the IKE proposals configured in system view for IKE negotiation.
Views
IKE profile view
Predefined user roles
network-admin
mdc-admin
Parameters
proposal-number&<1-6>: Specifies up to six IKE proposal numbers, each in the range of 1 to 65535. An IKE proposal specified earlier has a higher priority.
Usage guidelines
When acting as the initiator, the device sends the specified IKE proposals to its peer for IKE negotiation. When acting as the responder, the device uses the IKE proposals configured in system view to match the IKE proposals received from the initiator.
Examples
# Specify IKE proposal 10 for IKE profile prof1.
<Sysname> system-view
[Sysname] ike profile prof1
[Sysname-ike-profile-prof1] proposal 10
Related commands
ike proposal
reset ike sa
Use reset ike sa to delete IKE SAs.
Syntax
reset ike sa [ connection-id connection-id ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
connection-id connection-id: Specifies the connection ID of the IKE SA to be cleared, in the range of 1 to 2000000000.
Usage guidelines
When you delete an IKE SA, the device automatically sends a notification to the peer.
Examples
# Display the current IKE SAs.
<Sysname> display ike sa
Total IKE SAs: 2
Connection-ID Remote Flag DOI
----------------------------------------------------------
1 202.38.0.2 RD|ST IPSEC
2 202.38.0.3 RD|ST IPSEC
Flags:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
# Delete the IKE SA with the connection ID 2.
<Sysname> reset ike sa 2
# Display the current IKE SAs.
<Sysname> display ike sa
Total IKE SAs: 1
Connection-ID Remote Flag DOI
----------------------------------------------------------
1 202.38.0.2 RD|ST IPSEC
Flags:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
reset ike statistics
Use reset ike statistics to clear IKE statistics.
Syntax
reset ike statistics
Views
User view
Predefined user roles
network-admin
mdc-admin
Examples
# Clear IKE statistics.
<Sysname> reset ike statistics
Related commands
snmp-agent trap enable ike
sa duration
Use sa duration to set the IKE SA lifetime for an IKE proposal.
Use undo sa duration to restore the default.
Syntax
sa duration seconds
undo sa duration
Default
The IKE SA lifetime is 86400 seconds.
Views
IKE proposal view
Predefined user roles
network-admin
mdc-admin
Parameters
seconds: Specifies the IKE SA lifetime in seconds, in the range of 60 to 604800.
Usage guidelines
If the communicating peers are configured with different IKE SA lifetime settings, the smaller setting takes effect.
Before an IKE SA expires, IKE negotiates a new SA. The new SA takes effect immediately after it is negotiated. The old IKE SA will be cleared when it expires.
Examples
# Set the IKE SA lifetime to 600 seconds for IKE proposal 1.
<Sysname> system-view
[Sysname] ike proposal 1
[Sysname-ike-proposal-1] sa duration 600
Related commands
display ike proposal
snmp-agent trap enable ike
Use snmp-agent trap enable ike to enable SNMP notifications for IKE.
Use undo snmp-agent trap enable ike to disable SNMP notifications for IKE.
Syntax
snmp-agent trap enable ike [ attr-not-support | auth-failure | cert-type-unsupport | cert-unavailable | decrypt-failure | encrypt-failure | global | invalid-cert-auth | invalid-cookie | invalid-id | invalid-proposal | invalid-protocol | invalid-sign | no-sa-failure | proposal-add | proposal-delete | tunnel-start | tunnel-stop | unsupport-exch-type ] *
undo snmp-agent trap enable ike [ attr-not-support | auth-failure | cert-type-unsupport | cert-unavailable | decrypt-failure | encrypt-failure | global | invalid-cert-auth | invalid-cookie | invalid-id | invalid-proposal | invalid-protocol | invalid-sign | no-sa-failure | proposal-add | proposal-delete | tunnel-start | tunnel-stop | unsupport-exch-type ] *
Default
All SNMP notifications for IKE are enabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
attr-not-support: Specifies SNMP notifications for attribute-unsupported failures.
auth-failure: Specifies SNMP notifications for authentication failures.
cert-type-unsupport: Specifies SNMP notifications for certificate-type-unsupported failures.
cert-unavailable: Specifies SNMP notifications for certificate-unavailable failures.
decrypt-failure: Specifies SNMP notifications for decryption failures.
encrypt-failure: Specifies SNMP notifications for encryption failures.
global: Specifies SNMP notifications globally.
invalid-cert-auth: Specifies SNMP notifications for invalid-certificate-authentication failures.
invalid-cookie: Specifies SNMP notifications for invalid-cookie failures.
invalid-id: Specifies SNMP notifications for invalid-ID failures.
invalid-proposal: Specifies SNMP notifications for invalid-IKE-proposal failures.
invalid-protocol: Specifies SNMP notifications for invalid-protocol failures.
invalid-sign: Specifies SNMP notifications for invalid-signature failures.
no-sa-failure: Specifies SNMP notifications for SA-not-found failures.
proposal-add: Specifies SNMP notifications for events of adding IKE proposals.
proposal-delete: Specifies SNMP notifications for events of deleting IKE proposals.
tunnel-start: Specifies SNMP notifications for events of creating IKE tunnels.
tunnel-stop: Specifies SNMP notifications for events of deleting IKE tunnels.
unsupport-exch-type: Specifies SNMP notifications for negotiation-type-unsupported failures.
Usage guidelines
If you do not specify any keywords, this command enables or disables all SNMP notifications for IKE.
To generate and output SNMP notifications for IKE for a specific failure type or event type, enable SNMP notifications for IKE globally and for the specified failure type or event type.
Examples
To enable SNMP notifications when an IKE tunnel is created, execute the following commands:
# Enable SNMP notifications for IKE globally.
<Sysname> system-view
[Sysname] snmp-agent trap enable ike global
# Enable SNMP notifications for events of creating IKE tunnels.
[Sysname] snmp-agent trap enable ike tunnel-start
SSH commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
SSH server commands
display ssh server
Use display ssh server on an SSH server to display the SSH server status or sessions.
Syntax
display ssh server { session | status }
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
session: Displays the SSH server sessions.
status: Displays the SSH server status.
Examples
# Display the SSH server status.
<Sysname> display ssh server status
Stelnet server: Disable
SSH version : 1.99
SSH authentication-timeout : 60 second(s)
SSH server key generating interval : 0 hour(s)
SSH authentication retries : 3 time(s)
SFTP server: Disable
SFTP server Idle-Timeout: 10 minute(s)
NETCONF server: Disable
SCP server: Disable
Table 34 Command output
Field | Description |
---|---|
Stelnet server | Whether the Stelnet server is enabled. |
SSH version | SSH protocol version. When the SSH server supports SSH1, the protocol version is 1.99. Otherwise, the protocol version is 2. |
SSH authentication-timeout | Authentication timeout timer. |
SSH server key generating interval | SSH server key pair update interval. |
SSH authentication retries | Maximum number of authentication attempts for SSH users. |
SFTP server | Whether the SFTP server is enabled. |
SFTP server Idle-Timeout | SFTP connection idle timeout timer. |
NETCONF server | Whether NETCONF over SSH is enabled. |
SCP server | Whether the SCP server is enabled. |
# Display the SSH server sessions.
<Sysname> display ssh server session
UserPid SessID Ver Encrypt State Retries Serv Username
184 0 2.0 aes128-cbc Established 1 Stelnet abc@123
Table 35 Command output
Field | Description |
---|---|
UserPid | User process ID. |
SessID | Session ID. |
Ver | Protocol version of the SSH server. |
Encrypt | Encryption algorithm used on the SSH server. |
State | Session state: · Init—Initialization. · Ver-exchange—Version negotiation. · Keys-exchange—Keys exchange. · Auth-request—Authentication request. · Serv-request—Session service request. · Established—The session is established. · Disconnected—The session is disconnected. |
Retries | Number of authentication failures. |
Serv | Service type: SCP, SFTP, Stelnet, and NETCONF. |
Username | Name of a user for logging in to the server. |
display ssh user-information
Use display ssh user-information to display information about SSH users on an SSH server.
Syntax
display ssh user-information [ username ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. If no SSH user is specified, this command displays information about all SSH users.
Usage guidelines
This command only displays information about SSH users configured by using the ssh user command on the SSH server.
Examples
# Display information about all SSH users.
<Sysname> display ssh user-information
Total ssh users:2
Username Authentication-type User-public-key-name Service-type
yemx password null Stelnet|SFTP
test publickey pubkey SFTP
Table 36 Command output
Field | Description |
---|---|
Total ssh users | Total number of SSH users. |
Authentication-type | Authentication methods: · Password authentication. · Publickey authentication. · Password-publickey authentication. · Any authentication. |
User-public-key-name | Public key name of the user. If password authentication is used, the public key of the user displays null. |
Service-type | Service type: Stelnet, SFTP, SCP, and NETCONF. If multiple service types are available for an SSH user, they are separated by vertical bars (\|). |
Related commands
ssh user
scp server enable
Use scp server enable to enable the SCP server.
Use undo scp server enable to restore the default.
Syntax
scp server enable
undo scp server enable
Default
The SCP server is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Examples
# Enable the SCP server.
<Sysname> system-view
[Sysname] scp server enable
Related commands
display ssh server
sftp server enable
Use sftp server enable to enable the SFTP server.
Use undo sftp server enable to restore the default.
Syntax
sftp server enable
undo sftp server enable
Default
The SFTP server is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Examples
# Enable the SFTP server.
<Sysname> system-view
[Sysname] sftp server enable
Related commands
display ssh server
sftp server idle-timeout
Use sftp server idle-timeout to set the SFTP connection idle timeout timer on an SFTP server.
Use undo sftp server idle-timeout to restore the default.
Syntax
sftp server idle-timeout time-out-value
undo sftp server idle-timeout
Default
The idle timeout timer is 10 minutes.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
time-out-value: Specifies a timeout timer in the range of 1 to 35791 minutes.
Usage guidelines
If an SFTP connection is idle when the idle timeout timer expires, the system automatically terminates the connection. If many SFTP connections are established, you can set a small value so that the connection resources can be promptly released.
Examples
# Set the SFTP connection idle timeout timer to 500 minutes.
<Sysname> system-view
[Sysname] sftp server idle-timeout 500
Related commands
display ssh server
ssh server acl
Use ssh server acl to specify an ACL to control IPv4 SSH user connections.
Use undo ssh server acl to restore the default.
Syntax
ssh server acl acl-number
undo ssh server acl
Default
No ACLs are specified and all IPv4 SSH users can initiate SSH connections to the device.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
acl-number: Specifies an ACL number in the range of 2000 to 4999.
Usage guidelines
The specified ACL filters IPv4 SSH users' connection requests. Only the IPv4 SSH users that the ACL permits can initiate SSH connections to the device.
All IPv4 SSH users can initiate SSH connections to the device when any one of the following conditions exists:
· You do not specify any ACL.
· The specified ACL does not exist.
· The specified ACL does not have any rules.
The ACL takes effect only on SSH connections that are initiated after the ACL configuration.
If you execute this command multiple times, the most recent configuration takes effect.
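The following model of how ssh server acl filters IPv4 SSH connection requests is an added illustration, not device code. The rule representation (a basic ACL with address-and-wildcard sources, first matching rule decides) and the deny-on-no-match behaviour for a non-empty ACL are assumptions drawn from the guidelines above; the audit function reports the three conditions under which every IPv4 SSH user is allowed in.

```python
# Added model of ssh server acl filtering; not device code. Rule syntax and
# no-match handling are assumptions drawn from the usage guidelines.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AclRule:
    action: str             # "permit" or "deny"
    source: str = "any"     # "any" or "address wildcard", e.g. "1.1.1.1 0"

    def matches(self, src_ip: str) -> bool:
        if self.source == "any":
            return True
        addr, wildcard = self.source.split()
        if wildcard == "0":                     # CLI shorthand for 0.0.0.0
            wildcard = "0.0.0.0"
        # Wildcard semantics: a 1 bit means "don't care", a 0 bit must match.
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        a = int(ipaddress.IPv4Address(addr))
        s = int(ipaddress.IPv4Address(src_ip))
        return (a & care) == (s & care)


@dataclass
class BasicAcl:
    number: int
    rules: List[AclRule] = field(default_factory=list)


def ssh_connection_permitted(acls: Dict[int, BasicAcl], configured_acl: Optional[int],
                             src_ip: str) -> bool:
    """Decide whether a new IPv4 SSH connection from src_ip may be initiated."""
    if configured_acl is None:
        return True                        # no ACL specified: everyone allowed
    acl = acls.get(configured_acl)
    if acl is None or not acl.rules:
        return True                        # ACL missing or empty: everyone allowed (fails open)
    for rule in acl.rules:                 # first matching rule decides
        if rule.matches(src_ip):
            return rule.action == "permit"
    return False                           # non-empty ACL and no match: not permitted


def audit_ssh_acl(acls: Dict[int, BasicAcl], configured_acl: Optional[int]) -> List[str]:
    """Report the conditions under which the ACL does not restrict anyone."""
    if configured_acl is None:
        return ["no ssh server acl configured: every IPv4 source may connect"]
    acl = acls.get(configured_acl)
    if acl is None:
        return [f"ACL {configured_acl} does not exist: every IPv4 source may connect"]
    if not acl.rules:
        return [f"ACL {configured_acl} has no rules: every IPv4 source may connect"]
    if not any(r.action == "permit" for r in acl.rules):
        return [f"ACL {configured_acl} permits nothing: no IPv4 SSH connection can be initiated"]
    return []


if __name__ == "__main__":
    # Constructed configuration mirroring the example: ACL 2001 permits only 1.1.1.1.
    acls = {2001: BasicAcl(2001, [AclRule("permit", "1.1.1.1 0")])}
    print(ssh_connection_permitted(acls, 2001, "1.1.1.1"),
          ssh_connection_permitted(acls, 2001, "1.1.1.2"))
```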
Examples
# Configure ACL 2001 and permit only the users at 1.1.1.1 to initiate SSH connections to the server.
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 1.1.1.1 0
[Sysname-acl-basic-2001] quit
[Sysname] ssh server acl 2001
Related commands
display ssh server
ssh server authentication-retries
Use ssh server authentication-retries to set the maximum number of authentication attempts for SSH users.
Use undo ssh server authentication-retries to restore the default.
Syntax
ssh server authentication-retries times
undo ssh server authentication-retries
Default
The maximum number of authentication attempts for SSH users is 3.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
times: Specifies the maximum number of authentication attempts for SSH users, in the range of 1 to 5.
Usage guidelines
You can set this limit to prevent malicious guessing of usernames and passwords.
This configuration does not affect logged-in users. It affects only new SSH users.
If the authentication method is any, the total number of publickey authentication attempts and password authentication attempts must not exceed the upper limit.
If the authentication method is password-publickey, the server first uses publickey authentication, and then uses password authentication to authenticate the SSH user. The process is considered one authentication attempt.
Examples
# Set the maximum number of authentication attempts to 4 for SSH users.
<Sysname> system-view
[Sysname] ssh server authentication-retries 4
Related commands
display ssh server
ssh server authentication-timeout
Use ssh server authentication-timeout to set the SSH user authentication timeout timer on the SSH server.
Use undo ssh server authentication-timeout to restore the default.
Syntax
ssh server authentication-timeout time-out-value
undo ssh server authentication-timeout
Default
The authentication timeout timer is 60 seconds.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
time-out-value: Specifies an authentication timeout timer in the range of 1 to 120 seconds.
Usage guidelines
If a user does not finish the authentication when the timeout timer expires, the connection cannot be established.
You can set a small value for the timeout timer to prevent malicious occupation of TCP connections while authentication is pending.
Examples
# Set the SSH user authentication timeout timer to 10 seconds.
<Sysname> system-view
[Sysname] ssh server authentication-timeout 10
Related commands
display ssh server
ssh server compatible-ssh1x enable
Use ssh server compatible-ssh1x enable to enable the SSH server to support SSH1 clients.
Use undo ssh server compatible-ssh1x [ enable ] to disable the SSH server from supporting SSH1 clients.
Syntax
ssh server compatible-ssh1x enable
undo ssh server compatible-ssh1x [ enable ]
Default
The SSH server supports SSH1 clients.
Views
System view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Usage guidelines
This command is not available in FIPS mode.
This configuration does not affect logged-in users. It affects only new SSH users.
Examples
# Enable the SSH server to support SSH1 clients.
<Sysname> system-view
[Sysname] ssh server compatible-ssh1x enable
Related commands
display ssh server
ssh server dscp
Use ssh server dscp to set the DSCP value in the IPv4 packets that the SSH server sends to the SSH clients.
Use undo ssh server dscp to restore the default.
Syntax
ssh server dscp dscp-value
undo ssh server dscp
Default
The DSCP value in IPv4 packets sent by the SSH server is 48.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
dscp-value: Specifies the DSCP value in the outbound IPv4 packets, in the range of 0 to 63.
Usage guidelines
The DSCP value of a packet specifies the priority of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority.
Examples
# Set the DSCP value to 30 for IPv4 packets sent by the SSH server.
<Sysname> system-view
[Sysname] ssh server dscp 30
ssh server enable
Use ssh server enable to enable the Stelnet server.
Use undo ssh server enable to restore the default.
Syntax
ssh server enable
undo ssh server enable
Default
The Stelnet server is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Examples
# Enable the Stelnet server.
<Sysname> system-view
[Sysname] ssh server enable
Related commands
display ssh server
ssh server rekey-interval
Use ssh server rekey-interval to set an interval for updating the RSA server key pair.
Use undo ssh server rekey-interval to restore the default.
Syntax
ssh server rekey-interval hours
undo ssh server rekey-interval
Default
The interval for updating the RSA server key pair is 0. The system does not update the RSA server key pair.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
hours: Specifies an interval for updating the server key pair, in the range of 1 to 24 hours.
Usage guidelines
This command is not available in FIPS mode.
Updating the RSA server key pair periodically can prevent malicious hacking of the key pair and enhances the security of SSH connections.
This command takes effect only on the SSH clients that use SSH1 client software.
Examples
# Set the RSA server key pair update interval to 3 hours.
<Sysname> system-view
[Sysname] ssh server rekey-interval 3
Related commands
display ssh server
ssh user
Use ssh user to create an SSH user and specify the service type and authentication method.
Use undo ssh user to delete an SSH user.
Syntax
In non-FIPS mode:
ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | { any | password-publickey | publickey } assign publickey keyname }
undo ssh user username
In FIPS mode:
ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | password-publickey assign publickey keyname }
undo ssh user username
Default
No SSH users exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. If the username contains an ISP domain name, it is in the form pureusername@domain. The pureusername argument is a string of 1 to 55 characters. The domain argument is a string of 1 to 24 characters.
service-type: Specifies a service type for an SSH user:
· all: Specifies Stelnet, SFTP, SCP, and NETCONF.
· scp: Specifies the service type as SCP.
· sftp: Specifies the service type as SFTP.
· stelnet: Specifies the service type as Stelnet.
· netconf: Specifies the service type as NETCONF.
authentication-type: Specifies an authentication method for an SSH user:
· password: Specifies password authentication. This authentication method provides easy and fast encryption, but it is vulnerable. It can work with AAA to implement user authentication, authorization, and accounting.
· any: Specifies either password authentication or publickey authentication.
· password-publickey: Specifies both password authentication and publickey authentication (featuring higher security) if the client runs SSH2, and specifies either type of authentication if the client runs SSH1.
· publickey: Specifies publickey authentication. This authentication method has complicated and slow encryption, but it provides strong authentication that can defend against brute-force attacks. This authentication method is easy to use. If this method is configured, the authentication process completes automatically without the need of entering any password.
assign publickey keyname: Assigns an existing host public key to an SSH user. The keyname argument is a string of 1 to 64 characters.
Usage guidelines
Use this command to configure an SSH user depending on the authentication method:
· If the authentication method is publickey, you must create an SSH user and a local user on the SSH server. The two users must have the same username, so that the SSH user can be assigned the correct working directory and user role.
· If the authentication method is password, you must perform one of the following tasks:
¡ For local authentication, configure a local user on the SSH server.
¡ For remote authentication, configure an SSH user on a remote authentication server, for example, a RADIUS server.
You do not need to create an SSH user by using the ssh user command. However, if you want to display all SSH users, including the password-only SSH users, for centralized management, you can use this command to create them. If such an SSH user has been created, make sure you have specified the correct service type and authentication method.
· If the authentication method is password-publickey or any, you must create an SSH user on the SSH server and perform one of the following tasks:
¡ For local authentication, configure a local user on the SSH server.
¡ For remote authentication, configure an SSH user on a remote authentication server, for example, a RADIUS server.
In either case, the local user or the SSH user configured on the remote authentication server must have the same username as the SSH user.
If you use the ssh user command to configure a host public key for a user who already has a host public key, the most recent configuration takes effect.
You can change the authentication parameters for a logged-in SSH user, but your changes take effect only on the clients at next login.
For an SFTP or SCP user, the working directory depends on the authentication method:
· If the authentication method is password, the working directory is authorized by AAA.
· If the authentication method is publickey or password-publickey, the working directory is specified by the authorization-attribute command in the associated local user view.
For an SSH user, the user role also depends on the authentication method:
· If the authentication method is password, the user role is authorized by the remote AAA server or the local device.
· If the authentication method is publickey or password-publickey, the user role is specified by the authorization-attribute command in the associated local user view.
Examples
# Create an SSH user named user1, and specify the service type as sftp and the authentication method as password-publickey for the user. Assign the host public key key1 to the user.
<Sysname> system-view
[Sysname] ssh user user1 service-type sftp authentication-type password-publickey assign publickey key1
# Create a local device management user named user1, specify the password as 123456TESTplat&! in plain text and the service type as ssh for the user. Assign the working directory flash: and the user role network-admin to the user.
[Sysname] local-user user1 class manage
[Sysname-luser-manage-user1] password simple 123456TESTplat&!
[Sysname-luser-manage-user1] service-type ssh
[Sysname-luser-manage-user1] authorization-attribute work-directory flash: user-role network-admin
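The usage guidelines above tie each SSH user to a local user of the same name for publickey-based methods, and take the working directory and user role from that local user's authorization-attribute. The following script, an added example that is not part of the command reference, parses a constructed running-config excerpt and reports where those rules are not met; the regular expressions and the shape of the config text are assumptions of the example.

```python
"""Consistency check for Comware 'ssh user' and 'local-user' configuration.

Added example (not from the command reference). Rules applied, taken from
the 'ssh user' usage guidelines:
  * publickey users must have a local user with the same username;
  * password-publickey / any users need a local user or a remote AAA account
    of the same name (a missing local user is reported as a warning);
  * password-only users may be authorized by remote AAA (informational);
  * the matching local user must allow service-type ssh, and for publickey /
    password-publickey users its authorization-attribute supplies the user
    role and, for SFTP/SCP, the working directory.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed config excerpt: user1 mirrors the reference's own example,
# user2 and user3 are added to trigger findings.
SAMPLE_CONFIG = """\
ssh user user1 service-type sftp authentication-type password-publickey assign publickey key1
ssh user user2 service-type stelnet authentication-type publickey assign publickey key2
ssh user user3 service-type all authentication-type password
local-user user1 class manage
 password simple 123456TESTplat&!
 service-type ssh
 authorization-attribute work-directory flash: user-role network-admin
local-user user2 class manage
 service-type telnet
 authorization-attribute user-role network-operator
"""

SSH_USER_RE = re.compile(
    r"^ssh user (?P<name>\S+) service-type (?P<svc>\S+) "
    r"authentication-type (?P<auth>\S+)(?: assign publickey (?P<key>\S+))?$"
)
LOCAL_USER_RE = re.compile(r"^local-user (?P<name>\S+) class (?P<cls>\S+)$")


@dataclass
class LocalUser:
    name: str
    cls: str
    service_types: set = field(default_factory=set)
    work_directory: Optional[str] = None
    user_role: Optional[str] = None


def parse_config(text):
    """Return (ssh_users, local_users) parsed from a flat config excerpt.

    Indented lines belong to the most recent 'local-user' view."""
    ssh_users, local_users, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):          # top-level (system view) line
            current = None
            m = SSH_USER_RE.match(line)
            if m:
                ssh_users[m["name"]] = m.groupdict()
                continue
            m = LOCAL_USER_RE.match(line)
            if m:
                current = LocalUser(m["name"], m["cls"])
                local_users[current.name] = current
            continue
        if current is None:                    # indented line outside a local-user view
            continue
        words = line.split()
        if words[0] == "service-type":
            current.service_types.update(words[1:])
        elif words[0] == "authorization-attribute":
            for i in range(1, len(words) - 1, 2):   # keyword/value pairs
                if words[i] == "work-directory":
                    current.work_directory = words[i + 1]
                elif words[i] == "user-role":
                    current.user_role = words[i + 1]
    return ssh_users, local_users


def check(ssh_users, local_users):
    """Return a list of (username, severity, message) findings."""
    findings = []
    for name, u in ssh_users.items():
        from_local = u["auth"] in ("publickey", "password-publickey")
        lu = local_users.get(name)
        if lu is None:
            if u["auth"] == "publickey":
                findings.append((name, "error", "publickey auth requires a local user with this name"))
            elif u["auth"] in ("password-publickey", "any"):
                findings.append((name, "warning", "no local user; a remote AAA account with this name is required"))
            else:
                findings.append((name, "info", "password auth; user may be authorized by remote AAA"))
            continue
        if "ssh" not in lu.service_types:
            findings.append((name, "error", "local user does not allow service-type ssh"))
        if from_local and lu.user_role is None:
            findings.append((name, "error", "user role comes from authorization-attribute but none is set"))
        if from_local and u["svc"] in ("sftp", "scp", "all") and lu.work_directory is None:
            findings.append((name, "warning", "SFTP/SCP user has no work-directory in authorization-attribute"))
    return findings


if __name__ == "__main__":
    for name, sev, msg in check(*parse_config(SAMPLE_CONFIG)):
        print(f"{sev:8}{name}: {msg}")
```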
Related commands
· authorization-attribute
· display ssh user-information
· local-user
SSH client commands
bye
Use bye to terminate the connection with an SFTP server and return to user view.
Syntax
bye
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
This command has the same function as the exit and quit commands.
Examples
# Terminate the connection with the SFTP server.
sftp> bye
<Sysname>
cd
Use cd to change the working directory on an SFTP server.
Syntax
cd [ remote-path ]
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Parameters
remote-path: Specifies the name of a directory on the server.
Usage guidelines
You can use the cd .. command to return to the upper-level directory.
You can use the cd / command to return to the root directory of the system.
Examples
# Change the working directory to new1.
sftp> cd new1
Current Directory is:/new1
sftp> pwd
Remote working directory: /new1
sftp>
cdup
Use cdup to return to the upper-level directory.
Syntax
cdup
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Example
# Return to the upper-level directory from the current working directory /test1.
sftp> cd test1
Current Directory is:/test1
sftp> pwd
Remote working directory: /test1
sftp> cdup
Current Directory is:/
sftp> pwd
Remote working directory: /
sftp>
delete
Use delete to delete a file from the SFTP server.
Syntax
delete remote-file
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Parameters
remote-file: Specifies a file.
Usage guidelines
This command has the same function as the remove command.
Examples
# Delete the file temp.c from the server.
sftp> delete temp.c
Removing /temp.c
dir
Use dir to display information about the files and subdirectories under a directory.
Syntax
dir [ -a | -l ] [ remote-path ]
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Parameters
-a: Displays the names of the files and subdirectories under a directory.
-l: Displays detailed information about the files and subdirectories under a directory in a list.
remote-path: Specifies the name of the directory to be queried. If you do not specify this argument, the command displays detailed information about the files and subdirectories under the current working directory.
Usage guidelines
If you specify neither the -a nor the -l keyword, this command displays the names of the files and subdirectories under a directory.
This command has the same function as the ls command.
Examples
# Display the names of the files and subdirectories under the current working directory.
sftp> dir -a
config.cfg
pubkey2
pubkey1
pub1
new1
new2
pub2
# Display detailed information about the files and subdirectories under the current working directory in a list.
sftp> dir -l
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
-rwxrwxrwx 1 noone nogroup 225 Sep 28 08:28 pub1
drwxrwxrwx 1 noone nogroup 0 Sep 28 08:24 new1
drwxrwxrwx 1 noone nogroup 0 Sep 28 08:18 new2
-rwxrwxrwx 1 noone nogroup 225 Sep 28 08:30 pub2
display sftp client source
Use display sftp client source to display the source IP address configured for the SFTP client.
Syntax
display sftp client source
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Usage guidelines
This command only displays the SFTP client's source IP address that is configured by using the sftp client source command.
The default source IP address of the SFTP client is not provided in the command output.
Examples
# Display the source IP address configured for the SFTP client.
<Sysname> display sftp client source
The source IP address of the SFTP client is 192.168.0.1
Related commands
sftp client source
display ssh client source
Use display ssh client source to display the source IP address configured for the Stelnet client.
Syntax
display ssh client source
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Usage guidelines
This command only displays the Stelnet client's source IP address that is configured by using the ssh client source command.
The default source IP address of the Stelnet client is not provided in the command output.
Examples
# Display the source IP address configured for the Stelnet client.
<Sysname> display ssh client source
The source IP address of the SSH client is 192.168.0.1
Related commands
ssh client source
exit
Use exit to terminate the connection with an SFTP server and return to user view.
Syntax
exit
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
This command has the same function as the bye and quit commands.
Examples
# Terminate the connection with the SFTP server.
sftp> exit
<Sysname>
get
Use get to download a file from an SFTP server and save it locally.
Syntax
get remote-file [ local-file ]
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Parameters
remote-file: Specifies the name of a file on the SFTP server.
local-file: Specifies the name for the local file. If you do not specify this argument, the file will be saved locally with the same name as the file on the server.
Examples
# Download the file temp1.c and save it as temp.c locally.
sftp> get temp1.c temp.c
Fetching /temp1.c to temp.c
/temp.c 100% 1424 1.4KB/s 00:00
help
Use help to display help information of an SFTP client command.
Syntax
help
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The help command has the same function as entering the question mark (?).
Examples
# Display help information.
sftp> help
Available commands:
bye Quit sftp
cd [path] Change remote directory to 'path'
cdup Change remote directory to the parent directory
delete path Delete remote file
dir [-a|-l][path] Display remote directory listing
-a List all filenames
-l List filename including the specific
information of the file
exit Quit sftp
get remote-path [local-path] Download file
help Display this help text
ls [-a|-l][path] Display remote directory
-a List all filenames
-l List filename including the specific
information of the file
mkdir path Create remote directory
put local-path [remote-path] Upload file
pwd Display remote working directory
quit Quit sftp
rename oldpath newpath Rename remote file
remove path Delete remote file
rmdir path Delete remote empty directory
? Synonym for help
ls
Use ls to display information about the files and subdirectories under a directory.
Syntax
ls [ -a | -l ] [ remote-path ]
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Parameters
-a: Displays the names of the files and subdirectories under a directory.
-l: Displays detailed information about the files and subdirectories under a directory in a list.
remote-path: Specifies the name of the directory to be queried. If you do not specify this argument, the command displays detailed information about the files and subdirectories under the current working directory.
Usage guidelines
If you specify neither the -a nor the -l keyword, this command displays the names of the files and subdirectories under a directory.
This command has the same function as the dir command.
Examples
# Display the names of the files and subdirectories under the current working directory.
sftp> ls -a
config.cfg
pubkey2
pubkey1
pub1
new1
new2
pub2
# Display detailed information about the files and subdirectories under the current working directory in a list.
sftp> ls -l
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
-rwxrwxrwx 1 noone nogroup 225 Sep 28 08:28 pub1
drwxrwxrwx 1 noone nogroup 0 Sep 28 08:24 new1
drwxrwxrwx 1 noone nogroup 0 Sep 28 08:18 new2
-rwxrwxrwx 1 noone nogroup 225 Sep 28 08:30 pub2
mkdir
Use mkdir to create a directory on an SFTP server.
Syntax
mkdir remote-path
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Parameters
remote-path: Specifies the name of a directory.
Examples
# Create a directory test on the SFTP server.
sftp> mkdir test
put
Use put to upload a local file to an SFTP server.
Syntax
put local-file [ remote-file ]
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Parameters
local-file: Specifies the name of a local file.
remote-file: Specifies the name of a file on an SFTP server. If you do not specify this argument, the file will be remotely saved with the same name as the local file.
Examples
# Upload the local file startup.bak to the SFTP server and save it as startup01.bak.
sftp> put startup.bak startup01.bak
Uploading startup.bak to /startup01.bak
startup01.bak 100% 1424 1.4KB/s 00:00
pwd
Use pwd to display the current working directory of an SFTP server.
Syntax
pwd
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Examples
# Display the current working directory of the SFTP server.
sftp> pwd
Remote working directory: /
The output shows that the current working directory is the root directory.
quit
Use quit to terminate the connection with an SFTP server and return to user view.
Syntax
quit
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
This command has the same function as the bye and exit commands.
Examples
# Terminate the connection with the SFTP server.
sftp> quit
<Sysname>
remove
Use remove to delete a file from an SFTP server.
Syntax
remove remote-file
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Parameters
remote-file: Specifies a file.
Usage guidelines
This command has the same function as the delete command.
Examples
# Delete the file temp.c from the SFTP server.
sftp> remove temp.c
Removing /temp.c
rename
Use rename to change the name of a file or directory on an SFTP server.
Syntax
rename old-name new-name
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Parameters
old-name: Specifies the name of an existing file or directory.
new-name: Specifies a new name for the file or directory.
Examples
# Change the name of a file on the SFTP server from temp1.c to temp2.c.
sftp> dir
aa.pub temp1.c
sftp> rename temp1.c temp2.c
sftp> dir
aa.pub temp2.c
rmdir
Use rmdir to delete a directory from an SFTP server.
Syntax
rmdir remote-path
Views
SFTP client view
Predefined user roles
network-admin
mdc-admin
Parameters
remote-path: Specifies a directory.
Examples
# Delete the subdirectory temp1 under the current directory on the SFTP server.
sftp> rmdir temp1
scp
Use scp to establish a connection to an IPv4 SCP server and transfer files with the server.
Syntax
In non-FIPS mode:
scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ip ip-address } ] *
In FIPS mode:
scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ip ip-address } ] *
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters.
port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters.
get: Downloads the file.
put: Uploads the file.
source-file-name: Specifies the name of the source file, including its directory path.
destination-file-name: Specifies the name of the target file, including its directory path. If you do not specify this argument, the target file uses the same directory path and name as the source file.
identity-key: Specifies a public key algorithm for the client. The default is dsa in non-FIPS mode and is rsa in FIPS mode. If the server uses publickey authentication, you must specify this keyword. The client generates the digital signature by using the local private key that is associated with the algorithm.
· dsa: Specifies the public key algorithm dsa.
· rsa: Specifies the public key algorithm rsa.
prefer-compress: Specifies the preferred compression algorithm between the server and the client. By default, compression is not supported.
zlib: Specifies the compression algorithm zlib.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128.
Algorithms des, 3des, aes128, and aes256 are listed in ascending order of security strength and computation time.
· 3des: Specifies the encryption algorithm 3des-cbc.
· aes128: Specifies the encryption algorithm aes128-cbc.
· aes256: Specifies the encryption algorithm aes256-cbc.
· des: Specifies the encryption algorithm des-cbc.
prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1. The algorithms sha1 and sha1-96 provide stronger security but cost more computation time than the algorithms md5 and md5-96.
· md5: Specifies the HMAC algorithm hmac-md5.
· md5-96: Specifies the HMAC algorithm hmac-md5-96.
· sha1: Specifies the HMAC algorithm hmac-sha1.
· sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange in non-FIPS mode and dh-group14 in FIPS mode.
Algorithm dh-group14 provides stronger security but costs more time in calculation than dh-group1.
· dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.
· dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.
· dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128.
prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1.
publickey keyname: Specifies the host public key of the server, which is used to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters.
source: Specifies a source IP address or source interface for SCP packets. By default, the SCP packets use the primary IPv4 address of the output interface specified in the routing entry as their source address. For successful SCP connections, use one of the following methods:
· Specify the loopback interface as the source interface.
· Specify the IP address of the loopback interface as the source IP address.
interface interface-type interface-number: Specifies a source interface by its type and number. The IPv4 address of this interface is the source IP address of the SCP packets.
ip ip-address: Specifies a source IPv4 address.
Examples
# Connect an SCP client to the SCP server 200.1.1.1, specify the public key of the server as svkey, and download the file abc.txt from the server. The SCP client uses publickey authentication. Use the following algorithms:
· Preferred key exchange algorithm dh-group14.
· Preferred server-to-client encryption algorithm aes128.
· Preferred client-to-server HMAC algorithm sha1.
· Preferred server-to-client HMAC algorithm sha1-96.
· Preferred compression algorithm zlib.
<Sysname> scp 200.1.1.1 get abc.txt prefer-kex dh-group14 prefer-stoc-cipher aes128 prefer-ctos-hmac sha1 prefer-stoc-hmac sha1-96 prefer-compress zlib publickey svkey
sftp
Use sftp to establish a connection to an IPv4 SFTP server and enter SFTP client view.
Syntax
In non-FIPS mode:
sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ dscp dscp-value | publickey keyname | source { interface interface-type interface-number | ip ip-address } ] *
In FIPS mode:
sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ip ip-address } ] *
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters.
port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters.
identity-key: Specifies a public key algorithm for the client. The default is dsa in non-FIPS mode and is rsa in FIPS mode. If the server uses publickey authentication, you must specify this keyword. The client generates the digital signature by using the local private key that is associated with the algorithm.
· dsa: Specifies the public key algorithm dsa.
· rsa: Specifies the public key algorithm rsa.
prefer-compress: Specifies the preferred compression algorithm between the server and the client. By default, compression is not supported.
zlib: Specifies the compression algorithm zlib.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128. Algorithms des, 3des, aes128, and aes256 are listed in ascending order of security strength and computation time.
· 3des: Specifies the encryption algorithm 3des-cbc.
· aes128: Specifies the encryption algorithm aes128-cbc.
· aes256: Specifies the encryption algorithm aes256-cbc.
· des: Specifies the encryption algorithm des-cbc.
prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1. The algorithms sha1 and sha1-96 provide stronger security but cost more computation time than the algorithms md5 and md5-96.
· md5: Specifies the HMAC algorithm hmac-md5.
· md5-96: Specifies the HMAC algorithm hmac-md5-96.
· sha1: Specifies the HMAC algorithm hmac-sha1.
· sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange in non-FIPS mode and dh-group14 in FIPS mode. Algorithm dh-group14 provides stronger security but costs more time in calculation than dh-group1.
· dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.
· dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.
· dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128.
prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1.
dscp dscp-value: Specifies the DSCP value in the IPv4 SFTP packets sent by the SFTP client, in the range of 0 to 63. The default value is 48. The DSCP value determines the transmission priority of the packet.
publickey keyname: Specifies the host public key of the server, which is used to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters.
source: Specifies a source IP address or source interface for the SFTP packets. By default, the SFTP packets use the primary IPv4 address of the output interface specified in the routing entry as the source IP address. For successful SFTP connections, use one of the following methods:
· Specify the loopback interface as the source interface.
· Specify the IP address of the loopback interface as the source IP address.
interface interface-type interface-number: Specifies a source interface by its type and number. The primary IPv4 address of this interface is the source IP address of the SFTP packets.
ip ip-address: Specifies a source IPv4 address.
Examples
# Connect an SFTP client to the IPv4 SFTP server 10.1.1.2 and specify the public key of the server as svkey. The SFTP client uses publickey authentication. Use the following algorithms:
· Preferred key exchange algorithm dh-group14.
· Preferred server-to-client encryption algorithm aes128.
· Preferred client-to-server HMAC algorithm sha1.
· Preferred server-to-client HMAC algorithm sha1-96.
· Preferred compression algorithm zlib.
<Sysname> sftp 10.1.1.2 prefer-kex dh-group14 prefer-stoc-cipher aes128 prefer-ctos-hmac sha1 prefer-stoc-hmac sha1-96 prefer-compress zlib publickey svkey
sftp client source
Use sftp client source to specify the source IPv4 address for SFTP packets.
Use undo sftp client source to restore the default.
Syntax
sftp client source { interface interface-type interface-number | ip ip-address }
undo sftp client source
Default
The source IP address for SFTP packets is not configured. The SFTP packets use the primary IPv4 address of the output interface specified in the routing entry as their source IP address.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
interface interface-type interface-number: Specifies a source interface by its type and number. The SFTP packets use the primary IP address of the interface as their source address.
ip ip-address: Specifies a source IPv4 address.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
The IPv4 address specified by this command also acts as the source IPv4 address of the SFTP client.
This command takes effect on all SFTP connections. The source IP address specified in the sftp command takes effect only on the current SFTP connection.
If you specify the source IP address both in this command and the sftp command, the source IP address specified in the sftp command takes effect.
Examples
# Specify the source IP address as 192.168.0.1 for SFTP packets.
<Sysname> system-view
[Sysname] sftp client source ip 192.168.0.1
Related commands
display sftp client source
ssh client source
Use ssh client source to specify the source IPv4 address for SSH packets.
Use undo ssh client source to restore the default.
Syntax
ssh client source { interface interface-type interface-number | ip ip-address }
undo ssh client source
Default
The source IP address for SSH packets is not configured. The SSH packets use the primary IPv4 address of the output interface specified in the routing entry as their source IP address.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
interface interface-type interface-number: Specifies a source interface by its type and number. The SSH packets use the primary IP address of the interface as their source address.
ip ip-address: Specifies a source IPv4 address.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
The IPv4 address specified by this command also acts as the source IPv4 address of the Stelnet client.
This command takes effect on all Stelnet connections. The source IP address specified in the ssh2 command takes effect only on the current Stelnet connection.
If you specify the source IP address both in this command and the ssh2 command, the source IP address specified in the ssh2 command takes effect.
Examples
# Specify the source IPv4 address as 192.168.0.1 for SSH packets.
<Sysname> system-view
[Sysname] ssh client source ip 192.168.0.1
Related commands
display ssh client source
ssh2
Use ssh2 to establish a connection to an IPv4 Stelnet server.
Syntax
In non-FIPS mode:
ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ dscp dscp-value | escape character | publickey keyname | source { interface interface-type interface-number | ip ip-address } ] *
In FIPS mode:
ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ escape character | publickey keyname | source { interface interface-type interface-number | ip ip-address } ] *
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters.
port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters.
identity-key: Specifies a public key algorithm for the client. The default is dsa in non-FIPS mode and is rsa in FIPS mode. If the server uses publickey authentication, you must specify this keyword. The client generates the digital signature by using the local private key that is associated with the algorithm.
· dsa: Specifies the public key algorithm dsa.
· rsa: Specifies the public key algorithm rsa.
prefer-compress: Specifies the preferred compression algorithm between the server and the client. By default, compression is not supported.
zlib: Specifies the compression algorithm zlib.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128. Algorithms des, 3des, aes128, and aes256 are listed in ascending order of security strength and computation time.
· 3des: Specifies the encryption algorithm 3des-cbc.
· aes128: Specifies the encryption algorithm aes128-cbc.
· aes256: Specifies the encryption algorithm aes256-cbc.
· des: Specifies the encryption algorithm des-cbc.
prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1. The algorithms sha1 and sha1-96 provide stronger security but cost more computation time than the algorithms md5 and md5-96.
· md5: Specifies the HMAC algorithm hmac-md5.
· md5-96: Specifies the HMAC algorithm hmac-md5-96.
· sha1: Specifies the HMAC algorithm hmac-sha1.
· sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange in non-FIPS mode and dh-group14 in FIPS mode. Algorithm dh-group14 provides stronger security but costs more time in calculation than dh-group1.
· dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.
· dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.
· dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128.
prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1.
dscp dscp-value: Specifies the DSCP value in the IPv4 SSH packets sent by the SSH client, in the range of 0 to 63. The default value is 48. The DSCP value determines the transmission priority of the packet.
escape character: Specifies an escape character. By default, the escape character is a tilde (~).
publickey keyname: Specifies the host public key of the server, which is used to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters.
source: Specifies a source IP address or source interface for SSH packets. By default, the SSH packets use the primary IPv4 address of the output interface specified in the routing entry as the source IP address. For successful Stelnet connections, use one of the following methods:
· Specify the loopback interface as the source interface.
· Specify the IP address of the loopback interface as the source IP address.
interface interface-type interface-number: Specifies a source interface by its type and number. The primary IPv4 address of this interface is the source IP address of SSH packets.
ip ip-address: Specifies a source IPv4 address.
Usage guidelines
The combination of an escape character and a dot (.) works as an escape sequence for fast terminating an SSH connection. For the escape sequence to take effect, you must enter it at the very beginning of a line. If you have entered other characters or performed operations in a line, enter the escape sequence in the next line.
As a best practice, use the default escape character (~). Do not use any characters in SSH usernames as the escape character.
Examples
# Establish a connection to the IPv4 Stelnet server 3.3.3.3 and specify the public key of the server as svkey. The Stelnet client uses publickey authentication. Specify the dollar sign ($) as the escape character. Use the following algorithms:
· Preferred key exchange algorithm dh-group14.
· Preferred server-to-client encryption algorithm aes128.
· Preferred client-to-server HMAC algorithm sha1.
· Preferred server-to-client HMAC algorithm sha1-96.
· Preferred compression algorithm zlib.
<Sysname> ssh2 3.3.3.3 prefer-kex dh-group14 prefer-stoc-cipher aes128 prefer-ctos-hmac sha1 prefer-stoc-hmac sha1-96 prefer-compress zlib publickey svkey escape $
IP source guard commands
The IPSG feature is available on Layer 2 and Layer 3 Ethernet interfaces and VLAN interfaces. The term "interface" in this chapter collectively refers to these types of interfaces. You can use the port link-mode command to configure an Ethernet port as a Layer 2 or Layer 3 interface (see Layer 2—LAN Switching Configuration Guide).
display ip source binding
Use display ip source binding to display IPv4SG bindings.
Syntax
In standalone mode:
display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcp-relay | dhcp-server | dhcp-snooping ] ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ]
In IRF mode:
display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcp-relay | dhcp-server | dhcp-snooping ] ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
static: Displays static IPv4SG bindings.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The VPN instance name is a case-sensitive string of 1 to 31 characters. To display dynamic IPv4SG bindings for the public network, do not specify a VPN instance.
dhcp-relay: Specifies the DHCP relay module.
dhcp-server: Specifies the DHCP server module.
dhcp-snooping: Specifies the DHCP snooping module.
ip-address ip-address: Specifies an IPv4 address.
mac-address mac-address: Specifies a MAC address in H-H-H format.
vlan vlan-id: Specifies a VLAN ID in the range of 1 to 4094.
interface interface-type interface-number: Specifies an interface by its type and number.
slot slot-number: Specifies the number of the slot that holds the card. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument specifies the ID of the IRF member device. The slot-number argument specifies the number of the slot that holds the card. (In IRF mode.)
Usage guidelines
If you do not specify any parameter, the command displays the following bindings:
· Static and dynamic IPv4SG bindings on all interfaces on the public network.
· Global static IPv4SG bindings.
In standalone mode, if you specify neither an interface nor a card, the command displays IPv4SG bindings that the MPU obtained from all interfaces.
In IRF mode, if you specify neither an interface nor an IRF member, the command displays IPv4SG bindings that the MPU obtained from all interfaces on the current IRF member device.
Examples
# Display all interface-specific and global IPv4SG bindings on the public network.
<Sysname> display ip source binding
Total entries found: 5
IP Address MAC Address Interface VLAN Type
10.1.0.5 040a-0000-4000 FGE1/0/1 1 DHCP snooping
10.1.0.6 040a-0000-3000 FGE1/0/1 1 DHCP snooping
10.1.0.7 040a-0000-2000 FGE1/0/1 1 DHCP snooping
10.1.0.8 040a-0000-1000 FGE1/0/2 N/A DHCP relay
10.1.0.9 040a-0000-2000 FGE1/0/2 N/A Static
Table 37 Command output
Field | Description |
---|---|
Total entries found | Total number of IPv4SG bindings. |
IP Address | IPv4 address in the IPv4SG binding. If no IP address is bound in the binding, this field displays N/A. |
MAC Address | MAC address in the IPv4SG binding. If no MAC address is bound in the binding, this field displays N/A. |
Interface | Interface of the binding. This field displays N/A for a global IPv4SG binding. |
VLAN | VLAN information in the IPv4SG binding. If the binding contains no VLAN information, this field displays N/A. |
Type | IPSG binding type: · Static—Manually configured by using the ip source binding command. Static bindings are for packet filtering in IPSG. · DHCP relay—Dynamically generated based on DHCP relay agent. The binding is for packet filtering in IPSG. · DHCP server—Dynamically generated based on DHCP server. The binding is used by other modules to provide security services. · DHCP snooping—Dynamically generated based on DHCP snooping. The binding is for packet filtering in IPSG. |
Related commands
· ip source binding
· ip verify source
ip source binding (interface view)
Use ip source binding to configure a static IPv4SG binding on an interface.
Use undo ip source binding to remove the static IPv4SG bindings configured on an interface.
Syntax
ip source binding { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]
undo ip source binding { all | ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]
Default
No static IPv4SG binding exists on an interface.
Views
Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, VLAN interface view
Predefined user roles
network-admin
mdc-admin
Parameters
all: Removes all static IPv4SG bindings on the interface.
ip-address ip-address: Specifies an IPv4 address for the static binding. The IPv4 address must be a class A, B, or C address, and cannot be 127.x.x.x, 0.0.0.0, or a multicast IP address.
mac-address mac-address: Specifies a MAC address for the static binding. The MAC address must be in H-H-H format, and cannot be all 0s, all Fs (a broadcast address), or a multicast address.
vlan vlan-id: Specifies a VLAN ID for the static binding. The value range is 1 to 4094. This option is supported only in Layer 2 Ethernet interface view.
Usage guidelines
Static IPv4SG bindings on an interface implement the following functions:
· Filter incoming IPv4 packets on the interface.
· Cooperate with ARP detection for user validity check.
The IPSG does not use the VLAN ID in a static binding as a matching criterion to filter packets. To configure a static IPv4SG binding for the ARP detection function, the vlan vlan-id option must be specified, and ARP detection must be enabled for the specified VLAN. For more information about ARP detection, see Security Configuration Guide.
Examples
# Configure a static IPv4SG binding on FortyGigE 1/0/1.
<Sysname> system-view
[Sysname] interface fortygige 1/0/1
[Sysname-FortyGigE1/0/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0001-0001
Related commands
· display ip source binding
· ip source binding (system view)
ip source binding (system view)
Use ip source binding to configure a global static IPv4SG binding.
Use undo ip source binding to remove one or all global static IPv4SG bindings.
Syntax
ip source binding ip-address ip-address mac-address mac-address
undo ip source binding { all | ip-address ip-address mac-address mac-address }
Default
No global static IPv4SG binding exists.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
ip-address ip-address: Specifies the IPv4 address for the static binding. The IPv4 address cannot be 127.x.x.x, 0.0.0.0, or a multicast IP address.
mac-address mac-address: Specifies the MAC address for the static binding. The MAC address must be in H-H-H format, and cannot be all 0s, all Fs (a broadcast address), or a multicast address.
all: Removes all global static IPv4SG bindings.
Usage guidelines
A global static IPv4SG binding takes effect on all interfaces.
Examples
# Configure a global static IPv4SG binding.
<Sysname> system-view
[Sysname] ip source binding ip-address 192.168.0.1 mac-address 0001-0001-0001
Related commands
· display ip source binding static
· ip source binding (interface view)
ip verify source
Use ip verify source to enable both static and dynamic IPv4SG on an interface.
Use undo ip verify source to restore the default.
Syntax
ip verify source { ip-address | ip-address mac-address | mac-address }
undo ip verify source
Default
The IPv4SG feature is disabled on an interface.
Views
Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, VLAN interface view
Predefined user roles
network-admin
mdc-admin
Parameters
ip-address: Filters incoming packets by source IPv4 addresses.
ip-address mac-address: Filters incoming packets by source IPv4 addresses and source MAC addresses.
mac-address: Filters incoming packets by source MAC addresses.
Usage guidelines
The matching criterion in this command applies only to dynamic IPSG. Static IPv4SG uses static bindings configured by using the ip source binding command.
Dynamic bindings generated from different source modules (DHCP relay agent, DHCP snooping, and DHCP server) are for different security services. For more information, see Security Configuration Guide.
Examples
# Enable IPv4SG on Layer 2 Ethernet interface FortyGigE 1/0/1 and verify the source IPv4 address and MAC address for dynamic IPSG.
<Sysname> system-view
[Sysname] interface fortygige 1/0/1
[Sysname-FortyGigE1/0/1] ip verify source ip-address mac-address
# Enable IPv4SG on VLAN-interface 100 and verify the source IPv4 address and MAC address for dynamic IPSG.
<Sysname> system-view
[Sysname] interface vlan-interface 100
[Sysname-Vlan-interface100] ip verify source ip-address mac-address
# Enable IPv4SG on Layer 3 Ethernet interface FortyGigE 1/0/2 and verify the source IPv4 address and MAC address for dynamic IPSG.
<Sysname> system-view
[Sysname] interface fortygige 1/0/2
[Sysname-FortyGigE1/0/2] ip verify source ip-address mac-address
# Enable IPv4SG on Layer 3 Ethernet interface FortyGigE 1/0/2 and verify the source MAC address for dynamic IPSG.
<Sysname> system-view
[Sysname] interface fortygige 1/0/2
[Sysname-FortyGigE1/0/2] ip verify source mac-address
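The filtering rules described above (static bindings match on their own fields and ignore the VLAN ID, dynamic bindings are matched with the ip verify source criterion, global static bindings apply to every interface, and DHCP server bindings are not used for filtering) as an added Python model. This is not code from this manual or from the device software; the bindings and addresses are constructed, and the model assumes a packet is forwarded as soon as any applicable binding matches it.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Keyword of ip verify source -> packet fields a dynamic binding must match.
CRITERIA = {
    "ip-address": ("ip",),
    "ip-address mac-address": ("ip", "mac"),
    "mac-address": ("mac",),
}

# Binding types that IPSG uses for packet filtering. DHCP server bindings are
# used by other modules instead (see the Type field of display ip source binding).
FILTERING_TYPES = {"static", "dhcp-snooping", "dhcp-relay"}


@dataclass(frozen=True)
class Binding:
    """One IPv4SG binding; interface=None models a global static binding."""
    type: str                       # static | dhcp-snooping | dhcp-relay | dhcp-server
    ip: Optional[str] = None
    mac: Optional[str] = None       # H-H-H format
    interface: Optional[str] = None
    vlan: Optional[int] = None      # used by ARP detection only, never for filtering


def binding_permits(b: Binding, interface: str, criterion: str,
                    src_ip: str, src_mac: str) -> bool:
    """Does binding b permit a packet (src_ip, src_mac) arriving on interface?"""
    if b.type not in FILTERING_TYPES:
        return False
    if b.interface is not None and b.interface != interface:
        return False
    if b.type == "static":
        # A static binding matches on whichever of ip/mac it carries; VLAN is ignored.
        fields = tuple(f for f in ("ip", "mac") if getattr(b, f) is not None)
    else:
        # A dynamic binding is matched using the criterion given to ip verify source.
        fields = CRITERIA[criterion]
    packet = {"ip": src_ip, "mac": src_mac}
    return all(getattr(b, f) == packet[f] for f in fields)


def packet_allowed(interface: str, criterion: str, bindings: Iterable[Binding],
                   src_ip: str, src_mac: str) -> bool:
    """IPSG verdict for an incoming IPv4 packet: forward if any binding permits it."""
    return any(binding_permits(b, interface, criterion, src_ip, src_mac) for b in bindings)


# Constructed bindings, modelled on the display ip source binding output and the
# ip source binding examples in this chapter (values are illustrative only).
BINDINGS = [
    Binding("dhcp-snooping", "10.1.0.5", "040a-0000-4000", "FGE1/0/1", 1),
    Binding("dhcp-snooping", "10.1.0.6", "040a-0000-3000", "FGE1/0/1", 1),
    Binding("dhcp-relay", "10.1.0.8", "040a-0000-1000", "FGE1/0/2"),
    Binding("dhcp-server", "10.1.0.20", "040a-0000-5000", "FGE1/0/2"),  # not for filtering
    Binding("static", "192.168.0.1", "0001-0001-0001", "FGE1/0/1"),
    Binding("static", ip="192.168.0.50", interface="FGE1/0/2"),         # IP-only static binding
    Binding("static", "192.168.0.9", "0009-0009-0009"),                 # global static binding
]

if __name__ == "__main__":
    for iface, crit, ip, mac in [
        ("FGE1/0/1", "ip-address mac-address", "10.1.0.5", "040a-0000-4000"),
        ("FGE1/0/1", "ip-address mac-address", "10.1.0.5", "dead-beef-0001"),
        ("FGE1/0/3", "ip-address mac-address", "192.168.0.9", "0009-0009-0009"),
    ]:
        verdict = "forward" if packet_allowed(iface, crit, BINDINGS, ip, mac) else "drop"
        print(f"{iface} ({crit}): {ip}/{mac} -> {verdict}")
```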
Related commands
ARP attack protection commands
Unresolvable IP attack protection commands
arp resolving-route enable
Use arp resolving-route enable to enable ARP blackhole routing.
Use undo arp resolving-route enable to disable ARP blackhole routing.
Syntax
arp resolving-route enable
undo arp resolving-route enable
Default
ARP blackhole routing is enabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
Configure this command on the gateways.
Examples
# Enable ARP blackhole routing.
<Sysname> system-view
[Sysname] arp resolving-route enable
arp resolving-route probe-count
Use arp resolving-route probe-count to set the number of ARP blackhole route probes for each unresolved IP address.
Use undo arp resolving-route probe-count to remove the configuration.
Syntax
arp resolving-route probe-count count
undo arp resolving-route probe-count
Default
The device probes ARP blackhole routes only once for each unresolved IP address.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
count: Sets the number of probes, in the range of 1 to 25.
Examples
# Configure the device to perform three ARP blackhole route probes for each unresolved IP address.
<Sysname> system-view
[Sysname] arp resolving-route probe-count 3
arp resolving-route probe-interval
Use arp resolving-route probe-interval to set the interval at which the device probes ARP blackhole routes.
Use undo arp resolving-route probe-interval to remove the configuration.
Syntax
arp resolving-route probe-interval interval
undo arp resolving-route probe-interval
Default
The device probes ARP blackhole routes every 1 second.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
interval: Sets the probe interval in the range of 1 to 5 seconds.
Examples
# Configure the device to probe ARP blackhole routes every 3 seconds.
<Sysname> system-view
[Sysname] arp resolving-route probe-interval 3
arp source-suppression enable
Use arp source-suppression enable to enable the ARP source suppression feature.
Use undo arp source-suppression enable to restore the default.
Syntax
arp source-suppression enable
undo arp source-suppression enable
Default
The ARP source suppression feature is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
Configure this feature on the gateways.
Examples
# Enable the ARP source suppression feature.
<Sysname> system-view
[Sysname] arp source-suppression enable
Related commands
display arp source-suppression
arp source-suppression limit
Use arp source-suppression limit to set the maximum number of unresolvable packets that can be processed per source IP address within 5 seconds.
Use undo arp source-suppression limit to restore the default.
Syntax
arp source-suppression limit limit-value
undo arp source-suppression limit
Default
The device can process a maximum of 10 unresolvable packets per source IP address within 5 seconds.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
limit-value: Specifies the limit in the range of 2 to 1024.
Usage guidelines
If unresolvable packets received from an IP address within 5 seconds exceed the limit, the device stops processing the packets from that IP address until the 5 seconds elapse.
Examples
# Configure the device to process a maximum of 100 unresolvable packets per source IP address within 5 seconds.
<Sysname> system-view
[Sysname] arp source-suppression limit 100
Related commands
display arp source-suppression
display arp source-suppression
Use display arp source-suppression to display information about the current ARP source suppression configuration.
Syntax
display arp source-suppression
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Display information about the current ARP source suppression configuration.
<Sysname> display arp source-suppression
ARP source suppression is enabled
Current suppression limit: 100
Table 38 Command output
Field | Description |
---|---|
Current suppression limit | Maximum number of unresolvable packets that can be received from a host in 5 seconds. |
ARP packet rate limit commands
The ARP packet rate limit feature is available in Release 1138P01 and later versions.
arp rate-limit
Use arp rate-limit to enable the ARP packet rate limit feature on an interface and specify a rate limit value. ARP packets exceeding the rate limit are discarded.
Use undo arp rate-limit to disable the ARP packet rate limit feature or restore the default rate limit value.
Syntax
arp rate-limit [ pps ]
undo arp rate-limit [ pps ]
Default
ARP packet rate limit is enabled, and the rate limit is 100 pps.
Views
Layer 2 Ethernet interface view, Layer 2 aggregate interface view
Predefined user roles
network-admin
mdc-admin
Parameters
pps: Specifies the upper limit for ARP packet rate. The value range is 5 to 2000 pps.
Usage guidelines
If you do not specify a value for the pps argument in the arp rate-limit command, the default rate limit value applies.
If you do not specify a value for the pps argument, the undo arp rate-limit command disables the ARP packet rate limit feature. If you specify a value for the pps argument, the undo arp rate-limit command restores the default rate limit value.
Examples
# Set the maximum ARP packet rate to 50 pps on FortyGigE 1/0/1.
<Sysname> system-view
[Sysname] interface fortygige 1/0/1
[Sysname-FortyGigE1/0/1] arp rate-limit 50
arp rate-limit log enable
Use arp rate-limit log enable to enable logging for ARP packet rate limit.
Use undo arp rate-limit log enable to disable logging for ARP packet rate limit.
Syntax
arp rate-limit log enable
undo arp rate-limit log enable
Default
Logging for ARP packet rate limit is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
When the receiving rate of ARP packets on an interface exceeds the rate limit, the device generates log messages.
Within each sending interval, the device sends one log message to the information center that carries the highest ARP packet rate that exceeded the threshold during that interval. You can configure the information center module to set the log output rules. For more information about the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Enable logging for ARP packet rate limit.
<Sysname> system-view
[Sysname] arp rate-limit log enable
arp rate-limit log interval
Use arp rate-limit log interval to set the notification and log message sending interval for ARP packet rate limit.
Use undo arp rate-limit log interval to restore the default.
Syntax
arp rate-limit log interval seconds
undo arp rate-limit log interval
Default
The device sends notifications or log messages every 60 seconds when the rate of ARP packets received on an interface exceeds the limit.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
seconds: Specifies an interval in the range of 1 to 86400 seconds.
Usage guidelines
To change the default interval and activate it, you must enable ARP packet rate limit and enable sending of notifications or log messages for ARP packet rate limit.
Examples
# Set the device to send notifications and log messages every 120 seconds when the rate of ARP packets received on an interface exceeds the limit.
<Sysname> system-view
[Sysname] arp rate-limit log interval 120
Related commands
· arp rate-limit
· arp rate-limit log enable
· snmp-agent trap enable arp
snmp-agent trap enable arp
Use snmp-agent trap enable arp to enable SNMP notifications for ARP.
Use undo snmp-agent trap enable arp to disable SNMP notifications for ARP.
Syntax
snmp-agent trap enable arp [ rate-limit ]
undo snmp-agent trap enable arp [ rate-limit ]
Default
SNMP notifications for ARP are disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
rate-limit: Specifies the ARP packet rate limit feature.
Usage guidelines
After you enable SNMP notifications for ARP, the device generates a notification that includes the highest threshold-crossed ARP packet rate within the sending interval.
For ARP event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.
Examples
# Enable SNMP notifications for ARP packet rate limit.
<Sysname> system-view
[Sysname] snmp-agent trap enable arp rate-limit
Source MAC-based ARP attack detection commands
The source MAC-based ARP attack detection feature is available in Release 1138P01 and later versions.
arp source-mac
Use arp source-mac to enable the source MAC-based ARP attack detection feature and specify a handling method.
Use undo arp source-mac to restore the default.
Syntax
arp source-mac { filter | monitor }
undo arp source-mac [ filter | monitor ]
Default
The source MAC-based ARP attack detection feature is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
filter: Generates log messages and discards subsequent ARP packets from the MAC address.
monitor: Only generates log messages.
Usage guidelines
Configure this feature on the gateways.
This feature checks the number of ARP packets delivered to the CPU. If the number of ARP packets from the same MAC address within 5 seconds exceeds the threshold, the device handles the attack by using the configured method (filter or monitor).
If you specify neither the filter nor the monitor keyword in the undo arp source-mac command, the command disables this feature.
Examples
# Enable the source MAC-based ARP attack detection feature and specify the filter handling method.
<Sysname> system-view
[Sysname] arp source-mac filter
arp source-mac aging-time
Use arp source-mac aging-time to set the aging time for ARP attack entries.
Use undo arp source-mac aging-time to restore the default.
Syntax
arp source-mac aging-time time
undo arp source-mac aging-time
Default
The aging time for ARP attack entries is 300 seconds.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
time: Sets the aging time for ARP attack entries, in the range of 60 to 6000 seconds.
Examples
# Set the aging time for ARP attack entries to 60 seconds.
<Sysname> system-view
[Sysname] arp source-mac aging-time 60
arp source-mac exclude-mac
Use arp source-mac exclude-mac to exclude specified MAC addresses from source MAC-based ARP attack detection.
Use undo arp source-mac exclude-mac to remove the excluded MAC addresses.
Syntax
arp source-mac exclude-mac mac-address&<1-10>
undo arp source-mac exclude-mac [ mac-address&<1-10> ]
Default
No MAC addresses are excluded from source MAC-based ARP attack detection.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
mac-address&<1-10>: Specifies a MAC address list. The mac-address argument indicates an excluded MAC address in the format of H-H-H. &<1-10> indicates that you can specify a maximum of 10 excluded MAC addresses.
Usage guidelines
If you do not specify a MAC address, the undo arp source-mac exclude-mac command removes all excluded MAC addresses.
Examples
# Exclude a MAC address from source MAC-based ARP attack detection.
<Sysname> system-view
[Sysname] arp source-mac exclude-mac 2-2-2
arp source-mac threshold
Use arp source-mac threshold to set the threshold for source MAC-based ARP attack detection. If the number of ARP packets sent from a MAC address within 5 seconds exceeds this threshold, the device recognizes this as an attack.
Use undo arp source-mac threshold to restore the default.
Syntax
arp source-mac threshold threshold-value
undo arp source-mac threshold
Default
The threshold for source MAC-based ARP attack detection is 30.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
threshold-value: Specifies the threshold for source MAC-based ARP attack detection. The value range is 1 to 5000.
Examples
# Set the threshold for source MAC-based ARP attack detection to 30.
<Sysname> system-view
[Sysname] arp source-mac threshold 30
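The detection logic of arp source-mac, arp source-mac threshold, arp source-mac aging-time and arp source-mac exclude-mac as an added Python model (not code from this manual or the device software). It counts ARP packets per source MAC over a 5-second window, creates an attack entry when the threshold is crossed, ages the entry out, and in filter mode discards subsequent packets from that MAC; the timestamps, MAC addresses and interface names are constructed, and the assumption that the packet which crosses the threshold is itself still forwarded is the model's own.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Iterable, List

WINDOW_SECONDS = 5.0   # the feature counts ARP packets per MAC address within 5 seconds


def norm_mac(mac: str) -> str:
    """Normalize H-H-H notation so that 2-2-2 and 0002-0002-0002 compare equal."""
    return "-".join(part.lower().zfill(4) for part in mac.split("-"))


@dataclass
class AttackEntry:
    mac: str
    vlan: int
    interface: str
    expires_at: float   # detection time + aging time


class SourceMacArpDetector:
    """Model of source MAC-based ARP attack detection (hypothetical, for illustration)."""

    def __init__(self, mode: str = "monitor", threshold: int = 30,
                 aging_time: int = 300, exclude: Iterable[str] = ()):
        assert mode in ("filter", "monitor")
        self.mode, self.threshold, self.aging_time = mode, threshold, aging_time
        self.exclude = {norm_mac(m) for m in exclude}          # arp source-mac exclude-mac
        self._arrivals: Dict[str, deque] = defaultdict(deque)  # MAC -> timestamps in window
        self.entries: Dict[str, AttackEntry] = {}              # detected attack entries
        self.log: List[str] = []

    def _age_out(self, now: float) -> None:
        """Remove attack entries whose aging time has elapsed."""
        for mac in [m for m, e in self.entries.items() if e.expires_at <= now]:
            del self.entries[mac]
            self._arrivals.pop(mac, None)

    def handle(self, now: float, mac: str, vlan: int, interface: str) -> str:
        """Process one ARP packet delivered to the CPU; return "forward" or "drop"."""
        self._age_out(now)
        mac = norm_mac(mac)
        if mac in self.exclude:
            return "forward"
        if mac in self.entries:
            # Existing entry: filter mode discards subsequent packets, monitor mode only logs.
            return "drop" if self.mode == "filter" else "forward"
        window = self._arrivals[mac]
        window.append(now)
        while now - window[0] >= WINDOW_SECONDS:      # keep only the last 5 seconds
            window.popleft()
        if len(window) > self.threshold:
            self.entries[mac] = AttackEntry(mac, vlan, interface, now + self.aging_time)
            self.log.append(f"{now:.1f}s ARP attack: {mac} on {interface} VLAN {vlan} "
                            f"({len(window)} packets in {WINDOW_SECONDS:.0f}s, mode {self.mode})")
        return "forward"

    def remaining_aging(self, now: float) -> Dict[str, float]:
        """Seconds left per entry, like the Aging-time column of display arp source-mac."""
        self._age_out(now)
        return {m: e.expires_at - now for m, e in self.entries.items()}


def simulate_flood() -> dict:
    """Constructed scenario: one host floods, an excluded host floods, then the entry ages out."""
    det = SourceMacArpDetector(mode="filter", threshold=30, aging_time=300, exclude=["2-2-2"])
    # 40 ARP packets in 4 seconds from one MAC: the 31st crosses the threshold of 30.
    flood = [det.handle(i / 10, "23f3-1122-3344", 4094, "FGE1/0/1") for i in range(40)]
    # The same flood from an excluded MAC is never counted.
    excluded = [det.handle(i / 10, "0002-0002-0002", 4094, "FGE1/0/2") for i in range(40)]
    aging_at_100s = det.remaining_aging(100.0)
    # After the 300-second aging time the entry is gone and packets are forwarded again.
    after_aging = det.handle(310.0, "23f3-1122-3344", 4094, "FGE1/0/1")
    return {"flood": flood, "excluded": excluded, "aging_at_100s": aging_at_100s,
            "after_aging": after_aging, "log": det.log, "entries_left": len(det.entries)}


if __name__ == "__main__":
    for line in simulate_flood()["log"]:
        print(line)
```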
display arp source-mac
Use display arp source-mac to display ARP attack entries detected by source MAC-based ARP attack detection.
Syntax
In standalone mode:
display arp source-mac { slot slot-number | interface interface-type interface-number }
In IRF mode:
display arp source-mac { chassis chassis-number slot slot-number | interface interface-type interface-number }
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays ARP attack entries for the active MPU.
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays ARP attack entries for the global active MPU.
Examples
# Display the ARP attack entries detected by source MAC-based ARP attack detection.
<Sysname> display arp source-mac slot 1
Source-MAC VLAN ID Interface Aging-time
23f3-1122-3344 4094 FGE1/0/1 10
23f3-1122-3355 4094 FGE1/0/2 30
23f3-1122-33ff 4094 FGE1/0/3 25
23f3-1122-33ad 4094 FGE1/0/4 30
23f3-1122-33ce 4094 FGE1/0/5 2
ARP packet source MAC consistency check commands
The ARP packet source MAC address consistency check feature is available in Release 1138P01 and later versions.
arp valid-check enable
Use arp valid-check enable to enable ARP packet source MAC address consistency check.
Use undo arp valid-check enable to disable ARP packet source MAC address consistency check.
Syntax
arp valid-check enable
undo arp valid-check enable
Default
ARP packet source MAC address consistency check is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
Configure this feature on gateways. The gateways can filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body.
Examples
# Enable ARP packet source MAC address consistency check.
<Sysname> system-view
[Sysname] arp valid-check enable
ARP active acknowledgement commands
The ARP active acknowledgement feature is available in Release 1138P01 and later versions.
arp active-ack enable
Use arp active-ack enable to enable the ARP active acknowledgement feature.
Use undo arp active-ack enable to restore the default.
Syntax
arp active-ack [ strict ] enable
undo arp active-ack [ strict ] enable
Default
The ARP active acknowledgement feature is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
strict: Enables strict mode for ARP active acknowledgement.
Usage guidelines
Configure this feature on gateways to prevent user spoofing.
In strict mode, a gateway learns an entry only when ARP active acknowledgement is successful based on the correct ARP resolution.
Examples
# Enable the ARP active acknowledgement feature.
<Sysname> system-view
[Sysname] arp active-ack enable
Authorized ARP commands
The authorized ARP feature is available in Release 1138P01 and later versions.
arp authorized enable
Use arp authorized enable to enable authorized ARP on an interface.
Use undo arp authorized enable to restore the default.
Syntax
arp authorized enable
undo arp authorized enable
Default
Authorized ARP is disabled on the interface.
Views
Layer 3 Ethernet interface view, Layer 3 aggregate interface view, VLAN interface view
Predefined user roles
network-admin
mdc-admin
Examples
# Enable authorized ARP on VLAN-interface 1.
<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] arp authorized enable
ARP detection commands
arp detection enable
Use arp detection enable to enable ARP detection.
Use undo arp detection enable to restore the default.
Syntax
arp detection enable
undo arp detection enable
Default
ARP detection is disabled.
Views
VLAN view
Predefined user roles
network-admin
mdc-admin
Examples
# Enable ARP detection for VLAN 2.
<Sysname> system-view
[Sysname] vlan 2
[Sysname-vlan2] arp detection enable
arp detection log enable
Use arp detection log enable to enable ARP detection logging.
Use undo arp detection log enable to disable ARP detection logging.
Syntax
arp detection log enable
undo arp detection log enable
Default
ARP detection logging is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
This command is available in Release 1138P01 and later versions.
Examples
# Enable ARP detection logging.
<Sysname> system-view
[Sysname] arp detection log enable
arp detection trust
Use arp detection trust to configure a port as an ARP trusted port.
Use undo arp detection trust to restore the default.
Syntax
arp detection trust
undo arp detection trust
Default
An interface is an ARP untrusted interface.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
mdc-admin
Examples
# Configure FortyGigE 1/0/1 as an ARP trusted interface.
<Sysname> system-view
[Sysname] interface fortygige 1/0/1
[Sysname-FortyGigE1/0/1] arp detection trust
arp detection validate
Use arp detection validate to enable ARP packet validity check. You can specify one or more objects to be checked in one command line.
Use undo arp detection validate to disable ARP packet validity check. If no keyword is specified, this command deletes all objects.
Syntax
arp detection validate { dst-mac | ip | src-mac } *
undo arp detection validate [ dst-mac | ip | src-mac ] *
Default
ARP packet validity check is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
dst-mac: Checks the target MAC address of ARP responses. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
ip: Checks the sender and target IP addresses of ARP replies, and the sender IP address of ARP requests. All-one or multicast IP addresses are considered invalid and the corresponding packets are discarded.
src-mac: Checks whether the sender MAC address in the message body is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded. Otherwise, the packet is discarded.
Examples
# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.
<Sysname> system-view
[Sysname] arp detection validate dst-mac src-mac ip
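The three validity checks described under the dst-mac, ip and src-mac keywords (the src-mac check is the same comparison that arp valid-check enable performs on gateways) as an added Python example that is not code from this manual or the device software. It parses a constructed, untagged Ethernet/ARP frame and reports which enabled checks the frame fails; all addresses in the sample frames are made up.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Set

ETH_HDR_LEN, ARP_LEN, ETHERTYPE_ARP = 14, 28, 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ALL_ZERO_MAC, ALL_ONE_MAC = b"\x00" * 6, b"\xff" * 6
ALL_CHECKS = {"dst-mac", "ip", "src-mac"}   # keywords of arp detection validate


@dataclass(frozen=True)
class ArpFrame:
    eth_dst: bytes      # destination MAC in the Ethernet header
    eth_src: bytes      # source MAC in the Ethernet header
    oper: int           # 1 = request, 2 = reply
    sha: bytes          # sender MAC in the ARP message body
    spa: IPv4Address    # sender IP address
    tha: bytes          # target MAC in the ARP message body
    tpa: IPv4Address    # target IP address


def mac(text: str) -> bytes:
    """H-H-H or colon notation to 6 raw bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def parse_arp_frame(raw: bytes) -> ArpFrame:
    """Parse an untagged Ethernet II frame carrying an Ethernet/IPv4 ARP message."""
    if len(raw) < ETH_HDR_LEN + ARP_LEN:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", raw[:ETH_HDR_LEN])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", raw[ETH_HDR_LEN:ETH_HDR_LEN + ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return ArpFrame(eth_dst, eth_src, oper, sha, IPv4Address(spa), tha, IPv4Address(tpa))


def build_arp_frame(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Inverse of parse_arp_frame; used here only to construct sample frames."""
    return struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ETHERTYPE_ARP) + struct.pack(
        "!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, mac(sha), IPv4Address(spa).packed,
        mac(tha), IPv4Address(tpa).packed)


def invalid_ip(ip: IPv4Address) -> bool:
    """All-one or multicast IP addresses are invalid in an ARP message."""
    return ip == IPv4Address("255.255.255.255") or ip.is_multicast


def failed_checks(frame: ArpFrame, checks: Set[str]) -> List[str]:
    """Return the enabled checks the frame fails; an empty list means the frame is forwarded."""
    failed = []
    if "dst-mac" in checks and frame.oper == ARP_REPLY:
        # Target MAC of a reply must not be all-zero or all-one and must match the Ethernet dst.
        if frame.tha in (ALL_ZERO_MAC, ALL_ONE_MAC) or frame.tha != frame.eth_dst:
            failed.append("dst-mac")
    if "ip" in checks:
        # Replies: sender and target IP are checked; requests: sender IP only.
        addrs = [frame.spa, frame.tpa] if frame.oper == ARP_REPLY else [frame.spa]
        if any(invalid_ip(a) for a in addrs):
            failed.append("ip")
    if "src-mac" in checks and frame.sha != frame.eth_src:
        # Sender MAC in the body must equal the source MAC in the Ethernet header.
        failed.append("src-mac")
    return failed


# Constructed sample frames.
GOOD_REPLY = build_arp_frame("0001-0001-0001", "0002-0002-0002", ARP_REPLY,
                             "0002-0002-0002", "192.168.0.2", "0001-0001-0001", "192.168.0.1")
# Sender MAC in the body differs from the Ethernet source MAC.
SPOOFED_SENDER = build_arp_frame("0001-0001-0001", "000a-000a-000a", ARP_REPLY,
                                 "0002-0002-0002", "192.168.0.2", "0001-0001-0001", "192.168.0.1")
# Reply whose target MAC is the all-one address.
BROADCAST_TARGET = build_arp_frame("ffff-ffff-ffff", "0002-0002-0002", ARP_REPLY,
                                   "0002-0002-0002", "192.168.0.2", "ffff-ffff-ffff", "192.168.0.1")
# Request carrying a multicast sender IP address.
MULTICAST_SENDER = build_arp_frame("ffff-ffff-ffff", "0002-0002-0002", ARP_REQUEST,
                                   "0002-0002-0002", "224.0.0.1", "0000-0000-0000", "192.168.0.1")

if __name__ == "__main__":
    for name, raw in [("good reply", GOOD_REPLY), ("spoofed sender", SPOOFED_SENDER),
                      ("broadcast target", BROADCAST_TARGET), ("multicast sender", MULTICAST_SENDER)]:
        print(f"{name}: failed {failed_checks(parse_arp_frame(raw), ALL_CHECKS) or 'none'}")
```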
arp restricted-forwarding enable
Use arp restricted-forwarding enable to enable ARP restricted forwarding.
Use undo arp restricted-forwarding enable to disable ARP restricted forwarding.
Syntax
arp restricted-forwarding enable
undo arp restricted-forwarding enable
Default
ARP restricted forwarding is disabled.
Views
VLAN view
Predefined user roles
network-admin
mdc-admin
Examples
# Enable ARP restricted forwarding in VLAN 2.
<Sysname> system-view
[Sysname] vlan 2
[Sysname-vlan2] arp restricted-forwarding enable
display arp detection
Use display arp detection to display the VLANs enabled with ARP detection.
Syntax
display arp detection
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Display the VLANs enabled with ARP detection.
<Sysname> display arp detection
ARP detection is enabled in the following VLANs:
1-2, 4-5
Related commands
arp detection enable
display arp detection statistics
Use display arp detection statistics to display ARP detection statistics.
Syntax
display arp detection statistics [ interface interface-type interface-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
interface interface-type interface-number: Displays the ARP detection statistics of a specific interface.
Usage guidelines
This command displays numbers of packets discarded by user validity check and ARP packet validity check. If you do not specify any interface, the command displays statistics for all interfaces.
Examples
# Display the ARP detection statistics for all interfaces.
<Sysname> display arp detection statistics
State: U-Untrusted T-Trusted
ARP packets dropped by ARP inspect checking:
Interface(State) IP Src-MAC Dst-MAC Inspect
FGE1/0/1(U) 0 0 0 0
FGE1/0/2(U) 0 0 0 0
FGE1/0/3(U) 0 0 0 0
FGE1/0/4(U) 0 0 0 0
FGE1/0/5(U) 0 0 0 0
FGE1/0/6(U) 0 0 0 0
FGE1/0/7(U) 0 0 0 0
FGE1/0/8(U) 0 0 0 0
FGE1/0/9(U) 0 0 0 0
FGE1/0/10(U) 0 0 0 0
FGE1/0/11(U) 0 0 0 0
FGE1/0/12(U) 0 0 0 0
Table 39 Command output
Field | Description |
---|---|
State | State of an interface: · U—ARP untrusted interface. · T—ARP trusted interface. |
Interface(State) | Inbound interface of ARP packets. State specifies the port state, trusted or untrusted. |
IP | Number of ARP packets discarded due to invalid source and destination IP addresses. |
Src-MAC | Number of ARP packets discarded due to invalid source MAC address. |
Dst-MAC | Number of ARP packets discarded due to invalid destination MAC address. |
Inspect | Number of ARP packets that failed the user validity check. |
reset arp detection statistics
Use reset arp detection statistics to clear ARP detection statistics.
Syntax
reset arp detection statistics [ interface interface-type interface-number ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
interface interface-type interface-number: Clears the ARP detection statistics of a specific interface.
Usage guidelines
If you do not specify any interface, this command clears the statistics of all interfaces.
Examples
# Clear the ARP detection statistics of all interfaces.
<Sysname> reset arp detection statistics
ARP scanning and fixed ARP commands
The ARP scanning and fixed ARP features are available in Release 1138P01 and later versions.
arp fixup
Use arp fixup to convert existing dynamic ARP entries to static ARP entries.
Use undo arp fixup to convert existing static ARP entries to dynamic ARP entries.
Syntax
arp fixup
undo arp fixup
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The ARP conversion is a one-time operation. You can use this command again to convert the dynamic ARP entries learned later to static.
The static ARP entries converted from dynamic ARP entries have the same attributes as the manually configured static ARP entries. Due to the device's limit on the total number of static ARP entries, some dynamic ARP entries might fail the conversion.
The static ARP entries after conversion can include the following entries:
· Existing dynamic and static ARP entries before conversion.
· New dynamic ARP entries learned during the conversion.
Dynamic ARP entries that are aged out during the conversion are not converted to static ARP entries.
To delete a static ARP entry converted from dynamic or a dynamic ARP entry converted from static, use the undo arp ip-address [ vpn-instance-name ] command. You can also use the reset arp all command to delete all ARP entries including the converted entries.
Examples
# Convert existing dynamic ARP entries to static ARP entries.
<Sysname> system-view
[Sysname] arp fixup
# Convert existing static ARP entries to dynamic ARP entries.
<Sysname> system-view
[Sysname] undo arp fixup
arp scan
Use arp scan to trigger ARP scanning of an address range.
Syntax
arp scan [ start-ip-address to end-ip-address ]
Views
Layer 3 Ethernet interface view, Layer 3 aggregate interface view, VLAN interface view
Predefined user roles
network-admin
mdc-admin
Parameters
start-ip-address: Specifies the start IP address of the scanning range.
end-ip-address: Specifies the end IP address of the scanning range. The end IP address must be higher than or equal to the start IP address.
Usage guidelines
ARP scanning automatically creates ARP entries for devices in the specified address range. IP addresses already in existing ARP entries are not scanned.
If the interface's primary and secondary IP addresses are in the address range, the sender IP address in the ARP request is the address on the smallest network segment.
If no address range is specified, the device learns ARP entries for devices on the subnet where the primary IP address of the interface resides. The sender IP address in the ARP requests is the primary IP address of the interface.
The start and end IP addresses must be on the same subnet as the primary IP address or secondary IP addresses of the interface.
ARP scanning will take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.
Examples
# Configure the device to scan the neighbors on the network where the primary IP address of VLAN-interface 2 resides.
<Sysname> system-view
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] arp scan
# Configure the device to scan neighbors in an address range.
<Sysname> system-view
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] arp scan 1.1.1.1 to 1.1.1.20
ARP gateway protection commands
The ARP gateway protection feature is available in Release 1138P01 and later versions.
arp filter source
Use arp filter source to enable ARP gateway protection for a gateway.
Use undo arp filter source to disable ARP gateway protection for a gateway.
Syntax
arp filter source ip-address
undo arp filter source ip-address
Default
ARP gateway protection is disabled.
Views
Layer 2 Ethernet interface view, Layer 2 aggregate interface view
Predefined user roles
network-admin
mdc-admin
Parameters
ip-address: Specifies the IP address of a protected gateway.
Usage guidelines
You can enable ARP gateway protection for a maximum of eight gateways on an interface.
You cannot configure both the arp filter source and arp filter binding commands on the same interface.
Examples
# Enable ARP gateway protection for the gateway with IP address 1.1.1.1.
<Sysname> system-view
[Sysname] interface fortygige 1/0/1
[Sysname-FortyGigE1/0/1] arp filter source 1.1.1.1
ARP filtering commands
The ARP filtering feature is available in Release 1138P01 and later versions.
arp filter binding
Use arp filter binding to enable ARP filtering and configure an ARP permitted entry.
Use undo arp filter binding to remove an ARP permitted entry.
Syntax
arp filter binding ip-address mac-address
undo arp filter binding ip-address
Default
ARP filtering is disabled.
Views
Layer 2 Ethernet interface view, Layer 2 aggregate interface view
Predefined user roles
network-admin
mdc-admin
Parameters
ip-address: Specifies a permitted sender IP address.
mac-address: Specifies a permitted sender MAC address.
Usage guidelines
You can configure a maximum of eight ARP permitted entries on an interface.
You cannot configure both the arp filter source and arp filter binding commands on the same interface.
Examples
# Configure an ARP permitted entry.
<Sysname> system-view
[Sysname] interface fortygige 1/0/1
[Sysname-FortyGigE1/0/1] arp filter binding 1.1.1.1 2-2-2
uRPF commands
display ip urpf
Use display ip urpf to display uRPF configuration.
Syntax
In standalone mode:
display ip urpf [ slot slot-number ]
In IRF mode:
display ip urpf [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
slot slot-number: Specifies a card by slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument specifies the ID of the IRF member device, and the slot-number argument specifies the number of the slot that holds the card. (In IRF mode.)
Examples
# (In standalone mode.) Display uRPF configuration for the card in slot 3.
<Sysname> display ip urpf slot 3
Global uRPF configuration information(failed):
Check type: strict
Allow default route
Table 40 Command output
Field | Description |
---|---|
Global uRPF configuration information | Global uRPF configuration. |
(failed) | Failed to deliver the uRPF configuration to the forwarding chip because of insufficient chip resources. If this field does not exist, the delivery is successful. |
Check type | uRPF check mode: loose or strict. |
Allow default route | Allow use of the default route. |
ip urpf
Use ip urpf to enable uRPF.
Use undo ip urpf to disable uRPF.
Syntax
ip urpf { loose | strict }
undo ip urpf
Default
uRPF is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
loose: Enables loose uRPF check. To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry.
strict: Enables strict uRPF check. To pass strict uRPF check, the source address and receiving interface of a packet must match the destination address and output interface of a FIB entry.
Usage guidelines
uRPF can be deployed on a PE connected to a CE or another ISP, or on a CE.
Configure strict uRPF check on a PE interface connected to a CE, and configure loose uRPF check on a PE interface connected to another ISP.
For asymmetrical routing where the interface receiving upstream traffic is different from the interface forwarding downstream traffic on a PE device, configure loose uRPF to avoid discarding valid packets. If the two interfaces are the same (symmetrical routing), configure strict uRPF. An ISP usually adopts symmetrical routing on a PE device.
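The following model of the loose and strict checks, placed as the guideline recommends (strict toward the CE, loose toward the other ISP), is an added example and not device code. The FIB, interface names and packets are constructed, and the per-interface mode table is an assumption made to illustrate the guideline; on the device the ip urpf command is global.

```python
"""Model of loose vs strict uRPF as described above. Added example, not
device code; FIB, POLICY and PACKETS are constructed sample data."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple


class FibEntry(NamedTuple):
    prefix: ipaddress.IPv4Network
    out_iface: str


# Constructed FIB of a PE: two CE-facing interfaces and one facing another ISP.
FIB = [
    FibEntry(ipaddress.ip_network("10.1.0.0/16"), "ce0"),
    FibEntry(ipaddress.ip_network("10.1.5.0/24"), "ce1"),
    FibEntry(ipaddress.ip_network("203.0.113.0/24"), "isp0"),
    FibEntry(ipaddress.ip_network("0.0.0.0/0"), "isp0"),  # default route
]

# Assumed per-interface placement following the guideline above:
# strict on the PE-CE interfaces, loose on the PE-ISP interface.
POLICY = {"ce0": "strict", "ce1": "strict", "isp0": "loose"}


def lookup(fib: List[FibEntry], addr: ipaddress.IPv4Address) -> Optional[FibEntry]:
    """Longest-prefix match of a source address against the FIB."""
    best = None
    for entry in fib:
        if addr in entry.prefix and (best is None or entry.prefix.prefixlen > best.prefix.prefixlen):
            best = entry
    return best


def urpf_check(fib: List[FibEntry], src_ip: str, in_iface: str, mode: str,
               allow_default_route: bool = False) -> bool:
    """True if the packet passes the uRPF check.
    loose:  the source address must match the destination of some FIB entry.
    strict: additionally, that entry's output interface must be the
            receiving interface.
    A hit on the default route counts only when allow_default_route is set
    (the 'Allow default route' field of display ip urpf)."""
    if mode not in ("loose", "strict"):
        raise ValueError("mode must be 'loose' or 'strict'")
    entry = lookup(fib, ipaddress.ip_address(src_ip))
    if entry is None:
        return False
    if entry.prefix.prefixlen == 0 and not allow_default_route:
        return False
    if mode == "strict" and entry.out_iface != in_iface:
        return False
    return True


def dropped_packets(fib: List[FibEntry], policy: Dict[str, str],
                    packets: List[Tuple[str, str]], allow_default_route: bool = False):
    """Apply each interface's mode to (src_ip, in_iface) packets and return
    the ones uRPF would discard."""
    return [(src, iface) for src, iface in packets
            if not urpf_check(fib, src, iface, policy[iface], allow_default_route)]


# Constructed traffic: a valid CE packet; the same source arriving on the other
# CE port (strict drops it, loose would not); ISP traffic; a source from the
# CE range arriving from the ISP (loose lets it through, which is the trade-off
# of loose mode); and a source reachable only through the default route.
PACKETS = [
    ("10.1.5.7", "ce1"),
    ("10.1.5.7", "ce0"),
    ("203.0.113.9", "isp0"),
    ("10.1.7.9", "isp0"),
    ("198.51.100.5", "isp0"),
]
```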
Examples
# Enable strict uRPF check globally.
<Sysname> system-view
[Sysname] ip urpf strict
Related commands
display ip urpf
FIPS commands
display fips status
Use display fips status to display the current FIPS mode state.
Syntax
display fips status
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Display the current FIPS mode state.
<Sysname> display fips status
FIPS mode is enabled.
Related commands
fips mode enable
fips mode enable
Use fips mode enable to enable FIPS mode.
Use undo fips mode enable to disable FIPS mode.
Syntax
fips mode enable
undo fips mode enable
Default
FIPS mode is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
After you enable FIPS mode and reboot the device, the device operates in FIPS mode. The FIPS device has strict security requirements, and performs self-tests on cryptography modules to verify that they are operating correctly.
After you execute the fips mode enable command, the system provides the following methods to enter FIPS mode:
· Automatic reboot
Select the automatic reboot method. The system automatically performs the following tasks:
a. Create a default FIPS configuration file named fips-startup.cfg.
b. Specify the default file as the startup configuration file.
c. Require you to configure the username and password for next login.
You can press Ctrl+C to exit the configuration process, in which case the fips mode enable command is not executed.
The system automatically uses the specified startup configuration file to reboot the device after you configure the administrator's username and password.
· Manual reboot
This method requires that you manually complete the configurations for entering FIPS mode, and then reboot the device.
To use manual reboot to enter FIPS mode:
a. Enable the password control feature globally.
b. Set the number of character types a password must contain to 4, and set the minimum number of characters for each type to one character.
c. Set the minimum length of user passwords to 15 characters.
d. Add a local user account for device management, including the following items:
- A username.
- A password that must comply with the password control policies.
- A user role of network-admin or mdc-admin.
- A service type of terminal.
e. Delete the FIPS-incompliant local user service types Telnet and FTP.
f. Save the configuration file and specify it as the startup configuration file.
g. Delete the original startup configuration file in binary format.
h. Reboot the device.
After the fips mode enable command is executed, the system prompts you to choose a reboot method. If you do not make a choice within 30 seconds, the system uses the manual reboot method by default.
After the undo fips mode enable command is executed, the system provides the following methods to exit FIPS mode:
· Automatic reboot
Select the automatic reboot method. The system automatically creates a default non-FIPS configuration file named non-fips-startup.cfg, and specifies the file as the startup configuration file. The system reboots the device by using the default non-FIPS configuration file. After the reboot, you are directly logged into the device.
· Manual reboot
This method requires that you manually complete the configurations for entering non-FIPS mode, and then reboot the device. After the device reboots, you must enter user information according to the authentication mode to log in to the device.
Examples
# Enable FIPS mode, and choose the automatic reboot method to enter FIPS mode.
<Sysname> system-view
[Sysname] fips mode enable
FIPS mode change requires a device reboot. Continue? [Y/N]:y
Reboot the device automatically? [Y/N]:y
The system will create a new startup configuration file for FIPS mode. After you set the login username and password for FIPS mode, the device will reboot automatically.
Enter username(1-55 characters): root
Enter password(15-63 characters):
Confirm password:
Waiting for reboot... After reboot, the device will enter FIPS mode.
# Enable FIPS mode, and choose the manual reboot method to enter FIPS mode.
<Sysname> system-view
[Sysname] fips mode enable
FIPS mode change requires a device reboot. Continue? [Y/N]:y
Reboot the device automatically? [Y/N]:n
Change the configuration to meet FIPS mode requirements, save the configuration to the next-startup configuration file, and then reboot to enter FIPS mode.
# Disable FIPS mode, and choose the automatic reboot method to enter non-FIPS mode.
[Sysname] undo fips mode enable
FIPS mode change requires a device reboot. Continue? [Y/N]:y
The system will create a new startup configuration file for non-FIPS mode and then reboot automatically. Continue? [Y/N]:y
Waiting for reboot... After reboot, the device will enter non-FIPS mode.
# Disable FIPS mode, and choose the manual reboot method to enter non-FIPS mode.
[Sysname] undo fips mode enable
FIPS mode change requires a device reboot. Continue? [Y/N]:y
The system will create a new startup configuration file for non-FIPS mode, and then reboot automatically. Continue? [Y/N]:n
Change the configuration to meet non-FIPS mode requirements, save the configuration to the next-startup configuration file, and then reboot to enter non-FIPS mode.
Related commands
display fips status
fips self-test
Use fips self-test to trigger a self-test on the cryptographic algorithms.
Syntax
fips self-test
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
To examine whether the cryptography modules operate correctly, you can use this command to trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test.
A successful self-test requires that all cryptographic algorithms pass the self-test. If the self-test fails, the card on which the self-test process runs reboots.
Examples
# Trigger a self-test on the cryptographic algorithms.
<Sysname> system-view
[Sysname] fips self-test
FIPS Known-Answer Tests are running ...
Slot 16 in chassis 1:
Starting Known-Answer tests in the user space.
Known-answer test for SHA1 passed.
Known-answer test for SHA224 passed.
Known-answer test for SHA256 passed.
Known-answer test for SHA384 passed.
Known-answer test for SHA512 passed.
Known-answer test for HMAC-SHA1 passed.
Known-answer test for HMAC-SHA224 passed.
Known-answer test for HMAC-SHA256 passed.
Known-answer test for HMAC-SHA384 passed.
Known-answer test for HMAC-SHA512 passed.
Known-answer test for AES passed.
Known-answer test for RSA(signature/verification) passed.
Known-answer test for RSA(encrypt/decrypt) passed.
Known-answer test for DSA(signature/verification) passed.
Known-answer test for random number generator passed.
Known-Answer tests in the user space passed.
Starting Known-Answer tests in the kernel.
Known-answer test for SHA1 passed.
Known-answer test for HMAC-SHA1 passed.
Known-answer test for AES passed.
Known-answer test for random number generator passed.
Known-Answer tests in the kernel passed.
FIPS Known-Answer Tests passed.
Attack detection and prevention commands
attack-defense tcp fragment enable
Use attack-defense tcp fragment enable to enable TCP fragment attack prevention.
Use undo attack-defense tcp fragment enable to disable TCP fragment attack prevention.
Syntax
attack-defense tcp fragment enable
undo attack-defense tcp fragment enable
Default
TCP fragment attack prevention is enabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
This command enables the device to drop attack TCP fragments to prevent TCP fragment attacks.
This command takes effect only on Layer 3 packets.
Examples
# Enable TCP fragment attack prevention.
<Sysname> system-view
[Sysname] attack-defense tcp fragment enable
# Disable TCP fragment attack prevention.
<Sysname> system-view
[Sysname] undo attack-defense tcp fragment enable