12-Security Command Reference


DAE proxy commands

client

Use client to configure a DAE client.

Use undo client to remove a DAE client.

Syntax

client { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ key { cipher | simple } string ]

undo client { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

No DAE clients are configured.

Views

DAE proxy view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies the IPv4 address of a DAE client. It cannot be an all 0s address, all 1s address, class D address, class E address, or loopback address.

ipv6 ipv6-address: Specifies the IPv6 address of a DAE client. It must be a unicast address and cannot be a loopback address or link-local address.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the DAE client belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the DAE client belongs to the public network, do not specify this option.

key: Specifies the shared key for authenticating the DAE client. It must be the same as the shared key configured on the DAE client.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

The DAE proxy forwards DAE requests only from DAE clients that are configured by using this command.

Upon receiving a DAE request, the DAE proxy searches the configured client information for a shared key by the source IP address and VPN instance in the request. If a shared key is found, the DAE proxy uses the shared key to verify the Authenticator field of the request. If no shared key is found or the Authenticator field verification fails, the DAE proxy discards the request.

To configure multiple DAE clients, execute this command multiple times.
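The lookup and Authenticator check described above, as an added example (not H3C code). It assumes the standard RFC 5176 Request Authenticator computation; the function names, discard reasons, client table, and sample packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

DM_REQ, COA_REQ = 40, 43  # RFC 5176 codes: Disconnect-Request, CoA-Request

# Constructed client table keyed the way the lookup above is described:
# (source IP, VPN instance or None for the public network) -> shared key.
CLIENTS = {("192.168.0.1", "vpn1"): b"123456"}


def request_authenticator(code, ident, attrs, key):
    """MD5(Code + Identifier + Length + 16 zero octets + Attributes + key)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + key).digest()


def build_request(code, ident, attrs, key):
    """Build a DAE request the way a DAE client holding `key` would."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + request_authenticator(code, ident, attrs, key) + attrs


def check_request(packet, src_ip, vpn, clients=CLIENTS):
    """Return 'forward', or the reason the request is discarded."""
    if len(packet) < 20:
        return "discard: invalid packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DM_REQ, COA_REQ) or not 20 <= length <= len(packet):
        return "discard: invalid packet"
    key = clients.get((src_ip, vpn))
    if key is None:
        return "discard: no shared key for client"
    attrs = packet[20:length]  # octets beyond Length are padding
    expected = request_authenticator(code, ident, attrs, key)
    # Constant-time comparison of the 16-byte Authenticator field.
    if not hmac.compare_digest(expected, packet[4:20]):
        return "discard: authenticator check failed"
    return "forward"


# Constructed sample: Disconnect-Request carrying User-Name = "alice".
SAMPLE_ATTRS = bytes([1, 7]) + b"alice"
SAMPLE_REQUEST = build_request(DM_REQ, 7, SAMPLE_ATTRS, b"123456")

if __name__ == "__main__":
    print(check_request(SAMPLE_REQUEST, "192.168.0.1", "vpn1"))
    print(check_request(SAMPLE_REQUEST, "192.168.0.1", None))
```

The second call shows that the VPN instance is part of the lookup key: the same packet from the same address in the public network finds no shared key and is discarded.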

Examples

# Configure a DAE client in VPN instance vpn1 that uses IP address 192.168.0.1 and plaintext shared key 123456.

<Sysname> system-view

[Sysname] radius dynamic-author proxy

[Sysname-radius-da-proxy] client ip 192.168.0.1 vpn-instance vpn1 key simple 123456

Related commands

display radius dynamic-author proxy

display radius dynamic-author proxy

Use display radius dynamic-author proxy to display DAE proxy settings and statistics.

Syntax

display radius dynamic-author proxy

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display DAE proxy settings and statistics.

<Sysname> display radius dynamic-author proxy

Status: Enabled

Listening port: 2000

RADIUS DAE clients:

  IP address                                     VPN instance

  192.168.0.244                                  VPN1

  192:168::0:244                                 N/A

RADIUS DAE servers:

  IP address                                     VPN instance

  192.168.1.10                                   VPN1

  192:168::1:10                                  N/A

 

RADIUS DAE packet statistics (DAE proxy<--->DAE client):

  Invalid packets: 0

  PacketName   DM_REQ      DM_ACK     DM_NAK     COA_REQ    COA_ACK    COA_NAK

  Received     5           0          0          6          0          0

  Duplicated   1           0          0          0          0          0

  CheckError   0           0          0          0          0          0

  NASNotFound  0           0          0          0          0          0

  Sent         0           3          2          0          6          0

  FailedToSend 0           0          0          0          0          0

 

RADIUS DAE packet statistics (DAE proxy<--->DAE server):

  Invalid packets: 0

  PacketName   DM_REQ      DM_ACK     DM_NAK     COA_REQ    COA_ACK    COA_NAK

  Sent         10          0          0          12         0          0

  FailedToSend 0           0          0          0          0          0

  Received     0           8          2          0          12         0

  NoContext    0           0          0          0          0          0

Table 1 Command output

Field: Description

Status: Whether DAE proxy is enabled or disabled.

Listening port: Port used to listen for DAE requests from DAE clients.

RADIUS DAE clients: IP addresses of DAE clients and VPN instances to which DAE clients belong.

RADIUS DAE servers: IP addresses of DAE servers and VPN instances to which DAE servers belong.

IP address: IP addresses of DAE clients or servers.

VPN instance: VPN instances to which DAE clients or servers belong.

PacketName: Type of the DAE packet:

·     DM_REQ—DM request packet.

·     COA_REQ—CoA request packet.

·     DM_ACK—DM acknowledgment packet.

·     DM_NAK—DM negative acknowledgment packet.

·     COA_ACK—CoA acknowledgment packet.

·     COA_NAK—CoA negative acknowledgment packet.

RADIUS DAE packet statistics (DAE proxy <---> DAE client): Statistics of DAE packets between the DAE proxy and DAE clients.

RADIUS DAE packet statistics (DAE proxy <---> DAE server): Statistics of DAE packets between the DAE proxy and DAE servers.

Invalid packets: The number of invalid packets received, that is, packets whose length or type is incorrect.

Received: The number of received valid DAE packets. Retransmitted packets are counted as one packet.

Duplicated: The number of duplicate DAE packets received from DAE clients. This field is available only for COA_REQ and DM_REQ packets.

CheckError: The number of received packets that failed Authenticator field verification. This field is available only for COA_REQ and DM_REQ packets.

NASNotFound: The number of DAE packets for which the DAE server (acting as the NAS) cannot be found.

Sent: The number of DAE packets that were sent to the DAE clients or servers.

FailedToSend: The number of DAE packets that failed to be sent to the DAE server.

Duplicated: The number of duplicate DAE packets received. This field is available only for COA_REQ and DM_REQ packets.

NoContext: The number of packets received from the DAE servers for which no matching context can be found.

 

Related commands

client

listen-port

server

listen-port

Use listen-port to specify the UDP port used to listen for DAE requests from DAE clients.

Use undo listen-port to restore the default.

Syntax

listen-port port-number

undo listen-port

Default

The listening port for DAE requests is 3799.

Views

DAE proxy view

Predefined user roles

network-admin

Parameters

port-number: Specifies a UDP port number in the range of 1 to 65535.

Usage guidelines

The port configured by using this command must be the same as the destination port of DAE requests sent by DAE clients.

To prevent loss of DAE requests, disable DAE proxy before you change the listening port.

The device can act as both the DAE proxy and a DAE server at the same time, and both roles use UDP port 3799 as the default listening port. To use the device as the DAE proxy and a DAE server at the same time, specify different listening ports for the two features.

Examples

# Set the listening port for DAE requests to 3798.

<Sysname> system-view

[Sysname] radius dynamic-author proxy

[Sysname-radius-da-proxy] listen-port 3798

Related commands

radius dynamic-author proxy

radius dynamic-author proxy

Use radius dynamic-author proxy to enable DAE proxy and enter DAE proxy view.

Use undo radius dynamic-author proxy to disable DAE proxy.

Syntax

radius dynamic-author proxy [ listen-port port-number ]

undo radius dynamic-author proxy

Default

DAE proxy is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

listen-port port-number: Specifies the UDP port used to listen for DAE requests from DAE clients. The value range is 1 to 65535, and the default is 3799.

Usage guidelines

The DAE proxy feature enables the device to act as the DAE proxy to forward DAE requests and responses between a DAE client and a DAE server.

Disabling DAE proxy also performs the following operations:

·     Deletes DAE proxy view and all DAE proxy settings.

·     Disables the configured and ephemeral UDP ports used to listen for DAE packets.

The port configured by using this command must be the same as the destination port of DAE requests sent by DAE clients.

You can specify the DAE proxy listening port number by using this command in system view or using the listen-port port-number command in DAE proxy view. The configurations have the same priority, and the most recent configuration takes effect.

Examples

# Enable DAE proxy and enter DAE proxy view.

<Sysname> system-view

[Sysname] radius dynamic-author proxy

[Sysname-radius-da-proxy]

Related commands

display radius dynamic-author

listen-port

reset radius dynamic-author proxy statistics

Use reset radius dynamic-author proxy statistics to clear DAE proxy statistics.

Syntax

reset radius dynamic-author proxy statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear DAE proxy statistics.

<Sysname> reset radius dynamic-author proxy statistics

Related commands

display radius dynamic-author proxy

server

Use server to configure a DAE server.

Use undo server to remove a DAE server.

Syntax

server { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

undo server { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

No DAE servers are configured.

Views

DAE proxy view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies the IPv4 address of a DAE server. It cannot be an all 0s address, all 1s address, class D address, class E address, or loopback address.

ipv6 ipv6-address: Specifies the IPv6 address of a DAE server. It must be a unicast address and cannot be a loopback address or link-local address.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the DAE server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the DAE server belongs to the public network, do not specify this option.

Usage guidelines

The DAE proxy forwards DAE requests to and receives DAE responses from only DAE servers that are configured by using this command.

To configure multiple DAE servers, execute this command multiple times.

Examples

# Configure a DAE server that uses IPv4 address 10.1.1.1.

<Sysname> system-view

[Sysname] radius dynamic-author proxy

[Sysname-radius-da-proxy] server ip 10.1.1.1

Related commands

radius dynamic-author proxy

server port

Use server port to configure the DAE server listening port.

Use undo server port to restore the default.

Syntax

server port dest-port

undo server port

Default

The DAE server listening port is 3799.

Views

DAE proxy view

Predefined user roles

network-admin

Parameters

dest-port: Specifies a port number in the range of 1 to 65535.

Usage guidelines

The DAE proxy uses the configured port as the destination port in a DAE request that is forwarded to DAE servers.

The port configured by using this command must be the same as the listening port configured on DAE servers by using the port command in RADIUS DAS view.

To prevent loss of DAE responses, disable DAE proxy before you modify this port setting.

Examples

# Set the DAE server listening port to 30000.

<Sysname> system-view

[Sysname] radius dynamic-author proxy

[Sysname-radius-da-proxy] server port 30000

Related commands

port (BRAS Services Command Reference)

radius dynamic-author proxy
