HP 6125G HP 6125G & 6125G/XG Blade Switches Security Command Reference
HP 6125G manual content summary:
- HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 1
HP 6125 Blade Switch Series Security Command Reference Part number: 5998-3171 Software version: Release 2103 Document version: 6W100-20120907
- Page 2
, or use of this material. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or
- Page 3
25 display local-user 26 display user-group 28 expiration-date (local user view) 30 group 30 group-attribute allow-guest 31 local-user 31 password (local user view) 32 service-type 33 state (local user view) 34 user-group 35 validity-date 35 RADIUS configuration commands 36 accounting-on
- Page 4
timer realtime-accounting (RADIUS scheme view) 66 timer response-timeout (RADIUS scheme view) 67 user-name-format (RADIUS scheme view) 68 vpn-instance (RADIUS scheme view) 69 HWTACACS configuration commands 70 data-flow-format (HWTACACS scheme view) 70 display hwtacacs 70 display stop-accounting
- Page 5
-authentication 117 mac-authentication domain 118 mac-authentication max-user 119 mac-authentication timer 120 mac-authentication user-name-format 120 reset mac-authentication statistics 122 Port security configuration commands 123 display port-security 123 display port-security mac-address
- Page 6
-attempt 156 password-control password update interval 158 password-control super aging 158 password-control super composition 159 password-control super length 159 reset password-control blacklist 160 reset password-control history-record 160 Public key configuration commands 162 display
- Page 7
-ssh1x 202 ssh server dscp 202 ssh server enable 203 ssh server ipv6 dscp 203 ssh server rekey-interval 204 ssh user 205 SSH2.0 client configuration commands 206 display ssh client source 206 display ssh server-info 207 ssh client authentication server 208 ssh client dscp 208 ssh
- Page 8
client ipv6 dscp 227 sftp client ipv6 source 227 sftp client source 228 sftp ipv6 229 SCP configuration commands 231 SCP client configuration commands 231 scp 231 SSL configuration commands 233 ciphersuite 233 client-verify enable 234 client-verify weaken 234 close-mode wait 235 display
- Page 9
strict 270 MFF configuration commands 271 display mac-forced-forwarding interface 271 display mac-forced-forwarding vlan 271 mac-forced-forwarding 273 mac-forced-forwarding gateway probe 273 mac-forced-forwarding network-port 274 mac-forced-forwarding server 275 Support and other resources
- Page 10
configuration commands General AAA configuration commands aaa nas-id profile Syntax aaa nas-id profile profile-name View undo aaa nas-id profile profile-name System view Default -limit enable max-user-number View undo access-limit enable ISP domain view Default level 2: System level 1
- Page 11
line accounting method. Use undo accounting command to restore the default. By default, the default accounting method for the ISP domain is used for command line accounting. The specified HWTACACS scheme must have been configured. Command line accounting can use only a HWTACACS scheme. Related
- Page 12
configured. The default accounting method is used for all users who support the specified accounting method and have no specific accounting method configured generally provides. Related commands: local-user, hwtacacs scheme, and radius scheme. Examples # Configure the default accounting method for
- Page 13
lan-access to restore the default. By default, the default accounting method for the ISP domain is used for LAN users. The specified RADIUS scheme must have been configured. Related commands: local-user, accounting default, and radius scheme. Examples # Configure ISP domain test to use
- Page 14
to restore the default. By default, the default accounting method for the ISP domain is used for login users. The specified RADIUS or HWTACACS scheme must have been configured. Accounting is not supported for login users who use FTP. Related commands: local-user, accounting default, hwtacacs scheme
- Page 15
specified RADIUS or HWTACACS scheme must have been configured. The default authentication method is used for all users who support the specified authentication method and have no specific authentication method configured. Related commands: local-user, hwtacacs scheme, and radius scheme. Examples
- Page 16
lan-access to restore the default. By default, the default authentication method for the ISP domain is used for LAN users. The specified RADIUS scheme must have been configured. Related commands: local-user, authentication default, and radius scheme. Examples # Configure ISP domain test to use
- Page 17
Use undo authentication login to restore the default. By default, the default authentication method for the ISP domain is used for login users. The specified RADIUS or HWTACACS scheme must have been configured. Related commands: local-user, authentication default, hwtacacs scheme, and radius scheme
- Page 18
authorization command to restore the default. By default, the default authorization method for the ISP domain is used for command line authorization. The specified HWTACACS scheme must have been configured. With command line authorization configured, a user who has logged in to the switch can
- Page 19
directory of the switch, and other login users can access only the commands of Level 0. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Description Use authorization default to configure the default authorization method for
- Page 20
authorization method of the ISP domain use the same RADIUS scheme. Related commands: local-user, authorization default, and radius scheme. Examples # Configure ISP domain test to use local authorization for LAN users. system-view [Sysname] domain test [Sysname-isp-test] authorization lan
- Page 21
of the ISP domain use the same RADIUS scheme. Related commands: local-user, authorization default, hwtacacs scheme, and radius scheme. Examples # Configure ISP domain test to use local authorization for login users. system-view [Sysname] domain test [Sysname-isp-test] authorization
- Page 22
, a case-sensitive string of 1 to 31 characters. For more information about user profile configuration, see Security Configuration Guide. Description Use authorization-attribute user-profile to specify the default authorization user profile for an ISP domain. Use undo authorization-attribute
- Page 23
cut their connections by username. For example, the cut connection user-name aaa\bbb command cannot cut the connections of the user aaa\bbb. An interface that is configured with a mandatory authentication domain treats users of the corresponding access type as users in the mandatory authentication
- Page 24
user connections. If you specify the ucibindex ucib-index option, this command displays detailed information. Otherwise, this command displays brief information. If an interface is configured with a mandatory authentication domain (for example, an 802.1X mandatory authentication domain), the switch
- Page 25
connection domain isp-name command and specify the mandatory authentication domain. How the switch displays the username of a user on an interface configured with a mandatory authentication domain depends on the format of the username entered by the user at login: • If the username does not contain
- Page 26
. Authorization user profile. Default level 1: Monitor level Parameters isp-name: Name of an existing ISP domain, a string of 1 to 24 characters. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide
- Page 27
access accounting scheme Domain User Template: Idle-cut : Disabled Self-service : Disabled Authorization attributes : User-profile : profile1 : local : local : local : radius:test, local : hwtacacs:hw, local : local Default Domain Name: system Total 2 domain(s). Table 2 Command output Field Domain
- Page 28
ISP domain system, and can only modify its configuration. To delete the ISP domain that is used as the default ISP domain, you must change it to a non-default ISP domain first by using the undo domain default enable command. Related commands: state and display domain. Examples # Create ISP domain
- Page 29
exist. Otherwise, users without any domain name carried in the username cannot pass authentication. To delete the ISP domain that is used as the default ISP domain, you must change it to a non-default ISP domain first by using the domain default disable command. Related commands: domain, state
- Page 30
on the server to make the server log out users whose traffic during the idle timeout period is less than 10240 bytes, but your setting on the server takes effect only when you disable the idle cut function on the switch. Related commands: domain. Examples # Enable the idle cut function and set
- Page 31
binding takes effect. Related commands: aaa nas-id profile. default. By default, the self-service server location function is disabled. With the self-service function, users can manage and control their accounts and passwords. Only the RADIUS server systems provided by IMC support the self-service
- Page 32
-isp-test] state block Local user configuration commands access-limit Syntax access-limit max-user-number View undo access-limit Local user view Default level 3: Manage level Parameters max-user-number: Maximum number of concurrent users of the current local user account, in the range of
- Page 33
the access behavior of the user. For more information about user profiles, see Security Configuration Guide. user-role: Specifies the role for the local user. This keyword is available in only local user view. Users playing different roles can access different levels of commands. If you specify no
- Page 34
, if the user or users use the FTP or SFTP service. The directory-name argument is a case-insensitive string of 1 to 135 characters. The directory must already exist. By default, an FTP or SFTP user can access the root directory of the switch. Description Use authorization-attribute to configure
- Page 35
service types of the users into account. A configured binding attribute is effective for all types of users. Be cautious when deciding which binding attributes should be configured for which type of local users. For example, an IP address binding applies only to 802.1X authentication that supports
- Page 36
number of member devices and their member IDs in the IRF fabric. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all
- Page 37
date Password aging Password length Password composition Description Status of the local user: active or blocked. Service types that the local user can use, including FTP, LAN, SSH, Telnet, terminal, and web. Whether or not to limit the number of concurrent connections of the username. Number
- Page 38
Default level 2: System level Parameters group-name: User group name, a case-insensitive string of 1 to 32 characters. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first
- Page 39
02:02:00-2011/02/02. Description Use expiration-date to set the expiration time of a local user. Use undo expiration-date to remove the configuration. By default, a local user has no expiration time and no time validity checking is performed. For temporary network access requirements, create
- Page 40
Description Use group to assign a local user to a user group. Use undo group to restore the default. By default, a local user belongs to the system default user group system. Examples # Assign local user 111 to user group abc. system-view [Sysname] local-user 111 [Sysname-luser-111] group
- Page 41
users. Related commands: display local-user and service-type. Examples # Add a local user named user1. system-view [Sysname] local-user user1 [Sysname-luser-user1] password (local user view) Syntax password [ { cipher | simple } password ] View undo password Local user view Default
- Page 42
Use password to configure a password for a local user. Use undo password to delete the password of a local user. If none of the parameters is specified, you enter the interactive mode to set a plaintext password. The interactive mode is supported only on switches that support the password control
- Page 43
specify the service types that a user can use. Use undo service-type to delete service types configured for a user. By default, a user is authorized with no service. You can execute the service-type command repeatedly to specify multiple service types for a user. Examples # Authorize user user1 to
- Page 44
group. Configurable user attributes include password control attributes and authorization attributes. A user group with one or more local users cannot be removed. The system predefined user group system cannot be removed, but you can change its configurations. Related commands: display user-group
- Page 45
user. Use undo validity-date to remove the configuration. By default, a local user switch checks whether the current system time is between the validity time and the expiration time. If so, it permits the user to access the network. Otherwise, it denies the access request of the user. Related command
- Page 46
-on feature. By default, the accounting-on feature is disabled. Parameters set with the accounting-on enable command take effect immediately. After executing the accounting-on enable command, issue the save command to make sure that the command takes effect after the switch reboots. For information
- Page 47
data flows or packets. Use undo data-flow-format to restore the default. By default, the unit for data flows is byte and that for data packets |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
- Page 48
commands: radius scheme. Examples # Display the configuration of all RADIUS schemes. display radius scheme SchemeName : radius1 Index : 0 Type : extended Primary Auth Server: IP: 1.1.1.1 Port: 1812 State: active Encryption Key : ****** VPN instance : 1 Probe username
- Page 49
Service port of the server. If no port configuration is performed, the default port Username used for server status detection. Server status detection interval, in minutes. Shared key for secure authentication communication, displayed as a series of asterisks (******). If no shared key is configured
- Page 50
switch the primary server. Username format Format of the usernames to be sent to } regular-expression ] Any view Default level 2: System level Parameters slot command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide
- Page 51
Examples # Display statistics about RADIUS packets. display radius statistics Slot 1:state statistic(total=4096): DEAD = 4096 AuthProc = 0 AuthSucc = 0 AcctStart = 0 RLTSend = 0 RLTWait = 0 AcctStop = 0 OnLine = 0 Stop = 0 Received and Sent packets statistic: Sent PKT total =
- Page 52
Command User statistics, by state Number of idle users Number of users waiting for authentication Number of users who have passed authentication Number of users for whom accounting has been started Number of users that the switch failed to process Number of messages that the switch successfully
- Page 53
radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] Any view Default level 2: System level Parameters radius-scheme radius-scheme-name: Specifies buffered stop-accounting
- Page 54
user. The username is a case-sensitive string of 1 to 80 characters. Whether the user-name argument should include the domain name depends on the setting configured by the user-name-format command by the retry command). If the switch still receives no RADIUS scheme view Default level 2: System
- Page 55
the default. By default, no shared key is configured. For secrecy, all shared keys, including shared keys configured in plain configuration of the RADIUS servers, if any, take precedence. The shared keys configured on the switch must match those configured on the RADIUS servers. Related commands
- Page 56
an IPv6 address. It must be an address of the switch and must be a unicast address that is neither a loopback default. By default, the source IP address of an outgoing RADIUS packet is that configured by the radius nas-ip command in system view. If the radius nas-ip command is not configured
- Page 57
being used by users, the switch no longer sends real-time accounting or stop-accounting requests for the users, and does not buffer the stop-accounting requests. For secrecy, all shared keys, including shared keys configured in plain text, are saved in cipher text. Related commands: key and vpn
- Page 58
. probe username: Enables the switch to detect the status of the primary RADIUS authentication/authorization server. username name: Specifies the username in the Use undo primary authentication to remove the configuration. By default, no primary RADIUS authentication/authorization server is
- Page 59
user to the specified 802.1X critical VLAN. For more information about the 802.1X critical VLAN, see Security Configuration Guide. To ensure that the switch can set the server to its actual status, set a longer quiet timer for the primary server with the timer quiet command set the username used for
- Page 60
undo radius client to disable the RADIUS listening port of a RADIUS client. By default, the RADIUS listening port is enabled. When the listening port of the RADIUS client of user accounting. • If local authentication, authorization, or accounting is configured as the backup, the switch performs
- Page 61
{ ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] System view Default level 2: System level Parameters ipv4-address: IPv4 address in dotted decimal notation. It must be an address of the switch and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or
- Page 62
view is only for the RADIUS scheme, whereas that configured by the radius nas-ip command in system view is for all RADIUS schemes. The setting in RADIUS scheme view takes precedence. Related commands: nas-ip. Examples # Set the IP address for the switch to use as the source address of the RADIUS
- Page 63
RADIUS scheme referenced by ISP domains cannot be removed. Related commands: display radius scheme. Examples # Create a RADIUS scheme 1 to 100 and defaults to 30. This threshold can only be configured through the MIB. the threshold. Examples # Enable the switch to send traps in response to
- Page 64
:SS-YYYY/MM/DD. user-name user-name: Clears the stop-accounting requests buffered for a user. The username is a case-sensitive string of 1 to 80 characters. Whether the user-name argument should include the domain name depends on the setting configured by the user-name-format command for the RADIUS
- Page 65
receives no response from the RADIUS server, the switch considers the request a failure. The maximum number of packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 75. Related commands: radius scheme and timer response-timeout. Examples # Set
- Page 66
accounting retry-times View undo retry realtime-accounting RADIUS scheme view Default level 2: System level Parameters retry-times: Maximum number of If five consecutive accounting attempts fail, the switch cuts the user connection. Related commands: retry, timer response-timeout, and timer
- Page 67
accounting attempts. Use undo retry stop-accounting to restore the default. By default, the maximum number of stop-accounting attempts is 500. attempt. If 20 consecutive attempts fail, the switch discards the request. Related commands: retry, retry stop-accounting, timer response-timeout
- Page 68
accounting server are the same as those configured on the server. You can configure up to 16 secondary RADIUS accounting servers for a RADIUS scheme by executing this command repeatedly. After the configuration, if the primary server fails, the switch looks for a secondary server in active state
- Page 69
commands server. port-number: Specifies the service port number of the secondary the range of 1 to 65535 and defaults to 1812. key [ cipher | simple username: Enables the switch to detect the status of the secondary RADIUS authentication/authorization server. username name: Specifies the username
- Page 70
an authentication user to the specified 802.1X critical VLAN. For more information about the 802.1X critical VLAN, see Security Configuration Guide. To ensure that the switch can set the server to its actual status, set a longer quiet timer for the secondary server with the timer quiet command. If
- Page 71
RADIUS scheme radius1, set the username used for status detection of the authentication 10.110.1.1 probe username test interval 120 security all } RADIUS scheme view Default level 2: System level Parameters policy servers for a RADIUS scheme. By default, no security policy server is specified
- Page 72
2865 and 2866 or their successors). Description Use server-type to configure the RADIUS server type. Use undo server-type to restore the default. By default, the supported RADIUS server type is standard. Examples # Configure the RADIUS server type of RADIUS scheme radius1 as standard.
- Page 73
out-of-service state. Description Use state secondary to set the status of a secondary RADIUS server. By default, every secondary RADIUS server specified in a RADIUS scheme is in active state. If no IP address is specified, this command changes the status of all configured secondary servers for
- Page 74
manually. If all configured secondary servers are unreachable, the switch considers the authentication or accounting attempt a failure. Related commands: By default, the switch buffers stop-accounting requests to which no responses are received. Stop-accounting requests affect the charge to users.
- Page 75
As a result, when the switch attempts to send a request of the same type for another user, it still tries to send default. By default, the server quiet period is 5 minutes. If you determine that the primary server is unreachable because the switch's port connected to the server is out of service
- Page 76
to the RADIUS accounting server periodically. This command sets the interval. When the real-time accounting interval on the switch is zero, the switch sends online user accounting information to the RADIUS accounting server at the real-time accounting interval configured on the server (if any) or
- Page 77
to be sent to a RADIUS server. By default, the ISP domain name is included in the username. A username is generally in the format userid@isp-name, of which isp-name is used by the switch to determine the ISP domain to which a user belongs. Some earlier RADIUS servers, however, cannot recognize
- Page 78
the RADIUS server regards two users in different ISP domains but with the same userid as one. For 802.1X users using EAP authentication, the user-name-format command configured for a RADIUS scheme does not take effect and the switch does not change the usernames from clients before forwarding them
- Page 79
HWTACACS configuration commands data-flow-format (HWTACACS scheme view) Syntax data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } * View undo data-flow-format { data | packet } HWTACACS scheme view Default
- Page 80
number of member devices and their member IDs in the IRF fabric. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all
- Page 81
of asterisks (******). If no shared key is configured, field displays a hyphen (-). Key for authorization, displayed as a series of asterisks (******). If no shared key is configured, field displays a hyphen (-). Key for accounting, displayed as a series of asterisks (******). If no shared key is
- Page 82
client packet dropped number: 4 HWTACACS authen client access request change password number: 0 HWTACACS authen client access request login number: 5 account client packet dropped number: 0 HWTACACS account client request command level number: 0 HWTACACS account client request connection number: 0
- Page 83
begin | exclude | include } regular-expression ] Any view Default level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin:
- Page 84
view is only for the HWTACACS scheme, whereas that configured by the hwtacacs nas-ip command in system view is for all HWTACACS schemes. The setting in HWTACACS scheme view takes precedence. Related commands: nas-ip. Examples # Set the IP address for the switch to use as the source address of the
- Page 85
to remove the configuration. By default, no shared key is configured. The shared keys configured on the switch must match those configured on the HWTACACS servers. For secrecy, all shared keys, including shared keys configured in plain text, are saved in cipher text. Related commands: display
- Page 86
for outgoing HWTACACS packets. Use undo nas-ip to restore the default. By default, the source IP address of an outgoing HWTACACS packet is configured by the hwtacacs nas-ip command in system view. If the hwtacacs nas-ip command is not configured, the source IP address is the IP address of the
- Page 87
default setting is 0.0.0.0. port-number: Service port number of the primary HWTACACS accounting server. It ranges from 1 to 65535 and defaults -instance vpn-instance-name option. If you configure the command repeatedly, only the last configuration takes effect. You can remove an accounting server
- Page 88
default setting is 0.0.0.0. port-number: Service port number of the primary HWTACACS authentication server. It ranges from 1 to 65535 and defaults this command takes precedence over the VPN specified for the HWTACACS scheme. If you configure the command repeatedly, only the last configuration takes
- Page 89
default setting is 0.0.0.0. port-number: Service port number of the primary HWTACACS authorization server. It ranges from 1 to 65535 and defaults this command takes precedence over the VPN specified for the HWTACACS scheme. If you configure the command repeatedly, only the last configuration takes
- Page 90
Description Use reset hwtacacs statistics to clear HWTACACS statistics. Related commands: display hwtacacs. Examples # Clear all HWTACACS statistics.
of stop-accounting request transmission attempts. Use undo retry stop-accounting to restore the default. By default, the maximum number of stop-accounting request transmission attempts is 100. Related commands: reset stop-accounting-buffer and display stop-accounting-buffer. Examples # Set the - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 92
. By default, no secondary HWTACACS accounting server is specified. The IP addresses of the primary and secondary accounting servers must be different. Otherwise, the configuration fails. If you configure the command repeatedly, only the last configuration takes effect. If the specified server - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 93
this command takes precedence over the VPN specified for the HWTACACS scheme. If you configure the command repeatedly, only the last configuration takes default setting is 0.0.0.0. port-number: Service port number of the secondary HWTACACS authorization server. It ranges from 1 to 65535 and defaults - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 94
by this command takes precedence over the VPN specified for the HWTACACS scheme. If you configure the command repeatedly, only the last configuration takes default, the switch buffers stop-accounting requests to which no responses are received. Stop-accounting requests affect the charge to users. - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 95
found unreachable, the switch changes the status of the server from active to blocked and keeps the server in blocked state until this timer expires. Use undo timer quiet to restore the default. By default, the primary server quiet period is 5 minutes. Related commands: display hwtacacs. Examples - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 96
timer realtime-accounting to restore the default. By default, the real-time accounting interval is 12 minutes. For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. This command is for setting the interval. Consider - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 97
be sent to an HWTACACS server. By default, the ISP domain name is included in the username. A username is generally in the format userid@isp-name, of which isp-name is used by the switch to determine the ISP domain to which a user belongs. Some earlier HWTACACS servers, however, cannot recognize - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 98
undo vpn-instance HWTACACS scheme view Default level 2: System level Parameters vpn-instance scheme. Use undo vpn-instance to remove the configuration. The VPN specified here takes effect for no specific VPN instance is specified. Related commands: display hwtacacs. Examples # Specify VPN - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 99
than the end number and the two interfaces must be the same type. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 100
is Mac-based 802.1X Multicast-trigger is enabled Mandatory authentication domain: NOT configured Guest VLAN: 4 Auth-fail VLAN: NOT configured Critical VLAN: 3 Critical recovery-action: reinitialize Max number of on-line users is 2048 EAPOL Packet: Tx 1087, Rx 986 Sent EAP Request/Identity Packets - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 101
The maximal retransmitting times EAD quick deploy configuration URL Free IP EAD timeout The maximum 802.1X user resource number per slot Total current used fast deployment is enabled Username request timeout timer in seconds Handshake timer in seconds Periodic online user re-authentication timer in - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 102
Controlled User(s) amount dot1x Syntax In system view: dot1x [ interface interface-list ] undo dot1x [ interface interface-list ] In Ethernet interface view: dot1x View undo dot1x System view, Ethernet interface view Default level 2: System level Description Auth-Fail VLAN configured on - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 103
interface in system view or the undo dot1x command in interface view to disable 802.1X for specified ports. By default, 802.1X is neither enabled globally nor does not function. You can configure 802.1X parameters either before or after enabling 802.1X. Related commands: display dot1x. Examples # - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 104
an HP iNode 802.1X client. • CHAP transports username in plaintext and encrypted password over user-name-format command configured in RADIUS scheme view does not take effect. For more information about the user-name-format command, see "RADIUS configuration commands." Local authentication supports - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 105
Ethernet interface view Default users that have failed 802.1X authentication because of the failure to comply with the organization security strategy, such as using a wrong password. Use undo dot1x auth-fail vlan to restore the default. By default, no Auth-Fail VLAN is configured -vlan command to - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 106
Ethernet interface view Default level 2: System level Parameters vlan-id: Specifies a VLAN ID, in the range of 1 to 4094. Make sure the VLAN has been created. Description Use dot1x critical vlan to configure an 802.1X critical VLAN on a port for 802.1X users mac-vlan command to display MAC - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 107
Layer 2 Ethernet interface view Default level 2: System level Parameters reinitialize: Enables the port to trigger 802.1X re-authentication on detection of a reachable RADIUS authentication server for users in the critical VLAN. Description Use dot1x critical recovery-action to configure the - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 108
for 802.1X users. The delimiter set you configured overrides the default setting. If @ is not included in the delimiter set, the access device will not support the 802.1X users that use @ as the domain name delimiter. If a username string contains multiple configured delimiters, the leftmost - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 109
as a guest VLAN, you must remove the guest VLAN configuration first. Related commands: dot1x, dot1x port-method, and dot1x multicast-trigger; mac-vlan enable and display mac-vlan (Layer 2-LAN Switching Command Reference). Examples # Specify VLAN 999 as the 802.1X guest VLAN for port GigabitEthernet - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 110
to check whether a user is online. Use undo dot1x handshake to disable the function. By default, the function is enabled. HP recommends that you use the Ethernet Interface view Default level 2: System level Parameters None Description Use dot1x handshake secure to enable the online user - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 111
the username, and the default ISP domain. To display or cut all 802.1X connections in a mandatory domain, use the display connection domain isp-name or cut connection domain isp-name command. The output from the display connection command without any parameters displays domain names input by users - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 112
connection command to display the user connection information on GigabitEthernet 1/0/1. For more information about the display connection command, see "AAA configuration commands." [Sysname-GigabitEthernet1/0/1] display connection interface gigabitethernet 1/0/1 Slot: 1 Index=68 ,Username=usera - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 113
each to support a maximum of 32 concurrent 802.1X users. system-view [Sysname] dot1x max-user 32 interface gigabitethernet 1/0/2 to gigabitethernet 1/0/5 dot1x multicast-trigger Syntax dot1x multicast-trigger View undo dot1x multicast-trigger Ethernet interface view Default level - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 114
| auto | unauthorized-force } View undo dot1x port-control System view, Ethernet interface view Default level 2: System level Parameters authorized-force: Places the specified or all ports in the authorized state, enabling users on the ports to access the network without authentication. auto - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 115
, Ethernet interface view Default level 2: System level Parameters macbased: Uses MAC-based access control on a port to separately authenticate each user attempting dot1x port-method to restore the default. By default, MAC-based access control applies. In system view, if no interface- - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 116
[Sysname-GigabitEthernet1/0/1] dot1x port-method portbased # Configure ports GigabitEthernet 1/0/2 through GigabitEthernet 1/0/5 to implement undo dot1x quiet-period to disable the timer. By default, the quiet timer is disabled. Related commands: display dot1x and dot1x timer. Examples # Enable - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 117
updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile-based QoS. You can use the dot1x timer reauth-period command to configure the interval for re-authentication. Related commands: dot1x timer reauth-period. Examples # Enable the 802.1X periodic online - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 118
from the client within the username request timeout timer (set with the dot1x timer tx-period tx-period-value command) or the client timeout timer timer to set 802.1X timers. Use undo dot1x timer to restore the defaults. By default, the handshake timer is 15 seconds, the quiet timer is 60 seconds, - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 119
users. To enable periodic online user re-authentication on a port, use the dot1x re-authenticate command. The change to the periodic re-authentication timer applies to the users request to the client. • Username request timeout timer (tx-period)-Starts trigger Ethernet interface view Default level - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 120
period command). This process continues until the maximum number of request attempts (set with the dot1x retry command) is reached. Related commands: User view Default level 2: System level Parameters interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 121
IP. Users can access the segment before passing 802.1X authentication. Use undo dot1x free-ip to remove the specified or all free IP addresses. By default, no free IP is configured. When global MAC authentication, or port security is enabled, the free IP does not take effect. Related commands - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 122
free IP, the device redirects the user to the redirect URL. Use undo dot1x url to remove the redirect URL. By default, no redirect URL is defined. The redirect URL must be on the free IP subnet. If you configure the dot1x url command multiple times, the last configured URL takes effect. Related - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 123
Examples # Configure the redirect URL as http://192.168.0.1. system-view [Sysname] dot1x url http://192.168.0.1 114 - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 124
Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin is enabled. User name format is MAC address in lowercase, like xxxxxxxxxxxx Fixed username:mac Fixed password:not configured Offline detect period - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 125
response timeout value Setting of the server timeout timer the max allowed user number Maximum number of users each slot supports Current user number amounts to Number of online users Current domain: not configured, use default domain Authentication domain that is currently used Silent Mac - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 126
of successful and unsuccessful authentication attempts Maximum number of concurrent online users allowed on the port. If MAC authentication is not enabled System view, Ethernet interface view Default level 2: System level Parameters interface interface-list: Specifies an Ethernet port list, in - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 127
authentication users. Use undo mac-authentication domain to restore the default. By default, the default authentication domain is used for MAC authentication users. For more information about the default authentication domain, see the domain default enable command in "AAA configuration commands - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 128
the maximum number of concurrent MAC authentication users on a port. Use undo mac-authentication max-user to restore the default. By default, maximum number of concurrent MAC authentication users on a port is 2048. Examples # Configure port GigabitEthernet 1/0/1 to support up to 32 concurrent MAC - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 129
. Related commands: display mac-authentication. Examples # Set the server timeout timer to 150 seconds. system-view [Sysname] mac-authentication timer server-timeout 150 mac-authentication user-name-format Syntax mac-authentication user-name-format { fixed [ account name ] [ password - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 130
letters. Description Use mac-authentication user-name-format to configure the type of user accounts for MAC authentication users. Use undo mac-authentication user-name-format to restore the default. By default, each user's MAC address is used as the username and password for MAC authentication, and - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 131
Configure a shared account for MAC authentication users: set the username as abc and password as a ciphertext string of $c$3$Uu9Dh4xRKWa8RHW3TFnNTafBbhdPAg. system-view [Sysname] mac-authentication user-name-format fixed account abc password User view Default level the command clears all - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 132
security configuration commands display port-security Syntax View display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] Any view Default level 2: System level Parameters interface interface-list: Specifies Ethernet ports by an Ethernet port - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 133
Max MAC address number is not configured Stored MAC address number is 0 aging type is absolute Table 12 Command output Field Equipment port-security AddressLearn If it is enabled, the port sends trap information after a user passes 802.1X authentication. Whether trapping for 802.1X logoff - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 134
mode Description Whether trapping for MAC authentication failure is enabled or not. If it is enabled, the port sends trap information when a user fails MAC address authentication. Secure MAC aging timer. The timer applies to sticky or dynamic secure MAC addresses. Silence timeout period of the - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 135
| { begin | exclude | include } regular-expression ] Any view Default level 2: System level Parameters interface interface-type interface-number: Specifies a port command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 136
ADDR From Port VLAN ID 000f-3d80-0d2d GigabitEthernet1/0/1 30 --- On slot 1, 1 mac address(es) found --- --- 1 mac address(es) found --- Table 13 Command output Field MAC ADDR From Port VLAN ID x mac address(es) found On slot x, y mac address(es) found Description Blocked MAC address Port - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 137
to 4094. count: Displays only the count of the secure MAC addresses. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 138
1 Security GigabitEthernet1/0/1 NOAGED --- 1 mac address(es) found --- Table 14 Command output Field MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s) x mac Ethernet interface view Default level 2: System level Parameters None Description Use port-security authorization ignore to configure - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 139
commands: display port-security. Examples # Configure port undo port-security enable to disable port security. By default, port security is disabled. You must disable global You cannot disable port security when online users are present. Related commands: display port-security, dot1x, dot1x port - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 140
to restore the default. By default, intrusion protection is disabled. To restore the connection of the port, use the undo shutdown command. Related commands: display port-security, display port-security mac-address block, and port-security timer disableport. Examples # Configure port GigabitEthernet - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 141
dynamic View Layer 2 Ethernet interface view Default level 2: System default. By default, sticky MAC addresses can be saved to the configuration file, and once saved, survive a device reboot. After you execute the port-security mac-address dynamic command on a port, you cannot manually configure - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 142
interface-type interface-number ] ] vlan vlan-id ] Layer 2 Ethernet interface view, system view Default level 2: System level Parameters sticky: Specifies a sticky MAC address. If you do not provide this keyword, the command configures a static secure MAC address. mac-address: Secure MAC address - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 143
MAC addresses can be manually configured or automatically learned in autoLearn mode. Sticky MAC addresses do not age out by default. You can use the port-security timer autolearn aging command to set an aging -count count-value View undo port-security max-mac-count Ethernet interface view 134 - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 144
default setting. By default, port security has no limit on the number of MAC addresses on a port. In autoLearn mode, this command sets the maximum number of secure MAC addresses (both configured View undo port-security ntk-mode Ethernet interface view Default level 2: System level Parameters ntk- - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 145
16. Description Use port-security oui to configure an OUI value for user authentication. This value is used when the default, no OUI value is configured. An OUI, the first 24 binary bits of a MAC address, is assigned by IEEE to uniquely identify a device vendor. Use this command when you configure - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 146
secure MAC addresses by using the port-security mac-address security command. A secure MAC address never ages out by default. In addition, you can configure MAC addresses manually by using the mac-address dynamic and mac-address static commands for a port in autoLearn mode. When the number of secure - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 147
: If you are configuring the autoLearn mode, first set port security's limit on the number of MAC addresses by using the port-security max-mac-count command. You cannot change the setting when the port is operating in autoLearn mode. When port security is enabled, you cannot manually enable 802.1X - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 148
to all sticky or dynamic secure MAC addresses. Use undo port-security timer autolearn aging to restore the default. By default, secure MAC addresses never age out. Related commands: display port-security and port-security mac-address security. Examples # Set the secure MAC aging timer to 30 - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 149
. By default, the silence period is 20 seconds. If you configure the intrusion protection policy as disabling the port temporarily whenever it receives an illegal frame, use this command to set the silence period. Related commands: display port-security. Examples # Configure the intrusion protection - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 150
traps. Use undo port-security trap to disable port security traps. By default, port security traps are disabled. You can enable certain port security traps for monitoring user behaviors. Related commands: display port-security. Examples # Enable MAC address learning traps. system-view - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 151
View display user-profile [ | { begin | exclude | include } regular-expression ] Any view Default level 2: System level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 152
applied to authenticated users. Use undo user-profile enable to disable the specified user profile. Disabling a user profile logs out users that are using the user profile. To edit or remove the configurations in a user profile, disable the user profile first. By default, a created user profile is - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 153
profile. You cannot remove a user profile that is enabled. By default, no user profiles exist on the device. Related commands: user-profile enable. Examples # Create user profile a123. system-view [Sysname] user-profile a123 [Sysname-user-profile-a123] # Enter the user profile view of a123 - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 154
Password control configuration commands display password-control Syntax View display password-control [ super ] [ | { begin | exclude | include } regular-expression ] Any view Default level 2: System level Parameters super: Displays the password control information of the super passwords. - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 155
Super password control configurations: Password aging: Enabled (90 days) Password length: Enabled (10 characters) Password composition: Enabled (1 types, 1 characters per type) Table 16 Command output Field Password control Password aging Password length Password composition Password history - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 156
Description Username of the user IP address of the user Number of login failures Whether the user is prohibited from logging in: • unlock-Not prohibited • lock-Prohibited temporarily or permanently, depending on the password-control login-attempt command password Syntax Password undo password 147 - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 157
bracket (), comma (,), dot (.), and slash (/). A local user password configured in interactive mode must satisfy the password control requirement. For example, if the minimum password length is set to 8, the password must contain at least eight characters. Examples # Set - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 158
feature must be enabled globally. You must enable a function for its relevant configurations to take effect. For example, if the minimum password length restriction function is not enabled, the setting by the password-control length command does not take effect. The system stops recording history - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 159
of the pending password expiration. Use undo password-control alert-before-expire to restore the default. By default, a user is warned of pending password expiration 7 days before the user's password expires. Examples # Configure the device to warn a user about pending password expiration 10 days - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 160
Default level 2: System level Parameters same-character: Refuses a password that contains any character repeated consecutively three or more times. user-name: Refuses a password that contains the username or the reverse of the username. Description Use password-control complexity to configure - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 161
item. By default, no user password complexity checking is performed, and a password can contain the username, the reverse of the username, or a character repeated three or more times consecutively. Related commands: display password-control. Examples # Configure the password complexity checking - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 162
the reset password-control history-record command. Related commands: display password-control. Examples # Enable the password control feature globally. system-view [Sysname] password-control enable password-control expired-user-login Syntax password-control expired-user-login delay - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 163
of times that a user can log in after the password expires. Use undo password-control expired-user-login to restore the defaults. By default, a user can log in three times within 30 days after the password expires. Related commands: display password-control. Examples # Specify that a user can log in - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 164
range of 4 to 32. Description Use password-control length to set the minimum password length. Use undo password-control length to restore the default. By default, the global minimum password length is 10 characters, the minimum password length of a user group equals the global setting, and the - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 165
set the maximum account idle time. If a user account is idle for this period of time, it becomes invalid. Use undo password-control login idle-time to restore the default. By default, the maximum account idle time is 90 days. Related commands: display password-control. Examples # Set the maximum - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 166
is removed from the blacklist as long as the user logs in successfully or after the blacklist aging time (one minute) elapses. Related commands: display password-control, display password-control blacklist, and reset password-control blacklist. Examples # Set the maximum number of login attempts - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 167
the default. By default, the minimum password update interval is 24 hours. This function is not effective in the case that a user is prompted to change the password when the user logs in for the first time or after the password is aged out. Related commands: display password-control. Examples - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 168
composition to restore the default. By default, the super password composition policy is the same as the global password composition policy. The settings for super passwords, if present, override those configured for all passwords. Related commands: password-control composition. Examples # Set - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 169
view Default level 3: Manage level Parameters user-name name: Specifies the username of the user to be removed from the blacklist. name is a case-sensitive string of 1 to 80 characters. Description Use reset password-control blacklist to remove all or one user from the blacklist. Related commands - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 170
View User view Default level 3: Manage level Parameters user-name name: Specifies the username of the user whose password records are to be deleted. name is a case-sensitive string of 1 to 80 characters. super: Deletes the history records of the super password specified by the level level - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 171
expression ] Any view Default level 1: Monitor level Parameters dsa: Specifies a DSA key pair. rsa: Specifies an RSA key pair. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 172
374D677A7A6124EBABD59FE48796C56F3FF919F999AEB97D1F2B83D9B98AC09BC1F72E80DBE337CB29989 A23378EB21C38EE083F11ED6DC8D4DBE001BA85450CEA071C2A471C83761E4CF32C174B418612CDD597B4 41F0CAA05DC01CB93A0ABB247C06FBA4C79054 Table 18 Command output Field Description Time of - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 173
Default level 1: Monitor level Parameters brief: Displays brief information about all peer of 1 to 64 characters. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 174
-public-key end Syntax View peer-public-key end Public key view Default level 2: System level Parameters None Description Use peer-public-key end to return from public key view to system view. Related commands: public-key peer. Examples # Exit public key view. system-view [Sysname - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 175
-code end Syntax View public-key-code end Public key code view Default level 2: System level Parameters None Description Use public-key-code end to return from public key code view to public key view and to save the configured public key. The system verifies the key before saving it. If the - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 176
create to create local asymmetric key pairs. The created local key pairs are saved automatically, and can survive a reboot. By default, no asymmetric key pair is created. When using this command to create DSA or RSA key pairs, you are asked to provide the length of the key modulus. The modulus - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 177
public-key local destroy { dsa | rsa } System view Default level 2: System level Parameters dsa: DSA key pair. rsa: RSA key pair. Description Use public-key local destroy to destroy the local asymmetric key pairs. Related commands: public-key local create. Examples # Destroy the local RSA - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 178
] System view Default level 2: System level Parameters openssh: Uses the format of OpenSSH. ssh2: Uses the format of SSH2.0. filename: Specifies the name of the file for storing the local public key. For more information about file name, see Fundamentals Configuration Guide. Description Use - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 179
Default level 2: System level Parameters openssh: Uses the format of OpenSSH. ssh1: Uses the format of SSH1.5. ssh2: Uses the format of SSH2.0. filename: Specifies the name of the file for storing the host public key. For more information about file name, see Fundamentals Configuration Guide - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 180
undo public-key peer keyname System view Default level 2: System level Parameters keyname: to remove the public key. To manually configure the peer public key on the local device configurations on the local device: 1. Execute the public-key peer command, and then the public-key-code begin command - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 181
about file name, see Fundamentals Configuration Guide. Description Use public-key peer import sshkey to import a peer host public key from the public key file. Use undo public-key peer to remove the specified peer host public key. After execution of this command, the system automatically transforms - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 182
configuration commands attribute Syntax attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value View undo attribute { id | all } Certificate attribute group view Default attribute to configure the attribute - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 183
string of 1 to 63 characters. Description Use ca identifier to specify the trusted CA and bind the switch with the CA. Use undo ca identifier to remove the configuration. By default, no trusted CA is specified for a PKI domain. Certificate request, retrieval, revocation, and query all depend on - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 184
undo certificate request entity to remove the configuration. By default, no entity is specified for certificate request. Related commands: pki entity. Examples # Specify the Syntax certificate request mode { auto [ key-length key-length | password { cipher | simple } password ] * | manual } - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 185
certificate request mode. Use undo certificate request mode to restore the default. By default, manual mode is used. In auto mode, an entity automatically requests out manually. The plaintext password or ciphertext password is saved in cipher text in the configuration file. Related commands: pki - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 186
must be an IP address and does not support domain name resolution. Description Use certificate request url to specify the URL for certificate request through SCEP. Use undo certificate request url to remove the configuration. By default, no certificate request URL is specified for a PKI - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 187
the common name of an entity, which can be, for example, the user name. Use undo common-name to remove the configuration. By default, no common name is specified. Examples # Configure the common name of an entity as test. system-view [Sysname] pki entity 1 [Sysname-pki-entity-1] common - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 188
System level Parameters disable: Disables CRL checking. enable: Enables CRL checking. Description Use crl check to enable or disable CRL checking. By default, CRL checking is enabled. CRLs are files issued by the CA to publish all certificates that have been revoked. Revocation of a certificate - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 189
server_location, where server_location must be an IP address and does not support domain name resolution. Description Use crl url to specify the URL of the CRL distribution point. Use undo crl url to remove the configuration. By default, no CRL distribution point URL is specified. When the URL - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 190
characters. request-status: Displays the status of a certificate request. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 191
| { begin | exclude | include } regular-expression ] Any view Default level 1: Monitor level Parameters policy-name: Name of the certificate attribute-based command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 192
[ | { begin | exclude | include } regular-expression ] Any view Default level 1: Monitor level Parameters group-name: Name of a certificate attribute group command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 193
Table 23 Command output Field Default level 1: Monitor level Parameters domain-name: Name of the PKI domain, a string of 1 to 15 characters. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 194
2012 GMT CRL entry extensions:... Serial Number: 05a278445E... Revocation Date: Feb 7 12:33:22 2012 GMT CRL entry extensions:... Table 24 Command output Field Version Signature Algorithm Issuer Last Update Next Update CRL extensions X509v3 Authority Key Identifier keyid Revoked Certificates Serial - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 195
domain name (FQDN) of an entity, a case-insensitive string of 1 to 127 characters. Description Use fqdn to configure the FQDN of an entity. Use undo fqdn to remove the configuration. By default, no FQDN is specified for an entity. An FQDN is the unique identifier of an entity on a network. It - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 196
, it is 2. Description Use ldap-server to specify an LDAP server for a PKI domain. Use undo ldap-server to remove the configuration. By default, no LDAP server is specified for a PKI domain. Examples # Specify an LDAP server for PKI domain 1. system-view [Sysname] pki domain 1 [Sysname - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 197
the name of the organization to which the entity belongs. Use undo organization to remove the configuration. By default, no organization name is specified for an entity. Examples # Configure the name of the organization to which an entity belongs as test-lab. system-view [Sysname - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 198
pki certificate access-control-policy to remove certificate attribute-based access control policies. No access control policy exists by default. Examples # Configure an access control policy named mypolicy and enter its view. system-view [Sysname] pki certificate access-control-policy - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 199
-pki-cert-attribute-group-mygroup] pki delete-certificate Syntax pki delete-certificate { ca | local } domain domain-name View System view Default level 2: System level Parameters ca: Deletes the locally stored CA certificate. local: Deletes the locally stored local certificate. domain-name: Name - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 200
System view Default level 2: System pki domain to remove a PKI domain. By default, no PKI domain exists. Examples # Create a pki entity entity-name System view Default level 2: System level Parameters entity PKI entity. By default, no entity exists. You can configure a variety of attributes - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 201
a CA certificate or local certificate from a file and save it locally. Related commands: pki domain. Examples # Import the CA certificate for PKI domain cer in the request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ] System view Default level 2: System level - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 202
string of 1 to 15 characters. password: Password for certificate revocation, a case-sensitive string This operation will not be saved in the configuration file. Related commands: pki domain. Examples # Display the PKCS# } domain domain-name System view Default level 2: System level Parameters ca: - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 203
The retrieved certificates are stored in the root directory of the switch, with the file name as domain-name_ca.cer or domain-name_local.cer according to the certificate type. Related commands: pki domain. Examples # Retrieve the CA certificate from the certificate issuing server. system- - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 204
and that the certificate has neither expired nor been revoked. Related commands: pki domain. Examples # Verify the validity of the local certificate remove the configuration. By default, no fingerprint is configured for verifying the validity of the CA root certificate. Examples # Configure an MD5 - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 205
control rules. Description Use rule to create a certificate attribute access control rule. Use undo rule to delete access control rules. By default, no access control rule exists. A certificate attribute group must exist to be associated with a rule. Examples # Create an access control rule - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 206
. Description Use state to specify the name of the state or province where an entity resides. Use undo state to remove the configuration. By default, no state or province is specified. Examples # Specify the state where an entity resides. system-view [Sysname] pki entity 1 [Sysname-pki - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 207
server. status: Displays the status information of the SSH server. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 208
• Disconnected-The session is disconnected. Number of authentication attempts. Service type (SCP, SFTP, and Stelnet). Name of a user for login. display ssh user-information Syntax View display ssh user-information [ username ] [ | { begin | exclude | include } regular-expression ] Any view - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 209
SSH users. Related commands: ssh user. Examples # Display information about all SSH users. display ssh user-information Total ssh users : 2 Username Authentication-type User-public-key-name Service-type yemx password null all test publickey pubkey sftp Table 27 Command output - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 210
server authentication-retries to restore the default. By default, the maximum number of authentication attempts for SSH users is 3. You can set this limit to prevent malicious hacking of usernames and passwords. This configuration takes effect only for the users at next login. Authentication fails - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 211
undo ssh server compatible-ssh1x to disable the SSH server from supporting SSH1 clients. By default, the SSH server supports SSH1 clients. The configuration takes effect only for clients that log in after the configuration Related commands: display ssh server. Examples # Enable the SSH server to - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 212
can communicate with the server through SSH. Use undo ssh server enable to disable the SSH server function. By default, SSH server is disabled. Related commands: display ssh server. Examples # Enable SSH server. system-view [Sysname] ssh server enable ssh server ipv6 dscp Syntax - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 213
By default, the update interval of the RSA server key is 0, and the RSA server key is not updated. Periodically updating the RSA server key can prevent malicious hacking of the key and enhance security of the SSH connections. This command is only available to SSH users using SSH1 client software - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 214
} assign publickey keyname } ssh user username service-type { all | scp | sftp } authentication-type { password | { any | password-publickey | publickey } assign publickey keyname work-directory directory-name } View undo ssh user username System view Default level 3: Manage level Parameters - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 215
you must configure the username and the public key on the switch. For a password authentication user, you can configure the account information on either the switch or the remote authentication server, such as a RADIUS server. If you use the ssh user command to configure a public key for a user who - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 216
{ begin | exclude | include } regular-expression ] Any view Default level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 217
default, the host public key of the server is not configured, and when logging into the server, the client uses the IP address or host name used for login as the public key name. A client that does not support exist. Related commands: ssh client first-time enable. Examples # Configure the public - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 218
necessary. Even if it is not specified, the command can also enable the first-time authentication function. Description default, the function is enabled. With first-time authentication, when an SSH client not configured with the server host public key accesses the server for the first time, the user - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 219
client ipv6 dscp dscp-value View undo ssh client ipv6 dscp System view Default level 2: System level Parameters dscp-value: Specifies the DSCP value in the SSH client. Use undo ssh client ipv6 dscp to restore the default. By default, the DSCP value in IPv6 protocol packets sent by the SSH - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 220
SSH client. Use undo ssh client ipv6 source to remove the configuration. By default, an SSH client uses the IPv6 address of the interface specified clients in the authentication service, HP recommends you specify a loopback interface as the source interface. Related commands: display ssh client - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 221
{ dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * User view Default level 0: Visit level Parameters server: Specifies an IPv4 address or host name of the server, a case-insensitive string of 1 to 20 - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 222
{ dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * User view Default level 0: Visit level Parameters server: Specifies an IPv6 address or host name of the server, a case-insensitive string of 1 to 46 - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 223
-hellman-group14-sha1. prefer-stoc-cipher: Specifies the preferred encryption algorithm from server to client, defaulted to aes128. prefer-stoc-hmac: Specifies the preferred HMAC algorithm from server to client, defaulted to sha1-96. Description Use ssh2 ipv6 to establish a connection to an IPv6 SSH - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 224
SFTP configuration commands SFTP server configuration commands sftp server enable Syntax sftp server enable View undo sftp server enable System view Default level 3: Manage level Parameters None Description Use sftp server enable to enable the SFTP server function. Use undo sftp server - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 225
server. Examples # Set the idle timeout period for SFTP user connections to 500 minutes. system-view [Sysname] sftp server idle-timeout 500 SFTP client configuration commands bye Syntax bye View SFTP client view Default level 3: Manage level Parameters None Description Use bye to terminate - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 226
-level directory. You can use the cd / command to return to the root directory of the system. Examples # Change the working path to new1. sftp-client> cd new1 Current Directory is: /new1 cdup Syntax View cdup SFTP client view Default level 3: Manage level Parameters None Description Use cdup - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 227
View SFTP client view Default level 3: Manage level Parameters remote-file&: Specifies the names of files on the server. & means that you can provide up to 10 filenames, which are separated by space. Description Use delete to delete files from a server. This command functions as the - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 228
begin | exclude | include } regular-expression ] Any view Default level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 229
View SFTP client view Default level 3: Manage level Parameters None Description Use exit to terminate the connection with a remote SFTP server and return to user view. This command functions as the bye and quit commands. Examples # Terminate the connection with the remote SFTP server. sftp-client> - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 230
help information of an SFTP client command. With neither the argument nor the keyword specified, the command displays a list of all commands. Examples # Display the help information of the get command. sftp-client> help get get remote-path [local-path] Download file.Default local-path is the same as - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 231
0 Sep 28 08:24 new1 0 Sep 28 08:18 new2 225 Sep 28 08:30 pub2 mkdir Syntax View mkdir remote-path SFTP client view Default level 3: Manage level Parameters remote-path: Specifies the name for the directory on a remote SFTP server. Description Use mkdir to create a directory on a remote SFTP - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 232
pwd / quit Syntax quit View SFTP client view Default level 3: Manage level Parameters None Description Use quit to terminate the connection with a remote SFTP server and return to user view. This command functions as the bye and exit commands. Examples # Terminate the connection with the remote SFTP - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 233
Default level 3: Manage level Parameters remote-file&: Specifies names of files on an SFTP server. & means that you can provide up to 10 filenames, which are separated by space. Description Use remove to delete files from a remote server. This command functions as the delete command - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 234
-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * User view Default level 3: Manage level Parameters server: IPv4 address or host name of the server, a case-insensitive string of 1 to 20 characters. port - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 235
dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96 Input Username: sftp client dscp Syntax sftp client dscp dscp-value View undo sftp client dscp System view Default level 2: System level Parameters dscp-value: Specifies the DSCP value in the IPv4 packets sent - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 236
sent by the SFTP client. Use undo sftp client dscp to restore the default. By default, the DSCP value in IPv4 packets sent by the SFTP client is 16 by the SFTP client. Use undo sftp client ipv6 dscp to restore the default. By default, the DSCP value in IPv6 packets sent by the SFTP client is 8. - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 237
of an SFTP client. Use undo sftp client source to remove the configuration. By default, an SFTP client uses the IP address of the interface specified clients in the authentication service, HP recommends you specify a loopback interface as the source interface. Related commands: display sftp client - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 238
dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * User view Default level 3: Manage level Parameters server: Specifies an IPv6 address or host name of the server, a case-insensitive string of 1 to 46 - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 239
to client: sha1-96. sftp ipv6 2:5::8:9 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96 Input Username: - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 240
SCP configuration commands SCP client configuration commands scp Command View scp [ ipv6 ] server [ port-number ] { get | put | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * User view Default level 3: Manage level Parameters ipv6: Specifies the type of the server as IPv6. If you - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 241
-hellman-group14-sha1. prefer-stoc-cipher: Specifies the preferred encryption algorithm from server to client, defaulted to aes128. prefer-stoc-hmac: Specifies the preferred HMAC algorithm from server to client, defaulted to sha1-96. Description Use scp to transfer files with an SCP server. When the - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 242
the cipher suites for an SSL server policy to support. By default, an SSL server policy supports all cipher suites. With no keyword specified, the command configures an SSL server policy to support all cipher suites. If you execute the command repeatedly, the last one takes effect. Related - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 243
certificate-based authentication. Use undo client-verify enable to restore the default. By default, the SSL server does not require certificate-based SSL client authentication. If you configure the client-verify enable command and enable the SSL client weak authentication function, whether the - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 244
client-verify weaken command takes effect only when the SSL server requires certificate-based client authentication. Related commands: client-verify message from the client. Use undo close-mode wait to restore the default. By default, an SSL server sends a close-notify alert message to the client - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 245
[ | { begin | exclude | include } regular-expression ] Any view Default level 1: Monitor level Parameters policy-name: SSL client policy name, a case- command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 246
[ | { begin | exclude | include } regular-expression ] Any view Default level 1: Monitor level Parameters policy-name: SSL server policy name, a case- command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 247
a CA server. Cipher suites supported by the SSL server policy. default, the handshake timeout time is 3600 seconds. If the SSL server does not receive any packet from the SSL client before the handshake timeout time expires, the SSL server will terminate the handshake process. Related commands - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 248
. By default, no PKI domain is configured for an SSL server policy or SSL client policy. If you do not specify a PKI domain for an SSL server policy, the SSL server generates a certificate for itself rather than obtaining one from a CA server. Related commands: display ssl server-policy and - HP 6125G | HP 6125G & 6125G/XG Blade Switches Security Command Reference - Page 249
Page 250: the preferred cipher suite for an SSL client policy. Use undo prefer-cipher to restore the default. By default, the preferred cipher suite for an SSL client policy is rsa_rc4_128_md5. Both RC4 and MD5 are deprecated for TLS (RFC 7465 prohibits RC4 cipher suites), so select a different suite wherever the server supports one. Related commands: display ssl client-policy. Examples # Set the preferred cipher suite for SSL client policy policy1
Page 251: If certificate-based SSL server authentication is disabled, the SSL server is assumed to be valid, which leaves the client open to server impersonation. By default, certificate-based SSL server authentication is enabled. Related commands: display ssl client-policy. Examples # Enable certificate-based SSL server authentication. system-view [Sysname] ssl
Page 252: view. Use undo ssl client-policy to delete SSL client policies. Related commands: display ssl client-policy. Examples # Create SSL client policy policy1 ... View undo ssl server-policy { policy-name | all } System view Default level 2: System level Parameters policy-name: SSL server policy name,
Page 253: specify the SSL protocol version for an SSL client policy. Use undo version to restore the default. By default, the SSL protocol version for an SSL client policy is TLS 1.0. TLS 1.0 is deprecated by RFC 8996; choose the newest version that both ends support. Related commands: display ssl client-policy. Examples # Specify the SSL protocol version for SSL client policy policy1 as
Page 254: begin | exclude | include } regular-expression ] Any view Default level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the
Page 255: tcp syn-cookie enable View undo tcp syn-cookie enable System view Default level 2: System level Parameters None Description Use tcp syn-cookie enable to enable the SYN Cookie feature. Use undo tcp syn-cookie enable to disable the SYN Cookie feature. By default, the SYN Cookie feature is enabled. SYN cookies let the device complete TCP handshakes without keeping state for half-open connections, so disabling the feature exposes its TCP services to SYN flood exhaustion. Examples # Enable the SYN Cookie feature. <
Page 256: for the argument depends on the number of member switches and their member IDs in the IRF fabric. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the
Page 257: [display ip source binding output, Table 32: columns Interface and Type with the binding entries; the excerpt shows 10.1.0.12 and 040a-0000-0013 10.1.0.13, VLAN N/A, on GE1/0/1, GE1/0/2 and GE1/0/3] ... mac-address mac-address } [ vlan vlan-id ] Layer 2 Ethernet interface view Default level 2: System level Parameters ip-address ip-address: Specifies the IPv4
Page 258: Security Configuration Guide. You cannot configure the same static binding entry repeatedly on one port, but you can configure the same static entry on different ports. You cannot configure a static binding entry on a port that is in an aggregation group or a service loopback group. Related commands
Page 259: or a service loopback group. Related commands: display ip source binding. Examples # Configure dynamic IPv4 binding on Layer 2 Ethernet port ... number View undo ip verify source max-entries Layer 2 Ethernet interface view Default level 2: System level Parameters number: Maximum number of
Page 260: Examples # Set the maximum number of IPv4 source guard entries to 100 on port GigabitEthernet 1/0/1. system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] ip verify source max-entries 100
Page 261: configuration commands ARP defense against IP packet attacks configuration commands arp resolving-route enable Syntax arp resolving-route enable View undo arp resolving-route enable System view Default ... Use undo arp resolving-route enable to disable the function. By default, the function is enabled. (This is ARP black hole routing: when resolution of a destination address fails, the device installs a temporary black hole route so that further packets to that address are dropped instead of triggering more ARP requests.) Examples #
Page 262: to disable the function. By default, the ARP source suppression function is disabled. Related commands: display arp source-suppression. Examples ... Use undo arp source-suppression limit to restore the default value, which is 10. With this feature configured, whenever the number of packets with unresolvable
Page 263: of cache used to record source suppression information. ARP packet rate limit configuration commands arp rate-limit Syntax arp rate-limit { disable | rate pps drop } View undo arp rate-limit Layer 2 Ethernet interface view, Layer 2 aggregate interface view Default level 2: System level
Page 264: 50 drop Source MAC address based ARP attack detection configuration commands arp anti-attack source-mac Syntax arp anti-attack source-mac { filter | monitor } View undo arp anti-attack source-mac [ filter | monitor ] System view Default level 2: System level Parameters filter: Specifies the
Page 265: If no detection mode is specified in the undo arp anti-attack source-mac command, both detection modes are disabled. Examples # Enable filter-mode source ... Use undo arp anti-attack source-mac aging-time to restore the default. By default, the age timer for protected MAC addresses is 300 seconds (five minutes). Examples # Configure the age timer
Page 266: arp anti-attack source-mac exclude-mac to remove the configured protected MAC addresses. By default, no protected MAC address is configured. If no MAC address is specified in the undo arp anti-attack source-mac exclude-mac command, all the configured protected MAC addresses are removed. Examples
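The detector that the arp anti-attack source-mac, exclude-mac and aging-time pages above describe, as an added Python model that is not HP/Comware code: it counts ARP packets per source MAC over a sliding window, marks a MAC as an attacker once the count passes the threshold, then drops its packets (filter mode) or only logs them (monitor mode) until the entry ages out, and never checks protected MACs. The 5-second window and the threshold of 30 are assumed defaults that this page does not state; the 300-second aging time is the page's own default, and the MAC addresses and timestamps are constructed.

```python
"""Source-MAC-based ARP attack detection, modelled on the arp anti-attack
source-mac { filter | monitor }, exclude-mac and aging-time commands.
Added example, not HP/Comware code."""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Optional, Tuple


class SourceMacArpDetector:
    """mode is "filter" (drop packets from a detected MAC), "monitor"
    (forward but log) or None (both modes disabled, as after undo
    arp anti-attack source-mac without a keyword).  window and threshold
    are assumptions of this example; aging_time is the page's default."""

    def __init__(self, mode: Optional[str] = "filter", threshold: int = 30,
                 window: float = 5.0, aging_time: float = 300.0,
                 exclude_macs: Iterable[str] = ()) -> None:
        if mode not in ("filter", "monitor", None):
            raise ValueError("mode must be filter, monitor or None")
        self.mode = mode
        self.threshold = threshold
        self.window = window
        self.aging_time = aging_time
        self.exclude_macs = set(exclude_macs)          # protected MACs, never checked
        self._seen: Dict[str, Deque[float]] = defaultdict(deque)  # MAC -> packet times
        self._attackers: Dict[str, float] = {}         # MAC -> time detected
        self.log: List[Tuple[float, str, str]] = []    # (time, MAC, mode) alarms

    def handle(self, src_mac: str, now: float) -> str:
        """Return "forward", "drop" or "monitor" for one ARP packet."""
        if self.mode is None or src_mac in self.exclude_macs:
            return "forward"
        detected_at = self._attackers.get(src_mac)
        if detected_at is not None:
            if now - detected_at < self.aging_time:
                return "drop" if self.mode == "filter" else "monitor"
            # Attack entry aged out: start counting afresh.
            del self._attackers[src_mac]
            self._seen[src_mac].clear()
        stamps = self._seen[src_mac]
        stamps.append(now)
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()                           # drop packets outside the window
        if len(stamps) > self.threshold:
            self._attackers[src_mac] = now
            self.log.append((now, src_mac, self.mode))
            return "drop" if self.mode == "filter" else "monitor"
        return "forward"
```

Monitor mode is the safe first step on a production VLAN: run it, inspect `log` for the MACs that trip the threshold, put legitimate heavy talkers (a DHCP relay, a monitoring host) on the exclude list, and only then switch to filter mode.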
Page 267: begin | exclude | include } regular-expression ] Any view Default level 1: Monitor level Parameters interface interface-type interface-number: ... switch. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide
Page 268: ARP packet source MAC address consistency check configuration commands arp anti-attack valid-check enable Syntax arp anti-attack valid-check enable View undo arp anti-attack valid-check enable System view Default level 2: System level Parameters None Description Use arp anti-attack valid-
Page 269: restore the default. By default, the ARP active acknowledgement function is disabled. This feature is configured on gateway ... system-view [Sysname] arp anti-attack active-ack enable ARP detection configuration commands arp detection Syntax arp detection id-number { permit | deny } ip {
Page 270: Use arp detection to set a rule for user validity check. Use undo arp detection to restore the default. By default, no rule is set for user validity check. User validity check inspects each ARP packet received on an ARP untrusted interface against the configured rules. If a match is found, the ARP
Page 271: the port as an ARP trusted port. Use undo arp detection trust to restore the default. By default, the port is an ARP untrusted port. Examples # Configure Layer 2 Ethernet port GigabitEthernet 1/0/1 as an ARP trusted port. system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname
Page 272: Use arp detection validate to configure ARP detection based on specified objects. You can specify one or more objects in one command line. Use undo arp detection validate to remove detected objects. If no keyword is specified, all the detected objects are removed. By default, ARP detection based on
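How ARP detection handles a packet arriving on an untrusted port, as an added Python model that is not HP/Comware code: trusted ports (arp detection trust) bypass all checks; the packet validity objects of arp detection validate compare the Ethernet header with the ARP body and reject invalid IP addresses; the user validity check then applies arp detection rules in ID order and finally the binding table, such as the 040a-0000-0013 / 10.1.0.13 entry the display ip source binding page shows. The rule syntax is simplified to a sender IP network plus an optional exact MAC, the order (packet validity first, then user validity) is this example's choice, and the bindings, ports and packets are constructed.

```python
"""ARP detection on untrusted ports: packet validity check (arp detection
validate src-mac / dst-mac / ip), then user validity check against arp
detection rules and the binding table.  Added example, not HP/Comware code."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ArpPacket:
    eth_src: str      # Ethernet header source MAC, H-H-H form as on the page
    eth_dst: str      # Ethernet header destination MAC
    op: str           # "request" or "reply"
    sender_mac: str   # ARP body: sender hardware address
    sender_ip: str    # ARP body: sender protocol address
    target_mac: str   # ARP body: target hardware address
    target_ip: str    # ARP body: target protocol address


@dataclass(frozen=True)
class Rule:
    """Simplified arp detection id-number { permit | deny } rule: the sender
    IP must fall in `ip`; `mac` is an exact sender MAC or None for any."""
    rule_id: int
    permit: bool
    ip: str                      # network in CIDR form, e.g. "10.1.0.1/32"
    mac: Optional[str] = None


def _invalid_ip(ip: str) -> bool:
    """All-zero, all-one and multicast addresses are invalid in an ARP body."""
    a = IPv4Address(ip)
    return a in (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")) or a.is_multicast


class ArpDetection:
    def __init__(self, validate: Iterable[str] = ("src-mac", "dst-mac", "ip"),
                 rules: Iterable[Rule] = (),
                 bindings: Iterable[Tuple[str, str, str]] = (),
                 trusted_ports: Iterable[str] = ()) -> None:
        self.validate = set(validate)
        self.rules: List[Tuple[Rule, IPv4Network]] = [
            (r, IPv4Network(r.ip)) for r in sorted(rules, key=lambda r: r.rule_id)]
        # (port, ip, mac) entries, as learned by DHCP snooping or set by ip source binding
        self.bindings: Set[Tuple[str, str, str]] = set(bindings)
        self.trusted = set(trusted_ports)          # ports under arp detection trust

    def inspect(self, pkt: ArpPacket, port: str) -> Tuple[str, str]:
        """Return (action, reason); action is "forward" or "drop"."""
        if port in self.trusted:
            return "forward", "trusted-port"
        # 1. Packet validity check: the header must agree with the ARP body.
        if "src-mac" in self.validate and pkt.sender_mac != pkt.eth_src:
            return "drop", "src-mac"
        if "dst-mac" in self.validate and pkt.op == "reply" and pkt.target_mac != pkt.eth_dst:
            return "drop", "dst-mac"
        if "ip" in self.validate and (_invalid_ip(pkt.sender_ip)
                                      or (pkt.op == "reply" and _invalid_ip(pkt.target_ip))):
            return "drop", "ip"
        # 2. User validity check: first matching rule wins, then the bindings.
        sender = IPv4Address(pkt.sender_ip)
        for rule, net in self.rules:
            if sender in net and (rule.mac is None or rule.mac == pkt.sender_mac):
                return ("forward" if rule.permit else "drop"), f"rule-{rule.rule_id}"
        if (port, pkt.sender_ip, pkt.sender_mac) in self.bindings:
            return "forward", "binding"
        return "drop", "no-binding"
```

A deny rule for the gateway's own address (rule 1 in the test) is the usual first rule: no host on an untrusted port is ever allowed to announce itself as the gateway, whatever the binding table says, which is exactly the ARP spoofing case the feature exists for.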
Page 273: Default level 1: Monitor level Parameters interface interface-type interface-number: Displays the ARP detection statistics of a specified interface. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide
Page 274: [display arp detection statistics output, Table 35: columns Interface(State), IP, Src-MAC, Dst-MAC and Inspect, where State is T (trusted) or U (untrusted); the excerpt reads GE1/0/3(T) 0 0 0 GE1/0/4(U) 0 0 30 Inspect 78 0 0 0] ... statistics [ interface interface-type interface-number ] User view Default level 1: Monitor level Parameters interface interface-type
Page 275: entries into static ARP entries. You can use this command again to change the dynamic ARP entries learned later into static ARP entries. The static ARP entries changed from dynamic ARP entries have the same attributes as the manually configured static ARP entries. The number of static ARP entries
Page 276: Default ... network as the primary IP address or manually configured secondary IP addresses of the interface. ... the scan is terminated. Examples # Configure the device to scan the network where ... Vlan-interface2] arp scan # Configure the device to scan a ... gateway protection configuration commands arp filter
Page 277: /0/1] arp filter source 1.1.1.1 ARP filtering configuration commands arp filter binding Syntax arp filter binding ip-address mac-address View undo arp filter binding ip-address Layer 2 Ethernet interface view, Layer 2 aggregate interface view Default level 2: System level Parameters ip
Page 278: Examples # Configure an ARP filtering entry with permitted sender IP address 1.1.1.1 and MAC address 2-2-2. system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] arp filter binding 1.1.1.1 2-2-2
Page 279: defense configuration commands ipv6 nd mac-check enable Syntax ipv6 nd mac-check enable View undo ipv6 nd mac-check enable System view Default ... ND packets. By default, source MAC consistency check is disabled for ND packets. In a typical forged ND packet, the Ethernet frame header conveys a
Page 280: URPF check to prevent source address spoofing attacks. Use undo ip urpf to disable URPF check. By default, URPF check is disabled. The routing table size decreases by half when URPF is enabled on the HP 6125 Blade switches. To prevent loss of routes and packets, URPF cannot be enabled on the
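The check that ip urpf turns on, as an added Python model that is not HP/Comware code: a longest-prefix lookup on the source address of an incoming packet, where strict mode also requires the matching route to point back out the ingress interface and loose mode accepts any usable route. The FIB, the interface names, the black-hole entry and the allow_default_route switch are constructed for this example; the page does not document a default-route option for this platform, so treat that switch as an assumption.

```python
"""Unicast reverse path forwarding (URPF) on a small forwarding table: a
packet is accepted only if the table has a route back to its source.
Added example, not HP/Comware code."""
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, List, Optional, Tuple


class Urpf:
    """mode "strict": the route to the source must leave via the ingress
    interface; mode "loose": any usable route to the source suffices.
    allow_default_route is an assumption of this example: when False, a
    default route alone does not count as a route back to the source."""

    def __init__(self, fib: Iterable[Tuple[str, Optional[str]]], mode: str = "strict",
                 allow_default_route: bool = False) -> None:
        if mode not in ("strict", "loose"):
            raise ValueError("mode must be strict or loose")
        # (prefix, outgoing interface); None marks a null / black-hole route
        self.fib: List[Tuple[IPv4Network, Optional[str]]] = [
            (IPv4Network(p), out_if) for p, out_if in fib]
        self.mode = mode
        self.allow_default_route = allow_default_route

    def lookup(self, addr: str) -> Optional[Tuple[IPv4Network, Optional[str]]]:
        """Longest-prefix match, as the forwarding lookup would do."""
        a = IPv4Address(addr)
        best: Optional[Tuple[IPv4Network, Optional[str]]] = None
        for net, out_if in self.fib:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, out_if)
        return best

    def check(self, src_ip: str, in_if: str) -> bool:
        """True if the packet passes URPF and may be forwarded."""
        match = self.lookup(src_ip)
        if match is None:
            return False                      # no route back to the source
        net, out_if = match
        if net.prefixlen == 0 and not self.allow_default_route:
            return False                      # a default route proves nothing about the source
        if out_if is None:
            return False                      # the source prefix is black-holed
        if self.mode == "strict":
            return out_if == in_if            # must arrive where we would send replies
        return True
```

Strict mode is the right choice on the access VLAN interfaces of a blade switch, where each subnet sits behind exactly one interface; loose mode is for links with asymmetric routing, where the return path legitimately differs from the inbound one.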
Page 281: begin | exclude | include } regular-expression ] Any view Default level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the
Page 282: View Any view Default level 1: Monitor level Parameters vlan-id: Specifies a VLAN by its number. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the
Page 283: make sure that ARP snooping works normally. For a network (or VLAN) with IP addresses manually configured, the gateway IP address should be manually configured with the mac-forced-forwarding default-gateway gateway-ip command; for a network (or VLAN) running DHCP, the gateway IP address can be
Page 284: configure the Ethernet port as a network port. Use undo mac-forced-forwarding network-port to restore the default. By default, the port is a user port. ... configuration. For more information about link aggregation, see Layer 2-LAN Switching Configuration Guide. Examples # Configure GigabitEthernet
Page 285: server IP addresses. By default, no server IP address is specified. You can use this command (in either manual or automatic MFF operating mode) to specify the IP address of a DHCP server, the IP address of a server providing some other service
Page 286: HP A-Series Acronyms. Websites • HP.com http://www.hp.com • HP Networking http://www.hp.com/go/networking • HP manuals http://www.hp.com/support/manuals • HP download drivers and software http://www.hp.com/support/downloads • HP software depot http://www.software.hp.com • HP Education http://www.hp
Page 287: Command conventions (Convention / Description): Boldface, Italic, [ ], { x | y | ... }, [ x | y | ... ], { x | y | ... } *, [ x | y | ... ] *, &, #. Bold text represents commands; window names, button names, field names and menu items are also in bold text. For example, the New User window appears; click OK. Multi-level menus are separated by angle
Page 288: or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features. Port numbering in examples The port numbers in this document are for
Page 289: lan-access, 7; authentication login, 7; authentication super, 8; authorization command, 9; authorization default, 10; authorization lan-access, 11; authorization login, 12; authorization-attribute (local user view/user group view), 24; authorization-attribute user-profile, 13; B bind-attribute, 25; bye, 216
Page 290: user, 26; display mac-authentication, 115; display mac-forced-forwarding interface, 271; display mac-forced-forwarding vlan, 271; display password-control, 145; display password ... 44; display tcp status, 244; display user-group, 28; display user-profile, 142; domain, 19; domain default enable, 20; dot1x, 93; dot1x
Page 291: 151; password-control complexity, 151; password-control composition, 152; password-control enable, 153; password-control expired-user-login, 153; password-control history, 154; password-control length, 155; password-control login idle-time, 156; password-control login-attempt, 156; password-control password update
Page 292: 122; reset password-control blacklist, 160; reset password-control history-record ... server, 62; self-service-url enable, 22; server-type, 63; server-verify enable, 240; service-type, 33; session state, 196; state (ISP domain view), 22; state (local user view), 34; state primary, 63; state secondary, 64; stop-accounting-
HP 6125 Blade Switch Series
Security
Command Reference
Part number: 5998-3171
Software version: Release 2103
Document version: 6W100-20120907