H3C S9500E Series Security Configuration Manual

Category: Software
Type: Security Configuration Manual
H3C S9500E Series Routing Switches
Security Configuration Guide
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Copyright © 2003-2010, Hangzhou H3C Technologies Co., Ltd. and its licensors
All Rights Reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners.
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Environmental Protection
This product has been designed to comply with the requirements on environmental protection. The
storage, use, and disposal of this product must meet the applicable national laws and regulations.
Preface
The H3C S9500E documentation set includes 13 configuration guides, which describe the software
features for the H3C S9500E Series 10G Core Routing Switches and guide you through the software
configuration procedures. These configuration guides also provide configuration examples to help you
apply software features to different network scenarios.
This preface includes:
• Audience
• Conventions
• About the H3C S9500E Documentation Set
• Obtaining Documentation
• Documentation Feedback
Audience
This documentation is intended for:
• Network planners
• Field technical support and servicing engineers
• Network administrators working with the S9500E series
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention           Description
Boldface             Bold text represents commands and keywords that you enter literally as shown.
italic               Italic text represents arguments that you replace with actual values.
[ ]                  Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }      Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]      Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *    Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] *    Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you may select multiple choices or none.
&<1-n>               The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
#                    A line that starts with a pound (#) sign is a comment.
GUI conventions
Convention           Description
< >                  Button names are inside angle brackets. For example, click <OK>.
[ ]                  Window names, menu items, data table and field names are inside square brackets. For example, pop up the [New User] window.
/                    Multi-level menus are separated by forward slashes. For example, [File/Create/Folder].
Symbols
Convention           Description
                     Means the reader should be extremely careful. Improper operation may cause bodily injury.
                     Means the reader should be careful. Improper operation may cause data loss or damage to equipment.
                     Means an action or information that needs special attention to ensure successful configuration or good performance.
                     Means a complementary description.
                     Means techniques that help you configure with ease.
Network topology icons
Convention           Description
                     Represents a generic network device, such as a router, switch, or firewall.
                     Represents a routing-capable device, such as a router or Layer 3 switch.
                     Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
About the H3C S9500E documentation set
Category    Documents: Purposes

Product description and specifications
    Marketing brochures: Describe product specifications and benefits.
    Technology white papers: Provide an in-depth description of software features and technologies.
    Card datasheets: Describe card specifications, features, and standards.

Hardware specifications and installation
    Compliance and safety manual: Provides regulatory information and the safety instructions that must be followed during installation.
    Quick start: Guides you through initial installation and setup procedures to help you quickly set up and use your device with the minimum configuration.
    Installation guide: Provides a complete guide to hardware installation and hardware specifications.
    Card manuals: Provide the hardware specifications of cards.
    H3C N68 Cabinet Installation and Remodel Introduction: Guides you through installing and remodeling H3C N68 cabinets.
    H3C Pluggable SFP [SFP+][XFP] Transceiver Modules Installation Guide: Guides you through installing SFP/SFP+/XFP transceiver modules.
    Adjustable Slider Rail Installation Guide: Guides you through installing adjustable slider rails to a rack.
    H3C High-End Network Products Hot-Swappable Module Manual: Describes the hot-swappable modules available for the H3C high-end network products, their external views, and specifications.
    Installation videos: Show how to install the LSTM1PEMC and LSTM1PEM2N AC-input power supply modules.

Software configuration
    Configuration guides: Describe software features and configuration procedures.
    Command references: Provide a quick reference to all available commands.
    Configuration examples: Describe typical network scenarios and provide configuration examples and instructions.

Operations and maintenance
    System log messages: Explains the system log messages.
    Trap messages: Explains the trap messages.
    MIB Companion: Describes the MIBs for the software release.
    Release notes: Provide information about the product release, including the version history, hardware and software compatibility matrix, version upgrade information, technical support information, and software upgrading.
    Error code reference: Explains the error codes for the QoS module.
Obtaining documentation
You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
• [Technical Support & Documents > Technical Documents] – Provides hardware installation, software upgrading, and software feature configuration and maintenance documentation.
• [Products & Solutions] – Provides information about products and technologies, as well as solutions.
• [Technical Support & Documents > Software Download] – Provides the documentation released with the software version.
Documentation feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.
Table of Contents
Preface ·········································································································································································· 3
Audience ············································································································································································ 3
Conventions ······································································································································································· 3
About the H3C S9500E documentation set ··················································································································· 5
AAA configuration ····················································································································································· 14
Introduction to AAA ······················································································································································· 14
Introduction to RADIUS ·················································································································································· 15
Client/Server model ·············································································································································· 15
Security and authentication mechanisms ············································································································ 16
Basic message exchange process of RADIUS ···································································································· 16
RADIUS packet format ·········································································································································· 17
Extended RADIUS attributes ································································································································· 22
Introduction to HWTACACS ········································································································································· 22
Differences between HWTACACS and RADIUS ································································································ 22
Basic message exchange process of HWTACACS ··························································································· 23
Domain-based user management ································································································································· 25
AAA-across-VPNs ··························································································································································· 26
Protocols and standards ················································································································································ 26
AAA configuration task list ··········································································································································· 27
Configuring AAA ··························································································································································· 28
Configuration prerequisites ·································································································································· 28
Creating an ISP domain ······································································································································· 28
Configuring ISP domain attributes ······················································································································· 29
Configuring AAA authentication method for an ISP domain············································································ 30
Configuring AAA authorization methods for an ISP domain ··········································································· 31
Configuring AAA accounting methods for an ISP domain ··············································································· 33
Configuring local user attributes ·························································································································· 34
Configuring user group attributes ························································································································ 36
Disconnect user connections ································································································································ 37
Configuring a NAS ID-VLAN binding ················································································································· 37
Displaying and maintaining AAA ································································································································ 38
Configuring RADIUS ······················································································································································ 38
Creating a RADIUS scheme ································································································································· 38
Specifying the VPN instance ································································································································ 39
Specifying the RADIUS authentication/authorization servers ·········································································· 39
Specifying the RADIUS accounting servers and relevant parameters ····························································· 40
Specifying the shared keys for RADIUS packets ································································································ 41
Setting the upper limit of RADIUS request retransmission attempts ·································································· 42
Setting the supported RADIUS server type ·········································································································· 42
9
Setting the status of RADIUS servers ···················································································································· 43
Configuring attributes related to data to be sent to the RADIUS server ·························································· 44
Enabling the RADIUS trap function ······················································································································ 45
Specifying the source IP address for RADIUS packets to be sent ····································································· 45
Setting timers regarding RADIUS servers ············································································································ 46
Specifying security policy servers ························································································································ 47
Enabling the listening port of the RADIUS client ································································································ 48
Specifying to interpret RADIUS class attribute as CAR parameters ································································· 48
Displaying and maintaining RADIUS ·················································································································· 49
Configuring HWTACACS ············································································································································· 49
Creating an HWTACACS scheme ······················································································································ 50
Specifying the VPN instance ································································································································ 50
Specifying the HWTACACS authentication servers ·························································································· 50
Specifying the HWTACACS authorization servers ···························································································· 51
Specifying the HWTACACS accounting servers ································································································ 51
Setting the shared key for HWTACACS packets ······························································································· 52
Configuring attributes related to the data sent to HWTACACS server ··························································· 53
Specifying the source IP address for HWTACACS packets to be sent ···························································· 53
Setting timers regarding HWTACACS servers ··································································································· 54
Displaying and maintaining HWTACACS ········································································································· 55
AAA configuration examples ········································································································································ 55
AAA for telnet user by an HWTACACS server ·································································································· 55
AAA for telnet users by separate servers ············································································································ 57
AAA for SSH users by a RADIUS server ············································································································· 59
Troubleshooting AAA ···················································································································································· 62
Troubleshooting RADIUS ······································································································································· 62
Troubleshooting HWTACACS ······························································································································ 64
802.1X configuration ················································································································································ 65
802.1X overview ··························································································································································· 65
Architecture of 802.1X ········································································································································· 65
Authentication modes of 802.1X ························································································································· 65
Basic concepts of 802.1X ···································································································································· 66
EAP over LAN ························································································································································ 67
EAP over RADIUS ·················································································································································· 68
802.1X authentication triggering ························································································································ 69
Authentication process of 802.1X ······················································································································· 69
802.1X access control method ···························································································································· 72
802.1X timers ························································································································································ 73
Features working together with 802.1X ············································································································· 73
802.1X basic configuration ·········································································································································· 75
Configuration prerequisites ·································································································································· 75
Configuring 802.1X globally ······························································································································· 76
Configuring 802.1X for a port ···························································································································· 77
10
Configuring the online user handshake function ········································································································ 78
Enabling the multicast trigger function ························································································································· 79
Specifying a mandatory authentication domain for a port ······················································································· 79
Enabling the quiet timer················································································································································· 80
Enabling the re-authentication function ························································································································ 80
Configuring a guest VLAN ············································································································································ 80
Configuring an Auth-Fail VLAN ···································································································································· 81
Displaying and maintaining 802.1X ··························································································································· 82
802.1X configuration example ···································································································································· 82
Guest VLAN and VLAN assignment configuration example ····················································································· 85
MAC authentication configuration ···························································································································· 88
MAC authentication overview ······································································································································ 88
RADIUS-based MAC authentication ···················································································································· 88
Local MAC authentication ···································································································································· 88
Related concepts ···························································································································································· 89
MAC authentication timers ··································································································································· 89
Quiet MAC address ·············································································································································· 89
Configuring MAC authentication ································································································································· 89
Configuration prerequisites ·································································································································· 89
Configuration procedure ······································································································································ 89
Displaying and maintaining MAC authentication ······································································································ 90
MAC authentication configuration examples ·············································································································· 91
Local MAC authentication configuration ············································································································ 91
RADIUS-based MAC authentication configuration ···························································································· 92
Portal configuration ···················································································································································· 95
Introduction to portal ············································································································································· 95
Introduction to extended portal functions ············································································································ 95
Portal system components ····································································································································· 95
Portal authentication mode ··································································································································· 97
Portal authentication process ······························································································································· 98
Basic portal configuration ············································································································································· 99
Configuration prerequisites ·································································································································· 99
Configuration procedure ······································································································································ 99
Configuring a portal-free rule ····································································································································· 100
Configuring an authentication subnet ························································································································ 101
Logging out users ························································································································································· 101
Specifying a mandatory authentication domain ······································································································· 101
Specifying a NAS ID profile for an interface ············································································································ 102
Setting the maximum number of online portal users ································································································ 103
Displaying and maintaining a portal ························································································································· 103
Portal configuration examples ···································································································································· 104
Configuring Layer 3 portal authentication ········································································································ 104
Configuring Layer 3 portal authentication with extended functions ······························································ 106
11
Troubleshooting the portal ·········································································································································· 108
Inconsistent keys on the access device and the portal server ········································································· 108
Incorrect server port number on the access device ·························································································· 108
Public key configuration ········································································································································· 110
Public key algorithm overview ···································································································································· 110
Basic concepts ····················································································································································· 110
Key algorithm types ············································································································································· 110
Asymmetric key algorithm applications ············································································································ 111
Configuring the local asymmetric key pair ··············································································································· 111
Creating an asymmetric key pair ······················································································································ 111
Displaying or exporting the local RSA or DSA host public key······································································ 112
Destroying an asymmetric key pair ··················································································································· 112
Configuring the public key of a peer ························································································································· 112
Displaying and maintaining public keys ··················································································································· 113
Public key configuration examples ····························································································································· 114
Configuring the public key of a peer manually ······························································································· 114
Importing the public key of a peer from a public key file ··············································································· 116
SSH2.0 configuration ············································································································································· 120
SSH2.0 overview ························································································································································· 120
Introduction to SSH2.0 ······································································································································· 120
Operation of SSH ················································································································································ 120
Configuring the device as an SSH server ·················································································································· 123
Enabling SSH server ··········································································································································· 123
Configuring the user interfaces for SSH clients ································································································ 123
Configuring a client public key ·························································································································· 124
Configuring an SSH user ···································································································································· 125
Setting the SSH management parameters ········································································································ 126
Configuring the device as an SSH client ··················································································································· 127
Specifying a source IP address/interface for the SSH client ·········································································· 127
Configuring whether first-time authentication is supported ············································································· 127
Establishing a connection between the SSH client and the server ································································· 128
Displaying and maintaining SSH ······························································································································· 129
SSH server configuration examples ··························································································································· 129
When switch acts as server for password authentication ··············································································· 130
When switch acts as server for public key authentication ·············································································· 131
SSH client configuration examples ····························································································································· 137
When switch acts as client for password authentication ················································································ 137
When switch acts as client for public key authentication ··············································································· 140
SFTP service ····························································································································································· 143
SFTP overview ······························································································································································· 143
Configuring an SFTP server ········································································································································· 143
Configuration prerequisites ································································································································ 143
Enabling the SFTP server ···································································································································· 143
Configuring the SFTP connection idle timeout period ····················································································· 143
Configuring an SFTP client ·········································································································································· 144
Specifying a source IP address or interface for the SFTP client ······································································ 144
Establishing a connection to the SFTP server ···································································································· 144
Working with the SFTP directories ···················································································································· 145
Working with SFTP files ······································································································································ 146
Displaying help information ······························································································································· 147
Terminating the connection to the remote SFTP server ···················································································· 147
SFTP client configuration example ····························································································································· 147
SFTP server configuration example ···························································································································· 151
IP source guard configuration ································································································································ 153
IP source guard overview ············································································································································ 153
Configuring a static IP source guard binding entry ·································································································· 154
Configuring the dynamic IP source guard binding function ···················································································· 155
Displaying and maintaining IP source guard ············································································································ 155
IP source guard configuration examples ··················································································································· 156
Static IP source guard binding entry configuration example ·········································································· 156
Dynamic IP source guard binding function configuration example I ····························································· 157
Dynamic IP source guard binding function configuration example II ···························································· 159
Troubleshooting IP source guard ································································································································ 160
Failed to configure static binding entries and dynamic binding function ····················································· 160
IP source guard configuration ································································································································ 161
IP source guard overview ············································································································································ 161
Configuring a static IP source guard binding entry ·································································································· 162
Configuring the dynamic IP source guard binding function ···················································································· 163
Displaying and maintaining IP source guard ············································································································ 163
IP source guard configuration examples ··················································································································· 164
Static IP source guard binding entry configuration example ·········································································· 164
Dynamic IP source guard binding function configuration example I ····························································· 165
Dynamic IP source guard binding function configuration example II ···························································· 167
Troubleshooting IP source guard ································································································································ 168
Failed to configure static binding entries and dynamic binding function ····················································· 168
URPF configuration ·················································································································································· 169
URPF overview ······························································································································································ 169
What is URPF ······················································································································································· 169
How URPF works ················································································································································· 169
Configuring URPF ························································································································································· 170
URPF configuration example ······································································································································· 171
URPF configuration ·················································································································································· 172
URPF overview ······························································································································································ 172
What is URPF ······················································································································································· 172
How URPF works ················································································································································· 172
Configuring URPF ························································································································································· 173
URPF configuration example ······································································································································· 174
Obtaining support for your product ······················································································································· 175
Register your product ··················································································································································· 175
Purchase value-added services ··································································································································· 175
Troubleshoot online ······················································································································································ 175
Access software downloads ········································································································································ 176
Telephone technical support and repair ···················································································································· 176
Contact us ····································································································································································· 176
Appendix A : RADIUS attributes ···························································································································· 177
Commonly used standard RADIUS attributes ············································································································ 177
Proprietary RADIUS sub-attributes of H3C ················································································································ 178
Acronyms ································································································································································· 180
Index ········································································································································································ 195
AAA configuration
The switch operates in IRF mode or standalone mode (the default). For more information about the IRF
mode, see IRF in the IRF Configuration Guide.
Introduction to AAA
Authentication, authorization, and accounting (AAA) provides a uniform framework for configuring
these three security functions when implementing network security management.
AAA usually uses a client/server model, where the client runs on the network access server (NAS)
and the server maintains user information centrally. In an AAA network, a NAS is a server for
users but a client for the AAA servers. See Figure 1.
Figure 1 AAA networking diagram
When you attempt to establish a connection to the NAS and to obtain the rights to access other
networks or network resources, the NAS authenticates you or the corresponding connection. The
NAS can transparently pass your AAA information to the server (RADIUS server or HWTACACS
server). The RADIUS/HWTACACS protocol defines how a NAS and a server exchange user
information.
The AAA network in Figure 1 has a RADIUS server and an HWTACACS server. You can
determine the authentication, authorization, and accounting methods according to the actual
requirements. For example, you can use the HWTACACS server for authentication and
authorization, and the RADIUS server for accounting.
The three security functions are described as follows:
• Authentication: Identifies remote users and determines whether they are legitimate.
• Authorization: Grants rights to users. For example, a user logging into the server can be
granted the permission to access and print the files on the server.
• Accounting: Records all network service usage information of users. This includes the service
type, start and end time, and traffic. In this way, accounting can be used for charging and
network security surveillance.
You can use AAA to provide one or two security functions. For example, if your company only
wants employees to be authenticated before they access specific resources, you only need to
configure an authentication server. If network usage information needs to be recorded, you must
also configure an accounting server.
AAA provides a uniform framework to implement network security management. It is a security
mechanism that enables authenticated and authorized entities to access specific resources and
records operations of the entities. The AAA framework thus allows for scalability and centralized
user information management.
AAA can be implemented through multiple protocols. Currently, the switch supports RADIUS and
HWTACACS for AAA, and RADIUS is often used in practice.
Introduction to RADIUS
Remote authentication dial-in user service (RADIUS) is a distributed information interaction protocol
in a client/server model. RADIUS can protect networks against unauthorized access and is often
used in network environments where both high security and remote user access are required.
Based on UDP, RADIUS uses UDP port 1812 for authentication and 1813 for accounting. RADIUS
defines the RADIUS packet format and message transfer mechanism.
RADIUS was originally designed for dial-in user access. With the diversification of access
methods, RADIUS now supports additional access methods, such as Ethernet and ADSL access.
RADIUS uses authentication and authorization when providing access services and uses
accounting to collect and record usage information of network resources.
Client/Server model
• Client: The RADIUS client runs on the NASs located throughout the network. It passes user
information to designated RADIUS servers and acts on the responses (for example, rejects or
accepts user access requests).
• Server: The RADIUS server runs on the computer or workstation at the network center and
maintains information related to user authentication and network service access. It listens to
connection requests, authenticates users, and returns the processing results (for example,
rejecting or accepting the user access request) to the clients.
In general, the RADIUS server maintains three databases: Users, Clients, and Dictionary. See
Figure 2:
Figure 2 RADIUS server components
• Users: Stores user information such as the username, password, applied protocols, and IP
address.
• Clients: Stores information about RADIUS clients, such as the shared keys and IP addresses.
• Dictionary: Stores information about the meanings of RADIUS protocol attributes and their
values.
Security and authentication mechanisms
Information exchanged between a RADIUS client and the RADIUS server is authenticated with a
shared key that is never transmitted over the network. This enhances information exchange security
and prevents user passwords from being intercepted in non-secure networks. RADIUS encrypts
passwords before transmitting them.
A RADIUS server supports multiple user authentication methods. Moreover, a RADIUS server can
act as the client of another AAA server to provide authentication proxy services.
Basic message exchange process of RADIUS
Figure 3 shows the interaction of the host, the RADIUS client, and the RADIUS server.
Figure 3 Basic message exchange process of RADIUS
RADIUS operates in the following way:
1. The host initiates a connection request carrying the username and password to the RADIUS
client.
2. Having received the username and password, the RADIUS client sends an authentication
request (Access-Request) to the RADIUS server, with the user password encrypted by using
the Message-Digest 5 (MD5) algorithm and the shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds,
it sends back an Access-Accept message containing the user’s authorization information. If
the authentication fails, it returns an Access-Reject message.
4. The RADIUS client permits or denies the user according to the returned authentication result.
If it permits the user, it sends a start-accounting request (Accounting-Request) to the RADIUS
server.
5. The RADIUS server returns a start-accounting response (Accounting-Response) and starts
accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection and the RADIUS client
sends a stop-accounting request (Accounting-Request) to the RADIUS server.
8. The RADIUS server returns a stop-accounting response (Accounting-Response) and stops
accounting for the user.
9. The user stops access to network resources.
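The password protection named in step 2, written out as an added example (not code from this manual or from H3C). It follows the User-Password hiding scheme of RFC 2865 section 5.2, which uses MD5, the shared key, and the 16-byte Request Authenticator; the function names, key, and password are constructed for illustration.

```python
import hashlib
import os


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a User-Password value the way a NAS does before sending Access-Request."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    # Pad with NUL bytes to a multiple of 16 so it splits into whole blocks.
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    chain = request_auth  # the first mask is MD5(secret + Request Authenticator)
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + chain).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        chain = block  # later masks chain on the previous hidden block
    return hidden


def recover_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: reverse the hiding with the same shared key and authenticator."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("hidden User-Password must be 16 to 128 bytes, multiple of 16")
    clear = b""
    chain = request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + chain).digest()
        clear += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        chain = hidden[i:i + 16]
    # The padding is indistinguishable from trailing NULs in the password itself.
    return clear.rstrip(b"\x00")


def new_request_authenticator() -> bytes:
    """A fresh, unpredictable authenticator per request, so masks are never reused."""
    return os.urandom(16)


if __name__ == "__main__":
    secret = b"constructed-shared-key"   # constructed sample, never sent on the wire
    auth = new_request_authenticator()
    wire_value = hide_user_password(b"constructed-pass", secret, auth)
    print(wire_value.hex())
    print(recover_user_password(wire_value, secret, auth))
```

Only the hidden value and the Request Authenticator travel in the packet; a server configured with a different shared key recovers garbage instead of the password, which is why a key mismatch shows up as an authentication failure.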
RADIUS packet format
RADIUS uses UDP to transmit messages. It ensures a smooth message exchange between the
RADIUS server and the client through a series of mechanisms, including the timer management
mechanism, retransmission mechanism, and slave server mechanism. Figure 4 shows the RADIUS
packet format.
Figure 4 RADIUS packet format
Descriptions of the fields are as follows:
1. The Code field (1-byte long) indicates the type of the RADIUS packet. Table 1 shows
potential values and their meanings.
Table 1 Main values of the Code field

| Code | Packet type | Description |
|------|-------------|-------------|
| 1 | Access-Request | From the client to the server. A packet of this type carries user information for the server to authenticate the user. It must contain the User-Name attribute and can optionally contain the attributes of NAS-IP-Address, User-Password, and NAS-Port. |
| 2 | Access-Accept | From the server to the client. If all the attribute values carried in the Access-Request are acceptable (the authentication succeeds), the server sends an Access-Accept response. |
| 3 | Access-Reject | From the server to the client. If any attribute value carried in the Access-Request is unacceptable, the server rejects the user and sends an Access-Reject response. |
| 4 | Accounting-Request | From the client to the server. A packet of this type carries user information for the server to start/stop accounting for the user. It contains the Acct-Status-Type attribute, which indicates whether the server is requested to start the accounting or to end the accounting. |
| 5 | Accounting-Response | From the server to the client. The server sends the client a packet to notify the client that it has received the Accounting-Request and has started recording the accounting information. |
2. The Identifier field (1-byte long) matches request packets and response packets and detects
retransmitted request packets. The request and response packets of the same type have the
same identifier.
3. The Length field (2-byte long) indicates the length of the entire packet, including the Code,
Identifier, Length, Authenticator, and Attribute fields. The value of the field ranges from 20 to
4096. Bytes beyond the length are considered padding and ignored. If the length of a
received packet is less than that indicated by the Length field, the packet is dropped.
4. The Authenticator field (16-byte long) authenticates replies from the RADIUS server, and is
also used in the password hiding algorithm. There are two kinds of authenticators: request
authenticator and response authenticator.
5. The Attribute field, with a variable length, carries the specific authentication, authorization,
and accounting information for defining configuration details of the request or response. This
field is represented in triplets of Type, Length, and Value.
• Type: One byte, in the range 1 to 255. It indicates the type of the attribute. See Table 2 for
commonly used attributes for RADIUS authentication, authorization and accounting.
• Length: One byte for indicating the length of the attribute in bytes, including the Type, Length,
and Value fields.
• Value: Value of the attribute, up to 253 bytes. Its format and content depend on the Type and
Length fields.
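The field rules above, applied to a datagram as an added example (not code from this manual or from H3C). The parser enforces the Length and attribute bounds described here. The reply check uses the Response Authenticator formula from RFC 2865, which this manual does not spell out. All names and sample values are constructed.

```python
import hashlib
import hmac
import struct

CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              4: "Accounting-Request", 5: "Accounting-Response"}


def parse_radius(datagram: bytes) -> dict:
    """Split a RADIUS datagram into header fields and (type, value) attributes."""
    if len(datagram) < 20:
        raise ValueError("shorter than the 20-byte fixed header")
    code, identifier, length = struct.unpack("!BBH", datagram[:4])
    if not 20 <= length <= 4096:
        raise ValueError("Length field outside 20..4096")
    if len(datagram) < length:
        raise ValueError("received fewer bytes than Length indicates: drop")
    packet = datagram[:length]          # bytes beyond Length are padding
    attributes, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("dangling byte where an attribute header should be")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        # Attribute Length counts the Type and Length bytes, so 2 is the minimum.
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length runs outside the packet")
        attributes.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return {"code": code, "code_name": CODE_NAMES.get(code, "unknown"),
            "identifier": identifier, "length": length,
            "authenticator": packet[4:20], "attributes": attributes, "raw": packet}


def response_is_authentic(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + secret)."""
    try:
        raw = parse_radius(response)["raw"]
    except ValueError:
        return False                    # malformed replies are dropped, not trusted
    expected = hashlib.md5(raw[:4] + request_auth + raw[20:] + secret).digest()
    return hmac.compare_digest(expected, raw[4:20])


def build_response(code, identifier, request_auth, attributes, secret) -> bytes:
    """Constructed helper that produces a correctly authenticated server reply."""
    for _, value in attributes:
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 bytes")
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + request_auth + body + secret).digest()
    return header + authenticator + body


if __name__ == "__main__":
    secret = b"constructed-shared-key"  # constructed sample values throughout
    request_auth = bytes(range(16))
    reply = build_response(2, 7, request_auth,
                           [(18, b"welcome"), (27, (3600).to_bytes(4, "big"))], secret)
    print(parse_radius(reply + b"\x00\x00")["attributes"])
    print(response_is_authentic(reply, request_auth, secret))
```

A reply whose attributes were altered in transit, or that was produced without the shared key, fails `response_is_authentic` even though it parses cleanly.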
Table 2 RADIUS attributes

| No. | Attribute | No. | Attribute |
|-----|-----------|-----|-----------|
| 1 | User-Name | 45 | Acct-Authentic |
| 2 | User-Password | 46 | Acct-Session-Time |
| 3 | CHAP-Password | 47 | Acct-Input-Packets |
| 4 | NAS-IP-Address | 48 | Acct-Output-Packets |
| 5 | NAS-Port | 49 | Acct-Terminate-Cause |
| 6 | Service-Type | 50 | Acct-Multi-Session-Id |
| 7 | Framed-Protocol | 51 | Acct-Link-Count |
| 8 | Framed-IP-Address | 52 | Acct-Input-Gigawords |
| 9 | Framed-IP-Netmask | 53 | Acct-Output-Gigawords |
| 10 | Framed-Routing | 54 | (unassigned) |
| 11 | Filter-ID | 55 | Event-Timestamp |
| 12 | Framed-MTU | 56-59 | (unassigned) |
| 13 | Framed-Compression | 60 | CHAP-Challenge |
| 14 | Login-IP-Host | 61 | NAS-Port-Type |
| 15 | Login-Service | 62 | Port-Limit |
| 16 | Login-TCP-Port | 63 | Login-LAT-Port |
| 17 | (unassigned) | 64 | Tunnel-Type |
| 18 | Reply-Message | 65 | Tunnel-Medium-Type |
| 19 | Callback-Number | 66 | Tunnel-Client-Endpoint |
| 20 | Callback-ID | 67 | Tunnel-Server-Endpoint |
| 21 | (unassigned) | 68 | Acct-Tunnel-Connection |
| 22 | Framed-Route | 69 | Tunnel-Password |
| 23 | Framed-IPX-Network | 70 | ARAP-Password |
| 24 | State | 71 | ARAP-Features |
| 25 | Class | 72 | ARAP-Zone-Access |
| 26 | Vendor-Specific | 73 | ARAP-Security |
| 27 | Session-Timeout | 74 | ARAP-Security-Data |