Array Networks vxAG (PAYG) - 5 Concurrent Users + 5 vSites

”, “<”, “&”, “/”, “\”, “,”, “"” and “''”.  The test certificate generated by the “ssl csr” command is only used for testing purposes, not for production systems. ssl ecc csr [curve_name] [signature_algorithm_index] This command is used to generate a CSR (Certificate Signing Request) and an SSL key pair based on the Elliptic Curve Cryptography (ECC) for the current virtual site. After this command is executed, the administrator will be led through a series of prompts so that the system can gather the required information to generate the ECC CSR. The administrator can choose to set the private key as exportable and set the passphrase for the private key to protect it. In addition, this command also generates a “test” certificate for the virtual site. If the administrator has not uploaded the intermediate CA certificates and root CA certificate of this “test” certificate using the commands “ssl import interca” and “ssl import rootca”, a warning message indicating an incomplete certificate chain will be displayed. 2000-2018 Array Networks, Inc. All Rights Reserved. 34Chapter 3 Virtual Site curve_name Optional. This parameter specifies the elliptic curve name. Its value must be “prime256v1”, “secp384r1”, or “secp521r1”. The default value is “prime256v1”. signature_algorithm_index Optional. This parameter specifies the index of the CSR signature algorithm. Its value must be sha256, sha384, sha512, and sha1. The default value is “sha256”. Note: If the elliptic curve field in the ClientHello message does not match the elliptic curve in the ECC certificate activated for the virtual site, the SSL handshake will fail. no ssl csr [csr_type] This command is used to delete the CSR of the specified type for the current virtual site. csr_type Optional. This parameter specifies the type of the CSR. Its value must be:  rsa: indicates the RSA CSR will be deleted.  sm2: indicates the SM2 CSR will be deleted.  ecc: indicates that the ECC CSR will be deleted.  all: indicates all types of CSRs will be deleted. The default value is “all”. show ssl csr [csr_type] This command is used to display the CSR of the specified type for the current virtual site. csr_type Optional. This parameter specifies the type of the CSR. Its value must be:  rsa: indicates the RSA CSR will be deleted.  sm2: indicates the SM2 CSR will be deleted.  ecc: indicates that the ECC CSR will be displayed.  all: indicates all types of CSRs will be deleted. The default value is “all”. ssl import key [key_index] [tftp_ip] [file_name] 2000-2018 Array Networks, Inc. All Rights Reserved. 35Chapter 3 Virtual Site This command is used to import a private key for the current virtual site. The administrator can import three private keys at most. The administrator can execute this command and copy-n-paste the private key directly into the CLI. The system also supports importing private keys from a remote TFTP server. key_index Optional. This parameter specifies the index to be associated with the imported key. Its value must be 1, 2 or 3, and defaults to 1. tftp_ip Optional. This parameter specifies the IP address of the remote TFTP server, which is required only when the private key is imported via TFTP. It value must be an IPv4 address. file_name Optional. This parameter specifies the file name of the key on the remote TFTP server, which is required only when the private key is imported via TFTP. Its value must be a string of 1 to 256 characters, and defaults to “ .key”. ssl export key [key_index] [key_type] This command is used to export a private key. After this command is executed, the specified key will be displayed. key_index Optional. This parameter specifies the index of the imported key to be exported. Its value must be 1, 2 or 3. If this parameter is not specified, the active key will be displayed. key_type Optional. This parameter specifies the type of the private key to be displayed. Its value must be:  rsa: indicates that the RSA private key will be displayed.  ecc: indicates that the ECC private key will be displayed.  all: indicates that both RSA and ECC private keys will be displayed. The default value is “all”. ssl import certificate [cert_index] [tftp_ip] [file_name] This command is used to import a certificate for the current virtual site. The administrator can import three certificates at most. The imported certificate can be activated by the command “ssl activate certificate [cert_index]”. The administrator can execute this command and copy-n-paste the PEM format certificate directly into the CLI. The system also supports importing PEM, DER and PFX formats as well as the certificates used by IIS 4, IIS 5 and Netscape iPlanet servers from a remote TFTP server. 2000-2018 Array Networks, Inc. All Rights Reserved. 36Chapter 3 Virtual Site cert_index Optional. This parameter specifies the index to be associated with the imported certificate. Its value must be 1, 2 or 3, and defaults to 1. tftp_ip Optional. This parameter specifies the IP address of the remote TFTP server, which is required only when the certificate is imported via TFTP. It value must be an IPv4 address. file_name Optional. This parameter specifies the file name of the certificate on the remote TFTP server, which is required only when the certifcate is imported via TFTP. Its value must be a string of 1 to 256 characters, and defaults to “ .crt”. no ssl certificate [cert_index] [cert_type] This command is used to delete an imported certificate of the specified type for the current virtual site. cert_index Optional. This parameter specifies the index of the certificate. Its value must be 1, 2 or 3. The default value is 1. cert_type Optional. This parameter specifies the type of the certificate. Its value must be:  rsa: indicates that the RSA certificate will be deleted.  ecc: indicates that the ECC certificate will be deleted.  all: indicates that both RSA and ECC certificates will be deleted. The default value is “all”. ssl activate certificate [cert_index] [cert_type] This command is used to activate an imported certificate as the default certificate. cert_index Optional. This parameter specifies the index of the certificate to be activated. Its value must be 1, 2 or 3. The default value is 1. cert_type Optional. This parameter specifies the type of certificate to be activated. Its value must be:  rsa: indicates the RSA certificate will be activated.  sm2: indicates the SM2 certificates will be activated. 2000-2018 Array Networks, Inc. All Rights Reserved. 37Chapter 3 Virtual Site  ecc: indicates that the ECC certificate will be activated.  all: indicates all types of certificates will be activated. The default value is “all”. Note:  For each type of certificate, only one certificate/key (with the same index) pair can stay active in the system. The certificate/key pair generated by the command “ssl csr” is active by default. The certificate/key pair generated by the command “ssl ecc csr” is active by default. The certificate/key pair generated by the “ssl sm2 csr” command is inactive by default.  If the elliptic curve field in the ClientHello message does not match the elliptic curve in the ECC certificate activated for the virtual site, the SSL handshake will fail. show ssl certificate [display_mode] [cert_index] [cert_type] This command is used to display an imported certificate. display_mode Optional. This parameter specifies the display mode of certificate. Its value must be:  complete: indicates that all the information of the certificate will be displayed.  simple: indicates that only Issuer, Validity and Subject of the certificate will be displayed. The default value is “complete”. cert_index Optional. This parameter specifies the index of the imported certificate to be displayed. Its value must be 1, 2 or 3. If this parameter is not specified, the active certificate will be displayed. cert_type Optional. This parameter specifies the type of certificate to be displayed. Its value must be:  rsa: indicates the RSA certificate will be displayed.  sm2: indicates the SM2 certificates will be displayed.  ecc: indicates that the ECC certificate will be displayed.  all: indicates all types of certificates will be displayed. The default value is “all”. 2000-2018 Array Networks, Inc. All Rights Reserved. 38Chapter 3 Virtual Site show ssl certinfo This global command is used to display the information about the SSL certificate(s) of a specified virtual site. virtual_site This parameter specifies the name of an existing virtual site. For example: AN#show ssl certinfo vs RSA certificates status: Cert Index Imported Status 1 YES Active 2 NO - 3 NO - ECC certificates status: Cert Index Imported Status 1 YES Active 2 NO - 3 NO - SM2 certificates status: Cert Index Imported Status Sign/Enc 1 YES/NO - 2 NO /NO - 3 NO /NO - ssl import rootca [tftp_ip] [file_name] Under the global scope, this command is used to import a trusted CA certificate for all the virtual sites. Under the virtual site scope, this command is used to import a trusted CA certificate for the current virtual site. The administrator can execute this command and copy-n-paste the trusted CA certificate of PEM format directly into the CLI. The system also supports importing trusted CA certificate of PEM and DER formats from a remote TFTP server. tftp_ip Optional. This parameter specifies the IP address of the remote TFTP server, which is required only when the trusted CA certificate is imported via TFTP. Its value must be an IPv4 address. file_name Optional. This parameter specifies the file name of the trusted CA certificate on the remote TFTP server, which is required only when the trusted CA certificate is imported via TFTP. Its value must be a 2000-2018 Array Networks, Inc. All Rights Reserved. 39Chapter 3 Virtual Site string of 1 to 256 characters, and defaults to “ .crt”. no ssl rootca [certificate_number] Under the global scope, this command is used to delete an imported trusted CA certificate from all the virtual sites. Under the virtual site scope, this command is used to delete an imported trusted CA certificate from the current virtual site. certificate_number Optional. This parameter specifies the serial number of the trusted CA certificate to be deleted. Administrators can find the serial number of the certificate via the “show ssl rootca” command. If this parameter is not specified, all the trusted CA certificates will be deleted. show ssl rootca [display_mode] Under the global scope, this command is used to display the trusted CA certificate imported for all the virtual sites. Under the virtual site scope, this command is used to display the trusted CA certificate imported for the current virtual site. display_mode Optional. This parameter specifies the display mode of certificate. Its value must be:  complete: indicates that all the information of the certificate will be displayed.  simple: indicates that only Issuer, Validity and Subject of the certificate will be displayed. The default value is “complete”. ssl import interca [tftp_ip] [file_name] This command is used to import an intermediate CA certificate for the current virtual site. The administrator can execute this command and copy-n-paste the intermediate CA certificate of PEM format directly into the CLI. The system also supports importing intermediate CA certificate of PEM and DER formats from a remote TFTP server. tftp_ip Optional. This parameter specifies the IP address of the remote TFTP server, which is required only when the intermediate CA certificate is imported via TFTP. Its value must be an IPv4 address. 2000-2018 Array Networks, Inc. All Rights Reserved. 40Chapter 3 Virtual Site file_name Optional. This parameter specifies the file name of the intermediate CA certificate on the remote TFTP server, which is required only when the intermediate CA certificate is imported via TFTP. Its value must be a string of 1 to 256 characters, and defaults to “ .crt”. no ssl interca [certificate_number] This command is used to delete an imported intermediate CA certificate from the current virtual site. certificate_number Optional. This parameter specifies the serial number of the intermediate CA certificate to be deleted. Administrators can find the serial number of the certificate via the “show ssl interca” command. If this parameter is not specified, all the intermediate CA certificates will be deleted. show ssl interca [display_mode] This command is used to display the intermediate CA certificate imported for the current virtual site. display_mode Optional. This parameter specifies the display mode of certificate. Its value must be:  complete: indicates that all the information of the certificate will be displayed.  simple: indicates that only Issuer, Validity and Subject of the certificate will be displayed. The default value is “complete”. ssl backup certificate This command is used to back up the certificate and the private key of the current virtual site into a PFX file. This PFX file will be zipped with the trusted CA certificate (refer to “ssl import rootca” command) and intermediate CA certificate (refer to “ssl import interca” command) into a .tgz file. This .tgz file can be stored in the local system or on a specified TFTP server. If anyone wants to access the .tgz file, the correct password is required. file_name This parameter specifies the file name. Its value must be a string of 1 to 256 characters, which is recommended to be enclosed by double quotes. Only numbers, letters and underscore “_” are supported.  To store the backup file locally, use a valid local file name 2000-2018 Array Networks, Inc. All Rights Reserved. 41Chapter 3 Virtual Site (excluding the path and extension).  To store the backup file on a remote server, use a properly formatted TFTP string (e.g., "tftp://server/filename"). password This parameter specifies the password that allows access to the backup file. Its value must be a string of 1 to 128 characters, which is recommended to be enclosed by double quotes. Only numbers, letters and underscore “_” are supported. no ssl backup certificate This command is used to delete the specified backup certificate/key file stored in the local system. The parameter “file_name” must be a valid local file name. show ssl backup certificate This command is used to display the backup certificate/key file that stored in the local system. ssl restore certificate The command is used to restore the certificate and the private key from a PFX file, which can be stored in the local system or on the remote TFTP server. The password string must be identical to the string entered when this backup file was produced using the “ssl backup certificate” command. file_name This parameter specifies the file name. password This parameter specifies the password that allows access to the specified backup file. ssl settings protocol This command is used to set the supported SSL protocol version for the current virtual site. The AG appliance supports three types of protocols: SSLv3, TLSv1 and TLSv1.2. version This parameter specifies the SSL protocol version. Its value must be:  SSLv3: indicates that SSLv3 protocol is supported.  TLSv1: indicates that TLSv1 protocol is supported.  TLSv12: indicates that TLSv1.2 protocol is supported.  SM2v11: indicates that SM2v1.1 protocol is supported.  ALL: indicates that the above four SSL protocols are all supported.  To use more than one protocol, use colon “:” to separate each 2000-2018 Array Networks, Inc. All Rights Reserved. 42Chapter 3 Virtual Site other. For cipher suites supported by each protocol, please refer to ArrayOS AG 9.4 User Guide. For example: AN(config)#ssl settings protocol SSLv3 AN(config)#ssl settings protocol ALL ssl settings ciphersuite This command is used to set the supported cipher suite for the current virtual site. cipher_string This parameter specifies the cipher suite. To use more than one cipher suite, use colon “:” to separate each other. Below is a list of supported cipher suites:  DES-CBC3-SHA  RC4-SHA  RC4-MD5  EXP-RC4-MD5  AES128-SHA  AES256-SHA  AES128-SHA256  AES256-SHA256  ECDHE-RSA-AES128-SHA  ECDHE-RSA-AES256-SHA  ECDHE-RSA-AES128-SHA256  ECDHE-RSA-AES256-SHA384  ECDHE-RSA-AES128-GCM-SHA256  ECDHE-RSA-AES256-GCM-SHA384  ECDHE-ECDSA-AES128-SHA  ECDHE-ECDSA-AES256-SHA  ECDHE-ECDSA-AES128-SHA256  ECDHE-ECDSA-AES256-SHA384  ECDHE-ECDSA-AES128-GCM-SHA256 2000-2018 Array Networks, Inc. All Rights Reserved. 43Chapter 3 Virtual Site  ECDHE-ECDSA-AES256-GCM-SHA384  ECC-SM4-SM3  ECDHE-SM4-SM3 Note: Only experienced administrators should use this command. If you have any questions regarding these settings, please call customer support BEFORE using this command. ssl settings signalgo This command is used to set the signature algorithm that will be used in the ServerKeyExchange message generated during SSL handshake for the current virtual site. This command takes effect for only the negotiation of ECDHE cipher suites. If the signature algorithm field in the ClientHello message matches multiple configured signature algorithms, the first one configured in this command will be used. If the signature algorithm field in the ClientHello message does not match any configured signature algorithm, the SSL handshake will fail. Please note that this configuration takes effect only when the TLSv1.2 protocol is used. If this command is not configured, the default signature algorithms are “sha256ECDSA:sha256RSA:sha384ECDSA:sha384RSA:sha512ECDSA:sha512RSA:sha224EC DSA:sha224RSA:sha1ECDSA:sha1RSA”. signature_algorithm This parameter specifies the signature algorithm that will be used in the ServerKeyExchange message generated during SSL handshake. Its value must be “sha256ECDSA”, “sha256RSA”, “sha384ECDSA”, “sha384RSA”, “sha512ECDSA”, “sha512RSA”, “sha224ECDSA”, “sha224RSA”, “sha1ECDSA”, and “sha1RSA”. Multiple signature algorithms can be configured. To use more than one signature algorithm, use colon “:” to separate each other. ssl settings curves This command is used to set the elliptic curve that will be used in the ServerKeyExchange message generated during SSL handshake for the current virtual site. This command takes effect for only the negotiation of ECDHE cipher suites. If the elliptic curve field in the ClientHello message matches multiple configured elliptic curves, the first one configured in this command will be used. If the elliptic curve field in the ClientHello message does not match any configured elliptic curve, the SSL handshake will fail. If this command is not configured, the default elliptic curves are “secp256r1:secp384r1:secp521r1”. curve_name This parameter specifies the name of the elliptic curve that will be used in the ServerKeyExchange message generated during SSL 2000-2018 Array Networks, Inc. All Rights Reserved. 44Chapter 3 Virtual Site handshake. Its value must be “secp256r1”, “secp384r1” and “secp521r1”. Multiple elliptic curves can be configured. To use more than one elliptic curve, use colon “:” to separate each other. ssl settings clientcert signalgo This command is used to set the signature algorithm that will be used in the CertificateRequest message generated during SSL handshake for the current virtual site. For TLSv1.2, the signature algorithm field in the CertificateRequest message contains all configured signature algorithms. For other SSL versions lower than TLSv 1.2, the configured signature algorithm must contain sha1RSA or sha1ECDSA; otherwise, the SSL handshake will fail. If this command is not configured, the default signature algorithms are “sha256ECDSA:sha256RSA:sha384ECDSA:sha384RSA:sha512ECDSA:sha512RSA:sha224EC DSA:sha224RSA:sha1ECDSA:sha1RSA”. signature_algorithm This parameter specifies the signature algorithm that will be used in the CertificateRequest message generated during SSL handshake. Its value must be “sha256ECDSA”, “sha256RSA”, “sha384ECDSA:”, “sha384RSA:”, “sha512ECDSA”, “sha512RSA:”, “sha224ECDSA:”, “sha224RSA”, “sha1ECDSA” and “sha1RSA”. Multiple signature algorithms can be configured. To use more than one signature algorithm, use colon “:” to separate each other. ssl settings clientauth [subject_filter] This command is used to enable the client authentication feature. If the host is an SSL virtual site, all SSL clients connecting to this virtual site must present a client certificate in order to proceed with communication. If the host is an SSL real host, it will present a certificate to the server when requested for further communication. In addition to basic client certificate validation, the SSL virtual site can also perform pattern matching of the certificate “Subject” field against a set of configured filter rules. If no match is found, client access will be denied. subject_filter Optional. This parameter specifies one or more certificate filter rules. Its value must be enclosed in double quotes with each rule separated by “/” (e.g., “/C=US/ST=CA”). If more than one rule is specified, rules will be enforced with an “AND” relationship (all rules must be matched). If this parameter is not specified, the system will not perform filtering on the “Subject” fields. 2000-2018 Array Networks, Inc. All Rights Reserved. 45Chapter 3 Virtual Site The filter rules can be configured with any of the RDNs (Relative Distinguished Name) supported by the AG appliances, including: RDN Standard Name OID C Country Name 2.5.4.6 ST State or Province Name 2.5.4.8 L Locality Name 2.5.4.7 O Organization Name 2.5.4.10 OU Organizational Unit Name 2.5.4.11 CN Common Name 2.5.4.3 SN Serial Number 2.5.4.5 dnQualifier DN Qualifier 2.5.4.46 Pseudonym Pseudonym 2.5.4.65 Title Title 2.5.4.12 GQ Generation Qualifier 2.5.4.44 Initials Initials 2.5.4.43 Name Name 2.5.4.41 givenName Given Name 2.5.4.42 Surname Surname 2.5.4.4 DC Domain Component 0.9.2342.19200300.100.1.25 emailAddress Email Address 1.2.840.113549.1.9.1 {OID expression} OID information, for example: 1.2.3.4 For example: AN(config)#ssl settings clientauth "/C=US/O=Array/OU=QA/emailAddress=admin@arraynetworks.com" In this example, all client certificates with the country name of “US”, organization name of “Array”, organizational unit name of “QA” and email address of “admin@arraynetworks.com” in the certificate “Subject" field will pass the subject filter. AN(config)#ssl settings clientauth "/2.5.4.6=JP" In this example, the OID “2.5.4.6” represents “Country Name”. All client certificates with the OID “2.5.4.6” of “JP” in the certificate “Subject” field will pass the subject filter. no ssl settings clientauth This command is used to disable the client authentication feature. ssl settings ocsp This command is used to configure the OCSP server and enable the OCSP server online check. After this command is executed, the AG appliance will first attempt to validate client certificates online through the OCSP server specified in the client certificate. If this validation fails, the AG appliance will then attempt to validate the client certificate online through the OCSP server configured by this command. 2000-2018 Array Networks, Inc. All Rights Reserved. 46Chapter 3 Virtual Site ocsp_server This parameter specifies the IP address of the OCSP server. Its value must be an IPv4 address. Note: If both the OCSP server and CRL check are configured, only the OCSP server will be used to validate the certificate. no ssl settings ocsp This command is used to disable the OCSP server online check. ssl import crlca [tftp_ip] [file_name] This command is used to import a CRL CA certificate for the current virtual site. When the AG appliance attempts to validate client certifiates using the CRL (Certificate Revocation List) issued by CA, CRL CA certificate is needed to verify the validity of the CRL files. The administrator can execute this command and copy-n-paste the CRL CA certificate of PEM format directly into the CLI. The system also supports importing CRL CA certificate of PEM and DER formats from a remote TFTP server. tftp_ip Optional. This parameter specifies the IP address of the remote TFTP server, which is required only when the CRL CA certificate is imported via TFTP. Its value must be an IPv4 address. file_name Optional. This parameter specifies the file name of the CRL CA certificate on the remote TFTP server, which is required only when the CRL CA certificate is imported via TFTP. Its value must be a string of 1 to 256 characters, and defaults to “ .crt”. no ssl crlca [certificate_number] This command is used to delete an imported CRL CA certificate from the current virtual site. certificate_number Optional. This parameter specifies the serial number of the CRL CA certificate to be deleted. Administrators can find the serial number of the certificate via the “show ssl crlca” command. If this parameter is not specified, all the CRL CA certificates will be deleted. show ssl crlca [display_mode] This command is used to display the CRL CA certificate imported for the current virtual site. display_mode Optional. This parameter specifies the display mode of certificate. Its value must be: 2000-2018 Array Networks, Inc. All Rights Reserved. 47Chapter 3 Virtual Site  complete: indicates that all the information of the certificate will be displayed.  simple: indicates that only Issuer, Validity and Subject of the certificate will be displayed. The default value is “complete”. ssl settings crl online This command is used to enable the CRL online check. After this command is executed, the AG appliance will attempt to validate the certificate using the CRL downloaded from the CDP (CRL Distribution Point) specified in the client certificate. This command will take effect only when the client authentication feature is enabled. Note: This command cannot be used together with the “ssl settings crl offline” command. no ssl settings crl online This command is used to disable the CRL online check. ssl settings crl offline [time_interval] [delay_time] This command is used to enable the CRL offline check. After this command is executed, the AG appliance will attempt to validate the certificate using the CRL downloaded from the configured CDP at the desired time interval. HTTP, FTP and LDAP are supported protocols to fetch the CRL files. For each virtual site, the administrator can configure ten CDPs. This command will only take effect when the client authentication feature is enabled. cdp_name This parameter specifies the name of the CDP. Its value must be a string of 1 to 32 characters. Only 0-9, a-z, A-Z and underscore “_” are supported. crl_distribution_point This parameter specifies the URL address of the CDP. Its value must be a string of 1 to 512 characters. time_interval Optional. This parameter specifies the time interval between CRL file downloads in minutes. Its value must be an integer ranging from 1 to 65,535, and defaults to 1440. delay_time Optional. This parameter specifies the delay time of the CRL file expiration in minutes. Its value must be an integer ranging from 1 to 2000-2018 Array Networks, Inc. All Rights Reserved. 48Chapter 3 Virtual Site 65,535, and defaults to 0.  When it is larger than 0, the AG appliance will check for expiration after downloading the CRL file. For example, if the current time is greater than the sum of the next update time (expiration time of this file) and delay time, the CRL file is expired and the AG appliance will refuse all SSL connections that need to authenticate the client certificate via the CRL. If the current time is less than or equal to the sum of the next update time and delay time, the CRL file is valid.  When it is equal to 0, the AG appliance will not check for expiration after downloading the CRL file. Note: Before executing this command, you must first import the CRL CA certificate via the “ssl import crlca” command. no ssl settings crl offline [cdp_name] This command is used to disable the CRL offline check. cdp_name Optional. This parameter specifies the name of the CDP. Its value must be:  the CDP name: indicates that CRL files will not be downloaded from the specified CDP.  ALL: indicates that the CRL files will not be downloaded from any CDP. The default value is “ALL”. show ssl crlstatus [cdp_name] This command is used to display the information of CRL files downloaded from the specified CDP. cdp_name Optional. This parameter specifies the name of the CDP. Its value must be:  the CDP name: indicates that the system will display the CRL files downloaded from the specified CDP.  ALL: indicates that the system will display the CRL files downloaded from all the CDP. The default value is “ALL”. ssl settings authmandatory 2000-2018 Array Networks, Inc. All Rights Reserved. 49Chapter 3 Virtual Site This command is used to enable the client mandatory authentication mode. By default, the client mandatory authentication mode is enabled. no ssl settings authmandatory This command is used to disable the client mandatory authentication mode. ssl settings acceptchain This command is used to enable the accept certificate chain function. Once enabled, the SSL virtual site will utilize the certificate chain sent by the peer during an SSL handshake to verify that peer’s certificate. The SSL virtual site will try to use the certificate chain from peer to form the certificate chain until it finds one CA certificate in its own trust CA list. This command will only take effect when client authentication is enabled. no ssl settings acceptchain This command is used to disable the accept certificate chain function. ssl settings minimum This command is used to specify the minimum encryption strength of the client. If any client connecting to this virtual site does not support the encryption strength specified by the “cipher_strength” parameter, it will be redirected to the URL specified by the “redirect_url” parameter. This command should only be used with SSL virtual sites doing HTTPS. cipher_strength This parameter specifies the minimum encryption strength in bits. Its value must be 40, 56, 128,168, 256 or 512. redirect_url This parameter specifies the HTTP or HTTPS URL address to redirect to. Its value must be a string of 1 to 512 characters. no ssl settings minimum This command is used to disable the minimum encryption strength requirement. ssl settings renegotiation This command is used to enable the SSL renegotiation function for the current virtual site. By default, the SSL renegotiation function is disabled for the virtual site. Note: The SM2v1.1 protocol does not support the SSL renegotiation function. no ssl settings renegotiation This command is used to disable the SSL renegotiation function for the current virtual site. ssl settings reuse 2000-2018 Array Networks, Inc. All Rights Reserved. 50Chapter 3 Virtual Site This command is used to enable the SSL session reuse function. By default, the SSL session reuse function is enabled. no ssl settings reuse This command is used to disable the SSL session reuse function. show ssl settings This command is used to display the SSL settings for the current virtual site. ssl globals sendclosenotify {on|off} This global command is used to enable or disable the function of sending SSL close notification. By default, this function is enabled. ssl globals ignoreclosenotify {on|off} This global command is used to enable or disable the function of the AG appliance ignoring the SSL close notification sent from the client. It applies to all configured SSL virtual sites. By default, this function is enabled.  If this function is enabled, the AG appliance will ignore SSL close notify errors when a client does not terminate an SSL connection correctly (or terminates an SSL connection without sending the Close Notify Alert). Consequently, the AG appliance will continue to reuse the associated SSL sessions.  If this function is disabled, the AG appliance will require the connection to be closed with the Close Notify Alert. In this case, if a client does not send the Close Notify Alert before closing a connection then the associated SSL session will be marked as invalid and flushed.  ssl globals verifycert {on|off} This global command is used to enable or disable the server certificate verification function. This function is needed when the AG appliance needs to verify the certificates sent by the backend servers. After this function is enabled, trusted root CA certificates should be imported under the global scope. By default, this function is disabled. ssl globals renegotiation {on|off} This global command is used to enable or disable the SSL renegotiation function globally. By default, this function is disabled globally. Note: When any virtual site uses certificate authentication, the SSL renegotiation function needs to be enabled globally. ssl globals fastcrl {on|off} This global command is used to enable or disable CRL memory. When enabled, the CRL files on disk will be loaded into memory immediately. By default, this function is disabled. ssl globals sessiontimeout 2000-2018 Array Networks, Inc. All Rights Reserved. 51Chapter 3 Virtual Site This global command is used to set the SSL session cache timeout value. timeout This parameter specifies the timeout value in seconds. Its value must be an integer ranging from 60 to 86,400 characters. show ssl globals This global command is used to display SSL global settings. ssl start This command is used to enable SSL service for a specific host. All services associated with this specified SSL virtual site will be affected. The AG appliance will check the certificate chain for the SSL virtual site when starting the virtual site. A warning message, stating that the certificate chain is incomplete will be displayed if the certificate chain cannot be formed using the intermediate CA file and global trusted CA file. Note: SSL virtual site settings cannot be changed while SSL is enabled. To make changes, SSL must first be disabled (see the “ssl stop” command below). ssl stop This command is used to disable the SSL service for a specific host. It will not remove the associated information such as key and certificate data. clear ssl This command is used to clear the SSL configurations, including the key and certificate pair. If this command is executed, there is no way to retrieve the key even if there is a copy of the CSR. To reconfigure SSL for this virtual site, a new key and a replacement certificate will need to be created. Note: To execute this command, all services associated with this specified SSL virtual site will be affected. show statistics ssl This command is used to display all the SSL statistics for the current virtual site. clear statistics ssl This command is used to clear all relative SSL statistics for the current virtual site. SM2 ssl globals sm2 {on|off} This global command is used to enable or disable the SM2 function. By default, this function is disabled. 2000-2018 Array Networks, Inc. All Rights Reserved. 52Chapter 3 Virtual Site ssl sm2 csr [curve_name] [csr_format] This command is used to generate an SM2 CSR and an SM2 signature key pair for the current virtual site. Please enable the SM2 function first before executing this command. After this command is executed, the administrator will be led through a series of prompts so that the system can gather the required information to generate the CSR. The administrator can choose to set the private key as exportable and set the passphrase for the private key to protect it. In addition, this command also generates a “test” signature certificate for the virtual site. Please refer to the “ssl csr” command for the requested data and other details displayed after this command is executed. curve_name Optional. This parameter specifies the curve name used by the SM2 algorithm. Its value must only be “sm2”. The default value is “sm2”. csr_format Optional. This parameter specifies the CSR format. Its value must be “SCCA” or “CFCA”. The default value is “SCCA”. ssl sm2 import enckey [key_index] [tftp_ip] [file_name] This command is used to import an SM2 encryption key for the current virtual site. The administrator can import three private keys at most. The administrator can execute this command and copy-n-paste the private key directly into the CLI. The system also supports importing private keys from a remote TFTP server. key_index Optional. This parameter specifies the index to be associated with the imported SM2 encryption key. Its value must be 1, 2 or 3. The default value is 1. tftp_ip Optional. This parameter specifies the IP address of the remote TFTP server. This parameter needs to be specified when you want to import the SM2 encryption key from a remote TFTP server. It value must be an IPv4 address. file_name Optional. This parameter specifies the file name of the SM2 encryption key on the remote TFTP server. This parameter needs to be specified when you want to import the SM2 encryption key from a remote TFTP server. Its value must be a string of 1 to 256 characters. The default value is “ .key”. ssl sm2 export enckey [key_index] This command is used to export an SM2 encryption key. After this command is executed, the specified key will be displayed. 2000-2018 Array Networks, Inc. All Rights Reserved. 53Chapter 3 Virtual Site key_index Optional. This parameter specifies the index of the imported SM2 encryption key to be exported. Its value must be 1, 2 or 3. If this parameter is not specified, the active key will be displayed. ssl sm2 import encevp [key_index] [digital_envelope_format] [tftp_ip] [file_name] This command is used to import an SM2 digital envelope returned by CA for the current virtual site. Before importing the SM2 digital envelope of the SCCA format, please import the corresponding SM2 signature key first using the “ssl sm2 import signkey” command. The administrator can execute this command and copy-n-paste the SM2 digital envelope directly into the CLI. The system also supports importing private keys from a remote TFTP server. key_index Optional. This parameter specifies the index to be associated with the imported SM2 encryption key. Its value must be 1, 2 or 3. The default value is 1. digital_envelope_format Optional. This parameter specifies the format of the SM2 digital envelope obtained from the trusted CA. Its value must be “SCCA” or “CFCA”. The default value is “SCCA”. tftp_ip Optional. This parameter specifies the IP address of the remote TFTP server. This parameter needs to be specified when you want to import the SM2 digital envelope from a remote TFTP server. It value must be an IPv4 address. file_name Optional. This parameter specifies the file name of the SM2 digital envelope on the remote TFTP server. This parameter needs to be specified when you want to import the SM2 digital envelope from a remote TFTP server. Its value must be a string of 1 to 256 characters. The default value is “ .evp”. ssl sm2 import enccertificate [cert_index] [tftp_ip] [file_name] This command is used to import an SM2 encryption certificate for the current virtual site. The administrator can import three certificates at most. The imported certificate can be activated by the command “ssl activate certificate [cert_index]”. The administrator can execute this command and copy-n-paste the PEM format certificate directly into the CLI. The system also supports importing PEM, DER and PFX formats as well as the certificates used by IIS 4, IIS 5 and Netscape iPlanet servers from a remote TFTP server. cert_index Optional. This parameter specifies the index to be associated with the imported SM2 encryption certificate. Its value must be 1, 2 or 3. 2000-2018 Array Networks, Inc. All Rights Reserved. 54Chapter 3 Virtual Site The default value is 1. tftp_ip Optional. This parameter specifies the IP address of the remote TFTP server. This parameter needs to be specified when you want to import the SM2 encryption certificate from a remote TFTP server. It value must be an IPv4 address. file_name Optional. This parameter specifies the file name of the SM2 encryption certificate on the remote TFTP server. This parameter needs to be specified when you want to import the SM2 encryption certificate from a remote TFTP server. Its value must be a string of 1 to 256 characters. The default value is “ .crt”. no ssl sm2 enccertificate [cert_index] This command is used to delete an imported SM2 encryption certificate. The corresponding SM2 encryption key pair will also be deleted. ssl sm2 import signkey [key_index] [tftp_ip] [file_name] This command is used to import an SM2 signature key for the current virtual site. The administrator can import three private keys at most. The administrator can execute this command and copy-n-paste the private key directly into the CLI. The system also supports importing private keys from a remote TFTP server. key_index Optional. This parameter specifies the index to be associated with the imported SM2 signature key. Its value must be 1, 2 or 3. The default value is 1. tftp_ip Optional. This parameter specifies the IP address of the remote TFTP server. This parameter needs to be specified when you want to import the SM2 signature key from a remote TFTP server. It value must be an IPv4 address. file_name Optional. This parameter specifies the file name of the SM2 signature key on the remote TFTP server. This parameter needs to be specified when you want to import the SM2 signature key from a remote TFTP server. Its value must be a string of 1 to 256 characters. The default value is “ .key”. ssl sm2 export signkey [key_index] This command is used to export an SM2 signature key. After this command is executed, the specified key will be displayed. 2000-2018 Array Networks, Inc. All Rights Reserved. 55Chapter 3 Virtual Site key_index Optional. This parameter specifies the index of the imported SM2 signature key to be exported. Its value must be 1, 2 or 3. If this parameter is not specified, the active key will be displayed. ssl sm2 import signcertificate [cert_index] [tftp_ip] [file_name] This command is used to import an SM2 signature certificate for the current virtual site. The administrator can import three certificates at most. The imported certificate can be activated by the command “ssl activate certificate [cert_index]”. The administrator can execute this command and copy-n-paste the PEM format certificate directly into the CLI. The system also supports importing PEM, DER and PFX formats as well as the certificates used by IIS 4, IIS 5 and Netscape iPlanet servers from a remote TFTP server. cert_index Optional. This parameter specifies the index to be associated with the imported SM2 signature certificate. Its value must be 1, 2 or 3. The default value is 1. tftp_ip Optional. This parameter specifies the IP address of the remote TFTP server. This parameter needs to be specified when you want to import the SM2 signature certificate from a remote TFTP server. It value must be an IPv4 address. file_name Optional. This parameter specifies the file name of the SM2 signature certificate on the remote TFTP server. This parameter needs to be specified when you want to import the SM2 signature certificate from a remote TFTP server. Its value must be a string of 1 to 256 characters. The default value is “ .crt”. no ssl sm2 signcertificate [cert_index] This command is used to delete an imported SM2 signature certificate. The corresponding SM2 signature key pair will also be deleted. 2000-2018 Array Networks, Inc. All Rights Reserved. 56Chapter 4 AAA Chapter 4 AAA The AAA module provides user authentication, authorization and accounting functions. The commands in this chapter illustrate how to deploy this module. General Settings aaa {on|off} This command is used to enable or disable the AAA function for the virtual site. When this function is enabled, users will have to log in before gaining access to internal resources; when this function is disabled, users will automatically pass authentication and obtain authorized resources according to their assigned roles. Note that any roles depending on “Group Name” conditions will no longer work. Roles depending on other conditions still work as before such as “Username” (all users will be assigned the same “guest” username), AAA method, Source IP, and Login Time. By default, this function is enabled. show aaa configure This command is used to display the AAA configurations of the virtual site. clear aaa configure This command is used to clear the AAA configurations of the virtual site.  AAA Lockout Note:  If AAA lockout and LocalDB lockout are both configured, only the configurations of AAA lockout will take effect.  The AAA lockout function cannot take effect for the certificate authentication.  The configurations of AAA lockout cannot be synchronized to the peer HA units.  For the two-step SMS authentication, the AAA lockout function takes effect only for the static authentication, such as LocalDB and LDAP, and cannot take effect for the SMS verification code authentication.  ForAAA servers with multiple AAA methods configured, the AAA lockout function takes effect for all AAA methods in the rank list.  With the system reboot, the recorded number of login failures of all AAA accounts will be cleared. aaa lockout auto loginfailure [failure_times] [duration] 2000-2018 Array Networks, Inc. All Rights Reserved. 57Chapter 4 AAA This command is used to enable automatic login-failure lockout for all AAA accounts. A AAA account will be locked out after the number of login failures using this account reaches the specified value of the parameter “failure_times”. By default, this function is disabled. failure_times Optional. This parameter specifies the number of login failures for locking out AAA accounts. Its value must be an integer ranging from 1 to 65,535. The default value is 10. duration Optional. This parameter specifies the duration of the lockout in seconds. Its value must be an integer ranging from 0 to 4,294,967,295. The default value is 0, indicating that the AAA account will remain locked out until being manually unlocked by using the command “aaa lockout unlock”. no aaa lockout auto loginfailure This command is used to disable automatic login-failure lockout for all AAA accounts. show aaa lockout auto loginfailure This command is used to display the configuration of automatic login-failure lockout for all AAA accounts. aaa lockout manual [duration] This command is used to manually lock out a specified AAA account for a specific duration. account_name This parameter specifies the name of the AAA account to be locked out. duration Optional. This parameter specifies the duration of the lockout in seconds. Its value must be an integer ranging from 0 to 4,294,967,295. The default value is 0, indicating that the account will be locked out until being manually unlocked by using the command “aaa lockout unlock [account_name]”. aaa lockout list [lockout_type] [account_name] [start] [count] This command is used to display the currently locked AAA accounts. lockout_type Optional. This parameter specifies the type of the locked AAA accounts. Its value must be “auto”, “manual” or “all”. The default value is “all”, indicating that all types of locked AAA accounts will be displayed. account_name Optional. This parameter specifies the name of the locked AAA account. Its value must be a case-sensitive string of 1 to 64 2000-2018 Array Networks, Inc. All Rights Reserved. 58Chapter 4 AAA characters.  If the parameter is specified, the specified locked AAA account will be displayed.  If the parameter is not specified, all locked AAA accounts will be displayed. The default value is empty. start Optional. This parameter specifies the start of locked AAA accounts from which to be displayed. Its value must be an integer ranging from 1 to 4,294,967,295 and the default value is 1. count Optional. This parameter specifies the number of locked AAA accounts to be displayed. Its value must be an integer ranging from 1 to 4,294,967,295. The default value is 0, indicating all locked AAA accounts will be displayed. aaa lockout unlock [account_name] This command is used to unlock a previously locked AAA account. account_name Optional. This parameter specifies the name of the AAA account to be unlocked. The default value is empty, indicating all locked AAA accounts will be unlocked. show aaa lockout count This command is used to display the statistics of locked AAA accounts. Server aaa server name [description] This command is used to define a AAA server of a particular type. type This parameter specifies the type of the AAA server. Its value must only be:  localdb  ldap  radius  certificate 2000-2018 Array Networks, Inc. All Rights Reserved. 59Chapter 4 AAA  sms  smx  http server_name This parameter specifies the name of the AAA server, which must be unique among all servers in the same virtual site. Its value must be a string of 1 to 32 characters. For LocalDB, the server name must be the same as the virtual site name. In addition, only one LocalDB server can be defined per virtual site. For SMX, the characters for the server name must only contain 0-9, a-z, A-Z, and characters “_” and “-”. description Optional. This parameter specifies the server description. Its value must be a string of 1 to 127 characters. If it is not specified, the default description will be the value of “server_name”. Note: Please ensure that the SSL renegotiation feature has been enabled both globally and for the virtual site under the following conditions:  Multiple AAA methods are configured and one of them uses the Certificate authentication (no matter the AAA method includes the Certificate authentication only or is multi-factor authentication including Certificate authentication)  The AAA rank function is disabled. no aaa server name This command is used to delete a specified AAA server. show aaa server name This command is used to display all the configured AAA servers. LocalDB  LocalDB Server aaa server localdb usernamecaseinsensitive This command is used to set the username as case-insensitive during the LocalDB authentication. Note: Please delete LocalDB accounts with usernames different only in case sensitivity before this command is configured. 2000-2018 Array Networks, Inc. All Rights Reserved. 60Chapter 4 AAA no aaa server localdb usernamecaseinsensitive This command is used to set the username as case-sensitive during the LocalDB authentication. aaa server localdb defaultgroup This command is used to define the default group assigned to authenticated users who do not belong to any other LocalDB group. default_group This parameter specifies the name of the default LocalDB group. Its value must be a string of 1 to 80 characters. no aaa server localdb defaultgroup This command is used to delete the default LocalDB group configured for authenticated users who do not belong to any other LocalDB group. show aaa server localdb defaultgroup This command is used to display the default LocalDB group configured for authenticated users who do not belong to any other LocalDB group. aaa server localdb authmode [mode] This command is used to set the mode of the LocalDB authentication. If this command is not configured, the LocalDB server uses only the static password for authentication. mode Optional. This parameter specifies the mode of the LocalDB authentication. Its value must be:  0: indicates that users only need to input the static password to log into the virtual site.  1: indicates that users only need to input the dynamic password (generated by the MotionProOTP application installed on the mobile phone) to log into the virtual site. For example, if the dynamic code is “768950”, users should input “768950” to log into the virtual site.  2: indicates that users need to input both the static password and dynamic password to log into the virtual site. For example, if the static password is “a” and the dynamic code is “768950”, users should input “a768950” to log into the virtual site. The default value is 0. show aaa server localdb authmode This command is used to display the mode of the LocalDB authentication. aaa server localdb dynamiccode rebind {enable|disable} 2000-2018 Array Networks, Inc. All Rights Reserved. 61Chapter 4 AAA This command is used to enable or disable the dynamic code rebinding for LocalDB accounts. With this function enabled, after logging into the MotionProOTP application in one mobile client, the user can also log into the MotionProOTP application in another mobile client with the same LocalDB account. The old registered credential of the user will be replaced by the new registered credential. By default, this function is disabled.  LocalDB Account localdb account [phone] [mail] [nfs_group] [nfs_account] [custom_info1] [custom_info2] [custom_info3] [custom_info4] [custom_info5] This command is used to create a new LocalDB account or update the existing LocalDB account. If the administrator wants to use LocalDB authentication or the Site2Site VPN function, this command must be configured. For the Site2Site VPN function, a LocalDB account should be configured for each spoke to log into the virtual site. account_name This parameter specifies the name of the LocalDB account to be created or updated. Its value must be a case-sensitive string of 1 to 64 characters. password This parameter specifies the password of the LocalDB account. Its value must be a case-sensitive string of 1 to 32 characters enclosed by double quotes. Only 0-9, a-z, A-Z, the space character and some special printable ASCII characters such as ! @ # $ % ^ & * ( ) _ - ~ = { } [ ] | \ / ? : ; ’ ` < > , . are allowed. phone Optional. This parameter specifies the telephone number of the LocalDB account. Its value must be a string of 1 to 32 characters enclosed by double quotes. Only numbers, spaces, “+” and “-” are allowed. The default value is empty. mail Optional. This parameter specifies the mail address of the LocalDB account in the format of “abc@xyz.com”. Its value must be a string of 1 to 128 characters enclosed by double quotes. The default value is empty. nfs_group Optional. This parameter specifies the NFS (Network File System) group ID of the LocalDB account. Its value must be an integer ranging from 0 to 65,535. The default value is 0. nfs_account Optional. This parameter specifies the NFS (Network File System) account of the LocalDB account. Its value must be an integer ranging from 0 to 65,535. The default value is 0. 2000-2018 Array Networks, Inc. All Rights Reserved. 62Chapter 4 AAA custom_info1 Optional. This parameter specifies the customized user information of the LocalDB account. Its value must be a string of 1 to 256 characters. The default value is empty. custom_info2 Optional. This parameter specifies the customized user information of the LocalDB account. Its value must be a string of 1 to 256 characters. The default value is empty. custom_info3 Optional. This parameter specifies the customized user information of the LocalDB account. Its value must be a string of 1 to 256 characters. The default value is empty. custom_info4 Optional. This parameter specifies the customized user information of the LocalDB account. Its value must be a string of 1 to 256 characters. The default value is empty. custom_info5 Optional. This parameter specifies the customized user information of the LocalDB account. Its value must be a string of 1 to 256 characters. The default value is empty. no localdb account This command is used to delete an existing LocalDB account. show localdb account [account_name] [group_name] [start] [count] [column] [index] This command is used to display the specified LocalDB account. account_name Optional. This parameter specifies a string to match the existing LocalDB accounts. Its value must be a case-sensitive string of 1 to 64 characters.  If the parameter is specified, LocalDB accounts whose names including this string will be displayed.  If the parameter is not specified, all LocalDB accounts will be displayed. The default value is empty. group_name Optional. This parameter specifies the name of the LocalDB group to which the LocalDB accounts to be displayed belongs to.  If this parameter is specified, only LocalDB accounts belong to the LocalDB group will be displayed. 2000-2018 Array Networks, Inc. All Rights Reserved. 63Chapter 4 AAA  If this parameter is not specified, the displayed LocalDB accounts will not be filtered by the LocalDB group. The default value is empty. start Optional. This parameter specifies the start of LocalDB accounts from which to be displayed. Its value must be an integer ranging from 1 to 4,294,967,295 and the default value is 1. count Optional. This parameter specifies the number of LocalDB accounts to be displayed. Its value must be an integer ranging from 1 to 4,294,967,295. The default value is 0, indicating all LocalDB accounts will be displayed. column Optional. This parameter specifies the columns of a LocalDB account entry to be displayed. This parameter supports the following columns that must be represented by the letters in the brackets in the parameter value: user_name(U), telephone(T), e-mail(E), nfs_info(N), coutom_info1-5(C), assigned_group(G), force_passwd_change(F), lockout_manual(M), lockout_manual_expires_time(L), passwd_expire_time(P), ip(I), netmask(K), and user_passwd(W). The parameter value is case-sensitive and can support multiple columns. The default value is “UTENC”. index Optional. This parameter specifies how to sort the displayed LocalDB accounts in the output. This parameter supports sorting LocalDB accounts by: user_name (alphabetical or U), create_time(time), telephone(T), e-mail(E), coutom_info1-5(coutom_info1-5), lockout_manual_expires_time(L), passwd_expire_time(P), ip(I), or netmask(K). This parameter value is case-insensitive and the default value is “alphabetical”. clear localdb account This command is used to delete all existing LocalDB accounts. show statistics localdb account [account_name] [group_name] This command is used to display the LocalDB account statistics. account_name Optional. This parameter specifies a string to match the existing LocalDB accounts. Its value must be a case-sensitive string of 1 to 64 characters. 2000-2018 Array Networks, Inc. All Rights Reserved. 64Chapter 4 AAA  If this parameter is specified, LocalDB accounts statistics whose account names including this string will be displayed.  If the parameter is not specified, the statistics of all LocalDB accounts will be displayed. The default value is empty. group_name Optional. This parameter specifies the name of the LocalDB group to which the LocalDB accounts to be displayed belongs to.  If this parameter is specified, only LocalDB account statistics belongs to the LocalDB group will be displayed.  If this parameter is not specified, the displayed LocalDB account statistics will not be filtered by the LocalDB group. The default value is empty. localdb update accountname This command is used to change the name of the specified LocalDB account. account_name This parameter specifies the original LocalDB account name. new_account_name This parameter specifies the new account name for the LocalDB account. Its value must be a string of 1 to 64 characters. localdb update password This command is used to change the password of the specified LocalDB account. If the command “localdb passwdqc oldpasswd” is configured, the new password must not be the same as the old password. account_name This parameter specifies the name of the LocalDB account. new_password This parameter specifies the new password of the LocalDB account. Its value must be a case-sensitive string of 1 to 32 characters enclosed by double quotes. Only 0-9, a-z, A-Z, the space character and some special printable ASCII characters such as ! @ # $ % ^ & * ( ) _ - + = { } [ ] | \ / ? : ; ’ < > , . are allowed. The string cannot contain any of the characters “ ~ `”.  LocalDB Group localdb group [nfs_group] This command is used to add a LocalDB group. 2000-2018 Array Networks, Inc. All Rights Reserved. 65Chapter 4 AAA group_name This parameter specifies the name of the LocalDB group. Its value must be a case-sensitive string of 1 to 64 characters. nfs_group Optional. This parameter specifies the name of the NFS file share group. Its value must be an integer ranging from 0 to 65,535. The default value is 0. no localdb group This command is used to delete a specified LocalDB group. show localdb group [group_name] [account_name] [start] [count] [column] [index] This command is used to display the specified LocalDB group. group_name Optional. This parameter specifies a string to match the existing LocalDB groups. Its value must be a case-sensitive string of 1 to 64 characters.  If this parameter is specified, the LocalDB groups whose names including the string will be displayed.  If this parameter is not specified, all LocalDB groups will be displayed. The default value is empty. account_name Optional. This parameter specifies the name of the LocalDB account.  If this parameter is specified, only LocalDB groups including the specified LocalDB accounts will be displayed.  If this parameter is not specified, the displayed LocalDB groups will not be filtered by the LocalDB account. The default value is empty. start Optional. This parameter specifies the start of LocalDB groups from which to be displayed. Its value must be an integer ranging from 1 to 4,294,967,295. The default value is 1. count Optional. This parameter specifies the number of LocalDB groups to be displayed. Its value must be an integer ranging from 1 to 4,294,967,295. The default value is 0, indicating all LocalDB accounts will be displayed. 2000-2018 Array Networks, Inc. All Rights Reserved. 66Chapter 4 AAA column Optional. This parameter specifies the columns of a LocalDB group entry to be displayed. This parameter supports the following columns that must be represented by the letters in the brackets in the parameter value: user_name(U), telephone(T), e-mail(E), nfs_info(N), coutom_info1-5(C), assigned_group(G), force_passwd_change(F), lockout_manual(M), lockout_manual_expires_time(L), passwd_expire_time(P), ip(I), netmask(K), and user_passwd(W). The parameter value is case-sensitive and can support multiple columns. The default value is “UTENC”. index Optional. This parameter specifies how to sort the displayed LocalDB groups in the output. This parameter supports sorting LocalDB groups by: user_name (alphabetical or U), create_time(time), telephone(T), e-mail(E), coutom_info1-5(coutom_info1-5), lockout_manual_expires_time(L), passwd_expire_time(P), ip(I) or netmask(K). This parameter value is case-insensitive and the default value is “alphabetical”. clear localdb group This command is used to delete all existing LocalDB groups. localdb update groupname This command is used to change the name of an existing LocalDB group. group_name This parameter specifies the original name of the LocalDB group. Its value must be a string of 1 to 64 characters. new_groupname This parameter specifies the new name of the LocalDB group. Its value must be a string of 1 to 64 characters. localdb member This command is used to associate an existing LocalDB account with an existing LocalDB group. One LocalDB account can be associated with 20 LocalDB groups. group_name This parameter specifies the name of the LocalDB group. Its value must be a string of 1 to 64 characters. account_name This parameter specifies the name of the LocalDB account. Its value must be a string of 1 to 64 characters. no localdb member 2000-2018 Array Networks, Inc. All Rights Reserved. 67Chapter 4 AAA This command is used to disassociate an existing LocalDB account from an existing LocalDB group. show localdb member account [account_name] This command is used to display the associations of LocalDB groups with the specified LocalDB account. If the “account_name” parameter is not specified, all associations between LocalDB groups and accounts in the LocalDB will be displayed. show localdb member group [group_name] This command is used to display the associations of LocalDB accounts with the specified LocalDB group. If the “group_name” parameter is not specified, all associations between LocalDB groups and accounts in the LocalDB will be displayed. clear localdb member [group_name] This command is used to disassociate all LocalDB accounts from the specified LocalDB group. If the “group_name” parameter is not specified, all LocalDB accounts are disassociated with all LocalDB groups. show statistics localdb group [group_name] [account_name] This command is used to display the LocalDB group statistics. group_name Optional. This parameter specifies a string to match the existing LocalDB groups. Its value must be a case-sensitive string of 1 to 64 characters.  If this parameter is specified, LocalDB group statistics whose group names including the string will be displayed.  If this parameter is not specified, the statistics of all LocalDB groups will be displayed. The default value is empty. account_name Optional. This parameter specifies the name of the LocalDB account.  If this parameter is specified, only LocalDB group statistics including the specified LocalDB accounts will be displayed.  If this parameter is not specified, the displayed LocalDB group statistics will not be filtered by the LocalDB account. The default value is empty.  LocalDB Account Password Settings localdb passwdqc length [length] 2000-2018 Array Networks, Inc. All Rights Reserved. 68Chapter 4 AAA This command is used to enable the password checking policy requiring a minimum password length. By default, this policy is disabled. After this command is configured, to update the password of the existing LocalDB account or create a new account, the length of the new password must be greater than or equal to the value specified by the parameter “length”. length Optional. This parameter specifies the minimum length of the LocalDB account password. Its value must be an integer ranging from1 to 32. The default value is 8. no localdb passwdqc length This command is used to disable the password checking policy requiring a minimum password length. localdb passwdqc upperchar This command is used to enable the password checking policy requiring at least one upper-case character in the LocalDB account password. By default, this policy is disabled. After this command is configured, to update the password of the existing LocalDB account or create a new account, the new password must include at least one upper-case letter. no localdb passwdqc upperchar This command is used to disable the password checking policy requiring at least one upper-case letter in the LocalDB account password. localdb passwdqc lowerchar This command is used to enable the password checking policy requiring at least one lower-case character in the LocalDB account password. By default, this policy is disabled. After this command is configured, to update the password of the existing LocalDB account or create a new account, the new password must include at least one lower-case character. no localdb passwdqc lowerchar This command is used to disable the password checking policy requiring at least one lower-case letter in the LocalDB account password. localdb passwdqc numchar This command is used to enable the password checking policy requiring at least one numeric character in the LocalDB account password. By default, this policy is disabled. After this command is configured, to update the password of the existing LocalDB account or create a new account, the new password must include at least one numeric character. no localdb passwdqc numchar This command is used to disable the password checking policy requiring at least one numeric character in the LocalDB account password. localdb passwdqc nonalphanum 2000-2018 Array Networks, Inc. All Rights Reserved. 69Chapter 4 AAA This command is used to enable the password checking policy requiring at least one non-alphanumeric character in the LocalDB account password. By default, this policy is disabled. After this command is configured, to update the password of the existing LocalDB account or create a new account, the new password must include at least one non-alphanumeric character. no localdb passwdqc nonalphanum This command is used to disable the password checking policy requiring at least one non-alphanumeric character in the LocalDB account password. localdb passwdqc username This command is used to enable the password checking policy requiring that the username cannot be a subset of the password. By default, this policy is disabled. After this command is configured, to update the password of the existing LocalDB account or create a new account, the new password cannot include the account name. no localdb passwdqc username This command is used to disable the password checking policy requiring that the password cannot be a subset of the username. localdb passwdqc oldpasswd This command is used to enable the password checking policy requiring that the new password cannot be the same as the old password. By default, this policy is disabled. After this command is configured, to update the password of the existing LocalDB account or create a new account, the new password cannot be the same as the old password. no localdb passwdqc oldpasswd This command is used to disable the password checking policy requiring that the new LocalDB account password cannot be the same as the old password. localdb passwdqc minunique [unique_char] This command is used to enable the password checking policy requiring that a minimum number of unique characters included in the LocalDB account password. By default, this policy is disabled. After this command is configured, to update the password of the existing LocalDB account or create a new account, the new password must include a specified number (by the parameter “unique_char”) of unique characters. unique_char Optional. This parameter specifies the minimum number of unique characters. Its value must be a number between 1 and 32. The default value is 5. no localdb passwdqc minunique This command is used to disable the password checking policy requiring that a minimum number of unique characters included in the LocalDB account password. 2000-2018 Array Networks, Inc. All Rights Reserved. 70Chapter 4 AAA localdb passwdqc all This command is used to enable all the above password checking policies. no localdb passwdqc all This command is used to disable all the above password checking policies. show localdb passwdqc This command is used to display all the configured password checking policies. clear localdb passwdqc This command is used to clear all password checking policies. localdb passwdexpire age [account_name] [duration] [mode] This command is used to set the password expiration age for a specified LocalDB account. account_name Optional. This parameter specifies the name of an existing LocalDB account. The default value is empty, indicating the password expiration age is set for all LocalDB accounts. duration Optional. This parameter specifies the expiration age (counted from the last password change) of the LocalDB account password in seconds. Its value must be an integer ranging from 1 to 2,147,483,647. The default value is 99,999,999. mode Optional. This parameter specifies the time to execute this command. The parameter value must be empty or “repeat”. If this parameter is empty, the LocalDB user will be asked to change the password once and only when the password expiration age has elapsed since the user changes the password last time. When this parameter is set to “repeat”, the LocalDB user will be asked to change the password every time the password expiration age has elapsed after changing the password. The default value is empty. no localdb passwdexpire age This command is used to delete the password expiration age configuration for a specified LocalDB account. show localdb passwdexpire age [account_name] [mode] This command is used to display the password expiration age configuration for a specified LocalDB account. If the “account_name” parameter is not specified, the password expiration age configuration for all LocalDB accounts will be displayed. clear localdb passwdexpire age 2000-2018 Array Networks, Inc. All Rights Reserved. 71Chapter 4 AAA This command is used to delete the password expiration age configuration for all LocalDB accounts. localdb passwdexpire nextlogin [account_name] This command is used to enable forcible password expiration upon next login for the specified LocalDB account. The LocalDB user will be asked to change the password on next login. By default, this function is disabled. account_name Optional. This parameter specifies the name of an existing LocalDB account. The default value is empty, indicating the forcible password expiration upon next login for all LocalDB accounts will be enabled. no localdb passwdexpire nextlogin This command is used to disable forcible password expiration upon next login for the specified LocalDB account. show localdb passwdexpire nextlogin [account_name] This command is used to display the configuration of forcible password expiration upon next login for the specified LocalDB account. If the “account_name” parameter is not specified, the password configuration of expiration upon next login for all LocalDB accounts will be displayed. clear localdb passwdexpire nextlogin This command is used to delete the configuration of password expiration upon next login for all LocalDB accounts.  LocalDB Lockout localdb lockout auto idletime [idle_time] [duration] This command is used to enable auto idle lockout for all LocalDB accounts. LocalDB accounts will be locked out when the idle time is up. By default, this function is disabled. idle_time Optional. This parameter specifies the idle time after which the LocalDB account will be locked out, in seconds. Its value must be integer ranging from 1 to 4,294,967,295. The default value is 99,999,999. duration Optional. This parameter specifies the duration of the lockout, in seconds. Its value must be an integer ranging from 0 to 4,294,967,295. If its value is set to “0”, then the LocalDB account will remain locked out until being manually unlocked by using the command “localdb lockout unlock [account_name]”. The default value is 0. 2000-2018 Array Networks, Inc. All Rights Reserved. 72Chapter 4 AAA no localdb lockout auto idletime This command is used to disable the auto idle lockout for all LocalDB accounts. show localdb lockout auto idletime This command is used to display the configuration of the auto idle lockout for all LocalDB accounts. localdb lockout auto loginfailure [failure_times] [duration] This command is used to enable auto login failure lockout for all LocalDB accounts. LocalDB accounts will be locked out after reaching the number of login failures specified by the parameter “failure_times”. By default, this function is disabled. failure_times Optional. This parameter specifies the number of login failures after which the LocalDB account is locked out. Its value must be an integer ranging from 1 to 65,535. The default value is 10. duration Optional. This parameter specifies the duration of the lockout in seconds. Its value must be an integer ranging from 0 to 4,294,967,295. The default value is 0, indicating that the LocalDB account will remain locked out until being manually unlocked by using the command “localdb lockout unlock [account_name]”. no localdb lockout auto loginfailure This command is used to disable auto login failure lockout for all LocalDB accounts. show localdb lockout auto loginfailure This command is used to display the configuration of auto login failure lockout for all LocalDB accounts. localdb lockout manual [account_name] [duration] This command is used to manually lock out a specified LocalDB account for a specific duration. After this command is configured, the specified LocalDB account will be locked out for a specific duration. account_name Optional. This parameter specifies the name of the account to be locked out. The default value is empty, indicating all LocalDB accounts will be locked out by default. duration Optional. This parameter specifies the duration in seconds for which the account will be locked out. Its value must be an integer ranging from 0 to 4,294,967,295. If its value is set to “0”, the LocalDB account will be locked out until being manually unlocked by using the command “localdb lockout unlock [account_name]”. 2000-2018 Array Networks, Inc. All Rights Reserved. 73Chapter 4 AAA The default value is 0. show localdb lockout manual [account_name] This command is used to display the lockout duration of a specified LocalDB account. If the “account_name” parameter is not specified, the lockout duration of all LocalDB accounts will be displayed. localdb lockout list [type] [username] [start] [count] This command is used to display the currently locked LocalDB accounts. type Optional. This parameter specifies the lockout type of the locked LocalDB accounts to be displayed. Its value must only be:  “loginfailure”: indicates that the LocalDB accounts locked out due to login failures will be displayed.  “idletime”: indicates that the LocalDB accounts locked out due to idle timeout will be displayed.  “manual”: indicates that the LocalDB accounts locked out manually by the administrator will be displayed.  “all”: indicates that the LocalDB accounts of all the preceding three types will be displayed. The default value is all. username Optional. This parameter specifies a string to match the LocalDB account. Its value must be a string of 1 to 64 characters. All locked LocalDB accounts whose names including the string will be displayed. If this parameter is not specified, locked accounts will not be filtered by username. start Optional. This parameter specifies the start of locked LocalDB accounts to be displayed. Its value must be between 1 and 4,294,967,295. The default value is 1. count Optional. This parameter specifies the number of locked LocalDB accounts to be displayed. Its value must be an integer ranging from 0 to 4,294,967,295. The default value is 0, indicating all locked LocalDB accounts matching the other parameter settings will be displayed. localdb lockout unlock [account_name] This command is used to unlock a previously locked LocalDB account. 2000-2018 Array Networks, Inc. All Rights Reserved. 74Chapter 4 AAA account_name Optional. This parameter specifies the name of the LocalDB account to be unlocked. The default value is empty, indicating all locked LocalDB accounts will be unlocked. show statistics localdb lockout [account_name] This command is used to display the lockout statistics of a specified LocalDB account. account_name Optional. This parameter specifies a string to match the account. All LocalDB accounts including the string will be matched. If the parameter “account_name” is not specified, the lockout statistics for all LocalDB accounts will be displayed.  LocalDB Backup and Restoration localdb backup This command is used to back up the virtual site’s LocalDB. A maximum of 20 LocalDB backup files can be configured in the system. If 20 LocalDB backup files already exist, to create new LocalDB backup files, the old ones must be deleted. backup_name This parameter specifies the name of the LocalDB backup. Its value must be a string of 1 to 32 characters. Note: For the MotionPro-type virtual site, this command will back up all the data in the LocalDB including the MDM data but excluding the MDM CLI configurations. no localdb backup This command is used to delete the specified LocalDB backup file. show localdb backup This command is used to display the LocalDB backup files. clear localdb backup This command is used to delete all LocalDB backup files. localdb autobackup [time] [dayofweek] This command is used to configure the LocalDB auto-backup settings. If this command is not configured, the default setting “localdb autobackup 3 0:00 0” will be used, which means to automatically back up the LocalDB daily at 0:00 and at most three auto-backup files can be kept. If three auto-backup files already exist, new auto-backup files will overwrite the old ones. count This parameter specifies the number of auto-backup files to be kept in the system. Its value must be an integer ranging from 0 to 5. If the parameter is set to “0”, auto-backup will be turned off. When 2000-2018 Array Networks, Inc. All Rights Reserved. 75Chapter 4 AAA the count is exceeded, the oldest backup file would be overwritten. time Optional. This parameter specifies the time for the auto-backup in “HH:MM” (24-hour) format, for example, 6:23, 05:05, 23:59. The default value is 0:00. dayofweek Optional. This parameter specifies the day of the week for the auto-backup. Its value must be an integer ranging from 0 to 7. The default value is 0, indicating the LocalDB database will be backed up on a daily basis. If the parameter is set to “1” to “7”, the LocalDB database will be backed up once a week, respectively from Monday to Sunday. show localdb autobackup This command is used to display the settings of the existing LocalDB auto-backup. localdb restore This command is used to restore LocalDB from the specified LocalDB backup. backup_name This parameter specifies the name of the LocalDB backup database. Its value must be a string of 1 to 32 characters.  LocalDB Export and Import localdb export {account|group|member} This command is used to export accounts, groups or member relations from the LocalDB database into a configuration file on the system. file_name This parameter specifies the name of the file on the system. Its value must be a string of 1 to 32 characters. account|group|member This parameter specifies the type of information to be exported. Its value must only be “account”, “group” or “member”.  account: indicates that the account information, such as the username, password, creation time and so on, will be exported.  group: indicates that the group information, such as the group name, expiration time, creation time and so on, will be exported.  member: indicates that only the account and group name will be exported. 2000-2018 Array Networks, Inc. All Rights Reserved. 76Chapter 4 AAA Note: The files exported from LocalDB directly are in the UTF-8 encoding format. To read or edit the exported file, make sure that your file viewer or editor supports UTF-8 encoding. no localdb export {account|group|member} This command is used to delete the configuration file exported from the LocalDB database. show localdb export {account|group|member} This command is used to display the configuration of accounts, groups or member relations exported from the LocalDB database. clear localdb export {account|group|member} This command is used to delete all configurations of accounts, groups or member relations exported from the LocalDB database. localdb netexport scp {account|group|member} This command is used to export a file containing accounts, groups or member relations to an SCP server. account|group|member This parameter specifies the type of information to be exported. Its value must only be “account”, “group” or “member”.  account: indicates that the account information, such as the username, password, creation time and so on, will be exported.  group: indicates that the group information, such as the group name, the expiration time, creation time and so on, will be exported.  member: indicates that only the account and group name will be exported. server_name This parameter specifies the name of the server to which data will be exported. Its value must be a string of 1 to 128 characters. user_name This parameter specifies the name of the remote user on the SCP server. Its value must be a string of 1 to 64 characters. file_path This parameter specifies the path, which must include the file name, to export the file on the SCP server. Its value must be a string of 1 to 256 characters. 2000-2018 Array Networks, Inc. All Rights Reserved. 77Chapter 4 AAA Note: The files exported via SCP are in the UTF-8 encoding format. To read or edit the exported file, make sure that your file viewer or editor supports UTF-8 encoding. localdb netexport tftp {account|group|member} This command is used to export a file containing accounts, groups or member relations to a TFTP server. account|group|member This parameter specifies the type of information to be exported. Its value must only be “account”, “group” or “member”.  account: indicates that the account information, such as the username, password, creation time and so on, will be exported.  group: indicates that the group information, such as the group name, the expiration time, creation time and so on, will be exported.  member: indicates that only the account and group name will be exported. ip This parameter specifies the IP address of the TFTP server. file_name This parameter specifies the name of the file to export data on the TFTP server. Its value must be a string of 1 to 256 characters. Note: The files exported via TFTP are in the UTF-8 encoding format. To read or edit the exported file, make sure that your file viewer or editor supports UTF-8 encoding. localdb import {account|group|member} [overwrite|ignore] This command is used to import a file containing accounts, groups or member relations into LocalDB from the system. file_name This parameter specifies the name of the file to be imported into LocalDB. Its value must be a string of 1 to 127 characters. account|group|member This parameter specifies the type of information to be imported. Its value must only be “account”, “group” or “member”.  account: indicates that the account information, such as the username, password, creation time and so on, will be imported.  group: indicates that the group information, such as the group name, expiration time, creation time and so on, will be imported.  member: indicates that only the account and group name will 2000-2018 Array Networks, Inc. All Rights Reserved. 78Chapter 4 AAA be imported. overwrite|ignore Optional. This parameter specifies how to handle the conflicted duplicate data. Its value must only be:  overwrite: The duplicate data will be merged with the existing data.  ignore: The duplicate data will not be imported. If this parameter is not specified, the administrator must execute this command based on the CLI prompt. Note: The files imported to LocalDB directly must be in the UTF-8 encoding format. Otherwise, the importing might fail. localdb netimport http {account|group|member} {overwrite|ignore} This command is used to import a file containing accounts, groups or member relations from an HTTP resource. account|group|member This parameter specifies the type of information to be imported. Its value must only be “account”, “group” or “member”.  account: indicates that the account information, such as the username, password, creation time and so on, will be exported.  group: indicates that the group information, such as the group name, expiration time, creation time and so on, will be exported.  member: indicates that only the account and group name will be exported. url This parameter specifies the URL of the HTTP resource. Its value must be a string of 1 to 64 characters. overwrite|ignore This parameter specifies how to handle the conflicted duplicate data. Its value must be “overwrite” and “ignore”.  overwrite: The duplicate data will be merged with the existing data.  ignore: The duplicate data will not be imported. Note: The files imported via SCP must be in the UTF-8 encoding format. Otherwise, the importing might fail. 2000-2018 Array Networks, Inc. All Rights Reserved. 79Chapter 4 AAA localdb netimport scp {account|group|member} {overwrite|ignore} This command is used to import a file containing accounts, groups or member relations from an SCP server. account|group|member This parameter specifies the type of information to be imported. Its value must only be “account”, “group” or “member”.  account: indicates that the account information, such as the username, password, creation time and so on, will be imported.  group: indicates that the group information, such as the group name, expiration time, creation time and so on, will be imported.  member: indicates that only the account and group name will be imported. server_name This parameter specifies the name of the server from which data will be imported. Its value must be a string of 1 to 127 characters. user_name This parameter specifies the name of the remote user on the SCP server. Its value must be a string of 1 to 64 characters. file_path This parameter specifies the path, which must include the file name, to import the file from the SCP server. Its value must be a string of 1 to 256 characters. overwrite|ignore This parameter specifies how to handle the conflicted duplicate data. Its value must be “overwrite” and “ignore”.  overwrite: The duplicate data will be merged with the existing data.  ignore: The duplicate data will not be imported. Note: The files imported via SCP must be in the UTF-8 encoding format. Otherwise, the importing might fail. localdb netimport tftp {account|group|member} {overwrite|ignore} This command is used to import a file containing accounts, groups or member relations from a TFTP server. account|group|member This parameter specifies the type of information to be imported. Its 2000-2018 Array Networks, Inc. All Rights Reserved. 80Chapter 4 AAA value must only be “account”, “group” or “member”.  account: indicates that the account information, such as the username, password, creation time and so on, will be imported.  group: indicates that the group information, such as the group name, expiration time, creation time and so on, will be imported.  member: indicates that only the account and group name will be imported. ip This parameter specifies the IP address of the TFTP server. file_name This parameter specifies the name of the file to import data from on the TFTP server. Its value must be a string of 1 to 256 characters. overwrite|ignore This parameter specifies how to handle conflict, e.g., duplicate data. Its value must be “overwrite” and “ignore”.  overwrite: The duplicate data will be merged with the existing data.  ignore: The duplicate data will not be imported. Note: The files imported via TFTP must be in the UTF-8 encoding format. Otherwise, the importing might fail.  LocalDB IP localdb ip account This command is used to set a fixed IP address for the specified LocalDB account. After the fixed IP address is set for the specified LocalDB account:  For users accessing the backend resources through the L3VPN tunnel, the system will assign the fixed IP address to the LocalDB account while ignoring the IP address assignment by the Netpool authorized to the LocaDB account.  For users accessing the backend resources through the Site2Site VPN tunnel, the system will assign the fixed IP address (tunnel IP) to the LocalDB account. account_name This parameter specifies the name of the LocalDB account. ip_address This parameter specifies the IP address assigned to the LocalDB account. Its value must be given in dotted decimal notation. netmask This parameter specifies the netmask of subnet to which the IP 2000-2018 Array Networks, Inc. All Rights Reserved. 81Chapter 4 AAA address belongs. Its value must be given in dotted decimal notation. no localdb ip account This command is used to delete the fixed IP address set for the specified LocalDB account. show localdb ip account This command is used to display the fixed IP address set for the specified LocalDB account.  LocalDB SSO localdb sso account [sso_domain] This command is used to configure an application login credential for the specified LocalDB account in the LocalDB server. account_name This parameter specifies the LocalDB account name. Its value must be a string of 1 to 64 characters. sso_account This parameter specifies the account name of the application login credential used for Application SSO. Its value must be a string of 1 to 64 characters. sso_passwd This parameter specifies the password of the application login credential used for Application SSO. Its value must be a string of 1 to 64 characters. Only 0-9, a-z, A-Z and printable ASCII characters are allowed. sso_domain Optional. This parameter specifies the domain or workgroup used for Application SSO. Its value must be a string of 1 to 256 characters. By default, this parameter is not specified. Note:  The portal login username must be the same as the LocalDB account username associated with the application login credential.  If the Application SSO function is enabled for DesktopDirect applications, the administrator needs to associate the DesktopDirect resources with the application login name used for Application SSO instead of the binding LocalDB account using the command “art desktop assign user” or “art application associate user”. no localdb sso account This command is used to delete the application login credential configured for the specified LocalDB account. 2000-2018 Array Networks, Inc. All Rights Reserved. 82Chapter 4 AAA show localdb sso account This command is used to display the application login credential configured for the specified LocalDB account.  LocalDB Status show localdb config This global command is used to display all LocalDB configurations for a particular virtual site. show localdb config This command is used to display all LocalDB configurations of the virtual site.  LocalDB Statistics show statistics aaa This command is used to display the AAA statistics of the virtual site. show statistics aaa [virtual_site] This global command is used to display the AAA statistics of the specified virtual site. If the parameter “virtual_site” is not specified, the AAA statistics of all virtual sites will be displayed. clear statistics aaa This command is used to delete the AAA statistics of the virtual site. clear statistics aaa [virtual_site] This global command is used to delete the AAA statistics of the specified virtual site. If the parameter “virtual_site” is not specified, the AAA statistics of all virtual sites will be deleted. LDAP aaa server ldap host [index] [tls_flag] This command is used to configure an LDAP host for the specified LDAP server. A maximum of three LDAP hosts can be configured for one LDAP server. ldap_server_name This parameter specifies the name of an existing LDAP server. Its value must be a string of 1 to 32 characters. ip This parameter specifies the IP address of the LDAP host. Its value must be an IPv4 address. port This parameter specifies the port of the LDAP host. Its value must be an integer ranging from 1 to 65,535. 2000-2018 Array Networks, Inc. All Rights Reserved. 83Chapter 4 AAA username This parameter specifies the username of the LDAP server administrator. Its value must be a string of 1 to 127 characters. password This parameter specifies the password of the LDAP server administrator. base_dn This parameter specifies the Distinguished Name (DN) of the LDAP entry at which to start the search for users. Its value must be a string of 1 to 900 characters. timeout This parameter specifies the timeout value of the search in seconds. Its value must be an integer ranging from 1 to 65,535. index Optional. This parameter specifies the host index. Its value must be 1, 2 or 3. The default value is 1. tls_flag Optional. This parameter specifies whether to access the LDAP server over the TLS protocol. Its value must be:  “tls”: indicates that the LDAP server is accessed over the TLS protocol.  empty: indicates the LDAP server is not accessed over the TLS protocol. The default value is empty. no aaa server ldap host This command is used to delete an LDAP host of the specified LDAP server. show aaa server ldap host This command is used to display the LDAP server host(s) configured for the specified LDAP server. aaa server ldap idletime [idle_time] This command is used to set the idle timeout value for the specified LDAP server. The connection to the LDAP server will be terminated when the connection is idle for the specified timeout value. ldap_server_name This parameter specifies the name of an existing LDAP server. idle_time Optional. This parameter specifies the idle timeout value in seconds. Its value must be an integer ranging from 60 to 3000. The default value is 600. 2000-2018 Array Networks, Inc. All Rights Reserved. 84Chapter 4 AAA no aaa server ldap idletime This command is used to delete the idle timeout setting of the specified LDAP server. show aaa server ldap idletime This command is used to display the idle timeout value configured for the specified LDAP server. aaa server ldap searchfilter This command is used to configure a search filter for the specified LDAP server. The search filter plays an important role in authenticating and authorizing users through LDAP. For the functions of the search filter in static and dynamic binding, please refer to the commands “aaa server ldap bind dynamic” and “aaa server ldap bind static”. ldap_server_name This parameter specifies the name of an existing LDAP server. filter_string This parameter specifies a filter string used to search for the LDAP entries. Its value must be a string of 1 to 80 characters enclosed by double quotes. The filter string consists of:  attribute: Common Name (cn), Distinguished Name (dn), User Id (uid), Organization Unit (ou) and so on.  comparison operator: “>”, “<” or “=”.  logical operator: “& (and),” “| (or)”, “! (not)”, “= (equal to)”, or “* (any)”. Please refer to the RFC for details of the LDAP filter string. The filter string can contain at most three tokens represented by “ ”, which is case-insensitive. For example, if the “filter_string” parameter is set to “cn= ”, the system will generate a search filter by replacing “ ” with an end user’s real username upon receiving authentication or authorization requests. Note: If this command is not configured for the specified LDAP server, AAA uses “uid= ” as the default search filter string. For example: Search an entry with cn being the real username: vs(config)aaa server ldap searchfilter ldap1 "cn= " Search an entry without cn being the real username: 2000-2018 Array Networks, Inc. All Rights Reserved. 85Chapter 4 AAA vs(config)aaa server ldap searchfilter ldap1 "(!(cn= ))" Search an entry with objectClass being Person and with sn being the real username or cn being a value containing the real username: vs(config)aaa server ldap searchfilter ldap1 "(&(objectClass=Person)(|(sn= )(cn= *)))" no aaa server ldap searchfilter This command is used to delete the search filter configured for the specified LDAP server. show aaa server ldap searchfilter This command is used to display the search filter configured for the specified LDAP server. aaa server ldap attribute group This command is used to specify the attribute used to obtain the external LDAP group of the user from the LDAP entry for the specified LDAP server. ldap_server_name This parameter specifies the name of an existing LDAP server. attribute This parameter specifies the name of the attribute used to obtain the external LDAP group of the user from the LDAP entry. Its value must be a string of 1 to 80 characters. no aaa server ldap attribute group This command is used to delete the configuration of the attribute used to obtain the external LDAP group from the LDAP entry for the specified LDAP server. show aaa server ldap attribute group This command is used to display the configuration of the attribute used to obtain the external LDAP group from the LDAP entry for the specified LDAP server. aaa server ldap attribute phonenumber This command is used to specify the attribute used to obtain the mobile phone number of the user from the LDAP entry for the specified LDAP server. ldap_server_name This parameter specifies the name of an existing LDAP server. attribute This parameter specifies the name of the attribute used to obtain the mobile phone number of the user from the LDAP entry. Its value must be a string of 1 to 80 characters. no aaa server ldap attribute phonenumber 2000-2018 Array Networks, Inc. All Rights Reserved. 86Chapter 4 AAA This command is used to delete the configuration of the attribute used to obtain the mobile phone number of the user from the LDAP entry for the specified LDAP server. show aaa server ldap attribute phonenumber This command is used to display the configuration of the attribute used to obtain the mobile phone number of the user from the LDAP entry for the specified LDAP server. aaa server ldap attribute defaultgroup This command is used to configure the default group assigned to authenticated users for whom no LDAP group is obtained for the specified LDAP server. ldap_server_name This parameter specifies an existing name of the LDAP server. group This parameter specifies the default group name for the user for whom no LDAP group is obtained. Its value must be a string of 1 to 80 characters. no aaa server ldap attribute defaultgroup This command is used to delete the configuration of the default group assigned to authenticated users for whom no LDAP group is obtained for the specified LDAP server. show aaa server ldap attribute defaultgroup This command is used to display the configuration of the default LDAP group assigned to authenticated users for whom no LDAP group is obtained for the specified LDAP server. aaa server ldap bind dynamic This command is used to enable the “dynamic” LDAP bind mode for the specified LDAP server. In this case, AAA will fetch the DN from the LDAP server first. After the “dynamic” LDAP bind mode is enabled, AAA sends a bind request containing the end user’s username and password to the LDAP server and then a search request containing the search filter string configured by the command “aaa server ldap searchfilter” to obtain the LDAP entry of the end user. Then AAA sends the DN obtained from the LDAP entry together with the password of the end user in another bind request to the LDAP server. After the end user passes the authentication, AAA reuses the obtained LDAP entry to authorize the end user. ldap_server_name This parameter specifies the name of an existing LDAP server. no aaa server ldap bind dynamic This command is used to disable the “dynamic” LDAP bind mode for the specified LDAP server. aaa server ldap bind static This command is used to enable the “static” LDAP bind mode for the specified LDAP server. In this case, the system will construct the user’s DN by concatenating the strings 2000-2018 Array Networks, Inc. All Rights Reserved. 87Chapter 4 AAA “ ”. is the username used to log into the virtual site. “ ” and “ ”must be the same for all users using the same virtual site. After the “static” LDAP bind mode is enabled, AAA sends the DN ( ) together with the password of the end user in a bind request to the LDAP server. After the end user passes the authentication, AAA sends a search request containing the search filter string configured by the command “aaa server ldap searchfilter” to obtain the LDAP entry of this end user. Then, it authorizes the end user based on the obtained LDAP entry. ldap_server_name This parameter specifies the name of an existing LDAP server. dn_prefix This parameter specifies the DN prefix extracted from the LDAP server. Its value must be a string of 1 to 80 characters. dn_suffix This parameter specifies the DN suffix extracted from the LDAP server. Its value must be a string of 1 to 80 characters. For example: vs(config)aaa server ldap bind static "AD" "cn=" ",ou=array,dc=spxad,dc=cn" no aaa server ldap bind static This command is used to disable the “static” LDAP bind mode for the specified LDAP server. show aaa server ldap bind This command is used to display the configuration of the LDAP bind mode for the specified LDAP server. Note: The “static” and “dynamic” LDAP bind function cannot be enabled at the same time. aaa server ldap pwdexpirewarning This command is used to configure password expiry warning, that is, configure whether and when to display a password expiry warning message on the welcome page for the specified LDAP server. After this command is configured, if the remaining valid time of the LDAP user’s password is equal to or less than the value of the “password_expiry_warning” parameter at user login, a password expiry warning message will be displayed on the welcome page. If this command is not configured, no password expiry warning message will be displayed on the welcome page. ldap_server_name This parameter specifies the name of the existing LDAP server. 2000-2018 Array Networks, Inc. All Rights Reserved. 88Chapter 4 AAA password_expiry_warning This parameter specifies the time in seconds that a warning message will be displayed on the welcome page preceding to the user’s LDAP password expiry. Its value must be an integer ranging from 1 to 1,209,600. Note: Before using the LDAP password change function, please make sure that:  On related LDAP servers, the lifetime of LDAP passwords has been configured.  For the OpenLDAP server, the external default policy has been configured.  For the Windows Active Directory (AD) server, its system time must be the same as the system time of the AG appliance.  On the AG appliance, the related Windows AD servers have been configured to use port 636 and to be accessed using the TLS protocol. no aaa server ldap pwdexpirewarning This command is used to delete the configuration of the password expiry warning for the specified LDAP server. show aaa server ldap pwdexpirewarning This command is used to display the configuration of the password expiry warning for the specified LDAP server. aaa server ldap pwdpolicy This command is used to set the policy DN for the specified LDAP server when the LDAP server is an OpenLDAP server. Before configuring password expiry warning for the OpenLDAP server, you must execute this command to set the policy DN first. Otherwise, the password expiry warning configuration will not be accepted by the OpenLDAP server. ldap_server_name This parameter specifies the name of an existing LDAP server. Its value must be a string of 1 to 32 characters. password_policy_DN This parameter specifies the policy DN. Its value must be a string of 1 to 32 characters and must be the same as the default policy DN set on the OpenLDAP server. For example: vs(config)$ aaa server ldap pwdpolicy AD "cn=pwspolicy" no aaa server ldap pwdpolicy 2000-2018 Array Networks, Inc. All Rights Reserved. 89Chapter 4 AAA This command is used to delete the configuration of the policy DN for the specified LDAP server. show aaa server ldap pwdpolicy This command is used to display the configuration of the policy DN for the specified LDAP server. aaa group in dn This command is used to enable the function of extracting the DN as the user’s group. The administrator can use the command to “aaa group regex” to define which part of the DN will be extracted as the user’s group. By default, this function is disabled. no aaa group in dn This command is used to disable the function of extracting the DN as the user’s group. aaa group regex This command is used to define which part of the DN to be extracted as the user’s group. expression This parameter specifies a regular expression that indicates the part of the DN to be extracted as the user’s group. Its value must be a string of 1 to 64 characters. The “()” meta-character is supported. At most five “()” meta-characters can be configured. For example, vs(config)$ aaa group regex "OU=([^,]*), OU=([^,]*)" If the DN is “OU=Information Department, OU=Users, OU=1025, DC=staff, DC=org”, the “Information Department” and “Users” will be extracted respectively as two groups of the user.  LDAP Autosearch aaa server ldap autosearch profile This command is used to define an LDAP auto-search profile. A maximum of five LDAP auto-search profiles can be configured for a virtual site. profile_name This parameter specifies the name of the LDAP auto-search profile. Its value must be a string of 1 to 32 characters. no aaa server ldap autosearch profile This command is used to delete the specified LDAP auto-search profile. show aaa server ldap autosearch profile This command is used to display all LDAP auto-search profiles. aaa server ldap autosearch host 2000-2018 Array Networks, Inc. All Rights Reserved. 90Chapter 4 AAA This command is used to configure an LDAP host for the specified LDAP auto-search profile. The LDAP host must be configured before the profile is enabled using the command “aaa server ldap autosearch on ”. profile_name This parameter specifies the name of an existing LDAP auto-search profile. ip This parameter specifies the IP address of the LDAP host. Its value must be an IPv4 address. port This parameter specifies the port of the LDAP host. Its value must be an integer ranging from 1 to 65,535. username This parameter specifies the username of the LDAP server administrator. password This parameter specifies the password of the LDAP server administrator. base_dn This parameter specifies the DN of the LDAP entry at which to start the search for users. Its value must be a string of 1 to 900 characters. timeout This parameter specifies the maximum timeout in seconds. Its value must be an integer ranging from 1 to 65,535. tls_flag Optional. This parameter specifies whether to access the LDAP server over the TLS protocol. Its value must be:  “tls”: indicates that the LDAP server is accessed over the TLS protocol.  empty: indicates the LDAP server is not accessed over the TLS protocol. The default value is empty. no aaa server ldap autosearch host This command is used to delete the LDAP host configured for the specified LDAP auto-search profile. show aaa server ldap autosearch host This command is used to display the LDAP host configured for the specified LDAP auto-search profile. 2000-2018 Array Networks, Inc. All Rights Reserved. 91Chapter 4 AAA aaa server ldap autosearch filter This command is used to configure the search filter for the specified LDAP auto-search profile. The search filter must be configured before the profile is enabled using the command “aaa server ldap autosearch on ”. This command is also used to modify the existing configuration of the search filter for the specified LDAP auto-search profile. profile_name This parameter specifies the name of the LDAP auto-search profile. filter_string This parameter specifies a filter string used to filter the LDAP entries. Its value must be a string of 1 to 128 characters, which must be enclosed by double quotes. Please refer to the command “aaa server ldap searchfilter” for details of the parameter explanation. no aaa server ldap autosearch filter This command is used to delete the search filter configured for the specified LDAP auto-search profile. show aaa server ldap autosearch filter This command is used to display the search filter configured for the specified LDAP auto-search profile. aaa server ldap autosearch attribute This command is used to configure the LDAP attribute to be searched for the specified LDAP auto-search profile. The LDAP attribute must be configured before the profile is enabled using the command “aaa server ldap autosearch on ”. This command is also used to modify the existing configuration of the LDAP attribute to be searched for the specified LDAP auto-search profile. profile_name This parameter specifies the name of an existing LDAP auto-search profile. search_attribute This parameter specifies the name of the LDAP attribute to be searched. Its value must be a string of 1 to 32 characters. no aaa server ldap autosearch attribute This command is used to delete the configuration of the LDAP attribute to be searched for the specified LDAP auto-search profile. show aaa server ldap autosearch attribute 2000-2018 Array Networks, Inc. All Rights Reserved. 92Chapter 4 AAA This command is used to display the configuration of the LDAP attribute to be searched for the specified LDAP auto-search profile. aaa server ldap autosearch time daily This command is used to configure a daily auto-search frequency for the specified LDAP auto-search profile. By default, auto-search is performed on 0:00 daily for the LDAP auto-search profile. This command is also used to modify the existing configuration of the daily auto-search frequency for the specified LDAP auto-search profile. profile_name This parameter specifies the name of an existing LDAP auto-search profile. hour This parameter specifies the hour when the daily auto-search is carried out. Its value must be an integer ranging from 0 to 23, indicating the hour ranging from 0:00 to 23:00. aaa server ldap autosearch time weekly This command is used to configure a weekly auto-search frequency for the specified LDAP auto-search profile. This command is also used to modify the existing configuration of the weekly auto-search frequency for the specified LDAP auto-search profile. profile_name This parameter specifies the name of an existing LDAP auto-search profile. hour This parameter specifies the hour when the weekly auto-search is carried out. Its value must be an integer ranging from 0 to 23, indicating the hour ranging from 0:00 to 23:00. day This parameter specifies the day when the weekly auto-search is carried out. Its value must be “Monday”, “Tuesday”, “Wednesday”, “Thursday”, “Friday”, “Sataurday” and “Sunday”, which is case-insensitive. aaa server ldap autosearch time monthly This command is used to configure a monthly auto-search frequency for the specified LDAP auto-search profile. This command is also used to modify the existing configuration of the monthly auto-search frequency for the specified LDAP auto-search profile. 2000-2018 Array Networks, Inc. All Rights Reserved. 93Chapter 4 AAA profile_name This parameter specifies the name of an existing LDAP auto-search profile. hour This parameter specifies the hour when the monthly auto-search is carried out. Its value must be an integer ranging from 0 to 23, indicating the hour ranging from 0:00 to 23:00. date This parameter specifies the date when the monthly auto-search is carried out. Its value must be an integer ranging from 1 to 31. If a month does not have the specified date, such as 31 in June, the search will not be carried out in this month. no aaa server ldap autosearch time This command is used to delete the setting of the auto-search frequency for the specified LDAP auto-search profile. show aaa server ldap autosearch time This command is used to display the setting of auto-search frequency for the specified LDAP auto-search profile. aaa server ldap autosearch email This command is used to configure the email address for the specified LDAP auto-search profile. When the search result is different from the last search result, an email will be sent to the configured email addresses to notify the administrators of the LDAP entry changes. A maximum of five “aaa server ldap autosearch email” configurations are supported for every profile. This command configuration is optional for every profile. profile_name This parameter specifies the name of the LDAP auto-search profile. email_address This parameter specifies the email address. Its value must be a string of 1 to 128 characters enclosed by double quotes. no aaa server ldap autosearch email This command is used to delete the configuration of an email address for the specified LDAP auto-search profile. show aaa server ldap autosearch email This command is used to display all the email addresses configured for the specified LDAP auto-search profile. aaa server ldap autosearch subject 2000-2018 Array Networks, Inc. All Rights Reserved. 94Chapter 4 AAA This command is used to configure the email subject for the specified LDAP auto-search profile. The subject will be used for sending emails to all the email addresses of this profile. This command configuration is optional for every profile. profile_name This parameter specifies the name of the LDAP auto-search profile. email_subject This parameter specifies the email subject. Its value must be a string of 1 to 256 characters enclosed by double quotes. no aaa server ldap autosearch subject This command is used to delete the configuration of the email subject for the specified LDAP auto-search profile. show aaa server ldap autosearch subject This command is used to display the email subject configured for the specified LDAP auto-search profile. aaa server ldap autosearch {on|off} This command is used to enable or disable the specified LDAP auto-search profile. Before enabling the LDAP auto-search profile, make sure that related LDAP auto-search configurations have been made. profile_name This parameter specifies the name of an existing LDAP auto-search profile. show aaa server ldap autosearch status This command is used to display the status of the specified LDAP auto-search profile. aaa server ldap autosearch update This command is used to carry out a search immediately based on the specified LDAP auto-search profile. profile_name This parameter specifies the name of an exisiting LDAP auto-search profile. aaa server ldap autosearch result This command is used to display the search results and result changes of the specified LDAP auto-search profile. profile_name This parameter specifies the name of an existing LDAP auto-search profile. aaa server ldap autosearch acknowledge 2000-2018 Array Networks, Inc. All Rights Reserved. 95Chapter 4 AAA This command is used to acknowledge the search result changes of the specified LDAP auto-search profile. profile_name This parameter specifies the name of an existing LDAP auto-search profile. RADIUS aaa server radius host [index] [accounting_port] This command is used to configure a RADIUS host for a specified RADIUS server. A maximum of three RADIUS hosts can be configured for one RADIUS server. radius_server_name This parameter specifies the name of an existing RADIUS server. Its value must be a string of 1 to 32 characters. ip This parameter specifies the IP address of the RADIUS host. Its value must be an IPv4 address. authentication_port This parameter specifies the port number used for RADIUS authentication. Its value must be an integer ranging from 1 to 65,535. secret This parameter specifies the shared secret text string used by the AG appliance and the RADIUS server to encrypt passwords and exchange responses. retries This parameter specifies the retry times to connect the RADIUS server. Its value must be an integer ranging from 1 to 65,535. timeout This parameter specifies the timeout value of the search in seconds. Its value must be an integer ranging from 1 to 65,535. index Optional. This parameter specifies the host index. Its value must be 1, 2 or 3. The default value is 1. accounting_port Optional. This parameter specifies the port number used for RADIUS accounting. Its value must be an integer ranging from 1 to 65535. The default value is 1813. no aaa server radius host This command is used to delete a RADIUS host configured for the specified RADIUS server. 2000-2018 Array Networks, Inc. All Rights Reserved. 96Chapter 4 AAA show aaa server radius host This command is used to display the RADIUS host(s) configured for the specified RADIUS server. aaa server radius attribute group This command is used to specify an attribute used to obtain the external RADIUS group of the user from the RADIUS entry for the specified RADIUS server. Please note that individual attributes may vary depending on the individual network requirements. radius_server_name This parameter specifies the name of an existing RADIUS server. attribute This parameter specifies the ID of the attribute used to obtain the external RADIUS group of the user from the RADIUS entry. Its value must be an integer ranging from 1 to 63. For details of each attribute, please refer to the following list. Please note that the attributes may vary depending on the individual network requirements. 1 User-Name 2 User-Password 3 CHAP-Password 4 NAS-IP-Address 5 NAS-Port 6 Service-Type 7 Framed-Protocol 8 Framed-IP-Address 9 Framed-IP-Netmask 10 Framed-Routing 11 Filter-Id 12 Framed-MTU 13 Framed-Compression 14 Login-IP-Host 15 Login-Service 16 Login-TCP-Port 17 (unassigned) 2000-2018 Array Networks, Inc. All Rights Reserved. 97Chapter 4 AAA 18 Reply-Message 19 Callback-Number 20 Callback-Id 21 (unassigned) 22 Framed-Route 23 Framed-IPX-Network 24 State 25 Class 26 Vendor Specific 27 Session Timeout 28 Idle-Timeout 29 Termination-Action 30 Called-Station-Id 31 Calling-Station-Id 32 NAS-Identifier 33 Proxy-State 34 Login-LAT-Service 35 Login-LAT-Node 36 Login-LAT-Group 37 Framed-AppleTalk-Link 38 Framed-AppleTalk-Network 39 Framed-AppleTalk-Zone 40-59 (rev. for accounting) 60 CHAP-Challenge 61 NAS-Port-Type 62 Port-Limit 63 Login-LAT-Port Note: To modify the existing attribute, please delete the existing configuration using the command “no aaa server radius attribute group” first. 2000-2018 Array Networks, Inc. All Rights Reserved. 98Chapter 4 AAA no aaa server radius attribute group This command is used to delete the configuration of the attribute used to obtain the external RADIUS group of the user from the RADIUS entry for the specified RADIUS server. show aaa server radius attribute group This command is used to display the configuration of the attribute used to obtain the external RADIUS group of the user from the RADIUS entry for the specified RADIUS server. aaa server radius attribute clientip This command is used to specify the attribute used to obtain the VPN client IP and netmask of the user from the RADIUS entry for the specified RADIUS server. radius_server_name This parameter specifies the name of an existing RADIUS server. attribute_ip This parameter specifies the ID of the attribute used to obtain the VPN client IP of the user from the RADIUS entry for the specified RADIUS server. attribute_netmask This parameter specifies the ID of the attribute used to obtain the VPN netmask of the user from the RADIUS entry for the specified RADIUS server. no aaa server radius attribute clientip This command is used to delete the configuration of the attributes used to obtain the VPN client IP and netmask of the user from the RADIUS entry for the specified RADIUS server. show aaa server radius attribute clientip This command is used to display the configuration of the attributes used to obtain the VPN client IP and netmask of the user from the RADIUS entry for the specified RADIUS server. aaa server radius attribute phonenumber This command is used to specify the attribute used to obtain the mobile phone numbers of the user from the RADIUS entry for the specified RADIUS server. radius_server_name This parameter specifies the name of an existing RADIUS server. attribute This parameter specifies the mobile phone numbers of users extracted from the RADIUS server. Its value must be a string of 1 to 80 characters. no aaa server radius attribute phonenumber 2000-2018 Array Networks, Inc. All Rights Reserved. 99Chapter 4 AAA This command is used to delete the attribute used to obtain the mobile phone number of the user from the RADIUS entry for the specified RADIUS server. show aaa server radius attribute phonenumber This command is used to display the attribute used to obtain the mobile phone number of the user from the RADIUS entry for the specified RADIUS server. aaa server radius defaultgroup This command is used to configure the default group assigned to authenticated users for whom no RADIUS group is obtained for the specified RADIUS server. radius_server_name This parameter specifies the name of an existing RADIUS server. group This parameter specifies the default RADIUS group name. Its value must be a string of 1 to 80 characters. no aaa server radius defaultgroup This command is used to delete the default group assigned to authenticated users for whom no RADIUS group is obtained for the specified RADIUS server. show aaa server radius defaultgroup This command is used to display the default group assigned to authenticated users for whom no RADIUS group is obtained for the specified RADIUS server. aaa server radius nasip This command is used to set the “NAS-IP-Address” (IP address of NAS, Network Access Server) attribute in the RADIUS requests for the specified RADIUS server. If this command is not configured, the system will select an available port IP address as the NAS IP address in the sequence of “port1, port2, port3…”. radius_server_name This parameter specifies the name of an existing RADIUS server. nasip This parameter specifies the NAS IP address for the RADIUS server. Its value must be an IPv4 address. Note: The “NAS-IP-Address” attribute must be specified if only the bond or VLAN interface is configured with the IP address but no system interface is configured with the IP address on the AG appliance. no aaa server radius nasip This command is used to delete the setting of the “NAS-IP-Address” attribute for the specified RADIUS server. show aaa server radius nasip 2000-2018 Array Networks, Inc. All Rights Reserved. 100Chapter 4 AAA This command is used to display the setting of the “NAS-IP-Address” attribute for the specified RADIUS server. Certificate aaa server certificate authenticate type This command is used to set the Certificate server used for authentication and the authentication type of the Certificate server. cert_server_name This parameter specifies the name of an existing Certificate server used for authentication. authentication_type This parameter specifies the authentication type of the Certificate server. Its value must be:  anonymous: indicates the system will only authenticate the user’s SSL client certificate.  challenge: indicates the system will authenticate the user’s SSL client certificate and validate that the username and password of the user’s account exists on the LDAP or LocalDB server assisting the Certificate server in authentication.  nochallenge: indicates the system will authenticate the user’s SSL client certificate and validate that the username of the user’s account exists on the LDAP or LocalDB server assisting the Certificate server in authentication. Note: For the authentication types “challenge” and “nochallenge”, the administrator needs to set the type of the AAA server assisting this Certificate server in authentication using the “aaa server certificate authenticate server” command and configure other related settings. For the authentication types “challenge”, after passing the certificate authentication, the user will be directed to the challenge page, requiring the user to enter the (username and) password. For details, please refer to the command “aaa server certificate authenticate userid”. no aaa server certificate authenticate type This command is used to delete the configuration of the Certificate server used for authentication. show aaa server certificate authenticate type This command is used to display the configuration of the Certificate server used for authentication. 2000-2018 Array Networks, Inc. All Rights Reserved. 101Chapter 4 AAA aaa server certificate anonymous This command is used to set the certificate field used to obtain the username of the user account from the certificate for the specified Certificate server used for authentication of the “anonymous” type. If this command is not configured, the default username of the user account is “cert user”. The value of the specified certificate field will be used as the account name of the user and will be displayed on the portal welcome page when the user passes the certificate authentication. cert_server_name This parameter specifies the name of an existing Certificate server. cert_field This parameter specifies the certificate field used to obtain the username of the user account from the certificate. Its value must be a string of 1 to 256 characters and must be:  Standard certificate field names  All standard OIDs in the standard certificate fields (in the format of x.x.x.x and must be enclosed by double quotes)  Standard extension OIDs in the extension field (in the format of x.x.x.x and must be enclosed by double quotes)  Combination of the DN name and OID (in the format of DN.OID)  Standard extension field names in the extension field (only ext.subjectAltName and ext.issuerAltName). For detailed description for the values of the “cert_field” parameter, please refer to the command “aaa server certificate externalgroup”. The following table describes the values of the “cert_field” parameter in detail. Value Description The “cert_field” parameter supports the following standard certificate field names:  subject and subject.cn/c/o/ou/st/l/emailaddress/pseudonym/title/sn/name/s urname/givenname/initials/dnqualifier/gq/dn/dc (certificate’s Standard certificate field subject field) names  issuer and issuer.cn/c/o/ou/st/l/emailaddress/pseudonym/title/sn/name/su rname/givenname/initials/dnqualifier/gq/dc (certificate’s issuer field)  serial (certificate’s serial number field) 2000-2018 Array Networks, Inc. All Rights Reserved. 102Chapter 4 AAA Value Description  notbefore (certificate’s not before field)  notafter (certificate’s not after field)  commonname (certificate’s common name field, same as the subject.cn)  validity (certificate’s validity field)  publickey (certificate’s public key field) All standard OIDs in the OIDs for the standard certificate field names standard certificate fields The “cert_field” parameter supports the following standard extension OIDs enclosed by double quotes:  2.5.29.35  2.5.29.14  2.5.29.15  2.5.29.32  2.5.29.33  2.5.29.17 Standard extension OIDs in  2.5.29.18 the extension field  2.5.29.9  2.5.29.19  2.5.29.30  2.5.29.36  2.5.29.37  2.5.29.31  2.5.29.54  2.5.29.46 The “cert_field” parameter supports the following combinations of the DN name and OID:  subject.oid: for example, subject.1.2.840.113549.1.9.1 Combination of the DN indicates the OID 1.2.840.113549.1.9.1 (email address) in the name and OID certificate’s subject field.  issuer.oid: for example, issuer.1.2.840.113549.1.9.1 indicates the OID 1.2.840.113549.1.9.1 (email address) in the 2000-2018 Array Networks, Inc. All Rights Reserved. 103Chapter 4 AAA Value Description certificate’s issuer field.  ext.oid: for example, ext.2.5.29.35 indicates the OID 2.5.29.35 in the certificate’s extension field.  oid.oid: for example, oid.2.5.29.17 indicates the OID 2.5.29.17 in the entire certificate’s To Be Signed (TBS) part. The “cert_field” parameter supports only the following two standard extension field names: Standard extension field names in the extension field  ext.subjectAltName  ext.issuerAltName no aaa server certificate anonymous This command is used to delete the configuration of the certificate field used to obtain the username of the user account from the certificate for the specified Certificate server used for authentication of the “anonymous” type. show aaa server certificate anonymous This command is used to display the configuration of the certificate field used to obtain the username of the user account from the certificate for the specified Certificate server used for authentication of the “anonymous” type. aaa server certificate authenticate userid This command is used to set the user ID action for the specified Certificate server whose authentication type is “challenge”. When this command is not configured, the username text box will not be displayed for the user to enter the username on the Certificate challenge page. The value of the certificate field specified by the command “aaa server certificate ldap search” or “aaa server certificate localdb search” will be used as the username. This command is also used to modify the existing configuration of the user ID action of the specified Certificate server used for authentication. cert_server_name This parameter specifies the name of an existing Certificate server whose authentication type is “challenge”. id_action This parameter specifies the user ID action for the Certificate server. Its value must be:  showid: indicates that the username text box will be displayed on the Certificate challenge page and the value of the certificate field specified by the command “aaa server certificate ldap search” or “aaa server certificate localdb search” is displayed as the username. 2000-2018 Array Networks, Inc. All Rights Reserved. 104Chapter 4 AAA  getid: indicates that the username text box will be displayed on the Certificate challenge page and the user needs to enter the username manually. no aaa server certificate authenticate userid This command is used to delete the configuration of the user ID action for the specified Certificate server whose authentication type is “challenge”. show aaa server certificate authenticate userid This command is used to display the configuration of the user ID action for the specified Certificate server whose authentication type is “challenge”. aaa server certificate authenticate server This command is used to set the type of the AAA server assisting the specified Certificate server in authentication. This command needs to be configured only when the authentication type of the Certificate server is “challenge” or “nochallenge”. cert_server_name This parameter specifies the name of an existing Certificate server used for authentication. server_type This parameter specifies the type of the AAA server assisting the Certificate server for authentication. Its value must be:  localdb: indicates that the virtual site’s LocalDB server will assist the Certificate server in authentication.  ldap: indicates that the LDAP server specified by the “aaa server certificate ldap serverid” command will assist the Certificate server in authentication. no aaa server certificate authenticate server This command is used to delete the configuration of the type of the AAA server assisting the specified Certificate server in authentication. show aaa server certificate authenticate server This command is used to display the configuration of the type of the AAA server assisting the specified Certificate server in authentication. aaa server certificate ldap serverid This command is used to set the LDAP server used to assist the specified Certificate server in authentication or authorization. 2000-2018 Array Networks, Inc. All Rights Reserved. 105Chapter 4 AAA cert_server_name This parameter specifies the name of an existing Certificate server. ldap_server_name This parameter specifies the name of an existing LDAP server. no aaa server certificate ldap serverid This command is used to delete the configuration of the LDAP server used to assist the specified Certificate server in authentication or authorization. show aaa server certificate ldap serverid This command is used to display the configuration of the LDAP server used to assist the specified Certificate server in authentication or authorization. aaa server certificate ldap search [user_id] This command is used to configure the search filter for the specified Certificate server using an LDAP server to assist in authentication or authorization. When the authentication type of the Certificate server is “nochallenge” or “challenge”, the LDAP attribute specified by the “ldap_attribute” parameter and the value of the certificate field specified by the “cert_field” parameter in the client certificate will constitute the search filter. For the authentication type “nochallenge”, if any LDAP entry on the LDAP server matches this search filter, the user passes the authentication and the value of the certificate field specified by the “cert_field” parameter in the client certificate will be displayed as the username in the portal welcome page. For the authentication type “challenge”, if any LDAP entry on the LDAP server matches this search filter and the username and password on the Certificate challenge page, the user passes the authentication and the value of the LDAP attribute specified by the “user_id” parameter in the retrieved LDAP entry will be displayed as the username in the portal welcome page. cert_server_name This parameter specifies the name of an existing Certificate server. cert_field This parameter specifies the certificate field used to obtain the username of the user account from the certificate. Its value must be a string of 1 to 256 characters. Its value must be:  Standard certificate field names  All standard OIDs in the standard certificate fields (in the format of x.x.x.x and must be enclosed by double quotes)  Standard extension OIDs in the extension field (in the format of x.x.x.x and must be enclosed by double quotes)  Combination of the DN name and OID (in the format of DN.OID) 2000-2018 Array Networks, Inc. All Rights Reserved. 106Chapter 4 AAA  Standard extension field names in the extension field (only ext.subjectAltName and ext.issuerAltName). For detailed description for the values of the “cert_field” parameter, please refer to the command “aaa server certificate externalgroup”. ldap_attribute This parameter specifies the LDAP attribute used to constitute the search filter. Its value must be a string of 1 to 80 characters. user_id Optional. This parameter specifies the LDAP attribute used to identify the user. If this parameter is not specified, the default value is the same as the value of the “ldap_attribute” parameter. no aaa server certificate ldap search This command is used to delete the search rule configured for the specified Certificate server using an LDAP server to assist in authentication or authorization. show aaa server certificate ldap search This command is used to display the search filter configured for the specified Certificate server using an LDAP server to assist in authentication or authorization. aaa server certificate localdb search This command is used to configure the search filter for the specified Certificate server using the LocalDB server to assist in authentication or authorization. For the authentication type “nochallenge”, if the username of any LocalDB account on the LocalDB server matches the value of the certificate field specified by the “cert_field” parameter in the client certificate, the user passes the authentication and the certificate field specified by the “cert_field” parameter in the client certificate will be displayed as the username in the portal welcome page. For the authentication type “challenge”, if the username and password of any LocalDB account on the LocalDB server match the username and password on the certificate challenge page, the user passes the authentication and the username used by the certificate Challenge page will be displayed as the username in the portal welcome page. cert_server_name This parameter specifies the name of an existing Certificate server used for authentication. cert_field This parameter specifies the certificate field used to obtain the username of the user account from the certificate. Its value must be a string of 1 to 32 characters and must be:  Standard certificate field names  All standard OIDs in the standard certificate fields (in the 2000-2018 Array Networks, Inc. All Rights Reserved. 107Chapter 4 AAA format of x.x.x.x and must be enclosed by double quotes)  Standard extension OIDs in the extension field (in the format of x.x.x.x and must be enclosed by double quotes)  Combination of the DN name and OID (in the format of DN.OID)  Standard extension field names in the extension field (only ext.subjectAltName and ext.issuerAltName). For detailed description for the values of the “cert_field” parameter, please refer to the command “aaa server certificate externalgroup”. no aaa server certificate localdb search This command is used to delete the search filter configured for the specified Certificate server using the LocalDB server to assist in authentication or authorization. show aaa server certificate localdb search This command is used to display the search filter configured for the specified Certificate server using the LocalDB server to assist in authentication or authorization. The following commands are used to configure authorization using the Certificate server. During the authorization using the Certificate server, the external group name of the user can be obtained from three ways:  Specified certificate field in the client certificate  LDAP server  LocalDB The three ways are mutually exclusive for one Certificate server used for authorization. aaa server certificate externalgroup This command is used to set the certificate field used to obtain the external group name for the specified Certificate server. The value of the certificate field in the client certificate will be used as the external group name of the user. cert_server_name This parameter specifies the name of an existing Certificate server. cert_field This parameter specifies the certificate field used to obtain the external group name in the client certificate. Its value must be a string of 1 to 64 characters. Its value must be:  Standard certificate field names  All standard OIDs in the standard certificate fields (in the 2000-2018 Array Networks, Inc. All Rights Reserved. 108Chapter 4 AAA format of x.x.x.x and must be enclosed by double quotes)  Standard extension OIDs in the extension field (in the format of x.x.x.x and must be enclosed by double quotes)  Combination of the DN name and OID (in the format of DN.OID)  Standard extension field names in the extension field (only ext.subjectAltName and ext.issuerAltName). no aaa server certificate externalgroup This command is used to delete the configuration of the certificate field used to obtain the external group name for the specified Certificate server. aaa server certificate externaldefault This command is used to configure the default group assigned to a user for the specified Certificate server when the system fails to obtain the external group name from the specified certificate field in the client certificate. cert_server_name This parameter specifies the name of an existing Certificate server. default_group This parameter specifies the default group name. Its value must be a string of 1 to 64 characters. no aaa server certificate externaldefault This command is used to delete the configuration of the default group assigned to a user for the specified Certificate server when the system fails to obtain the external group name from the specified certificate field in the client certificate. aaa server certificate authorize server This command is used to sets the type of the AAA server assisting the specified Certificate server in authorization. cert_server_name This parameter specifies the name of an existing Certificate server used for authorization. Its value must be a string of 1 to 32 characters. server_type This parameter specifies the type of the AAA server assisting the specified Certificate server in authorization. Its value must be:  localdb: indicates that the virtual site’s LocalDB server will assist the Certificate server in authorization.  ldap: indicates that the LDAP server specified by the “aaa server certificate ldap serverid” command will assist the 2000-2018 Array Networks, Inc. All Rights Reserved. 109Chapter 4 AAA Certificate server in authorization. Note: If the “server_type” parameter is set to “ldap” and the system fails to obtain the external group name for the user from the LDAP server, the system will use the default group setting configured for the LDAP server itself using the command “aaa server ldap attribute defaultgroup”. no aaa server certificate authorize server This command is used to delete the configuration of the type of the AAA server assisting the specified Certificate server in authorization. show aaa server certificate authorize server This command is used to display the configuration of the type of the AAA server assisting the specified Certificate server in authorization. aaa server certificate localdb defaultgroup This command is used to configure the default group assigned to users for the specified the Certificate server when the system fails to obtain the group name for the user from the LocalDB server. If this command is not configured and the system fails to obtain the group name for the user from the LocalDB server, the group name of the user will be empty rather than the default group setting for the LocalDB server itself. cert_server_name This parameter specifies the name of an existing Certificate server. default_group This parameter specifies the name of the default group in LocalDB. no aaa server certificate localdb defaultgroup This command is used to delete the configuration of the default group assigned to users for the specified the Certificate server when the system fails to obtain the group name for the user from the LocalDB server. show aaa server certificate localdb defaultgroup This command is used to display the configuration of the default group assigned to users for the specified Certificate server when the system fails to obtain the group name for the user from the LocalDB server. aaa server certificate sms type {certificate|ldap|localdb} This command is used to set how to obtain mobile phone numbers of users from the specified Certificate server. cert_server_name This parameter specifies the name of an existing Certificate server. 2000-2018 Array Networks, Inc. All Rights Reserved. 110Chapter 4 AAA certificate|ldap|localdb This parameter specifies how to obtain mobile phone numbers of users. Its value must be:  certificate: indicates that the system obtains mobile phone numbers of users from certificates stored on the Certificate server.  ldap: indicates that the system obtains mobile phones numbers of users from the LDAP server that is used by the Certificate server for authentication or authorization.  localdb: indicates that the system obtains mobile phones numbers of users from LocalDB that is used by the Certificate server for authentication or authorization. Note: If the “certificate|ldap|localdb” parameter is set to “ldap” or “localdb”, the associated LDAP server or LocalDB configured in the command “aaa server certificate authenticate server {localdb|ldap}” or “aaa server certificate authorize server {localdb|ldap}” must be actually used for certification and authorization. Otherwise, mobile phone numbers of users cannot be obtained. no aaa server certificate sms type This command is used to delete the configuration of how to obtain mobile phone numbers of users from the specified Certificate server. show aaa server certificate sms type This command is used to display the configuration of how to obtain mobile phone numbers of users from the specified Certificate server. aaa server certificate sms certificate This command is used to set the certificate field used to obtain mobile phone numbers of users on the specified Certificate server. This command needs to be configured when the “certificate|ldap|localdb” parameter is set to “certificate” in the command “aaa server certificate sms type”. cert_server_name This parameter specifies the name of an existing Certificate server. cert_field This parameter specifies the certificate field used to obtain mobile phone numbers of users. Its value must be a string of 1 to 80 characters and must be:  Standard certificate field names  All standard OIDs in the standard certificate fields (in the format of x.x.x.x and must be enclosed by double quotes) 2000-2018 Array Networks, Inc. All Rights Reserved. 111Chapter 4 AAA  Standard extension OIDs in the extension field (in the format of x.x.x.x and must be enclosed by double quotes)  Combination of the DN name and OID (in the format of DN.OID)  Standard extension field names in the extension field (only ext.subjectAltName and ext.issuerAltName). For detailed description for the values of the “cert_field” parameter, please refer to the command “aaa server certificate externalgroup”. no aaa server certificate sms certificate This command is used to delete the configuration of the certificate field used to obtain mobile phone numbers of users on the specified Certificate server. show aaa server certificate sms certificate This command is used to delete the configuration of the certificate field used to obtain mobile phone numbers of users on the specified Certificate server. aaa server certificate sms ldap This command is used to set the LDAP entry’s attribute used to obtain mobile phone numbers of users from the LDAP server used by the Certificate server for authentication or authorization. This command needs to be configured when the “certificate|ldap|localdb” parameter is set to “ldap” in the command “aaa server certificate sms type”. cert_server_name This parameter specifies the name of an existing Certificate server. attribute This parameter specifies the LDAP entry’s attribute from which the AAA obtains mobile phone numbers of users. Its value must be a string of 1 to 80 characters. no aaa server certificate sms ldap This command is used to delete the configuration of the LDAP entry’s attribute used to obtain mobile phone numbers of users from the LDAP server used by the Certificate server for authentication or authorization. show aaa server certificate sms ldap This command is used to display the configuration of the LDAP entry’s attribute used to obtain mobile phone numbers of users from the LDAP server used by the Certificate server for authentication or authorization. 2000-2018 Array Networks, Inc. All Rights Reserved. 112Chapter 4 AAA SMS aaa server sms host [user_name] [password] [service_id] [source_number] [conn_reuse|conn_close] [tls_flag] This command is used to configure a host for the specified Short Message Service (SMS) server. Only one host can be configured for each SMS server. sms_server_name This parameter specifies the name of an existing SMS server. host_ip This parameter specifies the IP address of the SMS host. Its value must be an IPv4 address. host_port This parameter specifies the port used by the host to communicate with the AAA. Its value must be an integer ranging from 0 to 65535. protocol This parameter specifies the protocol type used by the SMS server. Its value is case-insensitive and must be:  CMPP2: indicates the CMPPv2.0 protocol.  CMPP3: indicates the CMPPv3.0 protocol.  EM: indicates the EM proprietary protocol.  CUSTOM: indicates the custom protocol. If the administrator needs to use the CUSTOM protocol, the SMS authentication request template must be imported via the “aaa server sms custom import request” command and SMS authentication response filter rule must be configured via the “aaa server sms custom result” command. user_name Optional. This parameter specifies the username used to log into the host of the SMS server. Its value must be enclosed by double quotes when beginning with a non-alphabetical character. The default value is empty, indicating that authentication is not required by the SMS host. password Optional. This parameter specifies the password used to log into the host of the SMS server. Its value must be enclosed by double quotes when beginning with a non-alphabetical character. The default value is empty, indicating that authentication is not 2000-2018 Array Networks, Inc. All Rights Reserved. 113Chapter 4 AAA required by the SMS host. service_id Optional. This parameter specifies the ID of the SMS service. Its value must be a string of 1 to 10 characters. This parameter is used only when the “protocol” parameter is set to “CMPP2” or “CMPP3”. The SMS service ID can be obtained when you subscribe to SMS services from China Mobile. The default value is empty. source_number Optional. This parameter specifies the source number of SMS messages. Its value must be a string of 1 to 21 characters. This parameter is used only when the “protocol” parameter is set to “CMPP2” or “CMPP3”. The source number can be obtained when you subscribe to SMS services from China Mobile. The default value is empty. conn_reuse|conn_close Optional. This parameter specifies how to handle the connection between the AG appliance and the SMS server after the AG appliance receives SMS authentication response. Its vaule must be:  conn_reuse: indicates the connection will be reused after the AG appliance receives SMS authentication response.  conn_close: indicates the connection will be forcefully disconnected after the AG appliance receives SMS authentication response. The default value is “conn_reuse”. tls_flag Optional. This parameter specifies whether to access the SMS host over the TLS protocol. Its value must be:  “tls”: indicates that the TLS protocol is used to access the SMS host.  empty: indicates that the TLS protocol is not used to access the SMS host. The default value is empty. This parameter is used only when the “protocol” parameter is set to “CUSTOM”. no aaa server sms host This command is used to delete the host configured for the specified SMS server. 2000-2018 Array Networks, Inc. All Rights Reserved. 114Chapter 4 AAA show aaa server sms host This command is used to display the host configured for the specified SMS server. aaa server sms companyinfo

This command is used to configure the information about the company that subscribes to SMS services from Emay for the specified SMS server. The company information is required to register the SMS service account on the SMS server. sms_server_name This parameter specifies the name of an existing SMS server. company_name This parameter specifies the company name. Its value must be a string of 1 to 60 characters enclosed by double quotes when beginning with a non-alphabetical character. contactor This parameter specifies the name of the contact person of the company. Its value must be a string of 1 to 20 characters enclosed by double quotes when beginning with a non-alphabetical character. phone_number This parameter specifies the telephone number of the company. Its value must be a string of 1 to 20 characters enclosed by double quotes when beginning with a non-alphabetical character. mobile_number This parameter specifies the mobile phone number of the company. Its value must be a string of 1 to 15 characters enclosed by double quotes when beginning with a non-alphabetical character. email This parameter specifies the email of the company. Its value must be a string of 1 to 60 characters enclosed by double quotes when beginning with a non-alphabetical character. fax This parameter specifies the fax of the company. Its value must be a string of 1 to 20 characters enclosed by double quotes when beginning with a non-alphabetical character. address This parameter specifies the address of the company. Its value must be a string of 1 to 60 characters enclosed by double quotes when beginning with a non-alphabetical character. postcode This parameter specifies the postcode of the company. Its value must be a string of 1 to 6 characters enclosed by double quotes when beginning with a non-alphabetical character. 2000-2018 Array Networks, Inc. All Rights Reserved. 115Chapter 4 AAA no aaa server sms companyinfo This command is used to delete the company information setting of the specified SMS server. show aaa server sms companyinfo This command is used to display the company information on the specified SMS server. aaa server sms message [escape_flag] This command is used to modify the content of the short message sent to the mobile phone for the specified SMS server. The verification code is contained in the short message for SMS authentication. If this command is not configured, the default content of the short message sent to the mobile phone is “Verification code: ”. sms_server_name This parameter specifies the name of an existing SMS server. string This parameter specifies the content of the short message sent to the mobile phone. Its value must be a string of 1 to 60 characters enclosed by double quotes. This parameter supports regular expressions “ ” and “ ”. “ ” is mandatory in the string and stands for the verification code sent to a mobile phone; “ ” stands for the user name of a mobile phone. escape_flag Optional. This parameter specifies whether to escape the short message. This parameter needs to be specified when the short message is sent in the URL of the HTTP request. Its value must be:  0: indicates the short message will not be escaped.  1: indicates the short message will be escaped. The default value is 0. For example: vs(config)$aaa server sms message sms_server "Hi , the verification code is " 0 vs(config)$aaa server sms message sms_server "Verification code is " 0 no aaa server sms message This command is used to reset the content of the short message sent to the mobile phone to the default value “Verification code: ” for the specified SMS server. show aaa server sms message 2000-2018 Array Networks, Inc. All Rights Reserved. 116Chapter 4 AAA This command is used to display the content of the short message sent to the mobile phone for the specified SMS server. aaa server sms verificationcode This command is used to modify the length and character type of verification codes for the specified SMS server. If this command is not configured, the default length of verification codes is 8 bytes, and verification codes comprise both letters and numbers by default. sms_server_name This parameter specifies the name of an existing SMS server. length This parameter specifies the length of verification codes in bytes. Its value must be an integer ranging from 6 to 16. character_type This parameter specifies the character type of verification codes. Its value must be:  letter: indicates that verification codes comprise only letters.  num: indicates that verification codes comprise only numbers.  both: indicates that verification codes comprise both letters and numerals. no aaa server sms verificationcode This command is used to reset the length and character type of verification codes to the default configuration for the specified SMS server. show aaa server sms verificationcode This command is used to display the length and character type of verification codes for the specified SMS server. aaa server sms expiretime This command is used to modify the expiration time of verification codes for the specified SMS server. If this command is not configured, the default expiration time of verification codes is 300 seconds. sms_server_name This parameter specifies the name of an existing SMS server. time This parameter specifies the effective time of verification codes for the SMS server in seconds. Its value must be an integer ranging from 5 to 600. no aaa server sms expiretime 2000-2018 Array Networks, Inc. All Rights Reserved. 117Chapter 4 AAA This command is used to reset the expiration time of verification codes to the default value 300 seconds for the specified SMS server. show aaa server sms expiretime This command is used to display the expiration time of verification codes for the specified SMS server. aaa server sms custom import request This command is used to import the SMS authentication request template for the specified SMS server. AG constructs the SMS authentication request using the SMS authentication request template and sends the constructed SMS authentication request to the SMS server for authentication. Only one SMS authentication request template can be imported. sms_server_name This parameter specifies the name of an existing custom SMS server. url This parameter specifies the HTTP or FTP URL from which the custom SMS authentication request template is imported. Its value must be a string of 1 to 256 characters. The format of the SMS authentication request template is as follows: POST /smsend.jsp HTTP/1.1\r\n Accept: */*\r\n Accept-Encoding: NONE\r\n Host: : \r\n Connection: Keep-Alive\r\n Content-Length: Cache-Control: no-cache\r\n \r\n username= &password= &dst= &msg= &r eport=0&sendtime=0&seqid= &uname= &passwd= When preparing the SMS authentication request template, please bear the following information in the mind:  The field and will be replaced by the IP address and port of the SMS host selected by AG.  The field will be filled with the value of the transfer-length of the HTTP request body.  The fields and will be filled with the username and password used to log into the host of the SMS server. The field will be filled with the mobile phone number of the end user. 2000-2018 Array Networks, Inc. All Rights Reserved. 118Chapter 4 AAA  The field will be replaced by the message configured via the “aaa server sms message” command by AG.  The field will be filled by AG according to the request ID of the SMS authentication request.  The fields and will be filled with the username and password of the user used to log into the virtual site. Note: The SMS authentication request template must be a plain text file. show aaa server sms custom template This command is used to display the SMS authentication request template for the specified custom SMS server. sms_server_name This parameter specifies the name of an existing custom SMS server. type This parameter specifies the file type of the custom SMS authentication request template. Its value must be “request”. aaa server sms custom result This command is used to configure an SMS authentication response filter rule for the specified custom SMS server. sms_server_name This parameter specifies the name of an existing custom SMS server. regex This parameter specifies the regular expression indicating the successful SMS authentication response. Its value must be a string of 1 to 256 characters. If the SMS authentication response received by AG matches this regular expression, AG displays the SMS authentication page for the user to enter the verification code. end_flag Optional. This parameter specifies the end location of the SMS authentication response. Its value must be a string of 1 to 256 characters. If this parameter is specified:  AG will begin to parse the received SMS authentication response when the SMS authentication response received by AG contains “end_flag”. 2000-2018 Array Networks, Inc. All Rights Reserved. 119Chapter 4 AAA If this parameter is not specified or the configured “end_flag” parameter is not found in the SMS authentication response:  When the SMS authentication response received by AG contains the header “Content-Length”, AG begins to parse the received SMS authentication response after the whole body of the SMS authentication response is received. When the SMS authentication response received by AG contains the header “Transfer-Encoding: chunked”, AG begins to parse the received SMS authentication response after all data chunks of the response are received.  When the SMS authentication response received by AG does not contain the header “Content-Length”, AG begins to parse the received SMS authentication response after the first segment of the response is received. The default value is empty. Note: The SMS authentication response must include the request ID of the SMS authentication request. no aaa server sms custom result This command is used to delete the SMS authentication response matching rule for the specified custom SMS server. show aaa server sms custom settings This command is used to display the configurations of the custom SMS server. sms_server_name This parameter specifies the name of an existing SMS server. SMX aaa server smx host [host_index] This command is used to create a host for the specified SMX (SECUREMATRIX) server. A maximum of two hosts can be configured for an SMX server and they have different index values specified by the parameter “host_index”. smx_server_name This parameter specifies the name of an existing SMX server. host_name This parameter specifies the host name or IP address of the host. For the host name, its value must be a string of 1 to 128 characters; for the IP address, its value must be an IPv4 address enclosed by 2000-2018 Array Networks, Inc. All Rights Reserved. 120Chapter 4 AAA double quotes. host_port This parameter specifies the port number used by the host. Its value is an integer ranging from 0 to 65535. host_index Optional. This parameter specifies the index of the host among hosts of the SMX server. Its value must be:  1: indicates that this is a primary host.  2: indicates that this is a secondary host. The secondary host is used only when the user fails the authentication performed by the primary host or when the primary host is unavailable. The default value is 1. no aaa server smx host This command is used to delete a host from the specified SMX server. show aaa server smx host This command is used to show the host(s) created for the specified SMX server. aaa server smx certimport This command is used to import the certificate file for the specified SMX host from a remote host. smx_server_name This parameter specifies the name of an existing SMX server. host_index This parameter specifies the index of the host among hosts of the SMX server. user@remote_host This parameter specifies the remote host from which the certificate file is imported and the username for logging into the remote host. Its value must be a string of 1 to 512 characters in the format of “user@remote_host”, which must be enclosed by double quotes. password This parameter specifies the password for logging into the remote host. file_path This parameter specifies the path, which includes the certificate file name, of the certificate file on the remote host. Its value must be a string of 1 to 1024 characters. The certificate file is a .zip file 2000-2018 Array Networks, Inc. All Rights Reserved. 121Chapter 4 AAA containing the private key, cert file and CA file. HTTP aaa server http host [host_port] [tls_flag] [timeout] [retries] [index] [max_connections] This command is used to configure an HTTP host for the specified HTTP AAA server. A maximum of three HTTP hosts can be configured for one HTTP AAA server. http_server_name This parameter specifies the name of an existing HTTP AAA server. host_name This parameter specifies the host name or IP address of the HTTP host. For the host name, its value must be a string of 1 to 128 characters; for the IP address, its value must be an IPv4 address enclosed by double quotes. host_port Optional. This parameter specifies the port of the HTTP host (The HTTP host of the HTTP AAA server can be an HTTP or HTTPS server used for authentication/authorization). Its value must be an integer ranging from 0 to 65,535. The default value is 0, indicating the default port. For the HTTP server, “0” indicates the port 80; for the HTTPS server, “0” indicates the port 443. tls_flag Optional. This parameter specifies whether to access the HTTP host over the TLS protocol. Its value must be:  “tls”: indicates that the HTTPS server is used.  empty: indicates that the HTTP server is used. The default value is empty. timeout Optional. This parameter specifies the maximum time that AG waits for the HTTP response, in seconds. If not receiving the HTTP response in the specified time, AG will resend the HTTP authentication request. Its value must be an integer ranging from 0 to 65,535. “0” indicates no timeout. The default value is 5. retries Optional. This parameter specifies the retry times send the HTTP authentication request to the HTTP host. Its value must be 1, 2 or 3. The default value is 1. 2000-2018 Array Networks, Inc. All Rights Reserved. 122Chapter 4 AAA index Optional. This parameter specifies the host index. Its value must be 1, 2 or 3. The default value is 1. max_connections Optional. This parameter specifies the maximum number of concurrent connections allowed by the HTTP AAA host. Its value must be an integer ranging from 0 to 65,535. The default value is 0, indicating no limitation on the maximum number of concurrent connections. no aaa server http host This command is used to delete an HTTP host of the specified HTTP AAA server. show aaa server http host This command is used to display the HTTP hosts configured for the specified HTTP AAA server. aaa server http login template This command is used to import an HTTP authentication login template for the specified HTTP AAA server. When receiving an HTTP authentication login request from the client, AG constructs the HTTP authentication login request using the HTTP authentication login template by replacing the dynamic data in the template with user information of the user to be authenticated and sends the constructed HTTP request to the HTTP AAA server for authentication. Only one HTTP authentication request template can be configured for one HTTP AAA server. http_server_name This parameter specifies the name of an existing HTTP AAA server. request_url This parameter specifies the HTTP or FTP URL of the HTTP authentication login template to be imported. Its value must be a string of 1 to 256 characters. The format of the HTTP authentication login template is as follows: POST /iaccess/services HTTP/1.1 Accept-Encoding: NONE Host: Content-Length: SOAPAction: "http://IaccessMessageFlow/login" User-Agent: Axis2 2000-2018 Array Networks, Inc. All Rights Reserved. 123Chapter 4 AAA P 9.0.0.0 G When preparing the HTTP authentication login template, please bear the following information in the mind:  The fields , and will be filled with user information of the user to be authenticated.  The field will be replaced by the IP address of the HTTP host selected by AG.  The field will be filled by AG according the actual length of the content.  The fields and will be filled with the customized user variables configured using the “portal custom variant name” command. Note:  The HTTP authentication login template must be plain text file only.  For HTTP authentication request with customized user information, the portal theme login page should be used.  no aaa server http login template This command is used to delete the HTTP authentication login template imported for the specified HTTP AAA server. show aaa server http login template This command is used to display the HTTP authentication login template imported for the specified HTTP AAA server. http_server_name This parameter specifies the name of an existing HTTP AAA server. seperate Optional. This parameter specifies whether to display the dynamic data in the HTTP authentication login template separately. Its value must be: 2000-2018 Array Networks, Inc. All Rights Reserved. 124Chapter 4 AAA  0: indicates the dynamic data will not be displayed separately.  1: indicates the dynamic data will be displayed separately. The default value is 0. aaa server http login challengemessage This command is used to set the HTTP authentication login challenge message for the specified HTTP AAA server. This command should be configured when the backend server needs more user information to perform the authentication. A maximum of five HTTP authentication login challenge messages can be configured. http_server_name This parameter specifies the name of an existing HTTP AAA server. login_response_id This parameter specifies the ID of the HTTP authentication login response. Its value must be an integer ranging from 1 to 5. login_response_filter This parameter specifies the filter condition for the HTTP authentication login response. Its value must be a string of 1 to 255 characters. The value can contain the variables and related rules defined by the commands “aaa server http variant response name” and “aaa server http variant response profile”. message This parameter specifies the challenge message included in the HTTP authentication login response. Its value must be a string of 1 to 255 characters. The value can contain the variables defined by the “aaa server http variant response name” command. For example: When the HTTP authentication login response contains an “an_ret” variable whose vaule is 2, a challenge is required and the challenge message will be “please enter the login PIN number.” vs(config) aaa server http login challengemessage "http_server" "1" " =2" "please enter the login PIN number" no aaa server http login challengemessage This command is used to delete a specified HTTP authentication login challenge message for the specified HTTP AAA server. show aaa server http login configure This command is used to display the configuration of HTTP authentication login challenge messages for the specified HTTP AAA server. 2000-2018 Array Networks, Inc. All Rights Reserved. 125Chapter 4 AAA aaa server http challenge template This command is used to import an HTTP authentication challenge template for the specified HTTP AAA server. When receiving an HTTP authentication challenge request from the client, AG constructs the HTTP authentication challenge request using the HTTP authentication challenge template and sends the constructed HTTP authentication challenge request to the HTTP AAA server. A maximum of five HTTP authentication challenge templates can be configured for one HTTP AAA server. This command should be used together with the “aaa server http challenge require” command. The HTTP challenge template is similar to the HTTP authentication login template. For details, please refer to the “aaa server http login template” command. http_server_name This parameter specifies the name of an existing HTTP AAA server. challenge_id This parameter specifies the ID of the HTTP authentication challenge template. Its value must be an integer ranging from 1 to 5. request_url This parameter specifies the HTTP or FTP URL of the HTTP challenge template to be imported. Its value must be a string of 1 to 256 characters. no aaa server http challenge template This command is used to delete the specified HTTP authentication challenge template for the specified HTTP AAA server. show aaa server http challenge template [seperate] This command is used to display the specified HTTP authentication challenge template for the specified HTTP AAA server. http_server_name This parameter specifies the name of an existing HTTP AAA server. challenge_id This parameter specifies the ID of the HTTP authentication challenge template. seperate Optional. This parameter specifies whether to display the dynamic data in the HTTP authentication login template separately. Its value must be:  0: indicates the dynamic data will not be displayed separately.  1: indicates the dynamic data will be displayed separately. 2000-2018 Array Networks, Inc. All Rights Reserved. 126Chapter 4 AAA The default value is 0. aaa server http challenge require [challenge_condition] This command is used to set a challenge condition based upon which to select the HTTP authentication challenge template for the specified HTTP AAA server. Please define a customized user variable using the “portal custom variant name” command first before configuring this command. http_server_name This parameter specifies the name of an existing HTTP AAA server. challenge_id This parameter specifies the ID of the HTTP authentication challenge template. challenge_condition This parameter specifies the challenge condition based on which to select the HTTP authentication challenge template. Its value must be a string of 1 to 255 characters in the format of “ =yy”, such as “ =chal1”. For example: vs(config) aaa server http challenge require "http_server" "1" " =chal1" no aaa server http challenge require This command is used to delete a specified challenge condition based upon which to select the HTTP authentication challenge template for the specified HTTP AAA server. aaa server http challenge challengemessage This command is used to set the HTTP authentication challenge message for the specified HTTP AAA server. This command should be configured if a further challenge is required after the HTTP authentication login challenge. A maximum of five HTTP authentication challenge messages can be configured. http_server_name This parameter specifies the name of an existing HTTP AAA server. challenge_id This parameter specifies the ID of the HTTP authentication challenge template. login_response_id This parameter specifies the ID of the HTTP authentication login response. 2000-2018 Array Networks, Inc. All Rights Reserved. 127Chapter 4 AAA challenge_response_filter This parameter specifies the filter condition for the HTTP authentication challenge message. Its value must be a string of 1 to 255 characters. The value can contain the variables and related rules defined by the commands “aaa server http variant response name” and “aaa server http variant response profile”. message This parameter specifies the message included in the HTTP authentication challenge response. Its value must be a string of 1 to 255 characters. The value can contain the variables defined by the “aaa server http variant response name” command. For example: When the challenge response contains an “an_random” variable whose vaule is 1, a further challenge is required and the challenge message will be “Please use the UTF-8 encoding format if multi-byte characters are used.” vs(config) aaa server http challenge challengemessage http_server" "1" "1" " =1" "Please use the UTF-8 encoding format if multi-byte characters are used." no aaa server http challenge challengemessage This command is used to delete the specified HTTP authentication challenge message for the specified HTTP AAA server. show aaa server http challenge configure This command is used to display the configurations of HTTP challenge authentication for the specified HTTP AAA server. aaa server http variant response name [var_filter] This command is used to configure the customized user variable included in the HTTP authentication login response and set a single-variable parsing rule for the specified HTTP AAA server. The configured customized user variable can be used for the constitution of the HTTP authentication login challenge message. http_server_name This parameter specifies the name of an existing HTTP AAA server. var_name This parameter specifies the name of the customized user variable in the HTTP authentication login response. Its value must be a string of 1 to 32 characters in the format of , such as . 2000-2018 Array Networks, Inc. All Rights Reserved. 128Chapter 4 AAA var_filter Optional. This parameter specifies the filter used to parse this variable included in the HTTP authentication login response. Its value must be a string of 1 to 256 characters. The default value is empty. For example: vs(config) aaa server http variant response name " http_server" " " "var_AN_need_challenge= ;" no aaa server http variant response name This command is used to delete a specified customized user variable included in the HTTP authentication login response and the associated single-variable resolution rule for the specified HTTP AAA server. aaa server http variant response profile This command is used to set a multi-variable parsing rule for the specified HTTP AAA server. This command should be used together with the command “aaa server http variant response name”. The configured multi-variable parsing rule can be used for the constitution of an HTTP authentication login challenge message. http_server_name This parameter specifies the name of an existing HTTP AAA server. var_filter This parameter specifies the filter condition used to parse the single user variable included in the HTTP authentication login response. Its value must be a string of 1 to 256 characters. priority Optional. This parameter specifies the priority of the rule. Its value must be an integer ranging from 1 to 100. The lower the value, the higher the priority. The default value is 50. For example: vs(config) aaa server http variant response name "http_server" " " vs(config) aaa server http variant response name "http_server" " " vs(config) aaa server http variant response name "http_server" " " vs(config) aaa server http variant response profile "http_server" "var _AN_var= :: :: ;" no aaa server http variant response profile 2000-2018 Array Networks, Inc. All Rights Reserved. 129Chapter 4 AAA This command is used to delete a specified multi-variable parsing rule for the specified HTTP AAA server. show aaa server http variant response This command is used to display the configurations of customized user variables included in the HTTP authentication login response and the associated variable parsing rules for the specified HTTP AAA server. aaa server http result [user_name] [group_name] [phone] [picture_url] [uid] [end_flag] [error_message] This command is used to configure an HTTP response filter rule for the specified HTTP AAA server. Only one HTTP response filter rule can be configured for one HTTP AAA server. This parameter specifies the name of an existing HTTP AAA server. http_server_name regex This parameter specifies the regular expression indicating the successful HTTP authentication response. If the HTTP (authentication) response received by AG matches this regular expression, the end user passes the HTTP authentication. Its value must be a string of 1 to 256 characters. Note: It is recommended to simplify the parameter value to increase the matching efficiency. user_name Optional. This parameter specifies the way to obtain the username from the HTTP (authorization) response. If the username is successfully obtained from the HTTP response, AG will display the obtained username on the welcome portal page. Its value must be a string of 1 to 256 characters in the format of “xxx xxx”. Besides, the parameter supports the following escape characters:  \r\n: indicates the line break.  \q: indicates the quotes.  \\: indicates the backslash. The default value is empty, indicating not obtaining the username from the HTTP response. group_name Optional. This parameter specifies the way to obtain the group name of the end user from the HTTP (authorization) response. The 2000-2018 Array Networks, Inc. All Rights Reserved. 130Chapter 4 AAA obtained group name may be further used for the user authorization. Its value must be a string of 1 to 256 characters in the format of “xxx xxx”. Besides, the parameter supports the following escape characters:  \r\n: indicates the line break.  \q: indicates the quotes.  \\: indicates the backslash. The default value is empty, indicating not obtaining the group name from the HTTP response. phone Optional. This parameter specifies the way to obtain the phone number of the end user from the HTTP (authorization) response. The obtained phone number is used for SMS authentication when both HTTP authentication and SMS authentication are required. Its value must be a string of 1 to 256 characters in the format of “xxx xxx”. Besides, the parameter supports the following escape characters:  \r\n: indicates the line break.  \q: indicates the quotes.  \\: indicates the backslash. The default value is empty, indicating not obtaining the phone number from the HTTP response. picture_url Optional. This parameter specifies the way to obtain the avatar picture URL of the end user from the HTTP (authorization) response. This parameter needs to be specified when the HTTP-type AAA server is used for OAuth authentication. uid Optional. This parameter specifies the way to obtain the UID of the end user from the HTTP (authorization) response. Its value must be in the format of “uid= ”. This parameter needs to be specified when the HTTP-type AAA server is used for OAuth authentication. 2000-2018 Array Networks, Inc. All Rights Reserved. 131Chapter 4 AAA end_flag Optional. This parameter specifies the end location of the HTTP response to be filtered. Its value must be a string of 1 to 256 characters. If the “end_flag” parameter is configured:  When the HTTP response received by AG contains the “end_flag”, AG starts the HTTP response filter process. If the “end_flag” parameter is not configured or the configured “end_flag” parameter is not found in the HTTP response:  When the HTTP response received by AG contains the header “Content-Length”, AG starts the HTTP response filter process after the whole HTTP body of the HTTP response is received. When the HTTP response received by AG contains the header “Transfer-Encoding: chunked”, AG starts HTTP response filter process after all data chunks of the HTTP response are received.  When the HTTP response received by AG does not contain the header “Content-Length”, AG starts the HTTP response filter process after the first segment of the HTTP response is received. The default value is empty. error_message Optional. This parameter specifies the error message to display if the user fails to pass HTTP authentication. The default error message is empty. For example: vs(config)$aaa server http result "http" "welcome" "username \r\n" "groupname \r\n" "phonenumber \r\n" "" "" "abc" "error= ;" vs(config)$aaa server http result "oauth_server" "access_token" "username= ;" "" "" "pic_url= ;" "uid= ;" "" "error= ;" no aaa server http result This command is used to delete the HTTP response filter rule configured for the specified HTTP AAA server. show aaa server http result This command is used to display the HTTP response filter rule configured for the specified HTTP AAA server. 2000-2018 Array Networks, Inc. All Rights Reserved. 132Chapter 4 AAA aaa server http defaultgroup This command is used to configure the default group assigned to authenticated users for whom no HTTP group is obtained for the specified HTTP AAA server. http_server_name This parameter specifies the name of an existing HTTP AAA server. default_group This parameter specifies the name of the default HTTP group. Its value must be a string of 1 to 64 characters. no aaa server http defaultgroup This command is used to delete the configuration of the default group assigned to authenticated users for whom no HTTP group is obtained for the specified HTTP AAA server. show aaa server http defaultgroup This command is used to display the configuration of the default group assigned to authenticated users for whom no HTTP group is obtained for the specified HTTP AAA server. SAML Security Assertion Markup Language (SAML) is an XML-based open standard for describing and exchanging security information between on-line business partners. AG supports authentication and authorization using the SAML protocol. In the SAML architecture, AG works as a Service Provider (SP), providing resources for users and depending on the assertion of the Identity Provider (IdP) for user authentication and authorization. The section covers the commands for configuring the SAML function. aaa saml {enable|disable} This command is used to enable or disable the SAML function. By default, this function is disabled. When the SAML function is enabled, the virtual site will use only SAML for authentication and authorization, and ignore the other authentication and authorization configuration of the AAA function, such as LocalDB and LDAP. When the SAML function is disabled, the virtual site will use the authentication and authorization configuration of the AAA function. aaa saml idp name This command is used to configure an IdP. A maximum of three IdPs can be configured for one virtual site. idp_name This parameter specifies the name of an IdP. Its value must be a string of 1 to 64 characters. no aaa saml idp name 2000-2018 Array Networks, Inc. All Rights Reserved. 133Chapter 4 AAA This command is used to delete a specified IdP. aaa saml sp idp This command is used to enable the specified IdP for the SAML SP (AG). Before enabling an IdP, you need to import the metadata of the IdP using the “aaa saml idp metadata” command and specify the attributes used to obtain the user identity information from the SAML Assertion response returned by the IdP using the “aaa saml idp attributes” command. If no IdP is enabled, all available IdPs will be displayed for the user to select for authentication. idp_name This parameter specifies the name of the existing IdP specified by the “aaa saml idp name” command. no aaa saml sp idp This command is used to disable the specified IdP that has been enabled for the SAML SP. After this command is executed, all available IdPs will be displayed for the user to select for authentication. aaa saml idp metadata This command is used to import the metadata of the specified IdP to the SAML SP (AG). Please note that if the metadata of the IdP has changed, you need to import the new metadata to the SAML SP. idp_name This parameter specifies the name of the existing IdP specified by the “aaa saml idp name” command. url This parameter specifies the HTTP, HTTPS or FTP URL to obtain the metadata of the IdP. Its value must be a string of 1 to 900 characters. show aaa saml idp metadata This command is used to display the imported metadata of the specified IdP. aaa saml sp metadata This command is used to list the URLs where the metadata of the SAML SP can be downloaded. This metadata should be imported to the IdP enabled for the SAML SP. Please note that the SP metadata on the IdP should be updated if the attributes configured using the “aaa saml idp attributes” command or the binding types configured by the “aaa saml sp slo” command is changed. Note: Because multiple IP addresses and domain names can be configured for a virtual site (via the commands “virtual site ip” and “virtual site domain”), there may be multiple URLs for the metadata of the SP server. The administrator can select the 2000-2018 Array Networks, Inc. All Rights Reserved. 134Chapter 4 AAA metadata as required. aaa saml idp attributes [groupname] [external_acl] [netpool] This command is used to specify the attributes used to obtain the user identity information from a SAML Assertion response returned by the specified IdP. idp_name This parameter specifies the name of the existing IdP specified by the “aaa saml idp name” command. username This parameter specifies the attribute to obtain the username from the SAML Assertion response. The obtained username will be used for further authorization. Its value must be a string of 1 to 900 characters. Besides, the special value “subject.nameid” is also supported, indicating the NameID field in the SAML Assertion response. groupname Optional. This parameter specifies the attribute to obtain the group name from the SAML Assertion response. The obtained group name will be used for further authorization. Its value must be a string of 1 to 900 characters. The default value is empty. external_acl Optional. This parameter specifies the attribute to obtain the external ACL rule from the SAML Assertion response. The obtained external ACL rule will be used for further authorization Its value must be a string of 1 to 900 characters. The default value is empty. netpool Optional. This parameter specifies the attribute to obtain the netpool from the SAML Assertion response. The obtained netpool will be used for further authorization. Its value must be a string of 1 to 900 characters. The default value is empty. aaa saml sp acs [type] This command is used to specify the binding type of the Assertion Consumer Service (ACS) on the SP. The binding type of the ACS will be included in the SP metadata, based on which the IdP returns the SAML Assertion response to the ACS of the SP. type This parameter specifies the binding type for the ACS. Its value must be:  post: indicates the HTTP POST binding.  artifact: indicates the HTTP Artifact binding. 2000-2018 Array Networks, Inc. All Rights Reserved. 135Chapter 4 AAA The default value is “post”. For more details about SAML bindings, please refer to http://docs.oasis-open.org/security/saml/v2.0/. aaa saml sp slo [type] This command is used to specify the binding type for the Single Logout (SLO) service on the SP. The IdP uses the specified binding type when communicating with the SLO service on the SP. type This parameter specifies the binding type for the SLO service. Its value must be:  redirect: indicates the HTTP redirect binding.  post: indicates the HTTP POST binding.  both: indicates both the HTTP redirect binding and the HTTP POST binding. The default value is “both”. Note: The synchronous SOAP binding is not supported. show aaa saml config This command is used to display all the configurations of the SAML function. clear aaa saml config This command is used to reset all the configurations of the SAML function. After this command is executed, the SAML function is disabled. OAuth Authentication aaa oauth enable This command is used to enable OAuth authentication for the virtual site. When OAuth authentication is enabled for the virtual site, a program of the OAuth client is started for the virtual site in the system. To communicate with a third-party OAuth server, the OAuth client should authenticate itself to the OAuth server. Therefore, you need to register the OAuth client to obtain the Client ID and Secret and register the Redirection URL on the developer platform of the OAuth server’s service provider. For information on how to register the OAuth client and the Redirection URL, please contact the service provider of the OAuth server. By default, OAuth authentication is disabled. aaa oauth disable This command is used to disable OAuth authentication for the virtual site. 2000-2018 Array Networks, Inc. All Rights Reserved. 136Chapter 4 AAA aaa oauth id This command is used to define an OAuth server. oauth_server_id This parameter specifies the ID of a third-party OAuth server. Currently, its value must be:  google: indicates the Google OAuth server.  wechat: indicates the WeChat OAuth server. When the Google OAuth server is defined, the system automatically adds the following configurations: aaa oauth tokenurl "google" "https://accounts.google.com/o/oauth2/token" aaa oauth jwksurl "google" "https://www.googleapis.com/oauth2/v3/certs" aaa oauth authenticatorurl "google" "https://accounts.google.com/o/oauth2/auth" aaa oauth registration "google" When the WeChat OAuth server is defined, the system automatically adds the following configurations: aaa oauth tokenurl "wechat" "https://api.weixin.qq.com/sns/oauth2/access_token" aaa oauth authenticatorurl "wechat" "https://open.weixin.qq.com/connect/qrconnect" aaa oauth resourceurl "wechat" "https://api.weixin.qq.com/sns/userinfo" aaa oauth registration "wechat" aaa oauth wechat serviceauthenticatorurl "https://open.weixin.qq.com/connect/oauth2/authorize" no aaa oauth id This command is used to delete a specified OAuth server. aaa oauth authenticatorurl This command is used to set the URL of the specified OAuth server’s login page. oauth_server_id This parameter specifies an existing OAuth server. authenticator_url This parameter specifies the URL of the OAuth server’s login page. Its value must be a string of 1 to 900 characters. no aaa oauth authenticatorurl This command is used to delete the URL setting of the specified OAuth server’s login page. aaa oauth tokenurl This command is used to set the URL from which to obtain an access token from the specified OAuth server. 2000-2018 Array Networks, Inc. All Rights Reserved. 137Chapter 4 AAA oauth_server_id This parameter specifies an existing OAuth server. token_url This parameter specifies the URL where the OAuth client obtains the access token from the OAuth server. Its value must be a string of 1 to 900 characters. no aaa oauth tokenurl This command is used to delete the setting of the URL from which to obtain an access token from the specified OAuth server. aaa oauth jwksurl This command is used to set the URL from which to obtain the JSON Web Key (JWK) set of the specified OAuth server. This command needs to be configured only for the Google OAuth server currently. oauth_server_id This parameter specifies an existing OAuth server. jwks_url This parameter specifies the URL where to obtain the JWK set of the OAuth server. Its value must be a string of 1 to 900 characters. no aaa oauth jwksurl This command is used to delete the setting of the URL from which to obtain the JWK set of the specified OAuth server. aaa oauth registerid This command is used to set the registered client ID for the OAuth client to communicate with the specified OAuth server. oauth_server_id This parameter specifies an existing OAuth server. register_id This parameter specifies the registered client ID for the OAuth client. Its value must be a string of 1 to 128 characters. no aaa oauth registerid This command is used to delete the setting of the registered client ID for the OAuth client to communicate with the specified OAuth server. aaa oauth registersecret This command is used to set the registered client secret for the OAuth client to communicate with the specified OAuth server. oauth_server_id This parameter specifies an existing OAuth server. 2000-2018 Array Networks, Inc. All Rights Reserved. 138Chapter 4 AAA register_secret This parameter specifies the registered client secret for the OAuth client. Its value must be a string of 1 to 128 characters. no aaa oauth registersecret This command is used to delete the setting of the registered client secret for the OAuth client to communicate with the specified OAuth server. aaa oauth redirecturl This command is used to set the URL to which the specified OAuth server will redirect responses. oauth_server_id This parameter specifies an existing OAuth server. redirect_url This parameter specifies the URL to which the OAuth server will redirect responses. Its value must be a string of 1 to 900 characters.  For the Google OAuth server, its value must be the same as the Redirection URL (“https:// /prx/000/http/localh/oaut h_code”) registered on Google’s third-party developer platform.  For the WeChat OAuth server, its value must be its value must be in the format of “https:// /prx/000/http/localh/oaut h_wechat_code” and its virtual site domain name must have been registered on WeChat’s developer platform. no aaa oauth redirecturl This command is used to delete the setting of the URL to which the specified OAuth server will redirect responses. aaa oauth resourceurl This command is used to set the URL from which the OAuth client obtains the user information from the specified OAuth server. This command needs to be configured only for the WeChat OAuth server currently. oauth_server_id This parameter specifies an existing OAuth server. resource_url This parameter specifies the URL where the OAuth client obtains the user information from the resource server. Its value must be a string of 1 to 900 characters. Note: The Google OAuth server will return the user information in the Access Token responses and therefore this configuration is not required. 2000-2018 Array Networks, Inc. All Rights Reserved. 139Chapter 4 AAA no aaa oauth resourceurl This command is used to delete the setting of the URL from which the OAuth client obtains the user information from the specified OAuth server. aaa oauth registration This command is used to enable post-OAuth user registration for the specified OAuth server. When this function is enabled, OAuth users are required to register to the system after passing the OAuth authentication. During the user registration, users need to authenticate themselves to the authentication server in the AAA method specified by the “aaa method register” command. After the user passes the authentication, the system will bind the obtained OAuth user IDs (UIDs) with the usernames used for registration. The usernames used for registration instead of the obtained OAuth usernames will be used for further authorization and displayed on the welcome page. By default, post-OAuth user registration is enabled. oauth_server_id This parameter specifies an existing OAuth server. no aaa oauth registration This command is used to disable post-OAuth user registration for the specified OAuth server. When post-OAuth user registration is disabled, the obtained OAuth usernames (email accounts for the Google OAuth server or nicknames for the WeChat OAuth server) will be used for authorization. Therefore, the authorization server in the same AAA method as the OAuth server should have accounts with the same usernames as the obtained OAuth usernames. Otherwise, the authorization will fail. After the OAuth users pass the authorization, the OAuth usernames will be displayed. aaa oauth prefixasusername This command is used to enable the option of using an email account prefix as the OAuth username for the specified OAuth server. By default, this option is disabled. oauth_server_id This parameter specifies an existing OAuth server. Note: This option can be used when post-OAuth user registration is disabled. no aaa oauth prefixasusername This command is used to disable the option of using an email account prefix as the OAuth username for the specified OAuth server. aaa oauth authorizationfilter This command is used to configure the post-OAuth authorization filter for the specified OAuth server. The system will continue to perform authorization for an OAuth user after OAuth authentication only when the OAuth username (email account for the Google OAuth server or nickname for the WeChat OAuth server) matches the post-OAuth authorization filter. 2000-2018 Array Networks, Inc. All Rights Reserved. 140Chapter 4 AAA If the post-OAuth authorization filter is not configured, the system will continue to perform authorization for all users passing OAuth authentication. oauth_server_id This parameter specifies an existing OAuth server. authorization_filter This parameter specifies the regular expression used to filter usernames. Its value must be a string of 1 to 64 characters. no aaa oauth authorizationfilter This command is used to delete the post-OAuth authorization filter configured for the specified OAuth server. To use a WeChat service account to provide the virtual site’s resources to end users, you also need to configure the following advanced settings for successful WeChat OAuth authentication. aaa oauth wechat serviceauthenticatorurl This command is used to set the URL from which to authenticate service accounts for WeChat OAuth authentication. service_authenticator_url This parameter specifies the URL where to authenticate service accounts. Its value must be a string of 1 to 900 characters. no aaa oauth wechat serviceauthenticatorurl This command is used to delete the setting of the URL from which to authenticate service accounts for the WeChat OAuth server. aaa oauth wechat serviceregisterid This command is used to set the registered AppID of the service account for WeChat OAuth authentication. service_appid This parameter specifies the registered AppID of the service account for WeChat OAuth authentication. Its value must be a string of 1 to 128 characters. no aaa oauth wechat serviceregisterid This command is used to delete the setting of the registered AppID of the service account for WeChat OAuth authentication. aaa oauth wechat serviceregistersecret This command is used to set the registered AppSecret of the service account for WeChat OAuth authentication. service_appsecret This parameter specifies the registered AppSecret of the service account for WeChat OAuth authentication. Its value must be a 2000-2018 Array Networks, Inc. All Rights Reserved. 141Chapter 4 AAA string of 1 to 128 characters. no aaa oauth wechat serviceregistersecret This command is used to delete the setting of the registered AppSecret of the service account for WeChat OAuth authentication. show aaa oauth config This command is used to display the configurations related to OAuth authentication. clear aaa oauth config This command is used to clear the configurations related to OAuth authentication. Method aaa method name [description] This command is used to add a AAA method. AAA method specifies the AAA server(s) used for authentication and the AAA server authorization. A maximum of five AAA methods can be configured. method_name This parameter specifies the name of the AAA method. Its value must be a case-insensitive string of 1 to 32 characters enclosed by double quotes when beginning with a non-alphabetical character. description Optional. This parameter specifies the description of the method. Its value must be a string of 1 to 127 characters enclosed by double quotes when beginning with a non-alphabetical character. If this parameter is not specified, the default description will be the value of “method_name”. no aaa method name This command is used to delete the specified AAA method. show aaa method name This command is used to display all AAA methods. aaa method server [authorization_server] This command is used to configure the authentication and authorization server(s) for the specified AAA method. method_name This parameter specifies the name of the existing AAA method. 2000-2018 Array Networks, Inc. All Rights Reserved. 142Chapter 4 AAA authentication_server This parameter specifies the authentication server(s). A maximum of three authentication servers can be configured for one AAA method .These three authentication servers can be of the same type or different types. If multiple authentication servers are configured, they must be separated by comma(s) and enclosed by double quotes. authorization_server Optional. This parameter specifies the authorization server. Its value must be:  authorization server: indicates that the virtual site uses the specified AAA server as authorization server.  “none”: indicates that the virtual site skips the authorization.  empty: indicates that the only authentication server will be used as the authorization server. The default value is empty. Note:  When the “authentication_server” parameter specifies more than one authentication server, its value can only be a AAA server name or “none”. The authorization server will be the same as the authentication server.  When the “authentication_server” parameter specifies only one authentication server, the default value is empty. Note: The authorization server cannot be specified as an SMX server. no aaa method server This command is used to delete the configuration of the authentication and authorization servers for the specified AAA method. show aaa method server This command is used to display the authentication and authorization servers of the specified AAA method. Note: Different AAA server scenarios can meet specific needs. Following are examples of how to configure AAA servers:  Authentication server but no authorization server: aaa method server m1 radius none 2000-2018 Array Networks, Inc. All Rights Reserved. 143Chapter 4 AAA  Authentication server and authorization server: aaa method server m1 radius ldap  Authentication server same as authorization server: aaa method server m1 radius  Multiple authentication servers and authorization server: aaa method server m1 “radius, ldap” localdb  Multiple authentication servers but no authorization server: aaa method server m1 “radius, ldap” none aaa method otp {authentication_server|authorization_server} This command is used to configure the One-time password (OTP) server and the server from which the mobile phone numbers of users will be obtained for the specified AAA method. method_name This parameter specifies the name of the existing AAA method. otp_server_name This parameter specifies the name of an existing OTP server. The OTP server must be the SMS server configured by the command “aaa server name sms”. authentication_server|author This parameter specifies the name of an existing server from which ization_server the mobile phone numbers of users will be obtained. The server must be the one used for authentication or authorization configured by the command “aaa method server” and the server type must be LocalDB, LDAP, RADIUS or Certificate. Note: If the related authentication or authorization server is deleted by executing the command “no aaa method server”, this command configuration will also be deleted. no aaa method otp This command is used to delete the OTP server and the authentication or authorization server configured for the specified AAA method. show aaa method otp This command is used to display the OTP server and the authentication or authorization server configured for the specified AAA method. Rank aaa method rank include 2000-2018 Array Networks, Inc. All Rights Reserved. 144Chapter 4 AAA This command is used to add a AAA method to the rank list of AAA methods and set the rank number of the AAA method in the rank list. method_name This parameter specifies the name of the existing AAA method. number This parameter specifies the rank number of the AAA method in the rank list. Its value must be 1, 2, 3 or 4. The smaller the value, the higher the rank. For example, the parameter value “1” indicates that the AAA method ranks number 1 in the rank list. no aaa method rank include This command is used to delete a specified AAA method from the rank list of AAA methods. show aaa method rank This command is used to display the current AAA rank configuration. aaa method rank {on|off} This command is used to enable or disable the AAA rank function. Before the AAA rank function is enabled, please add the AAA method to the rank list of AAA methods by the “aaa method rank include” command first. By default, the AAA rank function is disabled. Note: If the administrator deletes all AAA methods from the rank list, the AAA rank function will automatically become disabled. Accounting aaa accounting {on|off} This command is used to enable or disable the RADIUS accounting function. By default, this function is disabled. aaa accounting server This command is used to configure the RADIUS server used for accounting. server_name This parameter specifies an existing RADIUS server name. no aaa accounting server This command is used to delete the RADIUS server used for accounting. aaa accounting login This command is used to enable the sending of accounting records to the RADIUS server when users login or logout. no aaa accounting login 2000-2018 Array Networks, Inc. All Rights Reserved. 145Chapter 4 AAA This command is used to disable the sending of accounting records to the RADIUS server when users login or logout. aaa accounting vpn This command is used to enable the sending of accounting records to the RADIUS server when VPN tunnels are established or terminated. no aaa accounting vpn This command is used to disable the sending of accounting records to the RADIUS server when VPN tunnels are established or terminated. aaa accounting fail allowaccess This command is used to enable the user access permission when the RADIUS accounting fails. no aaa accounting fail allowaccess This command is used to disable the user access permission when the RADIUS accounting fails. Group Mapping aaa map group This command is used to map an external group to an internal LocalDB group. The maximum number of group mappings varies with the number of LocalDB groups. ext_grp_name This parameter specifies the external group name. Its value must be a string of 1 to 64 characters. Note: This parameter value cannot contain spaces or characters like “,”, “;” and “:”. int_grp_name This parameter specifies the internal LocalDB group name. Note: This parameter value cannot contain the character “:”. no aaa map group This command is used to delete a mapping between an external group and an internal LocalDB group. show aaa map group [ext_grp_name] This command is used to display the group mappings for the specified external group. If the “ext_grp_name” parameter is not specified, all the mappings between external groups and internal LocalDB groups will be displayed. clear aaa map group 2000-2018 Array Networks, Inc. All Rights Reserved. 146Chapter 4 AAA This command is used to delete all mappings between external groups and internal LocalDB groups. Hardware ID aaa hardwareid {on|off} This command is used to enable or disable the Hardware ID authorization function. By default, the Hardware ID authorization function is disabled. aaa hardwareid initmode activex This command is used to set the initiation mode of the Hardware ID authorization component to “ActiveX”. aaa hardwareid initmode java This command is used to set the initiation mode of the Hardware ID authorization component to “Java”. aaa hardwareid initmode autoswitch This command is used to enable auto switch of the initiation mode for the Hardware ID authorization component. When the auto switch of the initiation mode is enabled, the system will switch to another initiation mode if it fails to start the Hardware ID authorization component using the first initiation mode. no aaa hardwareid initmode autoswitch This command is used to disable auto switch of the initiation mode for the Hardware ID authorization component. localdb hardwareid email This command is used to set an email address for the administrator to receive Hardware ID authorization requests from end users. email This parameter specifies the email address. Its value must be a string of 1 to 127 characters. no localdb hardwareid email This command is used to delete the configuration of the email address for the administrator to receive Hardware ID authorization requests from end users. show localdb hardwareid email This command is used to display the email address configured for the administrator to receive Hardware ID authorization requests from end users. localdb hardwareid {on|off} 2000-2018 Array Networks, Inc. All Rights Reserved. 147Chapter 4 AAA This command is used to enable or disable Hardware ID authorization for the specified LocalDB group. group_name This parameter specifies the name of an existing LocalDB group. localdb hardwareid aggregation This command is used to enable the aggregation function for the specified LocalDB group. When the aggregation function is enabled for a LocalDB group, administrators can configure the Hardware ID rule to authorize all users of this group to use the specified client device to access the virtual site. When the aggregation function is disabled for the group, administrators can configure the Hardware ID rule to authorize only a specified user in the group to use this specified client device to access the virtual site. group_name This parameter specifies the name of an existing LocalDB group. no localdb hardwareid aggregation This command is used to disable the aggregation function for the specified group. localdb hardwareid group [host_name] This command is used to configure a Hardware ID rule for the specified LocalDB group. status This parameter specifies the status of the device. Its value must be:  approve: indicates that the users in this group can use the device to access internal resources.  pending: indicates that the users in this group can use the device to access internal resources only after the administrator’s approval.  deny: indicates that the users in this group cannot use the device to access internal resources. group_name This parameter specifies the name of an existing LocalDB group. hardware_id This parameter specifies the hardware ID of the device. Its value must be a string of 1 to 511 characters. host_name Optional. This parameter specifies the host name corresponding to the hardware ID. Its value must be a string of 1 to 511 characters. The default value is “empty”. 2000-2018 Array Networks, Inc. All Rights Reserved. 148Chapter 4 AAA Note: For an external group, the administrator can map the external group to a LocalDB group using the “aaa map group” command. Then when the users in this external group access the virtual site, the Hardware ID rules for the mapping LocalDB group will work for these users. no localdb hardwareid group This command is used to delete a Hardware ID rule configured for the specified LocalDB group. localdb hardwareid policy [mac_any|mac_all|machineid] This command is used to set the Hardware ID matching policy for the specified LocalDB group. group_name This parameter specifies the name of an existing LocalDB group. mac_any|mac_all|machineid Optional. This parameter specifies the Hardware ID matching policy. Its value must be:  mac_any: indicates that a Hardware ID rule will take effect when any of the client’s MAC address matches a MAC address in the rule.  mac_all: indicates that a Hardware ID rule will take effect when all the client’s MAC addresses match the MAC addresses in the rule and the number of the client’s MAC addresses is equal to that of the MAC addresses in the rule.  machineid: indicates that a Hardware ID rule will take effect when the client’s MachineID matches the MachineID in the rule. The default value is “machineid”. show localdb hardwareid rule [type] [status] [keyword] [match_mode] [offset] [count] [orderby] This command is used to display the configured Hardware ID rules. type Optional. This parameter specifies the type of Hardware ID rules to be displayed. Its value must be:  account: indicates that Hardware ID rules configured for users will be displayed.  group: indicates that Hardware ID rules configured for groups will be displayed.  all: indicates that Hardware ID rules of both types will be 2000-2018 Array Networks, Inc. All Rights Reserved. 149Chapter 4 AAA displayed. The default value is “all”. status Optional. This parameter specifies the status of the Hardware ID rules to be displayed. Its value must be “approve”, “pending”, “deny” or “all”. The default status is “all”, indicating that Hardware ID rules of all status will be displayed. keyword Optional. This parameter specifies a string to match the hardware ID, the user account name or LocalDB group name of the Hardware ID rules. Its value must be a string of 0 to 256 characters. The default value is “empty”, indicating all matching Hardware ID rules will be displayed. match_mode Optional. This parameter specifies the matching mode of Hardware ID rules to be displayed. Its value must be:  exact: indicates that the Hardware ID rules exactly matching the keyword string will be displayed.  substring: indicates the Hardware ID rules partly matching the keyword string will be displayed. The default value is “exact”. offset Optional. This parameter specifies the start of Hardware ID rules from which to be displayed. The default value is 0, indicating all matching Hardware ID rules will be displayed. count Optional. This parameter specifies the number of Hardware ID rules to be displayed. The default value is 0, indicating all matching Hardware ID rules will be displayed. orderby Optional. This parameter specifies the order by which to display the hardware ID rules. Its value must be “name”, “type”, “status”, “hardwareid”, “hostname”, and “synced”. You can enter mulitple values separated with commas. The default value is “name”. If you want to display the hardware ID rules in reverse order, enter DESC behind the value. clear localdb hardwareid rule [type] [status] [keyword] This command is used to delete the specified Hardware ID rules. localdb hardwareid grouplimit 2000-2018 Array Networks, Inc. All Rights Reserved. 150Chapter 4 AAA This command is used to set the maximum number of Hardware ID rules with status “approve” for every LocalDB group with the aggregation function enabled. If this command is not configured, the default maximum number of Hardware ID rules for every LocalDB group with the aggregation function enabled is 16. limit This parameter specifies the maximum number of Hardware ID rules. Its value must be an integer ranging from 0 to 65,535. no localdb hardwareid grouplimit This command is used to reset the maximum number of Hardware ID rules with status “approve” for every LocalDB group with the aggregation function enabled to the default setting 16. localdb hardwareid autocollect This command is used to enable the auto collect function for the specified LocalDB group. When this function is enabled, the system automatically collects the MAC/MachineID with status set to “pending” from clients even if no matching Hardware ID rule exists. To use this function, the aggregation function must be enabled for the specified LocalDB group. group_name This parameter specifies the name of an existing LocalDB group. no localdb hardwareid autocollect This command is used to disable the auto collect function for the specified LocalDB group. localdb hardwareid autoapprove This command is used to enable the auto approve function for the specified LocalDB group. When this function is enabled, the system automatically approves the hardware ID with the status “pending” set by the auto collect function. To use this function, the aggregation and auto collect functions must be enabled for the specified LocalDB group. group_name This parameter specifies the name of an existing LocalDB group. no localdb hardwareid autoapprove This command is used to disable the auto approve function for the specified LocalDB group. localdb hardwareid account [host_name] This command is used to configure a Hardware ID rule for the specified user account. status This parameter specifies the status of the device. Its value must be:  approve: indicates that the user can use the device to access internal resources.  pending: indicates that the user can use the device to access 2000-2018 Array Networks, Inc. All Rights Reserved. 151Chapter 4 AAA internal resources only after the administrator’s approval.  deny: indicates that the user cannot use the device to access internal resources. account_name This parameter specifies the username of an existing user account. hardware_id This parameter specifies the hardware ID of the device. Its value must be a string of 1 to 511 characters. host_name Optional. This parameter specifies the host name corresponding to the hardware ID. Its value must be a string of 1 to 511 characters. The default value is “empty”. no localdb hardwareid account This command is used to delete a Hardware ID rule configured for the specified LocalDB account. localdb hardwareid userlimit This command is used to set the maximum number of Hardware ID rules with status “approve” for every user belonging to the LocalDB group with the aggregation function disabled. If this command is not configured, the default maximum number of Hardware ID rules with status “approve” for every user belonging to the LocalDB group with the aggregation function disabled is 1. limit This parameter specifies the maximum number of Hardware ID rules per user who do not belong to the aggregated group. Its value must be an integer ranging from 0 to 255. no localdb hardwareid userlimit This command is used to reset the maximum number of Hardware ID rules with status “approve” for every user belonging to the LocalDB group with the aggregation function disabled to the default setting 1. show localdb hardwareid userlimit This command is used to display the maximum number of Hardware ID rules with status “approve” for every user belonging to the LocalDB group with the aggregation function disabled. show localdb hardwareid settings [group_name] This command is used to display the settings of Hardware ID authorization for a specified LocalDB group. If the “group_name” parameter is not configured, the settings of Hardware ID authorization for all LocalDB groups will be displayed. clear localdb hardwareid config [group_name] 2000-2018 Array Networks, Inc. All Rights Reserved. 152Chapter 4 AAA This command is used to clear the configurations of Hardware ID authorization for a specified LocalDB group. If the “group_name” parameter is not configured, all configurations of Hardware ID will be cleared. localdb hardwareid devicelimit This command is used to set the maximum number of LocalDB accounts that can be bound to a device with the aggregation function disabled. If this command is not configured, the default maximum number of LocalDB accounts that can be bound to a device is 0 with the aggregation function disabled. limit This parameter specifies the maximum number of LocalDB accounts that can be bound to a device. Its value must be an integer ranging from 0 to 255. If the parameter value is set to “0”, LocalDB accouts that can be bound to a device will not be limited. no localdb hardwareid devicelimit This command is used reset the maximum number of LocalDB accounts that can be bound to a device with the aggregation function disabled to default. show localdb hardwareid devicelimit This command is used to display the maximum number of LocalDB accounts that can be bound to a device with the aggregation function disabled. localdb hardwareid sync {on|off} This command is used to enable or disable the automatic Hardware ID synchronization function. When the automatic Hardware ID synchronization is enabled, the Hardware ID rules specific to user accounts in the “Approve” status will be synchronized to the Hardware ID synchronization host (which is an external account management platform) in real time. If the status of a Hardware ID rule specific to a user account is changed from “Approve” to “Pending” or “Deny” or one Hardware ID rule specific to a user account is deleted, the corresponding Hardware ID rule specific to this user account will be deleted from the Hardware ID synchronization host too. To use this function, the Hardware ID synchronization host must be configured using the “localdb hardwareid sync host” command and the HTTP request template must be configured using the “localdb hardwareid sync req” command. localdb hardwareid sync manual [account_name] [hardware_id] This command is used to manually synchronize certain Hardware ID rules specific to user accounts in the “Approve” status to the Hardware ID synchronization host (configured using the “localdb hardwareid sync host”) command. To use this function, the Hardware ID synchronization host must be configured using the “localdb hardwareid sync host” command and the HTTP request templates must be configured using the “localdb hardwareid sync req” command. 2000-2018 Array Networks, Inc. All Rights Reserved. 153Chapter 4 AAA account_name Optional. This parameter specifies the username of an existing user account.  If this parameter is specified, the Hardware ID rules of this user will be synchronized.  If this parameter is not specified, the Hardware ID rules of all users will be synchronized. The default value is empty. hardware_id Optional. This parameter specifies the hardware ID of the device to be synchronized. Its value must be a string of 1 to 511 characters.  If this parameter is specified, the Hardware ID rules matching the Hardware ID will be synchronized.  If this parameter is not specified, the Hardware ID rules matching all Hardware IDs will be synchronized. The default value is empty. localdb hardwareid sync host [port] [key] [timeout] [retries] [tls_flag] [auth_code] [index] This command is used to configure a Hardware ID synchronization host used to receive the Hardware ID rules. This command can be also used to modify the settings of an existing Hardware ID synchronization host. A maximum of three Hardware ID synchronization hosts can be configured. sync_host This parameter specifies the host name or IP address of the Hardware ID synchronization host. For the host name, the value must be a string of 1 to 900 characters. For the IP address, the value must be an IPv4 address. Please note that the Hardware ID synchronization host should be a Web host. port Optional. This parameter specifies the port number of the Hardware ID synchronization host. Its value must be an integer ranging from 1 to 65,535. The default value is 80. key Optional. This parameter specifies the encryption key used to encrypt the Hardware ID rules to be synchronized. Its value must be a string of 1 to 18 characters. The default value is empty, indicating the data will not be encrypted. timeout Optional. This parameter specifies the timeout value of the synchronization in seconds. Its value must be an integer ranging 2000-2018 Array Networks, Inc. All Rights Reserved. 154Chapter 4 AAA from 0 to 60. If the parameter value is set to 0, the system will keep waiting for the response from the synchronization host. The default value is 5. retries Optional. This parameter specifies the retry times of the synchronization. Its value must be an integer ranging from 0 to 10. If the parameter value is set to 0, the system will keep trying to connect to the synchronization host. If the parameter value is set to 1, the synchronization operation will be performed only one time. The default value is 3. tls_flag Optional. This parameter specifies whether to access the Hardware ID synchronization host over the TLS protocol. Its value must be:  “tls”: indicates that the Hardware ID synchronization host is accessed over the TLS protocol.  empty: indicates the Hardware ID synchronization host is not accessed over the TLS protocol. The default value is empty. auth_code Optional. This parameter specifies the username and password used for accessing the Hardware ID synchronization host. Its value must be a string of 1 to 64 characters. The username and password should be separated by a colon (:). The default value is empty, indicating the no authentication is required by the Hardware ID synchronization host. index Optional. This parameter specifies the index of the Hardware ID synchronization host. Its value must be 1, 2 or 3. The default value is 1. Note: If the synchronization fails in the specified timeout and retry times, the system will try to synchronize the data again after the synchronization host is UP. no localdb hardwareid sync host This command is used to delete a Hardware ID synchronization host with a specified index. index This parameter specifies the index of the Hardware ID synchronization host to be deleted. Its value must be 1, 2 or 3. localdb hardwareid sync req [index] 2000-2018 Array Networks, Inc. All Rights Reserved. 155Chapter 4 AAA This command is used to set the HTTP request template used to synchronize Hardware ID rules for a specified Hardware ID synchronization host. type This parameter specifies the type of the Hardware ID synchronization operation. Its value must be “add” or “delete”. action This parameter specifies the HTTP method. Its value must be “get”, “post”, “put” and “delete”. url This parameter specifies the request URL. Its value must be a string of 1 to 900 characters and begin with “/”, such as “/array/addhardwareid”. index Optional. This parameter specifies the index of the Hardware ID synchronization host. Its value must be 1, 2 or 3. The default value is 1. The following table describes the mapping relationship between the parameters “type” and “action”. Type Action Get Add Post Put Get Delete Post Delete For example: vs(config)$localdb hardwareid sync req add post "/secsys/1.0/hardwareid" 1 vs(config)$localdb hardwareid sync req delete delete "/secsys/1.0/hardwareid" 2 You can also use the following example: vs(config)$localdb hardwareid sync req add post "/secsys/1.0/addhardwareid" 1 vs(config)$localdb hardwareid sync req delete post "/secsys/1.0/deletehardwareid" 2 no localdb hardwareid sync req This command is used to delete an HTTP request template of synchronizing Hardwar ID rule configured for a specified t Hardware ID synchronization host. index This parameter specifies the index of the Hardware ID synchronization host. Its value must be 1, 2 or 3. type This parameter specifies the type of the Hardware ID synchronization operation. Its value must be “add”, “delete” or 2000-2018 Array Networks, Inc. All Rights Reserved. 156Chapter 4 AAA “all”. If the parameter value is set to “all”, all the HTTP request templates for the Hardware ID synchronization host will be deleted. show localdb hardwareid sync This command is used to display the configurations of the Hardware ID synchronization. clear localdb hardwareid sync This command is used to clear the configurations of the Hardware ID synchronization. 2000-2018 Array Networks, Inc. All Rights Reserved. 157Chapter 5 User Policy Chapter 5 User Policy Role Configuration role name [description] [priority] This command is used to add a role. When the setting of “role_name” is an existing one, this command is also used to update role information. role_name This parameter specifies the name of the role. Its value must be a string of 1 to 63 characters. description Optional. This parameter specifies the description of a role. Its value must be a string of 1 to 255 characters. The default value is empty. priority Optional. This parameter specifies the priority of the role. Its value must be an integer ranging from 1 to 2000. The smaller the value, the higher the priority. Note:  When matching more than 16 roles, the user obtains only the roles with the highest 16 priorities.  When matching more than one role with available VPN Netpool resources, the user obtains only the VPN Netpool resources belonging to the role with the highest priority. The default value is 1. no role name This command is used to delete a specified role. show role name [role_name] This command is used to display specified roles. If the “role_name” parameter is not specified, all roles will be displayed. clear role name This command is used to clear all the roles. role qualification [description] This command is used to add a qualification rule to a specified role. 2000-2018 Array Networks, Inc. All Rights Reserved. 158Chapter 5 User Policy role_name This parameter specifies the name of an existing role. qual_name This parameter specifies the name of the qualification rule. Its value must be a string of 1 to 63 characters. description Optional. This parameter specifies the description of the qualification rule. Its value must be a string of 1 to 255 characters. The default value is empty. no role qualification This command is used to delete a qualification rule from a specified role. show role qualification [role_name] [qual_name] This command is used to display the qualification rules for a specified role. role_name Optional. This parameter specifies the name of an existing role.  If this parameter is specified, the qualification rules of this role will be displayed.  If this parameter is not specified, the qualification rules of all roles will be displayed. The default value is empty. qual_name Optional. This parameter specifies the name of an existing qualification rule.  If this parameter is specified, the qualification rules containing this qualification name will be displayed.  If this parameter is not specified, the qualification rules containing any qualification name will be displayed. The default value is empty. clear role qualification [role_name] This command is used to clear all the qualification rules for a specified role. If the “role_name” parameter is not specified, qualification rules of all roles will be cleared. role condition This command is used to add a condition to the associated role and qualification rule. If multiple conditions are configured for a qualification rule, users can obtain the role only when meeting all the conditions in the associated qualification rule. 2000-2018 Array Networks, Inc. All Rights Reserved. 159Chapter 5 User Policy role_name This parameter specifies the name of an existing role. qual_name This parameter specifies the name of an existing qualification rule. condi_string This parameter specifies a condition string defining the user characteristics. Its value must be a string of 1 to 511 uppercase characters enclosed by double quotes. Its format must be “condition string [IS|NOT] [value]”. For how to specify the “condition string” and “value”, please refer to the following table. For example, suppose the administrator wants to assign a “stuff” role to all users who log in on the 1st day of every month. If this “stuff” role already has an associated “work” qualification rule, the administrator can add the necessary condition rule to the “work” qualification with the following command: VS(config)$role condition stuff work “LOGINDAY IS 1” The following table displays the supported condition strings: Table 5-1 Supported Condition String Condition String Meaning Value LOGINYEAR The year when the end user logs in. 1970 to 2999. LOGINMONTH The month when the end user logs in. 1 to 12. LOGINDAY The day of month when the end user logs in. 1 to 31. LOGINWEEK The weekday when the end user logs in. 1 to 7. The date when the end user logs in, including LOGINDATE yyyyMMddhhmm the year, month, day, hour and minute. LOGINTIME The time when the end user logs in. 00:00 to 23:59 Alphanumeric, special USERNAME The user name. printable ASCII characters and multi-byte characters. Alphanumeric, special GROUPNAME The group which the user name belongs to. printable ASCII characters and multi-byte characters. Alphanumeric, special AUTHMETHOD The authentication method. printable ASCII characters and multi-byte characters. IPv4 or IPv6 address. For example: SRCIP The source IP address of the user. 10.10.10.0/24 10.10.10.0/255.255.255.0 10.10.10.1 2000-2018 Array Networks, Inc. All Rights Reserved. 160Chapter 5 User Policy Condition String Meaning Value 2012:1030::1 2012:1030::1/64 no role condition This command is used to delete the condition associated with a specified role and qualification rule. show role condition [role_name] [qual_name] This command is used to display the condition associated with a specified role and qualification rule. role_name Optional. This parameter specifies an existing role.  If this parameter is specified, the conditions of this role will be displayed.  If this parameter is not specified, the conditions of all roles will be displayed. The default value is empty. qual_name Optional. This parameter specifies the name of an existing qualification rule.  If this parameter is specified, the conditions associated with this qualification rule will be displayed.  If this parameter is not specified, the conditions associated with all qualification rules will be displayed. The default value is empty. clear role condition [role_name] [qual_name] This command is used to clear the condition associated with a specified role and qualification rule. role_name Optional. This parameter specifies an existing role.  If this parameter is specified, the conditions of this role will be cleared.  If this parameter is not specified, the conditions of all roles will be cleared.  The default value is empty. qual_name Optional. This parameter specifies the name of an existing qualification rule. 2000-2018 Array Networks, Inc. All Rights Reserved. 161Chapter 5 User Policy  If this parameter is specified, the conditions associated with this qualification rule will be cleared.  If this parameter is not specified, the conditions associated with all qualification rules will be cleared.  The default value is empty. role resource quicklink [position] [auto-permit] [FrontendSSO] [device_id] This command is used to assign a QuickLink resource to a specified role. role_name This parameter specifies the name of an existing role. resource_id This parameter specifies the name of an existing QuickLink resource configured via the command “virtual site quicklink hostname” or “virtual site quicklink port”. display_name This parameter specifies the name of the QuickLink resource displayed on the portal page. Its value must be a string of 1 to 900 characters. This parameter supports HTML tags that can be used between and , such as “ …”, “ …”, and “ …”. path Optional. This parameter specifies the path of the QuickLink resource. Its value must be a string of 1 to 512 characters. The default value is “/”. position Optional. This parameter specifies the position of the link on the portal page. Its value must be an integer ranging from 1 to 1000. The QuickLink resources will be displayed in ascending order of the parameter value. The default value is 1000. auto-permit Optional. This parameter specifies whether to enable auto-generation of the ACL “permit” configurations for this QuickLink resource.  0: indicates that auto-generation of the ACL “permit” configurations is disabled.  1: indicates that auto-generation of the ACL “permit” 2000-2018 Array Networks, Inc. All Rights Reserved. 162Chapter 5 User Policy configurations is enabled. The default value is 0. FrontendSSO Optional. This parameter specifies whether to enable Frontend SSO Post for this QuickLink resource.  0: Disabled and AG-end SSO is used. The AG appliance will construct SSO Post requests and send them to the backend application server on behalf of users.  1: Enabled. User clients’ browsers will construct SSO Post requests and send them to the AG appliance, and then the AG appliance forwards them to the backend application server. The default value is 0. device_id Optional. This parameter specifies the machine ID field used to log into the backend server. Its value must be a string of 1 to 63 characters. The default value is empty, indicating the machine ID field is not required to log into the backend server. For example: vs(config)$role resource quicklink "rn2" "p1" " Test" "/resource/test" 1000 1 0 vs(config)$role resource quicklink "rn2" "p1" " Test" "/resource/test" 1000 0 0 vs(config)$role resource quicklink "rn2" "p1" " Test" "/resource/test" 1000 0 0 vs(config)$role resource quicklink "rn2" "p1" " Test" "/resource/test" 1000 0 0 Note:  If “auto-permit” is set to 1, the system automatically executes the command “acl resourcegroup web [description]” to add a Web-type resource group named “auto_web_resgroup_for_ ”, executes the command “acl resource ” to add this QuickLink resource to this resource group, and executes the command “acl rule” to add an ACL permit rule with the priority 200 for this resource group.  The Web-type resource group named “auto_web_resgroup_for_ ”can only be generated by the system. If it has been added for the role earlier, then the system will reuse it to add ACL “permit” configurations later.  For SSO methods other than SSO Post, only the AG appliance can perform the SSO operations. In this case, please use AG-end SSO and set the “FrontendSSO” to 0. 2000-2018 Array Networks, Inc. All Rights Reserved. 163Chapter 5 User Policy  Frontend SSO Post requires the “sso post” configuration, but not the “sso on” configuration.  Frontend SSO Post requires that the value of the “post_host” and “hostname” parameters in the “sso post” configuration should be exactly the same.  Frontend SSO Post requires that the value of the “path” parameter should be the same as that of the “login_url” parameter in the “sso post” configuration.  Frontend SSO Post does not support the “bookmark” and “other_header_field” parameters of the “sso post” configuration.  Frontend SSO Post cannot generate the cookie required by some backend servers for authentication.  Frontend SSO Post cannot work for the Web resources which are accessed by using the portal URL input bar or the Web navigation tool. no role resource quicklink This command is used to delete a QuickLink resource from a specified role. Note: The auto-generated ACL “permit” configurations will be deleted when the QuickLink resource is deleted from a specified role. role resource web [position] [auto-permit] [DirectLink] [FrontendSSO] [device_id] This command is used to assign a WRM resource to a specified role. role_name This parameter specifies the name of an existing role. url This parameter specifies the URL link of the WRM resource. Its value must be a string of 1 to 512 characters. display_name This parameter specifies the name of the WRM resource displayed on the portal page. Its value must be a string of 1 to 900 characters. This parameter supports HTML tages that can be used between and , such as “ …”, “ …”, and “ …”. position Optional. This parameter specifies the position of the link on the portal page. Its value must be an integer ranging from 1 to 1000. The WRM resources will be displayed in ascending order of the parameter value. 2000-2018 Array Networks, Inc. All Rights Reserved. 164Chapter 5 User Policy The default value is 1,000. auto-permit Optional. This parameter specifies whether to enable auto-generation of the ACL “permit” configurations for this Web resource.  0: indicates that auto-generation of the ACL “permit” configurations is disabled.  1: indicates that auto-generation of the ACL “permit” configurations is enabled. The default value is 0. DirectLink Optional. This parameter specifies whether this Web resource is a direct link.  0: indicates that this Web resource is not a direct link. The AG appliances will rewrite the URL of this Web resource before allowing the user to access this Web resource.  1: indicates that this Web resource is a direct link. The AG appliance allows the user to directly access this Web resource without rewriting. The default value is 0. FrontendSSO Optional. This parameter specifies whether to enable Frontend SSO Post for this Web resource.  0: Disabled and AG-end SSO Post is used. The AG appliance will construct the SSO Post requests and send them to the backend application server on behalf of users.  1: Enabled. If “DirectLink” is set to “0”, user clients’ browsers will construct the SSO Post requests and send them to the AG appliance, and then the AG appliance forwards them to the backend application server. If “DirectLink” is set to “1”, user clients’ browsers will construct the SSO Post requests and send them to the backend application server directly. The default value is 0. device_id Optional. This parameter specifies the machine ID field used to log into the backend server. Its value must be a string of 1 to 63 characters. The default value is empty, indicating the machine ID 2000-2018 Array Networks, Inc. All Rights Reserved. 165Chapter 5 User Policy field is not required to log into the backend server. For example: vs(config)$role resource web "rn2" "http://10.3.0.67" " Test" 1000 1 0 1 "" vs(config)$role resource web "rn2" "http://10.3.0.67" " Test" 1000 0 0 0 "" vs(config)$role resource web "rn2" "http://10.3.0.67" " Test" 1000 0 0 1 "" vs(config)$role resource web "rn2" "http://10.3.0.67" " Test" 1000 0 0 0 "" Note:  If “auto-permit” is set to 1, the system automatically executes the command “acl resourcegroup web [description]” to add a Web-type resource group named “auto_web_resgroup_for_ ”, executes the command “acl resource ” to add this WRM resource to this resource group, and executes the command “acl rule” to add an ACL permit rule for this resource group with priority 200.  The web type resource group named “auto_web_resgroup_for_ ”can only be generated by the system. If it has been added for the role earlier, then the system will reuse it to add ACL “permit” configurations later.  For SSO methods other than SSO Post, only the AG appliance can perfrom the SSO operations. In this case, please use AG-end SSO and set the “FrontendSSO” to 0.  Frontend SSO Post requires the “sso post” configuration, but not the “sso on” configuration.  Frontend SSO Post requires that the value of the “post_host” and “hostname” parameters in the “sso post” configuration should be exactly the same.  Frontend SSO Post requires that the value of the parameter “url” equals to that of the “hostname + login_url” in the “sso post” configuration.  Frontend SSO Post does not support the “bookmark” and “other_header_field” parameters of the “sso post” configuration.  Frontend SSO Post cannot generate the cookie required by some backend servers for authentication.  Frontend SSO Post cannot work for the Web resources which are accessed by using the portal URL input bar or the Web navigation tool. no role resource web This command is used to delete a WRM resource from a specified role. 2000-2018 Array Networks, Inc. All Rights Reserved. 166Chapter 5 User Policy Note: The auto-generated ACL “permit” configurations will be deleted only when the WRM resource is deleted from a specified role. role resource aproxy [position] [auto_permit] This command is used to assign an IPv6 Web (Aproxy) resource to a specified role. role_name This parameter specifies the name of an existing role. url This parameter specifies the URL of the Aproxy resource. Its value must be a string of 1 to 512 characters. The host part of the URL must be an IPv6 address enclosed by square brackets, for example “http://[2012:1082::6]/test/index.html/”. display_name This parameter specifies the name displayed on the portal page. Its value must be a string of 1 to 900 characters. This parameter supports HTML tags that can be used between and , such as “ …”, “ …”, and “ …”. position Optional. This parameter specifies the position of the link displayed on the portal page. Its value must be an integer ranging from 1 to 1000. The Aproxy resources will be displayed in ascending order of the parameter value. The default value is 1,000. auto_permit Optional. This parameter specifies whether to enable auto-generation of the ACL “permit” configurations for the Aproxy resource.  0: indicates that auto-generation of the ACL “permit” configurations is disabled.  1: indicates that auto-generation of the ACL “permit” configurations is enabled. The default value is 0. Note:  If “auto-permit” is set to 1, the system automatically executes the command “acl resourcegroup web [description]” to add an Aproxy-type resource group named “auto_gen_resgroup_for_ ”, executes the 2000-2018 Array Networks, Inc. All Rights Reserved. 167Chapter 5 User Policy command “acl resource ” to add this Aproxy resource to this resource group, and executes the command “acl rule” to add an ACL permit rule for this resource group with priority 200.  The Aproxy-type resource group named “auto_gen_resgroup_for_ ”can only be generated by the system. If it has been added for the role earlier, then the system will reuse it to add ACL “permit” configurations later. For example: vs(config)$role resource aproxy "r1" "http://[2012:1082::1]" "test1" 1000 1 vs(config)$role resource aproxy "r1" "http://[2012:1082::6]/test/index.html/" "test6" 1000 1 no role resource aproxy This command is used to delete an Aproxy resource from a specified role. Note: The auto-generated ACL “permit” configurations will be deleted only when the Aproxy resource is deleted from a specified role. role resource netpool This command is used to add a Netpool resource to a specified role. This command must be configured if users need to access backend resources through the L3VPN tunnel or Site2Site VPN tunnel. role_name This parameter specifies the name of an existing role. pool_name This parameter specifies the name of an existing Netpool resource. no role resource netpool This command is used to delete a Netpool resource from a specified role. role resource vpnresourcegroup This command is used to add a VPN resource group to a specified role. This command must be configured if users need to access backend resources through the L3VPN tunnel or Site2Site VPN tunnel. role_name This parameter specifies the name of an existing role. resource_group This parameter specifies the name of an existing resource group defined via the “vpn resource group” command. no role resource vpnresourcegroup 2000-2018 Array Networks, Inc. All Rights Reserved. 168Chapter 5 User Policy This command is used to delete a VPN resource group from a specified role. role resource cifs [position] [auto-permit] This command is used to add a Common Internet File Share (CIFS) resource to a specified role. role_name This parameter specifies the name of an existing role. cifs_url This parameter specifies the URL address of the CIFS resource provided by the CIFS server. Its value must be a string of 1 to 512 characters. The format of the URL address can be “// / ”, “// / /username” or “// / / ”, for example, “//10.3.0.233/test”, “//10.3.0.233/test/username” or “//10.3.0.233/test/test”. Please note that the URL address cannot contain the chracters “\”, “:”, “*”, “<”, “>”, “?”, “|” and “"” and end with “/”. When the administrator wants to allow the login users to access only the next-level subfolder named using their usernames of the shared folder, the format “// / /username” should be used. If both “// / /username” and “// / / ” are configured, the “// / /username” will take effect first. Note: If the URL address ends with “$”, the file share function might not work. For example, “//10.10.1.21/hirai$”. display_name This parameter specifies the name displayed for this CIFS resource on the portal page. Its value must be a string of 1 to 900 characters. This parameter supports HTML tages that c9an be used between and , such as “ …”, “ …”, and “ …”. position Optional. This parameter specifies the position of the CIFS resource displayed on the portal. Its value must be an integer ranging from 1 to 1000. The CIFS resources will be displayed in ascending order of the parameter value. The default value is 1000. 2000-2018 Array Networks, Inc. All Rights Reserved. 169Chapter 5 User Policy auto-permit Optional. This parameter specifies whether to enable auto-generation of the ACL “permit” configurations for the CIFS resource.  0: indicates that auto-generation of the ACL “permit” configurations is disabled.  1: indicates that auto-generation of the ACL “permit” configurations is enabled. The default value is 0. For example: vs(config)$role resource cifs "rn2" "//10.3.75.1/3x" " Test" 1000 1 vs(config)$role resource cifs "rn2" "//10.3.75.1/3x" " Test" 1000 0 vs(config)$role resource cifs "rn2" "//10.3.75.1/3x" " Test" 1000 0 vs(config)$role resource cifs "rn2" "//10.3.75.1/3x" " Test" 1000 0 vs(config)$role resource cifs "rn2" "//10.3.75.1/3x/username" " Test" 1000 1 vs(config)$role resource cifs "rn2" "//10.3.75.1/3x/test" " Test" 1000 1 Note:  If “auto-permit” is set to 1, the system automatically executes the command “acl resourcegroup fileshare [description]” to add a fileshare-type resource group named “auto_fileshare_resgroup_for_ ”, executes the command “acl resource ” to add this CIFS resource to this resource group, and executes the command “acl rule” to add an ACL permit rule with priority 200 for this resource group.  The fileshare-type resource group named “auto_fileshare_resgroup_for_ ”can only be generated by the system. If it has been added for the role earlier, then the system will reuse it to add ACL “permit” configurations later. no role resource cifs This command is used to delete a CIFS resource from a specified role. Note: The auto-generated ACL “permit” configurations will be deleted when the CIFS resource is deleted from a specified role. show role resource [role_name] [resource_type] This command is used to display resources of a specified role. role_name Optional. This parameter specifies the name of an existing role. The default value is empty, indicating resources of all roles will 2000-2018 Array Networks, Inc. All Rights Reserved. 170Chapter 5 User Policy be displayed. resource_type Optional. This parameter specifies the resource type. Its value must be “all”, “quicklink”, “netpool”, “vpnresourcegroup”, “web” and “aproxy”. The default value is “all”. clear role resource [role_name] [resource_type] This command is used to delete resources of a specified role. role_name Optional. This parameter specifies the name of an existing role. The default value is empty, indicating resources of all roles will be deleted. resource_type Optional. This parameter specifies the resource type. Its value must be are “all”, “quicklink”, “cifs”,“netpool”, “vpnresourcegroup”, “web” and “aproxy”. The default value is “all”. role sessionpolicy This command is used to associate a custom session lifecycle policy (configured using the “session lifecyclepolicy” command) with a role. The administrator can associate only one custom session lifecycle policy with a role. If no custom session lifecycle policy is associated with a role, the session timeout settings of the virtual site (if configured using the commands “session timeout idle”, “session timeout lifetime”, “session timeout warning {on|off}” “session timeout warning threshold” and “session timeout warning extension_lifetime”) will take effect for the role. If the user has been assigned several roles:  When the role with the highest priority is associated with a custom session lifecycle policy, this custom session lifecycle policy will take effect for the user.  When the role with the highest priority is not associated with a custom session lifecycle policy, the session timeout settings of the virtual site will take effect for the user. role_name This parameter specifies the name of an existing role policy_name This parameter specifies the name of an existing custom session lifecycle policy. no role sessionpolicy This command is used to disassociate the custom session lifecycle policy from a specified role. show role sessionpolicy [role_name] 2000-2018 Array Networks, Inc. All Rights Reserved. 171Chapter 5 User Policy This command is used to display the custom session lifecycle policy associated with a specified role. If the “role_name” parameter is not specified, the custom session lifecycle policy associated with every role will be displayed. clear role sessionpolicy This command is used disassociate the custom session lifecycle policy from every role. show role config This command is used to display the current role configurations. ACL Configuration acl resourcegroup web [description] This command is used to add a “web” type resource group. resource_group This parameter specifies the name of the “web” type resource group. Its value must be a string of 1 to 64 characters. description Optional. This parameter specifies the description of the “web” type resource group. Its value must be a string of 1 to 512 characters. The default value is empty. acl resourcegroup network [description] This command is used to add a “network” type resource group. resource_group This parameter specifies the name of the “network” type resource group. Its value must be a string of 1 to 64 characters. description Optional. This parameter specifies the description of the “network” type resource group. Its value must be a string of 1 to 512 characters. The default value is empty. acl resourcegroup fileshare [description] This command is used to add a “fileshare” type resource group. resource_group This parameter specifies the name of the “fileshare” type resource group. Its value must be a string of 1 to 64 characters. description Optional. This parameter specifies the description of the “fileshare” type resource group. Its value must a string of 1 to 512 characters. The default value is empty. no acl resourcegroup 2000-2018 Array Networks, Inc. All Rights Reserved. 172Chapter 5 User Policy This command is used to delete a specified resource group. show acl resourcegroup This command is used to display all the ACL resource groups. clear acl resourcegroup This command is used to clear all the ACL resource groups. acl resource This command is used to add a resource to an ACL resource group. For Site2Site VPN, to make the subnets on the spokes and hubs accessible, you should configure them as network resources and add them to the ACL resource group. If NAT rules are configured for Site2Site VPN using the “vpn site2site forward” command, you should configure the virtual subnet specified by the parameters “virtual_subnet_IP” and “virtual_subnet_netmask” as the network resource instead of the real subnet on the spoke/hub. resource_group This parameter specifies the name of an existing resource group. resource This parameter specifies the resource to be added. Its value must be a string of 1 to 512 characters. The type of the entered resource must be the same as that of the resource group. Please note that both IPv4 and IPv6 resources are supported. For Site2Site VPN with NAT configured, the parameter value should set to the subnet specified by the parameters “virtual_subnet_IP” and “virtual_subnet_netmask”. For example: vs(config)$acl resource "web" "https://www.domain.com:443/*" vs(config)$acl resource "web" "10.10.10.1/32:*/public/*" vs(config)$acl resource "rg1" "10.10.10.0/24" vs(config)$acl resource "rg2" "2012:1810::10:8:10:12/128" vs(config)$acl resource "file" "\\10.10.10.1\directory" no acl resource This command is used to delete a resource from a specified resource group. show acl resource [resource_group] This command is used to display the resources of a specified resource group. If the “resource_group” parameter is not specified, resources of all resource groups will be displayed. clear acl resource [resource_group] 2000-2018 Array Networks, Inc. All Rights Reserved. 173Chapter 5 User Policy This command is used to clear the resources of a specified resource group. If the “resource_group” parameter is not specified, resources of all resource groups will be cleared. acl rule [priority] [target_type] This command is used to add an ACL rule to permit or deny the access to a specified resource group for a specified target, which can be a role, user, or group. target_name This parameter specifies the name of an existing target. Its value must be the name of an existing role, user, or group. resource_group This parameter specifies the name of an existing resource group. action This parameter specifies the action (“permit” or “deny”) of the ACL rule. Its value must be “permit” or “deny”. priority Optional. This parameter specifies the priority of the ACL rule. Its value must be an integer ranging from 0 to 1000. The default value is 1000. The smaller the value, the higher the priority. target_type Optional. This parameter specifies the type of a specified target. Its value must be:  R: indicates the role.  U: indicates the user.  G: indicates the group. The default value is R. no acl rule [target_type] This command is used to delete the ACL rule associated with a specified resource group and a specified target. If multiple types of targets have the same name, you need to specify the “target_type” parameter to distinguish them. If it is not specified, the ACL rule associated with the role-type target will be deleted. show acl rule [target_name] [resource_group] [target_type] This command is used to display the ACL rule associated with a specified resource group and a specified target type. target_name Optional. This parameter specifies the name of an existing target.  If this parameter is specified, the ACL rules associated with a specified target will be displayed.  If this parameter is not specified, the ACL rules associated 2000-2018 Array Networks, Inc. All Rights Reserved. 174Chapter 5 User Policy with all targets will be displayed. The default value is empty. resource_group Optional. This parameter specifies the name of an existing resource group.  If this parameter is specified, the ACL rules associated with a specified resource group will be displayed.  If this parameter is not specified, the ACL rules associated with all resource groups will be displayed. The default value is empty. target_type Optional. This parameter specifies the type of the target. Its value must be:  A: indicates all types.  R: indicates the role.  U: indicates the user.  G: indicates the group. The default value is A. clear acl rule [target_name] [resource_group] This command is used to clear the ACL rules associated with a specified resource group and a specified target. target_name Optional. This parameter specifies the name of the target.  If this parameter is specified, the ACL rules associated with a specified target will be cleared.  If this parameter is not specified, the ACL rules associated with all targets will be cleared. The default value is empty. resource_group Optional. This parameter specifies the name of an existing resource group.  If this parameter is specified, the ACL rules associated with a specified resource group will be cleared.  If this parameter is not specified, the ACL rules associated 2000-2018 Array Networks, Inc. All Rights Reserved. 175Chapter 5 User Policy with all resource groups will be cleared. The default value is empty. acl dynamic {on|off} This command is used to enable or disable the Dynamic ACL function. By default, this function is disabled. When this function is enabled, the system will accept dynamic ACLs generated by the clients. Dynamic ACLs will be used for matching requests only when requests matching no external ACLs or configured ACL rules. acl denylog {on|off} This commad is used to enable or disable logging for access denied by ACL rules. By default, this function is disabled. show acl config This command is used to display the ACL configurations. clear acl config This command is used to reset the ACL configurations to default. Session Management Global Settings virtual site session limit This global command is used to set the maximum concurrent session number for a specified virtual site. virtual_site This parameter specifies the name of an existing virtual site. limit_number This parameter specifies the maximum concurrent session number. Its value must be an integer ranging from 0 to 4,294,967,295. 0 indicates the AG appliance will not limit the maximum concurrent session number for a specified virtual site. no virtual site session limit This global command is used to delete the setting of the maximum concurrent session number for a specified virtual site. show virtual site session limit [virtual_site] 2000-2018 Array Networks, Inc. All Rights Reserved. 176Chapter 5 User Policy This global command is used to display the setting of the maximum concurrent session number for a specified virtual site. If the “virtual_site” parameter is not specified, the settings of the maximum concurrent session number for all virtual sites will be displayed. virtual site session group name This global command is used to configure a session group. The session group function allows multiple virtual sites to share the concurrent sessions permitted for the session group. To use this function, the administrator should follow these steps:  Define the session group first using “virtual site session group name” command  Set the maximum number of concurrent sessions permitted for the session group using the “virtual site session group limit” command  Associate virtual sites with the session group using the “virtual site session group member” command. group_name This parameter specifies the name of a session group. Its value must be a string of 1 to 64 characters. no virtual site session group name This global command is used to delete a specified session group. show virtual site session group name This global command is used to display session groups. clear virtual site session group This global command is used to clear all session groups. virtual site session group limit This global command is used to set the maximum concurrent session number for a specified session group. group_name This parameter specifies the name of an existing session group. limit_number This parameter specifies the maximum concurrent session number. Its value must be an integer ranging from 0 to 4,294,967,295. 0 indicates the AG appliance will not limit the maximum concurrent session number. no virtual site session group limit This global command is used to delete the setting of the maximum concurrent session number for a specified session group. show virtual site session group limit [group_name] 2000-2018 Array Networks, Inc. All Rights Reserved. 177Chapter 5 User Policy This global command is used to display the setting of the maximum concurrent session number for a specified session group. If the “group_name” parameter is not specified, the settings of the maximum concurrent session number for all session groups will be displayed. virtual site session group member This global command is used to associate a virtual site with a session group. group_name This parameter specifies the name of an existing session group. virtual_site This parameter specifies the name of an existing virtual site. no virtual site session group member This global command is used to disassociate a virtual site from a specified session group. show virtual site session group member [group_name] This global command is used to display virtual sites associated with a specified session group. If the “group_name” parameter is not specified, virtual sites associated with all session groups will be displayed. virtual site session reuse {on|off} This global command is used to enable or disable the session reuse function for a specified virtual site. This function can be enabled for a specified virtual site only when the AAA function is enabled for that virtual site. By default, this function is disabled. virtual_site This parameter specifies the name of an existing virtual site. Note: When the session reuse function becomes enabled or disabled, all current sessions will be killed. show virtual site session reuse [virtual_site] This global command is used to display the status of the session reuse function for a specified virtual site. If the “virtual_site” parameter is not specified, the status of the session reuse function of all virtual sites will be displayed. show virtual site session config This global command is used to display session configurations of all virtual sites. show maxsession This global command is used to display the maximum number of concurrent user sessions in every of the past 12 months. show session usage [start_date] [end_date] 2000-2018 Array Networks, Inc. All Rights Reserved. 178Chapter 5 User Policy This global command is used to display the daily maximum session usage records under the global scope and each virtual site scope during a specified period in descending order. start_date Optional. This parameter specifies the start date of the daily maximum session usage records to be displayed. Its value must be a string in the format of “yyyymmdd”.  “yyyy” indicates the year. It must be an integer ranging from 2000 to 2037.  “mm” indicates the month. It must be an integer ranging from 01 to 12.  “dd” indicates the date. It must be an integer ranging from 01 to 31. If this parameter is not specified, the default start date will be the date in which the device is put to use. end_date Optional. This parameter specifies the end date of the daily maximum session usage records to be displayed. Its value must be a string in the format of “yyyymmdd”. The parameter value must be equal to or larger than that of “start_date”. If this parameter is not specified, the default end date is the current date. For example: AN(config)#show session usage 20130903 20130903 2013-9-3: Global Maximum Sessions of the Day: 3( 0 from SSF) 0( 0 from SSF) : vs 0( 0 from SSF) : xn 1( 0 from SSF) : vs_smx 0( 0 from SSF) : shared 0( 0 from SSF) : alias 2( 0 from SSF) : mp1 show hourlysession [month_number] This global command is used to display the hourly concurrent user session report for a specified month of the current year. month_number Optional. This parameter specifies the month for which the hourly concurrent user session report will be displayed. Its value must be an integer ranging from 0 to 12. The default value is 0, indicating the last month. 2000-2018 Array Networks, Inc. All Rights Reserved. 179Chapter 5 User Policy Per-VS Settings session maxperuser This command is used to set the maximum sessions per user. maximum_session This parameter specifies the maximum number of concurrent sessions per user. Its value must be an integer ranging from 0 to 4,294,967,295. 0 indicates that the AG appliance will not limit the session. no session maxperuser This command is used to delete the configuration of maximum sessions per user. show session maxperuser This command is used to display the configuration of maximum sessions per user. session kill legacy [on|off] This command is used to enable or disable the function of terminating a legacy session when the session number of the end user has reached the maximum limit (configured using the “session maxperuser” command). This function is disabled by default. on|off Optional. This parameter enables or disables the function of terminating a legacy session when the session number of the end user has reached the maximum limit. Its value must be:  on: enables the function of terminating a legacy session. AG will terminate a legacy session when the session number of the end user has reached the maximum limit.  off: disables the function of terminating a legacy session. The end user will be directly denied login when the session number of the end user has reached the maximum limit. The default value is “off”. session cookie expire This command is used to enable the cookie expire function, which inserts an “Expires” HTTP header field into the HTTP response to set the expiration time of the session cookie. By default, this function is disabled. no session cookie expire This command is used to disable the cookie expire function. show session cookie expire 2000-2018 Array Networks, Inc. All Rights Reserved. 180Chapter 5 User Policy This command is used to display the configuration of the cookie expire function. session cookie passthrough This command is used to enable the session cookie passthrough function, which allows session cookies to be passed from the requests to backend servers. By default, this function is disabled. no session cookie passthrough This command is used to disable the session cookie passthrough function. show session cookie passthrough This command is used to display the session cookie passthrough function. session kill id This command is used to kill the active session with a specified session ID. sessison_id This parameter specifies the session ID of the active sessions to be killed. Its value must be a string of 1 to 8 characters. session kill user [type] This command is used to kill active sessions initiated by a specified user. username This parameter specifies an existing username of the user whose active sessions will be killed. type Optional. This parameter specifies the type of the active sessions to be killed. Its value must be “mobilel2tp”, “mobileipsec”, “ssl” or “all”. The default value is “all”. session kill deviceid This command is used to kill active sessions initiated by a specified device. device_id This parameter specifies the DeviceID of a specified device whose active sessions will be killed. session kill status This command is used to kill the active sessions in the specified status. auth_type This parameter specifies the status of the active sessions to be killed. Its value must be:  Auth: indicates authenticated active sessions.  Unauth: indicates unauthenticated active sessions. 2000-2018 Array Networks, Inc. All Rights Reserved. 181Chapter 5 User Policy session kill all [type] This command is used to kill active sessions of a specified type. type Optional. This parameter specifies the type of the active sessions to be killed. Its value must be “mobilel2tp”, “mobileipsec”, “ssl” or “all. The default value is “all”, indicating active sessions of all types will be killed. session timeout idle This command is used to set session idle timeout (the amount of time that a session can remain idle before it expires). The default session idle timeout value is 3600 seconds. time This parameter specifies the maximum idle time in seconds. Its value must be an integer ranging from 1 to 86,400. no session timeout idle This command is used to reset the session idle timeout value to default. show session timeout idle This command is used to display the setting of the session idle timeout value. session timeout lifetime This command is used to set the session lifetime timeout value (the amount of time that a session can exist before it expires). The default session lifetime timeout value is 86,400 seconds. time This parameter specifies the maximum session lifetime in seconds. Its value must be an integer ranging from 1 to 94,608,000. Note: If the Site2Site VPN function is used, the session lifetime timeout value should be set to the maximum value (94,608,000). no session timeout lifetime This command is used to reset the session lifetime timeout value to default. show session timeout lifetime This command is used to display the setting of the session lifetime timeout value. session timeout unauth This command is used to set the session lifetime timeout value for unauthenticated sessions (the amount of time that an unauthenticated session can exist before it expires or gets authenticated). The session lifetime timeout value for unauthenticated sessions is 300 seconds. 2000-2018 Array Networks, Inc. All Rights Reserved. 182Chapter 5 User Policy time This parameter specifies the maximum unauthenticated session lifetime in seconds. Its value must be an integer ranging from 1 to 86,400. Note: Unauthenticated sessions here include challenge and change-password sessions. no session timeout unauth This command is used to reset the session lifetime timeout value for unauthenticated sessions to default. show session timeout unauth This command is used to display the setting of session lifetime timeout value for unauthenticated sessions. session timeout warning {on|off} This command is used to enable or disable the Session Timeout Warning function for the virtual site. By default, this function is disabled. session timeout warning threshold [idle_warning] [lifetime_warning] This command is used to set the amount of time that users will be warned prior to session timeout.  When being warned of the session idle timeout, the user is provided with the option to reset the session idle timeout timer. The default time that users will be warned prior to session idle timeout is 300 seconds.  When being warned of the session lifetime timeout, the user is provided with the option to extend the session lifetime. The amount of time by which the user can extend the session lifetime manually each time can be configured using the “session timeout warning extension_lifetime” command. The default time that users will be warned prior to session lifetime timeout is 300 seconds. idle_warning Optional. This parameter specifies the amount of time that users will be warned prior to session idle timeout in seconds. Its value must be an integer ranging from 1 to 86,400. The default value is 300. lifetime_warning Optional. This parameter specifies the amount of time that users will be warned prior to session lifetime timeout in seconds. Its value must be an integer ranging from 1 to 94,608,000. The default value is 300. session timeout warning extension_lifetime [extension_lifetime] 2000-2018 Array Networks, Inc. All Rights Reserved. 183Chapter 5 User Policy This command is used to set the amount of time by which the user can extend the session lifetime manually each time. The default time to be extended is 300 seconds. extension_lifetime Optional. This parameter specifies the amount of time to be extended in seconds. Its value must be an integer ranging from 1 to 94,608,000. The default value is 300. show session timeout warning This command is used to display the settings of Session Timeout Warning function. session lifecyclepolicy [idle_timeout] [life_timeout] [warning] [idle_warning] [lifetime_warning] [extension_time] This command is used to configure a custom session lifecycle policy. The custom session lifecycle policy needs to be associated with the role using the “role sessionpolicy” command to take effect. The custom session lifecycle policy has a higher priority than the session timeout settings of the virtual site (configured using the commands “session timeout idle”, “session timeout lifetime”, “session timeout warning {on|off}” “session timeout warning threshold” and “session timeout warning extension_lifetime”). A maximum of 200 custom session lifecycle policies can be configured. policy_name This parameter specifies the name of the custom session lifecycle policy. Its value must be a string of 1 to 63 characters. idle_timeout Optional. This parameter specifies the time that a session can remain idle before it expires, in seconds. Its value must be an integer ranging from 1 to 86,400. The default value is 3600. life_timeout Optional. This parameter specifies the time that a session can exist before it expires, in seconds. Its value must be an integer ranging from 1 to 94,608,000. The default value is 86,400. warning Optional. This parameter specifies whether to enable the session timeout warning function. Its value must be “on” or “off”. The default value is “off”. idle_warning Optional. This parameter specifies the time in seconds that users will be warned prior to the session idle timeout. Its value must be an integer ranging from 1 to 86,400. The default value is 300. If the “warning” parameter is set to “on”, when being warned of the session idle timeout, the user is provided with the option to reset the session idle timeout timer. lifetime_warning Optional. This parameter specifies the time in seconds that users will be warned prior to the session lifetime timeout. Its value must 2000-2018 Array Networks, Inc. All Rights Reserved. 184Chapter 5 User Policy be an integer ranging from 1 to 94,608,000. The default value is 300. If the “warning” parameter is set to “on”, when being warned of the session lifetime timeout, the user is provided with the option to extend the session lifetime by the amount of time specified by the “extention_time” parameter. extention_time Optional. This parameter specifies the amount of time by which the user can extend the session lifetime manually each time, in seconds. Its value must be an integer ranging from 1 to 94,608,000. The default value is 300. no session lifecyclepolicy This command is used to delete a specified custom session lifecycle policy. show session lifecyclepolicy [policy_name] This command is used to display a specified custom session lifecycle policy. If the “policy_name” parameter is not specified, all configured custom session lifecycle policies will be displayed. clear session lifecyclepolicy This command is used to clear all configured custom session lifecycle policies. show session settings This command is used to display all the session settings. clear session settings This command is used to clear all the session settings. show session count [username] This command is used to display the number of active sessions for the specified user. username Optional. This parameter specifies the username of the user for whom the number of active sessions will be displayed. Its value must be a string of 1 to 64 characters. The default value is empty, indicating the number of active sessions for every user will be displayed. show session active [type] [username] [device_id] [start] [count] This command is used to display the active sessions matching specified filter condition. type Optional. This parameter specifies the type of active sessions to be displayed. Its value must be “mobilel2tp”, “mobileipsec”, “ssl” or “all”. The default value is “all”, indicating all types of sessions. 2000-2018 Array Networks, Inc. All Rights Reserved. 185Chapter 5 User Policy username Optional. This parameter specifies the name of the user for whom active sessions will be displayed. Its value must be a string of 1 to 64 characters. The default value is empty, indicating active sessions for all users will be displayed. device_id Optional. This parameter specifies the DeviceID of the device for which active sessions will be displayed. Its value must be a string of 1 to 64 characters. The default value is empty, indicating active sessions for all devices will be displayed. start Optional. This parameter specifies the sequence number of the active session from which active sessions to be displayed. Its value must be an integer ranging from 1 to 4,294,967,295. The default value is 1. count Optional. This parameter specifies the number of active sessions to be displayed. Its value must be an integer ranging from 1 to 4,294,967,295. The default value is 1,000,000. show session external acl [type] [username] [start] [number] This command is used to display the sessions that match external ACLs. type Optional. This parameter specifies the type of sessions to be displayed. Its value must be “mobilel2tp”, “mobileipsec”, “ssl” or “all”. The default value is “all”, indicating all types of sessions. username Optional. This parameter specifies the name of the user for whom sessions will be displayed. Its value must be a string of 1 to 64 characters. The default value is empty, indicating the matching sessions of all users will be displayed. start Optional. This parameter specifies the sequence number of the session from which matching sessions will be displayed. Its value must be an integer ranging from 1 to 4,294,967,295. The default value is 1. number Optional. This parameter specifies the number of sessions to be displayed. Its value must be an integer ranging from 1 to 4,294,967,295. The default value is 1,000,000. For example: vs(config)$show session external acl User Name Session Type Session ID ACL 2000-2018 Array Networks, Inc. All Rights Reserved. 186Chapter 5 User Policy test012 ssl A1E6A606 0 http:172.16.12.212/ AND ALL PERMIT 0 file:172.16.12.212/ AND ALL PERMIT 2 ip tcp:0.0.0.0:80 AND ALL PERMIT 2 ip tcp:172.16.12.0/255.255.255.0 AND ALL PERMIT 1 ip udp:10.3.0.0/255.255.255.0 AND ALL PERMIT 0 ip icmp:172.16.12.0/255.255.255.0 AND ALL PERMIT 1 ip icmp:10.3.0.0/255.255.255.0 AND ALL PERMIT show session policy [type] [username] [start] [count] This command is used to display targets (roles, users or groups) and ACL resources associated with the active session of a specified type and username. type Optional. This parameter specifies the type of the active sessions to be displayed. Its value must be “mobilel2tp”, “mobileipsec”, “ssl” or “all”. The default value is “all”. username Optional. This parameter specifies the name of the user for whom the active sessions will be displayed. Its value must be a string of 1 to 64 characters. The default value is “ ”, indicating all usernames. start Optional. This parameter specifies the sequence number of the session from which sessions will be displayed. Its value must be an integer ranging from 1 to 4,294,967,295. The default value is 1. count Optional. This parameter specifies the number of sessions to be displayed. Its value must be an integer ranging from 1 to 4,294,967,295. The default value is 1,000,000. 2000-2018 Array Networks, Inc. All Rights Reserved. 187Chapter 6 Access Method Chapter 6 Access Method Web Access Web Access provides a clientless way to access internal Web resources with the standard web browser. This section covers the commands for configuring this module. QuickLink virtual site quicklink hostname This global command is used to configure a QuickLink resource in hostname mode for the specified virtual site. hostname This parameter specifies the public hostname used for mapping to the internal Web resource. Its value must be a string of 5 to 64 characters. resource_id This parameter specifies the name of the QuickLink resource. Its value must be a string of 1 to 20 characters. Only 0-9, a-z, A-Z and characters “_” and “-” are supported. virtual_site This parameter specifies the name of the existing virtual site for which the QuickLink rule is configured. no virtual site quicklink hostname This global command is used to delete a specified QuickLink resource in hostname mode configured for the specified virtual site. show virtual site quicklink hostname [virtual_site] This global command is used to display the QuickLink resources in hostname mode configured for the specified virtual site. If the “virtual_site” parameter is not specified, the QuickLink resources in hostname mode configured for all the virtual sites will be displayed. clear virtual site quicklink hostname This global command is used to clear all the QuickLink resources in hostname mode configured for the specified virtual site. virtual site quicklink port This global command is used to configure a QuickLink resource in port mode for the specified virtual site. port This parameter specifies the port used for mapping to the internal Web resource. Its value must be an integer ranging from 1 to 2000-2018 Array Networks, Inc. All Rights Reserved. 188Chapter 6 Access Method 65,535. To avoid port conflict, it is recommended to set this parameter to the value above 10,000. resource_id This parameter specifies the name of the QuickLink resource. Its value must be a string of 1 to 20 characters. Only 0-9, a-z, A-Z and characters “_” and “-” are supported. virtual_site This parameter specifies the name of the existing virtual site of with the QuickLink rule configured. no virtual site quicklink port This global command is used to delete a specified QuickLink resource in port mode for the specified virtual site. show virtual site quicklink port [virtual_site] This global command is used to display the QuickLink resources in port mode of the specified virtual site. If the “virtual_site” parameter is not specified, the QuickLink resources in port mode of all the virtual sites will be displayed. clear virtual site quicklink port This global command is used to clear all QuickLink resources in port mode of the specified virtual site. portal quicklink rule [rewrite_option1] [rewrite_option2] [rewrite_option3] [rewrite_option4] [rewrite_option5] This command is used to configure a QuickLink rule to map an internal Web resource to the specified QuickLink resource. backend_url This parameter specifies the URL of the internal Web resource. Its value must be a string of 1 to 900 characters. resource_id This parameter specifies the name of an existing QuickLink resource. The parameter value must be the name predefined by the command “virtual site quicklink hostname” or “virtual site quicklink port”. rewrite_option1 Optional. This parameter specifies the rewrite option. Its value must only be:  “norewrite”: indicates that the web content will not be rewritten. By default, the web content will be rewritten.  “rewriteexternal”: indicates that external URLs contained in the web content but not matching any QuickLink rules will be 2000-2018 Array Networks, Inc. All Rights Reserved. 189Chapter 6 Access Method rewritten into the WRM format. By default, external URLs will not be rewritten.  “rewritexml”: indicates that the XML formatted web content will be rewritten. By default, the XML formatted web content will not be rewritten.  “blockcookie”: indicates that cookies from backend servers will be blocked. By default, cookies from backend servers will not be blocked.  “forwardheader”: indicates the HTTP header will be replaced by the new HTTP header of the QuickLink rule in hostname mode. By default, the HTTP header will not be replaced. Note: 1. For OWA, “rewritexml” is a mandatory option while other options (including “norewrite”, “rewriteexternal” “forwardheader”, and “blockcookie”) cannot be configured. 2. The “norewrite” option and other options are mutually exclusive. rewrite_option2 Optional. This parameter specifies the rewrite option. Its value must only be “norewrite”, “rewriteexternal” “rewritexml”, “blockcookie” or “forwardheader”. rewrite_option3 Optional. This parameter specifies the rewrite option. Its value must only be “norewrite”, “rewriteexternal” “rewritexml”, “blockcookie” or “forwardheader”. rewrite_option4 Optional. This parameter specifies the rewrite option. Its value must only be “norewrite”, “rewriteexternal” “rewritexml”, “blockcookie” or “forwardheader”. rewrite_option5 Optional. This parameter specifies the rewrite option. Its value must only be “norewrite”, “rewriteexternal” “rewritexml”, “blockcookie” or “forwardheader”. no portal quicklink rule This command is used to delete a specified QuickLink rule. show portal quicklink rule This command is used to display all QuickLink rules under the virtual site scope. clear portal quicklink rule This command is used to clear all QuickLink rules under the virtual site scope. 2000-2018 Array Networks, Inc. All Rights Reserved. 190Chapter 6 Access Method show portal quicklink global This command is used to display all QuickLink resources configured in the global scope. portal quicklink alias This command is used to configure a QuickLink alias rule for the specified QuickLink resource. This allows administrators to define additional URLs that can be mapped to the same QuickLink resource identified by the “resource_id” parameter. backend_url This parameter specifies the additional URL of the internal Web resource. Its value must be a string of 1 to 900 characters. resource_id This parameter specifies the name of the QuickLink resource. The parameter value must be the name predefined by the command “virtual site quicklink hostname” or “virtual site quicklink port”. no portal quicklink alias This command is used to delete a specified QuickLink alias rule. show portal quicklink alias This command is used to display all QuickLink alias rules. clear portal quicklink alias This command is used to delete all QuickLink alias rules. WRM  General Settings rewrite {on|off} This command is used to enable or disable the Web Resource Mapping (WRM) function. By default, this function is enabled. show rewrite status This command is used to display the status (enabled or disabled) of the WRM function. show rewrite config This command is used to display all configurations of the WRM function. clear rewrite config This command is used to delete all configurations of the WRM function.  WRM Rule rewrite param {url|host} [separator] [index] 2000-2018 Array Networks, Inc. All Rights Reserved. 191Chapter 6 Access Method This command is used to configure a WRM rewrite rule. rule_id This parameter specifies the ID of WRM rewrite rule. Its value must be an integer ranging from 0 to 1024. parameter_name This parameter specifies the name obtained from the value of the HTML “name” attribute in the HTML “param” tag. url|host This parameter specifies the value type obtained from the HTML “value” attribute of the HTML “param” tag. Its value must only be “url” or “host”. separator Optional. This parameter specifies the separator between multiple URLs or hosts. The default value is empty. index Optional. This parameter specifies the index of the URL or host to be rewritten. Its value must be an integer ranging from 1 to 4,294,967,295. The default value is empty. For example, if the HTML file of the backend Web server contains the HTML “param” tag , the WRM rule should be: vs(config)$ rewrite param 1 "param" "url" no rewrite param This command is used to delete a specified WRM rewrite rule. show rewrite param This command is used to display the configured WRM rewrite rules. rewrite matchparam substring This command is used to set the parameter matching mode to “substring”. In “substring” mode, the WRM rewrite rule will be hit when the value of “parameter_name” parameter in the “rewrite param” command matches a part of the value of the HTML “name” attribute in the HTML “param” tag. By default, the “substring” mode is used for HTML parameter matching. rewrite matchparam exact This command is used to set the parameter matching mode to “exact”. In “exact” mode, the WRM rewrite rule will be hit when the value of the “parameter_name” parameter in the “rewrite param” command match exactly the value of the HTML “name” attribute in the HTML “param” tag. show rewrite matchparam This command is used to display the parameter matching mode. rewrite relative 2000-2018 Array Networks, Inc. All Rights Reserved. 192Chapter 6 Access Method This command is used to enable the rewrite of the relative URLs. By default, this function is disabled. no rewrite relative This command is used to disable the rewrite of the relative URLs. show rewrite relative This command is used to display the status (enabled or disabled) of the rewrite of the relative URLs.  URL Masking rewrite urlmask [file_name] This command is used to enable the URL masking function. To mask the internal URLs, the “rewrite relative” command must be configured first. If the URL masking function is enabled, the system will rewrite the URL with a pre-set algorithm to hide the backend server and path. By default, this function is disabled. file_name Optional. This parameter specifies the file name. Its value must only be “filename” or its prefix. If this parameter is specified, the name of file of the internal resource will also be masked. The default value is empty. no rewrite urlmask This command is used to disable the URL masking function. show rewrite urlmask This command is used to display the status (enabled or disabled) of the URL masking function.  URL Property urlproperty mask wrm This command is used to add a URL to the list of URLs that will not be rewritten by the WRM rewrite rule. url This parameter specifies the URL that will not be rewritten by the WRM rewrite rule. Its value must be a string of 9 to 1000 characters. no urlproperty mask wrm This command is used to delete a URL from the list of URLs that will not be rewritten by the WRM rewrite rule. clear urlproperty mask wrm 2000-2018 Array Networks, Inc. All Rights Reserved. 193Chapter 6 Access Method This command is used to clear the list of URLs that will not be rewritten by the WRM rewrite rule. urlproperty mask acceptencoding This command is used to disable the insertion of the “Accept Encoding” header for the specified URL. This is used primarily for Web servers that are non-compliant with the HTTP RFC standards. url This parameter specifies the URL for which “Accept Encoding” headers will be masked. Its value must be a string of 9 to 990 characters. no urlproperty mask acceptencoding This command is used to enable the insertion of the “Accept Encoding” header for the specified URL. clear urlproperty mask acceptencoding This command is used to enable the insertion of the “Accept Encoding” header for all URLs. show urlproperty mask This command is used to display all URL property mask configurations. Custom Rewrite rewrite custom {on|off} This command is used to enable or disable the custom rewrite function. By default, this function is enabled. To use this function, the administrator also needs to configure custom rewrite rules using the “rewrite custom rules” command. show rewrite custom status This command is used to display the status (enabled or disabled) of the custom rewrite function. rewrite custom rules