Contents

Configuring AAA
AAA overview
RADIUS
HWTACACS
Domain-based user management
RADIUS server feature of the switch
Protocols and standards
RADIUS attributes
FIPS compliance
AAA configuration considerations and task list
Configuring AAA schemes
Configuring local users
Configuring RADIUS schemes
Configuring HWTACACS schemes
Configuring AAA methods for ISP domains
Configuration prerequisites
Creating an ISP domain
Configuring ISP domain attributes
Configuring AAA authentication methods for an ISP domain
Configuring AAA authorization methods for an ISP domain
Configuring AAA accounting methods for an ISP domain
Tearing down user connections
Configuring a NAS ID-VLAN binding
Configuring a switch as a RADIUS server
RADIUS server functions configuration task list
Configuring a RADIUS user
Specifying a RADIUS client
Displaying and maintaining AAA
AAA configuration examples
AAA for Telnet users by an HWTACACS server
AAA for Telnet users by separate servers
Authentication/authorization for SSH/Telnet users by a RADIUS server
Level switching authentication for Telnet users by an HWTACACS server
RADIUS authentication and authorization for Telnet users by a switch
Troubleshooting AAA
Troubleshooting RADIUS
Troubleshooting HWTACACS
802.1X overview
802.1X architecture
Controlled/uncontrolled port and port authorization status
802.1X-related protocols
Packet formats
EAP over RADIUS
Initiating 802.1X authentication
802.1X client as the initiator
Access device as the initiator
802.1X authentication procedures
A comparison of EAP relay and EAP termination
EAP relay
EAP termination
Configuring 802.1X
Hewlett Packard Enterprise implementation of 802.1X
Access control methods
Using 802.1X authentication with other features
Configuration prerequisites
802.1X configuration task list
Enabling 802.1X
Configuration guidelines
Configuration procedure
Enabling EAP relay or EAP termination
Setting the port authorization state
Specifying an access control method
Setting the maximum number of concurrent 802.1X users on a port
Setting the maximum number of authentication request attempts
Setting the 802.1X authentication timeout timers
Configuring the online user handshake function
Configuration guidelines
Configuration procedure
Configuring the authentication trigger function
Configuration guidelines
Configuration procedure
Specifying a mandatory authentication domain on a port
Configuring the quiet timer
Enabling the periodic online user re-authentication function
Configuration guidelines
Configuration procedure
Configuring a port to send EAPOL frames untagged
Setting the maximum number of 802.1X authentication attempts for MAC authentication users
Configuring a VLAN group
Configuring an 802.1X guest VLAN
Configuration guidelines
Configuration prerequisites
Configuration procedure
Configuring an 802.1X Auth-Fail VLAN
Configuration guidelines
Configuration prerequisites
Configuration procedure
Configuring an 802.1X critical VLAN
Configuration guidelines
Configuration prerequisites
Configuration procedure
Sending EAP-Success packets to 802.1X users in the critical VLAN
Configuring an 802.1X voice VLAN
Configuration guidelines
Configuration prerequisites
Configuration procedure
Specifying supported domain name delimiters
Configuring 802.1X MAC address binding
Displaying and maintaining 802.1X
802.1X authentication configuration example
Network requirements
Configuration procedure
Verifying the configuration
802.1X with guest VLAN and VLAN assignment configuration example
Network requirements
Configuration procedure
Verifying the configuration
802.1X with ACL assignment configuration example
Network requirements
Configuration procedure
Verifying the configuration
Configuring EAD fast deployment
Overview
Free IP
URL redirection
Configuration prerequisites
Configuring a free IP
Configuring the redirect URL
Setting the EAD rule timer
Displaying and maintaining EAD fast deployment
EAD fast deployment configuration example
Network requirements
Configuration procedure
Verifying the configuration
Troubleshooting EAD fast deployment
Web browser users cannot be correctly redirected
Configuring MAC authentication
Overview
User account policies
Authentication approaches
MAC authentication timers
Using MAC authentication with other features
VLAN assignment
ACL assignment
Guest VLAN
Critical VLAN
Configuration task list
Basic configuration for MAC authentication
Configuring MAC authentication globally
Configuring MAC authentication on a port
Specifying a MAC authentication domain
Configuring a MAC authentication guest VLAN
Configuring a MAC authentication critical VLAN
Configuring a MAC authentication voice VLAN
Configuration prerequisites
Configuration guidelines
Configuration procedure
Configuring MAC authentication delay
Enabling MAC authentication multi-VLAN mode
Displaying and maintaining MAC authentication
MAC authentication configuration examples
Local MAC authentication configuration example
RADIUS-based MAC authentication configuration example
ACL assignment configuration example
Configuring portal authentication
Overview
Extended portal functions
Portal system components
Portal system using the local portal server
Portal authentication modes
Portal support for EAP
Layer 2 portal authentication process
Layer 3 portal authentication process
Portal configuration task list
Configuration prerequisites
Specifying the portal server
Specifying the local portal server for Layer 2 portal authentication
Specifying a portal server for Layer 3 portal authentication
Configuring the local portal server
Customizing authentication pages
Configuring the local portal server
Enabling portal authentication
Enabling Layer 2 portal authentication
Enabling Layer 3 portal authentication
Controlling access of portal users
Configuring a portal-free rule
Configuring an authentication source subnet
Setting the maximum number of online portal users
Specifying an authentication domain for portal users
Configuring Layer 2 portal authentication to support Web proxy
Enabling support for portal user moving
Specifying an Auth-Fail VLAN for portal authentication
Configuring RADIUS related attributes
Specifying NAS-Port-Type for an interface
Specifying a NAS ID profile for an interface
Specifying a source IP address for outgoing portal packets
Specifying an auto redirection URL for authenticated portal users
Configuring portal detection functions
Configuring online Layer 2 portal user detection
Configuring the portal server detection function
Configuring portal user information synchronization
Logging off portal users
Displaying and maintaining portal
Portal configuration examples
Configuring direct portal authentication
Configuring re-DHCP portal authentication
Configuring cross-subnet portal authentication
Configuring direct portal authentication with extended functions
Configuring re-DHCP portal authentication with extended functions
Configuring cross-subnet portal authentication with extended functions
Configuring portal server detection and portal user information synchronization
Configuring Layer 2 portal authentication
Troubleshooting portal
Inconsistent keys on the access device and the portal server
Incorrect server port number on the access device
Configuring triple authentication
Overview
Triple authentication mechanism
Using triple authentication with other features
Configuring triple authentication
Triple authentication configuration examples
Triple authentication basic function configuration example
Triple authentication supporting VLAN assignment and Auth-Fail VLAN configuration example
Configuring port security
Overview
Port security features
Port security modes
Working with guest VLAN and Auth-Fail VLAN
Configuration task list
Enabling port security
Setting port security's limit on the number of MAC addresses on a port
Setting the port security mode
Configuration prerequisites
Configuration procedure
Configuring port security features
Configuring NTK
Configuring intrusion protection
Enabling port security traps
Configuring secure MAC addresses
Configuration prerequisites
Configuration procedure
Ignoring authorization information
Displaying and maintaining port security
Port security configuration examples
Configuring the autoLearn mode
Configuring the userLoginWithOUI mode
Configuring the macAddressElseUserLoginSecure mode
Troubleshooting port security
Cannot set the port security mode
Cannot configure secure MAC addresses
Cannot change port security mode when a user is online
Configuring a user profile
Overview
User profile configuration task list
Creating a user profile
Applying a QoS policy
Enabling a user profile
Displaying and maintaining user profiles
Configuring password control
Overview
FIPS compliance
Password control configuration task list
Configuring password control
Enabling password control
Setting global password control parameters
Setting user group password control parameters
Setting local user password control parameters
Setting super password control parameters
Setting a local user password in interactive mode
Displaying and maintaining password control
Password control configuration example
Configuring HABP
Overview
Configuring HABP
Configuring the HABP server
Configuring an HABP client
Displaying and maintaining HABP
HABP configuration example
Managing public keys
Overview
FIPS compliance
Configuration task list
Creating a local asymmetric key pair
Displaying or exporting the local host public key
Destroying a local asymmetric key pair
Specifying the peer public key on the local device
Displaying and maintaining public keys
Public key configuration examples
Manually specifying the peer public key on the local device
Importing a peer public key from a public key file
Configuring PKI
Overview
PKI terms
PKI architecture
PKI operation
PKI applications
PKI configuration task list
Configuring an entity DN
Configuring a PKI domain
Configuration guidelines
Configuration procedure
Submitting a PKI certificate request
Submitting a certificate request in auto mode
Submitting a certificate request in manual mode
Retrieving a certificate manually
Configuration guidelines
Configuration procedure
Configuring PKI certificate verification
Configuration guidelines
Configuring CRL-checking-enabled PKI certificate verification
Configuring CRL-checking-disabled PKI certificate verification
Destroying a local RSA key pair
Deleting a certificate
Configuring an access control policy
Displaying and maintaining PKI
PKI configuration examples
Certificate request from an RSA Keon CA server
Certificate request from a Windows 2003 CA server
Certificate attribute access control policy configuration example
Troubleshooting PKI
Failed to retrieve a CA certificate
Failed to request a local certificate
Failed to retrieve CRLs
Configuring IPsec
Overview
Basic concepts
Protocols and standards
FIPS compliance
Configuring IPsec
Implementing ACL-based IPsec
Feature restrictions and guidelines
ACL-based IPsec configuration task list
Configuring ACLs
Configuring an IPsec proposal
Configuring an IPsec policy
Applying an IPsec policy group to an interface
Configuring the IPsec session idle timeout
Enabling ACL checking of de-encapsulated IPsec packets
Configuring the IPsec anti-replay function
Configuring packet information pre-extraction
Displaying and maintaining IPsec
IPsec configuration examples
IKE-based IPsec tunnel for IPv4 packets configuration example
Configuring IKE
Overview
IKE security mechanism
IKE operation
IKE functions
Relationship between IKE and IPsec
Protocols and standards
IKE configuration task list
Configuring a name for the local security gateway
Configuring an IKE proposal
Configuring an IKE peer
Setting keepalive timers
Setting the NAT keepalive timer
Configuring a DPD detector
Disabling next payload field checking
Displaying and maintaining IKE
IKE configuration example
Troubleshooting IKE
Invalid user ID
Proposal mismatch
Failing to establish an IPsec tunnel
ACL configuration error
Configuring SSH2.0
Overview
SSH operation
FIPS compliance
Configuring the switch as an SSH server
SSH server configuration task list
Generating local key pairs
Enabling the SSH server function
Configuring the user interfaces for SSH clients
Configuring a client's host public key
Configuring an SSH user
Setting the SSH management parameters
Setting the DSCP value for packets sent by the SSH server
Configuring the switch as an SSH client
SSH client configuration task list
Specifying a source IP address/interface for the SSH client
Configuring whether first-time authentication is supported
Establishing a connection between the SSH client and server
Setting the DSCP value for packets sent by the SSH client
Displaying and maintaining SSH
SSH server configuration examples
When the switch acts as a server for password authentication
When the switch acts as a server for publickey authentication
SSH client configuration examples
When the switch acts as a client for password authentication
When the switch acts as a client for publickey authentication
Configuring SFTP
Overview
FIPS compliance
Configuring the switch as an SFTP server
Enabling the SFTP server
Configuring the SFTP connection idle timeout period
Configuring the switch as an SFTP client
Specifying a source IP address or interface for the SFTP client
Establishing a connection to the SFTP server
Working with SFTP directories
Working with SFTP files
Displaying help information
Terminating the connection to the remote SFTP server
Setting the DSCP value for packets sent by the SFTP client
SFTP client configuration example
SFTP server configuration example
Configuring SCP
Overview
FIPS compliance
Configuring the switch as an SCP server
Configuring the switch as the SCP client
SCP client configuration example
SCP server configuration example
Configuring SSL
Overview
SSL security mechanism
SSL protocol stack
FIPS compliance
Configuration task list
Configuring an SSL server policy
SSL server policy configuration example
Configuring an SSL client policy
Displaying and maintaining SSL
Troubleshooting SSL
Configuring TCP attack protection
Overview
Enabling the SYN Cookie feature
Configuring TCP fragment attack protection
Displaying and maintaining TCP attack protection
Configuring IP source guard
Overview
Static IP source guard binding entries
Dynamic IP source guard binding entries
Configuration task list
Configuring the IPv4 source guard feature
Configuring IPv4 source guard on an interface
Configuring a static IPv4 source guard binding entry
Setting the maximum number of IPv4 source guard binding entries
Configuring the IPv6 source guard feature
Configuring IPv6 source guard on an interface
Configuring a static IPv6 source guard binding entry
Setting the maximum number of IPv6 source guard binding entries
Displaying and maintaining IP source guard
IP source guard configuration examples
Static IPv4 source guard configuration example
Dynamic IPv4 source guard using DHCP snooping configuration example
Dynamic IPv4 source guard using DHCP relay configuration example
Static IPv6 source guard configuration example
Dynamic IPv6 source guard using DHCPv6 snooping configuration example
Dynamic IPv6 source guard using ND snooping configuration example
Global static IP source guard configuration example
Troubleshooting IP source guard
Configuring ARP attack protection
Overview
ARP attack protection configuration task list
Configuring ARP defense against IP packet attacks
Configuring ARP source suppression
Enabling ARP black hole routing
Displaying and maintaining ARP defense against IP packet attacks
Configuration example
Configuring ARP packet rate limit
Introduction
Configuration procedure
Configuring source MAC address based ARP attack detection
Configuration procedure
Displaying and maintaining source MAC address based ARP attack detection
Configuration example
Configuring ARP packet source MAC address consistency check
Introduction
Configuration procedure
Configuring ARP active acknowledgement
Introduction
Configuration procedure
Configuring ARP detection
Introduction
Configuring user validity check
Configuring ARP packet validity check
Configuring ARP restricted forwarding
Configuring the ARP detection logging function
Displaying and maintaining ARP detection
User validity check configuration example
User validity check and ARP packet validity check configuration example
ARP restricted forwarding configuration example
Configuring ARP automatic scanning and fixed ARP
Configuration guidelines
Configuration procedure
Configuring ARP gateway protection
Configuration guidelines
Configuration procedure
Configuration example
Configuring ARP filtering
Configuration guidelines
Configuration procedure
Configuration example
Configuring ND attack defense
Overview
Enabling source MAC consistency check for ND packets
Configuring the ND detection function
Introduction to ND detection
Configuration guidelines
Configuration procedure
Displaying and maintaining ND detection
ND detection configuration example
Network requirements
Configuration procedure
Configuring MFF
Overview
Basic concepts
Operation modes
Working mechanism
Protocols and standards
Configuring MFF
Configuration prerequisites
Enabling MFF
Configuring a network port
Enabling periodic gateway probe
Specifying the IP addresses of servers
Displaying and maintaining MFF
MFF configuration examples
Auto-mode MFF configuration example in a tree network
Auto-mode MFF configuration example in a ring network
Manual-mode MFF configuration example in a tree network
Manual-mode MFF configuration example in a ring network
Configuring SAVI
Overview
Configuring global SAVI
SAVI configuration in DHCPv6-only address assignment scenario
Network requirements
Configuration considerations
Packet check principles
Configuration procedure
SAVI configuration in SLAAC-only address assignment scenario
Network requirements
Configuration considerations
Packet check principles
Configuration procedure
SAVI configuration in DHCPv6+SLAAC address assignment scenario
Network requirements
Configuration considerations
Packet check principles
Configuration procedure
Configuring blacklist
Overview
Configuring the blacklist feature
Displaying and maintaining the blacklist
Blacklist configuration example
Network requirements
Configuration procedure
Verifying the configuration
Configuring FIPS
Overview
FIPS self-tests
Power-up self-test
Conditional self-tests
Triggering a self-test
Configuration procedure
Enabling the FIPS mode
Triggering a self-test
Displaying and maintaining FIPS
FIPS configuration example
Network requirements
Configuration procedure
Verifying the configuration
Document conventions and icons
Conventions
Network topology icons
Support and other resources
Accessing Hewlett Packard Enterprise Support
Accessing updates
Websites
Customer self repair
Remote support
Documentation feedback