Contents

Configuring AAA
Overview
RADIUS
HWTACACS
LDAP
AAA implementation on the device
Protocols and standards
RADIUS attributes
FIPS compliance
AAA configuration considerations and task list
Configuring AAA schemes
Configuring local users
Configuring RADIUS schemes
Configuring HWTACACS schemes
Configuring LDAP schemes
Configuring AAA methods for ISP domains
Configuration prerequisites
Creating an ISP domain
Configuring ISP domain attributes
Configuring authentication methods for an ISP domain
Configuring authorization methods for an ISP domain
Configuring accounting methods for an ISP domain
Enabling the session-control feature
Setting the maximum number of concurrent login users
Configuring a NAS-ID profile
Displaying and maintaining AAA
AAA configuration examples
AAA for SSH users by an HWTACACS server
Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users
Authentication and authorization for SSH users by a RADIUS server
Authentication for SSH users by an LDAP server
Troubleshooting RADIUS
RADIUS authentication failure
RADIUS packet delivery failure
RADIUS accounting error
Troubleshooting HWTACACS
Troubleshooting LDAP
LDAP authentication failure
802.1X overview
802.1X architecture
Controlled/uncontrolled port and port authorization status
802.1X-related protocols
Packet formats
EAP over RADIUS
802.1X authentication initiation
802.1X client as the initiator
Access device as the initiator
802.1X authentication procedures
Comparing EAP relay and EAP termination
EAP relay
EAP termination
Configuring 802.1X
Access control methods
802.1X VLAN manipulation
Authorization VLAN
Guest VLAN
Auth-Fail VLAN
Critical VLAN
Critical voice VLAN
Using 802.1X authentication with other features
ACL assignment
User profile assignment
EAD assistant
Configuration prerequisites
802.1X configuration task list
Enabling 802.1X
Enabling EAP relay or EAP termination
Setting the port authorization state
Specifying an access control method
Setting the maximum number of concurrent 802.1X users on a port
Setting the maximum number of authentication request attempts
Setting the maximum number of 802.1X authentication attempts for MAC authenticated users
Setting the 802.1X authentication timeout timers
Configuring the online user handshake feature
Configuration guidelines
Configuration procedure
Configuring the authentication trigger feature
Configuration guidelines
Configuration procedure
Specifying a mandatory authentication domain on a port
Configuring the quiet timer
Enabling the periodic online user reauthentication feature
Configuring an 802.1X guest VLAN
Configuration guidelines
Configuration prerequisites
Configuration procedure
Enabling 802.1X guest VLAN assignment delay
Configuring an 802.1X Auth-Fail VLAN
Configuration guidelines
Configuration prerequisites
Configuration procedure
Configuring an 802.1X critical VLAN
Configuration guidelines
Configuration prerequisites
Configuring the 802.1X critical VLAN on a port
Sending EAP-Success packets to users in the 802.1X critical VLAN
Enabling the 802.1X critical voice VLAN
Configuration restrictions and guidelines
Configuration prerequisites
Configuration procedure
Specifying supported domain name delimiters
Configuring the EAD assistant feature
Displaying and maintaining 802.1X
802.1X authentication configuration examples
Basic 802.1X authentication configuration example
802.1X guest VLAN and authorization VLAN configuration example
802.1X with ACL assignment configuration example
802.1X with EAD assistant configuration example
Troubleshooting 802.1X
EAD assistant for Web browser users
Configuring MAC authentication
Overview
User account policies
Authentication methods
VLAN assignment
ACL assignment
User profile assignment
Periodic MAC reauthentication
Configuration prerequisites
Configuration task list
Enabling MAC authentication
Specifying a MAC authentication domain
Configuring the user account format
Configuring MAC authentication timers
Setting the maximum number of concurrent MAC authentication users on a port
Enabling MAC authentication multi-VLAN mode on a port
Configuring MAC authentication delay
Enabling parallel processing of MAC authentication and 802.1X authentication
Configuration restrictions and guidelines
Configuration procedure
Configuring a MAC authentication guest VLAN
Configuring a MAC authentication critical VLAN
Enabling the MAC authentication critical voice VLAN
Configuration prerequisites
Configuration procedure
Configuring the keep-online feature
Enabling MAC authentication offline detection
Displaying and maintaining MAC authentication
MAC authentication configuration examples
Local MAC authentication configuration example
RADIUS-based MAC authentication configuration example
ACL assignment configuration example
Configuring portal
Overview
Extended portal functions
Portal system components
Portal system using the local portal Web server
Interaction between portal system components
Portal authentication modes
Portal authentication process
Portal configuration task list
Configuration prerequisites
Configuring a portal authentication server
Configuring a portal Web server
Enabling portal authentication on an interface
Configuration restrictions and guidelines
Configuration procedure
Referencing a portal Web server for an interface
Controlling portal user access
Configuring a portal-free rule
Configuring an authentication source subnet
Configuring an authentication destination subnet
Setting the maximum number of portal users
Specifying a portal authentication domain
Configuring portal detection features
Configuring online detection of portal users
Configuring portal authentication server detection
Configuring portal Web server detection
Configuring portal user synchronization
Configuring the portal fail-permit feature
Configuring BAS-IP for portal packets sent to the portal authentication server
Applying a NAS-ID profile to an interface
Enabling portal roaming
Logging out portal users
Configuring the local portal Web server feature
Customizing authentication pages
Configuring a local portal Web server
Displaying and maintaining portal
Portal configuration examples
Configuring direct portal authentication
Configuring re-DHCP portal authentication
Configuring cross-subnet portal authentication
Configuring extended direct portal authentication
Configuring extended re-DHCP portal authentication
Configuring extended cross-subnet portal authentication
Configuring portal server detection and portal user synchronization
Configuring direct portal authentication using local portal Web server
Troubleshooting portal
No portal authentication page is pushed for users
Cannot log out portal users on the access device
Cannot log out portal users on the RADIUS server
Users logged out by the access device still exist on the portal authentication server
Re-DHCP portal authenticated users cannot log in successfully
Configuring port security
Overview
Port security features
Port security modes
Configuration task list
Enabling port security
Setting port security's limit on the number of secure MAC addresses on a port
Setting the port security mode
Configuring port security features
Configuring NTK
Configuring intrusion protection
Configuring secure MAC addresses
Configuration prerequisites
Configuration procedure
Ignoring authorization information from the server
Enabling MAC move
Applying a NAS-ID profile to port security
Enabling the authorization-fail-offline feature
Enabling SNMP notifications for port security
Displaying and maintaining port security
Port security configuration examples
autoLearn configuration example
userLoginWithOUI configuration example
macAddressElseUserLoginSecure configuration example
Troubleshooting port security
Cannot set the port security mode
Cannot configure secure MAC addresses
Configuring password control
Overview
Password setting
Password updating and expiration
User login control
Password not displayed in any form
Logging
FIPS compliance
Password control configuration task list
Enabling password control
Setting global password control parameters
Setting user group password control parameters
Setting local user password control parameters
Setting super password control parameters
Displaying and maintaining password control
Password control configuration example
Network requirements
Configuration procedure
Verifying the configuration
Managing public keys
Overview
FIPS compliance
Creating a local key pair
Distributing a local host public key
Exporting a host public key
Displaying a host public key
Destroying a local key pair
Configuring a peer host public key
Importing a peer host public key from a public key file
Entering a peer host public key
Displaying and maintaining public keys
Examples of public key management
Example for entering a peer host public key
Example for importing a public key from a public key file
Configuring PKI
Overview
PKI terminology
PKI architecture
PKI operation
PKI applications
FIPS compliance
PKI configuration task list
Configuring a PKI entity
Configuring a PKI domain
Requesting a certificate
Configuration guidelines
Configuring automatic certificate request
Manually requesting a certificate
Aborting a certificate request
Obtaining certificates
Configuration prerequisites
Configuration guidelines
Configuration procedure
Verifying PKI certificates
Verifying certificates with CRL checking
Verifying certificates without CRL checking
Specifying the storage path for the certificates and CRLs
Exporting certificates
Removing a certificate
Configuring a certificate-based access control policy
Displaying and maintaining PKI
PKI configuration examples
Requesting a certificate from an RSA Keon CA server
Requesting a certificate from a Windows Server 2003 CA server
Requesting a certificate from an OpenCA server
Certificate import and export configuration example
Troubleshooting PKI configuration
Failed to obtain the CA certificate
Failed to obtain local certificates
Failed to request local certificates
Failed to obtain CRLs
Failed to import the CA certificate
Failed to import a local certificate
Failed to export certificates
Failed to set the storage path
Configuring IPsec
Overview
Security protocols and encapsulation modes
Security association
Authentication and encryption
IPsec implementation
Protocols and standards
FIPS compliance
IPsec tunnel establishment
Implementing ACL-based IPsec
Feature restrictions and guidelines
ACL-based IPsec configuration task list
Configuring an ACL
Configuring an IPsec transform set
Configuring a manual IPsec policy
Configuring an IKE-based IPsec policy
Applying an IPsec policy to an interface
Enabling ACL checking for de-encapsulated packets
Configuring IPsec anti-replay
Configuring IPsec anti-replay redundancy
Binding a source interface to an IPsec policy
Enabling QoS pre-classify
Enabling logging of IPsec packets
Configuring the DF bit of IPsec packets
Configuring IPsec for IPv6 routing protocols
Configuration task list
Configuring a manual IPsec profile
Configuring SNMP notifications for IPsec
Displaying and maintaining IPsec
IPsec configuration examples
Configuring a manual mode IPsec tunnel for IPv4 packets
Configuring an IKE-based IPsec tunnel for IPv4 packets
Configuring IPsec for RIPng
Configuring IKE
Overview
IKE negotiation process
IKE security mechanism
Protocols and standards
FIPS compliance
IKE configuration prerequisites
IKE configuration task list
Configuring an IKE profile
Configuring an IKE proposal
Configuring an IKE keychain
Configuring the global identity information
Configuring the IKE keepalive feature
Configuring the IKE NAT keepalive feature
Configuring IKE DPD
Enabling invalid SPI recovery
Setting the maximum number of IKE SAs
Configuring SNMP notifications for IKE
Displaying and maintaining IKE
IKE configuration examples
Main mode IKE with pre-shared key authentication configuration example
Verifying the configuration
Troubleshooting IKE
IKE negotiation failed because no matching IKE proposals were found
IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly
IPsec SA negotiation failed because no matching IPsec transform sets were found
IPsec SA negotiation failed due to invalid identity information
Configuring IKEv2
Overview
IKEv2 negotiation process
New features in IKEv2
Protocols and standards
Feature and software version compatibility
IKEv2 configuration task list
Configuring an IKEv2 profile
Configuring an IKEv2 policy
Configuring an IKEv2 proposal
Configuring an IKEv2 keychain
Configuring global IKEv2 parameters
Enabling the cookie challenging feature
Configuring the IKEv2 DPD feature
Configuring the IKEv2 NAT keepalive feature
Displaying and maintaining IKEv2
IKEv2 configuration examples
IKEv2 with pre-shared key authentication configuration example
IKEv2 with RSA signature authentication configuration example
Troubleshooting IKEv2
IKEv2 negotiation failed because no matching IKEv2 proposals were found
IPsec SA negotiation failed because no matching IPsec transform sets were found
IPsec tunnel establishment failed
Configuring SSH
Overview
How SSH works
SSH authentication methods
SSH support for Suite B
Feature and software version compatibility
FIPS compliance
Configuring the device as an SSH server
SSH server configuration task list
Generating local key pairs
Setting the SSH listening port
Enabling the Stelnet server
Enabling the SFTP server
Enabling the SCP server
Configuring NETCONF over SSH
Configuring user lines for SSH login
Configuring a client's host public key
Configuring an SSH user
Configuring the SSH management parameters
Specifying a PKI domain for the SSH server
Configuring the device as an Stelnet client
Stelnet client configuration task list
Specifying the source IP address for SSH packets
Establishing a connection to an Stelnet server
Establishing a connection to an Stelnet server based on Suite B
Configuring the device as an SFTP client
SFTP client configuration task list
Specifying the source IP address for SFTP packets
Establishing a connection to an SFTP server
Establishing a connection to an SFTP server based on Suite B
Working with SFTP directories
Working with SFTP files
Displaying help information
Terminating the connection with the SFTP server
Configuring the device as an SCP client
Establishing a connection to an SCP server
Establishing a connection to an SCP server based on Suite B
Specifying algorithms for SSH2
Specifying key exchange algorithms for SSH2
Specifying public key algorithms for SSH2
Specifying encryption algorithms for SSH2
Specifying MAC algorithms for SSH2
Displaying and maintaining SSH
Stelnet configuration examples
Password authentication enabled Stelnet server configuration example
Publickey authentication enabled Stelnet server configuration example
Password authentication enabled Stelnet client configuration example
Publickey authentication enabled Stelnet client configuration example
Stelnet configuration example based on 128-bit Suite B algorithms
SFTP configuration examples
Password authentication enabled SFTP server configuration example
Publickey authentication enabled SFTP client configuration example
SFTP configuration example based on 192-bit Suite B algorithms
SCP configuration examples
SCP file transfer with password authentication
SCP configuration example based on Suite B algorithms
NETCONF over SSH configuration example with password authentication
Network requirements
Configuration procedure
Verifying the configuration
Configuring SSL
Overview
SSL security services
SSL protocol stack
FIPS compliance
SSL configuration task list
Configuring an SSL server policy
Configuring an SSL client policy
Displaying and maintaining SSL
Configuring IP source guard
Overview
Static IPSG bindings
Dynamic IPSG bindings
IPSG configuration task list
Configuring the IPv4SG feature
Enabling IPv4SG on an interface
Configuring a static IPv4SG binding
Configuring the IPv6SG feature
Enabling IPv6SG on an interface
Configuring a static IPv6SG binding
Displaying and maintaining IPSG
IPSG configuration examples
Static IPv4SG configuration example
Dynamic IPv4SG using DHCP snooping configuration example
Dynamic IPv4SG using DHCP relay agent configuration example
Static IPv6SG configuration example
Dynamic IPv6SG using DHCPv6 snooping configuration example
Configuring ARP attack protection
ARP attack protection configuration task list
Configuring unresolvable IP attack protection
Configuring ARP source suppression
Configuring ARP blackhole routing
Displaying and maintaining unresolvable IP attack protection
Configuration example
Configuring ARP packet rate limit
Configuration guidelines
Configuration procedure
Configuring source MAC-based ARP attack detection
Configuration procedure
Displaying and maintaining source MAC-based ARP attack detection
Configuration example
Configuring ARP packet source MAC consistency check
Configuring ARP active acknowledgement
Configuring authorized ARP
Configuration procedure
Configuring ARP attack detection
Configuring user validity check
Configuring ARP packet validity check
Configuring ARP restricted forwarding
Enabling ARP attack detection logging
Displaying and maintaining ARP attack detection
User validity check and ARP packet validity check configuration example
ARP restricted forwarding configuration example
Configuring ARP scanning and fixed ARP
Configuration restrictions and guidelines
Configuration procedure
Configuring ARP gateway protection
Configuration guidelines
Configuration procedure
Configuration example
Configuring ARP filtering
Configuration guidelines
Configuration procedure
Configuration example
Configuring MFF
Overview
Basic concepts
MFF operation modes
MFF working mechanism
Protocols and standards
Configuring MFF
Enabling MFF
Configuring a network port
Enabling periodic gateway probe
Specifying the IP addresses of servers
Displaying and maintaining MFF
MFF configuration examples
Manual-mode MFF configuration example in a tree network
Manual-mode MFF configuration example in a ring network
Configuring uRPF
Overview
uRPF check modes
uRPF operation
Network application
Enabling uRPF
Displaying and maintaining uRPF
uRPF configuration example
Configuring crypto engines
Overview
Displaying and maintaining crypto engines
Configuring FIPS
Overview
Configuration restrictions and guidelines
Configuring FIPS mode
Entering FIPS mode
Configuration changes in FIPS mode
Exiting FIPS mode
FIPS self-tests
Power-up self-tests
Conditional self-tests
Triggering self-tests
Displaying and maintaining FIPS
FIPS configuration examples
Entering FIPS mode through automatic reboot
Entering FIPS mode through manual reboot
Exiting FIPS mode through automatic reboot
Exiting FIPS mode through manual reboot
Configuring user profiles
Overview
Configuration task list
Configuration restrictions and guidelines
Creating a user profile
Configuring parameters for a user profile
Configuring QoS parameters for traffic management
Displaying and maintaining user profiles
User profile configuration examples
Local 802.1X authentication/authorization with QoS policy configuration example
Configuring attack detection and prevention
Overview
Configuring TCP fragment attack prevention
Configuring MACsec
Overview
Basic concepts
MACsec services
MACsec applications
MACsec operating mechanism
Protocols and standards
Compatibility information
Feature and hardware compatibility
Feature and software version compatibility
MACsec configuration task list
Enabling MKA
Enabling MACsec desire
Configuring a preshared key
Configuring the MKA key server priority
Configuring MACsec protection parameters in interface view
Configuring the MACsec confidentiality offset
Configuring MACsec replay protection
Configuring the MACsec validation mode
Configuring MACsec protection parameters by MKA policy
Configuring an MKA policy
Applying an MKA policy
Displaying and maintaining MACsec
MACsec configuration examples
Client-oriented MACsec configuration example
Device-oriented MACsec configuration example
Troubleshooting MACsec
Configuring ND attack defense
Overview
Feature and software version compatibility
ND attack defense configuration task list
Configuring ND attack detection
About ND attack detection
Configuration guidelines
Configuration procedure
Displaying and maintaining ND attack detection
ND attack detection configuration example
Configuring RA guard
About RA guard
Specifying the role of the attached device
Configuring and applying an RA guard policy
Enabling the RA guard logging feature
Displaying and maintaining RA guard
RA guard configuration example
Document conventions and icons
Conventions
Network topology icons
Support and other resources
Accessing Hewlett Packard Enterprise Support
Accessing updates
Websites
Customer self repair
Remote support
Documentation feedback