Contents

Configuring AAA
Overview
RADIUS
HWTACACS
LDAP
AAA implementation on the device
Protocols and standards
RADIUS attributes
FIPS compliance
AAA configuration considerations and task list
Configuring AAA schemes
Configuring local users
Configuring RADIUS schemes
Configuring HWTACACS schemes
Configuring LDAP schemes
Configuring AAA methods for ISP domains
Configuration prerequisites
Creating an ISP domain
Configuring ISP domain attributes
Configuring authentication methods for an ISP domain
Configuring authorization methods for an ISP domain
Configuring accounting methods for an ISP domain
Enabling the session-control feature
Setting the maximum number of concurrent login users
Configuring a NAS-ID profile
Displaying and maintaining AAA
AAA configuration examples
AAA for SSH users by an HWTACACS server
Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users
Authentication and authorization for SSH users by a RADIUS server
Authentication for SSH users by an LDAP server
Troubleshooting RADIUS
RADIUS authentication failure
RADIUS packet delivery failure
RADIUS accounting error
Troubleshooting HWTACACS
Troubleshooting LDAP
LDAP authentication failure
802.1X overview
802.1X architecture
Controlled/uncontrolled port and port authorization status
802.1X-related protocols
Packet formats
EAP over RADIUS
802.1X authentication initiation
802.1X client as the initiator
Access device as the initiator
802.1X authentication procedures
Comparing EAP relay and EAP termination
EAP relay
EAP termination
Configuring 802.1X
Access control methods
802.1X VLAN manipulation
Authorization VLAN
Guest VLAN
Auth-Fail VLAN
Critical VLAN
Critical voice VLAN
Using 802.1X authentication with other features
ACL assignment
User profile assignment
EAD assistant
Configuration prerequisites
802.1X configuration task list
Enabling 802.1X
Enabling EAP relay or EAP termination
Setting the port authorization state
Specifying an access control method
Setting the maximum number of concurrent 802.1X users on a port
Setting the maximum number of authentication request attempts
Setting the maximum number of 802.1X authentication attempts for MAC authenticated users
Setting the 802.1X authentication timeout timers
Configuring the online user handshake feature
Configuration guidelines
Configuration procedure
Configuring the authentication trigger feature
Configuration guidelines
Configuration procedure
Specifying a mandatory authentication domain on a port
Configuring the quiet timer
Enabling the periodic online user reauthentication feature
Configuring an 802.1X guest VLAN
Configuration guidelines
Configuration prerequisites
Configuration procedure
Enabling 802.1X guest VLAN assignment delay
Configuring an 802.1X Auth-Fail VLAN
Configuration guidelines
Configuration prerequisites
Configuration procedure
Configuring an 802.1X critical VLAN
Configuration guidelines
Configuration prerequisites
Configuring the 802.1X critical VLAN on a port
Sending EAP-Success packets to users in the 802.1X critical VLAN
Enabling the 802.1X critical voice VLAN
Configuration restrictions and guidelines
Configuration prerequisites
Configuration procedure
Specifying supported domain name delimiters
Configuring the EAD assistant feature
Displaying and maintaining 802.1X
802.1X authentication configuration examples
Basic 802.1X authentication configuration example
802.1X guest VLAN and authorization VLAN configuration example
802.1X with ACL assignment configuration example
802.1X with EAD assistant configuration example
Troubleshooting 802.1X
EAD assistant for Web browser users
Configuring MAC authentication
Overview
User account policies
Authentication methods
VLAN assignment
ACL assignment
User profile assignment
Periodic MAC reauthentication
Configuration prerequisites
Configuration task list
Enabling MAC authentication
Specifying a MAC authentication domain
Configuring the user account format
Configuring MAC authentication timers
Setting the maximum number of concurrent MAC authentication users on a port
Enabling MAC authentication multi-VLAN mode on a port
Configuring MAC authentication delay
Enabling parallel processing of MAC authentication and 802.1X authentication
Configuration restrictions and guidelines
Configuration procedure
Configuring a MAC authentication guest VLAN
Configuring a MAC authentication critical VLAN
Enabling the MAC authentication critical voice VLAN
Configuration prerequisites
Configuration procedure
Configuring the keep-online feature
Enabling MAC authentication offline detection
Displaying and maintaining MAC authentication
MAC authentication configuration examples
Local MAC authentication configuration example
RADIUS-based MAC authentication configuration example
ACL assignment configuration example
Configuring portal
Overview
Extended portal functions
Portal system components
Portal system using the local portal Web server
Interaction between portal system components
Portal authentication modes
Portal authentication process
Portal configuration task list
Configuration prerequisites
Configuring a portal authentication server
Configuring a portal Web server
Enabling portal authentication on an interface
Configuration restrictions and guidelines
Configuration procedure
Referencing a portal Web server for an interface
Controlling portal user access
Configuring a portal-free rule
Configuring an authentication source subnet
Configuring an authentication destination subnet
Setting the maximum number of portal users
Specifying a portal authentication domain
Configuring portal detection features
Configuring online detection of portal users
Configuring portal authentication server detection
Configuring portal Web server detection
Configuring portal user synchronization
Configuring the portal fail-permit feature
Configuring BAS-IP for portal packets sent to the portal authentication server
Applying a NAS-ID profile to an interface
Enabling portal roaming
Logging out portal users
Configuring the local portal Web server feature
Customizing authentication pages
Configuring a local portal Web server
Displaying and maintaining portal
Portal configuration examples
Configuring direct portal authentication
Configuring re-DHCP portal authentication
Configuring cross-subnet portal authentication
Configuring extended direct portal authentication
Configuring extended re-DHCP portal authentication
Configuring extended cross-subnet portal authentication
Configuring portal server detection and portal user synchronization
Configuring direct portal authentication using local portal Web server
Troubleshooting portal
No portal authentication page is pushed for users
Cannot log out portal users on the access device
Cannot log out portal users on the RADIUS server
Users logged out by the access device still exist on the portal authentication server
Re-DHCP portal authenticated users cannot log in successfully
Configuring port security
Overview
Port security features
Port security modes
Configuration task list
Enabling port security
Setting port security's limit on the number of secure MAC addresses on a port
Setting the port security mode
Configuring port security features
Configuring NTK
Configuring intrusion protection
Configuring secure MAC addresses
Configuration prerequisites
Configuration procedure
Ignoring authorization information from the server
Enabling MAC move
Applying a NAS-ID profile to port security
Enabling the authorization-fail-offline feature
Enabling SNMP notifications for port security
Displaying and maintaining port security
Port security configuration examples
autoLearn configuration example
userLoginWithOUI configuration example
macAddressElseUserLoginSecure configuration example
Troubleshooting port security
Cannot set the port security mode
Cannot configure secure MAC addresses
Configuring password control
Overview
Password setting
Password updating and expiration
User login control
Password not displayed in any form
Logging
FIPS compliance
Password control configuration task list
Enabling password control
Setting global password control parameters
Setting user group password control parameters
Setting local user password control parameters
Setting super password control parameters
Displaying and maintaining password control
Password control configuration example
Network requirements
Configuration procedure
Verifying the configuration
Managing public keys
Overview
FIPS compliance
Creating a local key pair
Distributing a local host public key
Exporting a host public key
Displaying a host public key
Destroying a local key pair
Configuring a peer host public key
Importing a peer host public key from a public key file
Entering a peer host public key
Displaying and maintaining public keys
Examples of public key management
Example for entering a peer host public key
Example for importing a public key from a public key file
Configuring PKI
Overview
PKI terminology
PKI architecture
PKI operation
PKI applications
FIPS compliance
PKI configuration task list
Configuring a PKI entity
Configuring a PKI domain
Requesting a certificate
Configuration guidelines
Configuring automatic certificate request
Manually requesting a certificate
Aborting a certificate request
Obtaining certificates
Configuration prerequisites
Configuration guidelines
Configuration procedure
Verifying PKI certificates
Verifying certificates with CRL checking
Verifying certificates without CRL checking
Specifying the storage path for the certificates and CRLs
Exporting certificates
Removing a certificate
Configuring a certificate-based access control policy
Displaying and maintaining PKI
PKI configuration examples
Requesting a certificate from an RSA Keon CA server
Requesting a certificate from a Windows Server 2003 CA server
Requesting a certificate from an OpenCA server
Certificate import and export configuration example
Troubleshooting PKI configuration
Failed to obtain the CA certificate
Failed to obtain local certificates
Failed to request local certificates
Failed to obtain CRLs
Failed to import the CA certificate
Failed to import a local certificate
Failed to export certificates
Failed to set the storage path
Configuring IPsec
Overview
Security protocols and encapsulation modes
Security association
Authentication and encryption
IPsec implementation
Protocols and standards
FIPS compliance
IPsec tunnel establishment
Implementing ACL-based IPsec
Feature restrictions and guidelines
ACL-based IPsec configuration task list
Configuring an ACL
Configuring an IPsec transform set
Configuring a manual IPsec policy
Configuring an IKE-based IPsec policy
Applying an IPsec policy to an interface
Enabling ACL checking for de-encapsulated packets
Configuring IPsec anti-replay
Configuring IPsec anti-replay redundancy
Binding a source interface to an IPsec policy
Enabling QoS pre-classify
Enabling logging of IPsec packets
Configuring the DF bit of IPsec packets
Configuring IPsec for IPv6 routing protocols
Configuration task list
Configuring a manual IPsec profile
Configuring SNMP notifications for IPsec
Displaying and maintaining IPsec
IPsec configuration examples
Configuring a manual mode IPsec tunnel for IPv4 packets
Configuring an IKE-based IPsec tunnel for IPv4 packets
Configuring IPsec for RIPng
Configuring IKE
Overview
IKE negotiation process
IKE security mechanism
Protocols and standards
FIPS compliance
IKE configuration prerequisites
IKE configuration task list
Configuring an IKE profile
Configuring an IKE proposal
Configuring an IKE keychain
Configuring the global identity information
Configuring the IKE keepalive feature
Configuring the IKE NAT keepalive feature
Configuring IKE DPD
Enabling invalid SPI recovery
Setting the maximum number of IKE SAs
Configuring SNMP notifications for IKE
Displaying and maintaining IKE
IKE configuration examples
Main mode IKE with pre-shared key authentication configuration example
Verifying the configuration
Troubleshooting IKE
IKE negotiation failed because no matching IKE proposals were found
IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly
IPsec SA negotiation failed because no matching IPsec transform sets were found
IPsec SA negotiation failed due to invalid identity information
Configuring IKEv2
Overview
IKEv2 negotiation process
New features in IKEv2
Protocols and standards
Feature and software version compatibility
IKEv2 configuration task list
Configuring an IKEv2 profile
Configuring an IKEv2 policy
Configuring an IKEv2 proposal
Configuring an IKEv2 keychain
Configure global IKEv2 parameters
Enabling the cookie challenging feature
Configuring the IKEv2 DPD feature
Configuring the IKEv2 NAT keepalive feature
Displaying and maintaining IKEv2
IKEv2 configuration examples
IKEv2 with pre-shared key authentication configuration example
IKEv2 with RSA signature authentication configuration example
Troubleshooting IKEv2
IKEv2 negotiation failed because no matching IKEv2 proposals were found
IPsec SA negotiation failed because no matching IPsec transform sets were found
IPsec tunnel establishment failed
Configuring SSH
Overview
How SSH works
SSH authentication methods
SSH support for Suite B
Feature and software version compatibility
FIPS compliance
Configuring the device as an SSH server
SSH server configuration task list
Generating local key pairs
Setting the SSH listening port
Enabling the Stelnet server
Enabling the SFTP server
Enabling the SCP server
Configuring NETCONF over SSH
Configuring user lines for SSH login
Configuring a client's host public key
Configuring an SSH user
Configuring the SSH management parameters
Specifying a PKI domain for the SSH server
Configuring the device as an Stelnet client
Stelnet client configuration task list
Specifying the source IP address for SSH packets
Establishing a connection to an Stelnet server
Establishing a connection to an Stelnet server based on Suite B
Configuring the device as an SFTP client
SFTP client configuration task list
Specifying the source IP address for SFTP packets
Establishing a connection to an SFTP server
Establishing a connection to an SFTP server based on Suite B
Working with SFTP directories
Working with SFTP files
Displaying help information
Terminating the connection with the SFTP server
Configuring the device as an SCP client
Establishing a connection to an SCP server
Establishing a connection to an SCP server based on Suite B
Specifying algorithms for SSH2
Specifying key exchange algorithms for SSH2
Specifying public key algorithms for SSH2
Specifying encryption algorithms for SSH2
Specifying MAC algorithms for SSH2
Displaying and maintaining SSH
Stelnet configuration examples
Password authentication enabled Stelnet server configuration example
Publickey authentication enabled Stelnet server configuration example
Password authentication enabled Stelnet client configuration example
Publickey authentication enabled Stelnet client configuration example
Stelnet configuration example based on 128-bit Suite B algorithms
SFTP configuration examples
Password authentication enabled SFTP server configuration example
Publickey authentication enabled SFTP client configuration example
SFTP configuration example based on 192-bit Suite B algorithms
SCP configuration examples
SCP file transfer with password authentication
SCP configuration example based on Suite B algorithms
NETCONF over SSH configuration example with password authentication
Network requirements
Configuration procedure
Verifying the configuration
Configuring SSL
Overview
SSL security services
SSL protocol stack
FIPS compliance
SSL configuration task list
Configuring an SSL server policy
Configuring an SSL client policy
Displaying and maintaining SSL
Configuring IP source guard
Overview
Static IPSG bindings
Dynamic IPSG bindings
IPSG configuration task list
Configuring the IPv4SG feature
Enabling IPv4SG on an interface
Configuring a static IPv4SG binding
Configuring the IPv6SG feature
Enabling IPv6SG on an interface
Configuring a static IPv6SG binding
Displaying and maintaining IPSG
IPSG configuration examples
Static IPv4SG configuration example
Dynamic IPv4SG using DHCP snooping configuration example
Dynamic IPv4SG using DHCP relay agent configuration example
Static IPv6SG configuration example
Dynamic IPv6SG using DHCPv6 snooping configuration example
Configuring ARP attack protection
ARP attack protection configuration task list
Configuring unresolvable IP attack protection
Configuring ARP source suppression
Configuring ARP blackhole routing
Displaying and maintaining unresolvable IP attack protection
Configuration example
Configuring ARP packet rate limit
Configuration guidelines
Configuration procedure
Configuring source MAC-based ARP attack detection
Configuration procedure
Displaying and maintaining source MAC-based ARP attack detection
Configuration example
Configuring ARP packet source MAC consistency check
Configuring ARP active acknowledgement
Configuring authorized ARP
Configuration procedure
Configuring ARP attack detection
Configuring user validity check
Configuring ARP packet validity check
Configuring ARP restricted forwarding
Enabling ARP attack detection logging
Displaying and maintaining ARP attack detection
User validity check and ARP packet validity check configuration example
ARP restricted forwarding configuration example
Configuring ARP scanning and fixed ARP
Configuration restrictions and guidelines
Configuration procedure
Configuring ARP gateway protection
Configuration guidelines
Configuration procedure
Configuration example
Configuring ARP filtering
Configuration guidelines
Configuration procedure
Configuration example
Configuring MFF
Overview
Basic concepts
MFF operation modes
MFF working mechanism
Protocols and standards
Configuring MFF
Enabling MFF
Configuring a network port
Enabling periodic gateway probe
Specifying the IP addresses of servers
Displaying and maintaining MFF
MFF configuration examples
Manual-mode MFF configuration example in a tree network
Manual-mode MFF configuration example in a ring network
Configuring uRPF
Overview
uRPF check modes
uRPF operation
Network application
Enabling uRPF
Displaying and maintaining uRPF
uRPF configuration example
Configuring crypto engines
Overview
Displaying and maintaining crypto engines
Configuring FIPS
Overview
Configuration restrictions and guidelines
Configuring FIPS mode
Entering FIPS mode
Configuration changes in FIPS mode
Exiting FIPS mode
FIPS self-tests
Power-up self-tests
Conditional self-tests
Triggering self-tests
Displaying and maintaining FIPS
FIPS configuration examples
Entering FIPS mode through automatic reboot
Entering FIPS mode through manual reboot
Exiting FIPS mode through automatic reboot
Exiting FIPS mode through manual reboot
Configuring user profiles
Overview
Configuration task list
Configuration restrictions and guidelines
Creating a user profile
Configuring parameters for a user profile
Configuring QoS parameters for traffic management
Displaying and maintaining user profiles
User profile configuration examples
Local 802.1X authentication/authorization with QoS policy configuration example
Configuring attack detection and prevention
Overview
Configuring TCP fragment attack prevention
Configuring MACsec
Overview
Basic concepts
MACsec services
MACsec applications
MACsec operating mechanism
Protocols and standards
Compatibility information
Feature and hardware compatibility
Feature and software version compatibility
MACsec configuration task list
Enabling MKA
Enabling MACsec desire
Configuring a preshared key
Configuring the MKA key server priority
Configuring MACsec protection parameters in interface view
Configuring the MACsec confidentiality offset
Configuring MACsec replay protection
Configuring the MACsec validation mode
Configuring MACsec protection parameters by MKA policy
Configuring an MKA policy
Applying an MKA policy
Displaying and maintaining MACsec
MACsec configuration examples
Client-oriented MACsec configuration example
Device-oriented MACsec configuration example
Troubleshooting MACsec
Configuring ND attack defense
Overview
Feature and software version compatibility
ND attack defense configuration task list
Configuring ND attack detection
About ND attack detection
Configuration guidelines
Configuration procedure
Displaying and maintaining ND attack detection
ND attack detection configuration example
Configuring RA guard
About RA guard
Specifying the role of the attached device
Configuring and applying an RA guard policy
Enabling the RA guard logging feature
Displaying and maintaining RA guard
RA guard configuration example
Document conventions and icons
Conventions
Network topology icons
Support and other resources
Accessing Hewlett Packard Enterprise Support
Accessing updates
Websites
Customer self repair
Remote support
Documentation feedback