Contents
Configuring AAA
Overview
RADIUS
HWTACACS
Domain-based user management
RADIUS server feature of the device
AAA for MPLS L3VPNs
Protocols and standards
RADIUS attributes
FIPS compliance
Configuration considerations and task list
Configuring AAA schemes
Configuring local users
Configuring RADIUS schemes
Configuring HWTACACS schemes
Configuring AAA methods for ISP domains
Configuration prerequisites
Creating an ISP domain
Configuring ISP domain attributes
Configuring authentication methods for an ISP domain
Configuring authorization methods for an ISP domain
Configuring accounting methods for an ISP domain
Tearing down user connections
Configuring a NAS ID-VLAN binding
Specifying the device ID used in stateful failover mode
Configuring a network device as a RADIUS server
RADIUS server functions configuration task list
Configuring a RADIUS user
Specifying a RADIUS client
Displaying and maintaining AAA
AAA configuration examples
AAA for Telnet users by an HWTACACS server
Local authentication and authorization for Telnet users
Authentication/authorization for SSH/Telnet users by a RADIUS server
Level switching authentication for Telnet users by an HWTACACS server
RADIUS authentication and authorization for Telnet users by a network device
Troubleshooting AAA
Troubleshooting RADIUS
Troubleshooting HWTACACS
802.1X overview
802.1X architecture
Controlled/uncontrolled port and port authorization status
802.1X-related protocols
Packet formats
EAP over RADIUS
Initiating 802.1X authentication
802.1X client as the initiator
Access device as the initiator
802.1X authentication procedures
A comparison of EAP relay and EAP termination
EAP relay
EAP termination
Configuring 802.1X
Hewlett Packard Enterprise implementation of 802.1X
Access control methods
Using 802.1X authentication with other features
Configuration prerequisites
802.1X configuration task list
Enabling 802.1X
Enabling EAP relay or EAP termination
Setting the port authorization state
Specifying an access control method
Setting the maximum number of concurrent 802.1X users on a port
Setting the maximum number of authentication request attempts
Setting the 802.1X authentication timeout timers
Configuring the online user handshake function
Configuration guidelines
Configuration procedure
Configuring the authentication trigger function
Configuration guidelines
Configuration procedure
Specifying a mandatory authentication domain on a port
Configuring the quiet timer
Enabling the periodic online user re-authentication function
Configuring a VLAN group
Configuring an 802.1X guest VLAN
Configuration guidelines
Configuration prerequisites
Configuration procedure
Configuring an 802.1X Auth-Fail VLAN
Configuration guidelines
Configuration prerequisites
Configuration procedure
Configuring an 802.1X critical VLAN
Configuration guidelines
Configuration prerequisites
Configuration procedure
Specifying supported domain name delimiters
Configuring a port to send EAPOL frames untagged
Configuring an 802.1X voice VLAN
Configuration guidelines
Configuration prerequisites
Configuration procedure
Displaying and maintaining 802.1X
802.1X authentication configuration example
Network requirements
Configuration procedure
Verifying the configuration
802.1X guest VLAN and VLAN assignment configuration example
Network requirements
Configuration procedure
Verifying the configuration
802.1X with ACL assignment configuration example
Network requirements
Configuration procedure
Verifying the configuration
Configuring EAD fast deployment
Overview
Free IP
URL redirection
Configuration prerequisites
Configuring a free IP
Configuring the redirect URL
Setting the EAD rule timer
Displaying and maintaining EAD fast deployment
EAD fast deployment configuration example
Network requirements
Configuration procedure
Verifying the configuration
Troubleshooting EAD fast deployment
Web browser users cannot be correctly redirected
Configuring MAC authentication
Overview
User account policies
Authentication approaches
MAC authentication timers
Using MAC authentication with other features
VLAN assignment
ACL assignment
Guest VLAN
Critical VLAN
Configuration task list
Basic configuration for MAC authentication
Configuring MAC authentication globally
Configuring MAC authentication on a port
Specifying a MAC authentication domain
Configuring a MAC authentication guest VLAN
Configuring a MAC authentication critical VLAN
Configuring MAC authentication delay
Enabling MAC authentication multi-VLAN mode
Displaying and maintaining MAC authentication
MAC authentication configuration examples
Local MAC authentication configuration example
RADIUS-based MAC authentication configuration example
ACL assignment configuration example
Configuring portal authentication
Overview
Extended portal functions
Portal system components
Portal system using the local portal server
Portal authentication modes
Portal support for EAP
Layer 2 portal authentication process
Layer 3 portal authentication process
Portal stateful failover
Portal authentication across VPNs
Portal configuration task list
Configuration prerequisites
Specifying the portal server
Specifying the local portal server for Layer 2 portal authentication
Specifying a portal server for Layer 3 portal authentication
Configuring the local portal server
Customizing authentication pages
Configuring the local portal server
Enabling portal authentication
Enabling Layer 2 portal authentication
Enabling Layer 3 portal authentication
Controlling access of portal users
Configuring a portal-free rule
Configuring an authentication source subnet
Setting the maximum number of online portal users
Specifying a portal authentication domain
Configuring Layer 2 portal authentication to support Web proxy
Enabling support for portal user moving
Specifying an Auth-Fail VLAN for portal authentication
Configuring RADIUS related attributes
Specifying NAS-Port-Type for an interface
Specifying a NAS ID profile for an interface
Specifying a source IP address for outgoing portal packets
Configuring portal stateful failover
Specifying an autoredirection URL for authenticated portal users
Configuring portal detection functions
Configuring online Layer 2 portal user detection
Configuring the portal server detection function
Configuring portal user information synchronization
Logging off portal users
Displaying and maintaining portal
Portal configuration examples
Configuring direct portal authentication
Configuring re-DHCP portal authentication
Configuring cross-subnet portal authentication
Configuring direct portal authentication with extended functions
Configuring re-DHCP portal authentication with extended functions
Configuring cross-subnet portal authentication with extended functions
Configuring portal stateful failover
Configuring portal server detection and portal user information synchronization
Cross-subnet portal authentication across VPNs
Configuring Layer 2 portal authentication
Troubleshooting portal
Inconsistent keys on the access device and the portal server
Incorrect server port number on the access device
Configuring port security
Port security features
Port security modes
Working with guest VLAN and Auth-Fail VLAN
Configuration task list
Enabling port security
Setting port security's limit on the number of MAC addresses on a port
Setting the port security mode
Configuration prerequisites
Configuration procedure
Configuring port security features
Configuring NTK
Configuring intrusion protection
Enabling port security traps
Configuring secure MAC addresses
Configuration prerequisites
Configuration procedure
Ignoring authorization information from the server
Displaying and maintaining port security
Port security configuration examples
Configuring the autoLearn mode
Configuring the userLoginWithOUI mode
Configuring the macAddressElseUserLoginSecure mode
Troubleshooting port security
Cannot set the port security mode
Cannot configure secure MAC addresses
Cannot change port security mode when a user is online
Configuring triple authentication
Overview
Triple authentication mechanism
Using triple authentication with other features
Configuring triple authentication
Triple authentication basic function configuration example
Triple authentication supporting VLAN assignment and Auth-Fail VLAN configuration example
Configuring a user profile
User profile configuration task list
Creating a user profile
Applying a QoS policy
Configuration guidelines
Configuration procedure
Enabling a user profile
Displaying and maintaining user profiles
Configuring password control
FIPS compliance
Password control configuration task list
Enabling password control
Setting global password control parameters
Setting user group password control parameters
Setting local user password control parameters
Setting super password control parameters
Setting a local user password in interactive mode
Displaying and maintaining password control
Password control configuration example
Configuring HABP
Configuring an HABP server
Configuring an HABP client
Displaying and maintaining HABP
HABP configuration example
Managing public keys
Overview
FIPS compliance
Configuration task list
Creating a local asymmetric key pair
Distributing the local host public key
Displaying a host public key
Exporting a host public key
Destroying a local asymmetric key pair
Configuring a peer host public key
Importing a peer host public key from a public key file
Entering a peer host public key
Displaying public keys
Public key configuration examples
Manually specifying the peer public key on the local device
Importing a public key from a public key file
Configuring PKI
Overview
PKI terms
PKI architecture
PKI operation
PKI applications
PKI configuration task list
Configuring an entity DN
Configuring a PKI domain
Submitting a PKI certificate request
Submitting a certificate request in auto mode
Submitting a certificate request in manual mode
Retrieving a certificate manually
Configuring PKI certificate verification
Configuring PKI certificate verification with CRL checking
Configuring PKI certificate verification without CRL checking
Destroying the local RSA key pair
Deleting a certificate
Configuring an access control policy
Displaying and maintaining PKI
PKI configuration examples
Certificate request from an RSA Keon CA server
Certificate request from a Windows 2003 CA server
Certificate attribute-based access control policy configuration
Troubleshooting PKI
Failed to retrieve a CA certificate
Failed to request a local certificate
Failed to retrieve CRLs
Configuring IPsec
Overview
Basic concepts
IPsec for IPv6 routing protocols
Protocols and standards
FIPS compliance
Configuring IPsec
Implementing ACL-based IPsec
Feature restrictions and guidelines
ACL-based IPsec configuration task list
Configuring ACLs
Configuring an IPsec transform set
Configuring an IPsec policy
Applying an IPsec policy group to an interface
Configuring the IPsec session idle timeout
Enabling ACL checking of de-encapsulated IPsec packets
Configuring the IPsec anti-replay function
Configuring packet information pre-extraction
Configuring IPsec for IPv6 routing protocols
Displaying and maintaining IPsec
IPsec configuration examples
IKE-based IPsec tunnel for IPv4 packets configuration example
IPsec for RIPng configuration example
Configuring IKE
Overview
IKE security mechanism
IKE operation
IKE functions
Relationship between IKE and IPsec
Protocols and standards
IKE configuration task list
Configuring a name for the local security gateway
Configuring an IKE proposal
Configuring an IKE peer
Setting keepalive timers
Setting the NAT keepalive timer
Configuring a DPD detector
Disabling next payload field checking
Displaying and maintaining IKE
IKE configuration example
Troubleshooting IKE
Invalid user ID
Proposal mismatch
Failure to establish an IPsec tunnel
ACL configuration error
Configuring SSH
Overview
How SSH operates
SSH authentication methods
SSH support for MPLS L3VPN
FIPS compliance
Configuring the device as an SSH server
SSH server configuration task list
Generating local key pairs
Enabling the SSH server function
Enabling the SFTP server function
Configuring the user interfaces for SSH clients
Configuring a client's host public key
Configuring an SSH user
Setting the SSH management parameters
Setting the DSCP value for packets sent by the SSH server
Configuring the device as an Stelnet client
Stelnet client configuration task list
Specifying a source IP address or source interface for the Stelnet client
Enabling and disabling first-time authentication
Establishing a connection to an Stelnet server
Setting the DSCP value for packets sent by the Stelnet client
Configuring the device as an SFTP client
SFTP client configuration task list
Specifying a source IP address or source interface for the SFTP client
Establishing a connection to an SFTP server
Working with SFTP directories
Working with SFTP files
Displaying help information
Terminating the connection with the SFTP server
Setting the DSCP value for packets sent by the SFTP client
Configuring the device as an SCP client
SCP client configuration task list
Transferring files with an SCP server
Displaying and maintaining SSH
Stelnet configuration examples
Password authentication enabled Stelnet server configuration example
Publickey authentication enabled Stelnet server configuration example
Password authentication enabled Stelnet client configuration example
Publickey authentication enabled Stelnet client configuration example
SFTP configuration examples
Password authentication enabled SFTP server configuration example
Publickey authentication enabled SFTP client configuration example
SCP file transfer with password authentication
Network requirements
Configuration procedure
Configuring SSL
Overview
SSL security services
SSL protocol stack
FIPS compliance
Configuration task list
Configuring an SSL server policy
Configuring an SSL client policy
Displaying and maintaining SSL
SSL server policy configuration example
Troubleshooting SSL
SSL handshake failure
Configuring TCP attack protection
Enabling the SYN Cookie feature
Enabling TCP fragment attack protection
Displaying and maintaining TCP attack protection
Configuring IP source guard
IP source guard overview
Static IP source guard entries
Dynamic IP source guard entries
Configuration task list
Configuring the IPv4 source guard function
Enabling IPv4 source guard on a port
Configuring a static IPv4 source guard entry
Setting the maximum number of IPv4 source guard entries allowed on a port
Configuring the IPv6 source guard function
Enabling IPv6 source guard on a port
Configuring a static IPv6 source guard entry
Setting the maximum number of IPv6 source guard entries allowed on a port
Displaying and maintaining IP source guard
IP source guard configuration examples
Static IPv4 source guard entry configuration
Dynamic IPv4 source guard using DHCP snooping
Dynamic IPv4 source guard using DHCP relay
Static IPv6 source guard entry configuration
Dynamic IPv6 source guard using DHCPv6 snooping
Dynamic IPv6 source guard using ND snooping
Global static IP source guard configuration
Troubleshooting IP source guard
Configuring ARP attack protection
ARP attack protection configuration task list
Configuring unresolvable IP attack protection
Configuring ARP source suppression
Enabling ARP black hole routing
Displaying and maintaining ARP source suppression
Unresolvable IP attack protection configuration example
Configuring ARP packet rate limit
Configuring ARP packet rate limit
Configuring source MAC-based ARP attack detection
Displaying and maintaining source MAC-based ARP attack detection
Source MAC-based ARP attack detection configuration example
Configuring ARP packet source MAC consistency check
Configuring ARP active acknowledgement
Configuring ARP detection
Configuring user validity check
Configuring ARP packet validity check
Displaying and maintaining ARP detection
User validity check configuration example
User validity check and ARP packet validity check configuration example
Configuring ARP automatic scanning and fixed ARP
Configuration guidelines
Configuration procedure
Configuring ARP gateway protection
ARP gateway protection configuration example
Configuring ARP filtering
ARP filtering configuration example
Configuring ND attack defense
Overview
Enabling source MAC consistency check for ND packets
Configuring ND detection
Displaying and maintaining ND detection
ND detection configuration example
Configuring URPF
Overview
URPF check modes
URPF work flow
Network application
Configuring URPF
URPF configuration example
Network requirements
Configuration procedure
Configuring MFF
Overview
Basic concepts
MFF operation modes
MFF work flow
Protocols and standards
Configuring MFF
Prerequisites
Enabling MFF and specifying an MFF operating mode
Configuring a network port
Enabling periodic gateway probe
Specifying the IP addresses of servers
Displaying and maintaining MFF
MFF configuration examples
Configuring auto-mode MFF in a tree network
Configuring auto-mode MFF in a ring network
Configuring manual-mode MFF in a tree network
Configuring manual-mode MFF in a ring network
Configuring SAVI
Overview
Configuring SAVI globally
SAVI configuration examples
SAVI configuration in DHCPv6-only address assignment scenario
SAVI configuration in SLAAC-only address assignment scenario
SAVI configuration in DHCPv6+SLAAC address assignment scenario
Configuring blacklist
Overview
Configuring the blacklist feature
Displaying and maintaining the blacklist
Blacklist configuration example
Network requirements
Configuration procedure
Verifying the configuration
Configuring FIPS
Overview
FIPS self-tests
Power-up self-tests
Conditional self-tests
Triggering self-tests
Configuration procedure
Enabling the FIPS mode
Configuration changes in FIPS mode
Displaying and maintaining FIPS
FIPS configuration example
Network requirements
Configuration procedure
Verifying the configuration
Document conventions and icons
Conventions
Network topology icons
Support and other resources
Accessing Hewlett Packard Enterprise Support
Accessing updates
Websites
Customer self repair
Remote support
Documentation feedback