Contents

- Configuring AAA
  - About AAA
  - FIPS compliance
  - AAA tasks at a glance
  - Configuring local users
    - About local users
    - Local user configuration tasks at a glance
    - Configuring attributes for device management users
    - Configuring attributes for network access users
    - Configuring user group attributes
    - Configuring the local user auto-delete feature
    - Display and maintenance commands for local users and local user groups
  - Configuring RADIUS
    - RADIUS tasks at a glance
    - Configuring a test profile for RADIUS server status detection
    - Creating a RADIUS scheme
    - Specifying RADIUS authentication servers
    - Specifying the RADIUS accounting servers
    - Specifying the shared keys for secure RADIUS communication
    - Specifying the MPLS L3VPN instance for a RADIUS scheme
    - Setting the status of RADIUS servers
    - Setting RADIUS timers
    - Specifying the source IP address for outgoing RADIUS packets
    - Setting the username format and traffic statistics units
    - Setting the maximum number of RADIUS request transmission attempts
    - Setting the maximum number of real-time accounting attempts
    - Setting the DSCP priority for RADIUS packets
    - Configuring the Login-Service attribute check method for SSH, FTP, and terminal users
    - Interpreting the RADIUS class attribute as CAR parameters
    - Configuring the MAC address format for RADIUS attribute 31
    - Setting the data measurement unit for the Remanent_Volume attribute
    - Configuring the RADIUS attribute translation feature
    - Configuring RADIUS stop-accounting packet buffering
    - Enabling forcibly sending stop-accounting packets
    - Enabling the RADIUS server load sharing feature
    - Configuring the RADIUS accounting-on feature
    - Configuring the RADIUS session-control feature
    - Configuring the RADIUS DAS feature
    - Enabling SNMP notifications for RADIUS
    - Display and maintenance commands for RADIUS
  - Configuring HWTACACS
    - HWTACACS tasks at a glance
    - Creating an HWTACACS scheme
    - Specifying the HWTACACS authentication servers
    - Specifying the HWTACACS authorization servers
    - Specifying the HWTACACS accounting servers
    - Specifying the shared keys for secure HWTACACS communication
    - Specifying an MPLS L3VPN instance for the scheme
    - Setting HWTACACS timers
    - Specifying the source IP address for outgoing HWTACACS packets
    - Setting the username format and traffic statistics units
    - Configuring HWTACACS stop-accounting packet buffering
    - Display and maintenance commands for HWTACACS
  - Configuring LDAP
    - LDAP tasks at a glance
    - Creating an LDAP server
    - Configuring the IP address of the LDAP server
    - Specifying the LDAP version
    - Setting the LDAP server timeout period
    - Configuring administrator attributes
    - Configuring LDAP user attributes
    - Configuring an LDAP attribute map
    - Creating an LDAP scheme
    - Specifying the LDAP authentication server
    - Specifying the LDAP authorization server
    - Specifying an LDAP attribute map for LDAP authorization
    - Display and maintenance commands for LDAP
  - Creating an ISP domain
  - Configuring ISP domain attributes
  - Configuring AAA methods for an ISP domain
  - Setting the maximum number of concurrent login users
  - Configuring and applying an ITA policy
  - Configuring a NAS-ID
  - Configuring the device ID
  - Configuring the connection recording policy
  - AAA configuration examples
    - Example: Configuring AAA for SSH users by an HWTACACS server
    - Example: Configuring local authentication, HWTACACS authorization, and RADIUS accounting for SSH users
    - Example: Configuring authentication and authorization for SSH users by a RADIUS server
    - Example: Configuring authentication for SSH users by an LDAP server
    - Example: Configuring AAA for 802.1X users by a RADIUS server
  - Troubleshooting AAA
  - Appendixes
- 802.1X overview
- Configuring 802.1X
  - Restrictions and guidelines: 802.1X configuration
  - 802.1X tasks at a glance
  - Prerequisites for 802.1X
  - Enabling 802.1X
  - Enabling EAP relay or EAP termination
  - Setting the port authorization state
  - Specifying an access control method
  - Specifying a mandatory authentication domain on a port
  - Setting the 802.1X authentication timeout timers
  - Configuring 802.1X reauthentication
  - Setting the quiet timer
  - Configuring an 802.1X guest VLAN
  - Enabling 802.1X guest VLAN assignment delay
  - Configuring an 802.1X Auth-Fail VLAN
  - Configuring an 802.1X critical VLAN
  - Enabling the 802.1X critical voice VLAN
  - Configuring an 802.1X guest VSI
  - Enabling 802.1X guest VSI assignment delay
  - Configuring an 802.1X Auth-Fail VSI
  - Configuring an 802.1X critical VSI
  - Configuring the authentication trigger feature
  - Setting the maximum number of concurrent 802.1X users on a port
  - Setting the maximum number of authentication request attempts
  - Configuring online user handshake
  - Specifying supported domain name delimiters
  - Sending 802.1X protocol packets out of a port without VLAN tags
  - Setting the maximum number of 802.1X authentication attempts for MAC authenticated users
  - Enabling 802.1X user IP freezing
  - Configuring 802.1X MAC address binding
  - Configuring the EAD assistant feature
  - Enabling logging for 802.1X users
  - Display and maintenance commands for 802.1X
  - 802.1X authentication configuration examples
    - Example: Configuring basic 802.1X authentication
    - Example: Configuring 802.1X guest VLAN and authorization VLAN
    - Example: Configuring 802.1X with ACL assignment
    - Example: Configuring 802.1X guest VSI and authorization VSI
    - Example: Configuring 802.1X with EAD assistant (with DHCP relay agent)
    - Example: Configuring 802.1X with EAD assistant (with DHCP server)
  - Troubleshooting 802.1X
- Configuring MAC authentication
  - About MAC authentication
  - Restrictions and guidelines: MAC authentication configuration
  - MAC authentication tasks at a glance
  - Prerequisites for MAC authentication
  - Enabling MAC authentication
  - Specifying a MAC authentication domain
  - Configuring the user account format
  - Configuring MAC authentication timers
  - Configuring a MAC authentication guest VLAN
  - Configuring a MAC authentication critical VLAN
  - Enabling the MAC authentication critical voice VLAN
  - Configuring a MAC authentication guest VSI
  - Configuring a MAC authentication critical VSI
  - Enabling MAC authentication offline detection
  - Setting the maximum number of concurrent MAC authentication users on a port
  - Enabling MAC authentication multi-VLAN mode on a port
  - Configuring MAC authentication delay
  - Configuring periodic MAC reauthentication
  - Including user IP addresses in MAC authentication requests
  - Enabling parallel processing of MAC authentication and 802.1X authentication
  - Enabling logging for MAC authentication users
  - Display and maintenance commands for MAC authentication
  - MAC authentication configuration examples
- Configuring portal authentication
  - About portal authentication
  - Restrictions and guidelines: Portal configuration
  - Portal authentication tasks at a glance
  - Prerequisites for portal authentication
  - Configuring a remote portal authentication server
  - Configuring a portal Web server
  - Configuring local portal service features
  - Enabling portal authentication on an interface
  - Specifying a portal Web server on an interface
  - Configuring a portal preauthentication domain
  - Specifying a preauthentication IP address pool
  - Specifying a portal authentication domain
  - Controlling portal user access
    - Configuring a portal-free rule
    - Configuring an authentication source subnet
    - Configuring an authentication destination subnet
    - Setting the maximum number of portal users
    - Enabling strict-checking on portal authorization information
    - Allowing only users with DHCP-assigned IP addresses to pass portal authentication
    - Configuring support of Web proxy for portal authentication
    - Enabling portal roaming
    - Configuring the portal fail-permit feature
  - Configuring portal detection features
  - Configuring portal packet attributes
  - Configuring attributes for RADIUS packets
  - Disabling the Rule ARP or ND entry feature for portal clients
  - Logging out online portal users
  - Enabling portal user login/logout logging
  - Configuring Web redirect
  - Display and maintenance commands for portal
  - Portal configuration examples
    - Example: Configuring direct portal authentication
    - Example: Configuring re-DHCP portal authentication
    - Example: Configuring cross-subnet portal authentication
    - Example: Configuring extended direct portal authentication
    - Example: Configuring extended re-DHCP portal authentication
    - Example: Configuring extended cross-subnet portal authentication
    - Example: Configuring portal server detection and portal user synchronization
    - Example: Configuring cross-subnet portal authentication for MPLS L3VPNs
    - Example: Configuring direct portal authentication with a preauthentication domain
    - Example: Configuring re-DHCP portal authentication with a preauthentication domain
    - Example: Configuring direct portal authentication using a local portal Web service
  - Troubleshooting portal
- Configuring Web authentication
  - About Web authentication
  - Restrictions and guidelines: Web authentication configuration
  - Web authentication task at a glance
  - Prerequisites for Web authentication
  - Configuring a Web authentication server
  - Enabling Web authentication
  - Specifying a Web authentication domain
  - Setting the redirection wait time
  - Configuring a Web authentication-free subnet
  - Setting the maximum number of Web authentication users
  - Configuring online Web authentication user detection
  - Configuring an Auth-Fail VLAN
  - Configuring Web authentication to support Web proxy
  - Display and maintenance commands for Web authentication
  - Web authentication configuration examples
  - Troubleshooting Web authentication
- Configuring triple authentication
- Configuring port security
  - About port security
  - Restrictions and guidelines: Port security configuration
  - Port security tasks at a glance
  - Enabling port security
  - Setting the port security mode
  - Setting port security's limit on the number of secure MAC addresses on a port
  - Configuring secure MAC addresses
  - Configuring NTK
  - Configuring intrusion protection
  - Ignoring authorization information from the server
  - Enabling MAC move
  - Enabling the authorization-fail-offline feature
  - Setting port security's limit on the number of MAC addresses for specific VLANs on a port
  - Enabling open authentication mode
  - Applying a NAS-ID profile to port security
  - Configuring the escape critical VSI feature
  - Enabling SNMP notifications for port security
  - Enabling logging for port security users
  - Display and maintenance commands for port security
  - Port security configuration examples
  - Troubleshooting port security
- Configuring user profiles
- Configuring password control
  - About password control
  - FIPS compliance
  - Restrictions and guidelines: Password control configuration
  - Password control tasks at a glance
  - Enabling password control
  - Setting global password control parameters
  - Setting user group password control parameters
  - Setting local user password control parameters
  - Setting super password control parameters
  - Display and maintenance commands for password control
  - Password control configuration examples
- Configuring keychains
- Managing public keys
- Configuring PKI
  - About PKI
  - FIPS compliance
  - PKI tasks at a glance
  - Configuring a PKI entity
  - Configuring a PKI domain
    - About PKI domain
    - PKI domain tasks at a glance
    - Creating a PKI domain
    - Specifying the trusted CA
    - Specifying the PKI entity name
    - Specifying the certificate request reception authority
    - Specifying the certificate request URL
    - Setting the SCEP polling interval and maximum polling attempts
    - Specifying the LDAP server
    - Specifying the fingerprint for root CA certificate verification
    - Specifying the key pair for certificate request
    - Specifying the intended purpose for the certificate
    - Specifying the source IP address for PKI protocol packets
  - Specifying the storage path for certificates and CRLs
  - Requesting a certificate
    - About certificate request configuration
    - Restrictions and guidelines for certificate request configuration
    - Prerequisites for certificate request configuration
    - Enabling the automatic online certificate request mode
    - Manually submitting an online certificate request
    - Manually submitting a certificate request in offline mode
  - Aborting a certificate request
  - Obtaining certificates
  - Verifying PKI certificates
  - Exporting certificates
  - Removing a certificate
  - Configuring a certificate-based access control policy
  - Display and maintenance commands for PKI
  - PKI configuration examples
    - Example: Requesting a certificate from an RSA Keon CA server
    - Example: Requesting a certificate from a Windows Server 2003 CA server
    - Example: Requesting a certificate from an OpenCA server
    - Example: Configuring IKE negotiation with RSA digital signature from a Windows Server 2003 CA server
    - Example: Configuring a certificate-based access control policy
    - Example: Importing and exporting certificates
  - Troubleshooting PKI configuration
- Configuring IPsec
  - About IPsec
  - FIPS compliance
  - Restrictions and guidelines: IPsec configuration
  - Implementing ACL-based IPsec
    - ACL-based IPsec tasks at a glance
    - Configuring an ACL
    - Configuring an IPsec transform set
    - Configuring a manual IPsec policy
    - Configuring an IKE-based IPsec policy
    - Applying an IPsec policy to an interface
    - Enabling ACL checking for de-encapsulated packets
    - Configuring IPsec anti-replay
    - Configuring IPsec anti-replay redundancy
    - Binding a source interface to an IPsec policy
    - Enabling QoS pre-classify
    - Configuring the DF bit of IPsec packets
    - Configuring IPsec RRI
  - Configuring IPsec for IPv6 routing protocols
  - Configuring the global IPsec SA lifetime and idle timeout
  - Configuring IPsec fragmentation
  - Setting the maximum number of IPsec tunnels
  - Enabling logging for IPsec packets
  - Configuring SNMP notifications for IPsec
  - Display and maintenance commands for IPsec
  - IPsec configuration examples
- Configuring IKE
  - About IKE
  - FIPS compliance
  - IKE tasks at a glance
  - Prerequisites for IKE configuration
  - Configuring an IKE profile
    - Creating an IKE profile
    - Configuring peer IDs for the IKE profile
    - Specifying the IKE keychain or PKI domain
    - Configuring the IKE phase 1 negotiation mode
    - Specifying IKE proposals for the IKE profile
    - Configuring the local ID for the IKE profile
    - Specifying an inside VPN instance for the IKE profile
    - Configuring optional features for the IKE profile
  - Configuring an IKE proposal
  - Configuring an IKE keychain
  - Configuring the global identity information
  - Configuring the IKE keepalive feature
  - Configuring the IKE NAT keepalive feature
  - Configuring global IKE DPD
  - Enabling invalid SPI recovery
  - Setting the maximum number of IKE SAs
  - Configuring SNMP notifications for IKE
  - Display and maintenance commands for IKE
  - IKE configuration examples
  - Troubleshooting IKE
    - IKE negotiation failed because no matching IKE proposals were found
    - IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly
    - IPsec SA negotiation failed because no matching IPsec transform sets were found
    - IPsec SA negotiation failed due to invalid identity information
- Configuring IKEv2
  - About IKEv2
  - IKEv2 tasks at a glance
  - Prerequisites for IKEv2 configuration
  - Configuring an IKEv2 profile
    - Creating an IKEv2 profile
    - Specifying the local and remote identity authentication methods
    - Configuring the IKEv2 keychain or PKI domain
    - Configuring the local ID for the IKEv2 profile
    - Configuring peer IDs for the IKEv2 profile
    - Specifying a VPN instance for the IKEv2 profile
    - Specifying an inside VPN instance for the IKEv2 profile
    - Configuring optional features for the IKEv2 profile
  - Configuring an IKEv2 policy
  - Configuring an IKEv2 proposal
  - Configuring an IKEv2 keychain
  - Configure global IKEv2 parameters
  - Display and maintenance commands for IKEv2
  - Troubleshooting IKEv2
- Configuring SSH
  - About SSH
  - FIPS compliance
  - Configuring the device as an SSH server
    - SSH server tasks at a glance
    - Generating local key pairs
    - Specifying the SSH service port
    - Enabling the Stelnet server
    - Enabling the SFTP server
    - Enabling the SCP server
    - Enabling NETCONF over SSH
    - Configuring the user lines for SSH login
    - Configuring a client's host public key
    - Configuring an SSH user
    - Configuring the SSH management parameters
    - Specifying a PKI domain for the SSH server
    - Disconnecting SSH sessions
  - Configuring the device as an Stelnet client
    - Stelnet client tasks at a glance
    - Generating local key pairs
    - Specifying the source IP address for outgoing SSH packets
    - Establishing a connection to an Stelnet server
    - Deleting server public keys saved in the public key file on the Stelnet client
    - Establishing a connection to an Stelnet server based on Suite B
  - Configuring the device as an SFTP client
    - SFTP client tasks at a glance
    - Generating local key pairs
    - Specifying the source IP address for outgoing SFTP packets
    - Establishing a connection to an SFTP server
    - Deleting server public keys saved in the public key file on the SFTP client
    - Establishing a connection to an SFTP server based on Suite B
    - Working with SFTP directories
    - Working with SFTP files
    - Displaying help information
    - Terminating the connection with the SFTP server
  - Configuring the device as an SCP client
  - Specifying algorithms for SSH2
  - Display and maintenance commands for SSH
  - Stelnet configuration examples
    - Example: Configuring the device as an Stelnet server (password authentication)
    - Example: Configuring the device as an Stelnet server (publickey authentication)
    - Example: Configuring the device as an Stelnet client (password authentication)
    - Example: Configuring the device as an Stelnet client (publickey authentication)
    - Example: Configuring Stelnet based on 128-bit Suite B algorithms
  - SFTP configuration examples
  - SCP configuration examples
  - NETCONF over SSH configuration examples
- Configuring SSL
- Configuring attack detection and prevention
  - About attack detection and prevention
  - Attacks that the device can prevent
  - IP blacklist feature
  - Attack detection and prevention tasks at a glance
  - Configuring and applying an attack defense policy
  - Enabling log non-aggregation for single-packet attack events
  - Configuring TCP fragment attack prevention
  - Configuring the IP blacklist feature
  - Configuring login attack prevention
  - Enabling the login delay
  - Display and maintenance commands for attack detection and prevention
  - Attack detection and prevention configuration examples
- Configuring TCP attack prevention
- Configuring IP source guard
  - About IPSG
  - Restrictions and guidelines: IPSG configuration
  - IPSG tasks at a glance
  - Configuring the IPv4SG feature
  - Configuring the IPv6SG feature
  - Display and maintenance commands for IPSG
  - IPSG configuration examples
    - Example: Configuring static IPv4SG
    - Example: Configuring DHCP snooping-based dynamic IPv4SG
    - Example: Configuring DHCP relay agent-based dynamic IPv4SG
    - Example: Configuring static IPv6SG
    - Example: Configuring DHCPv6 snooping-based dynamic IPv6SG address bindings
    - Example: Configuring DHCPv6 snooping-based dynamic IPv6SG prefix bindings
    - Example: Configuring DHCPv6 relay agent-based dynamic IPv6SG
- Configuring ARP attack protection
  - About ARP attack protection
  - ARP attack protection tasks at a glance
  - Configuring unresolvable IP attack protection
  - Configuring ARP packet rate limit
  - Configuring source MAC-based ARP attack detection
  - Configuring ARP packet source MAC consistency check
  - Configuring ARP active acknowledgement
  - Configuring authorized ARP
  - Configuring ARP attack detection
    - About ARP attack detection
    - Configuring user validity check
    - Configuring ARP packet validity check
    - Configuring ARP restricted forwarding
    - Ignoring ingress ports of ARP packets during user validity check
    - Enabling ARP attack detection logging
    - Display and maintenance commands for ARP attack detection
    - Example: Configuring user validity check
    - Example: Configuring user validity check and ARP packet validity check
    - Example: Configuring ARP restricted forwarding
  - Configuring ARP scanning and fixed ARP
  - Configuring ARP gateway protection
  - Configuring ARP filtering
  - Configuring ARP sender IP address checking
- Configuring ND attack defense
- Configuring uRPF
- Configuring MFF
- Configuring crypto engines
- Configuring FIPS
- Configuring MACsec
  - About MACsec
  - Restrictions: Hardware compatibility with MACsec
  - MACsec tasks at a glance
  - Enabling MKA
  - Enabling MACsec desire
  - Configuring a preshared key
  - Configuring the MKA key server priority
  - Configuring MACsec protection parameters
  - Enabling MKA session logging
  - Display and maintenance commands for MACsec
  - MACsec configuration examples
  - Troubleshooting MACsec
- Document conventions and icons
- Support and other resources