Contents
About this document Configuring Username and Password Security Console access Creating password security Security credentials Include-Credentials include-credentials radius-tacacs-only option Displaying the status of include-credentials on the switch Executing include-credentials or include-credentials store-in-config Storage states when using include-credentials [no]include-credentials store-in-config option Enabling the storage and display of security credentials
Setting an encrypted password Front panel security Front panel security Configuring front panel security Disabling the clear password function of the Clear button Setting the Clear button functionality Changing what the Reset+Clear button combination does Restoring the factory default configuration Enabling and disabling password recovery Recovering passwords Password recovery
Saving user name and password security Operating Notes
Virus throttling (connection-rate filtering) Configuring connection-rate filtering Blocked hosts Configuring and applying connection-rate ACLs Connection-rate filtering Overview Configuring connection-rate filtering for low risk networks Configuring connection-rate filtering for high risk networks
Web-based and MAC authentication Configuring MAC authentication on the switch Prerequisites for web-based or MAC authentication Preparation for configuring MAC authentication Configuring a global MAC authentication password Commands to configure the global MAC authentication password Configuring a MAC address format Enabling/disabling MAC authentication Specifying the maximum authenticated MACs allowed on a port Allowing addresses to move without re-authentication Specifying the VLAN for an authorized client Specifying the time period enforced for implicit logoff Specifying how many authentication attempts can time-out before failure Specifying how long the switch waits before processing a request from a MAC address that failed authentication Specifying time period enforced on a client to re-authenticate Forcing re-authentication of clients Specifying the period to wait for a server response to an authentication request Specifying the VLAN to use when authentication fails Configuring custom messages for failed logins web page display of access denied message Redirecting HTTP when MAC address not found Registering HTTP redirect Using the restrictive-filter option Reauthenticating a MAC Authenticated client Configuring the registration server URL Unconfiguring a MAC Authenticated registration server
Configuring web-based authentication Preparation for web-based authentication Configuration commands for web-based authentication Controlled directions Disable web-based authentication Specifying the VLAN Clearing statistics Maximum authenticated clients Specifies base address Specifies lease length Configures web server connection Specifying the period Specifying the number of authentication attempts Specifying maximum retries Specifying the time period Specifying the re-authentication period Specifying a forced reauthentication Specifying the URL Specifying the timeout
Configuring the RADIUS server to support MAC authentication Configuring the switch to access a RADIUS server
Customizing Viewing Viewing the status and settings of ports enabled for web-based authentication Viewing status of ports enabled for web-based authentication Viewing session details for web-Auth clients Viewing status details of web-based authentication sessions on specified ports Viewing web-based authentication settings for ports Viewing details of web-based authentication settings for ports Viewing web-based authentication settings for ports, including RADIUS server specific Viewing web-based authentication settings for ports, including web specific settings
Viewing the show commands for MAC authentication Viewing session information for MAC authenticated clients on a switch Viewing detail on status of MAC authenticated client sessions Error log Viewing MAC authentication settings on ports Viewing details of MAC Authentication settings on ports Viewing MAC Authentication settings including RADIUS server-specific
Overview About web and MAC authentication Web-based authentication MAC authentication Concurrent web-based and MAC authentication Authorized and unauthorized client VLANs RADIUS-based authentication Wireless clients How web-based and MAC authentication operate Web-based authentication Order of priority for assigning VLANs Clientless Endpoint Integrity MAC authentication Operating notes and guidelines Customizing HTML templates Configuring a DNS Server for Enhanced web authentication Operating notes and guidelines for implementing customized web-Auth pages Customizable HTML templates
Local MAC Authentication MAC ACLs Overview MAC ACL configuration commands Mac-access-list creation syntax Mac-access-list standard configuration context Mac-access-list extended configuration context Remark command Mac-access-list application syntax (PACL) Mac-access-list application syntax (VACL) Show access-list Show access-list by name Show access-list config Show access-list port Show access-list vlan Show access-list resources Show statistics clear statistics
Event Log messages
ACL Grouping Infrastructure MACsec Overview MACsec configuration commands Create, modify or delete a MACsec policy Configuring mode of MACsec policy MACsec policy: configuring confidentiality (policy context) Configuring replay protection Configuring include-sci-tag Apply policy on a port-list MKA configuration on a port-list Clearing MKA statistics on ports Clearing MACsec statistics on ports
Show commands Mutually exclusive commands with MACsec configuration on a port MACsec Log messages
TACACS+ Authentication and Accounting Overview Configuring TACACS+ on the switch Before you begin Selecting the access method for configuration Configuring the switch authentication method Command to configure the TACACS+ server Configuring the TACACS+ server for single login Configuring the switch TACACS+ server access Command to enable authorization Command to enable accounting Command to configure dead time Command to enable authorization Command to enable accounting Show all authorization configurations Show all accounting configurations Show current authentication configurations Show key information Show TACACS+ Show TACACS+ host details Show accounting sessions Specifying devices Specifying switch response Encryption options in the switch Using the privilege-mode option for login Adding, removing, or changing the priority of a TACACS+ server
Controlling webagent access when using TACACS+ authentication Event Messages
RADIUS Authentication, Authorization, and Accounting Overview Accounting services Radius-administered CoS and rate-limiting Radius-administered commands authorization SNMP access to the switch's authentication configuration MIB About the dynamic removal of authentication limits RADIUS operation Commands authorization on HTTPS overview WebAgent windows when using command authorization MAC-based VLANs
Configuring Preparation procedures for RADIUS Configuring the switch for RADIUS authentication Connecting a RADIUS server with a server group Configuring the primary password authentication method for console, Telnet, SSH and WebAgent Configuring the primary password authentication method for port-access, MAC-based, and web-based access Configuring RADIUS accounting Configuring commands authorization on a RADIUS server Configuring the RADIUS VSAs Enhanced commands
Viewing Using Using multiple RADIUS server groups Adding and deleting servers to the RADIUS configuration Setting accounting type, and how data is sent Allowing reauthentication when RADIUS server is unavailable Setting the time period to allow cached reauthentication Enabling authorization to control access to CLI commands Creating Local Privilege Levels Changing RADIUS-server access order Using SNMP to view and configure switch authentication features Cached reauthentication Local authentication process Controlling WebAgent access Commands authorization VLAN assignment in an authentication session Tagged and untagged VLAN attributes Additional RADIUS attributes Accounting services Acct-Session-ID options in a management session Dynamic removal of authentication limits
Messages related to RADIUS operation Security event log Security user log access Creating a security user Security user commands Authentication and Authorization through RADIUS Authentication and Authorization through TACACS+ Restrictions Event log wrap Configuring concurrent sessions Configuring concurrent sessions per user Configuring concurrent sessions per Failed login attempts delay
RADIUS services supported on HPE switches RADIUS client and server requirements RADIUS server support Optional HPE PCM and IDM network management applications RADIUS server configuration for CoS (802.1p priority) and rate-limiting Applied rates for RADIUS-assigned rate limits Per-port bandwidth override Configuring and using dynamic (RADIUS-assigned) access control lists Contrasting RADIUS-assigned and static ACLs How a RADIUS server applies a RADIUS-assigned ACL to a client on a switch port General ACL features, planning, and configuration The packet-filtering process Operating rules for RADIUS-assigned ACLs Configuring an ACL in a RADIUS server Nas-Filter-Rule-Options ACE syntax in RADIUS servers Configuration notes Monitoring shared resources Event log messages
Configuring Radius assigned ACLs Viewing RADIUS filter-id
RBAC Password Complexity Password complexity overview Password expiration periods Requirements Limitations Configuring Password Complexity password configuration commands password configuration-control password configuration password minimum-length password aaa authentication local-user password complexity password composition show password-configuration Troubleshooting
Secure web management Configuring Secure Shell (SSH) with two-factor authentication Overview Two-factor authentication configuration commands aaa authentication ssh aaa authentication ssh two-factor aaa authentication ssh two-factor two-factor-type aaa authentication ssh two-factor two-factor-type publickey-password aaa authentication ssh two-factor two-factor-type certificate-password Two-factor authentication restrictions Two-factor authentication validation rules Two-factor authentication event log messages
IPv4 Access Control Lists (ACLs) Configuring Viewing Viewing an ACL summary Viewing the content of all ACLs on the switch Viewing the RACL and VACL assignments for a VLAN Viewing static port (and trunk) ACL assignments Viewing specific ACL configuration details Viewing all ACLs and their assignments in the routing switch startup-config and running-config files
Using Adding or removing an ACL assignment on an interface Creating ACLs Deleting an ACL Inserting an ACE in an existing ACL Deleting an ACE from an existing ACL Resequencing the ACEs in an ACL Attaching a remark to an ACE Appending remarks and related ACEs to the end of an ACL Inserting remarks and related ACEs within an existing list Inserting a remark for an ACE that already exists in an ACL Removing a remark from an existing ACE Enable ACL “Deny” or “Permit” Logging Requirements for using ACL Logging ACL Logging Operation Enabling ACL logging on the switch Monitoring static ACL performance ACE counter operation Resetting ACE Hit counters to zero Using IPv6 counters with multiple interface assignments Using IPv4 counters with multiple interface assignments
Additional configuration guidelines Introduction General ACL operating notes About IPv4 static ACL operation Introduction to IPv4 static ACL operation Options for applying IPv4 ACLs on the switch Types of IPv4 ACLs ACL applications Multiple ACLs on an interface Features common to all ACL applications General steps for planning and configuring ACLs The packet-filtering process Operating notes for remarks Planning an ACL application Configuring standard ACLs Editing an existing ACL IPv4 ACL configuration and operating rules How an ACE uses a mask to screen packets for matches Using CIDR notation to enter the IPv4 ACL mask General steps for implementing ACLs Options for permit/deny policies ACL configuration structure ACL configuration factors Enabling ACL "Deny" logging Requirements for using ACL logging ACL logging operation
ACL/ACE match-related logging commands
Port Security Configuring Planning port security Configuring port security Eavesdrop Prevention is Disabled Blocked unauthorized traffic Configuring Trusted Ports for Dynamic ARP Protection Configuring Additional Validation Checks on ARP Packets Verifying the configuration of dynamic ARP protection Configuring DHCP snooping trusted ports Configuring authorized server addresses Configuring MAC Lockdown Configuring MAC Lockout Configuring instrumentation monitor
Viewing Using Port Security Enabling port security eavesdrop-prevention Configuring DHCP snooping Enabling Dynamic ARP protection Enabling Dynamic IP Lockdown Removing MAC Addresses Removing a MAC Address from the Authorized list for a port Clear MAC address table Deploying MAC Lockdown Adding an IP-to-MAC Binding to the DHCP Database Verifying the dynamic IP lockdown configuration Adding a MAC Address to a port Checking for intrusions, listing intrusion alerts, and resetting alert flags (CLI) Checking for intrusions, listing intrusion alerts, and resetting alert flags (Menu) Using the event log to find intrusion alerts CLI Using the event log to find intrusion alerts menu
Overview DHCP Snooping DHCP Operational Notes Dynamic ARP Protection Dynamic IP Lockdown Adding an IP-to-MAC binding to the DHCP binding database Using the instrumentation monitor About port security Basic operation Eavesdrop prevention Blocking unauthorized traffic Trunk group exclusion Retention of static addresses How MAC Lockdown works MAC Lockdown operating notes Differences between MAC lockdown and port security Deploying MAC lockdown How MAC Lockout works Port security and MAC Lockout Reading intrusion alerts and resetting alert flags Operating notes for port security
Log Messages
Authorized IP Managers Key Management System Traffic/Security Features and Monitors Configuring traffic/security Viewing Using HPE switch security features Physical security Using the Management Interface wizard SNMP security guidelines Precedence of security options HPE E-Network Immunity Manager Arbitrating client-specific attributes HPE PCM+ Identity-Driven Manager (IDM) Access security features Network security features Using named source-port filters Editing a source-port filter Displaying traffic/security filters
Overview
Port-Based and User-Based Access Control (802.1X) Configuring Port-Based Access Why Use Port-Based or User-Based Access Control? User Authentication Methods General Setup Procedure for 802.1X Access Control Configuring switch ports as 802.1X authenticators Enabling 802.1X authentication on selected ports Specify User-Based Authentication or Return to Port-Based Authentication Reconfigure Settings for Port-Access Configure the 802.1X Authentication Method Enter the RADIUS Host IP Addresses Enable 802.1X Authentication on the Switch Optional: Reset Authenticator Operation Optional: Configure 802.1X Controlled Direction Wake-on-LAN Traffic
Setting Up and Configuring 802.1X Open VLAN Mode Configuring General 802.1X Operation Configuring 802.1X Open VLAN Mode Inspecting 802.1X Open VLAN Mode Operation. Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices Viewing 802.1X Open VLAN Mode Status Show Commands for Port-Access Supplicant How RADIUS/802.1X Authentication Affects VLAN Operation Port-Security Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Supplicant Port Configuration
Configuring Mixed Port Access Mode General 802.1X Authenticator Operation
Viewing Using Overview Messages Related to 802.1X Operation
Secure Mode (3800, 3810, 5400zl, and 8200zl Switches) Configuring Configuring secure mode Commands affected when enhanced secure mode is enabled Feature-specific show commands Show flash and show version command output Show config commands MIB CLI commands Password commands Additional password command option Prompt for password when first logging in Behavior when changing or exiting levels Additional password commands Secret keys SSH changes SSL changes Zeroizing with HA Opacity shields command
Overview Troubleshooting
Certificate manager Configuration support Switch identity profile Local certificate enrollment – manual mode Removal of certificates/CSRs Zeroization File transfer Loading a local certificate Debug logging Certificate specific Profile specific – TA profile Web support Error messages
Conformance to Suite-B Cryptography requirements Configuration support Retrieve CRL Set TA profile to validate CRL and OCSP Clear CRL Create a certificate signing request Create and enroll a self-signed certificate Configure or remove the minimum levels of security minLos for TLS Install authentication files Remove authentication files show crypto client-public-key Remove the client public keys from configuration Show details of TA profile
Support and other resources