About this document |
Configuring Username and Password Security |
Console access |
Creating password security |
Security credentials |
Include-Credentials |
include-credentials radius-tacacs-only option |
Displaying the status of include-credentials on the switch |
Executing include-credentials or include-credentials store-in-config |
Storage states when using include-credentials |
[no]include-credentials store-in-config option |
Enabling the storage and display of security credentials |
Setting an encrypted password |
Front panel security |
Front panel security |
Configuring front panel security |
Disabling the clear password function of the Clear button |
Setting the Clear button functionality |
Changing what the Reset+Clear button combination does |
Restoring the factory default configuration |
Enabling and disabling password recovery |
Recovering passwords |
Password recovery |
Saving user name and password security |
Operating Notes |
Virus throttling (connection-rate filtering) |
Configuring connection-rate filtering |
Blocked hosts |
Configuring and applying connection-rate ACLs |
Connection-rate filtering |
Overview |
Configuring connection-rate filtering for low risk networks |
Configuring connection-rate filtering for high risk networks |
Web-based and MAC authentication |
Configuring MAC authentication on the switch |
Prerequisites for web-based or MAC authentication |
Preparation for configuring MAC authentication |
Configuring a global MAC authentication password |
Commands to configure the global MAC authentication password |
Configuring a MAC address format |
Enabling/disabling MAC authentication |
Specifying the maximum authenticated MACs allowed on a port |
Allowing addresses to move without re-authentication |
Specifying the VLAN for an authorized client |
Specifying the time period enforced for implicit logoff |
Specifying how many authentication attempts can time-out before failure |
Specifying how long the switch waits before processing a request from a MAC address that failed authentication |
Specifying time period enforced on a client to re-authenticate |
Forcing re-authentication of clients |
Specifying the period to wait for a server response to an authentication request |
Specifying the VLAN to use when authentication fails |
Configuring custom messages for failed logins |
web page display of access denied message |
Redirecting HTTP when MAC address not found |
Registering HTTP redirect |
Using the restrictive-filter option |
Reauthenticating a MAC Authenticated client |
Configuring the registration server URL |
Unconfiguring a MAC Authenticated registration server |
Configuring web-based authentication |
Preparation for web-based authentication |
Configuration commands for web-based authentication |
Controlled directions |
Disable web-based authentication |
Specifying the VLAN |
Clearing statistics |
Maximum authenticated clients |
Specifies base address |
Specifies lease length |
Configures web server connection |
Specifying the period |
Specifying the number of authentication attempts |
Specifying maximum retries |
Specifying the time period |
Specifying the re-authentication period |
Specifying a forced reauthentication |
Specifying the URL |
Specifying the timeout |
Configuring the RADIUS server to support MAC authentication |
Configuring the switch to access a RADIUS server |
Customizing |
Viewing |
Viewing the status and settings of ports enabled for web-based authentication |
Viewing status of ports enabled for web-based authentication |
Viewing session details for web-Auth clients |
Viewing status details of web-based authentication sessions on specified ports |
Viewing web-based authentication settings for ports |
Viewing details of web-based authentication settings for ports |
Viewing web-based authentication settings for ports, including RADIUS server specific |
Viewing web-based authentication settings for ports, including web specific settings |
Viewing the show commands for MAC authentication |
Viewing session information for MAC authenticated clients on a switch |
Viewing detail on status of MAC authenticated client sessions |
Error log |
Viewing MAC authentication settings on ports |
Viewing details of MAC Authentication settings on ports |
Viewing MAC Authentication settings including RADIUS server-specific |
Overview |
About web and MAC authentication |
Web-based authentication |
MAC authentication |
Concurrent web-based and MAC authentication |
Authorized and unauthorized client VLANs |
RADIUS-based authentication |
Wireless clients |
How web-based and MAC authentication operate |
Web-based authentication |
Order of priority for assigning VLANs |
Clientless Endpoint Integrity |
MAC authentication |
Operating notes and guidelines |
Customizing HTML templates |
Configuring a DNS Server for Enhanced web authentication |
Operating notes and guidelines for implementing customized web-Auth pages |
Customizable HTML templates |
Local MAC Authentication |
MAC ACLs |
Overview |
MAC ACL configuration commands |
Mac-access-list creation syntax |
Mac-access-list standard configuration context |
Mac-access-list extended configuration context |
Remark command |
Mac-access-list application syntax (PACL) |
Mac-access-list application syntax (VACL) |
Show access-list |
Show access-list by name |
Show access-list config |
Show access-list port |
Show access-list vlan |
Show access-list resources |
Show statistics |
clear statistics |
Event Log messages |
ACL Grouping |
Infrastructure MACsec |
Overview |
MACsec configuration commands |
Create, modify or delete a MACsec policy |
Configuring mode of MACsec policy |
MACsec policy: configuring confidentiality (policy context) |
Configuring replay protection |
Configuring include-sci-tag |
Apply policy on a port-list |
MKA configuration on a port-list |
Clearing MKA statistics on ports |
Clearing MACsec statistics on ports |
Show commands |
Mutually exclusive commands with MACsec configuration on a port |
MACsec Log messages |
TACACS+ Authentication and Accounting |
Overview |
Configuring TACACS+ on the switch |
Before you begin |
Selecting the access method for configuration |
Configuring the switch authentication method |
Command to configure the TACACS+ server |
Configuring the TACACS+ server for single login |
Configuring the switch TACACS+ server access |
Command to enable authorization |
Command to enable accounting |
Command to configure dead time |
Command to enable authorization |
Command to enable accounting |
Show all authorization configurations |
Show all accounting configurations |
Show current authentication configurations |
Show key information |
Show TACACS+ |
Show TACACS+ host details |
Show accounting sessions |
Specifying devices |
Specifying switch response |
Encryption options in the switch |
Using the privilege-mode option for login |
Adding, removing, or changing the priority of a TACACS+ server |
Controlling webagent access when using TACACS+ authentication |
Event Messages |
RADIUS Authentication, Authorization, and Accounting |
Overview |
Accounting services |
Radius-administered CoS and rate-limiting |
Radius-administered commands authorization |
SNMP access to the switch's authentication configuration MIB |
About the dynamic removal of authentication limits |
RADIUS operation |
Commands authorization on HTTPS overview |
WebAgent windows when using command authorization |
MAC-based VLANs |
Configuring |
Preparation procedures for RADIUS |
Configuring the switch for RADIUS authentication |
Connecting a RADIUS server with a server group |
Configuring the primary password authentication method for console, Telnet, SSH and WebAgent |
Configuring the primary password authentication method for port-access, MAC-based, and web-based access |
Configuring RADIUS accounting |
Configuring commands authorization on a RADIUS server |
Configuring the RADIUS VSAs |
Enhanced commands |
Viewing |
Using |
Using multiple RADIUS server groups |
Adding and deleting servers to the RADIUS configuration |
Setting accounting type, and how data is sent |
Allowing reauthentication when RADIUS server is unavailable |
Setting the time period to allow cached reauthentication |
Enabling authorization to control access to CLI commands |
Creating Local Privilege Levels |
Changing RADIUS-server access order |
Using SNMP to view and configure switch authentication features |
Cached reauthentication |
Local authentication process |
Controlling WebAgent access |
Commands authorization |
VLAN assignment in an authentication session |
Tagged and untagged VLAN attributes |
Additional RADIUS attributes |
Accounting services |
Acct-Session-ID options in a management session |
Dynamic removal of authentication limits |
Messages related to RADIUS operation |
Security event log |
Security user log access |
Creating a security user |
Security user commands |
Authentication and Authorization through RADIUS |
Authentication and Authorization through TACACS+ |
Restrictions |
Event log wrap |
Configuring concurrent sessions |
Configuring concurrent sessions per user |
Configuring concurrent sessions per |
Failed login attempts delay |
RADIUS services supported on HPE switches |
RADIUS client and server requirements |
RADIUS server support |
Optional HPE PCM and IDM network management applications |
RADIUS server configuration for CoS (802.1p priority) and rate-limiting |
Applied rates for RADIUS-assigned rate limits |
Per-port bandwidth override |
Configuring and using dynamic (RADIUS-assigned) access control lists |
Contrasting RADIUS-assigned and static ACLs |
How a RADIUS server applies a RADIUS-assigned ACL to a client on a switch port |
General ACL features, planning, and configuration |
The packet-filtering process |
Operating rules for RADIUS-assigned ACLs |
Configuring an ACL in a RADIUS server |
Nas-Filter-Rule-Options |
ACE syntax in RADIUS servers |
Configuration notes |
Monitoring shared resources |
Event log messages |
Configuring Radius assigned ACLs |
Viewing |
RADIUS filter-id |
RBAC |
Password Complexity |
Password complexity overview |
Password expiration periods |
Requirements |
Limitations |
Configuring Password Complexity |
password configuration commands |
password configuration-control |
password configuration |
password minimum-length |
password |
aaa authentication local-user |
password complexity |
password composition |
show password-configuration |
Troubleshooting |
Secure web management |
Configuring Secure Shell (SSH) with two-factor authentication |
Overview |
Two-factor authentication configuration commands |
aaa authentication ssh |
aaa authentication ssh two-factor |
aaa authentication ssh two-factor two-factor-type |
aaa authentication ssh two-factor two-factor-type publickey-password |
aaa authentication ssh two-factor two-factor-type certificate-password |
Two-factor authentication restrictions |
Two-factor authentication validation rules |
Two-factor authentication event log messages |
IPv4 Access Control Lists (ACLs) |
Configuring |
Viewing |
Viewing an ACL summary |
Viewing the content of all ACLs on the switch |
Viewing the RACL and VACL assignments for a VLAN |
Viewing static port (and trunk) ACL assignments |
Viewing specific ACL configuration details |
Viewing all ACLs and their assignments in the routing switch startup-config and running-config files |
Using |
Adding or removing an ACL assignment on an interface |
Creating ACLs |
Deleting an ACL |
Inserting an ACE in an existing ACL |
Deleting an ACE from an existing ACL |
Resequencing the ACEs in an ACL |
Attaching a remark to an ACE |
Appending remarks and related ACEs to the end of an ACL |
Inserting remarks and related ACEs within an existing list |
Inserting a remark for an ACE that already exists in an ACL |
Removing a remark from an existing ACE |
Enable ACL “Deny” or “Permit” Logging |
Requirements for using ACL Logging |
ACL Logging Operation |
Enabling ACL logging on the switch |
Monitoring static ACL performance |
ACE counter operation |
Resetting ACE Hit counters to zero |
Using IPv6 counters with multiple interface assignments |
Using IPv4 counters with multiple interface assignments |
Additional configuration guidelines |
Introduction |
General ACL operating notes |
About IPv4 static ACL operation |
Introduction to IPv4 static ACL operation |
Options for applying IPv4 ACLs on the switch |
Types of IPv4 ACLs |
ACL applications |
Multiple ACLs on an interface |
Features common to all ACL applications |
General steps for planning and configuring ACLs |
The packet-filtering process |
Operating notes for remarks |
Planning an ACL application |
Configuring standard ACLs |
Editing an existing ACL |
IPv4 ACL configuration and operating rules |
How an ACE uses a mask to screen packets for matches |
Using CIDR notation to enter the IPv4 ACL mask |
General steps for implementing ACLs |
Options for permit/deny policies |
ACL configuration structure |
ACL configuration factors |
Enabling ACL "Deny" logging |
Requirements for using ACL logging |
ACL logging operation |
ACL/ACE match-related logging commands |
Port Security |
Configuring |
Planning port security |
Configuring port security |
Eavesdrop Prevention is Disabled |
Blocked unauthorized traffic |
Configuring Trusted Ports for Dynamic ARP Protection |
Configuring Additional Validation Checks on ARP Packets |
Verifying the configuration of dynamic ARP protection |
Configuring DHCP snooping trusted ports |
Configuring authorized server addresses |
Configuring MAC Lockdown |
Configuring MAC Lockout |
Configuring instrumentation monitor |
Viewing |
Using Port Security |
Enabling port security eavesdrop-prevention |
Configuring DHCP snooping |
Enabling Dynamic ARP protection |
Enabling Dynamic IP Lockdown |
Removing MAC Addresses |
Removing a MAC Address from the Authorized list for a port |
Clear MAC address table |
Deploying MAC Lockdown |
Adding an IP-to-MAC Binding to the DHCP Database |
Verifying the dynamic IP lockdown configuration |
Adding a MAC Address to a port |
Checking for intrusions, listing intrusion alerts, and resetting alert flags (CLI) |
Checking for intrusions, listing intrusion alerts, and resetting alert flags (Menu) |
Using the event log to find intrusion alerts CLI |
Using the event log to find intrusion alerts menu |
Overview |
DHCP Snooping |
DHCP Operational Notes |
Dynamic ARP Protection |
Dynamic IP Lockdown |
Adding an IP-to-MAC binding to the DHCP binding database |
Using the instrumentation monitor |
About port security |
Basic operation |
Eavesdrop prevention |
Blocking unauthorized traffic |
Trunk group exclusion |
Retention of static addresses |
How MAC Lockdown works |
MAC Lockdown operating notes |
Differences between MAC lockdown and port security |
Deploying MAC lockdown |
How MAC Lockout works |
Port security and MAC Lockout |
Reading intrusion alerts and resetting alert flags |
Operating notes for port security |
Log Messages |
Authorized IP Managers |
Key Management System |
Traffic/Security Features and Monitors |
Configuring traffic/security |
Viewing |
Using HPE switch security features |
Physical security |
Using the Management Interface wizard |
SNMP security guidelines |
Precedence of security options |
HPE E-Network Immunity Manager |
Arbitrating client-specific attributes |
HPE PCM+ Identity-Driven Manager (IDM) |
Access security features |
Network security features |
Using named source-port filters |
Editing a source-port filter |
Displaying traffic/security filters |
Overview |
Port-Based and User-Based Access Control (802.1X) |
Configuring Port-Based Access |
Why Use Port-Based or User-Based Access Control? |
User Authentication Methods |
General Setup Procedure for 802.1X Access Control |
Configuring switch ports as 802.1X authenticators |
Enabling 802.1X authentication on selected ports |
Specify User-Based Authentication or Return to Port-Based Authentication |
Reconfigure Settings for Port-Access |
Configure the 802.1X Authentication Method |
Enter the RADIUS Host IP Addresses |
Enable 802.1X Authentication on the Switch |
Optional: Reset Authenticator Operation |
Optional: Configure 802.1X Controlled Direction |
Wake-on-LAN Traffic |
Setting Up and Configuring 802.1X Open VLAN Mode |
Configuring General 802.1X Operation |
Configuring 802.1X Open VLAN Mode |
Inspecting 802.1X Open VLAN Mode Operation |
Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices |
Viewing 802.1X Open VLAN Mode Status |
Show Commands for Port-Access Supplicant |
How RADIUS/802.1X Authentication Affects VLAN Operation |
Port-Security |
Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches |
Supplicant Port Configuration |
Configuring Mixed Port Access Mode |
General 802.1X Authenticator Operation |
Viewing |
Using |
Overview |
Messages Related to 802.1X Operation |
Secure Mode (3800, 3810, 5400zl, and 8200zl Switches) |
Configuring |
Configuring secure mode |
Commands affected when enhanced secure mode is enabled |
Feature-specific show commands |
Show flash and show version command output |
Show config commands |
MIB CLI commands |
Password commands |
Additional password command option |
Prompt for password when first logging in |
Behavior when changing or exiting levels |
Additional password commands |
Secret keys |
SSH changes |
SSL changes |
Zeroizing with HA |
Opacity shields command |
Overview |
Troubleshooting |
Certificate manager |
Configuration support |
Switch identity profile |
Local certificate enrollment – manual mode |
Removal of certificates/CSRs |
Zeroization |
File transfer |
Loading a local certificate |
Debug logging |
Certificate specific |
Profile specific—TA profile |
Web support |
Error messages |
Conformance to Suite-B Cryptography requirements |
Configuration support |
Retrieve CRL |
Set TA profile to validate CRL and OCSP |
Clear CRL |
Create a certificate signing request |
Create and enroll a self-signed certificate |
Configure or remove the minimum levels of security minLos for TLS |
Install authentication files |
Remove authentication files |
show crypto client-public-key |
Remove the client public keys from configuration |
Show details of TA profile |
Support and other resources |
Copyright © 2016 Hewlett Packard Enterprise Development LP