Contents

- Configuring AAA
  - Overview
  - FIPS compliance
  - AAA configuration considerations and task list
  - Configuring AAA schemes
  - Configuring AAA methods for ISP domains
  - Configuring the session-control feature
  - Configuring the RADIUS DAE server feature
  - Changing the DSCP priority for RADIUS packets
  - Setting the maximum number of concurrent login users
  - Configuring and applying an ITA policy
  - Configuring a NAS-ID profile
  - Configuring the device ID
  - Displaying and maintaining AAA
  - AAA configuration examples
    - Authentication and authorization for SSH users by a RADIUS server
    - Local authentication and authorization for SSH users
    - AAA for SSH users by an HWTACACS server
    - Authentication for SSH users by an LDAP server
    - AAA for PPP users by an HWTACACS server
    - ITA configuration example for IPoE users
    - Local guest configuration and management example
  - Troubleshooting RADIUS
  - Troubleshooting HWTACACS
  - Troubleshooting LDAP
- 802.1X overview
- Configuring 802.1X
  - Access control methods
  - 802.1X VLAN manipulation
  - Using 802.1X authentication with other features
  - Compatibility information
  - Configuration prerequisites
  - 802.1X configuration task list
  - Enabling 802.1X
  - Enabling EAP relay or EAP termination
  - Setting the port authorization state
  - Specifying an access control method
  - Setting the maximum number of concurrent 802.1X users on a port
  - Setting the maximum number of authentication request attempts
  - Setting the 802.1X authentication timeout timers
  - Configuring online user handshake
  - Configuring the authentication trigger feature
  - Specifying a mandatory authentication domain on a port
  - Setting the quiet timer
  - Enabling the periodic online user reauthentication feature
  - Configuring an 802.1X guest VLAN
  - Configuring an 802.1X Auth-Fail VLAN
  - Configuring an 802.1X critical VLAN
  - Specifying supported domain name delimiters
  - Configuring the EAD assistant feature
  - Configuring 802.1X SmartOn
  - Displaying and maintaining 802.1X
  - 802.1X authentication configuration examples
    - Basic 802.1X authentication configuration example
    - 802.1X guest VLAN and authorization VLAN configuration example
    - 802.1X with ACL assignment configuration example
    - 802.1X with EAD assistant configuration example (with DHCP relay agent)
    - 802.1X with EAD assistant configuration example (with DHCP server)
    - 802.1X SmartOn configuration example
  - Troubleshooting 802.1X
- Configuring MAC authentication
  - Overview
  - Compatibility information
  - Configuration prerequisites
  - Configuration task list
  - Enabling MAC authentication
  - Specifying a MAC authentication domain
  - Configuring the user account format
  - Configuring MAC authentication timers
  - Setting the maximum number of concurrent MAC authentication users on a port
  - Configuring MAC authentication delay
  - Enabling MAC authentication multi-VLAN mode on a port
  - Configuring the keep-online feature
  - Including user IP addresses in MAC authentication requests
  - Displaying and maintaining MAC authentication
  - MAC authentication configuration examples
- Configuring portal authentication
  - Overview
    - Extended portal functions
    - Portal system components
    - Portal system using the local portal Web server
    - Interaction between portal system components
    - Portal authentication modes
    - Portal support for EAP
    - Portal authentication process
    - Portal packet filtering rules
    - BYOD support
    - MAC-based quick portal authentication
  - Compatibility information
  - Portal configuration task list
  - Configuration prerequisites
  - Configuring a portal authentication server
  - Configuring a portal Web server
  - Enabling portal authentication
  - Specifying a portal Web server
  - Controlling portal user access
    - Configuring a portal-free rule
    - Configuring an authentication source subnet
    - Configuring an authentication destination subnet
    - Setting the maximum number of portal users
    - Specifying a portal authentication domain
    - Specifying a preauthentication domain
    - Specifying a preauthentication IP address pool for portal users
    - Enabling strict-checking on portal authorization information
    - Enabling portal authentication only for DHCP users
    - Enabling outgoing packets filtering on a portal-enabled interface
  - Configuring portal detection features
  - Configuring the portal fail-permit feature
  - Configuring BAS-IP for portal packets sent to the portal authentication server
  - Specifying a format for the NAS-Port-ID attribute
  - Specifying the device ID
  - Enabling portal roaming
  - Logging out online portal users
  - Disabling traffic accounting for portal users
  - Configuring Web redirect
  - Applying a NAS-ID profile to an interface
  - Configuring the local portal Web server feature
  - Configuring HTTPS redirect
  - Configuring MAC-based quick portal authentication
  - Configuring NAS-Port-Type
  - Configuring portal safe-redirect
  - Setting the interval at which an AP reports traffic statistics to the AC
  - Excluding an attribute from portal protocol packets
  - Enabling portal logging
  - Configuring portal support for third-party authentication
  - Configuring portal temporary pass
  - Displaying and maintaining portal
  - Portal configuration examples (wired application)
    - Configuring direct portal authentication
    - Configuring re-DHCP portal authentication
    - Configuring cross-subnet portal authentication
    - Configuring extended direct portal authentication
    - Configuring extended re-DHCP portal authentication
    - Configuring extended cross-subnet portal authentication
    - Configuring portal server detection and portal user synchronization
    - Configuring cross-subnet portal authentication for MPLS L3VPNs
    - Configuring direct portal authentication with a preauthentication domain
    - Configuring re-DHCP portal authentication with a preauthentication domain
    - Configuring direct portal authentication using the local portal Web server
  - Portal configuration examples (wireless application)
  - Troubleshooting portal
- Configuring port security
  - Overview
  - Feature and hardware compatibility
  - Configuration task list
  - Enabling port security
  - Setting port security's limit on the number of secure MAC addresses on a port
  - Setting the port security mode
  - Configuring port security features
  - Configuring secure MAC addresses
  - Ignoring authorization information from the server
  - Enabling MAC move
  - Enabling the authorization-fail-offline feature
  - Applying a NAS-ID profile to port security
  - Enabling SNMP notifications for port security
  - Displaying and maintaining port security
  - Port security configuration examples
  - Troubleshooting port security
- Configuring user profiles
- Configuring password control
  - Overview
  - FIPS compliance
  - Password control configuration task list
  - Enabling password control
  - Setting global password control parameters
  - Setting user group password control parameters
  - Setting local user password control parameters
  - Setting super password control parameters
  - Displaying and maintaining password control
  - Password control configuration example
- Configuring keychains
- Managing public keys
- Configuring PKI
  - Overview
  - FIPS compliance
  - PKI configuration task list
  - Configuring a PKI entity
  - Configuring a PKI domain
  - Requesting a certificate
  - Aborting a certificate request
  - Obtaining certificates
  - Verifying PKI certificates
  - Specifying the storage path for the certificates and CRLs
  - Exporting certificates
  - Removing a certificate
  - Configuring a certificate-based access control policy
  - Displaying and maintaining PKI
  - PKI configuration examples
    - Requesting a certificate from an RSA Keon CA server
    - Requesting a certificate from a Windows Server 2003 CA server
    - Requesting a certificate from an OpenCA server
    - IKE negotiation with RSA digital signature from a Windows Server 2003 CA server
    - Certificate-based access control policy configuration example
    - Certificate import and export configuration example
  - Troubleshooting PKI configuration
- Configuring IPsec
  - Overview
  - FIPS compliance
  - IPsec tunnel establishment
  - Implementing ACL-based IPsec
    - Configuring an ACL
    - Configuring an IPsec transform set
    - Configuring a manual IPsec policy
    - Configuring an IKE-based IPsec policy
    - Applying an IPsec policy to an interface
    - Enabling ACL checking for de-encapsulated packets
    - Configuring IPsec anti-replay
    - Configuring IPsec anti-replay redundancy
    - Binding a source interface to an IPsec policy
    - Enabling QoS pre-classify
    - Enabling logging of IPsec packets
    - Configuring the DF bit of IPsec packets
    - Configuring IPsec RRI
  - Configuring IPsec for IPv6 routing protocols
  - Configuring IPsec for tunnels
  - Configuring SNMP notifications for IPsec
  - Configuring IPsec fragmentation
  - Setting the maximum number of IPsec tunnels
  - Enabling logging for IPsec negotiation
  - Displaying and maintaining IPsec
  - IPsec configuration examples
- Configuring IKE
  - Overview
  - FIPS compliance
  - IKE configuration prerequisites
  - IKE configuration task list
  - Configuring an IKE profile
  - Configuring an IKE proposal
  - Configuring an IKE keychain
  - Configuring the global identity information
  - Configuring the IKE keepalive feature
  - Configuring the IKE NAT keepalive feature
  - Configuring IKE DPD
  - Enabling invalid SPI recovery
  - Setting the maximum number of IKE SAs
  - Configuring an IKE IPv4 address pool
  - Configuring SNMP notifications for IKE
  - Enabling logging for IKE negotiation
  - Displaying and maintaining IKE
  - IKE configuration examples
    - Main mode IKE with pre-shared key authentication configuration example
    - Aggressive mode with RSA signature authentication configuration example
    - Aggressive mode with NAT traversal configuration example
    - IKE remote extended authentication configuration example
    - IKE local extended authentication and address pool authorization configuration example
  - Troubleshooting IKE
    - IKE negotiation failed because no matching IKE proposals were found
    - IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly
    - IPsec SA negotiation failed because no matching IPsec transform sets were found
    - IPsec SA negotiation failed due to invalid identity information
- Configuring IKEv2
- Configuring SSH
  - Overview
  - FIPS compliance
  - Configuring the device as an SSH server
    - SSH server configuration task list
    - Generating local key pairs
    - Enabling the Stelnet server
    - Enabling the SFTP server
    - Enabling the SCP server
    - Enabling NETCONF over SSH
    - Configuring the user lines for SSH login
    - Configuring a client's host public key
    - Configuring an SSH user
    - Configuring the SSH management parameters
  - Configuring the device as an Stelnet client
  - Configuring the device as an SFTP client
  - Configuring the device as an SCP client
  - Specifying algorithms for SSH2
  - Configuring SSH redirect
  - Displaying and maintaining SSH
  - Stelnet configuration examples
  - SFTP configuration examples
  - SCP configuration example
  - NETCONF over SSH configuration example
- Configuring SSL
- Configuring ASPF
  - Overview
  - Command and hardware compatibility
  - ASPF configuration task list
  - Configuring an ASPF policy
  - Applying an ASPF policy to an interface
  - Applying an ASPF policy to a zone pair
  - Enabling ICMP error message sending for packet dropping by security policies applied to zone pairs
  - Displaying and maintaining ASPF
  - ASPF configuration examples
- Configuring APR
  - Overview
  - Command and hardware compatibility
  - Licensing requirements
  - APR configuration task list
  - Configuring PBAR
  - Configuring a user-defined NBAR rule
  - Configuring application groups
  - Enabling application statistics on an interface
  - Managing the APR signature database
  - Displaying and maintaining APR
  - APR configuration examples
- Managing sessions
  - Overview
  - Command and hardware compatibility
  - Session management task list
  - Setting the session aging time for different protocol states
  - Setting the session aging time for different application layer protocols or applications
  - Specifying persistent sessions
  - Enabling session statistics collection
  - Specifying the loose mode for session state machine
  - Configuring session logging
  - Displaying and maintaining session management
- Configuring connection limits
- Configuring object groups
- Configuring object policies
  - Overview
  - Object policy rules
  - Command and hardware compatibility
  - Object policy configuration task list
  - Configuration prerequisites
  - Creating object policies
  - Configuring object policy rules
  - Applying object policies to zone pairs
  - Changing the rule match order
  - Enabling rule matching acceleration
  - Displaying and maintaining object policies
  - Object policy configuration example
- Configuring attack detection and prevention
  - Overview
  - Command and hardware compatibility
  - Attacks that the device can prevent
  - Blacklist
  - Whitelist
  - Client verification
  - Attack detection and prevention configuration task list
  - Configuring an attack defense policy
    - Creating an attack defense policy
    - Configuring a single-packet attack defense policy
    - Configuring a scanning attack defense policy
    - Configuring a flood attack defense policy
    - Configuring attack detection exemption
    - Applying an attack defense policy to an interface
    - Applying an attack defense policy to the device
    - Enabling log non-aggregation for single-packet attack events
  - Configuring TCP client verification
  - Configuring DNS client verification
  - Configuring HTTP client verification
  - Configuring the IP blacklist
  - Configuring the user blacklist
  - Configuring the address object group blacklist
  - Configuring the address object group whitelist
  - Enabling the login delay
  - Displaying and maintaining attack detection and prevention
  - Attack detection and prevention configuration examples
    - Interface-based attack detection and prevention configuration example
    - IP blacklist configuration example
    - User blacklist configuration example
    - Address object group blacklist configuration example
    - Address object group whitelist configuration example
    - Interface-based TCP client verification configuration example
    - Interface-based DNS client verification configuration example
    - Interface-based HTTP client verification configuration example
- Configuring IP source guard
- Configuring ARP attack protection
  - Command and hardware compatibility
  - ARP attack protection configuration task list
  - Configuring unresolvable IP attack protection
  - Configuring source MAC-based ARP attack detection
  - Configuring ARP packet source MAC consistency check
  - Configuring ARP active acknowledgement
  - Configuring authorized ARP
  - Configuring ARP attack detection
  - Configuring ARP scanning and fixed ARP
  - Configuring ARP gateway protection
  - Configuring ARP filtering
- Configuring uRPF
- Configuring IPv6 uRPF
- Configuring crypto engines
- Configuring FIPS
- Document conventions and icons
- Support and other resources