Contents

- Configuring AAA
  - Overview
  - FIPS compliance
  - AAA configuration considerations and task list
  - Configuring AAA schemes
  - Configuring AAA methods for ISP domains
  - Configuring the RADIUS session-control feature
  - Configuring the RADIUS DAS feature
  - Changing the DSCP priority for RADIUS packets
  - Configuring the RADIUS attribute translation feature
  - Setting the maximum number of concurrent login users
  - Configuring a NAS-ID profile
  - Configuring the device ID
  - Configuring the RADIUS server feature
  - Displaying and maintaining AAA
  - AAA configuration examples
    - AAA for SSH users by an HWTACACS server
    - Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users
    - Authentication and authorization for SSH users by a RADIUS server
    - Authentication for SSH users by an LDAP server
    - AAA for 802.1X users by a RADIUS server
    - Local guest configuration and management example
    - Authentication and authorization of 802.1X users by the device as a RADIUS server
  - Troubleshooting RADIUS
  - Troubleshooting HWTACACS
  - Troubleshooting LDAP
- 802.1X overview
- Configuring 802.1X
  - Access control methods
  - 802.1X VLAN manipulation
  - Using 802.1X authentication with other features
  - Configuration prerequisites
  - 802.1X configuration task list
  - Enabling 802.1X
  - Enabling EAP relay or EAP termination
  - Setting the port authorization state
  - Specifying an access control method
  - Setting the maximum number of concurrent 802.1X users on a port
  - Setting the maximum number of authentication request attempts
  - Setting the 802.1X authentication timeout timers
  - Configuring online user handshake
  - Configuring the authentication trigger feature
  - Specifying a mandatory authentication domain on a port
  - Setting the quiet timer
  - Configuring 802.1X reauthentication
  - Configuring an 802.1X guest VLAN
  - Enabling 802.1X guest VLAN assignment delay
  - Configuring an 802.1X Auth-Fail VLAN
  - Configuring an 802.1X critical VLAN
  - Enabling the 802.1X critical voice VLAN
  - Specifying supported domain name delimiters
  - Enabling 802.1X user IP freezing
  - Sending 802.1X protocol packets out of a port without VLAN tags
  - Setting the maximum number of 802.1X authentication attempts for MAC authenticated users
  - Configuring the EAD assistant feature
  - Configuring 802.1X SmartOn
  - Displaying and maintaining 802.1X
  - 802.1X authentication configuration examples
    - Basic 802.1X authentication configuration example
    - 802.1X guest VLAN and authorization VLAN configuration example
    - 802.1X with ACL assignment configuration example
    - 802.1X with EAD assistant configuration example (with DHCP relay agent)
    - 802.1X with EAD assistant configuration example (with DHCP server)
    - 802.1X SmartOn configuration example
  - Troubleshooting 802.1X
- Configuring MAC authentication
  - Overview
  - Configuration prerequisites
  - General guidelines and restrictions
  - Configuration task list
  - Enabling MAC authentication
  - Specifying a MAC authentication domain
  - Configuring the user account format
  - Configuring MAC authentication timers
  - Setting the maximum number of concurrent MAC authentication users on a port
  - Enabling MAC authentication multi-VLAN mode on a port
  - Configuring MAC authentication delay
  - Enabling parallel processing of MAC authentication and 802.1X authentication
  - Configuring a MAC authentication guest VLAN
  - Configuring a MAC authentication critical VLAN
  - Enabling the MAC authentication critical voice VLAN
  - Configuring periodic MAC reauthentication
  - Including user IP addresses in MAC authentication requests
  - Enabling MAC authentication offline detection
  - Displaying and maintaining MAC authentication
  - MAC authentication configuration examples
- Configuring portal authentication
  - Overview
  - Portal configuration task list
  - Configuration prerequisites
  - Configuring a portal authentication server
  - Configuring a portal Web server
  - Enabling portal authentication
  - Specifying a portal Web server
  - Controlling portal user access
    - Configuring a portal-free rule
    - Configuring an authentication source subnet
    - Configuring an authentication destination subnet
    - Setting the maximum number of portal users
    - Specifying a portal authentication domain
    - Specifying a preauthentication domain
    - Specifying a preauthentication IP address pool for portal users
    - Enabling strict-checking on portal authorization information
    - Enabling portal authentication only for DHCP users
    - Enabling outgoing packets filtering on a portal-enabled interface
  - Configuring portal detection features
  - Configuring the portal fail-permit feature
  - Configuring BAS-IP for unsolicited portal packets sent to the portal authentication server
  - Enabling portal roaming
  - Specifying a format for the NAS-Port-ID attribute
  - Logging out online portal users
  - Configuring Web redirect
  - Applying a NAS-ID profile to an interface
  - Configuring the local portal Web server feature
  - Enabling ARP or ND entry conversion for portal clients
  - Configuring HTTPS redirect
  - Configuring MAC-based quick portal authentication
  - Enabling logging for user logins and logouts
  - Displaying and maintaining portal
  - Portal configuration examples
    - Configuring direct portal authentication
    - Configuring re-DHCP portal authentication
    - Configuring cross-subnet portal authentication
    - Configuring extended direct portal authentication
    - Configuring extended re-DHCP portal authentication
    - Configuring extended cross-subnet portal authentication
    - Configuring portal server detection and portal user synchronization
    - Configuring cross-subnet portal authentication for MPLS L3VPNs
    - Configuring direct portal authentication with a preauthentication domain
    - Configuring re-DHCP portal authentication with a preauthentication domain
    - Configuring direct portal authentication using local portal Web server
  - Troubleshooting portal
- Configuring port security
  - Overview
  - General guidelines and restrictions
  - Configuration task list
  - Enabling port security
  - Setting port security's limit on the number of secure MAC addresses on a port
  - Setting the port security mode
  - Configuring port security features
  - Configuring secure MAC addresses
  - Ignoring authorization information from the server
  - Enabling MAC move
  - Enabling the authorization-fail-offline feature
  - Applying a NAS-ID profile to port security
  - Enabling SNMP notifications for port security
  - Displaying and maintaining port security
  - Port security configuration examples
  - Troubleshooting port security
- Configuring password control
  - Overview
  - FIPS compliance
  - Password control configuration task list
  - Enabling password control
  - Setting global password control parameters
  - Setting user group password control parameters
  - Setting local user password control parameters
  - Setting super password control parameters
  - Displaying and maintaining password control
  - Password control configuration example
- Configuring keychains
- Managing public keys
- Configuring PKI
  - Overview
  - FIPS compliance
  - PKI configuration task list
  - Configuring a PKI entity
  - Configuring a PKI domain
  - Requesting a certificate
  - Aborting a certificate request
  - Obtaining certificates
  - Verifying PKI certificates
  - Specifying the storage path for the certificates and CRLs
  - Exporting certificates
  - Removing a certificate
  - Configuring a certificate-based access control policy
  - Displaying and maintaining PKI
  - PKI configuration examples
    - Requesting a certificate from an RSA Keon CA server
    - Requesting a certificate from a Windows Server 2003 CA server
    - Requesting a certificate from an OpenCA server
    - IKE negotiation with RSA digital signature from a Windows Server 2003 CA server
    - Certificate-based access control policy configuration example
    - Certificate import and export configuration example
  - Troubleshooting PKI configuration
- Configuring IPsec
  - Overview
  - FIPS compliance
  - IPsec tunnel establishment
  - Implementing ACL-based IPsec
    - Feature restrictions and guidelines
    - ACL-based IPsec configuration task list
    - Configuring an ACL
    - Configuring an IPsec transform set
    - Configuring a manual IPsec policy
    - Configuring an IKE-based IPsec policy
    - Applying an IPsec policy to an interface
    - Enabling ACL checking for de-encapsulated packets
    - Configuring IPsec anti-replay
    - Configuring IPsec anti-replay redundancy
    - Binding a source interface to an IPsec policy
    - Enabling QoS pre-classify
    - Enabling logging of IPsec packets
    - Configuring the DF bit of IPsec packets
    - Configuring IPsec RRI
  - Configuring IPsec for IPv6 routing protocols
  - Configuring SNMP notifications for IPsec
  - Configuring IPsec fragmentation
  - Setting the maximum number of IPsec tunnels
  - Displaying and maintaining IPsec
  - IPsec configuration examples
- Configuring IKE
  - Overview
  - FIPS compliance
  - IKE configuration prerequisites
  - IKE configuration task list
  - Configuring an IKE profile
  - Configuring an IKE proposal
  - Configuring an IKE keychain
  - Configuring the global identity information
  - Configuring the IKE keepalive feature
  - Configuring the IKE NAT keepalive feature
  - Configuring IKE DPD
  - Enabling invalid SPI recovery
  - Setting the maximum number of IKE SAs
  - Configuring an IKE IPv4 address pool
  - Configuring SNMP notifications for IKE
  - Displaying and maintaining IKE
  - IKE configuration examples
  - Troubleshooting IKE
    - IKE negotiation failed because no matching IKE proposals were found
    - IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly
    - IPsec SA negotiation failed because no matching IPsec transform sets were found
    - IPsec SA negotiation failed due to invalid identity information
- Configuring IKEv2
- Configuring SSH
  - Overview
  - FIPS compliance
  - Configuring the device as an SSH server
    - SSH server configuration task list
    - Generating local key pairs
    - Enabling the Stelnet server
    - Enabling the SFTP server
    - Enabling the SCP server
    - Enabling NETCONF over SSH
    - Configuring the user lines for SSH login
    - Configuring a client's host public key
    - Configuring an SSH user
    - Configuring the SSH management parameters
    - Specifying a PKI domain for the SSH server
    - Specifying the SSH service port
  - Configuring the device as an Stelnet client
  - Configuring the device as an SFTP client
    - SFTP client configuration task list
    - Generating local key pairs
    - Specifying the source IP address for SFTP packets
    - Establishing a connection to an SFTP server
    - Establishing a connection to an SFTP server based on Suite B
    - Working with SFTP directories
    - Working with SFTP files
    - Displaying help information
    - Terminating the connection with the SFTP server
  - Configuring the device as an SCP client
  - Specifying algorithms for SSH2
  - Displaying and maintaining SSH
  - Stelnet configuration examples
    - Password authentication enabled Stelnet server configuration example
    - Publickey authentication enabled Stelnet server configuration example
    - Password authentication enabled Stelnet client configuration example
    - Publickey authentication enabled Stelnet client configuration example
    - Stelnet configuration example based on 128-bit Suite B algorithms
  - SFTP configuration examples
  - SCP configuration examples
  - NETCONF over SSH configuration example with password authentication
- Configuring SSL
- Configuring attack detection and prevention
  - Overview
  - Attacks that the device can prevent
  - Blacklist feature
  - Attack detection and prevention configuration task list
  - Configuring an attack defense policy
    - Creating an attack defense policy
    - Configuring a single-packet attack defense policy
    - Configuring a scanning attack defense policy
    - Configuring a flood attack defense policy
    - Configuring attack detection exemption
    - Applying an attack defense policy to an interface
    - Applying an attack defense policy to the device
    - Enabling log non-aggregation for single-packet attack events
  - Configuring TCP fragment attack prevention
  - Configuring the IP blacklist feature
  - Configuring the user blacklist feature
  - Configuring login attack prevention
  - Enabling the login delay
  - Displaying and maintaining attack detection and prevention
  - Attack detection and prevention configuration examples
- Configuring TCP attack prevention
- Configuring IP source guard
  - Overview
  - Configuration restrictions and guidelines
  - IPSG configuration task list
  - Configuring the IPv4SG feature
  - Configuring the IPv6SG feature
  - Displaying and maintaining IPSG
  - IPSG configuration examples
    - Static IPv4SG configuration example
    - Dynamic IPv4SG using DHCP snooping configuration example
    - Dynamic IPv4SG using DHCP relay agent configuration example
    - Static IPv6SG configuration example
    - Dynamic IPv6SG using DHCPv6 snooping configuration example
    - Dynamic IPv6SG using DHCPv6 relay agent configuration example
- Configuring ARP attack protection
  - ARP attack protection configuration task list
  - Configuring unresolvable IP attack protection
  - Configuring ARP packet rate limit
  - Configuring source MAC-based ARP attack detection
  - Configuring ARP packet source MAC consistency check
  - Configuring ARP active acknowledgement
  - Configuring authorized ARP
  - Configuring ARP attack detection
    - Configuring user validity check
    - Configuring ARP packet validity check
    - Configuring ARP restricted forwarding
    - Enabling ARP attack detection logging
    - Displaying and maintaining ARP attack detection
    - User validity check and ARP packet validity check configuration example
    - ARP restricted forwarding configuration example
  - Configuring ARP scanning and fixed ARP
  - Configuring ARP gateway protection
  - Configuring ARP filtering
  - Configuring ARP sender IP address checking
- Configuring ND attack defense
- Configuring uRPF
- Configuring IPv6 uRPF
- Configuring MFF
- Configuring FIPS
- Configuring MACsec
  - Overview
  - Feature and hardware compatibility
  - General restrictions and guidelines
  - MACsec configuration task list
  - Enabling MKA
  - Enabling MACsec desire
  - Configuring a preshared key
  - Configuring the MKA key server priority
  - Configuring MACsec protection parameters in interface view
  - Configuring MACsec protection parameters by MKA policy
  - Displaying and maintaining MACsec
  - MACsec configuration examples
  - Troubleshooting MACsec
- Configuring 802.1X client
  - 802.1X client configuration task list
  - Enabling the 802.1X client feature
  - Configuring an 802.1X client username and password
  - Configuring an 802.1X client MAC address
  - Specifying an 802.1X client EAP authentication method
  - Configuring an 802.1X client anonymous identifier
  - Specifying an SSL client policy
  - Displaying and maintaining 802.1X client
- Configuring Web authentication
  - Overview
  - Web authentication task list
  - Configuration prerequisites
  - Configuring the Web authentication server
  - Enabling Web authentication
  - Specifying a Web authentication domain
  - Setting the redirection wait time
  - Configuring a Web authentication-free subnet
  - Setting the maximum number of Web authentication users
  - Configuring online Web authentication user detection
  - Configuring an Auth-Fail VLAN
  - Configuring Web authentication to support Web proxy
  - Displaying and maintaining Web authentication
  - Web authentication configuration examples
  - Troubleshooting Web authentication
- Configuring triple authentication
- Document conventions and icons
- Support and other resources