HPE FlexNetwork 7500 Series Security Configuration Manual

HPE FlexNetwork 7500 Switch Series
Security Configuration Guide
Part number: 5200-1952
Software version: 7500-CMW710-R7524
Document version: 6W100-20161230
© Copyright 2016 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are trademarks of the Microsoft group of companies.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
Contents
Configuring AAA
Overview
RADIUS
HWTACACS
LDAP
AAA implementation on the device
AAA for MPLS L3VPNs
RADIUS server feature of the device
Protocols and standards
RADIUS attributes
FIPS compliance
AAA configuration considerations and task list
Configuring AAA schemes
Configuring local users
Configuring RADIUS schemes
Configuring HWTACACS schemes
Configuring LDAP schemes
Configuring AAA methods for ISP domains
Configuration prerequisites
Creating an ISP domain
Configuring ISP domain attributes
Configuring authentication methods for an ISP domain
Configuring authorization methods for an ISP domain
Configuring accounting methods for an ISP domain
Configuring the RADIUS session-control feature
Configuring the RADIUS DAS feature
Changing the DSCP priority for RADIUS packets
Configuring the RADIUS attribute translation feature
Setting the maximum number of concurrent login users
Configuring a NAS-ID profile
Configuring the device ID
Configuring the RADIUS server feature
Restrictions and guidelines
Configuration task list
Specifying RADIUS clients
Activating the RADIUS server configuration
Displaying and maintaining RADIUS users and clients
Displaying and maintaining AAA
AAA configuration examples
AAA for SSH users by an HWTACACS server
Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users
Authentication and authorization for SSH users by a RADIUS server
Authentication for SSH users by an LDAP server
AAA for 802.1X users by a RADIUS server
Local guest configuration and management example
Authentication and authorization of 802.1X users by the device as a RADIUS server
Troubleshooting RADIUS
RADIUS authentication failure
RADIUS packet delivery failure
RADIUS accounting error
Troubleshooting HWTACACS
Troubleshooting LDAP
LDAP authentication failure
802.1X overview
802.1X architecture
Controlled/uncontrolled port and port authorization status
802.1X-related protocols
Packet formats
EAP over RADIUS
802.1X authentication initiation
802.1X client as the initiator
Access device as the initiator
802.1X authentication procedures
Comparing EAP relay and EAP termination
EAP relay
EAP termination
Configuring 802.1X
Access control methods
802.1X VLAN manipulation
Authorization VLAN
Guest VLAN
Auth-Fail VLAN
Critical VLAN
Critical voice VLAN
Using 802.1X authentication with other features
ACL assignment
Redirect URL assignment
EAD assistant
SmartOn
Configuration prerequisites
802.1X configuration task list
Enabling 802.1X
Enabling EAP relay or EAP termination
Setting the port authorization state
Specifying an access control method
Setting the maximum number of concurrent 802.1X users on a port
Setting the maximum number of authentication request attempts
Setting the 802.1X authentication timeout timers
Configuring online user handshake
Configuration restrictions and guidelines
Configuration procedure
Configuring the authentication trigger feature
Configuration restrictions and guidelines
Configuration procedure
Specifying a mandatory authentication domain on a port
Setting the quiet timer
Configuring 802.1X reauthentication
Overview
Configuration restrictions and guidelines
Configuring 802.1X periodic reauthentication
Configuring 802.1X manual reauthentication
Enabling the keep-online feature
Configuring an 802.1X guest VLAN
Configuration restrictions and guidelines
Configuration prerequisites
Configuration procedure
Enabling 802.1X guest VLAN assignment delay
Configuring an 802.1X Auth-Fail VLAN
Configuration restrictions and guidelines
Configuration prerequisites
Configuration procedure
Configuring an 802.1X critical VLAN
Configuration restrictions and guidelines
Configuration prerequisites
Configuration procedure
Enabling the 802.1X critical voice VLAN
Configuration restrictions and guidelines
Configuration prerequisites
Configuration procedure
Specifying supported domain name delimiters
Enabling 802.1X user IP freezing
Sending 802.1X protocol packets out of a port without VLAN tags
Setting the maximum number of 802.1X authentication attempts for MAC authenticated users
Configuring the EAD assistant feature
Configuring 802.1X SmartOn
Displaying and maintaining 802.1X
802.1X authentication configuration examples
Basic 802.1X authentication configuration example
802.1X guest VLAN and authorization VLAN configuration example
802.1X with ACL assignment configuration example
802.1X with EAD assistant configuration example (with DHCP relay agent)
802.1X with EAD assistant configuration example (with DHCP server)
802.1X SmartOn configuration example
Troubleshooting 802.1X
EAD assistant URL redirection failure
Configuring MAC authentication
Overview
User account policies
Authentication methods
VLAN assignment
ACL assignment
Redirect URL assignment
Configuration prerequisites
General guidelines and restrictions
Configuration task list
Enabling MAC authentication
Specifying a MAC authentication domain
Configuring the user account format
Configuring MAC authentication timers
Setting the maximum number of concurrent MAC authentication users on a port
Enabling MAC authentication multi-VLAN mode on a port
Configuring MAC authentication delay
Enabling parallel processing of MAC authentication and 802.1X authentication
Configuration restrictions and guidelines
Configuration procedure
Configuring a MAC authentication guest VLAN
Configuration prerequisites
Configuration restrictions and guidelines
Configuration procedure
Configuring a MAC authentication critical VLAN
Enabling the MAC authentication critical voice VLAN
Configuration prerequisites
Configuration procedure
Configuring periodic MAC reauthentication
Overview
Configuration restrictions and guidelines
Configuration procedure
Including user IP addresses in MAC authentication requests
Enabling MAC authentication offline detection
Displaying and maintaining MAC authentication
MAC authentication configuration examples
Local MAC authentication configuration example
RADIUS-based MAC authentication configuration example
ACL assignment configuration example
Configuring portal authentication
Overview
Extended portal functions
Portal system components
Portal system using the local portal Web server
Interaction between portal system components
Portal authentication modes
Portal support for EAP
Portal authentication process
Portal filtering rules
MAC-based quick portal authentication
Portal configuration task list
Configuration prerequisites
Configuring a portal authentication server
Configuring a portal Web server
Enabling portal authentication
Configuration restrictions and guidelines
Configuration procedure
Specifying a portal Web server
Controlling portal user access
Configuring a portal-free rule
Configuring an authentication source subnet
Configuring an authentication destination subnet
Setting the maximum number of portal users
Specifying a portal authentication domain
Specifying a preauthentication domain
Specifying a preauthentication IP address pool for portal users
Enabling strict-checking on portal authorization information
Enabling portal authentication only for DHCP users
Enabling outgoing packets filtering on a portal-enabled interface
Configuring portal detection features
Configuring online detection of portal users
Configuring portal authentication server detection
Configuring portal Web server detection
Configuring portal user synchronization
Configuring the portal fail-permit feature
Configuring BAS-IP for unsolicited portal packets sent to the portal authentication server
Enabling portal roaming
Specifying a format for the NAS-Port-ID attribute
Logging out online portal users
Configuring Web redirect
Applying a NAS-ID profile to an interface
Configuring the local portal Web server feature
Customizing authentication pages
Configuring a local portal Web server
Enabling ARP or ND entry conversion for portal clients
Configuring HTTPS redirect
Configuring MAC-based quick portal authentication
Configuring a MAC binding server
Specifying a MAC binding server on an interface ·················································································· 182
Enabling logging for user logins and logouts ································································································· 182
Displaying and maintaining portal ·················································································································· 182
Portal configuration examples ························································································································ 183
Configuring direct portal authentication ·································································································· 183
Configuring re-DHCP portal authentication ···························································································· 189
Configuring cross-subnet portal authentication ······················································································ 193
Configuring extended direct portal authentication ·················································································· 196
Configuring extended re-DHCP portal authentication ············································································ 199
Configuring extended cross-subnet portal authentication ······································································ 203
Configuring portal server detection and portal user synchronization ····················································· 207
Configuring cross-subnet portal authentication for MPLS L3VPNs························································ 212
Configuring direct portal authentication with a preauthentication domain ·············································· 214
Configuring re-DHCP portal authentication with a preauthentication domain ········································ 216
Configuring direct portal authentication using local portal Web server ·················································· 218
Troubleshooting portal ··································································································································· 221
No portal authentication page is pushed for users ················································································· 221
Cannot log out portal users on the access device ················································································· 222
Cannot log out portal users on the RADIUS server ··············································································· 222
Users logged out by the access device still exist on the portal authentication server···························· 222
Re-DHCP portal authenticated users cannot log in successfully ··························································· 223
Configuring port security ············································································· 224
Overview ························································································································································ 224
Port security features ····························································································································· 224
Port security modes ······························································································································· 224
Configuration task list ····································································································································· 227
Enabling port security ···································································································································· 228
Setting port security's limit on the number of secure MAC addresses on a port ············································ 228
Setting the port security mode ······················································································································· 229
Configuring port security features ·················································································································· 230
Configuring NTK ····································································································································· 230
Configuring intrusion protection ············································································································· 230
Configuring secure MAC addresses ·············································································································· 231
Configuration prerequisites ···················································································································· 232
Configuration procedure ························································································································· 232
Ignoring authorization information from the server ························································································ 233
Enabling MAC move ······································································································································ 233
Enabling the authorization-fail-offline feature ································································································· 233
Applying a NAS-ID profile to port security ······································································································ 234
Enabling SNMP notifications for port security ································································································ 235
Displaying and maintaining port security ······································································································· 235
Port security configuration examples ············································································································· 235
autoLearn configuration example ··········································································································· 235
userLoginWithOUI configuration example ······························································································ 237
macAddressElseUserLoginSecure configuration example ···································································· 240
Troubleshooting port security ························································································································· 244
Cannot set the port security mode ········································································································· 244
Cannot configure secure MAC addresses ····························································································· 244
Configuring password control ····································································· 245
Overview ························································································································································ 245
Password setting ···································································································································· 245
Password updating and expiration ········································································································· 246
User login control ··································································································································· 247
Password not displayed in any form ······································································································ 248
Logging ·················································································································································· 248
FIPS compliance ············································································································································ 248
Password control configuration task list ········································································································· 248
Enabling password control ····························································································································· 249
Setting global password control parameters ·································································································· 249
Setting user group password control parameters ·························································································· 250
Setting local user password control parameters ···························································································· 251
Setting super password control parameters ·································································································· 252
Displaying and maintaining password control ································································································ 252
Password control configuration example ······································································································· 253
Network requirements ···························································································································· 253
Configuration procedure ························································································································· 253
Verifying the configuration ······················································································································ 255
Configuring keychains ················································································· 256
Overview ························································································································································ 256
Configuration procedure ································································································································ 256
Displaying and maintaining keychain ············································································································· 257
Keychain configuration example ···················································································································· 257
Network requirements ···························································································································· 257
Configuration procedure ························································································································· 258
Verifying the configuration ······················································································································ 259
Managing public keys ················································································· 263
Overview ························································································································································ 263
FIPS compliance ············································································································································ 263
Creating a local key pair ································································································································ 263
Distributing a local host public key ················································································································· 265
Exporting a host public key ···················································································································· 265
Displaying a host public key ··················································································································· 265
Destroying a local key pair ····························································································································· 266
Configuring a peer host public key ················································································································· 266
Importing a peer host public key from a public key file ·········································································· 266
Entering a peer host public key ·············································································································· 267
Displaying and maintaining public keys ········································································································· 267
Examples of public key management ············································································································ 267
Example for entering a peer host public key ·························································································· 267
Example for importing a public key from a public key file ······································································ 269
Configuring PKI ··························································································· 272
Overview ························································································································································ 272
PKI terminology ······································································································································ 272
PKI architecture ······································································································································ 273
PKI operation ········································································································································· 273
PKI applications ····································································································································· 274
Support for MPLS L3VPN ······················································································································ 274
FIPS compliance ············································································································································ 275
PKI configuration task list ······························································································································· 275
Configuring a PKI entity ································································································································· 275
Configuring a PKI domain ······························································································································ 276
Requesting a certificate ································································································································· 278
Configuration guidelines ························································································································· 278
Configuring automatic certificate request ······························································································· 279
Manually requesting a certificate ············································································································ 279
Aborting a certificate request ························································································································· 280
Obtaining certificates ····································································································································· 280
Configuration prerequisites ···················································································································· 280
Configuration guidelines ························································································································· 281
Configuration procedure ························································································································· 281
Verifying PKI certificates ································································································································ 281
Verifying certificates with CRL checking ································································································ 282
Verifying certificates without CRL checking ··························································································· 282
Specifying the storage path for the certificates and CRLs ············································································· 283
Exporting certificates ······································································································································ 283
Removing a certificate ··································································································································· 284
Configuring a certificate-based access control policy ···················································································· 284
Displaying and maintaining PKI ····················································································································· 285
PKI configuration examples ··························································································································· 286
Requesting a certificate from an RSA Keon CA server ·········································································· 286
Requesting a certificate from a Windows Server 2003 CA server ························································· 289
Requesting a certificate from an OpenCA server ··················································································· 292
Certificate-based access control policy configuration example ······························································ 295
Certificate import and export configuration example ·············································································· 297
Troubleshooting PKI configuration ················································································································· 302
Failed to obtain the CA certificate ·········································································································· 302
Failed to obtain local certificates ············································································································ 302
Failed to request local certificates ·········································································································· 303
Failed to obtain CRLs ····························································································································· 304
Failed to import the CA certificate ·········································································································· 305
Failed to import a local certificate ··········································································································· 305
Failed to export certificates ···················································································································· 305
Failed to set the storage path ················································································································· 306
Configuring SSH ························································································· 307
Overview ························································································································································ 307
How SSH works ····································································································································· 307
SSH authentication methods ·················································································································· 308
SSH support for Suite B ························································································································· 309
FIPS compliance ············································································································································ 309
Configuring the device as an SSH server ······································································································ 310
SSH server configuration task list ·········································································································· 310
Generating local key pairs ······················································································································ 310
Enabling the Stelnet server ···················································································································· 311
Enabling the SFTP server ······················································································································ 311
Enabling the SCP server ························································································································ 312
Enabling NETCONF over SSH ·············································································································· 312
Configuring the user lines for SSH login ································································································ 312
Configuring a client's host public key ····································································································· 313
Configuring an SSH user ······················································································································· 314
Configuring the SSH management parameters ····················································································· 315
Specifying a PKI domain for the SSH server ························································································· 316
Specifying the SSH service port ············································································································· 316
Configuring the device as an Stelnet client ···································································································· 317
Stelnet client configuration task list ········································································································ 317
Generating local key pairs ······················································································································ 317
Specifying the source IP address for SSH packets ················································································ 317
Establishing a connection to an Stelnet server ······················································································ 318
Establishing a connection to an Stelnet server based on Suite B ·························································· 320
Configuring the device as an SFTP client ······································································································ 321
SFTP client configuration task list ·········································································································· 321
Generating local key pairs ······················································································································ 321
Specifying the source IP address for SFTP packets ·············································································· 321
Establishing a connection to an SFTP server ························································································ 322
Establishing a connection to an SFTP server based on Suite B ···························································· 324
Working with SFTP directories ··············································································································· 324
Working with SFTP files ························································································································· 325
Displaying help information ···················································································································· 325
Terminating the connection with the SFTP server ················································································· 325
Configuring the device as an SCP client ········································································································ 325
SCP client configuration task list ············································································································ 325
Generating local key pairs ······················································································································ 326
Establishing a connection to an SCP server ·························································································· 326
Establishing a connection to an SCP server based on Suite B······························································ 328
Specifying algorithms for SSH2 ····················································································································· 328
Specifying key exchange algorithms for SSH2 ······················································································ 329
Specifying public key algorithms for SSH2 ···························································································· 329
Specifying encryption algorithms for SSH2 ···························································································· 330
Specifying MAC algorithms for SSH2 ···································································································· 330
Displaying and maintaining SSH ···················································································································· 330
Stelnet configuration examples ······················································································································ 331
Password authentication enabled Stelnet server configuration example ··············································· 331
Publickey authentication enabled Stelnet server configuration example ··············································· 333
Password authentication enabled Stelnet client configuration example ················································ 339
Publickey authentication enabled Stelnet client configuration example ················································· 342
Stelnet configuration example based on 128-bit Suite B algorithms ······················································ 344
SFTP configuration examples ························································································································ 348
Password authentication enabled SFTP server configuration example ················································· 348
Publickey authentication enabled SFTP client configuration example ··················································· 351
SFTP configuration example based on 192-bit Suite B algorithms ························································ 354
SCP configuration examples ·························································································································· 358
SCP configuration example with password authentication ···································································· 358
SCP configuration example based on Suite B algorithms ······································································ 360
NETCONF over SSH configuration example with password authentication ·················································· 366
Network requirements ···························································································································· 366
Configuration procedure ························································································································· 367
Verifying the configuration ······················································································································ 368
Configuring SSL ·························································································· 369
Overview ························································································································································ 369
SSL security services ····························································································································· 369
SSL protocol stack ································································································································· 369
FIPS compliance ············································································································································ 370
SSL configuration task list ······························································································································ 370
Configuring an SSL server policy ··················································································································· 370
Configuring an SSL client policy ···················································································································· 373
Displaying and maintaining SSL ···················································································································· 375
SSL server policy configuration example ······································································································· 375
Configuring attack detection and prevention ··············································· 378
Overview ························································································································································ 378
Attacks that the device can prevent ··············································································································· 378
Single-packet attacks ····························································································································· 378
Scanning attacks ···································································································································· 379
Flood attacks ·········································································································································· 380
TCP fragment attack ······························································································································ 381
Login DoS attack ···································································································································· 381
Login dictionary attack ··························································································································· 381
Blacklist feature ·············································································································································· 381
IP blacklist ·············································································································································· 381
User blacklist ·········································································································································· 382
Attack detection and prevention configuration task list ·················································································· 382
Configuring an attack defense policy ············································································································· 382
Creating an attack defense policy ·········································································································· 382
Configuring a single-packet attack defense policy ················································································· 383
Configuring a scanning attack defense policy ························································································ 384
Configuring a flood attack defense policy ······························································································ 385
Configuring attack detection exemption ································································································· 389
Applying an attack defense policy to an interface ·················································································· 390
Applying an attack defense policy to the device ···················································································· 390
Enabling log non-aggregation for single-packet attack events ······························································· 391
Configuring TCP fragment attack prevention ································································································· 391
Configuring the IP blacklist feature ················································································································ 391
Configuring the user blacklist feature ············································································································· 392
Configuring login attack prevention ················································································································ 392
Enabling the login delay ································································································································· 393
Displaying and maintaining attack detection and prevention ········································································· 393
Attack detection and prevention configuration examples ··············································································· 395
Interface-based attack detection and prevention configuration example ··············································· 395
IP blacklist configuration example ·········································································································· 399
User blacklist configuration example ······································································································ 400
Configuring TCP attack prevention ····························································· 401
Overview ························································································································································ 401
Configuring Naptha attack prevention ············································································································ 401
Configuring IP source guard ······································································· 402
Overview ························································································································································ 402
Static IPSG bindings ······························································································································ 402
Dynamic IPSG bindings ························································································································· 403
Configuration restrictions and guidelines ······································································································· 404
IPSG configuration task list ···························································································································· 404
Configuring the IPv4SG feature ····················································································································· 404
Enabling IPv4SG on an interface ··········································································································· 404
Configuring a static IPv4SG binding ······································································································ 405
Excluding IPv4 packets from IPSG filtering ···························································································· 406
Configuring the IPv6SG feature ····················································································································· 406
Enabling IPv6SG on an interface ··········································································································· 406
Configuring a static IPv6SG binding ······································································································ 407
Displaying and maintaining IPSG ·················································································································· 407
IPSG configuration examples ························································································································ 408
Static IPv4SG configuration example ····································································································· 408
Dynamic IPv4SG using DHCP snooping configuration example ··························································· 410
Dynamic IPv4SG using DHCP relay agent configuration example ························································ 411
Static IPv6SG configuration example ····································································································· 412
Dynamic IPv6SG using DHCPv6 snooping configuration example ······················································· 412
Dynamic IPv6SG using DHCPv6 relay agent configuration example ···················································· 413
Configuring ARP attack protection ······························································ 415
ARP attack protection configuration task list ·································································································· 415
Configuring unresolvable IP attack protection ······························································································· 415
Configuring ARP source suppression ···································································································· 416
Configuring ARP blackhole routing ········································································································ 416
Displaying and maintaining unresolvable IP attack protection ······························································· 416
Configuration example ··························································································································· 416
Configuring ARP packet rate limit ·················································································································· 417
Configuration guidelines ························································································································· 417
Configuration procedure ························································································································· 418
Configuring source MAC-based ARP attack detection ·················································································· 418
Configuration procedure ························································································································· 419
Displaying and maintaining source MAC-based ARP attack detection ·················································· 419
Configuration example ··························································································································· 420
Configuring ARP packet source MAC consistency check ·············································································· 421
Configuring ARP active acknowledgement ···································································································· 421
Configuring authorized ARP ·························································································································· 422
Configuration procedure ························································································································· 422
Configuration example (on a DHCP server) ··························································································· 422
Configuration example (on a DHCP relay agent) ··················································································· 423
Configuring ARP attack detection ·················································································································· 424
Configuring user validity check ·············································································································· 425
Configuring ARP packet validity check ·································································································· 426
Configuring ARP restricted forwarding ··································································································· 427
Enabling ARP attack detection logging ·································································································· 427
Displaying and maintaining ARP attack detection ·················································································· 427
User validity check and ARP packet validity check configuration example ············································ 428
ARP restricted forwarding configuration example ·················································································· 429
Configuring ARP scanning and fixed ARP ····································································································· 431
Configuration restrictions and guidelines ······························································································· 431
Configuration procedure ························································································································· 431
Configuring ARP gateway protection ············································································································· 431
Configuration guidelines ························································································································· 432
Configuration procedure ························································································································· 432
Configuration example ··························································································································· 432
Configuring ARP filtering ································································································································ 433
Configuration guidelines ························································································································· 433
Configuration procedure ························································································································· 433
Configuration example ··························································································································· 433
Configuring ARP sender IP address checking ······························································································· 434
Configuring ND attack defense ··································································· 436
Overview ························································································································································ 436
ND attack defense configuration task list ······································································································· 436
Enabling source MAC consistency check for ND messages ········································································· 436
Configuring ND attack detection ···················································································································· 437
About ND attack detection ····················································································································· 437
Configuration guidelines ························································································································· 437
Configuration procedure ························································································································· 438
Displaying and maintaining ND attack detection ···················································································· 438
ND attack detection configuration example ···························································································· 438
Configuring RA guard ···································································································································· 440
About RA guard ······································································································································ 440
Specifying the role of the attached device ····························································································· 440
Configuring an RA guard policy ············································································································· 441
Enabling the RA guard logging feature ·································································································· 441
Displaying and maintaining RA guard ···································································································· 442
RA guard configuration example ············································································································ 442
Configuring uRPF ······················································································· 445
Overview ························································································································································ 445
uRPF check modes ································································································································ 445
Cooperation with default route ··············································································································· 445
uRPF operation ······································································································································ 446
Network application ································································································································ 447
Enabling uRPF ··············································································································································· 448
Displaying and maintaining uRPF ·················································································································· 448
uRPF configuration example ·························································································································· 448
Configuring IPv6 uRPF ··············································································· 450
Overview ························································································································································ 450
IPv6 uRPF check modes ························································································································ 450
Cooperation with default route ··············································································································· 450
IPv6 uRPF operation ······························································································································ 451
Network application ································································································································ 452
Enabling IPv6 uRPF ······································································································································· 453
Displaying and maintaining IPv6 uRPF ·········································································································· 453
IPv6 uRPF configuration example ················································································································· 453
Configuring MFF ························································································· 455
Overview ························································································································································ 455
Basic concepts ······································································································································· 456
MFF operation modes ···························································································································· 456
MFF working mechanism ······················································································································· 457
Protocols and standards ························································································································ 457
Configuring MFF ············································································································································ 457
Enabling MFF ········································································································································· 457
Configuring a network port ····················································································································· 458
Enabling periodic gateway probe ··········································································································· 458
Specifying the IP addresses of servers ·································································································· 458
Displaying and maintaining MFF ···················································································································· 459
MFF configuration examples ·························································································································· 459
Auto-mode MFF configuration example in a tree network ····································································· 459
Auto-mode MFF configuration example in a ring network ······································································ 461
Manual-mode MFF configuration example in a tree network ································································· 462
Manual-mode MFF configuration example in a ring network ································································· 463
Configuring FIPS ························································································· 466
Overview ························································································································································ 466
Configuration restrictions and guidelines ······································································································· 466
Configuring FIPS mode ·································································································································· 467
Entering FIPS mode ······························································································································· 467
Configuration changes in FIPS mode ···································································································· 468
Exiting FIPS mode ································································································································· 469
FIPS self-tests ················································································································································ 469
Power-up self-tests ································································································································ 470
Conditional self-tests ······························································································································ 470
Triggering self-tests ································································································································ 471
Displaying and maintaining FIPS ··················································································································· 471
FIPS configuration examples ························································································································· 471
Entering FIPS mode through automatic reboot ······················································································ 471
Entering FIPS mode through manual reboot ·························································································· 472
Exiting FIPS mode through automatic reboot ························································································ 474
Exiting FIPS mode through manual reboot ···························································································· 474
Configuring MACsec ··················································································· 476
Overview ························································································································································ 476
Basic concepts ······································································································································· 476
MACsec services ··································································································································· 476
MACsec applications ······························································································································ 477
MACsec operating mechanism ·············································································································· 477
Protocols and standards ························································································································ 479
Feature and hardware compatibility ··············································································································· 479
General restrictions and guidelines ················································································································ 479
MACsec configuration task list ······················································································································· 480
Enabling MKA ················································································································································ 480
Enabling MACsec desire ································································································································ 480
Configuring a preshared key ·························································································································· 481
Configuring the MKA key server priority ········································································································ 481
Configuring MACsec protection parameters in interface view ······································································· 482
Configuring the MACsec confidentiality offset ························································································ 482
Configuring MACsec replay protection ··································································································· 482
Configuring the MACsec validation mode ······························································································ 483
Configuring MACsec protection parameters by MKA policy ·········································································· 483
Configuring an MKA policy ····················································································································· 483
Applying an MKA policy ························································································································· 484
Displaying and maintaining MACsec ············································································································· 484
MACsec configuration examples ··················································································································· 485
Client-oriented MACsec configuration example (host as client) ····························································· 485
Client-oriented MACsec configuration example (device as client) ························································· 488
Device-oriented MACsec configuration example ··················································································· 491
Troubleshooting MACsec ······························································································································· 494
Cannot establish MKA sessions between MACsec devices ·································································· 494
Configuring 802.1X client ············································································ 496
802.1X client configuration task list ················································································································ 496
Enabling the 802.1X client feature ················································································································· 496
Configuring an 802.1X client username and password ················································································· 497
Configuring an 802.1X client MAC address ··································································································· 497
Specifying an 802.1X client EAP authentication method ··············································································· 498
Configuring an 802.1X client anonymous identifier ························································································ 498
Specifying an SSL client policy ······················································································································ 499
Displaying and maintaining 802.1X client ······································································································ 499
Configuring Web authentication ·································································· 500
Overview ························································································································································ 500
Web authentication types ······················································································································· 500
Advantages of Web authentication ········································································································ 500
Web authentication system ···················································································································· 500
Web authentication process ··················································································································· 501
Web authentication task list ··························································································································· 502
Configuration prerequisites ···························································································································· 502
Configuring the Web authentication server ···································································································· 503
Enabling Web authentication ························································································································· 503
Specifying a Web authentication domain ······································································································· 504
Setting the redirection wait time ····················································································································· 504
Configuring a Web authentication-free subnet ······························································································· 505
Setting the maximum number of Web authentication users ·········································································· 505
Configuring online Web authentication user detection ··················································································· 505
Configuring an Auth-Fail VLAN ······················································································································ 506
Configuring Web authentication to support Web proxy ·················································································· 506
Displaying and maintaining Web authentication ···························································································· 507
Web authentication configuration examples ·································································································· 507
Web authentication using the local authentication server ······································································ 507
Web authentication using the RADIUS authentication server ································································ 509
Troubleshooting Web authentication ············································································································· 511
Failure to come online (Web authentication configuration correct) ···························································· 511
Failure to come online (local authentication interface using the default ISP domain) ···························· 511
Failure to come online (VLAN configured on interface) ············································································· 512
Configuring triple authentication ································································· 513
Overview ························································································································································ 513
Triple authentication mechanism ··········································································································· 513
Extended triple authentication features ·································································································· 514
Configuration restrictions and guidelines ······································································································· 515
Configuring triple authentication ···················································································································· 515
Triple authentication configuration examples ································································································· 515
Triple authentication basic function configuration example ···································································· 515
Triple authentication supporting authorization VLAN and authentication failure VLAN configuration example ·················································································································································· 519
Document conventions and icons ······························································· 525
Conventions ··················································································································································· 525
Network topology icons ·································································································································· 526
Support and other resources ······································································ 527
Accessing Hewlett Packard Enterprise Support ···························································································· 527
Accessing updates ········································································································································· 527
Websites ················································································································································ 528
Customer self repair ······························································································································· 528
Remote support ······································································································································ 528
Documentation feedback ······················································································································· 528
Index ··········································································································· 530
Configuring AAA
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. This feature specifies the following security functions:
• Authentication—Identifies users and verifies their validity.
• Authorization—Grants different users different rights, and controls the users' access to
resources and services. For example, you can permit office users to read and print files and
prevent guests from accessing files on the device.
• Accounting—Records network usage details of users, including the service type, start time,
and traffic. This function enables time-based and traffic-based charging and user behavior
auditing.
AAA uses a client/server model. The client runs on the access device, or the network access server
(NAS), which authenticates user identities and controls user access. The server maintains user
information centrally. See Figure 1.
Figure 1 AAA network diagram
To access networks or resources beyond the NAS, a user sends its identity information to the NAS.
The NAS transparently passes the user information to AAA servers and waits for the authentication,
authorization, and accounting result. Based on the result, the NAS determines whether to permit or
deny the access request.
AAA has various implementations, including RADIUS, HWTACACS, and LDAP. RADIUS is most
often used.
The network in Figure 1 has one RADIUS server and one HWTACACS server. You can use different
servers to implement different security functions. For example, you can use the HWTACACS server
for authentication and authorization, and use the RADIUS server for accounting.
You can choose the security functions provided by AAA as needed. For example, if your company
wants employees to be authenticated before they access specific resources, you would deploy an
authentication server. If network usage information is needed, you would also configure an
accounting server.
The device performs dynamic password authentication.
[Figure 1 labels: Remote user, Internet, NAS, Network, RADIUS server, HWTACACS server]
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction
protocol that uses a client/server model. The protocol can protect networks against unauthorized
access and is often used in network environments that require both high security and remote user
access.
The RADIUS authorization process is combined with the RADIUS authentication process, and user
authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812
for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access, and has been extended to support
additional access methods, such as Ethernet and ADSL.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
RADIUS servers and acts on the responses to, for example, reject or accept user access requests.
The RADIUS server runs on the computer or workstation at the network center and maintains
information related to user authentication and network service access.
The RADIUS server operates using the following process:
1. Receives authentication, authorization, and accounting requests from RADIUS clients.
2. Performs user authentication, authorization, or accounting.
3. Returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
The RADIUS server can also act as the client of another RADIUS server to provide authentication
proxy services.
The RADIUS server maintains the following databases:
• Users—Stores user information, such as the usernames, passwords, applied protocols, and IP
addresses.
• Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
• Dictionary—Stores RADIUS protocol attributes and their values.
Figure 2 RADIUS server databases
Information exchange security mechanism
The RADIUS client and server exchange information between them with the help of shared keys,
which are preconfigured on the client and server. A RADIUS packet has a 16-byte field called
Authenticator. This field includes a signature generated by using the MD5 algorithm, the shared key,
and some other information. The receiver of the packet verifies the signature and accepts the packet
only when the signature is correct. This mechanism ensures the security of information exchanged
between the RADIUS client and server.
The shared keys are also used to encrypt user passwords that are included in RADIUS packets.
User authentication methods
The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.
[Figure 2 labels: RADIUS servers; Users, Clients, Dictionary]
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process
RADIUS operates in the following workflow:
1. The host sends a connection request that includes the user's username and password to the
RADIUS client.
2. The RADIUS client sends an authentication request (Access-Request) to the RADIUS server.
The request includes the user's password, which has been processed by the MD5 algorithm
and shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds,
the server sends back an Access-Accept packet that contains the user's authorization
information. If the authentication fails, the server returns an Access-Reject packet.
4. The RADIUS client permits or denies the user according to the authentication result. If the result
permits the user, the RADIUS client sends a start-accounting request (Accounting-Request)
packet to the RADIUS server.
5. The RADIUS server returns an acknowledgment (Accounting-Response) packet and starts
accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection.
8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the
RADIUS server.
9. The RADIUS server returns an acknowledgment (Accounting-Response) and stops accounting
for the user.
10. The RADIUS client notifies the user of the termination.
RADIUS packet format
RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure
smooth packet exchange between the RADIUS server and the client. These mechanisms include the
timer mechanism, the retransmission mechanism, and the backup server mechanism.
[Figure 3 labels: Host, RADIUS client, RADIUS server; messages 1) Username and password, 2) Access-Request, 3) Access-Accept/Reject, 4) Accounting-Request (start), 5) Accounting-Response, 6) The host accesses the resources, 7) Teardown request, 8) Accounting-Request (stop), 9) Accounting-Response, 10) Notification of termination]
Figure 4 RADIUS packet format
Descriptions of the fields are as follows:
• The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main
values and their meanings.
Table 1 Main values of the Code field
| Code | Packet type | Description |
|---|---|---|
| 1 | Access-Request | From the client to the server. A packet of this type includes user information for the server to authenticate the user. It must contain the User-Name attribute and can optionally contain the attributes of NAS-IP-Address, User-Password, and NAS-Port. |
| 2 | Access-Accept | From the server to the client. If all attribute values included in the Access-Request are acceptable, the authentication succeeds, and the server sends an Access-Accept response. |
| 3 | Access-Reject | From the server to the client. If any attribute value included in the Access-Request is unacceptable, the authentication fails, and the server sends an Access-Reject response. |
| 4 | Accounting-Request | From the client to the server. A packet of this type includes user information for the server to start or stop accounting for the user. The Acct-Status-Type attribute in the packet indicates whether to start or stop accounting. |
| 5 | Accounting-Response | From the server to the client. The server sends a packet of this type to notify the client that it has received the Accounting-Request and has successfully recorded the accounting information. |
• The Identifier field (1 byte long) is used to match response packets with request packets and to
detect duplicate request packets. The request and response packets of the same exchange
process for the same purpose (such as authentication or accounting) have the same identifier.
• The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the
Code, Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are
considered padding and are ignored by the receiver. If the length of a received packet is less
than this length, the packet is dropped.
• The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS
server and to encrypt user passwords. There are two types of authenticators: request
authenticator and response authenticator.
• The Attributes field (variable in length) includes authentication, authorization, and accounting
information. This field can contain multiple attributes, each with the following subfields:
  ◦ Type—Type of the attribute.
  ◦ Length—Length of the attribute in bytes, including the Type, Length, and Value subfields.
  ◦ Value—Value of the attribute. Its format and content depend on the Type subfield.
[Figure 4 fields, in order: Code, Identifier, Length, Authenticator (16 bytes), Attributes; bit ruler 0, 7, 15, 31]
Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC
2868. For more information, see "Commonly used standard RADIUS attributes."
Table 2 Commonly used RADIUS attributes
| No. | Attribute | No. | Attribute |
|---|---|---|---|
| 1 | User-Name | 45 | Acct-Authentic |
| 2 | User-Password | 46 | Acct-Session-Time |
| 3 | CHAP-Password | 47 | Acct-Input-Packets |
| 4 | NAS-IP-Address | 48 | Acct-Output-Packets |
| 5 | NAS-Port | 49 | Acct-Terminate-Cause |
| 6 | Service-Type | 50 | Acct-Multi-Session-Id |
| 7 | Framed-Protocol | 51 | Acct-Link-Count |
| 8 | Framed-IP-Address | 52 | Acct-Input-Gigawords |
| 9 | Framed-IP-Netmask | 53 | Acct-Output-Gigawords |
| 10 | Framed-Routing | 54 | (unassigned) |
| 11 | Filter-ID | 55 | Event-Timestamp |
| 12 | Framed-MTU | 56-59 | (unassigned) |
| 13 | Framed-Compression | 60 | CHAP-Challenge |
| 14 | Login-IP-Host | 61 | NAS-Port-Type |
| 15 | Login-Service | 62 | Port-Limit |
| 16 | Login-TCP-Port | 63 | Login-LAT-Port |
| 17 | (unassigned) | 64 | Tunnel-Type |
| 18 | Reply-Message | 65 | Tunnel-Medium-Type |
| 19 | Callback-Number | 66 | Tunnel-Client-Endpoint |
| 20 | Callback-ID | 67 | Tunnel-Server-Endpoint |
| 21 | (unassigned) | 68 | Acct-Tunnel-Connection |
| 22 | Framed-Route | 69 | Tunnel-Password |
| 23 | Framed-IPX-Network | 70 | ARAP-Password |
| 24 | State | 71 | ARAP-Features |
| 25 | Class | 72 | ARAP-Zone-Access |
| 26 | Vendor-Specific | 73 | ARAP-Security |
| 27 | Session-Timeout | 74 | ARAP-Security-Data |
| 28 | Idle-Timeout | 75 | Password-Retry |
| 29 | Termination-Action | 76 | Prompt |
| 30 | Called-Station-Id | 77 | Connect-Info |
| 31 | Calling-Station-Id | 78 | Configuration-Token |
| 32 | NAS-Identifier | 79 | EAP-Message |
| 33 | Proxy-State | 80 | Message-Authenticator |
| 34 | Login-LAT-Service | 81 | Tunnel-Private-Group-id |
| 35 | Login-LAT-Node | 82 | Tunnel-Assignment-id |
| 36 | Login-LAT-Group | 83 | Tunnel-Preference |
| 37 | Framed-AppleTalk-Link | 84 | ARAP-Challenge-Response |
| 38 | Framed-AppleTalk-Network | 85 | Acct-Interim-Interval |
| 39 | Framed-AppleTalk-Zone | 86 | Acct-Tunnel-Packets-Lost |
| 40 | Acct-Status-Type | 87 | NAS-Port-Id |
| 41 | Acct-Delay-Time | 88 | Framed-Pool |
| 42 | Acct-Input-Octets | 89 | (unassigned) |
| 43 | Acct-Output-Octets | 90 | Tunnel-Client-Auth-id |
| 44 | Acct-Session-Id | 91 | Tunnel-Server-Auth-id |
Extended RADIUS attributes
The RADIUS protocol features excellent extensibility. The Vendor-Specific attribute (attribute 26)
allows a vendor to define extended attributes. The extended attributes can implement functions that
the standard RADIUS protocol does not provide.
A vendor can encapsulate multiple subattributes in the TLV format in attribute 26 to provide extended
functions. As shown in Figure 5, a subattribute encapsulated in attribute 26 consists of the following
parts:
• Vendor-ID—ID of the vendor. The most significant byte is 0. The other three bytes contain a
code compliant with RFC 1700.
• Vendor-Type—Type of the subattribute.
• Vendor-Length—Length of the subattribute.
• Vendor-Data—Contents of the subattribute.
Hewlett Packard Enterprise supports the RADIUS subattributes with a vendor ID of 25506. For more
information, see "Proprietary RADIUS subattributes (vendor ID 25506)."
Figure 5 Format of attribute 26
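A parser for the packet layout in Figure 4 and the attribute 26 layout in Figure 5, added here as an example and not taken from HPE's software. It applies the Length rules stated above (a short packet is dropped, trailing bytes are ignored as padding) and assumes, as RFC 2865 recommends, that Vendor-Length counts the Vendor-Type and Vendor-Length bytes. The sample packet and subattribute type 1 are constructed.

```python
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response"}
VENDOR_SPECIFIC = 26
HPE_VENDOR_ID = 25506


class MalformedPacket(ValueError):
    """Raised for any packet the receiver must drop."""


def walk_tlv(buf: bytes, what: str):
    """Yield (type, value) pairs; the 1-byte length covers type + length + value."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise MalformedPacket(f"truncated {what} header")
        kind, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise MalformedPacket(f"bad {what} length {length}")
        yield kind, buf[pos + 2:pos + length]
        pos += length


def parse_vsa(value: bytes):
    """Decode attribute 26: 4-byte Vendor-ID followed by subattribute TLVs."""
    if len(value) < 4:
        raise MalformedPacket("Vendor-Specific shorter than Vendor-ID")
    vendor_id = struct.unpack("!I", value[:4])[0]
    if vendor_id >> 24:
        raise MalformedPacket("most significant Vendor-ID byte must be 0")
    return vendor_id, list(walk_tlv(value[4:], "subattribute"))


def parse_packet(datagram: bytes) -> dict:
    if len(datagram) < 20:
        raise MalformedPacket("shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if not 20 <= length <= 4096:  # RFC 2865 bounds
        raise MalformedPacket(f"Length {length} out of range")
    if len(datagram) < length:
        raise MalformedPacket("received fewer bytes than Length: drop")
    body = datagram[:length]  # bytes beyond Length are padding
    attrs = [(t, parse_vsa(v) if t == VENDOR_SPECIFIC else v)
             for t, v in walk_tlv(body[20:], "attribute")]
    return {"code": CODES.get(code, f"unknown({code})"), "id": ident,
            "authenticator": body[4:20], "attributes": attrs}


def tlv(kind: int, value: bytes) -> bytes:
    return bytes([kind, len(value) + 2]) + value


def sample_packet() -> bytes:
    """Constructed Access-Accept: Reply-Message plus one vendor 25506 subattribute."""
    vsa = struct.pack("!I", HPE_VENDOR_ID) + tlv(1, b"\x00\x00\x00\x0a")
    attrs = tlv(18, b"welcome") + tlv(VENDOR_SPECIFIC, vsa)
    return struct.pack("!BBH", 2, 7, 20 + len(attrs)) + bytes(16) + attrs
```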
HWTACACS
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security
protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server
model for information exchange between the NAS and the HWTACACS server.
HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical
HWTACACS scenario, terminal users need to log in to the NAS. Working as the HWTACACS client,
the NAS sends users' usernames and passwords to the HWTACACS server for authentication. After
[Figure 5 fields, in order: Type, Length, Vendor-ID, Vendor-ID (continued), Vendor-Type, Vendor-Length, Vendor-Data (specified attribute value); bit ruler 0, 7, 15, 23, 31]