HPE FlexNetwork 7500 Series Security Configuration Manual
- Category
- Software
- Type
- Security Configuration Manual
HPE FlexNetwork 7500 Switch Series
Security Configuration Guide
P
art number: 5200-1952
Software
version: 7500-CMW710-R7524
Document version: 6W100-20161230
© Copyright 2016 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are trademarks of the Microsoft group of companies.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
i
Contents
Configuring AAA ····························································································· 1
Overview ···························································································································································· 1
RADIUS ······················································································································································ 2
HWTACACS ··············································································································································· 6
LDAP ·························································································································································· 9
AAA implementation on the device ·········································································································· 12
AAA for MPLS L3VPNs ···························································································································· 14
RADIUS server feature of the device ······································································································· 14
Protocols and standards ·························································································································· 15
RADIUS attributes ···································································································································· 15
FIPS compliance ·············································································································································· 19
AAA configuration considerations and task list ································································································ 19
Configuring AAA schemes ······························································································································· 21
Configuring local users ····························································································································· 21
Configuring RADIUS schemes ················································································································· 27
Configuring HWTACACS schemes ·········································································································· 39
Configuring LDAP schemes ····················································································································· 45
Configuring AAA methods for ISP domains ····································································································· 49
Configuration prerequisites ······················································································································ 50
Creating an ISP domain ··························································································································· 50
Configuring ISP domain attributes ··········································································································· 51
Configuring authentication methods for an ISP domain ··········································································· 52
Configuring authorization methods for an ISP domain ············································································· 53
Configuring accounting methods for an ISP domain ················································································ 54
Configuring the RADIUS session-control feature ····························································································· 55
Configuring the RADIUS DAS feature ············································································································· 56
Changing the DSCP priority for RADIUS packets ···························································································· 57
Configuring the RADIUS attribute translation feature ······················································································ 57
Setting the maximum number of concurrent login users ·················································································· 59
Configuring a NAS-ID profile ···························································································································· 59
Configuring the device ID ································································································································· 59
Configuring the RADIUS server feature ··········································································································· 60
Restrictions and guidelines ······················································································································ 60
Configuration task list ······························································································································· 60
Specifying RADIUS clients ······················································································································· 60
Activating the RADIUS server configuration ···························································································· 61
Displaying and maintaining RADIUS users and clients ············································································ 61
Displaying and maintaining AAA ······················································································································ 61
AAA configuration examples ···························································································································· 61
AAA for SSH users by an HWTACACS server ························································································ 61
Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users ····················· 63
Authentication and authorization for SSH users by a RADIUS server ····················································· 65
Authentication for SSH users by an LDAP server ···················································································· 68
AAA for 802.1X users by a RADIUS server ····························································································· 71
Local guest configuration and management example ·············································································· 75
Authentication and authorization of 802.1X users by the device as a RADIUS server ···························· 77
Troubleshooting RADIUS ································································································································· 80
RADIUS authentication failure ················································································································· 80
RADIUS packet delivery failure ················································································································ 80
RADIUS accounting error ························································································································· 81
Troubleshooting HWTACACS ·························································································································· 81
Troubleshooting LDAP ····································································································································· 81
LDAP authentication failure ······················································································································ 81
802.1X overview ··························································································· 83
802.1X architecture ·········································································································································· 83
Controlled/uncontrolled port and port authorization status ·············································································· 83
ii
802.1X-related protocols ·································································································································· 84
Packet formats ········································································································································· 84
EAP over RADIUS ··································································································································· 85
802.1X authentication initiation ························································································································ 86
802.1X client as the initiator ····················································································································· 86
Access device as the initiator ··················································································································· 86
802.1X authentication procedures ··················································································································· 87
Comparing EAP relay and EAP termination ····························································································· 87
EAP relay ················································································································································· 88
EAP termination ······································································································································· 89
Configuring 802.1X ······················································································· 91
Access control methods ··································································································································· 91
802.1X VLAN manipulation ······························································································································ 91
Authorization VLAN ·································································································································· 91
Guest VLAN ············································································································································· 93
Auth-Fail VLAN ········································································································································ 94
Critical VLAN ············································································································································ 95
Critical voice VLAN ·································································································································· 97
Using 802.1X authentication with other features ····························································································· 98
ACL assignment ······································································································································· 98
Redirect URL assignment ························································································································ 98
EAD assistant ··········································································································································· 98
SmartOn ··················································································································································· 99
Configuration prerequisites ······························································································································ 99
802.1X configuration task list ························································································································· 100
Enabling 802.1X ············································································································································· 100
Enabling EAP relay or EAP termination ········································································································· 101
Setting the port authorization state ················································································································ 101
Specifying an access control method ············································································································ 102
Setting the maximum number of concurrent 802.1X users on a port ····························································· 102
Setting the maximum number of authentication request attempts ································································· 103
Setting the 802.1X authentication timeout timers ·························································································· 103
Configuring online user handshake ··············································································································· 103
Configuration restrictions and guidelines ······························································································· 104
Configuration procedure ························································································································· 104
Configuring the authentication trigger feature ································································································ 104
Configuration restrictions and guidelines ······························································································· 105
Configuration procedure ························································································································· 105
Specifying a mandatory authentication domain on a port ·············································································· 105
Setting the quiet timer ···································································································································· 106
Configuring 802.1X reauthentication ·············································································································· 106
Overview ················································································································································ 106
Configuration restrictions and guidelines ······························································································· 106
Configuring 802.1X periodic reauthentication ························································································ 107
Configuring 802.1X manual reauthentication ························································································· 107
Enabling the keep-online feature ··········································································································· 107
Configuring an 802.1X guest VLAN ··············································································································· 108
Configuration restrictions and guidelines ······························································································· 108
Configuration prerequisites ···················································································································· 108
Configuration procedure ························································································································· 109
Enabling 802.1X guest VLAN assignment delay ··························································································· 109
Configuring an 802.1X Auth-Fail VLAN ········································································································· 109
Configuration restrictions and guidelines ······························································································· 109
Configuration prerequisites ···················································································································· 110
Configuration procedure ························································································································· 110
Configuring an 802.1X critical VLAN ·············································································································· 110
Configuration restrictions and guidelines ······························································································· 111
Configuration prerequisites ···················································································································· 111
Configuration procedure ························································································································· 111
Enabling the 802.1X critical voice VLAN ········································································································ 112
Configuration restrictions and guidelines ······························································································· 112
iii
Configuration prerequisites ···················································································································· 112
Configuration procedure ························································································································· 112
Specifying supported domain name delimiters ······························································································ 112
Enabling 802.1X user IP freezing ·················································································································· 113
Sending 802.1X protocol packets out of a port without VLAN tags ······························································· 113
Setting the maximum number of 802.1X authentication attempts for MAC authenticated users ··················· 114
Configuring the EAD assistant feature ··········································································································· 114
Configuring 802.1X SmartOn ························································································································· 115
Displaying and maintaining 802.1X ················································································································ 116
802.1X authentication configuration examples ······························································································ 116
Basic 802.1X authentication configuration example ·············································································· 116
802.1X guest VLAN and authorization VLAN configuration example ···················································· 118
802.1X with ACL assignment configuration example ············································································· 121
802.1X with EAD assistant configuration example (with DHCP relay agent) ········································· 122
802.1X with EAD assistant configuration example (with DHCP server) ················································· 125
802.1X SmartOn configuration example ································································································ 127
Troubleshooting 802.1X ································································································································· 129
EAD assistant URL redirection failure ···································································································· 129
Configuring MAC authentication ································································· 130
Overview ························································································································································ 130
User account policies ····························································································································· 130
Authentication methods ·························································································································· 130
VLAN assignment ·································································································································· 131
ACL assignment ····································································································································· 132
Redirect URL assignment ······················································································································ 133
Configuration prerequisites ···························································································································· 133
General guidelines and restrictions ················································································································ 133
Configuration task list ····································································································································· 133
Enabling MAC authentication ························································································································· 134
Specifying a MAC authentication domain ······································································································ 134
Configuring the user account format ·············································································································· 135
Configuring MAC authentication timers ········································································································· 135
Setting the maximum number of concurrent MAC authentication users on a port ········································· 136
Enabling MAC authentication multi-VLAN mode on a port ············································································ 136
Configuring MAC authentication delay ··········································································································· 136
Enabling parallel processing of MAC authentication and 802.1X authentication ··········································· 137
Configuration restrictions and guidelines ······························································································· 137
Configuration procedure ························································································································· 138
Configuring a MAC authentication guest VLAN ····························································································· 138
Configuration prerequisites ···················································································································· 138
Configuration restrictions and guidelines ······························································································· 138
Configuration procedure ························································································································· 139
Configuring a MAC authentication critical VLAN ···························································································· 139
Enabling the MAC authentication critical voice VLAN ···················································································· 140
Configuration prerequisites ···················································································································· 140
Configuration procedure ························································································································· 140
Configuring periodic MAC reauthentication ··································································································· 140
Overview ················································································································································ 140
Configuration restrictions and guidelines ······························································································· 141
Configuration procedure ························································································································· 141
Including user IP addresses in MAC authentication requests ········································································ 142
Enabling MAC authentication offline detection ······························································································ 142
Displaying and maintaining MAC authentication ···························································································· 143
MAC authentication configuration examples ·································································································· 143
Local MAC authentication configuration example ·················································································· 143
RADIUS-based MAC authentication configuration example ·································································· 145
ACL assignment configuration example································································································· 147
Configuring portal authentication ································································ 151
Overview ························································································································································ 151
Extended portal functions ······················································································································· 151
iv
Portal system components ····················································································································· 151
Portal system using the local portal Web server ···················································································· 153
Interaction between portal system components ····················································································· 153
Portal authentication modes ··················································································································· 154
Portal support for EAP ··························································································································· 154
Portal authentication process ················································································································· 155
Portal filtering rules ································································································································ 157
MAC-based quick portal authentication ································································································· 157
Portal configuration task list ··························································································································· 158
Configuration prerequisites ···························································································································· 159
Configuring a portal authentication server ····································································································· 159
Configuring a portal Web server ···················································································································· 160
Enabling portal authentication ························································································································ 161
Configuration restrictions and guidelines ······························································································· 161
Configuration procedure ························································································································· 162
Specifying a portal Web server ······················································································································ 162
Controlling portal user access ························································································································ 163
Configuring a portal-free rule ················································································································· 163
Configuring an authentication source subnet ························································································· 164
Configuring an authentication destination subnet ·················································································· 165
Setting the maximum number of portal users ························································································ 165
Specifying a portal authentication domain ····························································································· 166
Specifying a preauthentication domain ·································································································· 167
Specifying a preauthentication IP address pool for portal users ···························································· 167
Enabling strict-checking on portal authorization information ·································································· 168
Enabling portal authentication only for DHCP users ·············································································· 169
Enabling outgoing packets filtering on a portal-enabled interface ·························································· 169
Configuring portal detection features ············································································································· 170
Configuring online detection of portal users ··························································································· 170
Configuring portal authentication server detection ················································································· 171
Configuring portal Web server detection ································································································ 172
Configuring portal user synchronization ································································································· 172
Configuring the portal fail-permit feature ········································································································ 173
Configuring BAS-IP for unsolicited portal packets sent to the portal authentication server ··························· 174
Enabling portal roaming ································································································································· 174
Specifying a format for the NAS-Port-ID attribute ·························································································· 175
Logging out online portal users ······················································································································ 175
Configuring Web redirect ······························································································································· 176
Applying a NAS-ID profile to an interface ······································································································ 176
Configuring the local portal Web server feature ····························································································· 177
Customizing authentication pages ········································································································· 177
Configuring a local portal Web server ···································································································· 179
Enabling ARP or ND entry conversion for portal clients ················································································ 180
Configuring HTTPS redirect ··························································································································· 180
Configuring MAC-based quick portal authentication ······················································································ 181
Configuring a MAC binding server ········································································································· 181
Specifying a MAC binding server on an interface ·················································································· 182
Enabling logging for user logins and logouts ································································································· 182
Displaying and maintaining portal ·················································································································· 182
Portal configuration examples ························································································································ 183
Configuring direct portal authentication ·································································································· 183
Configuring re-DHCP portal authentication ···························································································· 189
Configuring cross-subnet portal authentication ······················································································ 193
Configuring extended direct portal authentication ·················································································· 196
Configuring extended re-DHCP portal authentication ············································································ 199
Configuring extended cross-subnet portal authentication ······································································ 203
Configuring portal server detection and portal user synchronization ····················································· 207
Configuring cross-subnet portal authentication for MPLS L3VPNs························································ 212
Configuring direct portal authentication with a preauthentication domain ·············································· 214
Configuring re-DHCP portal authentication with a preauthentication domain ········································ 216
Configuring direct portal authentication using local portal Web server ·················································· 218
Troubleshooting portal ··································································································································· 221
v
No portal authentication page is pushed for users ················································································· 221
Cannot log out portal users on the access device ················································································· 222
Cannot log out portal users on the RADIUS server ··············································································· 222
Users logged out by the access device still exist on the portal authentication server···························· 222
Re-DHCP portal authenticated users cannot log in successfully ··························································· 223
Configuring port security ············································································· 224
Overview ························································································································································ 224
Port security features ····························································································································· 224
Port security modes ······························································································································· 224
Configuration task list ····································································································································· 227
Enabling port security ···································································································································· 228
Setting port security's limit on the number of secure MAC addresses on a port ············································ 228
Setting the port security mode ······················································································································· 229
Configuring port security features ·················································································································· 230
Configuring NTK ····································································································································· 230
Configuring intrusion protection ············································································································· 230
Configuring secure MAC addresses ·············································································································· 231
Configuration prerequisites ···················································································································· 232
Configuration procedure ························································································································· 232
Ignoring authorization information from the server ························································································ 233
Enabling MAC move ······································································································································ 233
Enabling the authorization-fail-offline feature ································································································· 233
Applying a NAS-ID profile to port security ······································································································ 234
Enabling SNMP notifications for port security ································································································ 235
Displaying and maintaining port security ······································································································· 235
Port security configuration examples ············································································································· 235
autoLearn configuration example ··········································································································· 235
userLoginWithOUI configuration example ······························································································ 237
macAddressElseUserLoginSecure configuration example ···································································· 240
Troubleshooting port security ························································································································· 244
Cannot set the port security mode ········································································································· 244
Cannot configure secure MAC addresses ····························································································· 244
Configuring password control ····································································· 245
Overview ························································································································································ 245
Password setting ···································································································································· 245
Password updating and expiration ········································································································· 246
User login control ··································································································································· 247
Password not displayed in any form ······································································································ 248
Logging ·················································································································································· 248
FIPS compliance ············································································································································ 248
Password control configuration task list ········································································································· 248
Enabling password control ····························································································································· 249
Setting global password control parameters ·································································································· 249
Setting user group password control parameters ·························································································· 250
Setting local user password control parameters ···························································································· 251
Setting super password control parameters ·································································································· 252
Displaying and maintaining password control ································································································ 252
Password control configuration example ······································································································· 253
Network requirements ···························································································································· 253
Configuration procedure ························································································································· 253
Verifying the configuration ······················································································································ 255
Configuring keychains ················································································· 256
Overview ························································································································································ 256
Configuration procedure ································································································································ 256
Displaying and maintaining keychain ············································································································· 257
Keychain configuration example ···················································································································· 257
Network requirements ···························································································································· 257
Configuration procedure ························································································································· 258
Verifying the configuration ······················································································································ 259
vi
Managing public keys ················································································· 263
Overview ························································································································································ 263
FIPS compliance ············································································································································ 263
Creating a local key pair ································································································································ 263
Distributing a local host public key ················································································································· 265
Exporting a host public key ···················································································································· 265
Displaying a host public key ··················································································································· 265
Destroying a local key pair ····························································································································· 266
Configuring a peer host public key ················································································································· 266
Importing a peer host public key from a public key file ·········································································· 266
Entering a peer host public key ·············································································································· 267
Displaying and maintaining public keys ········································································································· 267
Examples of public key management ············································································································ 267
Example for entering a peer host public key ·························································································· 267
Example for importing a public key from a public key file ······································································ 269
Configuring PKI ··························································································· 272
Overview ························································································································································ 272
PKI terminology ······································································································································ 272
PKI architecture ······································································································································ 273
PKI operation ········································································································································· 273
PKI applications ····································································································································· 274
Support for MPLS L3VPN ······················································································································ 274
FIPS compliance ············································································································································ 275
PKI configuration task list ······························································································································· 275
Configuring a PKI entity ································································································································· 275
Configuring a PKI domain ······························································································································ 276
Requesting a certificate ································································································································· 278
Configuration guidelines ························································································································· 278
Configuring automatic certificate request ······························································································· 279
Manually requesting a certificate ············································································································ 279
Aborting a certificate request ························································································································· 280
Obtaining certificates ····································································································································· 280
Configuration prerequisites ···················································································································· 280
Configuration guidelines ························································································································· 281
Configuration procedure ························································································································· 281
Verifying PKI certificates ································································································································ 281
Verifying certificates with CRL checking ································································································ 282
Verifying certificates without CRL checking ··························································································· 282
Specifying the storage path for the certificates and CRLs ············································································· 283
Exporting certificates ······································································································································ 283
Removing a certificate ··································································································································· 284
Configuring a certificate-based access control policy ···················································································· 284
Displaying and maintaining PKI ····················································································································· 285
PKI configuration examples ··························································································································· 286
Requesting a certificate from an RSA Keon CA server ·········································································· 286
Requesting a certificate from a Windows Server 2003 CA server ························································· 289
Requesting a certificate from an OpenCA server ··················································································· 292
Certificate-based access control policy configuration example ······························································ 295
Certificate import and export configuration example ·············································································· 297
Troubleshooting PKI configuration ················································································································· 302
Failed to obtain the CA certificate ·········································································································· 302
Failed to obtain local certificates ············································································································ 302
Failed to request local certificates ·········································································································· 303
Failed to obtain CRLs ····························································································································· 304
Failed to import the CA certificate ·········································································································· 305
Failed to import a local certificate ··········································································································· 305
Failed to export certificates ···················································································································· 305
Failed to set the storage path ················································································································· 306
vii
Configuring SSH ························································································· 307
Overview ························································································································································ 307
How SSH works ····································································································································· 307
SSH authentication methods ·················································································································· 308
SSH support for Suite B ························································································································· 309
FIPS compliance ············································································································································ 309
Configuring the device as an SSH server ······································································································ 310
SSH server configuration task list ·········································································································· 310
Generating local key pairs ······················································································································ 310
Enabling the Stelnet server ···················································································································· 311
Enabling the SFTP server ······················································································································ 311
Enabling the SCP server ························································································································ 312
Enabling NETCONF over SSH ·············································································································· 312
Configuring the user lines for SSH login ································································································ 312
Configuring a client's host public key ····································································································· 313
Configuring an SSH user ······················································································································· 314
Configuring the SSH management parameters ····················································································· 315
Specifying a PKI domain for the SSH server ························································································· 316
Specifying the SSH service port ············································································································· 316
Configuring the device as an Stelnet client ···································································································· 317
Stelnet client configuration task list ········································································································ 317
Generating local key pairs ······················································································································ 317
Specifying the source IP address for SSH packets ················································································ 317
Establishing a connection to an Stelnet server ······················································································ 318
Establishing a connection to an Stelnet server based on Suite B ·························································· 320
Configuring the device as an SFTP client ······································································································ 321
SFTP client configuration task list ·········································································································· 321
Generating local key pairs ······················································································································ 321
Specifying the source IP address for SFTP packets ·············································································· 321
Establishing a connection to an SFTP server ························································································ 322
Establishing a connection to an SFTP server based on Suite B ···························································· 324
Working with SFTP directories ··············································································································· 324
Working with SFTP files ························································································································· 325
Displaying help information ···················································································································· 325
Terminating the connection with the SFTP server ················································································· 325
Configuring the device as an SCP client ········································································································ 325
SCP client configuration task list ············································································································ 325
Generating local key pairs ······················································································································ 326
Establishing a connection to an SCP server ·························································································· 326
Establishing a connection to an SCP server based on Suite B······························································ 328
Specifying algorithms for SSH2 ····················································································································· 328
Specifying key exchange algorithms for SSH2 ······················································································ 329
Specifying public key algorithms for SSH2 ···························································································· 329
Specifying encryption algorithms for SSH2 ···························································································· 330
Specifying MAC algorithms for SSH2 ···································································································· 330
Displaying and maintaining SSH ···················································································································· 330
Stelnet configuration examples ······················································································································ 331
Password authentication enabled Stelnet server configuration example ··············································· 331
Publickey authentication enabled Stelnet server configuration example ··············································· 333
Password authentication enabled Stelnet client configuration example ················································ 339
Publickey authentication enabled Stelnet client configuration example ················································· 342
Stelnet configuration example based on 128-bit Suite B algorithms ······················································ 344
SFTP configuration examples ························································································································ 348
Password authentication enabled SFTP server configuration example ················································· 348
Publickey authentication enabled SFTP client configuration example ··················································· 351
SFTP configuration example based on 192-bit Suite B algorithms ························································ 354
SCP configuration examples ·························································································································· 358
SCP configuration example with password authentication ···································································· 358
SCP configuration example based on Suite B algorithms ······································································ 360
NETCONF over SSH configuration example with password authentication ·················································· 366
Network requirements ···························································································································· 366
viii
Configuration procedure ························································································································· 367
Verifying the configuration ······················································································································ 368
Configuring SSL ·························································································· 369
Overview ························································································································································ 369
SSL security services ····························································································································· 369
SSL protocol stack ································································································································· 369
FIPS compliance ············································································································································ 370
SSL configuration task list ······························································································································ 370
Configuring an SSL server policy ··················································································································· 370
Configuring an SSL client policy ···················································································································· 373
Displaying and maintaining SSL ···················································································································· 375
SSL server policy configuration example ······································································································· 375
Configuring attack detection and prevention ··············································· 378
Overview ························································································································································ 378
Attacks that the device can prevent ··············································································································· 378
Single-packet attacks ····························································································································· 378
Scanning attacks ···································································································································· 379
Flood attacks ·········································································································································· 380
TCP fragment attack ······························································································································ 381
Login DoS attack ···································································································································· 381
Login dictionary attack ··························································································································· 381
Blacklist feature ·············································································································································· 381
IP blacklist ·············································································································································· 381
User blacklist ·········································································································································· 382
Attack detection and prevention configuration task list ·················································································· 382
Configuring an attack defense policy ············································································································· 382
Creating an attack defense policy ·········································································································· 382
Configuring a single-packet attack defense policy ················································································· 383
Configuring a scanning attack defense policy ························································································ 384
Configuring a flood attack defense policy ······························································································ 385
Configuring attack detection exemption ································································································· 389
Applying an attack defense policy to an interface ·················································································· 390
Applying an attack defense policy to the device ···················································································· 390
Enabling log non-aggregation for single-packet attack events ······························································· 391
Configuring TCP fragment attack prevention ································································································· 391
Configuring the IP blacklist feature ················································································································ 391
Configuring the user blacklist feature ············································································································· 392
Configuring login attack prevention ················································································································ 392
Enabling the login delay ································································································································· 393
Displaying and maintaining attack detection and prevention ········································································· 393
Attack detection and prevention configuration examples ··············································································· 395
Interface-based attack detection and prevention configuration example ··············································· 395
IP blacklist configuration example ·········································································································· 399
User blacklist configuration example ······································································································ 400
Configuring TCP attack prevention ····························································· 401
Overview ························································································································································ 401
Configuring Naptha attack prevention ············································································································ 401
Configuring IP source guard ······································································· 402
Overview ························································································································································ 402
Static IPSG bindings ······························································································································ 402
Dynamic IPSG bindings ························································································································· 403
Configuration restrictions and guidelines ······································································································· 404
IPSG configuration task list ···························································································································· 404
Configuring the IPv4SG feature ····················································································································· 404
Enabling IPv4SG on an interface ··········································································································· 404
Configuring a static IPv4SG binding ······································································································ 405
Excluding IPv4 packets from IPSG filtering ···························································································· 406
Configuring the IPv6SG feature ····················································································································· 406
ix
Enabling IPv6SG on an interface ··········································································································· 406
Configuring a static IPv6SG binding ······································································································ 407
Displaying and maintaining IPSG ·················································································································· 407
IPSG configuration examples ························································································································ 408
Static IPv4SG configuration example ····································································································· 408
Dynamic IPv4SG using DHCP snooping configuration example ··························································· 410
Dynamic IPv4SG using DHCP relay agent configuration example ························································ 411
Static IPv6SG configuration example ····································································································· 412
Dynamic IPv6SG using DHCPv6 snooping configuration example ······················································· 412
Dynamic IPv6SG using DHCPv6 relay agent configuration example ···················································· 413
Configuring ARP attack protection ······························································ 415
ARP attack protection configuration task list ·································································································· 415
Configuring unresolvable IP attack protection ······························································································· 415
Configuring ARP source suppression ···································································································· 416
Configuring ARP blackhole routing ········································································································ 416
Displaying and maintaining unresolvable IP attack protection ······························································· 416
Configuration example ··························································································································· 416
Configuring ARP packet rate limit ·················································································································· 417
Configuration guidelines ························································································································· 417
Configuration procedure ························································································································· 418
Configuring source MAC-based ARP attack detection ·················································································· 418
Configuration procedure ························································································································· 419
Displaying and maintaining source MAC-based ARP attack detection ·················································· 419
Configuration example ··························································································································· 420
Configuring ARP packet source MAC consistency check ·············································································· 421
Configuring ARP active acknowledgement ···································································································· 421
Configuring authorized ARP ·························································································································· 422
Configuration procedure ························································································································· 422
Configuration example (on a DHCP server) ··························································································· 422
Configuration example (on a DHCP relay agent) ··················································································· 423
Configuring ARP attack detection ·················································································································· 424
Configuring user validity check ·············································································································· 425
Configuring ARP packet validity check ·································································································· 426
Configuring ARP restricted forwarding ··································································································· 427
Enabling ARP attack detection logging ·································································································· 427
Displaying and maintaining ARP attack detection ·················································································· 427
User validity check and ARP packet validity check configuration example ············································ 428
ARP restricted forwarding configuration example ·················································································· 429
Configuring ARP scanning and fixed ARP ····································································································· 431
Configuration restrictions and guidelines ······························································································· 431
Configuration procedure ························································································································· 431
Configuring ARP gateway protection ············································································································· 431
Configuration guidelines ························································································································· 432
Configuration procedure ························································································································· 432
Configuration example ··························································································································· 432
Configuring ARP filtering ································································································································ 433
Configuration guidelines ························································································································· 433
Configuration procedure ························································································································· 433
Configuration example ··························································································································· 433
Configuring ARP sender IP address checking ······························································································· 434
Configuring ND attack defense ··································································· 436
Overview ························································································································································ 436
ND attack defense configuration task list ······································································································· 436
Enabling source MAC consistency check for ND messages ········································································· 436
Configuring ND attack detection ···················································································································· 437
About ND attack detection ····················································································································· 437
Configuration guidelines ························································································································· 437
Configuration procedure ························································································································· 438
Displaying and maintaining ND attack detection ···················································································· 438
ND attack detection configuration example ···························································································· 438
x
Configuring RA guard ···································································································································· 440
About RA guard ······································································································································ 440
Specifying the role of the attached device ····························································································· 440
Configuring an RA guard policy ············································································································· 441
Enabling the RA guard logging feature ·································································································· 441
Displaying and maintaining RA guard ···································································································· 442
RA guard configuration example ············································································································ 442
Configuring uRPF ······················································································· 445
Overview ························································································································································ 445
uRPF check modes ································································································································ 445
Cooperation with default route ··············································································································· 445
uRPF operation ······································································································································ 446
Network application ································································································································ 447
Enabling uRPF ··············································································································································· 448
Displaying and maintaining uRPF ·················································································································· 448
uRPF configuration example ·························································································································· 448
Configuring IPv6 uRPF ··············································································· 450
Overview ························································································································································ 450
IPv6 uRPF check modes ························································································································ 450
Cooperation with default route ··············································································································· 450
IPv6 uRPF operation ······························································································································ 451
Network application ································································································································ 452
Enabling IPv6 uRPF ······································································································································· 453
Displaying and maintaining IPv6 uRPF ·········································································································· 453
IPv6 uRPF configuration example ················································································································· 453
Configuring MFF ························································································· 455
Overview ························································································································································ 455
Basic concepts ······································································································································· 456
MFF operation modes ···························································································································· 456
MFF working mechanism ······················································································································· 457
Protocols and standards ························································································································ 457
Configuring MFF ············································································································································ 457
Enabling MFF ········································································································································· 457
Configuring a network port ····················································································································· 458
Enabling periodic gateway probe ··········································································································· 458
Specifying the IP addresses of servers ·································································································· 458
Displaying and maintaining MFF ···················································································································· 459
MFF configuration examples ·························································································································· 459
Auto-mode MFF configuration example in a tree network ····································································· 459
Auto-mode MFF configuration example in a ring network ······································································ 461
Manual-mode MFF configuration example in a tree network ································································· 462
Manual-mode MFF configuration example in a ring network ································································· 463
Configuring FIPS ························································································· 466
Overview ························································································································································ 466
Configuration restrictions and guidelines ······································································································· 466
Configuring FIPS mode ·································································································································· 467
Entering FIPS mode ······························································································································· 467
Configuration changes in FIPS mode ···································································································· 468
Exiting FIPS mode ································································································································· 469
FIPS self-tests ················································································································································ 469
Power-up self-tests ································································································································ 470
Conditional self-tests ······························································································································ 470
Triggering self-tests ································································································································ 471
Displaying and maintaining FIPS ··················································································································· 471
FIPS configuration examples ························································································································· 471
Entering FIPS mode through automatic reboot ······················································································ 471
Entering FIPS mode through manual reboot ·························································································· 472
Exiting FIPS mode through automatic reboot ························································································ 474
xi
Exiting FIPS mode through manual reboot ···························································································· 474
Configuring MACsec ··················································································· 476
Overview ························································································································································ 476
Basic concepts ······································································································································· 476
MACsec services ··································································································································· 476
MACsec applications ······························································································································ 477
MACsec operating mechanism ·············································································································· 477
Protocols and standards ························································································································ 479
Feature and hardware compatibility ··············································································································· 479
General restrictions and guidelines ················································································································ 479
MACsec configuration task list ······················································································································· 480
Enabling MKA ················································································································································ 480
Enabling MACsec desire ································································································································ 480
Configuring a preshared key ·························································································································· 481
Configuring the MKA key server priority ········································································································ 481
Configuring MACsec protection parameters in interface view ······································································· 482
Configuring the MACsec confidentiality offset ························································································ 482
Configuring MACsec replay protection ··································································································· 482
Configuring the MACsec validation mode ······························································································ 483
Configuring MACsec protection parameters by MKA policy ·········································································· 483
Configuring an MKA policy ····················································································································· 483
Applying an MKA policy ························································································································· 484
Displaying and maintaining MACsec ············································································································· 484
MACsec configuration examples ··················································································································· 485
Client-oriented MACsec configuration example (host as client) ····························································· 485
Client-oriented MACsec configuration example (device as client) ························································· 488
Device-oriented MACsec configuration example ··················································································· 491
Troubleshooting MACsec ······························································································································· 494
Cannot establish MKA sessions between MACsec devices ·································································· 494
Configuring 802.1X client ············································································ 496
802.1X client configuration task list ················································································································ 496
Enabling the 802.1X client feature ················································································································· 496
Configuring an 802.1X client username and password ················································································· 497
Configuring an 802.1X client MAC address ··································································································· 497
Specifying an 802.1X client EAP authentication method ··············································································· 498
Configuring an 802.1X client anonymous identifier ························································································ 498
Specifying an SSL client policy ······················································································································ 499
Displaying and maintaining 802.1X client ······································································································ 499
Configuring Web authentication ·································································· 500
Overview ························································································································································ 500
Web authentication types ······················································································································· 500
Advantages of Web authentication ········································································································ 500
Web authentication system ···················································································································· 500
Web authentication process ··················································································································· 501
Web authentication task list ··························································································································· 502
Configuration prerequisites ···························································································································· 502
Configuring the Web authentication server ···································································································· 503
Enabling Web authentication ························································································································· 503
Specifying a Web authentication domain ······································································································· 504
Setting the redirection wait time ····················································································································· 504
Configuring a Web authentication-free subnet ······························································································· 505
Setting the maximum number of Web authentication users ·········································································· 505
Configuring online Web authentication user detection ··················································································· 505
Configuring an Auth-Fail VLAN ······················································································································ 506
Configuring Web authentication to support Web proxy ·················································································· 506
Displaying and maintaining Web authentication ···························································································· 507
Web authentication configuration examples ·································································································· 507
Web authentication using the local authentication server ······································································ 507
Web authentication using the RADIUS authentication server ································································ 509
xii
Troubleshooting Web authentication ············································································································· 511
Failure to come line (Web authentication configuration correct) ···························································· 511
Failure to come online (local authentication interface using the default ISP domain) ···························· 511
Failure to come line (VLAN configured on interface) ············································································· 512
Configuring triple authentication ································································· 513
Overview ························································································································································ 513
Triple authentication mechanism ··········································································································· 513
Extended triple authentication features ·································································································· 514
Configuration restrictions and guidelines ······································································································· 515
Configuring triple authentication ···················································································································· 515
Triple authentication configuration examples ································································································· 515
Triple authentication basic function configuration example ···································································· 515
Triple authentication supporting authorization VLAN and authentication failure VLAN configuration
example ·················································································································································· 519
Document conventions and icons ······························································· 525
Conventions ··················································································································································· 525
Network topology icons ·································································································································· 526
Support and other resources ······································································ 527
Accessing Hewlett Packard Enterprise Support ···························································································· 527
Accessing updates ········································································································································· 527
Websites ················································································································································ 528
Customer self repair ······························································································································· 528
Remote support ······································································································································ 528
Documentation feedback ······················································································································· 528
Index ··········································································································· 530
1
Configuring AAA
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. This feature specifies the following security functions:
• Authentication—Identifies users and verifies their validity.
• Authorization—Grants different users different rights, and controls the users' access to
resources and services. For example, you can permit office users to read and print files and
prevent guests from accessing files on the device.
• Accounting—Records network usage details of users, including the service type, start time,
and traffic. This function enables time-based and traffic-based charging and user behavior
auditing.
AAA uses a client/server model. The client runs on the access device, or the network access server
(NAS), which authenticates user identities and controls user access. The server maintains user
information centrally. See Figure 1.
Figure 1 AAA network diagram
To access networks or resources beyond the NAS, a user sends its identity information to the NAS.
The NAS transparently passes the user information to AAA servers and waits for the authentication,
authorization, and accounting result. Based on the result, the NAS determines whether to permit or
deny the access request.
AAA has various implementations, including RADIUS, HWTACACS, and LDAP. RADIUS is most
often used.
The network in Figure 1 has one RADIUS server and one HWTACACS server. You can use different
servers to implement different security functions. For example, you can use the HWTACACS server
for authentication and authorization, and use the RADIUS server for accounting.
You can choose the security functions provided by AAA as needed. For example, if your company
wants employees to be authenticated before they access specific resources, you would deploy an
authentication server. If network usage information is needed, you would also configure an
accounting server.
The device performs dynamic password authentication.
Remote user NAS RADIUS server
HWTACACS server
Internet
Network
2
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction
protocol that uses a client/server model. The protocol can protect networks against unauthorized
access and is often used in network environments that require both high security and remote user
access.
The RADIUS authorization process is combined with the RADIUS authentication process, and user
authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812
for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access, and has been extended to support
additional access methods, such as Ethernet and ADSL.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
RADIUS servers and acts on the responses to, for example, reject or accept user access requests.
The RADIUS server runs on the computer or workstation at the network center and maintains
information related to user authentication and network service access.
The RADIUS server operates using the following process:
1. Receives authentication, authorization, and accounting requests from RADIUS clients.
2. Performs user authentication, authorization, or accounting.
3. Returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
The RADIUS server can also act as the client of another RADIUS server to provide authentication
proxy services.
The RADIUS server maintains the following databases:
• Users—Stores user information, such as the usernames, passwords, applied protocols, and IP
addresses.
• Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
• Dictionary—Stores RADIUS protocol attributes and their values.
Figure 2 RADIUS server databases
Information exchange security mechanism
The RADIUS client and server exchange information between them with the help of shared keys,
which are preconfigured on the client and server. A RADIUS packet has a 16-byte field called
Authenticator. This field includes a signature generated by using the MD5 algorithm, the shared key,
and some other information. The receiver of the packet verifies the signature and accepts the packet
only when the signature is correct. This mechanism ensures the security of information exchanged
between the RADIUS client and server.
The shared keys are also used to encrypt user passwords that are included in RADIUS packets.
User authentication methods
The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.
RADIUS servers
Users Clients Dictionary
3
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process
RADIUS uses in the following workflow:
1. The host sends a connection request that includes the user's username and password to the
RADIUS client.
2. The RADIUS client sends an authentication request (Access-Request) to the RADIUS server.
The request includes the user's password, which has been processed by the MD5 algorithm
and shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds,
the server sends back an Access-Accept packet that contains the user's authorization
information. If the authentication fails, the server returns an Access-Reject packet.
4. The RADIUS client permits or denies the user according to the authentication result. If the result
permits the user, the RADIUS client sends a start-accounting request (Accounting-Request)
packet to the RADIUS server.
5. The RADIUS server returns an acknowledgment (Accounting-Response) packet and starts
accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection.
8. The RADIUS client sends a stop-accounting request (Accounting-Request) packet to the
RADIUS server.
9. The RADIUS server returns an acknowledgment (Accounting-Response) and stops accounting
for the user.
10. The RADIUS client notifies the user of the termination.
RADIUS packet format
RADIUS uses UDP to transmit packets. The protocol also uses a series of mechanisms to ensure
smooth packet exchange between the RADIUS server and the client. These mechanisms include the
timer mechanism, the retransmission mechanism, and the backup server mechanism.
RADIUS client RADIUS server
1) Username and password
3) Access-Accept/Reject
2) Access-Request
4) Accounting-Request (start)
5) Accounting-Response
8) Accounting-Request (stop)
9) Accounting-Response
10) Notification of termination
Host
6) The host access the resources
7) Teardown request
4
Figure 4 RADIUS packet format
Descriptions of the fields are as follows:
• The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main
values and their meanings.
Table 1 Main values of the Code field
Code
Packet type
Description
1 Access-Request
From the client to the server. A packet of this type includes user
information for the server to authenticate the user. It must contain the
User-Name attribute and can optionally contain the attributes of
NAS-IP-Address, User-Password, and NAS-Port.
2 Access-Accept From the server to the client. If all attribute values included in the
Access-Request are acceptable, the authentication succeeds, and
the server sends an Access-Accept response.
3 Access-Reject From the server to the client. If any attribute value included in the
Access-Request is unacceptable, the authentication fails, and the
server sends an Access-Reject response.
4 Accounting-Reques
t
From the client to the server. A packet of this type includes user
information for the server to start or stop accounting for the user. The
Acct-Status-Type attribute in the packet indicates whether to start or
stop accounting.
5 Accounting-Respon
se
From the server to the client. The server sends a packet of this type to
notify the client that it has received the Accounting-Request and has
successfully recorded the accounting information.
• The Identifier field (1 byte long) is used to match response packets with request packets and to
detect duplicate request packets. The request and response packets of the same exchange
process for the same purpose (such as authentication or accounting) have the same identifier.
• The Length field (2 bytes long) indicates the length of the entire packet (in bytes), including the
Code, Identifier, Length, Authenticator, and Attributes fields. Bytes beyond this length are
considered padding and are ignored by the receiver. If the length of a received packet is less
than this length, the packet is dropped.
• The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS
server and to encrypt user passwords. There are two types of authenticators: request
authenticator and response authenticator.
• The Attributes field (variable in length) includes authentication, authorization, and accounting
information. This field can contain multiple attributes, each with the following subfields:
 Type—Type of the attribute.
 Length—Length of the attribute in bytes, including the Type, Length, and Value subfields.
 Value—Value of the attribute. Its format and content depend on the Type subfield.
Code
Attributes
Identifier
0
7
Length
Authenticator (16bytes)
7 15 31
5
Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC
2868. For more information, see "Commonly used standard RADIUS attributes."
Table 2 Commonly used RADIUS attributes
No.
Attribute
No.
Attribute
1 User-Name 45 Acct-Authentic
2 User-Password 46 Acct-Session-Time
3 CHAP-Password 47 Acct-Input-Packets
4 NAS-IP-Address 48 Acct-Output-Packets
5 NAS-Port 49 Acct-Terminate-Cause
6 Service-Type 50 Acct-Multi-Session-Id
7 Framed-Protocol 51 Acct-Link-Count
8 Framed-IP-Address 52 Acct-Input-Gigawords
9 Framed-IP-Netmask 53 Acct-Output-Gigawords
10 Framed-Routing 54 (unassigned)
11 Filter-ID 55 Event-Timestamp
12 Framed-MTU 56-59 (unassigned)
13 Framed-Compression 60 CHAP-Challenge
14 Login-IP-Host 61 NAS-Port-Type
15 Login-Service 62 Port-Limit
16 Login-TCP-Port 63 Login-LAT-Port
17 (unassigned) 64 Tunnel-Type
18 Reply-Message 65 Tunnel-Medium-Type
19 Callback-Number 66 Tunnel-Client-Endpoint
20 Callback-ID 67 Tunnel-Server-Endpoint
21 (unassigned) 68 Acct-Tunnel-Connection
22 Framed-Route 69 Tunnel-Password
23 Framed-IPX-Network 70 ARAP-Password
24 State 71 ARAP-Features
25 Class 72 ARAP-Zone-Access
26 Vendor-Specific 73 ARAP-Security
27 Session-Timeout 74 ARAP-Security-Data
28 Idle-Timeout 75 Password-Retry
29 Termination-Action 76 Prompt
30 Called-Station-Id 77 Connect-Info
31 Calling-Station-Id 78 Configuration-Token
32 NAS-Identifier 79 EAP-Message
33 Proxy-State 80 Message-Authenticator
34 Login-LAT-Service 81 Tunnel-Private-Group-id
6
No.
Attribute
No.
Attribute
35 Login-LAT-Node 82 Tunnel-Assignment-id
36 Login-LAT-Group 83 Tunnel-Preference
37 Framed-AppleTalk-Link 84 ARAP-Challenge-Response
38 Framed-AppleTalk-Network 85 Acct-Interim-Interval
39 Framed-AppleTalk-Zone 86 Acct-Tunnel-Packets-Lost
40 Acct-Status-Type 87 NAS-Port-Id
41 Acct-Delay-Time 88 Framed-Pool
42 Acct-Input-Octets 89 (unassigned)
43 Acct-Output-Octets 90 Tunnel-Client-Auth-id
44 Acct-Session-Id 91 Tunnel-Server-Auth-id
Extended RADIUS attributes
The RADIUS protocol features excellent extensibility. The Vendor-Specific attribute (attribute 26)
allows a vendor to define extended attributes. The extended attributes can implement functions that
the standard RADIUS protocol does not provide.
A vendor can encapsulate multiple subattributes in the TLV format in attribute 26 to provide extended
functions. As shown in Figure 5, a subattribute encapsulated in attribute 26 consists of the following
parts:
• Vendor-ID—ID of the vendor. The most significant byte is 0. The other three bytes contains a
code compliant to RFC 1700.
• Vendor-Type—Type of the subattribute.
• Vendor-Length—Length of the subattribute.
• Vendor-Data—Contents of the subattribute.
Hewlett Packard Enterprise supports the RADIUS subattributes with a vendor ID of 25506. For more
information, see "Proprietary RADIUS subattributes (vendor ID 25506)."
Figure 5 Format of attribute 26
HWTACACS
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security
protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server
model for information exchange between the NAS and the HWTACACS server.
HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical
HWTACACS scenario, terminal users need to log in to the NAS. Working as the HWTACACS client,
the NAS sends users' usernames and passwords to the HWTACACS server for authentication. After
Type Length
0
Vendor-ID
7 15 31
Vendor-ID (continued) Vendor-Type Vendor-Length
Vendor-Data
(Specified attribute value……)
23
……
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
-
1
-
2
-
3
-
4
-
5
-
6
-
7
-
8
-
9
-
10
-
11
-
12
-
13
-
14
-
15
-
16
-
17
-
18
-
19
-
20
-
21
-
22
-
23
-
24
-
25
-
26
-
27
-
28
-
29
-
30
-
31
-
32
-
33
-
34
-
35
-
36
-
37
-
38
-
39
-
40
-
41
-
42
-
43
-
44
-
45
-
46
-
47
-
48
-
49
-
50
-
51
-
52
-
53
-
54
-
55
-
56
-
57
-
58
-
59
-
60
-
61
-
62
-
63
-
64
-
65
-
66
-
67
-
68
-
69
-
70
-
71
-
72
-
73
-
74
-
75
-
76
-
77
-
78
-
79
-
80
-
81
-
82
-
83
-
84
-
85
-
86
-
87
-
88
-
89
-
90
-
91
-
92
-
93
-
94
-
95
-
96
-
97
-
98
-
99
-
100
-
101
-
102
-
103
-
104
-
105
-
106
-
107
-
108
-
109
-
110
-
111
-
112
-
113
-
114
-
115
-
116
-
117
-
118
-
119
-
120
-
121
-
122
-
123
-
124
-
125
-
126
-
127
-
128
-
129
-
130
-
131
-
132
-
133
-
134
-
135
-
136
-
137
-
138
-
139
-
140
-
141
-
142
-
143
-
144
-
145
-
146
-
147
-
148
-
149
-
150
-
151
-
152
-
153
-
154
-
155
-
156
-
157
-
158
-
159
-
160
-
161
-
162
-
163
-
164
-
165
-
166
-
167
-
168
-
169
-
170
-
171
-
172
-
173
-
174
-
175
-
176
-
177
-
178
-
179
-
180
-
181
-
182
-
183
-
184
-
185
-
186
-
187
-
188
-
189
-
190
-
191
-
192
-
193
-
194
-
195
-
196
-
197
-
198
-
199
-
200
-
201
-
202
-
203
-
204
-
205
-
206
-
207
-
208
-
209
-
210
-
211
-
212
-
213
-
214
-
215
-
216
-
217
-
218
-
219
-
220
-
221
-
222
-
223
-
224
-
225
-
226
-
227
-
228
-
229
-
230
-
231
-
232
-
233
-
234
-
235
-
236
-
237
-
238
-
239
-
240
-
241
-
242
-
243
-
244
-
245
-
246
-
247
-
248
-
249
-
250
-
251
-
252
-
253
-
254
-
255
-
256
-
257
-
258
-
259
-
260
-
261
-
262
-
263
-
264
-
265
-
266
-
267
-
268
-
269
-
270
-
271
-
272
-
273
-
274
-
275
-
276
-
277
-
278
-
279
-
280
-
281
-
282
-
283
-
284
-
285
-
286
-
287
-
288
-
289
-
290
-
291
-
292
-
293
-
294
-
295
-
296
-
297
-
298
-
299
-
300
-
301
-
302
-
303
-
304
-
305
-
306
-
307
-
308
-
309
-
310
-
311
-
312
-
313
-
314
-
315
-
316
-
317
-
318
-
319
-
320
-
321
-
322
-
323
-
324
-
325
-
326
-
327
-
328
-
329
-
330
-
331
-
332
-
333
-
334
-
335
-
336
-
337
-
338
-
339
-
340
-
341
-
342
-
343
-
344
-
345
-
346
-
347
-
348
-
349
-
350
-
351
-
352
-
353
-
354
-
355
-
356
-
357
-
358
-
359
-
360
-
361
-
362
-
363
-
364
-
365
-
366
-
367
-
368
-
369
-
370
-
371
-
372
-
373
-
374
-
375
-
376
-
377
-
378
-
379
-
380
-
381
-
382
-
383
-
384
-
385
-
386
-
387
-
388
-
389
-
390
-
391
-
392
-
393
-
394
-
395
-
396
-
397
-
398
-
399
-
400
-
401
-
402
-
403
-
404
-
405
-
406
-
407
-
408
-
409
-
410
-
411
-
412
-
413
-
414
-
415
-
416
-
417
-
418
-
419
-
420
-
421
-
422
-
423
-
424
-
425
-
426
-
427
-
428
-
429
-
430
-
431
-
432
-
433
-
434
-
435
-
436
-
437
-
438
-
439
-
440
-
441
-
442
-
443
-
444
-
445
-
446
-
447
-
448
-
449
-
450
-
451
-
452
-
453
-
454
-
455
-
456
-
457
-
458
-
459
-
460
-
461
-
462
-
463
-
464
-
465
-
466
-
467
-
468
-
469
-
470
-
471
-
472
-
473
-
474
-
475
-
476
-
477
-
478
-
479
-
480
-
481
-
482
-
483
-
484
-
485
-
486
-
487
-
488
-
489
-
490
-
491
-
492
-
493
-
494
-
495
-
496
-
497
-
498
-
499
-
500
-
501
-
502
-
503
-
504
-
505
-
506
-
507
-
508
-
509
-
510
-
511
-
512
-
513
-
514
-
515
-
516
-
517
-
518
-
519
-
520
-
521
-
522
-
523
-
524
-
525
-
526
-
527
-
528
-
529
-
530
-
531
-
532
-
533
-
534
-
535
-
536
-
537
-
538
-
539
-
540
-
541
-
542
-
543
-
544
-
545
-
546
-
547
-
548
-
549
-
550
-
551
-
552
-
553
-
554
-
555
-
556
-
557
-
558
-
559
-
560
-
561
-
562
-
563
-
564
-
565
-
566
-
567
-
568
-
569
-
570
-
571
-
572
-
573
-
574
-
575
-
576
-
577
-
578
-
579
-
580
-
581
-
582
-
583
-
584
-
585
-
586
-
587
-
588
-
589
-
590
-
591
-
592
-
593
-
594
-
595
-
596
-
597
HPE FlexNetwork 7500 Series Security Configuration Manual
- Category
- Software
- Type
- Security Configuration Manual
Ask a question and I''ll find the answer in the document
Finding information in a document is now easier with AI
Related papers
-
Aruba JG091B Configuration Guide
-
Aruba JH103A Configuration Guide
-
-
Aruba JH691A Configuration Guide
-
Aruba R9F19A Configuration Guide
-
HPE FlexFabric 12900E & 12900 & 7900 Switch Series Security Configuration Guide
-
-
-
-
Aruba JL588A Reference guide
Other documents
-
-
-
-
-
-
-
-
H3C S5820V2 series Security Configuration Manual
-
HP 6125G Configuration manual
-