HP E3800 Series User Manual

Step-by-step method to prepare the switch for secure network operation, covering security settings and protocols.

Describes setting passwords for Manager and Operator levels using the menu interface.

Procedure for deleting all usernames and passwords, including recovering from a lost manager password.

Explains configuring manager and operator passwords and usernames using CLI commands.

Covers enabling/disabling front-panel buttons for password clearing, rebooting, and factory reset.

Explains the password recovery feature, its prerequisites, and the process for disabling or re-enabling it.

Provides guidelines for configuring connection-rate filtering, including for attack-free and attack-prone networks.

Details commands for enabling connection-rate filtering on the switch and applying it on a per-port basis.

Explains the command to enable connection-rate filtering and set the global sensitivity level.

Describes configuring the per-port policy for responding to high inbound IP connection attempts from a given source.

Explains how to create and apply connection-rate ACLs to filter IP traffic from authenticated clients.

Describes the Web Authentication method using a web page login to authenticate users for network access.

Explains MAC Authentication for authenticating devices by their MAC address for network access.

Provides steps for configuring Web/MAC authentication, including prerequisite checks and port configuration.

Details the steps for configuring Web Authentication, including redirect URLs and optional settings.

Provides an overview and commands for configuring MAC Authentication on the switch.

Outlines a general procedure for setting up and testing TACACS+ authentication to prevent lockouts.

Describes steps for configuring TACACS+ operation, including before you begin and CLI commands.

Explains how the 'aaa authentication' command configures access control for Console, Telnet, SSH, Web, and Port-Access.

Explains how to check User Setup entries on the TACACS+ server for correct single login feature operation.

Details configuring TACACS+ server access parameters: host IP address, encryption key, and timeout value.

Explains how encryption keys prevent unauthorized access by encrypting username and password information in TACACS+ packets.

Provides preparation steps and information collection for configuring RADIUS on the switch.

Describes configuring the switch for RADIUS authentication, including server access and global parameters.

Outlines three main steps for configuring RADIUS authentication: configure access methods, enable RADIUS, and configure servers.

Describes configuring RADIUS authentication for Console, Telnet, SSH, WebAgent, and Port-Access methods.

Describes configuring the switch to interact with a RADIUS server for authentication and accounting services.

Provides methods to prevent unauthorized access through the WebAgent, including local authentication and IP manager features.

Explains how RADIUS protocol combines user authentication and authorization for controlling CLI command access.

Describes configuring authorization for controlling access to CLI commands using RADIUS protocol.

Provides steps for configuring RADIUS accounting, including accessing a RADIUS server and accounting types.

Outlines steps for configuring RADIUS accounting: accessing RADIUS server, reconfiguring Acct-Session-ID, and configuring accounting types.

Describes how the switch accesses RADIUS servers in the order listed and how to change this order.

Explains configuring RADIUS attributes for dynamic removal of 802.1X, MAC, and Web authentication limits.

Details configuring RADIUS attributes (VSAs) for CoS, rate-limiting, and ACLs supported on the switch.

Describes applying RADIUS-assigned ACLs to filter IP traffic from authenticated clients.

Provides guidelines for configuring RADIUS-assigned ACLs on a RADIUS server, including an example for FreeRADIUS.

Illustrates configuring RADIUS-assigned IPv4 ACL support using the standard attribute for client identification.

Shows configuring VSA attribute 63 for RADIUS-assigned IPv6 and IPv4 ACL support on FreeRADIUS.

Demonstrates using HP VSA attribute 61 for configuring RADIUS-assigned IPv4 ACL support on FreeRADIUS.

Details steps to configure the switch for RADIUS-assigned ACLs: configure RADIUS operation and authentication method.

Outlines steps for two-way authentication: client preparation and switch preparation.

Details SSH-related CLI commands for generating keys, enabling/disabling SSH, and configuring parameters.

Explains how to assign local login and enable passwords to the switch for management access.

Describes generating a public and private host key pair on the switch for SSH client negotiation.

Guides on copying the switch’s public key to SSH clients for authentication and preventing unauthorized access.

Outlines general steps: client preparation (install SSL browser) and switch preparation (generate certificate).

Details steps for SSL configuration: assign local passwords, generate server host certificate, and enable SSL.

Recommends assigning a Manager password to the switch for security and explains WebAgent configuration.

Describes generating a server certificate on the switch before enabling SSL for secure connections.

Explains how to generate a self-signed host certificate using the WebAgent, including security and error handling.

Details the three-phase process for installing a CA-signed certificate using the WebAgent.

Explains enabling SSL using CLI/WebAgent and the browser's contact behavior, including man-in-the-middle attack prevention.

Provides CLI commands to enable or disable SSL on the switch, including port configuration.

Explains applying static ACLs (RACL, VACL, Static Port ACL) and dynamic (RADIUS-assigned) ACLs.

Explains dynamic ACLs assigned by a RADIUS server to filter IP traffic from authenticated clients.

Describes dynamic ACLs configured on RADIUS servers to filter inbound IPv4 and IPv6 traffic from authenticated clients.

Suggests steps for planning and configuring ACLs: determine policies, plan ACLs, configure on RADIUS server, and test.

Introduces static ACLs, their operation on interfaces, and traffic filtering options for IPv4 traffic.

Provides steps for planning ACLs: identify ACL action, identify traffic types, design ACLs, and configure ACLs.

Details RACLs, VACLs, and Static Port ACLs configuration and operating rules.

Describes steps for configuring and assigning IPv4 ACLs using the CLI or an offline text editor.

Describes using the CLI or an offline text editor to create an ACL, recommending CLI for short ACLs.

Describes commands for performing operations on standard ACLs: creating, adding ACEs, deleting, resequencing, and remarks.

Describes commands for creating and entering context of a named, standard ACL, and appending ACEs.

Lists commands to display ACL configuration, including summary, content, VLAN, port, and RADIUS assignments.

Describes using an offline method to create or extensively edit large ACLs via text files and TFTP.

Explains how ACL logging generates messages for explicit 'deny' actions, aiding network testing and monitoring.

Protects the network from common DHCP attacks like address spoofing and address exhaustion.

Details the command to enable DHCP snooping globally and optionally on specific VLANs.

Describes configuring ports as trusted; DHCP server packets on trusted ports are forwarded without validation.

Protects the network from ARP cache poisoning by validating IP-to-MAC bindings on untrusted ports.

Prevents IP source address spoofing on a per-port and per-VLAN basis using known IP-to-MAC bindings.

Discusses attacks using forged IP source addresses and how dynamic IP lockdown protects against them.

Details the command to enable dynamic IP lockdown on all ports or specified ports.

Describes adding static IP-to-MAC bindings for dynamic IP lockdown and DHCP/ARP packet validation.

Explains using static filters to enhance security and control access to network resources by forwarding or dropping traffic.

Details filter types: Source-Port, Multicast, and Protocol, including their selection criteria.

Enables forwarding or dropping traffic from end nodes on a source-port to specific destination ports.

Allows specifying named source-port filters for use on multiple ports and port trunks.

Describes the named source-port filter command operating from the global configuration level.

Outlines steps before configuring 802.1X: configure local username/password and determine switch ports.

Describes using 802.1X Open VLAN mode to provide a path for clients needing 802.1X supplicant software download.

Provides preparation steps and configuration for 802.1X Open VLAN mode, including VLANs and RADIUS server setup.

Details commands for configuring switch ports as 802.1X authenticators, including authentication commands and options.

Explains basic operation, intruder protection, eavesdrop prevention, and general operation for port security.

Defines MAC Lockdown as permanent assignment of MAC address to a port to prevent station movement and hijacking.

Explains MAC Lockout as a blacklist for any traffic to/from a MAC address on all ports and VLANs.

Details configuring IP authorized managers for the switch, including access method and privilege level.

Introduces Key Management System (KMS) for configuring and maintaining security information for routing protocols.

Outlines three KMS configuration steps: create key chain entry, assign key, and assign key chain to KMS-enabled protocol.