To Next Page

To Previous Page

263

6. Specify the authority for certificate request.

7. Configure the required entity DN parameters.

Failed to retrieve CRLs

Symptom

CRLs cannot be retrieved.

Analysis

• The network connection is down because, for example, the network cable is damaged or the

connectors have bad contact.

• No CA certificate has been retrieved before you try to obtain CRLs.

• The IP address of LDAP server is not configured.

• The CRL distribution URL is not configured.

• The LDAP server version is wrong.

• The domain name of the CRL distribution point failed to be resolved.

Solution

1. Make sure the network connection is physically proper.

2. Retrieve a CA certificate.

3. Specify the IP address of the LDAP server.

4. Specify the CRL distribution URL.

5. Re-configure the LDAP version.

6. Configure the correct DNS server that can resolve the domain name of the CRL distribution

point.

Default Chapter3
- Table of Contents3
Security Overview14
- Network Security Threats14
- Network Security Services14
- Network Security Technologies14
Configuring AAA19
- Overview19
- FIPS Compliance33
- AAA Configuration Considerations and Task List33
- Configuring AAA Schemes35
- Configuring AAA Methods for ISP Domains56
- Tearing down User Connections65
- Configuring a NAS ID-VLAN Binding66
- Configuring the Router as a RADIUS Server66
- Displaying and Maintaining AAA68
- AAA Configuration Examples68
- Troubleshooting AAA88
  - Troubleshooting RADIUS88
  - Troubleshooting HWTACACS90
802.1X Overview91
- 802.1X Architecture91
- Controlled/Uncontrolled Port and Port Authorization Status91
- 802.1X-Related Protocols92
  - Packet Formats92
  - EAP over RADIUS93
- Initiating 802.1X Authentication94
  - 802.1X Client as the Initiator94
  - Access Device as the Initiator94
- 802.1X Authentication Procedures94
Configuring 802.1X99
- Hewlett Packard Enterprise Implementation of 802.1X99
  - Access Control Methods99
  - Using 802.1X Authentication with Other Features99
- Configuration Prerequisites102
- 802.1X Configuration Task List102
- Enabling 802.1X103
- Enabling EAP Relay or EAP Termination103
- Setting the Port Authorization State104
- Specifying an Access Control Method105
- Setting the Maximum Number of Concurrent 802.1X Users on a Port105
- Setting the Maximum Number of Authentication Request Attempts106
- Setting the 802.1X Authentication Timeout Timers106
- Configuring the Online User Handshake Function106
  - Configuration Guidelines107
  - Configuration Procedure107
- Enabling the Proxy Detection Function107
- Configuring the Authentication Trigger Function108
  - Configuration Guidelines108
  - Configuration Procedure108
- Specifying a Mandatory Authentication Domain on a Port109
- Configuring the Quiet Timer109
- Enabling the Periodic Online User Re-Authentication Function110
- Configuring an 802.1X Guest VLAN110
  - Configuration Guidelines110
  - Configuration Prerequisites111
  - Configuration Procedure111
- Configuring an Auth-Fail VLAN111
  - Configuration Guidelines111
- Configuring an 802.1X Critical VLAN112
  - Configuration Guidelines112
  - Configuration Prerequisites112
  - Configuration Procedure112
- Specifying Supported Domain Name Delimiters113
- Configuring 802.1X MAC Address Binding113
- Displaying and Maintaining 802.1X114
- 802.1X Authentication Configuration Example114
  - Network Requirements114
  - Configuration Procedure115
  - Verifying the Configuration116
- Guest VLAN and VLAN Assignment Configuration Example116
  - Network Requirements116
  - Configuration Procedure117
  - Verifying the Configuration119
- With ACL Assignment Configuration Example119
  - Network Requirements119
  - Configuration Procedure119
  - Verifying the Configuration120
Configuring EAD Fast Deployment121
- Overview121
  - Free IP121
  - URL Redirection121
- Hardware Compatibility with EAD Fast Deployment121
- Configuration Prerequisites122
- Configuring a Free IP122
- Configuring the Redirect URL122
- Setting the EAD Rule Timer122
- Displaying and Maintaining EAD Fast Deployment123
- EAD Fast Deployment Configuration Example123
- Troubleshooting EAD Fast Deployment125
  - Web Browser Users Cannot be Correctly Redirected125
Configuring MAC Authentication127
- Overview127
- Using MAC Authentication with Other Features128
  - VLAN Assignment128
  - ACL Assignment128
- Configuration Task List129
- Basic Configuration for MAC Authentication129
  - Configuring MAC Authentication Globally129
  - Configuring MAC Authentication on a Port130
- Specifying a MAC Authentication Domain131
- Configuring MAC Authentication Delay131
- Displaying and Maintaining MAC Authentication132
- MAC Authentication Configuration Examples132
Configuring Port Security138
- Overview138
- Configuration Task List142
- Enabling Port Security142
- Setting Port Security's Limit on the Number of MAC Addresses on a Port143
- Setting the Port Security Mode143
  - Configuration Prerequisites144
  - Configuration Procedure144
- Configuring Port Security Features145
- Configuring Secure MAC Addresses147
  - Configuration Prerequisites148
  - Configuration Procedure148
- Configuring Port Security for WLAN Ports148
- Ignoring Authorization Information from the Server150
- Displaying and Maintaining Port Security150
- Port Security Configuration Examples151
- Troubleshooting Port Security160
Configuring Ipsec162
- Overview162
- FIPS Compliance167
- Implementing Ipsec167
- Implementing ACL-Based Ipsec168
- Implementing Tunnel Interface-Based Ipsec186
- Configuring Ipsec for Ipv6 Routing Protocols190
- Displaying and Maintaining Ipsec191
- Ipsec Configuration Examples192
Configuring IKE213
- Overview213
- FIPS Compliance215
- IKE Configuration Task List216
- Configuring a Name for the Local Security Gateway216
- Configuring an IKE Proposal217
- Configuring an IKE Peer218
- Setting Keepalive Timers220
- Setting the NAT Keepalive Timer220
- Configuring a DPD Detector221
- Disabling Next Payload Field Checking221
- Displaying and Maintaining IKE222
- IKE Configuration Examples222
  - Configuring Main Mode IKE with Pre-Shared Key Authentication222
  - Configuring Aggressive Mode IKE with NAT Traversal226
- Troubleshooting IKE229
Configuring Ikev2232
- Overview232
  - New Features in Ikev2232
  - Protocols and Standards233
- Ikev2 Configuration Task List233
- Configuring Global Ikev2 Parameters234
- Configuring an Ikev2 Proposal236
- Configuring an Ikev2 Policy236
- Configuring an Ikev2 Keyring237
- Configuring an Ikev2 Profile238
- Displaying and Maintaining Ikev2240
- Ikev2 Configuration Examples240
  - Configuring Ikev2 Pre-Shared Key Authentication240
  - Configuring Ikev2 Certificate Authentication246
- Troubleshooting Ikev2253
  - No Matching Ikev2 Proposal Found253
  - Ipsec Tunnels Cannot be Set up253
Configuring PKI254
- Overview254
- FIPS Compliance256
- PKI Configuration Task List256
- Configuring an Entity DN257
- Configuring a PKI Domain258
- Requesting a PKI Certificate259
  - Configuring Automatic Certificate Request260
  - Manually Requesting a Certificate261
- Retrieving a Certificate Manually262
- Verifying PKI Certificates262
  - Verifying Certificates with CRL Checking263
  - Verifying Certificates Without CRL Checking263
- Destroying the Local RSA Key Pair263
- Deleting a Certificate264
- Configuring a Certificate Access Control Policy264
- Displaying and Maintaining PKI265
- PKI Configuration Examples265
- Troubleshooting PKI Configurationtroubleshooting PKI Configuration275
Managing Public Keys277
- FIPS Compliance277
- Configuration Task List278
- Creating a Local Asymmetric Key Pair278
- Displaying or Exporting the Local Host Public Key279
- Displaying and Recording the Host Public Key Information280
- Displaying the Host Public Key in a Specific Format and Saving It to a File280
- Exporting the Host Public Key in a Specific Format to a File280
- Destroying a Local Asymmetric Key Pair281
- Configuring the Local RSA Key Pair for Certificate Request281
- Exporting an RSA Key Pair281
- Importing an RSA Key Pair282
- Specifying the Peer Public Key on the Local Device282
- Displaying Public Keys283
- Public Key Configuration Examples283
Configuring RSH291
- Configuration Prerequisites291
- Configuration Procedure291
- RSH Configuration Example291
Configuring Portal Authentication294
- Overview294
- Portal Configuration Task List303
- Configuration Prerequisites305
- Specifying the Portal Server305
  - Specifying the Local Portal Server for Layer 2 Portal Authentication305
  - Specifying a Portal Server for Layer 3 Portal Authentication306
- Configuring the Local Portal Server307
  - Customizing Authentication Pages307
  - Configuring the Local Portal Server310
- Enabling Portal Authentication311
  - Enabling Layer 2 Portal Authentication311
  - Enabling Layer 3 Portal Authentication311
- Controlling Access of Portal Users312
- Configuring RADIUS Related Attributes316
- Specifying a Source IP Address for Outgoing Portal Packets318
- Specifying an Autoredirection URL for Authenticated Portal Users319
- Configuring Portal Detection Functions319
- Logging off Portal Users322
- Including the MAC Address Parameter in the Redirection URL322
- Configuring Mandatory Web Page Pushing323
- Displaying and Maintaining Portal324
- Portal Configuration Examples325
- Troubleshooting Portal346
  - Inconsistent Keys on the Access Device and the Portal Server346
  - Incorrect Server Port Number on the Access Device346
Configuring Firewall347
- Overview347
  - ACL Based Packet-Filter347
  - Aspf348
- Configuring a Packet-Filter Firewall351
- Configuring an ASPF356
Configuring SSH361
- Overview361
- FIPS Compliance363
- Configuring the Device as an SSH Server364
- Configuring the Device as an Stelnet Client369
- Configuring the Device as an SFTP Client371
- Configuring the Device as an SCP Client375
  - SCP Client Configuration Task List375
  - Transferring Files with an SCP Server376
- Displaying and Maintaining SSH376
- Stelnet Configuration Examples377
- SCP Configuration Example394
  - Network Requirements394
  - Configuration Procedure395
Configuring SSL397
- Overview397
  - SSL Security Mechanism397
  - SSL Protocol Stack397
- FIPS Compliance398
- Configuration Task List398
- Configuring an SSL Server Policy399
- Configuring an SSL Client Policy400
- Displaying and Maintaining SSL401
- SSL Server Policy Configuration Example401
- Troubleshooting SSL403
  - SSL Handshake Failure403
Configuring SSL VPN405
- Configuration Procedure406
- SSL VPN Configuration Example406
Configuring a User Profile410
- Overview410
- Configuration Restrictions and Guidelines410
- User Profile Configuration Task List410
- Creating a User Profile410
- Performing Configurations in User Profile View411
- Enabling a User Profile411
- Displaying and Maintaining User Profile411
Configuring ARP Attack Protection412
- Overview412
- ARP Attack Protection Configuration Task List412
- Configuring Unresolvable IP Attack Protection412
- Configuring Source MAC-Based ARP Attack Detection414
  - Displaying and Maintaining Source MAC-Based ARP Attack Detection415
  - Source MAC-Based ARP Attack Detection Configuration Example415
- Configuring ARP Packet Source MAC Consistency Check416
- Configuring ARP Active Acknowledgement416
- Configuring ARP Automatic Scanning and Fixed ARP416
  - Configuration Guidelines417
  - Configuration Procedure417
Configuring IP Source Guard418
- Overview418
  - Static IP Source Guard Binding Entries418
  - Dynamic IP Source Guard Binding Entries419
- Ipv4 Source Guard Configuration Task List419
- Configuring Ipv4 Source Guard419
- Displaying and Maintaining IP Source Guard422
- Static Ipv4 Source Guard Binding Entry Configuration Example422
- Dynamic Ipv4 Source Guard Using DHCP Snooping Configuration Example424
- Troubleshooting IP Source Guard425
Configuring Attack Detection and Protection426
- Overview426
- Attack Detection and Protection Configuration Task List429
- Configuring Attack Protection Functions for an Interface429
- Configuring the Blacklist Function433
- Enabling Traffic Statistics on an Interface434
- Enabling TCP Fragment Attack Protection434
- Displaying and Maintaining Attack Detection and Protection434
- Attack Detection and Protection Configuration Examples435
Configuring TCP Attack Protection440
- Overview440
- Enabling the SYN Cookie Feature440
- Enabling Protection against Naptha Attacks441
- Displaying and Maintaining TCP Attack Protection441
Configuring Connection Limits442
- Overview442
- Connection Limit Configuration Task List442
- Creating a Connection Limit Policy442
- Configuring the Connection Limit Policy442
  - Configuring the Default Connection Limit Action and Parameters442
  - Configuring an ACL-Based Connection Limit Rule443
- Applying the Connection Limit Policy444
- Displaying and Maintaining Connection Limiting444
- Troubleshooting Connection Limiting444
Configuring Password Control446
- Overview446
- FIPS Compliance448
- Password Control Configuration Task List449
- Enabling Password Control449
- Setting Global Password Control Parameters450
- Setting User Group Password Control Parameters451
- Setting Local User Password Control Parameters451
- Setting Super Password Control Parameters452
- Setting a Local User Password in Interactive Mode453
- Displaying and Maintaining Password Control453
- Password Control Configuration Example453
Configuring HABP456
- Configuring an HABP Server457
- Configuring an HABP Client457
- Displaying and Maintaining HABP458
- HABP Configuration Example458
Configuring URPF461
- Overview461
- Configuring URPF463
- URPF Configuration Example464
  - Network Requirements464
  - Configuration Procedure464
Configuring WLAN Client Isolation465
Configuring Group Domain VPN466
- Overview466
- Configuration Restrictions and Guidelines469
- Configuring the GDOI KS470
- Configuring the GDOI GM474
- Group Domain VPN Configuration Example478
- Troubleshooting Group Domain VPN492
Configuring FIPS495
- Overview495
- Hardware Compatibility with FIPS Mode495
- FIPS Self-Tests495
- Configuring FIPS Mode497
- Displaying and Maintaining FIPS498
- FIPS Configuration Example498
Document Conventions and Icons500
- Conventions500
- Network Topology Icons501
Support and Other Resources502
- Accessing Hewlett Packard Enterprise Support502
- Accessing Updates502
Index505

Brand	HPE
Model	FlexNetwork MSR Series
Category	Network Router
Language	English

HPE FlexNetwork MSR Series Comware 5 Security Configuration Guide

Table of Contents

Other manuals for HPE FlexNetwork MSR Series

Questions and Answers:

HPE FlexNetwork MSR Series Specifications

Related product manuals