To Next Page

To Previous Page

391

{ If the server’s certificate cannot be trusted, install the root certificate of the CA that issued

the local certificate to the SSL server on the SSL client, or let the server request a certificate

from the CA that the SSL client trusts.

{ If the SSL server is configured to authenticate the client, but the SSL client has no certificate

or the certificate cannot be trusted, request and install a certificate for the client.

2. Use the display ssl server-policy command to view the cipher suites that the SSL server

policy supports. If the server and the client have no matching cipher suite, use the ciphersuite

command to modify the cipher suite configuration of the SSL server.

Default Chapter3
- Table of Contents3
Security Overview14
- Network Security Threats14
- Network Security Services14
- Network Security Technologies14
Configuring AAA19
- Overview19
- FIPS Compliance33
- AAA Configuration Considerations and Task List33
- Configuring AAA Schemes35
- Configuring AAA Methods for ISP Domains56
- Tearing down User Connections65
- Configuring a NAS ID-VLAN Binding66
- Configuring the Router as a RADIUS Server66
- Displaying and Maintaining AAA68
- AAA Configuration Examples68
- Troubleshooting AAA88
  - Troubleshooting RADIUS88
  - Troubleshooting HWTACACS90
802.1X Overview91
- 802.1X Architecture91
- Controlled/Uncontrolled Port and Port Authorization Status91
- 802.1X-Related Protocols92
  - Packet Formats92
  - EAP over RADIUS93
- Initiating 802.1X Authentication94
  - 802.1X Client as the Initiator94
  - Access Device as the Initiator94
- 802.1X Authentication Procedures94
Configuring 802.1X99
- Hewlett Packard Enterprise Implementation of 802.1X99
  - Access Control Methods99
  - Using 802.1X Authentication with Other Features99
- Configuration Prerequisites102
- 802.1X Configuration Task List102
- Enabling 802.1X103
- Enabling EAP Relay or EAP Termination103
- Setting the Port Authorization State104
- Specifying an Access Control Method105
- Setting the Maximum Number of Concurrent 802.1X Users on a Port105
- Setting the Maximum Number of Authentication Request Attempts106
- Setting the 802.1X Authentication Timeout Timers106
- Configuring the Online User Handshake Function106
  - Configuration Guidelines107
  - Configuration Procedure107
- Enabling the Proxy Detection Function107
- Configuring the Authentication Trigger Function108
  - Configuration Guidelines108
  - Configuration Procedure108
- Specifying a Mandatory Authentication Domain on a Port109
- Configuring the Quiet Timer109
- Enabling the Periodic Online User Re-Authentication Function110
- Configuring an 802.1X Guest VLAN110
  - Configuration Guidelines110
  - Configuration Prerequisites111
  - Configuration Procedure111
- Configuring an Auth-Fail VLAN111
  - Configuration Guidelines111
- Configuring an 802.1X Critical VLAN112
  - Configuration Guidelines112
  - Configuration Prerequisites112
  - Configuration Procedure112
- Specifying Supported Domain Name Delimiters113
- Configuring 802.1X MAC Address Binding113
- Displaying and Maintaining 802.1X114
- 802.1X Authentication Configuration Example114
  - Network Requirements114
  - Configuration Procedure115
  - Verifying the Configuration116
- Guest VLAN and VLAN Assignment Configuration Example116
  - Network Requirements116
  - Configuration Procedure117
  - Verifying the Configuration119
- With ACL Assignment Configuration Example119
  - Network Requirements119
  - Configuration Procedure119
  - Verifying the Configuration120
Configuring EAD Fast Deployment121
- Overview121
  - Free IP121
  - URL Redirection121
- Hardware Compatibility with EAD Fast Deployment121
- Configuration Prerequisites122
- Configuring a Free IP122
- Configuring the Redirect URL122
- Setting the EAD Rule Timer122
- Displaying and Maintaining EAD Fast Deployment123
- EAD Fast Deployment Configuration Example123
- Troubleshooting EAD Fast Deployment125
  - Web Browser Users Cannot be Correctly Redirected125
Configuring MAC Authentication127
- Overview127
- Using MAC Authentication with Other Features128
  - VLAN Assignment128
  - ACL Assignment128
- Configuration Task List129
- Basic Configuration for MAC Authentication129
  - Configuring MAC Authentication Globally129
  - Configuring MAC Authentication on a Port130
- Specifying a MAC Authentication Domain131
- Configuring MAC Authentication Delay131
- Displaying and Maintaining MAC Authentication132
- MAC Authentication Configuration Examples132
Configuring Port Security138
- Overview138
- Configuration Task List142
- Enabling Port Security142
- Setting Port Security's Limit on the Number of MAC Addresses on a Port143
- Setting the Port Security Mode143
  - Configuration Prerequisites144
  - Configuration Procedure144
- Configuring Port Security Features145
- Configuring Secure MAC Addresses147
  - Configuration Prerequisites148
  - Configuration Procedure148
- Configuring Port Security for WLAN Ports148
- Ignoring Authorization Information from the Server150
- Displaying and Maintaining Port Security150
- Port Security Configuration Examples151
- Troubleshooting Port Security160
Configuring Ipsec162
- Overview162
- FIPS Compliance167
- Implementing Ipsec167
- Implementing ACL-Based Ipsec168
- Implementing Tunnel Interface-Based Ipsec186
- Configuring Ipsec for Ipv6 Routing Protocols190
- Displaying and Maintaining Ipsec191
- Ipsec Configuration Examples192
Configuring IKE213
- Overview213
- FIPS Compliance215
- IKE Configuration Task List216
- Configuring a Name for the Local Security Gateway216
- Configuring an IKE Proposal217
- Configuring an IKE Peer218
- Setting Keepalive Timers220
- Setting the NAT Keepalive Timer220
- Configuring a DPD Detector221
- Disabling Next Payload Field Checking221
- Displaying and Maintaining IKE222
- IKE Configuration Examples222
  - Configuring Main Mode IKE with Pre-Shared Key Authentication222
  - Configuring Aggressive Mode IKE with NAT Traversal226
- Troubleshooting IKE229
Configuring Ikev2232
- Overview232
  - New Features in Ikev2232
  - Protocols and Standards233
- Ikev2 Configuration Task List233
- Configuring Global Ikev2 Parameters234
- Configuring an Ikev2 Proposal236
- Configuring an Ikev2 Policy236
- Configuring an Ikev2 Keyring237
- Configuring an Ikev2 Profile238
- Displaying and Maintaining Ikev2240
- Ikev2 Configuration Examples240
  - Configuring Ikev2 Pre-Shared Key Authentication240
  - Configuring Ikev2 Certificate Authentication246
- Troubleshooting Ikev2253
  - No Matching Ikev2 Proposal Found253
  - Ipsec Tunnels Cannot be Set up253
Configuring PKI254
- Overview254
- FIPS Compliance256
- PKI Configuration Task List256
- Configuring an Entity DN257
- Configuring a PKI Domain258
- Requesting a PKI Certificate259
  - Configuring Automatic Certificate Request260
  - Manually Requesting a Certificate261
- Retrieving a Certificate Manually262
- Verifying PKI Certificates262
  - Verifying Certificates with CRL Checking263
  - Verifying Certificates Without CRL Checking263
- Destroying the Local RSA Key Pair263
- Deleting a Certificate264
- Configuring a Certificate Access Control Policy264
- Displaying and Maintaining PKI265
- PKI Configuration Examples265
- Troubleshooting PKI Configurationtroubleshooting PKI Configuration275
Managing Public Keys277
- FIPS Compliance277
- Configuration Task List278
- Creating a Local Asymmetric Key Pair278
- Displaying or Exporting the Local Host Public Key279
- Displaying and Recording the Host Public Key Information280
- Displaying the Host Public Key in a Specific Format and Saving It to a File280
- Exporting the Host Public Key in a Specific Format to a File280
- Destroying a Local Asymmetric Key Pair281
- Configuring the Local RSA Key Pair for Certificate Request281
- Exporting an RSA Key Pair281
- Importing an RSA Key Pair282
- Specifying the Peer Public Key on the Local Device282
- Displaying Public Keys283
- Public Key Configuration Examples283
Configuring RSH291
- Configuration Prerequisites291
- Configuration Procedure291
- RSH Configuration Example291
Configuring Portal Authentication294
- Overview294
- Portal Configuration Task List303
- Configuration Prerequisites305
- Specifying the Portal Server305
  - Specifying the Local Portal Server for Layer 2 Portal Authentication305
  - Specifying a Portal Server for Layer 3 Portal Authentication306
- Configuring the Local Portal Server307
  - Customizing Authentication Pages307
  - Configuring the Local Portal Server310
- Enabling Portal Authentication311
  - Enabling Layer 2 Portal Authentication311
  - Enabling Layer 3 Portal Authentication311
- Controlling Access of Portal Users312
- Configuring RADIUS Related Attributes316
- Specifying a Source IP Address for Outgoing Portal Packets318
- Specifying an Autoredirection URL for Authenticated Portal Users319
- Configuring Portal Detection Functions319
- Logging off Portal Users322
- Including the MAC Address Parameter in the Redirection URL322
- Configuring Mandatory Web Page Pushing323
- Displaying and Maintaining Portal324
- Portal Configuration Examples325
- Troubleshooting Portal346
  - Inconsistent Keys on the Access Device and the Portal Server346
  - Incorrect Server Port Number on the Access Device346
Configuring Firewall347
- Overview347
  - ACL Based Packet-Filter347
  - Aspf348
- Configuring a Packet-Filter Firewall351
- Configuring an ASPF356
Configuring SSH361
- Overview361
- FIPS Compliance363
- Configuring the Device as an SSH Server364
- Configuring the Device as an Stelnet Client369
- Configuring the Device as an SFTP Client371
- Configuring the Device as an SCP Client375
  - SCP Client Configuration Task List375
  - Transferring Files with an SCP Server376
- Displaying and Maintaining SSH376
- Stelnet Configuration Examples377
- SCP Configuration Example394
  - Network Requirements394
  - Configuration Procedure395
Configuring SSL397
- Overview397
  - SSL Security Mechanism397
  - SSL Protocol Stack397
- FIPS Compliance398
- Configuration Task List398
- Configuring an SSL Server Policy399
- Configuring an SSL Client Policy400
- Displaying and Maintaining SSL401
- SSL Server Policy Configuration Example401
- Troubleshooting SSL403
  - SSL Handshake Failure403
Configuring SSL VPN405
- Configuration Procedure406
- SSL VPN Configuration Example406
Configuring a User Profile410
- Overview410
- Configuration Restrictions and Guidelines410
- User Profile Configuration Task List410
- Creating a User Profile410
- Performing Configurations in User Profile View411
- Enabling a User Profile411
- Displaying and Maintaining User Profile411
Configuring ARP Attack Protection412
- Overview412
- ARP Attack Protection Configuration Task List412
- Configuring Unresolvable IP Attack Protection412
- Configuring Source MAC-Based ARP Attack Detection414
  - Displaying and Maintaining Source MAC-Based ARP Attack Detection415
  - Source MAC-Based ARP Attack Detection Configuration Example415
- Configuring ARP Packet Source MAC Consistency Check416
- Configuring ARP Active Acknowledgement416
- Configuring ARP Automatic Scanning and Fixed ARP416
  - Configuration Guidelines417
  - Configuration Procedure417
Configuring IP Source Guard418
- Overview418
  - Static IP Source Guard Binding Entries418
  - Dynamic IP Source Guard Binding Entries419
- Ipv4 Source Guard Configuration Task List419
- Configuring Ipv4 Source Guard419
- Displaying and Maintaining IP Source Guard422
- Static Ipv4 Source Guard Binding Entry Configuration Example422
- Dynamic Ipv4 Source Guard Using DHCP Snooping Configuration Example424
- Troubleshooting IP Source Guard425
Configuring Attack Detection and Protection426
- Overview426
- Attack Detection and Protection Configuration Task List429
- Configuring Attack Protection Functions for an Interface429
- Configuring the Blacklist Function433
- Enabling Traffic Statistics on an Interface434
- Enabling TCP Fragment Attack Protection434
- Displaying and Maintaining Attack Detection and Protection434
- Attack Detection and Protection Configuration Examples435
Configuring TCP Attack Protection440
- Overview440
- Enabling the SYN Cookie Feature440
- Enabling Protection against Naptha Attacks441
- Displaying and Maintaining TCP Attack Protection441
Configuring Connection Limits442
- Overview442
- Connection Limit Configuration Task List442
- Creating a Connection Limit Policy442
- Configuring the Connection Limit Policy442
  - Configuring the Default Connection Limit Action and Parameters442
  - Configuring an ACL-Based Connection Limit Rule443
- Applying the Connection Limit Policy444
- Displaying and Maintaining Connection Limiting444
- Troubleshooting Connection Limiting444
Configuring Password Control446
- Overview446
- FIPS Compliance448
- Password Control Configuration Task List449
- Enabling Password Control449
- Setting Global Password Control Parameters450
- Setting User Group Password Control Parameters451
- Setting Local User Password Control Parameters451
- Setting Super Password Control Parameters452
- Setting a Local User Password in Interactive Mode453
- Displaying and Maintaining Password Control453
- Password Control Configuration Example453
Configuring HABP456
- Configuring an HABP Server457
- Configuring an HABP Client457
- Displaying and Maintaining HABP458
- HABP Configuration Example458
Configuring URPF461
- Overview461
- Configuring URPF463
- URPF Configuration Example464
  - Network Requirements464
  - Configuration Procedure464
Configuring WLAN Client Isolation465
Configuring Group Domain VPN466
- Overview466
- Configuration Restrictions and Guidelines469
- Configuring the GDOI KS470
- Configuring the GDOI GM474
- Group Domain VPN Configuration Example478
- Troubleshooting Group Domain VPN492
Configuring FIPS495
- Overview495
- Hardware Compatibility with FIPS Mode495
- FIPS Self-Tests495
- Configuring FIPS Mode497
- Displaying and Maintaining FIPS498
- FIPS Configuration Example498
Document Conventions and Icons500
- Conventions500
- Network Topology Icons501
Support and Other Resources502
- Accessing Hewlett Packard Enterprise Support502
- Accessing Updates502
Index505

Brand	HPE
Model	FlexNetwork MSR Series
Category	Network Router
Language	English

HPE FlexNetwork MSR Series Comware 5 Security Configuration Guide

Table of Contents

Other manuals for HPE FlexNetwork MSR Series

Questions and Answers:

HPE FlexNetwork MSR Series Specifications

Related product manuals