H3C Technologies H3C S12500-X Series Switches User Manual
Security configuration guide
This manual is related to the following products:
- H3C S5560 Series Switches
- H3C WX6000 Series Access Controllers
- H3C WX5000 Series Access Controllers
- H3C WX3000 Series Unified Switches
- H3C LSWM1WCM10 Access Controller Module
- H3C LSWM1WCM20 Access Controller Module
- H3C LSQM1WCMB0 Access Controller Module
- H3C LSRM1WCM2A1 Access Controller Module
- H3C LSBM1WCM2A0 Access Controller Module
- H3C S9800 Series Switches
- H3C S5130 Series Switches
- H3C S5120 Series Switches
Table of contents
- Title Page
- Preface
- Contents
- Configuring AAA
  - Overview
  - FIPS compliance
  - AAA configuration considerations and task list
  - Configuring AAA schemes
    - Configuring local users
    - Configuring RADIUS schemes
      - Configuration task list
      - Creating a RADIUS scheme
      - Specifying the RADIUS authentication servers
      - Specifying the RADIUS accounting servers and the relevant parameters
      - Specifying the shared keys for secure RADIUS communication
      - Specifying a VPN for the scheme
      - Setting the username format and traffic statistics units
      - Setting the maximum number of RADIUS request transmission attempts
      - Setting the status of RADIUS servers
      - Specifying the source IP address for outgoing RADIUS packets
      - Setting RADIUS timers
      - Configuring the accounting-on feature
      - Configuring the IP addresses of the security policy servers
      - Enabling SNMP notifications for RADIUS
      - Displaying and maintaining RADIUS
    - Configuring HWTACACS schemes
      - Configuration task list
      - Creating an HWTACACS scheme
      - Specifying the HWTACACS authentication servers
      - Specifying the HWTACACS authorization servers
      - Specifying the HWTACACS accounting servers
      - Specifying the shared keys for secure HWTACACS communication
      - Specifying a VPN for the scheme
      - Setting the username format and traffic statistics units
      - Specifying the source IP address for outgoing HWTACACS packets
      - Setting HWTACACS timers
      - Displaying and maintaining HWTACACS
    - Configuring LDAP schemes
      - Configuration task list
      - Creating an LDAP server
      - Configuring the IP address of the LDAP server
      - Specifying the LDAP version
      - Setting the LDAP server timeout period
      - Configuring administrator attributes
      - Configuring LDAP user attributes
      - Creating an LDAP scheme
      - Specifying the LDAP authentication server
      - Displaying and maintaining LDAP
  - Configuring AAA methods for ISP domains
  - Enabling the session-control feature
  - Setting the maximum number of concurrent login users
  - Displaying and maintaining AAA
  - AAA for SSH users by an HWTACACS server
  - Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users
  - Authentication and authorization for SSH users by a RADIUS server
  - Authentication for SSH users by an LDAP server
  - Troubleshooting RADIUS
  - Troubleshooting HWTACACS
  - Troubleshooting LDAP
- 802.1X overview
- Configuring 802.1X
  - H3C implementation of 802.1X
  - Configuration prerequisites
  - 802.1X configuration task list
  - Enabling 802.1X
  - Enabling EAP relay or EAP termination
  - Setting the port authorization state
  - Specifying an access control method
  - Setting the maximum number of concurrent 802.1X users on a port
  - Setting the maximum number of authentication request attempts
  - Setting the 802.1X authentication timeout timers
  - Configuring the online user handshake function
  - Configuring the authentication trigger function
  - Specifying a mandatory authentication domain on a port
  - Configuring the quiet timer
  - Enabling the periodic online user re-authentication function
  - Displaying and maintaining 802.1X
  - 802.1X authentication configuration example
- Configuring MAC authentication
  - Overview
  - Configuration prerequisites
  - Configuration task list
  - Enabling MAC authentication
  - Specifying a MAC authentication domain
  - Configuring the user account format
  - Configuring MAC authentication timers
  - Setting the maximum number of concurrent MAC authentication users on a port
  - Configuring MAC authentication delay
  - Displaying and maintaining MAC authentication
  - MAC authentication configuration examples
- Configuring port security
  - Overview
  - Configuration task list
  - Enabling port security
  - Setting port security's limit on the number of secure MAC addresses on a port
  - Setting the port security mode
  - Configuring port security features
  - Configuring secure MAC addresses
  - Ignoring authorization information from the server
  - Enabling MAC move
  - Displaying and maintaining port security
  - Port security configuration examples
  - Troubleshooting port security
- Configuring password control
  - Overview
  - FIPS compliance
  - Password control configuration task list
  - Enabling password control
  - Setting global password control parameters
  - Setting user group password control parameters
  - Setting local user password control parameters
  - Setting super password control parameters
  - Displaying and maintaining password control
  - Password control configuration example
- Managing public keys
- Configuring IPsec
  - Overview
  - IPsec tunnel establishment
  - Implementing ACL-based IPsec
  - Feature restrictions and guidelines
  - ACL-based IPsec configuration task list
  - Configuring an ACL
  - Configuring an IPsec transform set
  - Configuring a manual IPsec policy
  - Configuring an IKE-based IPsec policy
  - Applying an IPsec policy to an interface
  - Enabling ACL checking for de-encapsulated packets
  - Configuring the IPsec anti-replay function
  - Binding a source interface to an IPsec policy
  - Enabling QoS pre-classify
  - Enabling logging of IPsec packets
  - Configuring the DF bit of IPsec packets
  - Configuring SNMP notifications for IPsec
  - Displaying and maintaining IPsec
  - IPsec configuration examples
- Configuring IKE
  - Overview
  - IKE configuration prerequisites
  - IKE configuration task list
  - Configuring an IKE profile
  - Configuring an IKE proposal
  - Configuring an IKE keychain
  - Configuring the global identity information
  - Configuring the IKE keepalive function
  - Configuring the IKE NAT keepalive function
  - Configuring IKE DPD
  - Enabling invalid SPI recovery
  - Setting the maximum number of IKE SAs
  - Configuring SNMP notifications for IKE
  - Displaying and maintaining IKE
  - Main mode IKE with pre-shared key authentication configuration example
  - Troubleshooting IKE
- Configuring SSH
  - Overview
  - FIPS compliance
  - Configuring the device as an SSH server
  - Configuring the device as an Stelnet client
  - Configuring the device as an SFTP client
  - Configuring the device as an SCP client
  - Displaying and maintaining SSH
  - Stelnet configuration examples
  - SFTP configuration examples
  - SCP configuration examples
- Configuring IP source guard
  - Overview
  - IP source guard configuration task list
  - Configuring the IPv4 source guard function
  - Configuring the IPv6 source guard function
  - Displaying and maintaining IP source guard
  - IP source guard configuration examples
- Configuring ARP attack protection
  - ARP attack protection configuration task list
  - Configuring unresolvable IP attack protection
  - Configuring ARP packet rate limit
  - Configuring source MAC-based ARP attack detection
  - Configuring ARP packet source MAC consistency check
  - Configuring ARP active acknowledgement
  - Configuring authorized ARP
  - Configuring ARP detection
  - Configuring ARP automatic scanning and fixed ARP
  - Configuring ARP gateway protection
  - Configuring ARP filtering
- Configuring uRPF
- Configuring crypto engines
- Configuring FIPS
  - Overview
  - Configuration restrictions and guidelines
  - Configuring FIPS mode
  - FIPS self-tests
  - Displaying and maintaining FIPS
  - FIPS configuration examples