H3C Technologies H3C S6300 Series Switches User Manual
Security configuration guide
Document Outline
- Title Page
- Preface
- Contents
- Configuring AAA
- Overview
- FIPS compliance
- AAA configuration considerations and task list
- Configuring AAA schemes
- Configuring local users
- Configuring RADIUS schemes
- Configuration task list
- Creating a RADIUS scheme
- Specifying the RADIUS authentication servers
- Specifying the RADIUS accounting servers and the relevant parameters
- Specifying the shared keys for secure RADIUS communication
- Setting the username format and traffic statistics units
- Setting the maximum number of RADIUS request transmission attempts
- Setting the status of RADIUS servers
- Specifying the source IP address for outgoing RADIUS packets
- Setting RADIUS timers
- Configuring the accounting-on feature
- Configuring the IP addresses of the security policy servers
- Configuring the Login-Service attribute check method for SSH, FTP, and terminal users
- Enabling SNMP notifications for RADIUS
- Displaying and maintaining RADIUS
- Configuring HWTACACS schemes
- Configuration task list
- Creating an HWTACACS scheme
- Specifying the HWTACACS authentication servers
- Specifying the HWTACACS authorization servers
- Specifying the HWTACACS accounting servers
- Specifying the shared keys for secure HWTACACS communication
- Setting the username format and traffic statistics units
- Specifying the source IP address for outgoing HWTACACS packets
- Setting HWTACACS timers
- Displaying and maintaining HWTACACS
- Configuring LDAP schemes
- Configuration task list
- Creating an LDAP server
- Configuring the IP address of the LDAP server
- Specifying the LDAP version
- Setting the LDAP server timeout period
- Configuring administrator attributes
- Configuring LDAP user attributes
- Creating an LDAP scheme
- Specifying the LDAP authentication server
- Displaying and maintaining LDAP
- Configuring AAA methods for ISP domains
- Enabling the session-control feature
- Setting the maximum number of concurrent login users
- Displaying and maintaining AAA
- AAA configuration examples
- Troubleshooting RADIUS
- Troubleshooting HWTACACS
- Troubleshooting LDAP
- 802.1X overview
- Configuring 802.1X
- H3C implementation of 802.1X
- Configuration prerequisites
- 802.1X configuration task list
- Enabling 802.1X
- Enabling EAP relay or EAP termination
- Setting the port authorization state
- Specifying an access control method
- Setting the maximum number of concurrent 802.1X users on a port
- Setting the maximum number of authentication request attempts
- Setting the 802.1X authentication timeout timers
- Configuring the online user handshake function
- Configuring the authentication trigger function
- Specifying a mandatory authentication domain on a port
- Configuring the quiet timer
- Enabling the periodic online user re-authentication function
- Displaying and maintaining 802.1X
- 802.1X authentication configuration example
- Configuring MAC authentication
- Overview
- Configuration prerequisites
- Configuration task list
- Enabling MAC authentication
- Specifying a MAC authentication domain
- Configuring the user account format
- Configuring MAC authentication timers
- Setting the maximum number of concurrent MAC authentication users on a port
- Configuring MAC authentication delay
- Displaying and maintaining MAC authentication
- MAC authentication configuration examples
- Configuring portal authentication
- Overview
- Portal configuration task list
- Configuration prerequisites
- Configuring a portal authentication server
- Configuring a portal Web server
- Enabling portal authentication on an interface
- Referencing a portal Web server for an interface
- Controlling portal user access
- Configuring portal detection functions
- Configuring the portal fail-permit function
- Configuring BAS-IP for unsolicited portal packets sent to the portal authentication server
- Enabling portal roaming
- Logging out portal users
- Displaying and maintaining portal
- Portal configuration examples
- Configuring direct portal authentication
- Configuring re-DHCP portal authentication
- Configuring cross-subnet portal authentication
- Configuring extended direct portal authentication
- Configuring extended re-DHCP portal authentication
- Configuring extended cross-subnet portal authentication
- Configuring portal server detection and portal user synchronization
- Troubleshooting portal
- Configuring port security
- Overview
- Configuration task list
- Enabling port security
- Setting port security's limit on the number of secure MAC addresses on a port
- Setting the port security mode
- Configuring port security features
- Configuring secure MAC addresses
- Ignoring authorization information from the server
- Enabling MAC move
- Displaying and maintaining port security
- Port security configuration examples
- Troubleshooting port security
- Configuring password control
- Overview
- FIPS compliance
- Password control configuration task list
- Enabling password control
- Setting global password control parameters
- Setting user group password control parameters
- Setting local user password control parameters
- Setting super password control parameters
- Displaying and maintaining password control
- Password control configuration example
- Managing public keys
- Configuring PKI
- Overview
- FIPS compliance
- PKI configuration task list
- Configuring a PKI entity
- Configuring a PKI domain
- Requesting a certificate
- Aborting a certificate request
- Obtaining certificates
- Verifying PKI certificates
- Specifying the storage path for the certificates and CRLs
- Exporting certificates
- Removing a certificate
- Configuring a certificate access control policy
- Displaying and maintaining PKI
- PKI configuration examples
- Troubleshooting PKI configuration
- Configuring IPsec
- Overview
- IPsec tunnel establishment
- Implementing ACL-based IPsec
- Feature restrictions and guidelines
- ACL-based IPsec configuration task list
- Configuring an ACL
- Configuring an IPsec transform set
- Configuring a manual IPsec policy
- Configuring an IKE-based IPsec policy
- Applying an IPsec policy to an interface
- Enabling ACL checking for de-encapsulated packets
- Configuring the IPsec anti-replay function
- Binding a source interface to an IPsec policy
- Enabling QoS pre-classify
- Enabling logging of IPsec packets
- Configuring the DF bit of IPsec packets
- Configuring IPsec for IPv6 routing protocols
- Configuring SNMP notifications for IPsec
- Displaying and maintaining IPsec
- IPsec configuration examples
- Configuring IKE
- Overview
- FIPS compliance
- IKE configuration prerequisites
- IKE configuration task list
- Configuring an IKE profile
- Configuring an IKE proposal
- Configuring an IKE keychain
- Configuring the global identity information
- Configuring the IKE keepalive function
- Configuring the IKE NAT keepalive function
- Configuring IKE DPD
- Enabling invalid SPI recovery
- Setting the maximum number of IKE SAs
- Configuring SNMP notifications for IKE
- Displaying and maintaining IKE
- IKE configuration examples
- Troubleshooting IKE
- Configuring SSH
- Overview
- FIPS compliance
- Configuring the device as an SSH server
- Configuring the device as an Stelnet client
- Configuring the device as an SFTP client
- Configuring the device as an SCP client
- Displaying and maintaining SSH
- Stelnet configuration examples
- SFTP configuration examples
- SCP configuration examples
- NETCONF over SSH configuration example with password authentication
- Configuring SSL
- Configuring IP source guard
- Overview
- IP source guard configuration task list
- Configuring the IPv4 source guard feature
- Configuring the IPv6 source guard feature
- Displaying and maintaining IP source guard
- IP source guard configuration examples
- Configuring ARP attack protection
- ARP attack protection configuration task list
- Configuring unresolvable IP attack protection
- Configuring ARP packet rate limit
- Configuring source MAC-based ARP attack detection
- Configuring ARP packet source MAC consistency check
- Configuring ARP active acknowledgement
- Configuring authorized ARP
- Configuring ARP detection
- Configuring ARP scanning and fixed ARP
- Configuring ARP gateway protection
- Configuring ARP filtering
- Configuring MFF
- Configuring crypto engines
- Configuring FIPS
- Overview
- Configuration restrictions and guidelines
- Configuring FIPS mode
- FIPS self-tests
- Displaying and maintaining FIPS
- FIPS configuration examples
- Index