HPE FlexNetwork 7500 Series Security Configuration Manual page 13

Exiting FIPS mode through manual reboot ···························································································· 474
Configuring MACsec ··················································································· 476
Overview ························································································································································ 476
Basic concepts ······································································································································· 476
MACsec services ··································································································································· 476
MACsec applications ······························································································································ 477
MACsec operating mechanism ·············································································································· 477
Protocols and standards ························································································································ 479
Feature and hardware compatibility ··············································································································· 479
General restrictions and guidelines ················································································································ 479
MACsec configuration task list ······················································································································· 480
Enabling MKA ················································································································································ 480
Enabling MACsec desire ································································································································ 480
Configuring a preshared key ·························································································································· 481
Configuring the MKA key server priority ········································································································ 481
Configuring MACsec protection parameters in interface view ······································································· 482
Configuring the MACsec confidentiality offset ························································································ 482
Configuring MACsec replay protection ··································································································· 482
Configuring the MACsec validation mode ······························································································ 483
Configuring MACsec protection parameters by MKA policy ·········································································· 483
Configuring an MKA policy ····················································································································· 483
Applying an MKA policy ························································································································· 484
Displaying and maintaining MACsec ············································································································· 484
MACsec configuration examples ··················································································································· 485
Client-oriented MACsec configuration example (host as client) ····························································· 485
Client-oriented MACsec configuration example (device as client) ························································· 488
Device-oriented MACsec configuration example ··················································································· 491
Troubleshooting MACsec ······························································································································· 494
Cannot establish MKA sessions between MACsec devices ·································································· 494
Configuring 802.1X client ············································································ 496
802.1X client configuration task list ················································································································ 496
Enabling the 802.1X client feature ················································································································· 496
Configuring an 802.1X client username and password ················································································· 497
Configuring an 802.1X client MAC address ··································································································· 497
Specifying an 802.1X client EAP authentication method ··············································································· 498
Configuring an 802.1X client anonymous identifier ························································································ 498
Specifying an SSL client policy ······················································································································ 499
Displaying and maintaining 802.1X client ······································································································ 499
Configuring Web authentication ·································································· 500
Overview ························································································································································ 500
Web authentication types ······················································································································· 500
Advantages of Web authentication ········································································································ 500
Web authentication system ···················································································································· 500
Web authentication process ··················································································································· 501
Web authentication task list ··························································································································· 502
Configuration prerequisites ···························································································································· 502
Configuring the Web authentication server ···································································································· 503
Enabling Web authentication ························································································································· 503
Specifying a Web authentication domain ······································································································· 504
Setting the redirection wait time ····················································································································· 504
Configuring a Web authentication-free subnet ······························································································· 505
Setting the maximum number of Web authentication users ·········································································· 505
Configuring online Web authentication user detection ··················································································· 505
Configuring an Auth-Fail VLAN ······················································································································ 506
Configuring Web authentication to support Web proxy ·················································································· 506
Displaying and maintaining Web authentication ···························································································· 507
Web authentication configuration examples ·································································································· 507
Web authentication using the local authentication server ······································································ 507
Web authentication using the RADIUS authentication server ································································ 509
xi