HP FlexFabric 5930 Switch Series Security Configuration Guide
Part number: 5998-4629
Software version: Release 2406 & Release 2407P01
Document version: 6W101-20140404...
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
Contents
Configuring AAA ..... 1
  Overview ..... 1
    RADIUS ..... 2
    HWTACACS ..... 7
    AAA implementation on the device ..... 9
    AAA for MPLS L3VPNs ..... 11
    Protocols and standards ..... 11
    RADIUS attributes ..... 11
...
  Enabling password control ..... 52
  Setting global password control parameters ..... 53
  Setting user group password control parameters ..... 54
  Setting local user password control parameters ..... 54
  Setting super password control parameters ..... 55
  Displaying and maintaining password control ..... ...
  PKI configuration examples ..... 83
    Certificate request from an RSA Keon CA server ..... 83
    Certificate request from a Windows 2003 CA server ..... 86
    Certificate request from an OpenCA server ..... 89
    Certificate import and export configuration example ..... 92
...
    SSL security mechanism ..... 138
    SSL protocol stack ..... 138
  SSL configuration task list ..... 139
  Configuring an SSL server policy ..... 139
  Configuring an SSL client policy ..... 140
  Displaying and maintaining SSL ..... 141
...
    Configuration guidelines ..... 166
    Configuration procedure ..... 166
    Configuration example ..... 166
Support and other resources ..... 168
  Contacting HP ..... 168
    Subscription service ..... 168
  Related information ..... 168
    Documents ..... 168
...
Configuring AAA

Overview

Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It specifies the following security functions:
• Authentication—Identifies users and verifies their validity.
• Authorization—Grants different users different rights and controls their access to resources and ...
RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access. The RADIUS authorization process is combined with the RADIUS authentication process, and user authorization information is piggybacked in authentication responses.
Basic RADIUS packet exchange process

Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.

Figure 3 Basic RADIUS packet exchange process

RADIUS operates in the following workflow. The host sends a connection request that includes the user's username and password to the RADIUS client.
RADIUS packet format

RADIUS uses UDP to transmit packets. To ensure smooth packet exchange between the RADIUS server and the client, RADIUS uses a series of mechanisms, including the timer mechanism, the retransmission mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet format.
• The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS server and to encrypt user passwords. There are two types of authenticators: request authenticator and response authenticator.
• The Attributes field (variable in length) includes specific authentication, authorization, and accounting information.
• Vendor-ID—ID of the vendor. Its most significant byte is 0; the other three bytes contain a code compliant with RFC 1700.
• Vendor-Type—Type of the sub-attribute.
• Vendor-Length—Length of the sub-attribute.
• Vendor-Data—Contents of the sub-attribute.
For more information about the proprietary RADIUS sub-attributes of HP, see "HP proprietary RADIUS sub-attributes."...
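The following Python script is an added example, not code from the HP guide, that puts the packet format described above into working form: it builds an Access-Request whose User-Password attribute is hidden under the Request Authenticator as RFC 2865 specifies, encodes and decodes an attribute 26 (Vendor-Specific) with the Vendor-ID, Vendor-Type, Vendor-Length and Vendor-Data layout described above, and checks a Response Authenticator the way a NAS must before it trusts an Access-Accept. The shared key expert (the value the guide's own configuration examples use), the Vendor-ID 25506, the sub-attribute number and the user are constructed sample values for this example. Note what the format does and does not protect: only User-Password is obfuscated, every other attribute travels in clear over UDP, and the only thing that binds a response to the shared key is an MD5 over it, so the key should be long and random and the path between NAS and server should be trusted.

```python
"""RADIUS packet handling (added example, not from the HP guide).
Sample values below (shared key, Vendor-ID, sub-attribute number, user) are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
SAMPLE_SECRET = b"expert"   # the guide's example key; use a long random key in practice
SAMPLE_VENDOR_ID = 25506    # assumed Vendor-ID for this example (must fit in 3 bytes)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to a multiple of 16, XOR each block with
    MD5(secret + previous ciphertext block), chain seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ q for p, q in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(p ^ q for p, q in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type (1 byte), Length (1 byte, covers the 2 header bytes), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    """Attribute 26: Vendor-ID (4 bytes, most significant byte 0) followed by one
    sub-attribute: Vendor-Type, Vendor-Length (type + length + data), Vendor-Data."""
    if vendor_id >> 24:
        raise ValueError("Vendor-ID must fit in 3 bytes")
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def decode_attrs(payload: bytes) -> list:
    """Walk the Attributes field; reject truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, payload[i + 2:i + length]))
        i += length
    return attrs


def decode_vsa(value: bytes) -> tuple:
    """Split an attribute 26 value into (Vendor-ID, Vendor-Type, Vendor-Data)."""
    if len(value) < 6:
        raise ValueError("VSA too short")
    vendor_id, vendor_type, vendor_len = struct.unpack("!IBB", value[:6])
    if vendor_id >> 24 or vendor_len != len(value) - 4:
        raise ValueError("malformed Vendor-Specific attribute")
    return vendor_id, vendor_type, value[6:]


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code (1), Identifier (1), Length (2), Authenticator (16), Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(ident, username, password, secret, request_auth, extra=b""):
    attrs = encode_attr(ATTR_USER_NAME, username)
    attrs += encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs + extra)


def build_response(code, ident, attrs, request_auth, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return build_packet(code, ident, resp_auth, attrs)


def verify_response(packet, ident, request_auth, secret) -> bool:
    """Client-side check: Identifier must match an outstanding request and the
    Response Authenticator must recompute with the key and that request's Authenticator."""
    if len(packet) < 20:
        return False
    _code, pkt_ident, length = struct.unpack("!BBH", packet[:4])
    if pkt_ident != ident or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    ra = os.urandom(16)   # Request Authenticator: must be unpredictable per request
    req = build_access_request(7, b"hello@bbb", b"s3cret", SAMPLE_SECRET, ra,
                               encode_vsa(SAMPLE_VENDOR_ID, 1, b"1000000"))
    for t, v in decode_attrs(req[20:]):
        print(t, reveal_password(v, SAMPLE_SECRET, ra) if t == ATTR_USER_PASSWORD
              else decode_vsa(v) if t == ATTR_VENDOR_SPECIFIC else v)
    accept = build_response(ACCESS_ACCEPT, 7, b"", ra, SAMPLE_SECRET)
    print(verify_response(accept, 7, ra, SAMPLE_SECRET), verify_response(accept, 7, ra, b"wrong"))
```

Running the script prints the recovered password and decoded VSA, then True and False for the accept checked with the right and the wrong key. The identifier check in verify_response matters as much as the MD5: a captured Access-Accept replayed against a different outstanding request fails because its Request Authenticator differs.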
Figure 5 Format of attribute 26

HWTACACS

HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for PPP, VPDN, and terminal users.
Figure 6 Basic HWTACACS packet exchange process for a Telnet user (host, HWTACACS client, HWTACACS server):
1) The user tries to log in
2) Start-authentication packet
3) Authentication response requesting the username
4) Request for username
5) The user enters the username
6) Continue-authentication packet with the username
7) Authentication response requesting the password
8) Request for password...
The user enters the password. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication. The HWTACACS client sends a user authorization request packet to the HWTACACS server.
AAA methods

AAA supports configuring different authentication, authorization, and accounting methods for different types of users in an ISP domain. The NAS determines the ISP domain and access type of a user, and uses the methods configured for the access type in the domain to control the user's access. AAA also supports configuring a set of default methods for an ISP domain.
... authorization is enabled, command accounting enables the accounting server to record all authorized commands. For more information about command accounting, see Fundamentals Configuration Guide.
• User role authentication—Authenticates each user who wants to obtain a temporary user role without logging out or getting disconnected. For more information about temporary user role authorization, see Fundamentals Configuration Guide.
... Maximum idle time permitted for the user before termination of the session.
Calling-Station-Id: User identification that the NAS sends to the server. For the LAN access service provided by an HP device, this attribute includes the MAC address of the user in the format HHHH-HHHH-HHHH.
NAS-Identifier: Identification that the NAS uses to identify itself to the RADIUS server.
... Access-Requests. This attribute is present when EAP authentication is used.
NAS-Port-Id: String for describing the port of the NAS that is authenticating the user.

HP proprietary RADIUS sub-attributes

Sub-attribute: Description
Input-Peak-Rate: Peak rate in the direction from the user to the NAS, in bps.
Result_Code: Result of the Trigger-Request or SetPolicy operation, zero for success and any other value for failure.
Connect_ID: Index of the user connection.
Ftp_Directory: FTP user working directory. When the RADIUS client acts as the FTP server, this attribute is used to set the FTP directory for an FTP user on the RADIUS client.
Configure AAA methods for the users' ISP domains. Remote AAA methods need to reference the configured RADIUS and HWTACACS schemes.

Figure 9 AAA configuration procedure

To configure AAA, perform the following tasks:
Tasks at a glance
(Required.) Perform at least one of the following tasks to configure local users or AAA schemes:
• ...
Configuring local users

To implement local authentication, authorization, and accounting, create local users and configure user attributes on the device. The local users and attributes are stored in the local user database on the device. A local user is uniquely identified by the combination of a username and a user type. The device only supports device management users who log in to the device for device management.
Configuring local user attributes

Follow these guidelines when you configure local user attributes:
• When you use the password-control enable command to globally enable the password control feature, local user passwords are not displayed.
• The authentication mode of user interfaces is set by the authentication-mode command in user line ...
Command: authorization-attribute { acl ...
Remarks: The following default settings apply:
• No authorization ACL, idle timeout period, or authorized VLAN is configured for local users.
• FTP, SFTP, or SCP users are authorized access to the root directory of the device, but they do not have the access permission.
implement centralized user attributes management for the local users in the group. Local user attributes that are manageable include authorization attributes. By default, every new local user belongs to the default user group system and has all attributes of the group.
Configuring RADIUS schemes

A RADIUS scheme specifies the RADIUS servers that the device can work with and defines a set of parameters that the device uses to exchange information with the RADIUS servers, including the IP addresses of the servers, UDP port numbers, shared keys, and server types.

Configuration task list
Tasks at a glance
(Required.)
To specify RADIUS authentication servers for a RADIUS scheme:
Step: Enter system view. Command: system-view
Step: Enter RADIUS scheme view. Command: radius scheme radius-scheme-name
Step: Specify the primary RADIUS authentication server. Command: primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance ...
Remarks: Configure at least one command. By default, no authentication server ...
Step: Specify the primary RADIUS accounting server. Command: primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *
Remarks: Configure at least one command. By default, no accounting server is specified.
Step: Specify RADIUS accounting ... Two accounting servers in a ...
Step: Specify a VPN for the RADIUS scheme. Command: vpn-instance vpn-instance-name
Remarks: By default, a RADIUS scheme belongs to the public network.

Setting the username format and traffic statistics units

A username is typically in the format userid@isp-name, where isp-name represents the user's ISP domain name.
Setting the status of RADIUS servers

To control the RADIUS servers with which the device communicates when the current servers are no longer available, set the status of RADIUS servers to blocked or active. You can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers functioning as the backup of the primary servers.
Step: Set the status of the primary RADIUS authentication server. Command: state primary authentication { active | block }
Step: Set the status of the primary RADIUS accounting server. Command: state primary accounting { active | block }
Remarks: Configure at least one command. By default, every server specified in a RADIUS scheme ...
Step: Enter system view. Command: system-view
Step: Enter RADIUS scheme view. Command: radius scheme radius-scheme-name
Step: Specify a source IP address for outgoing RADIUS packets. Command: nas-ip { ipv4-address | ipv6 ...
Remarks: By default, the source IP address specified by the radius nas-ip command in system view is used. If ...
NAS. The security policy server is the management and control center of the HP EAD solution. To implement all EAD functions, configure both the IP address of the security policy server and that of the IMC Platform on the NAS.
Enabling SNMP notifications for RADIUS

When SNMP notifications are enabled for RADIUS, the SNMP agent supports the following notifications generated by RADIUS:
• RADIUS server unreachable notification—The RADIUS server cannot be reached. RADIUS generates this notification if it cannot receive any response to an accounting or authentication request within the specified RADIUS request transmission attempts.
Tasks at a glance
(Optional.) Setting the username format and traffic statistics units
(Optional.) Specifying the source IP address for outgoing HWTACACS packets
(Optional.) Setting HWTACACS timers
(Optional.) Displaying and maintaining HWTACACS

Creating an HWTACACS scheme

Create an HWTACACS scheme before performing any other HWTACACS configurations. You can configure up to 16 HWTACACS schemes.
Specifying the HWTACACS authorization servers You can specify one primary authorization server and up to 16 secondary authorization servers for an HWTACACS scheme. When the primary server is not available, the device tries to communicate with the secondary servers in the order they are configured, and communicates with the first secondary server in active state.
Step: Specify the primary HWTACACS accounting server. Command: primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance ...
Remarks: Configure at least one command. By default, no accounting server is specified.
Setting the username format and traffic statistics units

A username is typically in the format userid@isp-name, where isp-name represents the user's ISP domain name. By default, the ISP domain name is included in a username. However, if HWTACACS servers do not recognize usernames that contain ISP domain names, you can configure the device to remove the domain name from each username to be sent.
Step: Enter system view. Command: system-view
Step: Specify a source IP address for outgoing HWTACACS packets. Command: hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance ...
Remarks: By default, the IP address of the HWTACACS packet outbound interface is used as the source IP ...
If the quiet timer of a server expires, the status of the server changes back to active, but the device does not check the server again during the authentication or accounting process. If no server is found reachable during one search process, the device considers the authentication or accounting attempt a failure.
... authorization, and local accounting. If you do not configure any AAA methods for an ISP domain, the device uses the system-defined AAA methods for users in the domain.

Configuration prerequisites

To use local authentication for users in an ISP domain, configure local user accounts on the device first. See "Configuring local user attributes."...
Step: Enter system view. Command: system-view
Step: Enter ISP domain view. Command: domain isp-name
Step: Place the ISP domain in active or blocked state. Command: state { active | block }
Remarks: By default, an ISP domain is in active state, and users in the domain can request network services.
Step: Specify the authentication method for login users. Command: authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme ...
Remarks: By default, the default authentication method is used for login users.
Step: Specify the authorization method for login users. Command: authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme ...
Remarks: By default, the default authorization method is used for login users.
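The method lists above (for example hwtacacs-scheme, then radius-scheme, then local, then none) combine with the server-status rules described under "Setting the status of RADIUS servers" and the quiet timer in a way that is easy to misread, so the following Python simulation is added here as an example; it is not code from the HP guide. It models the behaviour the guide describes: within a scheme the device tries the primary and then the secondaries in order, skipping servers in blocked state until their quiet timer expires; a server that does not respond is blocked; if no server in the scheme is reachable the attempt moves to the next method in the list; a reject from a reachable server ends the attempt and does not fall through to local. The server names, accounts and the 300-second quiet timer are constructed sample values. The last assertion in the usage note is the security point: a list that ends in none is a fail-open configuration when every remote server is down.

```python
"""AAA login method-list fallback with RADIUS/HWTACACS server states (added example)."""


class Server:
    """A remote AAA server as the scheme tracks it: active or blocked, plus (for
    this simulation only) whether it currently answers at all."""
    def __init__(self, name, reachable=True):
        self.name, self.reachable = name, reachable
        self.state, self.quiet_until = "active", 0.0


class Scheme:
    """A RADIUS or HWTACACS scheme: primary then secondaries in configured order.
    A server that does not answer is blocked for quiet_timer seconds and then
    returns to active without being probed. 'accounts' stands in for the
    server-side user database."""
    def __init__(self, name, servers, accounts, quiet_timer=300):
        self.name, self.servers, self.accounts = name, servers, accounts
        self.quiet_timer = quiet_timer

    def authenticate(self, user, password, now):
        for srv in self.servers:
            if srv.state == "block":
                if now < srv.quiet_until:
                    continue                      # still in the quiet period: skip
                srv.state = "active"              # quiet timer expired
            if not srv.reachable:
                srv.state, srv.quiet_until = "block", now + self.quiet_timer
                continue                          # try the next server in order
            return "accept" if self.accounts.get(user) == password else "reject"
        return "unreachable"                      # no server reachable in this search


class LocalUsers:
    """The local user database; it always answers."""
    name = "local"

    def __init__(self, accounts):
        self.accounts = accounts

    def authenticate(self, user, password, now):
        return "accept" if self.accounts.get(user) == password else "reject"


NONE = "none"   # the 'none' method: no authentication is performed


def aaa_login(methods, user, password, now=0.0):
    """Walk a login method list such as [hwtacacs, radius, local, NONE].
    The next method is used only when the current scheme has no reachable
    server; a reject ends the attempt. Returns (result, deciding method)."""
    for method in methods:
        if method == NONE:
            return "accept", NONE
        result = method.authenticate(user, password, now)
        if result != "unreachable":
            return result, method.name
    return "reject", None                         # everything remote is down and no local/none follows


if __name__ == "__main__":
    hw = Scheme("hwtac", [Server("10.1.1.1", reachable=False)], {"hello": "pw"})
    rad = Scheme("rad", [Server("10.1.1.3")], {"hello": "pw"})
    local = LocalUsers({"admin": "localpw"})
    print(aaa_login([hw, rad, local], "hello", "pw"))        # ('accept', 'rad')
    print(aaa_login([hw, rad, local], "admin", "localpw"))   # ('reject', 'rad'): no fall-through on reject
    print(aaa_login([hw, NONE], "anyone", "anything"))       # ('accept', 'none'): fail open
```

Two consequences worth checking in a real deployment: local accounts in such a domain only ever work while all remote servers are unreachable, and a trailing none accepts any credentials in that same situation.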
Enabling the session-control feature

A RADIUS server running on IMC can use session-control packets to deliver disconnect requests and dynamic authorization change requests. This task enables the device to receive RADIUS session-control packets on UDP port 1812. Because such packets can tear down or re-authorize sessions, restrict which hosts can reach that port to the configured RADIUS servers.

To enable the session-control feature:
Step Command Remarks...
• Set the shared keys for secure HWTACACS communication to expert. (The key expert is an example value; use a long random key in production.)
• Configure the switch to send usernames without domain names to the HWTACACS server.
• Configure the switch to assign the default user role network-operator to SSH users after they pass authentication.

Figure 10 Network diagram

Configuration procedure
Configure the HWTACACS server: ...
Configuration procedure
Configure the HWTACACS server. (Details not shown.)
Configure the RADIUS server. (Details not shown.)
Configure the switch:
# Assign IP addresses to interfaces. (Details not shown.)
# Create local RSA and DSA key pairs.
<Switch> system-view
[Switch] public-key local create rsa
[Switch] public-key local create dsa
# Enable the SSH service.
Verifying the configuration
When the user initiates an SSH connection to the switch and enters the username hello@bbb and the correct password, the user successfully logs in and can use the commands for the network-operator user role.

Authentication and authorization for SSH users by a RADIUS server

Network requirements
As shown in ...
Set the ports for authentication and accounting to 1812 and 1813, respectively.
Select the service type Device Management Service.
Select the access device type HP.
Select the access device from the device list or manually add the access device (with the IP address 10.1.1.2).
Figure 14 Adding an account for device management

Configure the switch:
# Assign an IP address to VLAN-interface 2, the SSH user access interface.
<Switch> system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[Switch-Vlan-interface2] quit
# Assign an IP address to VLAN-interface 3, through which the switch communicates with the server.
# Create a RADIUS scheme.
[Switch] radius scheme rad
# Specify the primary authentication server.
[Switch-radius-rad] primary authentication 10.1.1.1 1812
# Set the shared key for secure communication with the server to expert in plain text.
[Switch-radius-rad] key authentication simple expert
# Include the domain names in usernames sent to the RADIUS server.
• The user is configured on the RADIUS server.
• The correct password is entered.
• The same shared key is configured on both the RADIUS server and the NAS.

RADIUS packet delivery failure

Symptom
RADIUS packets cannot reach the RADIUS server.
Analysis
Possible reasons include:
• ...
Configuring password control

Overview

Password control refers to a set of functions provided by the device to manage login and super password setup, expirations, and updates for device management users, and to control user login status based on predefined policies. Local users are divided into two types: device management users and network access users.
... configures a password, the system checks the complexity of the password. If the password is complexity-incompliant, the configuration will fail. You can apply the following password complexity requirements:
• A password cannot contain the username or the reverse of the username. For example, if the ...
the history records by at least four characters and the four characters must be different from one another. Otherwise, the system will display an error message, and the password will not be changed. You can set the maximum number of history password records for the system to maintain for each user. When the number of history password records exceeds your setting, the most recent record overwrites the earliest one.
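The complexity and history rules above are the kind of policy that is easy to specify and easy to get subtly wrong, so the following Python checker is added as an example; it is not the device's implementation. It enforces minimum length, the username/reversed-username rule, the composition rule (at least type-number character types, each contributing at least type-length characters) and the history rule, and keeps the bounded history where the newest record displaces the oldest. Two readings are assumptions made for this example and are marked in the code: the username check is case-insensitive, and "differ by at least four characters that are different from one another" is read as "at least four distinct characters of the new password that do not occur in the old one". The policy values (24 characters, 4 types, 5 per type) are the ones used in the password control configuration example later in this chapter; the sample passwords are constructed.

```python
"""Password control policy checker (added example, not the device's implementation)."""


def char_types(password: str) -> dict:
    """Count characters per type: uppercase, lowercase, digits, special (anything else)."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for ch in password:
        if ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["special"] += 1
    return counts


def check_password(new, username, history, *, min_length=10, type_number=1,
                   type_length=1, min_diff=4):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    errors = []
    if len(new) < min_length:
        errors.append(f"shorter than {min_length} characters")
    # Assumption for this example: username matching is case-insensitive.
    lowered = new.lower()
    if username and (username.lower() in lowered or username[::-1].lower() in lowered):
        errors.append("contains the username or its reverse")
    # Composition: at least type_number types, each with at least type_length characters.
    qualifying = [t for t, n in char_types(new).items() if n >= type_length]
    if len(qualifying) < type_number:
        errors.append(f"needs {type_number} character types with at least "
                      f"{type_length} characters each (has {len(qualifying)})")
    for old in history:
        if new == old:
            errors.append("matches a recent password")
            break
        # Assumption: "differ by at least four characters, different from one another"
        # read as at least min_diff distinct characters not present in the old password.
        if len(set(new) - set(old)) < min_diff:
            errors.append(f"differs from a recent password by fewer than {min_diff} distinct characters")
            break
    return errors


def record_history(history: list, password: str, max_records: int = 4) -> list:
    """Append to the per-user history; when it exceeds max_records the oldest record is dropped."""
    history.append(password)
    while len(history) > max_records:
        history.pop(0)
    return history


if __name__ == "__main__":
    policy = dict(min_length=24, type_number=4, type_length=5)   # from the guide's example
    history = []
    for candidate in ["ABCDEfghij12345!@#$%WXYZ", "testABCDEfghij12345!@#$%",
                      "ABCDEfghij12345!@#$%WXY9", "ABCDEfghij67890!@#$%WXYZ"]:
        problems = check_password(candidate, "test", history, **policy)
        print(candidate, "OK" if not problems else problems)
        if not problems:
            record_history(history, candidate)
```

The third candidate is rejected even though it satisfies every complexity rule: it differs from the accepted first password only by a single character, which is exactly the change the history rule exists to catch.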
Password control configuration task list

The password control functions can be configured in several different views, and different views support different functions. The settings configured in different views or for different objects have the following application ranges:
• Settings for super passwords apply to only super passwords.
• Settings in local user view apply to only the password of the local user.
Setting global password control parameters The password expiration time, minimum password length, and password composition policy can be configured in system view, user group view, or local user view. The password settings with a smaller application scope have higher priority. Global settings in system view apply to the passwords of the local users in all user groups if you do not configure password policies for these users in both local user view and user group view.
Setting user group password control parameters
Step: Enter system view. Command: system-view
Step: Create a user group and enter user group view. Command: user-group group-name
Remarks: By default, no user group exists. For information about how to configure a user group, see "Configuring AAA."...
Step: Configure the password expiration time for the local user. Command: password-control aging aging-time
Remarks: By default, the setting equals that for the user group to which the local user belongs. If no expiration time is configured for the user group, the global setting applies to the local user.
Step: Configure the password composition policy for super passwords. Command: password-control super composition type-number type-number [ type-length type-length ]
Remarks: By default, a super password must contain at least one character type and at least one character for each type.

Displaying and maintaining password control

Execute display commands in any view and reset commands in user view.
• A super password must contain four character types and at least five characters for each type.
• Configure a password control policy for the local Telnet user test to meet the following requirements:
  • The password must contain at least 24 characters.
  • ...
[Sysname-luser-manage-test] service-type telnet
# Set the minimum password length to 24 for the local user.
[Sysname-luser-manage-test] password-control length 24
# Specify that the password of the local user must contain at least four character types and at least five characters for each type.
[Sysname-luser-manage-test] password-control composition type-number 4 type-length 5
# Set the password for the local user to expire after 20 days.
User group: system
Bind attributes:
Authorization attributes:
  Work directory: flash:
  User role list: network-operator
Password control configurations:
  Password aging: Enabled (20 days)
  Password length: Enabled (24 characters)
  Password composition: Enabled (4 types, 5 characters per type)
Managing public keys

Overview

This chapter describes public key management for the asymmetric key algorithms including the Rivest-Shamir-Adleman Algorithm (RSA), the Digital Signature Algorithm (DSA), and the Elliptic Curve Digital Signature Algorithm (ECDSA). Many security applications, including SSH, SSL, and PKI, use asymmetric key algorithms to secure communications between two parties, as shown in Figure 15.
Table 5 A comparison of different types of asymmetric key algorithms (columns: Type, Number of key pairs, Modulus length, HP recommendation)
• If you specify the key pair name, the command creates a host key pair. The value range is ...
• Exporting a host public key in a specific format to a file (use this method if you can import public keys from a file on the peer device)
• Displaying a host public key in a specific format and saving it to a file (use this method if you can ...
Manually enter (type or copy) the peer public key.
IMPORTANT: If the peer device is an HP device, use the display public-key local public command; when you enter the key displayed by the display public-key local public command, the system saves the key.
Step: Import a peer host public key from a public key file. Command: public-key peer keyname import sshkey filename
Remarks: By default, no peer host public key exists.

Entering a peer public key
Step: Enter system view. Command: system-view
Step: Specify a name for the peer public key and enter public key view. Command: public-key peer keyname ...
Figure 16 Network diagram (Device A, Device B)

Configuration procedure
Configure Device A:
# Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits. (A 1024-bit RSA modulus is below current recommendations; the range shown below allows 2048 bits.)
<DeviceA> system-view
[DeviceA] public-key local create rsa
The range of public key modulus is (512 ~ 2048).
Enter public key view. Return to system view with "peer-public-key end" command.
[DeviceB-pkey-public-key-devicea]30819F300D06092A864886F70D010101050003818D003081
[DeviceB-pkey-public-key-devicea]2818100DA3B90F59237347B
[DeviceB-pkey-public-key-devicea]8D41B58F8143512880139EC9111BFD31EB84B6B7C7A14700
[DeviceB-pkey-public-key-devicea]C8F04A827B30C2CAF79242E
[DeviceB-pkey-public-key-devicea]45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A744
[DeviceB-pkey-public-key-devicea]88EC54A5D31EFAE4F681257
[DeviceB-pkey-public-key-devicea]6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F
[DeviceB-pkey-public-key-devicea]B1F2D561BF66EA27DFD4788
[DeviceB-pkey-public-key-devicea]CB47440AF6BB25ACA50203010001
# Save the public key and return to system view.
[DeviceB-pkey-public-key-devicea] peer-public-key end

Verifying the configuration
# Verify that the key is the same as on Device A.
[DeviceB] display public-key peer name devicea
=============================================
Key name: devicea
# Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits.
<DeviceA> system-view
[DeviceA] public-key local create rsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
# Use FTP in binary mode to get the public key file devicea.pub from Device A.
<DeviceB> ftp 10.1.1.1
Connected to 10.1.1.1 (10.1.1.1).
220 FTP service ready.
User(10.1.1.1:(none)):ftp
331 Password required for ftp.
Password:
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity. HP's PKI system provides certificate management for SSL.

PKI terminology

Digital certificate
A digital certificate is a document signed by a certificate authority (CA).
(CPS). You can obtain a CA policy through out-of-band means such as phone, disk, and email. Make sure you understand the CA policy before you select a trusted CA for certificate request because different CAs might use different policies.

PKI architecture

A PKI system consists of PKI entities, CAs, RAs and a certificate/CRL repository, as shown in Figure 18.

Figure 18 PKI architecture
The RA verifies the identity of the entity and sends a digital signature containing the identity information and the public key to the CA. The CA verifies the digital signature, approves the request, and issues a certificate. After receiving the certificate from the CA, the RA sends the certificate to the LDAP server or other certificate repositories to provide directory navigation services, and notifies the PKI entity that the certificate is successfully issued.
Step: Set a common name for the entity. Command: common-name common-name-string. Remarks: By default, the common name is not set.
Step: Set the country code of the entity. Command: country country-code-string. Remarks: By default, the country code is not set.
Step: Set the locality of the entity. Command: locality locality-name. Remarks: By default, the locality is not set.
Step: Specify the trusted CA. Command: ca identifier name
Remarks: By default, no trusted CA is specified. To obtain a CA certificate, the trusted CA name must be provided. The trusted CA name is in SCEP messages, and the CA server does not use this name unless the server has two CAs configured with the same registration server.
Step: Specify the key pair for ... Command (use either):
• Specify an RSA key pair: public-key rsa { { encryption name encryption-key-name [ length key-length ] | signature name signature-key-name [ length key-length ] } * | general name ...
Remarks: By default, no key pair is specified. You can specify a non-existing key pair, which is generated during the ...
• Online mode—A certificate request can be automatically or manually submitted. The following sections describe the online request mode.

Configuring automatic certificate request

IMPORTANT: If an automatically requested certificate will soon expire or has expired, the entity does not initiate a re-request to the CA automatically, and the applications using the certificate might be interrupted.
Before you manually submit a certificate request, make sure the CA certificate exists and a key pair is specified for the PKI domain:
• The CA certificate is used to verify the authenticity and validity of the obtained local certificate.
• The key pair is used for certificate request.
To abort a certificate request:
Step: Enter system view. Command: system-view
Step: Abort a certificate request. Command: pki abort-certificate-request domain domain-name. Remarks: This command is not saved in the configuration file.

Obtaining certificates

You can obtain the CA certificate, local certificates, and peer certificates related to a PKI domain from a CA and save them locally for higher lookup efficiency.
Configuration procedure
To obtain certificates:
Step | Command | Remarks
Enter system view. | system-view
Import or obtain certificates. | • Import certificates in offline mode: pki import domain domain-name { der { ca | local | peer } filename filename | p12 local filename filename | pem { ca | local | peer } [ filename filename ] } | The pki retrieve-certificate ...
Step | Command | Remarks
(Optional.) Obtain the CRL and save it locally. | pki retrieve-crl domain domain-name | The newly obtained CRL overwrites the old one, if any. The obtained CRL must be issued by a CA certificate in the CA certificate chain in the current domain.
Verify the validity of the certificates. | pki validate-certificate domain ...
Task | Command | Remarks
Specify the storage path for the certificates and CRLs. | pki storage { certificates | crls } dir-path | By default, the storage path for the certificates and CRLs is the PKI directory on the storage media of the device. For a distributed device, you must specify a path on the current MPU rather than on other MPUs.
Use public-key local destroy to destroy the existing local key pair. Use public-key local create to generate a new key pair. Request a new certificate.
To remove a certificate:
Step | Command | Remarks
Enter system view. | system-view
Remove a certificate. | pki delete-certificate domain domain-name { ca | ... | If no serial number is specified, the command ...
Step | Command | Remarks
Return to system view. | quit
Create a certificate access control policy and enter its view. | pki certificate access-control-policy policy-name | By default, no certificate access control policy exists.
By default, no statement is configured, and all certificates can pass the verification.
Figure 20 Network diagram
Configuring the CA server
Create a CA server named myca. In this example, you must configure these basic attributes on the CA server:
• Nickname—Name of the trusted CA.
• Subject DN—DN attributes of the CA, including the common name (CN), organization unit (OU), organization (O), and country (C).
# Specify the RSA key pair with the purpose general, the name abc, and the length 1024 bits.
[Device-pki-domain-torsa] public-key rsa general name abc length 1024
[Device-pki-domain-torsa] quit
# Generate a local RSA key pair.
[Device] public-key local create rsa name abc
The range of public key size is (512 ~ 2048).
The 1024-bit length is the example value only. Use the largest modulus the platform accepts (2048 bits); 512-bit and 1024-bit RSA keys are no longer considered adequate for certificates.
Install the SCEP add-on: Windows Server 2003 does not support SCEP by default. Install the SCEP add-on on the server so that the device can automatically register with the server and obtain its certificate. After the SCEP add-on installation completes, a URL is displayed. Configure this URL on the device as the URL of the registration server for certificate request.
[Device-pki-domain-winserver] quit
# Generate an RSA local key pair.
[Device] public-key local create rsa name abc
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
Configuring the device Synchronize the system time of the device with the CA server, so that the device can correctly request a certificate. Create an entity named aaa with the common name as rnd, the country code as CN, the organization name as test, and the unit name as software.
[Device] pki request-certificate domain openca
Start to request the general certificate ...
...
Request certificate of domain openca successfully
Verifying the configuration
# After obtaining the local certificate, display information about the certificate.
[Device] display pki certificate domain openca local
Certificate:
  Data:
    Version: 3 (0x2)
      keyid:85:EB:D5:F7:C9:97:2F:4B:7A:6D:DD:1B:4D:DD:00:EE:53:CF:FD:5B
    X509v3 Issuer Alternative Name:
      DNS:root@docm.com, DNS:, IP Address:192.168.154.145, IP Address:192.168.154.138
    Authority Information Access:
      CA Issuers - URI:http://192.168.222.218/pki/pub/cacert/cacert.crt
      OCSP - URI:http://192.168.222.218:2560/
      1.3.6.1.5.5.7.48.12 - URI:http://192.168.222.218:830/
    X509v3 CRL Distribution Points:
      Full Name:
        URI:http://192.168.222.218/pki/pub/crl/cacrl.crl
  Signature Algorithm: sha256WithRSAEncryption
    5c:4c:ba:d0:a1:35:79:e6:e5:98:69:91:f6:66:2a:4f:7f:8b:
    0e:80:de:79:45:b9:d9:12:5e:13:28:17:36:42:d5:ae:fc:4e:
    ba:b9:61:f1:0a:76:42:e7:a6:34:43:3e:2d:02:5e:c7:32:f7:
    6b:64:bb:2d:f5:10:6c:68:4d:e7:69:f7:47:25:f5:dc:97:af:
    ae:33:40:44:f3:ab:e4:5a:a0:06:8f:af:22:a9:05:74:43:b6:
    e4:96:a5:d4:52:32:c2:a8:53:37:58:c7:2f:75:cf:3e:8e:ed:
    46:c9:5a:24:b1:f5:51:1d:0f:5a:07:e6:15:7a:02:31:05:8c:
    03:72:52:7c:ff:28:37:1e:7e:14:97:80:0b:4e:b9:51:2d:50:
    98:f2:e4:5a:60:be:25:06:f6:ea:7c:aa:df:7b:8d:59:79:57:...
Figure 23 Network diagram
Configuration procedure
Export the certificate on Device A to specified files:
# Export the CA certificate to a file named pkicachain.pem in PEM format.
<DeviceA> system-view
[DeviceA] pki export domain exportdomain pem ca filename pkicachain.pem
# Export the local certificate to a file named pkilocal.pem in PEM format, and use 3DES_CBC to encrypt the private key with the password 111111.
The password 111111 is an example value only. An exported file contains the private key; protect it with a strong passphrase and handle the file as a secret.
Failed to obtain the CA certificate
Symptom
The CA certificate cannot be obtained.
Analysis
• The network connection is down because, for example, the network cable is damaged or the connectors have bad contact.
• No trusted CA is specified.
• The URL of the registration server is not correct or not specified.
Configure the correct LDAP server.
Specify the key pair used for certificate request in the PKI domain, generate the proper key pair, and make sure it matches the local certificate to be obtained.
Reference the proper PKI entity in the PKI domain, and correctly configure the PKI entity.
Obtain CRLs.
Failed to obtain CRLs
Symptom
CRLs cannot be obtained.
Analysis
• The network connection is down because, for example, the network cable is damaged or the connectors have bad contact.
• No CA certificate has been obtained before you try to obtain CRLs.
• ...
Failed to import a local certificate
Symptom
A local certificate cannot be imported.
Analysis
• The PKI domain has no CA certificate, and the certificate file to be imported does not contain the CA certificate chain.
• CRL checking is enabled, but CRLs do not exist locally or CRLs cannot be obtained.
• ...
Failed to set the storage path
Symptom
The storage path for certificates or CRLs cannot be set.
Analysis
• The specified storage path does not exist.
• The specified storage path is illegal.
• The disk space is full.
Solution
Use mkdir to create the path.
Configuring SSH Overview Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. Adopting the typical client/server model, SSH can establish a channel to protect data transfer based on TCP. SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible.
CLI. The text pasted at one time must be no more than 2000 bytes. Interaction HP recommends that you paste commands in the same view. Otherwise, the server might not be able to correctly execute the commands. To execute commands of more than 2000 bytes, save the commands in a configuration file, upload it to the server through SFTP, and use it to restart the server.
• Password-publickey authentication—The server requires SSH2 clients to pass both password authentication and publickey authentication. However, an SSH1 client only needs to pass either authentication, regardless of the requirement of the server.
• Any authentication—The server requires clients to pass either password authentication or publickey authentication.
Configuration guidelines
• SSH supports locally generated DSA and RSA key pairs with default names rather than with specified names. For more information about the commands that are used to generate keys, see Security Command Reference.
• The public-key local create rsa command generates a server key pair and a host key pair for RSA. SSH1 uses the public key in the server key pair of the SSH server to encrypt the session key before transmitting the session key.
PKCS format. HP recommends that you configure no more than 20 SSH client host public keys on an SSH server. To manually configure a client's host public key:...
Step | Command | Remarks
Enter system view. | system-view
Enter public key view. | public-key peer keyname
Configure a client's host public key. | Enter the content of the host public key. | When you enter the contents for a host public key, you can use spaces and carriage returns between characters. When you save the host public key, spaces ...
• If the authentication method is password, the user role is authorized by the remote AAA server or the local device.
• If the authentication method is publickey or password-publickey, the user role is specified by the authorization-attribute command in the associated local user view.
• If you change the authentication method or public key for an SSH user that has been logged in, the ...
• Maximum number of concurrent online SSH users. When the number of online SSH users reaches the upper limit, the system refuses new SSH connection requests.
To set the SSH management parameters:
Step | Command | Remarks
Enter system view. | system-view
Enable the SSH server to support SSH1 clients. | ssh server compatible-ssh1x | By default, the SSH server supports ...
Leave SSH1 compatibility disabled unless a legacy client requires it. As noted above, an SSH1 client satisfies a password-publickey requirement with only one of the two methods, so enabling SSH1 weakens the authentication policy for every user on the server.
Stelnet clients in the authentication service, HP recommends that you specify a loopback interface as the source interface. To specify a source IP address or source interface for the Stelnet client:...
SFTP clients in the authentication service, HP recommends that you specify a loopback interface as the source interface. To specify a source IP address or source interface for the SFTP client:...
Working with SFTP files
Task | Command | Remarks
Change the name of a file on the SFTP server. | rename old-name new-name | Available in SFTP client view.
Download a file from the remote server and save it locally. | get remote-file [ local-file ] | Available in SFTP client view.
When an SCP client accesses an SCP server, it uses the locally saved host public key of the server to authenticate the server. When acting as an SCP client, the device supports first authentication by default. When the device accesses an SCP server for the first time and is not configured with the host public key of that server, it can still access the server and locally save the server's host public key for future use.
First authentication accepts whatever host key the server presents on that first connection, so an attacker on the path at that moment can have a forged key saved and trusted afterwards. Where the server's host public key can be obtained out of band, configure it on the client in advance instead of relying on first authentication.
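The "first authentication" behaviour described above (and the same prompt the Stelnet and SFTP clients show) is a trust-on-first-use check. The following is an added Python example, not HP code, that models it: an unknown server is accepted and its key saved only when first authentication is enabled, a pre-configured key is honoured, and a changed key on a known server is rejected. The key bytes and the SHA-256 fingerprint form are assumptions for the demo.

```python
"""Trust-on-first-use handling of an SSH server host key, modelled on the
device's 'first authentication' for its Stelnet/SFTP/SCP clients.
Added example, not HP code; keys are arbitrary bytes standing in for real ones."""
import hashlib


class HostKeyStore:
    """Locally saved server host public keys, keyed by server address."""

    def __init__(self, first_authentication: bool = True):
        # True mirrors the device default: an unknown server is accepted and
        # its key saved. False accepts only keys configured with pin().
        self.first_authentication = first_authentication
        self._fingerprints = {}

    @staticmethod
    def fingerprint(host_key: bytes) -> str:
        """SHA-256 over the raw key, the form usually shown to operators."""
        return "SHA256:" + hashlib.sha256(host_key).hexdigest()

    def pin(self, server: str, host_key: bytes) -> None:
        """Pre-configure a server's key obtained out of band
        (the 'public-key peer' path in the guide)."""
        self._fingerprints[server] = self.fingerprint(host_key)

    def check(self, server: str, presented_key: bytes) -> str:
        """Decide whether to trust the key a server presents on connect.

        Returns 'accept' (matches the saved key), 'accept-and-save' (first
        contact with first authentication enabled) or a 'reject: ...' reason."""
        presented = self.fingerprint(presented_key)
        saved = self._fingerprints.get(server)
        if saved is None:
            if not self.first_authentication:
                return "reject: no host key configured for this server"
            self._fingerprints[server] = presented
            return "accept-and-save"
        if saved == presented:
            return "accept"
        # A changed key on a known server is what an on-path attacker (or a
        # legitimately re-keyed server) looks like; never overwrite silently.
        return "reject: host key mismatch, possible man-in-the-middle"


if __name__ == "__main__":
    store = HostKeyStore()
    real_key = b"ssh-rsa AAAAB3...example-server-key"   # constructed sample
    forged_key = b"ssh-rsa AAAAB3...attacker-key"       # constructed sample
    print(store.check("192.168.0.1", real_key))     # first contact: saved
    print(store.check("192.168.0.1", real_key))     # same key: accepted
    print(store.check("192.168.0.1", forged_key))   # different key: rejected
```

Answering N to "Do you want to save the server public key?" corresponds to never reaching the saved state, so every later connection is as unverified as the first one.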
Task | Command
Display SSH user information on the SSH server. | display ssh user-information [ username ]
Display the public keys of the local key pairs. | display public-key local { dsa | rsa } public [ name publickey-name ]
Display the public keys of the SSH peers. | display public-key peer [ brief | name publickey-name ]
Stelnet configuration examples
Password authentication enabled Stelnet server configuration...
Input the modulus length [default = 1024]:
Generating Keys...
++++++++++++++++++++++++++++++++++++++++++++++++++*
..+..+..+........+ ...+....+..+...+.
Create the key pair successfully.
# Enable the SSH server function.
[Switch] ssh server enable
# Assign an IP address to VLAN-interface 2. The Stelnet client uses this IP address as the destination for SSH connection.
Figure 25 Specifying the host name (or IP address) Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username and password. After entering the username (client001 in this example) and password (aabbcc in this example), you can enter the CLI of the server.
Configuration procedure
In the server configuration, the client's host public key is required. Use the client software to generate RSA key pairs on the client before configuring the Stelnet server. There are different types of Stelnet client software, such as PuTTY and OpenSSH. This example uses a Stelnet client that runs PuTTY version 0.58.
Figure 28 Generating process After the key pair is generated, click Save public key, enter a file name (key.pub in this example), and click Save. Figure 29 Saving a key pair on the client...
Click Save private key to save the private key. A confirmation dialog box appears. Click Yes, enter a file name (private.ppk in this example), and click Save. Transmit the public key file to the server through FTP or TFTP. (Details not shown.) Configure the Stelnet server: # Generate the RSA key pairs.
# Create a local device management user client002 with the service type ssh and the user role network-admin.
[Switch] local-user client002 class manage
[Switch-luser-manage-client002] service-type ssh
[Switch-luser-manage-client002] authorization-attribute user-role network-admin
[Switch-luser-manage-client002] quit
Specify the private key file and establish a connection to the Stelnet server:
Launch PuTTY.exe on the Stelnet client to enter the interface shown in Figure. In the Host Name (or IP address) field, enter the IP address 192.168.1.40 of the Stelnet server.
Figure 31 Specifying the preferred SSH version Select Connection > SSH > Auth from the navigation tree. The window shown in Figure 32 appears. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this example), and click OK.
Figure 32 Specifying the private key file Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username. After entering the username (client002), you can enter the CLI of the server. Password authentication enabled Stelnet client configuration example Network requirements...
[SwitchB] public-key local create rsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
[SwitchA-Vlan-interface2] ip address 192.168.1.56 255.255.255.0
[SwitchA-Vlan-interface2] quit
[SwitchA] quit
You can determine whether to configure the host public key of the server on the client before establishing a connection to the server:
If you do not configure the host public key of the server on the client, select Yes to access the server without authenticating the server, and locally save the host public key of the server.
[SwitchA-pkey-public-key-key1]D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F701F7C62621216D5A572C379A32AC290
[SwitchA-pkey-public-key-key1]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B4658716261214A5A3B493E866991113B2D
[SwitchA-pkey-public-key-key1]485348
[SwitchA-pkey-public-key-key1] peer-public-key end
[SwitchA] quit
# Establish an SSH connection to the server 192.168.1.40 and specify the host public key of the server.
<SwitchA> ssh2 192.168.1.40 publickey key1
Username: client001
client001@192.168.1.40's password:
After you enter the correct password, you successfully log in to Switch B.
Publickey authentication enabled Stelnet client configuration example
Network requirements...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
..+..+..+........+ ...+....+..+...+
Create the key pair successfully.
# Export the DSA host public key to file key.pub.
[SwitchA] public-key local export dsa ssh2 key.pub
[SwitchA] quit
# Transmit the public key file key.pub to the server through FTP or TFTP. (Details not shown.)
Configure the Stelnet server:
# Generate the RSA key pairs.
# Create an SSH user client002 with the authentication method publickey, and assign the public key switchkey to the user.
[SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey switchkey
# Create a local device management user client002 with the service type ssh and the user role network-admin.
......++++++ ....++++++ ..++++++++ ....++++++++
Create the key pair successfully.
# Generate a DSA key pair.
[Switch] public-key local create dsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
Figure 36 SFTP client interface Publickey authentication enabled SFTP client configuration example Network requirements As shown in Figure 37, you can log in to Switch B through the SFTP client that runs on Switch A and are assigned the user role network-admin to execute file management and transfer operations. Switch B acts as the SFTP server and uses publickey authentication and the RSA public key algorithm.
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
...++++++ ....++++++ ..++++++++ ....++++++++
Create the key pair successfully.
[SwitchB] public-key peer switchkey import sshkey pubkey
# Create an SSH user client001 with the service type sftp, authentication method publickey, and public key switchkey.
[SwitchB] ssh user client001 service-type sftp authentication-type publickey assign publickey switchkey
# Create a local device management user client001 with the service type ssh, the user role network-admin, and the working directory flash:/.
# Rename directory new1 to new2 and verify that the directory has been successfully renamed.
sftp> rename new1 new2
sftp> dir -l
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup...
Configuration procedure
Configure the SCP server:
# Generate the RSA key pairs.
<SwitchB> system-view
[SwitchB] public-key local create rsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
[SwitchA-Vlan-interface2] quit
[SwitchA] quit
Connect to the SCP server, download the file remote.bin from the server, and save it locally with the name local.bin.
<SwitchA> scp 192.168.0.1 get remote.bin local.bin
Username: client001
Connected to 192.168.0.1 ...
The Server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
Enter password:
18471 bytes transfered in 0.001 seconds.
Answering Y to the first prompt accepts the server without verifying its host key, and answering N to the second leaves no saved key, so the next connection is equally unverified. Outside a lab, configure the server's host public key on the client beforehand, or at least save it on first contact so that a later key change is detected.
Configuring SSL Overview Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security for TCP-based application layer protocols. SSL has been widely used in applications such as e-business and online banking to provide secure data transmission over the Internet. SSL security mechanism SSL provides the following security services: Privacy—SSL uses a symmetric encryption algorithm to encrypt data and uses an asymmetric key...
Figure 40 SSL protocol stack
The following describes the major functions of SSL protocols:
• SSL record protocol—Fragments data received from the upper layer, computes and adds MAC to the data, and encrypts the data.
• SSL handshake protocol—Negotiates the cipher suite used for secure communication (including the symmetric encryption algorithm, key exchange algorithm, and MAC algorithm), authenticates the server and client, and securely exchanges the key between the server and client.
Step | Command | Remarks
(Optional.) Specify a PKI domain for the SSL server policy. | pki-domain domain-name | By default, no PKI domain is specified for an SSL server policy. If SSL clients authenticate the server through a digital certificate, you must use this command to specify a PKI domain for the SSL server policy.
Step | Command | Remarks
(Optional.) Specify a PKI domain for the SSL client policy. | pki-domain domain-name | By default, no PKI domain is specified for an SSL client policy. If the SSL server authenticates the SSL client through a digital certificate, you must use this command to specify a PKI domain for the SSL client policy.
Configuring IP source guard Overview IP source guard prevents spoofing attacks by using an IP source guard binding table to match legitimate packets. It drops all packets that do not match the table. The IP source guard binding table can include the following binding entries: IP-interface binding entries.
IP source guard uses static IPv4 source guard binding entries on an interface to filter IPv4 packets received by the interface, or cooperates with the ARP detection feature to check user validity. IP source guard uses static IPv6 source guard binding entries on an interface to filter IPv6 packets received by the interface. For more information about ARP detection, see "Configuring ARP attack protection."...
Tasks at a glance (Required.) Enabling IPv6 source guard on an interface (Optional.) Configuring a static IPv6 source guard binding entry Configuring the IPv4 source guard function You cannot configure the IPv4 source guard function on a service loopback interface. If IPv4 source guard is enabled on an interface, you cannot assign the interface to a service loopback group.
Configuring a static IPv4 source guard binding entry Static IPv4 source guard binding entries include global static IPv4 source entries and interface-specific static IPv4 source guard binding entries. A global static IPv4 source guard binding entry defines both the source IP address and source MAC address of packets that can be forwarded, and it takes effect on all interfaces.
Enabling IPv6 source guard on an interface You must first enable the IPv6 source guard function on an interface and use static entries to filter packets. All the fields in a static IPv6 source guard binding entry are used by IP source guard to filter packets. For more information about how to configure a static IPv6 source guard binding entry, see "Configuring a static IPv6 source guard binding...
Step | Command | Remarks
Enter interface view. | interface interface-type interface-number | These types of interfaces are supported: Layer 2 Ethernet port, Layer 3 Ethernet interface, VLAN interface.
Configure a static IPv6 source guard binding entry. | ipv6 source binding { ip-address ipv6-address | ip-address... | By default, no static IPv6 source guard binding entry is configured on an interface. The vlan vlan-id option is supported only in ...
Figure 42 Network diagram
Configuration procedure
Configure Switch A:
# Configure IP addresses for the interfaces. (Details not shown.)
# Enable IPv4 source guard on FortyGigE 1/0/2.
<SwitchA> system-view
[SwitchA] interface fortygige 1/0/2
[SwitchA-FortyGigE1/0/2] ip verify source ip-address mac-address
# On FortyGigE 1/0/2, configure a static IPv4 source guard binding entry for Host C.
[SwitchA-FortyGigE1/0/2] ip source binding ip-address 192.168.0.3 mac-address 0001-0203-0405
[SwitchA-FortyGigE1/0/2] quit
Verifying the configuration
# Display static IPv4 source guard binding entries on Switch A. The output shows that the static IPv4 source guard binding entries are configured successfully.
<SwitchA> display ip source binding static
Total entries found: 2
IP Address | MAC Address | Interface | VLAN | Type...
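What the binding table does once "ip verify source ip-address mac-address" is on an interface is a plain match-or-drop decision. The following is an added Python example, not HP code, that models the filter described in the preceding sections: global entries apply on all interfaces, interface-specific entries only on theirs, an optional VLAN narrows the match, and an interface on which the feature is not enabled passes everything. The Switch A entry for Host C above is reproduced as sample data; the class and field names are this example's own.

```python
"""IP source guard binding-table filtering for IPv4 packets.
Added example, not HP code. Models 'ip verify source' plus 'ip source binding'."""
from dataclasses import dataclass
from typing import Optional


def norm_mac(mac: str) -> str:
    """Canonical form for HP 'xxxx-xxxx-xxxx' and colon notation."""
    return mac.replace("-", "").replace(":", "").lower()


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    interface: Optional[str] = None   # None: global entry, effective on all interfaces
    vlan: Optional[int] = None        # None: any VLAN


@dataclass(frozen=True)
class Packet:
    interface: str
    src_ip: str
    src_mac: str
    vlan: Optional[int] = None


class IpSourceGuard:
    def __init__(self):
        self._checks = {}      # interface -> frozenset of checked fields
        self._bindings = []

    def enable(self, interface: str, ip_address: bool = True, mac_address: bool = False):
        """'ip verify source ip-address [mac-address]' on an interface."""
        fields = {"ip"} if ip_address else set()
        if mac_address:
            fields.add("mac")
        self._checks[interface] = frozenset(fields)

    def add_binding(self, b: Binding):
        """'ip source binding ...' in interface view (interface set) or in
        system view (interface None, a global entry)."""
        self._bindings.append(Binding(b.ip, norm_mac(b.mac), b.interface, b.vlan))

    def permits(self, p: Packet) -> bool:
        checks = self._checks.get(p.interface)
        if checks is None:
            return True            # IP source guard not enabled on this interface
        for b in self._bindings:
            if b.interface is not None and b.interface != p.interface:
                continue
            if b.vlan is not None and b.vlan != p.vlan:
                continue
            if "ip" in checks and b.ip != p.src_ip:
                continue
            if "mac" in checks and b.mac != norm_mac(p.src_mac):
                continue
            return True            # matched an entry: forward
        return False               # no matching entry: drop


def switch_a() -> IpSourceGuard:
    """The Switch A configuration from the example above, as sample data."""
    g = IpSourceGuard()
    g.enable("FortyGigE1/0/2", ip_address=True, mac_address=True)
    g.add_binding(Binding("192.168.0.3", "0001-0203-0405", "FortyGigE1/0/2"))
    return g


if __name__ == "__main__":
    g = switch_a()
    print(g.permits(Packet("FortyGigE1/0/2", "192.168.0.3", "0001-0203-0405")))  # Host C
    print(g.permits(Packet("FortyGigE1/0/2", "192.168.0.3", "0001-0203-ffff")))  # MAC spoof
```

Because a non-matching packet is dropped rather than merely logged, an interface with the feature enabled and no entry for a legitimate host silently cuts that host off; the "display ip source binding static" check above is the first thing to look at in that case.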
# Configure FortyGigE 1/0/2 as a trusted interface.
[Switch] interface fortygige 1/0/2
[Switch-FortyGigE1/0/2] dhcp snooping trust
[Switch-FortyGigE1/0/2] quit
Enable IPv4 source guard on FortyGigE 1/0/1 to filter packets based on both the source IP address and the MAC address. Enable recording of client information in DHCP snooping entries on this interface:
[Switch] interface fortygige 1/0/1
[Switch-FortyGigE1/0/1] ip verify source ip-address mac-address
Configuring ARP attack protection ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks. Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
• ARP source suppression—If the attack packets have the same source address, you can enable the ARP source suppression function, and set the maximum number of unresolvable IP packets that the device can receive from a host within 5 seconds. If the threshold is reached, the device stops resolving packets from the host until the 5 seconds elapse.
Figure 46 Network diagram
Configuration considerations
If the attack packets have the same source address, configure the ARP source suppression function as follows:
• Enable ARP source suppression.
• Set the threshold to 100. If the number of unresolvable IP packets received from a host within 5 seconds exceeds 100, the device stops resolving packets from the host until the 5 seconds elapse.
Configuration guidelines Configure this feature when ARP detection is enabled, or when ARP flood attacks are detected. Configuration procedure This task sets a rate limit for ARP packets received on an interface. When the receiving rate of ARP packets on the interface exceeds the rate limit, those packets are discarded. You can enable sending notifications to the SNMP module or enable logging for ARP packet rate limit.
Configuring source MAC-based ARP attack detection This feature checks the number of ARP packets received from the same MAC address within 5 seconds against a specific threshold. If the threshold is exceeded, the device adds the MAC address in an ARP attack entry.
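ARP source suppression (above, counting unresolvable IP packets per source host) and source MAC-based ARP attack detection (this section, counting ARP packets per source MAC) are the same mechanism applied to different keys: a per-source counter over a 5-second window with a threshold. The following is an added Python example, not HP code, showing both on constructed timestamps. Fixed 5-second buckets, the attack-entry aging time and the class names are this example's assumptions; the exclude list mirrors the "arp source-mac exclude-mac" command used in the configuration example that follows.

```python
"""Windowed per-source counters behind ARP source suppression and
source MAC-based ARP attack detection. Added example, not HP code."""
from collections import defaultdict

WINDOW_SECONDS = 5


class BucketCounter:
    """Counts events per key inside fixed windows of `window` seconds."""

    def __init__(self, window: float = WINDOW_SECONDS):
        self.window = window
        self._counts = defaultdict(int)   # (key, bucket index) -> count

    def add(self, key, now: float) -> int:
        bucket = int(now // self.window)
        # Forget buckets older than the previous one so memory stays bounded.
        for old in [k for k in self._counts if k[1] < bucket - 1]:
            del self._counts[old]
        self._counts[(key, bucket)] += 1
        return self._counts[(key, bucket)]


class ArpSourceSuppression:
    """'arp source-suppression limit <threshold>' for one device."""

    def __init__(self, threshold: int = 100, window: float = WINDOW_SECONDS):
        self.threshold = threshold
        self._counter = BucketCounter(window)

    def unresolvable_packet(self, src_ip: str, now: float) -> str:
        """Called for each IP packet whose next hop has no ARP entry.
        'resolve': send an ARP request; 'suppressed': stop resolving for
        this host until the current 5-second window elapses."""
        if self._counter.add(src_ip, now) > self.threshold:
            return "suppressed"
        return "resolve"


def _norm(mac: str) -> str:
    return mac.replace("-", "").replace(":", "").lower()


class SourceMacArpDetection:
    """'arp source-mac { filter | monitor }' with a threshold and exclude list."""

    def __init__(self, threshold: int, mode: str = "filter", exclude=(),
                 aging: float = 300.0, window: float = WINDOW_SECONDS):
        if mode not in ("filter", "monitor"):
            raise ValueError("mode must be 'filter' or 'monitor'")
        self.threshold, self.mode, self.aging = threshold, mode, aging
        self.exclude = {_norm(m) for m in exclude}
        self.attack_entries = {}   # normalised source MAC -> time entry was created
        self._counter = BucketCounter(window)

    def arp_packet(self, src_mac: str, now: float) -> str:
        """'forward', 'drop' (filter mode) or 'monitor' (logged, still forwarded)."""
        key = _norm(src_mac)
        if key in self.exclude:
            return "forward"       # excluded MACs (e.g. the gateway) are never checked
        created = self.attack_entries.get(key)
        if created is not None and now - created >= self.aging:
            del self.attack_entries[key]   # entry aged out (aging time is an assumption)
            created = None
        if created is None and self._counter.add(key, now) > self.threshold:
            self.attack_entries[key] = now
            created = now
        if created is None:
            return "forward"
        return "drop" if self.mode == "filter" else "monitor"


if __name__ == "__main__":
    det = SourceMacArpDetection(threshold=30, exclude=["0012-3f86-e94c"])
    # Constructed burst: 31 ARP packets from one MAC inside 3.1 seconds.
    verdicts = [det.arp_packet("000f-e2aa-0001", 0.1 * i) for i in range(31)]
    print(verdicts[-2], verdicts[-1], sorted(det.attack_entries))
```

In filter mode the 31st packet in the window is dropped and the MAC is recorded as an attack entry; in monitor mode the same packet is only logged. Put the gateway's own MAC on the exclude list before enabling filter mode, as the configuration example does, or a busy gateway can be filtered along with the attacker.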
Configuration example Network requirements As shown in Figure 47, the hosts access the Internet through a gateway (Device). If malicious users send a large number of ARP requests to the gateway, the gateway might crash and cannot process requests from the clients. To solve this problem, configure source MAC-based ARP attack detection on the gateway.
[Device] arp source-mac exclude-mac 0012-3f86-e94c
Configuring ARP packet source MAC consistency check
This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body, so that the gateway can learn correct ARP entries.
Configuring user validity check Upon receiving an ARP packet from an ARP untrusted interface, the device compares the sender IP and MAC addresses against the static IP source guard binding entries and the DHCP snooping entries. If a match is found from those entries, the ARP packet is considered valid and is forwarded. If no match is found, the ARP packet is considered invalid and is discarded.
• ip—Checks the sender and target IP addresses of ARP replies, and the sender IP address of ARP requests. All-one or multicast IP addresses are considered invalid and the corresponding packets are discarded.
To configure ARP packet validity check:
Step | Command | Remarks
Enter system view. | system-view
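The three checks described in the preceding sections (source MAC consistency, user validity against binding entries, and the src-mac/dst-mac/ip validity checks) all operate on the same fields of an ARP frame. The following is an added Python example, not HP code, that parses a raw Ethernet/ARP frame and applies them. The ip rule is taken from the text above; the src-mac and dst-mac rules (sender MAC versus Ethernet source MAC, and for replies a target MAC that is all-zero, all-one or different from the Ethernet destination) are this example's reading of the command reference and should be treated as an assumption. The frames are constructed for the demo; the binding reuses the Host C entry from the IP source guard example.

```python
"""ARP frame checks on an ARP untrusted interface. Added example, not HP code."""
import ipaddress
import struct
from dataclasses import dataclass

ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
ZERO_MAC, BROADCAST_MAC = b"\x00" * 6, b"\xff" * 6


def mac(text: str) -> bytes:
    """Parse HP 'xxxx-xxxx-xxxx' or colon notation into 6 raw bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


@dataclass
class ArpFrame:
    eth_dst: bytes
    eth_src: bytes
    oper: int
    sha: bytes   # sender hardware (MAC) address in the ARP body
    spa: str     # sender IP address
    tha: bytes   # target hardware address
    tpa: str     # target IP address


def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    return ETH.pack(eth_dst, eth_src, ETHERTYPE_ARP) + ARP.pack(
        1, 0x0800, 6, 4, oper, sha, ipaddress.IPv4Address(spa).packed,
        tha, ipaddress.IPv4Address(tpa).packed)


def parse_arp(frame: bytes) -> ArpFrame:
    eth_dst, eth_src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol encoding")
    return ArpFrame(eth_dst, eth_src, oper, sha, str(ipaddress.IPv4Address(spa)),
                    tha, str(ipaddress.IPv4Address(tpa)))


def _invalid_ip(ip: str) -> bool:
    addr = ipaddress.IPv4Address(ip)
    return addr == ipaddress.IPv4Address("255.255.255.255") or addr.is_multicast


def source_mac_consistent(f: ArpFrame) -> bool:
    """Source MAC consistency check: Ethernet source MAC equals ARP sender MAC."""
    return f.eth_src == f.sha


def validity_check(f: ArpFrame, checks=("src-mac", "dst-mac", "ip")) -> list:
    """ARP packet validity check; returns the names of the failed checks."""
    failed = []
    if "src-mac" in checks and f.sha != f.eth_src:
        failed.append("src-mac")
    if "dst-mac" in checks and f.oper == ARP_REPLY and (
            f.tha in (ZERO_MAC, BROADCAST_MAC) or f.tha != f.eth_dst):
        failed.append("dst-mac")
    if "ip" in checks and (_invalid_ip(f.spa) or (f.oper == ARP_REPLY and _invalid_ip(f.tpa))):
        failed.append("ip")
    return failed


def user_valid(f: ArpFrame, bindings) -> bool:
    """User validity check: sender IP/MAC must match a static IP source guard
    binding or a DHCP snooping entry; `bindings` is a set of (ip, raw mac)."""
    return (f.spa, f.sha) in bindings


def sample_frames() -> dict:
    """Constructed frames for the demo (not captured traffic)."""
    host_c, gateway = mac("0001-0203-0405"), mac("000f-e349-1233")
    return {
        "good_request": build_arp(BROADCAST_MAC, host_c, ARP_REQUEST,
                                  host_c, "192.168.0.3", ZERO_MAC, "192.168.0.1"),
        "spoofed_reply": build_arp(gateway, host_c, ARP_REPLY,
                                   mac("0000-1111-2222"), "192.168.0.1", gateway, "192.168.0.10"),
        "bad_ip_reply": build_arp(gateway, host_c, ARP_REPLY,
                                  host_c, "192.168.0.3", gateway, "255.255.255.255"),
    }


BINDINGS = {("192.168.0.3", mac("0001-0203-0405"))}   # the Switch A static entry
```

The spoofed reply fails the src-mac check and the consistency check because its ARP sender MAC differs from the Ethernet source, and it fails the user validity check because no binding pairs 192.168.0.1 with that MAC; the reply with target IP 255.255.255.255 fails only the ip check.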
• To delete a specific static ARP entry converted from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command.
• Use the reset arp all command to delete all ARP entries or the reset arp static command to delete all static ARP entries.
Configuration procedure
To configure ARP automatic scanning and fixed ARP:
Step...
Step | Command | Remarks
Enable ARP gateway protection for the specified gateway. | arp filter source ip-address | By default, ARP gateway protection is disabled.
Configuration example
Network requirements
As shown in Figure 49, Host B launches gateway spoofing attacks to Switch B. As a result, traffic that Switch B intends to send to Switch A is sent to Host B.
Configuration guidelines
When you configure ARP filtering, follow these guidelines:
• You can configure a maximum of eight permitted entries on an interface.
• Do not configure both the arp filter source and arp filter binding commands on an interface.
• If ARP filtering operates with ARP detection, ARP filtering applies first.
Configuration procedure
# Configure ARP filtering on Switch B.
<SwitchB> system-view
[SwitchB] interface fortygige 1/0/1
[SwitchB-FortyGigE1/0/1] arp filter binding 10.1.1.2 000f-e349-1233
[SwitchB-FortyGigE1/0/1] quit
[SwitchB] interface fortygige 1/0/2
[SwitchB-FortyGigE1/0/2] arp filter binding 10.1.1.3 000f-e349-1234
After the configuration is complete, FortyGigE 1/0/1 permits ARP packets from Host A, and discards other ARP packets.
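The ARP gateway protection and ARP filtering sections above describe two per-interface rules with the constraints listed in the configuration guidelines. The following is an added Python example, not HP code, that enforces them: "arp filter binding" permits only the listed sender IP/MAC pairs on an interface (at most eight), "arp filter source" drops ARP packets whose sender IP is a protected gateway address, and the two cannot be combined on one interface. The Switch B bindings above are reproduced as sample data; the gateway address 10.1.1.1 and the class names are this example's assumptions.

```python
"""ARP filtering and ARP gateway protection per interface. Added example, not HP code."""


def norm_mac(mac: str) -> str:
    """Canonical form for HP 'xxxx-xxxx-xxxx' and colon notation."""
    return mac.replace("-", "").replace(":", "").lower()


class ArpFilter:
    MAX_BINDINGS = 8   # per-interface limit from the configuration guidelines

    def __init__(self):
        self._bindings = {}   # interface -> set of (sender_ip, sender_mac)
        self._gateways = {}   # interface -> set of protected gateway IPs

    def add_binding(self, interface: str, ip: str, mac: str) -> None:
        """'arp filter binding <ip> <mac>' in interface view."""
        if interface in self._gateways:
            raise ValueError("arp filter source and arp filter binding cannot share an interface")
        entries = self._bindings.setdefault(interface, set())
        entry = (ip, norm_mac(mac))
        if entry not in entries and len(entries) >= self.MAX_BINDINGS:
            raise ValueError(f"at most {self.MAX_BINDINGS} permitted entries per interface")
        entries.add(entry)

    def add_gateway(self, interface: str, gateway_ip: str) -> None:
        """'arp filter source <gateway-ip>' in interface view."""
        if interface in self._bindings:
            raise ValueError("arp filter source and arp filter binding cannot share an interface")
        self._gateways.setdefault(interface, set()).add(gateway_ip)

    def permits(self, interface: str, sender_ip: str, sender_mac: str) -> bool:
        """Apply ARP filtering before any other ARP check on the interface."""
        if interface in self._gateways:
            # A host claiming the gateway's IP is a gateway spoofing attempt.
            return sender_ip not in self._gateways[interface]
        if interface in self._bindings:
            return (sender_ip, norm_mac(sender_mac)) in self._bindings[interface]
        return True   # no ARP filtering configured on this interface


def switch_b() -> ArpFilter:
    """Switch B from the ARP filtering example, plus an assumed gateway-protected
    uplink on FortyGigE1/0/3 for 10.1.1.1."""
    f = ArpFilter()
    f.add_binding("FortyGigE1/0/1", "10.1.1.2", "000f-e349-1233")   # Host A
    f.add_binding("FortyGigE1/0/2", "10.1.1.3", "000f-e349-1234")   # Host B
    f.add_gateway("FortyGigE1/0/3", "10.1.1.1")                     # assumption
    return f


if __name__ == "__main__":
    f = switch_b()
    print(f.permits("FortyGigE1/0/1", "10.1.1.2", "000f-e349-1233"))   # Host A: permitted
    print(f.permits("FortyGigE1/0/1", "10.1.1.3", "000f-e349-1234"))   # Host B's pair on 1/0/1: dropped
    print(f.permits("FortyGigE1/0/3", "10.1.1.1", "000f-e349-1234"))   # gateway spoof: dropped
```

Gateway protection only blocks claims to the gateway address; it does not validate other sender pairs, which is why the guide keeps it separate from the binding list and forbids mixing the two on one interface.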
Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. •...
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention | Description
Boldface | Bold text represents commands and keywords that you enter literally as shown.
Italic | Italic text represents arguments that you replace with actual values.
[ ] | Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... } | Braces enclose a set of required syntax choices separated by vertical bars, from which ...
Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.