
HP MSR2000/3000/4000 Router Series
Security
Configuration Guide (V7)
Part number: 5998-3996
Software version: CMW710-R0007P02
Document version: 6PW100-20130927


Summary of Contents for HP MSR2000

  • Page 1 HP MSR2000/3000/4000 Router Series Security Configuration Guide (V7) Part number: 5998-3996 Software version: CMW710-R0007P02 Document version: 6PW100-20130927...
  • Page 2 The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
  • Page 3: Table Of Contents

    Contents: Configuring AAA (1); Overview (1); RADIUS (2); HWTACACS (7); AAA implementation on the device (9); AAA for MPLS L3VPNs (11); Protocols and standards (11); RADIUS attributes (12) ...
  • Page 4 EAP relay (55); EAP termination (57); Configuring 802.1X (59); HP implementation of 802.1X (59); Configuration prerequisites (59); 802.1X configuration task list (59); Enabling 802.1X (60) ...
  • Page 5 Password updating and expiration (79); User login control (80); Password not displayed in any form (80); Logging (80); FIPS compliance (81); Password control configuration task list (81); Enabling password control (81) ...
  • Page 6 Exporting certificates (111); Removing a certificate (112); Configuring a certificate access control policy (112); Displaying and maintaining PKI (113); PKI configuration examples (113); Certificate request from an RSA Keon CA server (114) ...
  • Page 7 Configuring IKE (179); Overview (179); IKE negotiation process (179); IKE security mechanism (180); Protocols and standards (181); IKE configuration prerequisites (181); IKE configuration task list (181); Configuring an IKE profile ...
  • Page 8 Displaying and maintaining SSH (226); Stelnet configuration examples (226); Password authentication enabled Stelnet server configuration example (226); Publickey authentication enabled Stelnet server configuration example (228); Password authentication enabled Stelnet client configuration example (233) ...
  • Page 9 Troubleshooting connection limits (271); ACLs in the connection limit rules with overlapping segments (271); Configuring ARP attack protection (272); ARP attack protection configuration task list (272); Configuring unresolvable IP attack protection (273) ...
  • Page 10 Configuring a portal authentication server (299); Configuring a portal Web server (300); Enabling portal authentication on an interface (300); Configuration restrictions and guidelines (300); Configuration procedure (301); Referencing a portal Web server for an interface (301) ...
  • Page 11 Support and other resources (348); Contacting HP (348); Subscription service (348); Related information (348); Documents (348); Websites (348); Conventions (349); Index (351) ...
  • Page 12: Configuring Aaa

    Configuring AAA. Overview: Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It specifies the following security functions: • Authentication—Identifies users and verifies their validity. • Authorization—Grants different users different rights and controls their access to resources and ...
  • Page 13: Radius

    RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access. The RADIUS authorization process is combined with the RADIUS authentication process, and user authorization information is piggybacked in authentication responses.
  • Page 14 Basic RADIUS packet exchange process. Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server. Figure 3 Basic RADIUS packet exchange process. RADIUS uses the following workflow: The host sends a connection request that includes the user's username and password to the RADIUS client.
  • Page 15 RADIUS packet format RADIUS uses UDP to transmit packets. To ensure smooth packet exchange between the RADIUS server and the client, RADIUS uses a series of mechanisms, including the timer mechanism, the retransmission mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet format.
  • Page 16 • The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS server and to encrypt user passwords. There are two types of authenticators: request authenticator and response authenticator. • The Attributes field (variable in length) includes specific authentication, authorization, and accounting information.
  • Page 17 5, a sub-attribute encapsulated in attribute 26 consists of the following parts: • Vendor-ID—ID of the vendor. Its most significant byte is 0; the other three bytes contain a code compliant with RFC 1700. The vendor ID of HP is 25506. • Vendor-Type—Type of the sub-attribute. • Vendor-Length—Length of the sub-attribute.
  • Page 18: Hwtacacs

    Figure 5 Format of attribute 26. HWTACACS: HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for PPP, VPDN, and terminal users.
  • Page 19 Figure 6 Basic HWTACACS packet exchange process for a Telnet user (Host, HWTACACS client, HWTACACS server): 1) The user tries to log in; 2) Start-authentication packet; 3) Authentication response requesting the username; 4) Request for username; 5) The user enters the username; 6) Continue-authentication packet with the username; 7) Authentication response requesting the password; 8) Request for password...
  • Page 20: Aaa Implementation On The Device

    The user enters the password. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication. The HWTACACS client sends a user authorization request packet to the HWTACACS server.
  • Page 21 NOTE: The device also provides authentication modules (such as 802.1X) for implementation of user authentication management policies. If you configure these authentication modules, the ISP domains for users of the access types depend on the configuration of the authentication modules. AAA methods: AAA supports configuring different authentication, authorization, and accounting methods for different types of users in an ISP domain.
  • Page 22: Aaa For Mpls L3Vpns

    • Command authorization—Enables the NAS to let the authorization server determine whether a command entered by a login user is permitted, and allow login users to execute only authorized commands. For more information about command authorization, see Fundamentals Configuration Guide. ...
  • Page 23: Radius Attributes

    Maximum idle time permitted for the user before termination of the session. Calling-Station-Id: User identification that the NAS sends to the server. For the LAN access service provided by an HP device, this attribute includes the MAC address of the user in the format HHHH-HHHH-HHHH. NAS-Identifier...
  • Page 24 Access-Requests. This attribute is present when EAP authentication is used. NAS-Port-Id: String for describing the port of the NAS that is authenticating the user. HP proprietary RADIUS sub-attributes (Sub-attribute, Description): Input-Peak-Rate: Peak rate in the direction from the user to the NAS, in bps.
  • Page 25 Sub-attribute, Description: Command: Operation for the session, used for session control. Possible values include: • 1—Trigger-Request. • 2—Terminate-Request. • 3—SetPolicy. • 4—Result. • 5—PortalClear. Identification for retransmitted packets. For retransmitted packets from the same session, this attribute must be the same value. For retransmitted packets from different sessions, this attribute does not have to be the same value.
  • Page 26: Fips Compliance

    Sub-attribute, Description: Output-Interval-Gigawords: Amount of bytes output within an accounting interval, in units of 4G bytes. Backup-NAS-IP: Backup source IP address for sending RADIUS packets. Product_ID: Product name. FIPS compliance: The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
  • Page 27: Configuring Aaa Schemes

    Tasks at a glance (Required.) Perform at least one of the following tasks to configure local users or AAA schemes: • Configuring local users • Configuring RADIUS schemes • Configuring HWTACACS schemes (Required.) Configure AAA methods for ISP domains: (Required.) Creating an ISP domain (Optional.) Configuring ISP domain attributes...
  • Page 28 • Binding attributes—Binding attributes control the scope of users, and are checked during local authentication of a user. If the attributes of a user do not match the binding attributes configured for the local user account, the user cannot pass authentication. Binding attributes include the ISDN calling number, IP address, access port, MAC address, and native VLAN.
  • Page 29 Step, Command, Remarks: Enter system view (system-view). Add a local user and enter local user view (local-user user-name [ class { manage | network } ]); by default, no local user exists. Network access user passwords are encrypted with the encryption ...
  • Page 30 Step, Command, Remarks: (Optional.) Configure ... (authorization-attribute { acl acl-number | callback-number ...); by default, a local user is assigned the user role of network-operator when the user is created by a network-admin user. For PPP users, only the settings for acl, callback-number, and idle-cut take effect. For LAN and portal users, only the ...
  • Page 31 To configure user group attributes: Step, Command, Remarks: Enter system view (system-view). Create a user group and enter its view (user-group group-name); by default, there is a system-defined user group named system, which is the default user group. Configure authorization ... (authorization-attribute { acl acl-number | callback-number ...); by default, no authorization ...
  • Page 32: Configuring Radius Schemes

    Configuring RADIUS schemes A RADIUS scheme specifies the RADIUS servers that the device can work with and defines a set of parameters that the device uses to exchange information with the RADIUS servers, including the IP addresses of the servers, UDP port numbers, shared keys, and server types. Configuration task list Tasks at a glance (Required.)
  • Page 33 Step, Command, Remarks: Enter system view (system-view). Enter RADIUS scheme view (radius scheme radius-scheme-name). • Specify the primary RADIUS authentication server (primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance ...); configure at least one command. By default, no authentication server is specified.
  • Page 34 Step, Command, Remarks: • Specify the primary RADIUS accounting server (primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *); configure at least one command. By default, no accounting server is specified. Specify RADIUS accounting ...; two accounting servers in a...
  • Page 35 Step, Command, Remarks: Specify a VPN for the RADIUS scheme (vpn-instance vpn-instance-name); by default, a RADIUS scheme belongs to the public network. Setting the username format and traffic statistics units: A username is typically in the format userid@isp-name, where isp-name represents the user's ISP domain name.
  • Page 36 Setting the status of RADIUS servers To control the RADIUS servers with which the device communicates when the current servers are no longer available, set the status of RADIUS servers to blocked or active. You can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers functioning as the backup of the primary servers.
  • Page 37 Step, Command, Remarks: • Set the status of the primary RADIUS authentication server (state primary authentication { active | block }). • Set the status of the primary RADIUS accounting server (state primary accounting { active | block }) ... Configure at least one command. By default, every server specified in a RADIUS scheme ...
  • Page 38 Step, Command, Remarks: Enter system view (system-view). Enter RADIUS scheme view (radius scheme radius-scheme-name). Specify a source IP address for outgoing RADIUS packets (nas-ip { ipv4-address | ipv6 ...); by default, the source IP address specified by the radius nas-ip command in system view is used. If ...
  • Page 39 NAS. The security policy server is the management and control center of the HP EAD solution. To implement all EAD functions, configure both the IP address of the security policy server and that of the IMC Platform on the NAS.
  • Page 40: Configuring Hwtacacs Schemes

    Step, Command, Remarks: Specify a security policy server (security-policy-server { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]); by default, no security policy server is specified for a scheme. You can specify up to eight security policy servers for a RADIUS scheme. Displaying and maintaining RADIUS: Execute display commands in any view and reset commands in user view.
  • Page 41 Specifying the HWTACACS authentication servers You can specify one primary authentication server and up to 16 secondary authentication servers for an HWTACACS scheme. When the primary server is not available, the device tries to communicate with the secondary servers in the order they are configured, and communicates with the first secondary server in active state.
  • Page 42 Step, Command, Remarks: • Specify the primary HWTACACS authorization server (primary authorization { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance ...); configure at least one command. By default, no authorization server is specified.
  • Page 43 Step, Command, Remarks: Enter system view (system-view). Enter HWTACACS scheme view (hwtacacs scheme hwtacacs-scheme-name). Specify a shared key for secure HWTACACS authentication, authorization, ... (key { accounting | authentication | authorization } { cipher | simple } ...); by default, no shared key is specified. The shared key configured on the device must be the same as that...
  • Page 44 Step, Command, Remarks: Set the data flow and packet measurement units for traffic statistics (data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *); optional. By default, traffic is counted in bytes and packets. Specifying the source IP address for outgoing HWTACACS packets: The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS...
  • Page 45 Setting HWTACACS timers The device uses the following timers to control communication with an HWTACACS server: • Server response timeout timer (response-timeout)—Defines the HWTACACS request retransmission interval. The timer starts immediately after an HWTACACS authentication, authorization, or accounting request is sent. If the device does not receive a response from the server before the timer expires, it resends the request.
  • Page 46: Configuring Aaa Methods For Isp Domains

    Configuring AAA methods for ISP domains You configure AAA methods for an ISP domain by referencing configured AAA schemes in ISP domain view. Each ISP domain has a set of system-defined AAA methods, which are local authentication, local authorization, and local accounting. If you do not configure any AAA methods for an ISP domain, the device uses the system-defined AAA methods for users in the domain.
  • Page 47: Configuring Authentication Methods For An Isp Domain

    • Maximum number of online users—The device controls the number of online users in a domain to ensure the system performance and service reliability. • Authorization attributes—The device assigns the authorization attributes in the ISP domain to the authenticated users who do not receive authorization attributes from the server. An ISP domain attribute applies to all users in the domain.
  • Page 48: Configuring Authorization Methods For An Isp Domain

    Step, Command, Remarks: Enter system view (system-view). Enter ISP domain view (domain isp-name). Specify the default ... (authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local ...); by default, the default authentication method is local.
  • Page 49: Configuring Accounting Methods For An Isp Domain

    • If RADIUS authorization fails, the server sends an error message to the NAS, indicating that the server itself is not responding. Configuration procedure: To configure authorization methods for an ISP domain: Step, Command, Remarks: Enter system view (system-view). Enter ISP domain view (domain isp-name). authorization default { hwtacacs-scheme ...; by default, the authorization...
  • Page 50 Determine whether to configure the default accounting method for all access types or service types. The default accounting method applies to all access users, but it has a lower priority than the accounting method that is specified for an access type or service type. Configuration guidelines When configuring accounting methods, follow these guidelines: Login users who use FTP services do not support accounting.
  • Page 51: Enabling The Session-Control Feature

    Enabling the session-control feature: A RADIUS server running on IMC can use session-control packets to deliver disconnect or dynamic authorization change requests. This task enables the device to receive RADIUS session-control packets on UDP port 1812. To enable the session-control feature: Step, Command, Remarks...
  • Page 52: Authentication And Authorization For Ssh Users By A Radius Server

    Set the ports for authentication to 1812, respectively. Select the service type Device Management Service. Select the access device type HP. Select the access device from the device list or manually add the access device (with the IP address 10.1.1.2).
  • Page 53 The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the router, which is chosen in this order on the router: 1) IP address specified by the nas-ip command; 2) IP address specified by the radius nas-ip command; 3) IP address of the outbound interface (the default). Figure 11 Adding the router as an access device...
  • Page 54 Figure 12 Adding an account for device management Configure the router: # Assign an IP address to interface Ethernet 1/1, the SSH user access interface. <Router> system-view [Router] interface ethernet 1/1 [Router-Ethernet1/1] ip address 192.168.1.70 255.255.255.0 [Router-Ethernet1/1] quit # Assign an IP address to interface Ethernet 1/2, through which the router communicates with the server.
  • Page 55: Verifying The Configuration

    [Router] role default-role enable # Create a RADIUS scheme. [Router] radius scheme rad # Specify the primary authentication server. [Router-radius-rad] primary authentication 10.1.1.1 1812 # Set the shared key for secure communication with the server to expert in plain text. [Router-radius-rad] key authentication simple expert # Include the domain names in usernames sent to the RADIUS server.
  • Page 56: Verifying The Configuration

    <Router> system-view [Router] interface ethernet 1/1 [Router-Ethernet1/1] ip address 192.168.1.70 255.255.255.0 [Router-Ethernet1/1] quit # Create local RSA and DSA key pairs. [Router] public-key local create rsa [Router] public-key local create dsa # Enable the SSH service. [Router] ssh server enable # Enable scheme authentication for user lines VTY 0 through VTY 63.
  • Page 57: Configuration Procedure

    Set the shared keys for secure HWTACACS communication to expert. Configure the router to send usernames without domain names to the HWTACACS server. Figure 14 Network diagram (HWTACACS server 10.1.1.1/24; Router Eth1/2 10.1.1.2/24 and Eth1/1 192.168.1.70/24; SSH user 192.168.1.58/24 reached over the Internet). Configuration procedure: Configure the HWTACACS server: # On the HWTACACS server, set the shared keys for secure communication with the router to expert, add an account for the SSH user, and specify the password.
  • Page 58: Verifying The Configuration

    [Router-hwtacacs-hwtac] quit # Create ISP domain bbb and configure AAA methods for login users. [Router] domain bbb [Router-isp-bbb] authentication login hwtacacs-scheme hwtac [Router-isp-bbb] authorization login hwtacacs-scheme hwtac [Router-isp-bbb] accounting login hwtacacs-scheme hwtac [Router-isp-bbb] quit # Create local RSA and DSA key pairs. [Router] public-key local create rsa [Router] public-key local create dsa # Enable the SSH service.
  • Page 59: Radius Packet Delivery Failure

    • The username is in the userid@isp-name format and the ISP domain is correctly configured on the NAS. • The user is configured on the RADIUS server. • The correct password is entered. • The same shared key is configured on both the RADIUS server and the NAS. ...
  • Page 60: Troubleshooting Hwtacacs

    Troubleshooting HWTACACS Similar to RADIUS troubleshooting. See "Troubleshooting RADIUS."...
  • Page 61: 802.1X Overview

    802.1X overview 802.1X is available only on the routers with Layer 2 Ethernet switching interface module installed. For more information about the Layer 2 Ethernet switching interface modules, see HP MSR Router Series Interface Module Guide. 802.1X is a port-based network access control protocol initially proposed for securing WLANs, and it has also been widely used on Ethernet networks for access control.
  • Page 62: 802.1X-Related Protocols

    • Performs unidirectional traffic control to deny traffic from the client. • The HP devices support only unidirectional traffic control. 802.1X-related protocols 802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the network access device, and the authentication server. EAP is an authentication framework that uses the client/server model.
  • Page 63: Packet Formats

    • Protocol version—The EAPOL protocol version used by the EAPOL packet sender. • Type—Type of the EAPOL packet. Table 4 lists the types of EAPOL packets supported by HP implementation of 802.1X. Table 4 Types of EAPOL packets: Value...
  • Page 64: Eap Over Radius

    Value, Type, Description: 0x02, EAPOL-Logoff: The client sends an EAPOL-Logoff message to tell the network access device that it is logging off. • Length—Data length in bytes, or length of the Packet body. If packet type is EAPOL-Start or EAPOL-Logoff, this field is set to 0, and no Packet body field follows. • Packet body—Content of the packet.
  • Page 65: Access Device As The Initiator

    802.1X client (for example, the HP iNode 802.1X client) that can send broadcast EAPOL-Start packets. Access device as the initiator The access device initiates authentication, if a client cannot send EAPOL-Start packets. One example is the 802.1X client available with Windows XP.
  • Page 66: A Comparison Of Eap Relay And Eap Termination

    EAP termination: Works with any RADIUS server that supports PAP or CHAP authentication. • Supports only MD5-Challenge EAP authentication and the "username + password" EAP authentication initiated by an HP iNode 802.1X client. • The processing is complex on the network access device.
  • Page 67 Figure 23 802.1X authentication procedure in EAP relay mode (Client, Device, Authentication server; EAPOL between client and device, EAPOR between device and server): (1) EAPOL-Start; (2) EAP-Request/Identity; (3) EAP-Response/Identity; (4) RADIUS Access-Request (EAP-Response/Identity); (5) RADIUS Access-Challenge (EAP-Request/MD5 challenge); (6) EAP-Request/MD5 challenge; (7) EAP-Response/MD5 challenge; (8) RADIUS Access-Request (EAP-Response/MD5 challenge); (9) RADIUS Access-Accept (EAP-Success); (10) EAP-Success...
  • Page 68: Eap Termination

    The authentication server compares the received encrypted password with the one it generated at step 5. If the two are identical, the authentication server considers the client valid and sends a RADIUS Access-Accept packet to the network access device. Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP-Success packet to the client, and sets the controlled port in the authorized state so the client can access the network.
  • Page 69 Figure 24 802.1X authentication procedure in EAP termination mode In EAP termination mode, the network access device rather than the authentication server generates an MD5 challenge for password encryption. The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.
  • Page 70: Configuring 802.1X

    Configuring 802.1X
    This chapter describes how to configure 802.1X on an HP device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network (for example, a WLAN) that requires different authentication methods for different users on a port.
  • Page 71: Enabling 802.1X

    If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an HP iNode 802.1X client, you can use both EAP termination and EAP relay. To use EAP-TLS, PEAP, or any other EAP authentication methods, you must use EAP relay. When you make your decision, see "A comparison of EAP relay and EAP...
  • Page 72: Setting The Port Authorization State

    Setting the port authorization state
    The port authorization state determines whether the client is granted access to the network. You can control the authorization state of a port by using the dot1x port-control command and the following keywords:
    • authorized-force—Places the port in the authorized state, enabling users on the port to access the network without authentication.
  • Page 73: Setting The Maximum Number Of Authentication Request Attempts

    Step: Enter Layer 2 Ethernet interface view.
      Command: interface interface-type interface-number
    Step: Set the maximum number of concurrent 802.1X users on a port.
      Command: dot1x max-user user-number [ interface interface-list ]
      Remarks: By default, the maximum number of concurrent 802.1X users on a port is 256.
    Setting the maximum number of authentication request attempts
    The network access device retransmits an authentication request if it receives no response to the request...
  • Page 74: Configuring The Online User Handshake Function

    Configuring the online user handshake function The online user handshake function checks the connectivity status of online 802.1X users. The network access device sends handshake messages to online users at the interval specified by the dot1x timer handshake-period command. If no response is received from an online user after the maximum number of handshake attempts (set by the dot1x retry command) has been made, the network access device sets the user in the offline state.
  • Page 75: Configuration Procedure

    • Disable the multicast trigger in a wireless LAN. Wireless clients and the wireless module of the network access device can both initiate 802.1X authentication.
    • Enable the unicast trigger on a port if only a few 802.1X clients are attached to the port and these...
  • Page 76: Enabling The Periodic Online User Re-Authentication Function

    To configure the quiet timer:
    Step: Enter system view.
      Command: system-view
    Step: Enable the quiet timer.
      Command: dot1x quiet-period
      Remarks: By default, the timer is disabled.
    Step: (Optional.) Set the quiet timer.
      Command: dot1x timer quiet-period quiet-period-value
      Remarks: The default is 60 seconds.
    Enabling the periodic online user re-authentication function
    Periodic online user re-authentication tracks the connection status of online users, and updates the authorization attributes assigned by the server.
  • Page 77: 802.1X Authentication Configuration Example

    Figure 25 Network diagram
    Configuration procedure
    1. Configure the 802.1X client. If HP iNode is used, do not select the Carry version info option in the client configuration. (Details not shown.)
    2. Configure the RADIUS servers and add user accounts for the 802.1X users. (Details not shown.) For information about the RADIUS commands used on the access device in this example, see Security Command Reference.
  • Page 78
    [Device-luser-network-localuser] quit
    # Configure the idle cut function to log off any online user that has been idle for 20 minutes.
    [Device-luser-localuser] authorization-attribute idle-cut 20
    [Device-luser-localuser] quit
    Configure a RADIUS scheme:
    # Create the RADIUS scheme radius1 and enter its view.
    [Device] radius scheme radius1
    # Specify the IP addresses of the primary authentication and accounting RADIUS servers.
  • Page 79: Verifying The Configuration

    # Specify aabbcc.net as the mandatory domain.
    [Device-Ethernet1/1] dot1x mandatory-domain aabbcc.net
    Verifying the configuration
    Use the display dot1x interface ethernet 1/1 command to verify the 802.1X configuration. After an 802.1X user passes authentication, you can use the display dot1x sessions command to view the user connection information.
  • Page 80: Configuring Mac Authentication

    Configuring MAC authentication The MAC authentication feature is available only on the routers with Layer 2 Ethernet switching interface module installed. For more information about the Layer 2 Ethernet switching interface modules, see HP MSR Router Series Interface Module Guide.
  • Page 81: Configuration Prerequisites

    • If you configure MAC-based accounts, the access device sends the source MAC address as the username and password to the RADIUS server for authentication.
    • If you configure a shared account, the access device sends the shared account username and...
  • Page 82: Specifying A Mac Authentication Domain

    Step: Enter Layer 2 Ethernet interface view.
      Command: interface interface-type interface-number
    Step: Enable MAC authentication on the port.
      Command: mac-authentication
      Remarks: By default, MAC authentication is disabled on a port.
    Specifying a MAC authentication domain
    By default, MAC authentication users are in the system default authentication domain. To implement different access policies for users, you can specify authentication domains for MAC authentication users in the following ways:
    • Specify a global authentication domain in system view.
  • Page 83: Configuring Mac Authentication Timers

    Step: Configure the MAC authentication user ...
      Command: • Use one MAC-based user account for each user: mac-authentication user-name-format mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ]
      Remarks: Use either method. By default, the device uses the MAC address of a user as the username and password for...
  • Page 84: Configuring Mac Authentication Delay

    Step: Enter system view.
      Command: system-view
    Step: Enter Layer 2 Ethernet interface view.
      Command: interface interface-type interface-number
    Step: Set the maximum number of concurrent MAC authentication users on the port.
      Command: mac-authentication max-user user-number
      Remarks: By default, the maximum number of concurrent MAC authentication users on the port ...
  • Page 85: Local Mac Authentication Configuration Example

    Local MAC authentication configuration example
    Network requirements
    As shown in Figure 26, configure local MAC authentication on port GigabitEthernet 1/1 to control Internet access, as follows:
    • Configure the device to detect whether a user has gone offline every 180 seconds, and if a user fails...
  • Page 86: Verifying The Configuration

    # Configure MAC authentication to use MAC-based accounts. The MAC address usernames and passwords are hyphenated and in lower case.
    [Device] mac-authentication user-name-format mac-address with-hyphen lowercase
    Verifying the configuration
    # Display MAC authentication settings and statistics.
    <Device> display mac-authentication
    MAC authentication is enabled
    User name format is MAC address in lowercase, like xx-xx-xx-xx-xx-xx
    Fixed username: mac
    Fixed password: Not configured...
  • Page 87: Configuration Procedure

    Figure 27 Network diagram
    Configuration procedure
    1. Make sure the RADIUS server and the access device can reach each other.
    2. Create a shared account for MAC authentication users on the RADIUS server, and set the username aaa and password 123456 for the account.
    3. Configure RADIUS-based MAC authentication on the device:
    # Configure a RADIUS scheme.
  • Page 88: Verifying The Configuration

    # Specify username aaa and password 123456 in plain text for the account shared by MAC authentication users.
    [Device] mac-authentication user-name-format fixed account aaa password simple 123456
    Verifying the configuration
    # Display MAC authentication settings and statistics.
    <Device> display mac-authentication
    MAC authentication is enabled
    User name format is fixed account
    Fixed username: aaa...
  • Page 89: Configuring Password Control

    Configuring password control Overview Password control refers to a set of functions provided by the device to manage login and super password setup, expirations, and updates for device management users, and to control user login status based on predefined policies. Local users are divided into two types: device management users and network access users.
  • Page 90: Password Updating And Expiration

    configures a password, the system checks the complexity of the password. If the password is complexity-incompliant, the configuration will fail. You can apply the following password complexity requirements:
    • A password cannot contain the username or the reverse of the username. For example, if the...
  • Page 91: User Login Control

    the history records by at least four characters and the four characters must be different from one another. Otherwise, the system will display an error message, and the password will not be changed. You can set the maximum number of history password records for the system to maintain for each user. When the number of history password records exceeds your setting, the most recent record overwrites the earliest one.
  • Page 92: Fips Compliance

    FIPS compliance
    The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
    Password control configuration task list
    The password control functions can be configured in several different views, and different views support different functions.
  • Page 93: Setting Global Password Control Parameters

    Step: Enable the global password control feature.
      Command: password-control enable
      Remarks: By default, the global password control feature is disabled.
    Step: (Optional.) Enable a specific password control function.
      Command: password-control { aging | composition | history | length }
      Remarks: By default, all four password control functions are enabled.
  • Page 94: Setting User Group Password Control Parameters

    Step: Specify the maximum number of login attempts and the action to be taken when a user fails to log in after the specified number of attempts.
      Command: password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
      Remarks: By default, the maximum number of login attempts is 3 and a user failing to log in after the specified number of attempts must wait for 1...
  • Page 95: Setting Local User Password Control Parameters

    Setting local user password control parameters
    Step: Enter system view.
      Command: system-view
    Step: Create a device management user and enter local user view.
      Command: local-user user-name class manage
      Remarks: By default, no local user exists. Local user password control applies to device management users instead of network access ...
  • Page 96: Displaying And Maintaining Password Control

    To set super password control parameters:
    Step: Enter system view.
      Command: system-view
    Step: Set the password expiration time for super passwords.
      Command: password-control super aging aging-time
      Remarks: The default setting is 90 days.
    Step: Configure the minimum length for super passwords.
      Command: password-control super length
      Remarks: • In non-FIPS mode, the default setting is 10 characters.
  • Page 97
    • A password expires after 30 days.
    • The minimum password update interval is 36 hours.
    • The maximum account idle time is 30 days.
    • A password cannot contain the username or the reverse of the username.
    • No character appears consecutively three or more times in a password.
    Configure a super password control policy for user role network-operator to meet the following requirements:
    • A super password must contain at least four character types and at least five characters for...
  • Page 98
    [Sysname-luser-manage-test] password-control length 16
    # Specify that the password of the local user must contain at least four character types and at least five characters for each type.
    [Sysname-luser-manage-test] password-control composition type-number 4 type-length 5
    # Set the password for the local user to expire after 20 days.
    [Sysname-luser-manage-test] password-control aging 20
    # Configure the password of the local user in interactive mode.
  • Page 99
    User role list: network-operator
    Password control configurations:
    Password aging: Enabled (20 days)
    Password length: Enabled (16 characters)
    Password composition: Enabled (4 types, 5 characters per type)
  • Page 100: Managing Public Keys

    Managing public keys
    Overview
    This chapter describes public key management for the asymmetric key algorithms including the Rivest-Shamir-Adleman Algorithm (RSA), the Digital Signature Algorithm (DSA), and the Elliptic Curve Digital Signature Algorithm (ECDSA). Many security applications, such as SSH and PKI, use asymmetric key algorithms to secure communications between two parties, as shown in Figure 28.
  • Page 101: Creating A Local Key Pair

    Creating a local key pair
    Configuration guidelines
    When you create a local key pair, follow these guidelines:
    • The key algorithm must be the same as required by the security application.
    • The key modulus length must be appropriate (see Table 6).
  • Page 102: Distributing A Local Host Public Key

    Step: Create local DSA or RSA key pairs.
      Command: public-key local create { dsa | ecdsa | rsa } [ name key-name ]
      Remarks: By default, no local key pair exists.
    Distributing a local host public key
    You must distribute a local host public key to a peer device so the peer device can use the public key to encrypt information sent to the local device or authenticate the digital signature signed by the local device.
  • Page 103: Displaying A Host Public Key

    Step: Enter system view.
      Command: system-view
    Step: Display local host public keys in a specific format.
      Command:
      • Display RSA host public keys:
        In non-FIPS mode: public-key local export rsa [ name key-name ] { openssh | ssh1 | ssh2 }
        In FIPS mode: public-key local export rsa [ name key-name ] { openssh | ssh2 }
  • Page 104: Configuring A Peer Public Key

    IMPORTANT: Manually enter (type or copy) the peer public key ... If the peer device is an HP device, use the display public-key local public command ... key displayed by the display public-key local public command, the system saves the key.
  • Page 105: Displaying And Maintaining Public Keys

    Displaying and maintaining public keys
    Execute display commands in any view.
    Task: Display local public keys.
      Command: display public-key local { dsa | ecdsa | rsa } public [ name key-name ]
    Task: Display peer public keys.
      Command: display public-key peer [ brief | name publickey-name ] [ name ...
  • Page 106
    Time when key pair created: 16:48:31 2011/05/12
    Key code: …
    =============================================
    Key name: serverkey (default)
    Key type: RSA
    Time when key pair created: 16:48:31 2011/05/12
    Key code: …
    Configure Device B:
    # Enter the host public key of Device A in public key view. The key must be literally the same as displayed on Device A.
  • Page 107: Example For Importing A Public Key From A Public Key File

    Example for importing a public key from a public key file
    Network requirements
    Figure 30, Device B authenticates Device A through a digital signature. Before configuring authentication parameters on Device B, configure the public key of Device A on Device B. Configure Device B to use the asymmetric key algorithm of RSA to authenticate Device A.
  • Page 108
    =============================================
    Key name: serverkey (default)
    Key type: RSA
    Time when key pair created: 16:48:31 2011/05/12
    Key code: …
    # Export the RSA host public key to the file devicea.pub.
    [DeviceA] public-key local export rsa ssh2 devicea.pub
    [DeviceA] quit
    # Enable the FTP server function, create an FTP user with the username ftp and password 123, and configure the FTP user role as network-admin.
  • Page 109
    [DeviceB] display public-key peer name devicea
    =============================================
    Key name: devicea
    Key type: RSA
    Key modulus: 1024
    Key code: …
  • Page 110: Configuring Pki

    PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity. HP's PKI system provides certificate management for IPsec. PKI terminology Digital certificate A digital certificate is a document signed by a certificate authority (CA).
  • Page 111: Pki Architecture

    CA policy A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revoking certificates, and publishing CRLs. Usually, a CA advertises its policy in a certification practice statement (CPS). You can obtain a CA policy through out-of-band means such as phone, disk, and email. Make sure you understand the CA policy before you select a trusted CA for certificate request because different CAs might use different policies.
  • Page 112: Pki Operation

    PKI operation
    The following describes how a PKI entity requests a local certificate from a CA, and how an RA is involved in entity enrollment:
    1. A PKI entity submits a certificate request to the RA.
    2. The RA verifies the identity of the entity and sends a digital signature containing the identity information and the public key to the CA.
  • Page 113: Fips Compliance

    Figure 32 PKI support for MPLS L3VPN
    FIPS compliance
    The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
    PKI configuration task list
    Tasks at a glance
    (Required.) Configuring a PKI entity...
  • Page 114: Configuring A Pki Domain

    • FQDN of the entity.
    • IP address of the entity.
    Whether the categories are required or optional depends on the CA policy. Follow the CA policy to configure the entity settings. For example, if the CA policy requires the entity DN, but you configure only the IP address, the CA rejects the certificate request from the entity.
  • Page 115
    If you do not specify the fingerprint for the PKI domain, the system asks you to verify the fingerprint manually.
    • For an obtained CA root certificate in an automatic local certificate request process that IKE triggers, if its fingerprint does not match the one configured for the PKI domain, the device rejects the root certificate, and the local certificate request fails.
  • Page 116: Requesting A Certificate

    Step: Specify the fingerprint for root certificate verification.
      Command: • In non-FIPS mode: root-certificate fingerprint { md5 | sha1 } string
      Remarks: Optional if you manually request local certificates. If you want to verify the fingerprint manually, do not configure this ...
  • Page 117: Configuring Automatic Certificate Request

    To submit a certificate request in offline mode:
    1. Use pki request-certificate domain pkcs10 to print the request information on the terminal, or use pki request-certificate domain pkcs10 filename to save the request information to a local file.
    2. Send the printed information or the saved file to the CA by an out-of-band means to submit the request.
  • Page 118: Manually Requesting A Certificate

    Manually requesting a certificate
    IMPORTANT: Before you manually request a certificate, make sure the system time of the device is synchronized with the CA server. Otherwise, the device might fail to request the certificate because it regards the certificate as out of the validity period.
  • Page 119: Aborting A Certificate Request

    Aborting a certificate request Before the CA issues a certificate, you can abort a certificate request to change some parameters, such as the common name, country code, and FQDN, in the certificate request. You can use display pki certificate request-status to display the certificate request status. Alternatively, you can also remove the PKI domain to abort the certificate request.
  • Page 120: Configuration Procedure

    • If a PKI domain already has local or peer certificates, you can still perform the obtain operation, and the obtained local or peer certificates overwrite the existing ones.
    • If RSA is used, a PKI domain can have two local certificates, one for signature and the other for encryption.
    •...
  • Page 121: Verifying Certificates Without Crl Checking

    Step: (Optional.) Specify the URL of the CRL repository.
      Command: crl url url-string [ vpn-instance vpn-instance-name ]
      Remarks: By default, the URL of the CRL repository is not specified.
    Step: Enable CRL checking.
      Command: crl check enable
      Remarks: By default, CRL checking is enabled.
    Step: Return to system view.
  • Page 122: Exporting Certificates

    After you change the storage path for the certificates or CRLs, the certificate files (with the file extension .cer or .p12) and CRL files (with the extension .crl) in the original path are moved to the new path. To specify the storage path for the certificates and CRLs: Task Command Remarks...
  • Page 123: Removing A Certificate

    Removing a certificate CAUTION: When you remove the CA certificate in a domain, the system also removes the local certificates, peer certificates, and CRLs in the same PKI domain. Each certificate issued by a CA has a validity period. If the certificate is about to expire or your private key is compromised, do the following tasks: Remove the local certificate.
  • Page 124: Displaying And Maintaining Pki

    To configure a certificate access control policy:
    Step: Enter system view.
      Command: system-view
    Step: Create a certificate attribute group and enter its view.
      Command: pki certificate attribute-group group-name
      Remarks: By default, no certificate attribute group exists.
    Step: (Optional.) Configure an attribute rule for issuer name, ...
      Command: attribute id { alt-subject-name { fqdn | ip } | { issuer-name | ...
      Remarks: By default, no attribute rule is...
  • Page 125: Certificate Request From An Rsa Keon Ca Server

    If you use RSA Keon, the SCEP add-on is not required. When you configure a PKI domain, you must use the certificate request from ca command to specify the CA to accept certificate requests for PKI entity enrollment to a CA. Certificate request from an RSA Keon CA server Network requirements Configure the PKI entity (the device) to request a local certificate from the CA server.
  • Page 126
    [Device-pki-domain-torsa] certificate request url http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337
    # Specify the CA for accepting certificate requests.
    [Device-pki-domain-torsa] certificate request from ca
    # Specify the PKI entity name as aaa.
    [Device-pki-domain-torsa] certificate request entity aaa
    # Specify the URL of the CRL repository.
    [Device-pki-domain-torsa] crl url http://4.4.4.133:447/myca.crl
    # Specify the RSA key pair with the purpose general, the name abc, and the length 1024 bits.
  • Page 127: Certificate Request From A Windows 2003 Ca Server

    OU=test CN=myca Validity Not Before: Aug 24 09:06:29 2011 GMT Not After : Aug 23 09:06:29 2012 GMT Subject: CN=Device Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00D67D50 41046F6A 43610335 CA6C4B11 F8F89138 E4E905BD 43953BA2 623A54C0 EA3CB6E0 B04649CE C9CDDD38 34015970 981E96D9 FF4F7B73 A5155649 E583AC61...
  • Page 128 Figure 34 Network diagram Configuring the CA server Install the certificate service component: Select Control Panel > Add or Remove Programs from the start menu. Select Add/Remove Windows Components > Certificate Services. Click Next to begin the installation. Set the CA name. In this example, set the CA name to myca. Install the SCEP add-on: The Windows 2003 server does not support SCEP by default.
  • Page 129
    [Device] pki domain winserver
    # Specify the name of the trusted CA as myca.
    [Device-pki-domain-winserver] ca identifier myca
    # Configure the URL of the registration server in the form of http://host:port/certsrv/mscep/mscep.dll, where host:port is the host IP address and port number of the CA server.
  • Page 130 Issuer: CN=myca Validity Not Before: Aug 24 09:06:29 2011 GMT Not After : Aug 23 09:06:29 2012 GMT Subject: CN=test Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00A6637A 8CDEA1AC B2E04A59 F7F6A9FE 5AEE52AE 14A392E4 E0E5D458 0D341113 0BF91E57 FA8C67AC 6CE8FEBB 5570178B 10242FDD D3947F5E 2DA70BD9 1FAF07E5...
  • Page 131: Certificate Request From An Openca Server

    Certificate request from an OpenCA server Network requirements Configure the PKI entity (the device) to request a local certificate from the CA server. Figure 35 Network diagram Configuring the CA server The configuration is not shown. For information about how to configure an OpenCA server, see related manuals.
  • Page 132
    Generate a local RSA key pair.
    [Device] public-key local create rsa name abc
    The range of public key size is (512 ~ 2048).
    If the key modulus is greater than 512,it will take a few minutes. Press CTRL+C to abort.
    Input the modulus length [default = 1024]:
    Generating Keys...
  • Page 133 0d:f7:64:cf:0a:dd:39:49:d7:3f:25:35:18:f4:1c: 59:46:2b:ec:0d:21:1d:00:05:8a:bf:ee:ac:61:03: 6c:1f:35:b5:b4:cd:86:9f:45 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin Netscape Comment: User Certificate of OpenCA Labs X509v3 Subject Key Identifier: 24:71:C9:B8:AD:E1:FE:54:9A:EA:E9:14:1B:CD:D9:45:F4:B2:7A:1B...
  • Page 134: Ike Negotiation With Rsa Digital Signature From A Windows 2003 Ca Server

    To display detailed information about the CA certificate, use the display pki certificate domain command.
    IKE negotiation with RSA digital signature from a Windows 2003 CA server
    Network requirements
    Device A and Device B establish an IPsec tunnel to protect the traffic between Host A on subnet 10.1.1.0/24 and Host B on subnet 1.1.1.0/24.
  • Page 135
    [DeviceA-pki-entity-en] quit
    # Configure a PKI domain.
    [DeviceA] pki domain 1
    [DeviceA-pki-domain-1] ca identifier CA1
    [DeviceA-pki-domain-1] certificate request url http://1.1.1.100/certsrv/mscep/mscep.dll
    [DeviceA-pki-domain-1] certificate request entity en
    [DeviceA-pki-domain-1] ldap-server host 1.1.1.102
    # Specify the RA to accept certificate requests.
    [DeviceA-pki-domain-1] certificate request from ra
    # Specify the RSA key pair with the purpose general, the name abc, and the length 1024 bits.
  • Page 136: Certificate Import And Export Configuration Example

    [DeviceB-pki-domain-1] certificate request entity en
    [DeviceB-pki-domain-1] ldap-server host 1.1.1.102
    # Specify the RA to accept certificate requests.
    [DeviceB-pki-domain-1] certificate request from ra
    # Specify the RSA key pair with the purpose general, the name abc, and the length 1024 bits.
    [DeviceB-pki-domain-1] public-key rsa general name abc length 1024
    [DeviceB-pki-domain-1] quit
    # Generate a local RSA key pair.
  • Page 137
    Figure 37 Network diagram
    Configuration procedure
    Export the certificate on Device A to specified files:
    # Export the CA certificate to a file named pkicachain.pem in PEM format.
    <DeviceA> system-view
    [DeviceA] pki export domain exportdomain pem ca filename pkicachain.pem
    # Export the local certificate to a file named pkilocal.pem in PEM format, and use 3DES_CBC to encrypt the private key with the password 111111.
  • Page 138 Bag Attributes friendlyName: localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8 subject=/C=CN/O=OpenCA Labs/OU=Users/CN=subencr 11 issuer=/C=CN/L=shangdi/ST=beijing/O=OpenCA Labs/OU=docm/CN=subca1 -----BEGIN CERTIFICATE----- MIIEUDCCAzigAwIBAgIKCHxnAVyzWhIPLzANBgkqhkiG9w0BAQsFADBmMQswCQYD … -----END CERTIFICATE----- Bag Attributes friendlyName: localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8 Key Attributes: <No Attributes>...
  • Page 139 Serial Number: 98:2c:79:ba:5e:8d:97:39:53:00 Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, L=shangdi, ST=beijing, O=OpenCA Labs, OU=docm, CN=subca1 Validity Not Before: May 26 05:56:49 2011 GMT Not After : Nov 22 05:56:49 2012 GMT Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subsign 11 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus:...
  • Page 140
    Full Name: URI:http://192.168.40.130/pki/pub/crl/cacrl.crl
    Signature Algorithm: sha256WithRSAEncryption
    …
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number: 08:7c:67:01:5c:b3:5a:12:0f:2f
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=CN, L=shangdi, ST=beijing, O=OpenCA Labs, OU=docm, CN=subca1
    Validity
    Not Before: May 26 05:58:26 2011 GMT
    Not After : Nov 22 05:58:26 2012 GMT...
  • Page 141 CA:FALSE Netscape Cert Type: SSL Server X509v3 Key Usage: Key Encipherment, Data Encipherment Netscape Comment: VPN Server of OpenCA Labs X509v3 Subject Key Identifier: CC:96:03:2F:FC:74:74:45:61:38:1F:48:C0:E8:AA:18:24:F0:2B:AB X509v3 Authority Key Identifier: keyid:70:54:40:61:71:31:02:06:8C:62:11:0A:CC:A5:DB:0E:7E:74:DE:DD X509v3 Subject Alternative Name: email:subencr@docm.com X509v3 Issuer Alternative Name: DNS:subca1@docm.com, DNS:, IP Address:1.1.2.2, IP Address:2.2.1.1 Authority Information Access: CA Issuers - URI:http://titan/pki/pub/cacert/cacert.crt OCSP - URI:http://titan:2560/...
  • Page 142: Troubleshooting Pki Configuration

    Troubleshooting PKI configuration This section describes common PKI problems and how to troubleshoot them. Failed to obtain the CA certificate Symptom The CA certificate cannot be obtained. Analysis The network connection is down because, for example, the network cable is damaged or the •...
  • Page 143: Failed To Request Local Certificates

    Solution Make sure the network connection is physically proper. Obtain or import the CA certificate. Configure the correct LDAP server. Specify the key pair used for certificate request in the PKI domain, generate the proper key pair, and make sure it matches the local certificates to be obtained. Reference the proper PKI entity in the PKI domain, and correctly configure the PKI entity.
  • Page 144: Failed To Obtain Crls

    Synchronize the system time of the device with the CA server. Failed to obtain CRLs Symptom CRLs cannot be obtained. Analysis The network connection is down because, for example, the network cable is damaged or the connectors have bad contact. •...
  • Page 145: Failed To Import A Local Certificate

    Solution Use undo crl check enable to disable CRL checking. Make sure the format of the imported file is proper. Failed to import a local certificate Symptom A local certificate cannot be imported. Analysis The PKI domain has no CA certificate, and the certificate file to be imported does not contain the •...
  • Page 146: Failed To Set The Storage Path

    Use mkdir to create the required path. Specify a correct export path. Configure the proper key pair in the PKI domain. Clear up the disk space of the device. Failed to set the storage path Symptom The storage path for certificates or CRLs cannot be set. Analysis The specified storage path does not exist.
  • Page 147: Configuring Ipsec

    Configuring IPsec Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see "Configuring FIPS." CAUTION: If you configure both IPsec and QoS on an interface, make sure the IPsec traffic classification rules match the QoS traffic classification rules.
  • Page 148: Security Protocols And Encapsulation Modes

    Security protocols and encapsulation modes Security protocols IPsec comes with two security protocols, AH and ESP. They define how to encapsulate IP packets and the security services that they can provide. AH (protocol 51) defines the encapsulation of the AH header in an IP packet, as shown in Figure •...
  • Page 149: Security Association

    IKE negotiation mode—The peers negotiate and maintain the SA through IKE. This configuration mode is simple and scales well. In medium- and large-scale dynamic networks, HP recommends setting up SAs through IKE negotiations. A manually configured SA never ages out. An IKE-created SA has a lifetime, which comes in two types: Time-based lifetime—Defines how long the SA can be valid after it is created.
  • Page 150: Ipsec Implementation

    receiver compares the local digest with that received from the sender. If the digests are identical, the receiver considers the packet intact and the sender's identity valid. IPsec uses Hash-based Message Authentication Code (HMAC) authentication algorithms, including HMAC-MD5 and HMAC-SHA1.
  • Page 151: Ipsec Rri

    encapsulated with IPsec. When the interface receives an IPsec packet whose destination address is the IP address of the local device, it searches for the inbound IPsec SA according to the SPI carried in the IPsec packet header for de-encapsulation. If the de-encapsulated packet matches the permit rule of the ACL, the device processes the packet.
  • Page 152: Protocols And Standards

    Figure 41 IPsec VPN IPsec Reverse Route Inject (RRI) enables an IPsec tunnel gateway to automatically add static routes destined for protected private networks or peer IPsec tunnel gateways to a routing table. As shown in Figure 41, you can enable IPsec RRI on the gateway at the enterprise center. After an IPsec tunnel is established, the gateway automatically adds a static route to the routing table, which can be queried like any other routing entry.
  • Page 153: Implementing Acl-Based Ipsec

    IPsec tunnels can be established in different methods. Choose a proper method to establish IPsec tunnels according to your network conditions: ACL-based IPsec tunnel—Protects packets identified by an ACL. To establish an ACL-based IPsec tunnel, configure an IPsec policy, reference an ACL in the policy, and apply the policy to an interface (see "Implementing ACL-based IPsec").
  • Page 154: Configuring An Acl

    Configuring an ACL IPsec uses ACLs to identify the traffic to be protected. To use IPsec to protect VPN traffic, specify the VPN parameters in the ACL rules. Keywords in ACL rules An ACL is a collection of ACL rules. Each ACL rule is a deny or permit statement. A permit statement identifies a data flow protected by IPsec, and a deny statement identifies a data flow that is not protected by IPsec.
  • Page 155 ipsec policy testa 1 isakmp <---IPsec policy entry with a higher priority security acl 3000 ike-profile aa transform-set 1 ipsec policy testa 2 isakmp <---IPsec policy entry with a lower priority security acl 3001 ike-profile bb transform-set 1 IPsec configurations on Router B: •...
  • Page 156: Configuring An Ipsec Transform Set

    Figure 42 Mirror image ACLs If the ACL rules on IPsec peers do not form mirror images of each other, SAs can be set up only when both of the following requirements are met: The range specified by an ACL rule on one peer is covered by its counterpart ACL rule on the other •...
  • Page 157 Step Command Remarks: Enter system view: system-view. Create an IPsec transform set and enter its view: ipsec transform-set transform-set-name; by default, no IPsec transform set exists. (Optional.) Specify the security protocol for the IPsec transform set: protocol { ah | ah-esp | esp }; by default, the IPsec transform set...
  • Page 158: Configuring A Manual Ipsec Policy

    Step Command Remarks (Optional.) Enable the Perfect Forward Secrecy (PFS) feature: in non-FIPS mode, pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | ... By default, the PFS feature is not used for SA negotiation. For more information about PFS, see "Configuring IKE." The security level of the Diffie-Hellman (DH) group of the...
  • Page 159 Step Command Remarks: (Optional.) Configure a description for the IPsec policy: description text; by default, no description is configured. Specify an ACL for the IPsec policy: security acl [ ipv6 ] { acl-number | ... ; by default, an IPsec policy references no ACL.
  • Page 160: Configuring An Ike-Based Ipsec Policy

    Step Command Remarks • Configure an authentication key in hexadecimal format for AH: sa hex-key authentication { inbound | outbound } ah { cipher | simple } key-value. • Configure an authentication key in character format for AH: ... By default, no keys are configured for the IPsec SA.
  • Page 161 An IKE-based IPsec policy can reference up to six IPsec transform sets. During an IKE negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match is found, no SA can be set up, and the packets expecting to be protected will be dropped. •...
  • Page 162 Step Command Remarks: Specify the local IP address of the IPsec tunnel: local-address { ipv4-address | ipv6 ... By default, the local IPv4 address of the IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied, and the local IPv6 address of the IPsec tunnel is the first IPv6 address of the interface to which the IPsec policy...
  • Page 163 Step Command Remarks: Create an IPsec policy template and enter its view: ipsec { ipv6-policy-template | policy-template } template-name seq-number; by default, no IPsec policy template exists. (Optional.) Configure a description for the IPsec policy template: description text; by default, no description is configured.
  • Page 164: Applying An Ipsec Policy To An Interface

    Step Command Remarks (Optional.) Enable the global IPsec SA idle timeout function and set the global SA idle timeout: ipsec sa idle-time seconds; by default, the global IPsec SA idle timeout function is disabled. Create an IPsec policy by referencing the IPsec policy template: ipsec { ipv6-policy | policy } policy-name seq-number isakmp ... ; by default, no IPsec policy exists.
  • Page 165: Configuring The Ipsec Anti-Replay Function

    To enable ACL checking for de-encapsulated packets: Step Command Remarks Enter system view: system-view. Enable ACL checking for de-encapsulated packets: ipsec decrypt-check enable; by default, this feature is enabled. Configuring the IPsec anti-replay function The IPsec anti-replay function protects networks against replay attacks by using a sliding window mechanism called the anti-replay window.
  • Page 166: Enabling Qos Pre-Classify

    respectively. When one interface fails and a link failover occurs, the other interface needs to take some time to re-negotiate SAs, resulting in service interruption. To solve these problems, bind a source interface to an IPsec policy and apply the policy to both interfaces. This enables the two physical interfaces to use the same source interface to negotiate IPsec SAs.
  • Page 167: Enabling Logging Of Ipsec Packets

    Enabling logging of IPsec packets Perform this task to enable the logging of IPsec packets that are discarded for reasons such as IPsec SA lookup failure, AH-ESP authentication failure, and ESP encryption failure. The log information includes the source and destination IP addresses, the SPI value, and the sequence number of a discarded IPsec packet, and the reason for the failure.
  • Page 168: Configuring Ipsec Rri

    Step Command Remarks Configure the DF bit of IPsec packets on the interface: ipsec df-bit { clear | copy | set }; by default, the interface uses the global DF bit setting. To configure the DF bit of IPsec packets globally: Step Command Remarks...
  • Page 169: Configuring Ipsec For Ipv6 Routing Protocols

    Step Command Remarks Enter IPsec policy view or IPsec policy template view (use either command): • To enter IPsec policy view: ipsec { policy | ipv6-policy } policy-name seq-number isakmp. • To enter IPsec policy template view: ipsec { policy-template | ipv6-policy-template } template-name seq-number. By default, IPsec RRI is disabled.
  • Page 170 The IPsec SAs on the devices in the same scope must have the same key. The scope is defined by protocols. For OSPF, the scope consists of OSPF neighbors or an OSPF area. For RIPng, the scope consists of directly-connected neighbors or a RIPng process. •...
  • Page 171: Configuring Snmp Notifications For Ipsec

    Configuring SNMP notifications for IPsec After you enable SNMP notifications for IPsec, the IPsec module notifies the NMS of important events of the module. The notifications are sent to the SNMP module of the device. You can decide how the SNMP module outputs notifications by configuring the notification transmission parameters for the SNMP module.
  • Page 172: Ipsec Configuration Examples

    Task Command Clear IPsec statistics. reset ipsec statistics [ tunnel-id tunnel-id ] IPsec configuration examples Configuring a manual mode IPsec tunnel for IPv4 packets Network requirements As shown in Figure 44, establish an IPsec tunnel between Router A and Router B to protect data flows between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
  • Page 173 # Specify the ESP encryption and authentication algorithms. [RouterA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128 [RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [RouterA-ipsec-transform-set-tran1] quit # Create a manual IPsec policy named map1, with the sequence number as 10. [RouterA] ipsec policy map1 10 manual # Apply ACL 3101. [RouterA-ipsec-policy-manual-map1-10] security acl 3101 # Apply the IPsec transform set tran1.
  • Page 174 # Create a manual IPsec policy named use1, with the sequence number as 10. [RouterB] ipsec policy use1 10 manual # Apply ACL 3101. [RouterB-ipsec-policy-manual-use1-10] security acl 3101 # Apply IPsec transform set tran1. [RouterB-ipsec-policy-manual-use1-10] transform-set tran1 # Specify the remote IP address of the IPsec tunnel as 2.2.2.1. [RouterB-ipsec-policy-manual-use1-10] remote-address 2.2.2.1 # Configure the inbound and outbound SPIs for ESP.
  • Page 175: Configuring An Ike-Based Ipsec Tunnel For Ipv4 Packets

    [Outbound ESP SA] SPI: 12345 (0x00003039) Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 No duration limit for this SA Configuring an IKE-based IPsec tunnel for IPv4 packets Network requirements As shown in Figure 45, establish an IPsec tunnel between Router A and Router B to protect data flows between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
  • Page 176 [RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [RouterA-ipsec-transform-set-tran1] quit # Create and configure the IKE keychain named keychain1. [RouterA] ike keychain keychain1 # # Specify the plaintext 123456TESTplat&! as the pre-shared key to be used with the remote peer at 2.2.3.1. [RouterA-ike-keychain-keychain1] pre-shared-key address 2.2.3.1 255.255.255.0 key simple 123456TESTplat&! [RouterA-ike-keychain-keychain1] quit # Create and configure the IKE profile named profile1.
  • Page 177 [RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel # Specify the security protocol as ESP. [RouterB-ipsec-transform-set-tran1] protocol esp # Specify the ESP encryption and authentication algorithms. [RouterB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128 [RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [RouterB-ipsec-transform-set-tran1] quit # Create and configure the IKE keychain named keychain1. [RouterB] ike keychain keychain1 [RouterB-ike-keychain-keychain1] pre-shared-key address 2.2.2.1 255.255.255.0 key simple 123456TESTplat&!
  • Page 178: Configuring An Ike-Based Ipsec Tunnel For Ipv6 Packets

    ----------------------------- IPsec policy: map1 Sequence number: 10 Mode: isakmp ----------------------------- Tunnel id: 0 Encapsulation mode: tunnel Perfect Forward Secrecy: Path MTU: 1443 Tunnel: local address: 2.2.3.1 remote address: 2.2.2.1 Flow: sour addr: 2.2.3.1/0.0.0.0 port: 0 protocol: IP dest addr: 2.2.2.1/0.0.0.0 port: 0 protocol: IP [Inbound ESP SAs]...
  • Page 179 Figure 46 Network diagram: Router A (Eth1/2 111::1/64, Eth1/1 333::1/64) and Router B (Eth1/2 222::1/64, Eth1/1 555::1/64) connected over the Internet; Host A 333::3/64 behind Router A, Host B 555::5/64 behind Router B. Configuration procedure Configure Router A: # Configure IPv6 addresses for interfaces. (Details not shown.) # Define an ACL to identify data flows from subnet 333::/64 to subnet 555::/64. <RouterA>...
  • Page 180 # Apply IPv6 ACL 3101. [RouterA-ipsec-ipv6-policy-isakmp-map1-10] security acl ipv6 3101 # Apply the IPsec transform set tran1. [RouterA-ipsec-ipv6-policy-isakmp-map1-10] transform-set tran1 # Specify the local and remote IPv6 addresses of the IPsec tunnel as 111::1 and 222::1. [RouterA-ipsec-ipv6-policy-isakmp-map1-10] local-address ipv6 111::1 [RouterA-ipsec-ipv6-policy-isakmp-map1-10] remote-address ipv6 222::1 # Apply the IKE profile profile1.
  • Page 181 # Create an IKE-based IPsec policy named use1, with the sequence number as 10. [RouterB] ipsec ipv6-policy use1 10 isakmp # Apply ACL 3101. [RouterB-ipsec-ipv6-policy-isakmp-use1-10] security acl ipv6 3101 # Apply the IPsec transform set tran1. [RouterB-ipsec-ipv6-policy-isakmp-use1-10] transform-set tran1 # Specify the local and remote IPv6 addresses of the IPsec tunnel as 222::1 and 111::1. [RouterB-ipsec-ipv6-policy-isakmp-use1-10] local-address ipv6 222::1 [RouterB-ipsec-ipv6-policy-isakmp-use1-10] remote-address ipv6 111::1 # Apply the IKE profile profile1.
  • Page 182: Configuring Ipsec For Ripng

    Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 3000/28800 SA remaining duration (kilobytes/sec): 2300/797 Max received sequence-number: 1 Anti-replay check enable: N Anti-replay window size: UDP encapsulation used for NAT traversal: N Status: active [Outbound ESP SAs] SPI: 3840956402 (0xe4f057f2) Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 3000/28800 SA remaining duration (kilobytes/sec): 2312/797 Max sent sequence-number: 1...
  • Page 183 # Configure basic RIPng. <RouterA> system-view [RouterA] ripng 1 [RouterA-ripng-1] quit [RouterA] interface ethernet 1/1 [RouterA-Ethernet1/1] ripng 1 enable [RouterA-Ethernet1/1] quit # Create and configure the IPsec transform set named tran1. [RouterA] ipsec transform-set tran1 [RouterA-ipsec-transform-set-tran1] encapsulation-mode transport [RouterA-ipsec-transform-set-tran1] protocol esp [RouterA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128 [RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [RouterA-ipsec-transform-set-tran1] quit...
  • Page 184 [RouterB-ipsec-profile-profile001] transform-set tran1 [RouterB-ipsec-profile-profile001] sa spi outbound esp 123456 [RouterB-ipsec-profile-profile001] sa spi inbound esp 123456 [RouterB-ipsec-profile-profile001] sa string-key outbound esp simple abcdefg [RouterB-ipsec-profile-profile001] sa string-key inbound esp simple abcdefg [RouterB-ipsec-profile-profile001] quit # Apply the IPsec profile to RIPng process 1. [RouterB] ripng 1 [RouterB-ripng-1] enable ipsec-profile profile001 [RouterB-ripng-1] quit...
  • Page 185: Configuring Ipsec Rri

    Preference : 100 Checkzero : Enabled Default Cost : 0 Maximum number of balanced paths : 8 Update time 30 sec(s) Timeout time 180 sec(s) Suppress time : 120 sec(s) Garbage-Collect time : 120 sec(s) Number of periodic updates sent : 186 Number of trigger updates sent : 1 IPsec profile name: profile001 # Use the display ipsec sa command to display the established IPsec SAs.
  • Page 186 Figure 48 Network diagram: Router A at the enterprise center (Eth1/1 1.1.1.1/24, Eth1/2 4.4.4.1/24, Host A behind it); branch Router B (Eth1/1 2.2.2.2/24, Eth1/2 5.5.5.1/24, Host B behind it); branch Router C and branch Router D; all connected over the Internet. Configuration procedure Assign IPv4 addresses to the interfaces on the routers according to Figure 48.
  • Page 187 # Create an IKE keychain named key1 and specify the plaintext 123 as the pre-shared key to be used with the remote peer at 2.2.2.2. [RouterA] ike keychain key1 [RouterA-ike-keychain-key1] pre-shared-key address 2.2.2.2 key simple 123 [RouterA-ike-keychain-key1] quit # Apply the IPsec policy map1 to interface Ethernet1/1. [RouterA] interface ethernet 1/1 [RouterA-Ethernet1/1] ipsec apply policy map1 [RouterA-Ethernet1/1] quit...
  • Page 188: Verify The Configuration

    Make sure Router B has a route to the peer private network, with the outgoing interface as Ethernet1/1. Configure Router C and Router D in the same way Router B is configured. Verify the configuration: Send traffic from subnet 5.5.5.0/24 to subnet 4.4.4.0/24. IKE negotiation is triggered to establish IPsec SAs between Router A and Router B.
  • Page 189 The output shows that IPsec SAs are established. # Display the routing table on Router A. [RouterA] display ip routing-table Destination/Mask Proto Cost NextHop Interface 5.5.5.0/24 static 100 1000 2.2.2.2 Eth1/1 The output shows that a correct static route is created by IPsec RRI. After the IPsec tunnels are established between Router A and Router C and Router D, the associated static routes are also created on Router A.
  • Page 190: Configuring Ike

    Configuring IKE Unless otherwise specified, the term "IKE" in this chapter refers to IKEv1. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see "Configuring FIPS." Overview Built on a framework defined by ISAKMP, Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec, dramatically simplifying the configuration and maintenance of IPsec.
  • Page 191: Ike Security Mechanism

    Phase 2—Using the IKE SA established in phase 1, the two peers negotiate to establish IPsec SAs. Figure 50 IKE exchange process in main mode As shown in Figure 50, the main mode of IKE negotiation in phase 1 involves three pairs of messages: SA exchange—Used for negotiating the IKE security policy.
  • Page 192: Protocols And Standards

    authentication method can simplify the configuration because only one PKI domain is required. If you use the pre-shared key authentication method, you must configure a pre-shared key for each branch on the Headquarters node. DH algorithm The DH algorithm is a public key algorithm. With this algorithm, two peers can exchange keying material and then use the material to calculate the shared keys.
  • Page 193: Configuring An Ike Profile

    Tasks at a glance Remarks (Optional.) Configuring the global identity information (Optional.) Configuring the IKE keepalive function (Optional.) Configuring the IKE NAT keepalive function (Optional.) Configuring IKE DPD (Optional.) Enabling invalid SPI recovery (Optional.) Setting the maximum number of IKE SAs (Optional.) Configuring SNMP notifications for IKE Configuring an IKE profile...
  • Page 194 First, the device checks whether the match local address command is configured. An IKE profile with the match local address command configured has a higher priority. If a tie exists, the device compares the priority numbers. An IKE profile with a smaller priority number has a higher priority.
  • Page 195: Configuring An Ike Proposal

    Step Command Remarks (Optional.) Configure IKE DPD: dpd interval interval-seconds [ retry ... By default, the IKE DPD function is not configured for an IKE profile, and an IKE profile uses the DPD settings configured in system view. If the IKE DPD...
  • Page 196: Configuring An Ike Keychain

    Step Command Remarks Enter system view. system-view By default, there is an IKE Create an IKE proposal and ike proposal proposal-number proposal that is used as the enter its view. default IKE proposal. By default: • In non-FIPS mode: • In non-FIPS mode, an IKE encryption-algorithm { 3des-cbc | proposal uses the 56-bit DES...
  • Page 197: Configuring The Global Identity Information

    If a tie still exists, the device prefers an IKE keychain configured earlier. To configure the IKE keychain: Step Command Remarks Enter system view: system-view. Create an IKE keychain and enter its view: ike keychain keychain-name [ vpn-instance vpn-name ]; by default, no IKE keychain exists.
  • Page 198: Configuring The Ike Keepalive Function

    Step Command Remarks By default, the local end uses the identity information specified by local-identity or ike identity for signature authentication. (Optional.) Configure the If the aggressive IKE SA negotiation local device to always obtain ike signature-identity mode and signature authentication the identity information from from-certificate are used, configure this command on...
  • Page 199: Configuring Ike Dpd

    Step Command Remarks Enter system view: system-view. Set the IKE NAT keepalive interval: ike nat-keepalive seconds; the default interval is 20 seconds. Configuring IKE DPD DPD detects dead peers. It can operate in periodic mode or on-demand mode. Periodic DPD—Sends a DPD message at regular intervals. It features an earlier detection of dead •...
  • Page 200: Setting The Maximum Number Of Ike Sas

    it cannot find an SA, an invalid SPI is encountered. The peer drops the data packet and tries to send an SPI invalid notification to the data originator. This notification is sent by using the IKE SA. Because no IKE SA is available, the notification is not sent.
  • Page 201: Displaying And Maintaining Ike

    To configure SNMP notifications for IKE: Step Command Remarks Enter system view: system-view. Enable SNMP notifications for IKE globally: snmp-agent trap enable ike global; by default, SNMP notifications for IKE are enabled. Enable SNMP: snmp-agent trap enable ike [ attr-not-support | auth-failure | cert-type-unsupport | cert-unavailable | decrypt-failure | encrypt-failure | invalid-cert-auth |...
  • Page 202 Figure 51 Network diagram: Device A (Eth1/1 1.1.1.1/16, Eth1/2 10.1.1.1/24) and Device B (Eth1/1 2.2.2.2/16, Eth1/2 10.1.2.1/24) connected over the Internet; Host A 10.1.1.2/24 behind Device A, Host B 10.1.2.2/24 behind Device B. Configuration procedure Configure Device A: # Assign an IP address to each interface. (Details not shown.) # Configure ACL 3101 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24. <DeviceA>...
  • Page 203 # Reference IPsec transform set tran1 for the IPsec policy. [DeviceA-ipsec-policy-isakmp-map1-10] transform-set tran1 # Specify IKE profile profile1 for the IPsec policy. [DeviceA-ipsec-policy-isakmp-map1-10] ike-profile profile1 [DeviceA-ipsec-policy-isakmp-map1-10] quit # Apply IPsec policy map1 to interface Ethernet 1/1. [DeviceA-Ethernet1/1] ipsec apply policy map1 [DeviceA-Ethernet1/1] quit # Configure a static route to subnet 10.1.2.0/24.
  • Page 204 [DeviceB-ipsec-policy-isakmp-use1-10] ike-profile profile1 [DeviceB-ipsec-policy-isakmp-use1-10] quit # Apply IPsec policy use1 to interface Ethernet 1/1. [DeviceB-Ethernet1/1] ipsec apply policy use1 # Configure a static route to the subnet where Host A resides. [DeviceB] ip route-static 10.1.1.0 255.255.255.0 1.1.1.1 Verifying the configuration When there is traffic between subnets 10.1.1.0/24 and 10.1.2.0/24, IKE negotiation is triggered.
  • Page 205: Aggressive Mode With Rsa Signature Authentication Configuration Example

    Flow: sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: IP dest addr: 10.1.2.0/255.255.255.0 port: 0 protocol: IP [Inbound ESP SAs] SPI: 3264152513 (0xc28f03c1) Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 1843200/3600 SA remaining duration (kilobytes/sec): 1843200/3484 Max received sequence-number: Anti-replay check enable: Y Anti-replay window size: 64 UDP encapsulation used for NAT traversal: N Status: active...
  • Page 206 [DeviceA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [DeviceA-acl-adv-3101] quit # Create an IPsec transform set named tran1. [DeviceA] ipsec transform-set tran1 # Set the packet encapsulation mode to tunnel. [DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel # Use the ESP protocol for the IPsec transform set. [DeviceA-ipsec-transform-set-tran1] protocol esp # Specify the encryption and authentication algorithms.
  • Page 207 # Set the local identity to the FQDN name www.routera.com. [DeviceA-ike-profile-profile1] local-identity fqdn www.routera.com # Configure a peer ID with the identity type of FQDN name and the value of www.routerb.com. [DeviceA-ike-profile-profile1] match remote identity fqdn www.routerb.com [DeviceA-ike-profile-profile1] quit # Create an IKE proposal named 10. [DeviceA] ike proposal 10 # Specify the authentication algorithm as HMAC-SHA1.
  • Page 208 # Set the common name as routerb for the PKI entity. [DeviceB-pki-entity-entity2] common-name routerb [DeviceB-pki-entity-entity2] quit # Create a PKI domain named domain2. [DeviceB] pki domain domain2 # Set the certificate request mode to auto and set the password to 123 for certificate revocation. [DeviceB-pki-domain-domain2] certificate request mode auto password simple 123 # Set an MD5 fingerprint for verifying the validity of the CA root certificate.
  • Page 209 # Create an IPsec policy named use1, with the sequence number as 1, referencing the IPsec policy template template1. [DeviceB] ipsec policy use1 1 isakmp template template1 # Apply IPsec policy use1 to interface Ethernet 1/1. [DeviceB-Ethernet1/1] ipsec apply policy use1 [DeviceB-Ethernet1/1] quit # Configure a static route to the subnet where Host A resides.
  • Page 210 Public-Key: (1024 bit) Modulus: 00:de:81:f4:42:c6:9f:c2:37:7b:21:84:57:d6:42: 00:69:1c:4c:34:a4:5e:bb:30:97:45:2b:5e:52:43: c0:49:1f:e1:d8:0f:5c:48:c2:39:69:d1:84:e4:14: 70:3d:98:41:28:1c:20:a1:9a:3f:91:67:78:77:27: d9:08:5f:7a:c4:36:45:8b:f9:7b:e7:7d:6a:98:bb: 4e:a1:cb:2c:3d:92:66:bd:fb:80:35:16:c6:35:f0: ff:0b:b9:3c:f3:09:94:b7:d3:6f:50:8d:83:f1:66: 2f:91:0b:77:a5:98:22:b4:77:ac:84:1d:03:8e:33: 1b:31:03:78:4f:77:a0:db:af Exponent: 65537 (0x10001) Signature Algorithm: sha1WithRSAEncryption 9a:6d:8c:46:d3:18:8a:00:ce:12:ee:2b:b0:aa:39:5d:3f:90: 08:49:b9:a9:8f:0d:6e:7b:e1:00:fb:41:f5:d4:0c:e4:56:d8: 7a:a7:61:1d:2b:b6:72:e3:09:0b:13:9d:fa:c8:fc:c4:65:a7: f9:45:21:05:75:2c:bf:36:7b:48:b4:4a:b9:fe:87:b9:d8:cf: 55:16:87:ec:07:1d:55:5a:89:74:73:68:5e:f9:1d:30:55:d9: 8a:8f:c5:d4:20:7e:41:a9:37:57:ed:8e:83:a7:80:2f:b8:31: 57:3a:f2:1a:28:32:ea:ea:c5:9a:55:61:6a:bc:e5:6b:59:0d: 82:16 # Display the local certificate on Device A. [DeviceA] display pki certificate domain domain1 local Certificate: Data: Version: 3 (0x2)
  • Page 211 X509v3 extensions: X509v3 CRL Distribution Points: Full Name: URI:http://xx.rsa.com:447/8088.crl Signature Algorithm: sha1WithRSAEncryption 73:ac:66:f9:b8:b5:39:e1:6a:17:e4:d0:72:3e:26:9e:12:61: 9e:c9:7a:86:6f:27:b0:b9:a3:5d:02:d9:5a:cb:79:0a:12:2e: cb:e7:24:57:e6:d9:77:12:6b:7a:cf:ee:d6:17:c5:5f:d2:98: 30:e0:ef:00:39:4a:da:ff:1c:29:bb:2a:5b:60:e9:33:8f:78: f9:15:dc:a5:a3:09:66:32:ce:36:cd:f0:fe:2f:67:e5:72:e5: 21:62:85:c4:07:92:c8:f1:d3:13:9c:2e:42:c1:5f:0e:8f:ff: 65:fb:de:7c:ed:53:ab:14:7a:cf:69:f2:42:a4:44:7c:6e:90: 7e:cd # Display the IPsec SA information on Device A. [DeviceA] display ipsec sa ------------------------------- Interface: Ethernet1/1 ------------------------------- ----------------------------- IPsec policy: map1 Sequence number: 10 Mode: isakmp -----------------------------...
  • Page 212: Aggressive Mode With Nat Traversal Configuration Example

    [Outbound ESP SAs] SPI: 738451674 (0x2c03e0da) Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 1843200/3600 SA remaining duration (kilobytes/sec): 1843200/3484 Max received sequence-number: Anti-replay check enable: Y Anti-replay window size: 64 UDP encapsulation used for NAT traversal: N Status: active # Use the same commands to verify the information about the CA certificate, local certificate, IKE SA, and IPsec SA on Device B.
  • Page 213 # Use the ESP protocol for the IPsec transform set. [DeviceA-ipsec-transform-set-transform1] protocol esp # Specify the encryption and authentication algorithms. [DeviceA-ipsec-transform-set-transform1] esp encryption-algorithm 3des-cbc [DeviceA-ipsec-transform-set-transform1] esp authentication-algorithm md5 [DeviceA-ipsec-transform-set-transform1] quit # Create an IKE keychain named keychain1. [DeviceA] ike keychain keychain1 # Specify plaintext 12345zxcvb!@#$%ZXCVB as the pre-shared key to be used with the remote peer at 2.2.2.2.
  • Page 214 [DeviceB] ipsec transform-set transform1 # Use the ESP protocol for the IPsec transform set. [DeviceB-ipsec-transform-set-transform1] protocol esp # Specify the encryption and authentication algorithms. [DeviceB-ipsec-transform-set-transform1] esp encryption-algorithm 3des-cbc [DeviceB-ipsec-transform-set-transform1] esp authentication-algorithm md5 [DeviceB-ipsec-transform-set-transform1] quit # Create IKE keychain keychain1. [DeviceB] ike keychain keychain1 # Specify plaintext 12345zxcvb!@#$%ZXCVB as the pre-shared key to be used with the remote peer at 1.1.1.1.
  • Page 215 2.2.2.2 IPSEC Flags: RD--READY RL--REPLACED FD-FADING [DeviceA] display ike sa verbose ----------------------------------------------- Connection ID: 13 Outside VPN: Inside VPN: Profile: profile1 Transmitting entity: Initiator ----------------------------------------------- Local IP: 1.1.1.1 Local ID type: FQDN Local ID: www.devicea.com Remote IP: 2.2.2.2 Remote ID type: IPV4_ADDR Remote ID: 2.2.2.2 Authentication-method: PRE-SHARED-KEY Authentication-algorithm: MD5...
  • Page 216: Troubleshooting Ike

    dest addr: 10.2.1.0/255.255.255.0 port: 0 protocol: IP [Inbound ESP SAs] SPI: 830667426 (0x3182faa2) Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5 SA duration (kilobytes/sec): 1843200/3600 SA remaining duration (kilobytes/sec): 1843200/2313 Max received sequence-number: Anti-replay check enable: Y Anti-replay window size: 64 UDP encapsulation used for nat traversal: Y Status: active [Outbound ESP SAs] SPI: 3516214669 (0xd1952d8d)
  • Page 217: Ike Negotiation Failed Due To Malformed Payload

    Solution Examine the IKE proposal configuration to see whether the two ends have matching IKE proposals. Modify the IKE proposal configuration to make sure the two ends have matching IKE proposals. IKE negotiation failed due to malformed payload Symptom The IKE SA is in Unknown state. <Sysname>...
  • Page 218: Ipsec Sa Negotiation Failed Due To Invalid Identity Information

    Construct notification packet: NO_PROPOSAL_CHOSEN. Analysis Certain IPsec policy settings are incorrect. Solution Examine the IPsec configuration to see whether the two ends have matching IPsec transform sets. Modify the IPsec configuration to make sure the two ends have matching IPsec transform sets. IPsec SA negotiation failed due to invalid identity information Symptom The display ike sa command shows that the IKE SA negotiation succeeded and the IKE SA is in RD...
  • Page 219 Life duration(sec): 86400 Remaining key duration(sec): 85847 Exchange-mode: Main Diffie-Hellman group: Group 1 NAT traversal: Not detected # Check whether the IPsec policy is referencing an IKE profile. [Sysname] display ipsec policy ------------------------------------------- IPsec Policy: policy1 Interface: Ethernet0/1 ------------------------------------------- ----------------------------- Sequence number: 1 Mode: isakmp -----------------------------...
  • Page 220 IPsec Policy: policy1 Interface: Ethernet0/1 ------------------------------------------- ----------------------------- Sequence number: 1 Mode: isakmp ----------------------------- Description: Security data flow: 3000 Selector mode: aggregation Local address: 192.168.222.5 Remote address: Transform set: transform1 IKE profile: profile1 SA duration(time based): SA duration(traffic based): SA idle time: Solution If no matching IKE profiles were found and the IPsec policy is referencing an IKE profile, remove the reference.
  • Page 221: Configuring Ssh

    Configuring SSH Overview Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. Adopting the typical client/server model, SSH can establish a channel to protect data transfer based on TCP. SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible.
  • Page 222: Ssh Authentication Methods

    CLI. The text pasted at one time must be no more than 2000 bytes. Interaction HP recommends that you paste commands in the same view. Otherwise, the server might not be able to correctly execute the commands. To execute commands of more than 2000 bytes, save the commands in a configuration file, upload it to the server through SFTP, and use it to restart the server.
  • Page 223: Fips Compliance

    • Password-publickey authentication—The server requires SSH2 clients to pass both password authentication and publickey authentication. However, an SSH1 client only needs to pass either authentication, regardless of the requirement of the server. • Any authentication—The server requires clients to pass either password authentication or publickey authentication.
  • Page 224: Enabling The Ssh Server Function

    Configuration guidelines • SSH supports locally generated DSA and RSA key pairs only with default names. For more information about the commands that are used to generate keys, see Security Command Reference. • The public-key local create rsa command generates a server key pair and a host key pair for RSA. SSH1 uses the public key in the server key pair of the SSH server to encrypt the session key before transmitting the session key.
  • Page 225: Configuring The User Lines For Ssh Clients

    PKCS format. HP recommends that you configure no more than 20 SSH client host public keys on an SSH server. To manually configure a client's host public key:...
  • Page 226: Configuring An Ssh User

    Step Command Remarks: Enter public key view: public-key peer keyname. Configure a client's host public key: enter the content of the host public key. When you enter the contents for a host public key, you can use spaces and carriage returns between characters. When you save the host public key, spaces...
  • Page 227: Setting The Ssh Management Parameters

    If the authentication method is publickey or password-publickey, the user role is specified by the authorization-attribute command in the associated local user view. If you change the authentication method or public key for an SSH user that has been logged in, the •...
  • Page 228: Configuring The Device As An Stelnet Client

    Step Command Remarks: Enter system view: system-view. Enable the SSH server to support SSH1 clients: ssh server compatible-ssh1x enable. By default, the SSH server supports SSH1 clients. This command is not available in FIPS mode. By default, the RSA server key pair is not updated.
  • Page 229: Specifying A Source Ip Address Or Source Interface For The Stelnet Client

    To make sure the Stelnet client and the Stelnet server can communicate with each other, and to improve the manageability of Stelnet clients in the authentication service, HP recommends that you specify a loopback interface or dialer interface as the source interface.
  • Page 230 Task Command Remarks • In non-FIPS mode, establish a connection to an IPv4 Stelnet server: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 }...
  • Page 231: Configuring The Device As An Sftp Client

    SFTP clients in the authentication service, HP recommends that you specify a loopback interface or dialer interface as the source interface. To specify a source IP address or source interface for the SFTP client:...
  • Page 232 When an SFTP client accesses an SFTP server, it uses the locally saved host public key of the server to authenticate the server. When acting as an SFTP client, the device supports the first authentication by default. When the device accesses an SFTP server for the first time but it is not configured with the host public key of the SFTP server, it can access the server and locally save the server's host public key for future use.
  • Page 233 Task Command Remarks • In non-FIPS mode, establish a connection to an IPv4 SFTP server: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des |...
  • Page 234: Working With Sftp Directories

    Working with SFTP directories Task Command Remarks: Change the working directory on the SFTP server: cd [ remote-path ]. Available in SFTP client view. Return to the upper-level directory: cdup. Available in SFTP client view. Display the current working directory on the SFTP server. Available in SFTP client view.
  • Page 235: Terminating The Connection With The Sftp Server

    Task Command Remarks: Display the help information of an SFTP client command: help (use either command; these two commands function in the same way). Available in SFTP client view. Terminating the connection with the SFTP server Task Command Remarks: Use one of the commands.
  • Page 236 Task Command Remarks • In non-FIPS mode, connect to the IPv4 SCP server, and transfer files with this server: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex...
  • Page 237: Displaying And Maintaining Ssh

    Displaying and maintaining SSH Execute display commands in any view. Task Command: Display the source IP address or source interface information configured for the SFTP client: display sftp client source. Display the source IP address or source interface information configured for the Stelnet client: display ssh client source.
  • Page 238 <Router> system-view [Router] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys...
  • Page 239: Publickey Authentication Enabled Stelnet Server Configuration Example

    Figure 55 Specifying the host name (or IP address) Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username and password. After entering the username (client001) and password (aabbcc), you can enter the CLI of the server.
  • Page 240 Configuration procedure In the server configuration, the client's host public key is required. Use the client software to generate RSA key pairs on the client before configuring the Stelnet server. There are different types of Stelnet client software, such as PuTTY and OpenSSH. This example uses an Stelnet client that runs PuTTY version 0.58.
  • Page 241 Figure 58 Generating process After the key pair is generated, click Save public key, enter a file name (key.pub in this example), and click Save. Figure 59 Saving a key pair on the client...
  • Page 242 Click Save private key to save the private key. A confirmation dialog box appears. Click Yes, enter a file name (private.ppk in this example), and click Save. Transmit the public key file to the server through FTP or TFTP. (Details not shown.) Configure the Stelnet server: # Generate the RSA key pairs.
  • Page 243 Figure 60 Specifying the host name (or IP address) Select Connection > SSH from the navigation tree. The window shown in Figure 61 appears. Specify the Preferred SSH protocol version as 2. Figure 61 Specifying the preferred SSH version...
  • Page 244: Password Authentication Enabled Stelnet Client Configuration Example

    Select Connection > SSH > Auth from the navigation tree. The window shown in Figure 62 appears. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this example), and click OK. Figure 62 Specifying the private key file Click Open to connect to the server.
  • Page 245 Configuration procedure Configure the Stelnet server: # Generate the RSA key pairs. <RouterB> system-view [RouterB] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 246 If you do not configure the host public key of the server on the client, select Yes to access the server without authenticating the server, and save the host public key of the server locally. <RouterA> ssh2 192.168.1.40 Username: client001 The server is not authenticated.
  • Page 247: Publickey Authentication Enabled Stelnet Client Configuration Example

    8716261214A5A3B493E866991113B2D [RouterA-pkey-public-key-key1]485348 [RouterA-pkey-public-key-key1] peer-public-key end [RouterA] quit # Establish an SSH connection to the server, and specify the host public key of the server. <RouterA> ssh2 192.168.1.40 publickey key1 Username: client001 client001@192.168.1.40's password: After you enter the correct password, you log in to Router B successfully. Publickey authentication enabled Stelnet client configuration example Network requirements...
  • Page 248 [RouterA] public-key local export dsa ssh2 key.pub [RouterA] quit # Transmit the public key file key.pub to the server through FTP or TFTP. (Details not shown.) Configure the Stelnet server: # Generate a DSA key pair. [RouterB] public-key local create dsa The range of public key size is (512 ~ 2048).
  • Page 249: Sftp Configuration Examples

    SFTP configuration examples This section provides examples of configuring SFTP on routers. Unless otherwise noted, the devices in the configuration examples are in non-FIPS mode. If you configure an SFTP server in FIPS mode, follow these guidelines: The modulus length of the key pair must be 2048 bits. •...
  • Page 250 [Router] interface ethernet 1/1 [Router-Ethernet1/1] ip address 192.168.1.45 255.255.255.0 [Router-Ethernet1/1] quit # Set the authentication mode of the user lines to AAA. [Router] line vty 0 15 [Router-line-vty0-15] authentication-mode scheme [Router-line-vty0-15] quit # Create a local device management user client002 with the plaintext password aabbcc, the service type ssh, the user role network-admin, and the working directory cfa0:/.
  • Page 251: Publickey Authentication Enabled Sftp Client Configuration Example

    Figure 66 SFTP client interface Publickey authentication enabled SFTP client configuration example Network requirements As shown in Figure 67, you can log in to Router B through the SFTP client that runs on Router A and are assigned the user role network-admin to execute file management and transfer operations. Router B acts as the SFTP server and uses publickey authentication and the RSA public key algorithm.
  • Page 252 The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys......++++++ ....++++++ ..++++++++ ....++++++++ Create the key pair successfully.
  • Page 253 [RouterB] ssh user client001 service-type sftp authentication-type publickey assign publickey routerkey # Create a local device management user client001 with the service type ssh, the user role network-admin, and the working directory cfa0:/. [RouterB] local-user client001 class manage [RouterB-luser-manage-client001] service-type ssh [RouterB-luser-manage-client001] authorization-attribute user-role network-admin work-directory cfa0:/ [RouterB-luser-manage-client001] quit...
  • Page 254: Scp File Transfer With Password Authentication

    -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2 # Download the pubkey2 file from the server and save it as a local file public.
  • Page 255 <RouterB> system-view [RouterB] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys...
  • Page 256 [RouterA-Ethernet1/1] quit [RouterA] quit Connect to the SCP server, download the file remote.bin from the server, and save it locally to the file local.bin. <RouterA> scp 192.168.0.1 get remote.bin local.bin Username: client001 Connected to 192.168.0.1 ... The Server is not authenticated. Continue? [Y/N]:y Do you want to save the server public key? [Y/N]:n Enter password: 18471 bytes transfered in 0.001 seconds.
  • Page 257: Configuring Aspf

    Configuring ASPF Overview A packet-filter firewall is a static firewall. It cannot solve the following issues: • Predefine security policies for multi-channel application layer protocols, such as FTP. • Detect attacks from the transport layer and application layer, such as SYN Flood.
  • Page 258: Aspf Inspections

    • Multi-channel protocol—A multi-channel protocol establishes more than one connection for a user and transfers control messages and user data through different connections. FTP is one example of multi-channel protocols. • Internal interface and external interface—On an edge device configured with ASPF to protect hosts and servers on the internal network, interfaces connected to the internal network are called "internal interfaces"...
  • Page 259 The following uses FTP to explain the process of multi-channel application layer protocol inspection. Figure 70 FTP inspection Device FTP client FTP server An FTP client initiates a FTP connection to FTP Port:1333 Port:21 server A session entry is created for control connection Control channel Analyzes FTP instructions and responses, and creates an associated entry for data connection...
  • Page 260: Aspf Configuration Task List

    • For a multi-channel protocol, if you enable TCP or UDP inspection without configuring application layer protocol inspection, the device might not be able to receive response packets. HP recommends that you enable application layer protocol inspection together with TCP/UDP inspection.
  • Page 261: Displaying And Maintaining Aspf

    You can apply both ASPF and packet filtering to implement packet filtering. For example, you can apply a packet filtering policy to the inbound direction of the external interface and apply an ASPF policy to the outbound direction of the external interface. This combination denies unsolicited access from the external network to the internal network and allows response packets from the external network into the internal network.
  • Page 262 Figure 71 Network diagram (labels: Router A, Router B, Eth1/0 10.1.1.1/24, Eth1/1, Internal network, External network, 192.168.1.1/24, Server, Host, 2.2.2.11/24, 192.168.1.2/24) Configuration procedure # Configure ACL 3111 to deny all IP packets. <RouterA> system-view [RouterA] acl number 3111 [RouterA-acl-adv-3111] rule deny ip [RouterA-acl-adv-3111] quit # Create ASPF policy 1 for FTP inspection.
  • Page 263: Aspf Tcp Application Inspection Configuration Example

    ASPF TCP application inspection configuration example Network requirements Local users on the internal network need to access the external network. To protect the internal network against ICMP and SYN packet attacks from the external network, configure an ASPF policy on Router A to drop faked ICMP error messages and non-SYN packets that are the first packets over TCP connections.
  • Page 264: Aspf H.323 Application Inspection Configuration Example

    Enable TCP SYN packet check Detect these protocols: Router A can recognize the faked ICMP error messages from external networks, and drop the non-SYN packets that are the first packets over TCP connections. ASPF H.323 application inspection configuration example Network requirements Figure 73 displays a typical H.323 application network.
  • Page 265 [RouterA-Ethernet1/0] aspf 1 inbound [RouterA-Ethernet1/0] quit Verifying the configuration # Display ASPF sessions on Router A. [RouterA] display aspf session ipv4 Initiator: Source IP/port: 1.1.1.111/33184 Destination IP/port: 192.168.1.3/32828 VPN instance/VLAN ID/VLL ID: -/-/- Protocol: UDP(17) Initiator: Source IP/port: 1.1.1.111/1719 Destination IP/port: 192.168.1.2/1719 VPN instance/VLAN ID/VLL ID: -/-/- Protocol: UDP(17) Initiator:...
  • Page 266: Configuring Apr

    Configuring APR Overview The application recognition (APR) feature enables QoS and ASPF to recognize application protocols of packets sent on ports that are not well known. APR separately counts the number of packets or bytes that an interface has received or sent based on application protocols. It also calculates the transmission rates of the interface at the same time.
  • Page 267: Configuring Pbar

    You can add application protocols with the same properties to one application group, or copy application protocols from one application group to another. If a packet is recognized as the packet of an application protocol in an application group, the packet is considered as the packet of the application group.
  • Page 268: Enabling Application Statistics On An Interface

    Step Command Remarks: Enter system view: system-view. Create an application group and enter application group view: app-group group-name. (Optional.) Configure a description for the user-defined application group: description group-description. By default, the description is "User-defined application group." By default, the user-defined application group does not contain any application protocol.
  • Page 269: Displaying And Maintaining Apr

    Display statistics for the specified application protocols (MSR2000/MSR3000): display application statistics [ direction { inbound | outbound } | interface interface-type interface-number | name app-name ]. Display statistics for the specified application protocols (MSR4000): display application statistics [ direction { inbound | outbound } | interface interface-type interface-number [ slot slot-number ] |...
  • Page 270: Configuration Procedure

    Configuration procedure # Create an application group named group1, and enter application group view. <Router> system-view [Router] app-group group1 # Add HTTP to the application group. [Router-app-group-group1] include application http [Router-app-group-group1] quit # Map HTTP to TCP and port 8080. [Router] port-mapping application http port 8080 protocol tcp # Create a traffic class named classifier_1, and match group1 to the class.
  • Page 271: Managing Sessions

    Managing sessions Overview Session management is a common module that provides basic services for NAT, ASPF, and intrusion detection and protection to implement their session-based services. Session management can be applied for the following purposes: • Fast match between packets and sessions. • Management of transport layer protocol states.
  • Page 272: Session Management Task List

    • Supports ICMP/ICMPv6 error packet mapping, enabling the device to search for original sessions according to the payloads in the ICMP/ICMPv6 error packets. Because error packets are generated due to host errors, the mapping can help speed up the aging of the original sessions.
  • Page 273: Setting The Session Aging Time For Different Application Layer Protocols

    Step Command Remarks: Set the session aging time for...: session aging-time state { fin | icmp-reply | icmp-request | rawip-open | rawip-ready | syn | ... By default, the session aging time is as follows: • FIN-WAIT: 30 seconds. • ICMP-REPLY: 30 seconds. • ICMP-REQUEST: 60 seconds. • RAWIP-OPEN: 30 seconds. •...
  • Page 274: Specifying Persistent Sessions

    Specifying persistent sessions This task is for TCP sessions in ESTABLISHED state only. You can specify TCP sessions that match the permit statements in the specified ACL as persistent sessions, and give them a longer lifetime or make them never age out. A never-age-out session is not removed until the device receives a connection close request from the initiator or responder, or you manually clear the session entries.
  • Page 275: Displaying And Maintaining Session Management

    Display session table entries (MSR2000/MSR3000): display session table { ipv4 | ipv6 } [ source-ip source-ip ] [ destination-ip destination-ip ] [ verbose ]. Display session table entries (MSR4000): display session table { ipv4 | ipv6 } [ slot slot-number ]...
  • Page 276 Clear IPv6 session table entries (MSR2000/MSR3000): ... [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]...
  • Page 277: Configuring Connection Limits

    Configuring connection limits As shown in Figure 75, the following types of network problems are commonly encountered: • An internal user initiates large numbers of connections to external networks in a short period of time, consuming large amounts of system resources and leaving other internal users unable to access network resources correctly.
  • Page 278: Configuring The Connection Limit Policy

    When the connections established on a device are matched against a connection limit policy, all the limit rules in the policy are matched in ascending order of rule ID. HP recommends that you arrange the rules in ascending order of range.
  • Page 279: Displaying And Maintaining Connection Limits

    Display the connection limit statistics globally or on an interface (MSR2000/MSR3000): display connection-limit statistics { global | interface interface-type interface-number }. Display the connection limit statistics globally or on an interface (MSR4000): display connection-limit statistics { global | interface interface-type...
  • Page 280: Connection Limit Configuration Example

    Task Command: Clear the connection limit statistics globally or on an interface (MSR4000): reset connection-limit statistics { global | interface interface-type interface-number } [ slot slot-number ]. Connection limit configuration example Network requirements As shown in Figure 76, a company has five public IP addresses: 202.38.1.1/24 to 202.38.1.5/24. The internal network address is 192.168.0.0/16.
  • Page 281 # Configure connection limit rule 1 to permit up to 100000 connections from all the hosts matching ACL 3000 to the external network. When the connection number exceeds 100000, new connections cannot be established until the connection number goes below 95000. [Router-connection-limit-policy-1] limit 1 acl 3000 amount 100000 95000 # Configure connection limit rule 2 to permit up to 10000 connections to the servers matching ACL 3001.
  • Page 282: Troubleshooting Connection Limits

    Troubleshooting connection limits ACLs in the connection limit rules with overlapping segments Symptom On the router, create a connection limit policy and configure two rules for the policy. One limits connections from each host on segment 192.168.0.0/24 with the upper connection limit 10, and the other limits connections from 192.168.0.100/24 with the upper connection limit 100.
  • Page 283: Configuring Arp Attack Protection

    Configuring ARP attack protection ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks. Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
  • Page 284: Configuring Unresolvable Ip Attack Protection

    Configuring unresolvable IP attack protection If a device receives a large number of unresolvable IP packets from a host, the following situations can occur: • The device sends a large number of ARP requests, overloading the target subnets. • The device keeps trying to resolve target IP addresses, overloading its CPU.
  • Page 285: Configuration Example

    Configuration example Network requirements As shown in Figure 77, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20. Each area connects to the gateway (Device) through an access switch. A large number of ARP requests are detected in the office area and are considered as the consequence of an unresolvable IP attack.
  • Page 286: Configuring Arp Packet Rate Limit

    Configuring ARP packet rate limit NOTE: This feature is not supported in the current release, and it is reserved for future use. The ARP packet rate limit feature allows you to limit the rate of ARP packets to be delivered to the CPU. For example, if an attacker sends a large number of ARP packets to an ARP detection enabled device, the device CPU is overloaded because all ARP packets are redirected to the CPU for inspection.
  • Page 287: Configuring Source Mac-Based Arp Attack Detection

    When an ARP attack entry expires, ARP packets sourced from the MAC address in the entry can be processed correctly. Displaying and maintaining source MAC-based ARP attack detection Execute display commands in any view. Task Command: Display ARP attack entries detected by source MAC-based ARP attack detection (MSR2000/MSR3000): display arp source-mac [ interface interface-type interface-number ].
  • Page 288: Configuration Example

    Task Command: Display ARP attack entries detected by source MAC-based ARP attack detection (MSR4000): display arp source-mac { slot slot-number | interface interface-type interface-number }. Configuration example Network requirements As shown in Figure 78, the hosts access the Internet through a gateway (Device). If malicious users send a large number of ARP requests to the gateway, the gateway might crash and be unable to process requests from the clients.
  • Page 289: Configuring Arp Packet Source Mac Consistency Check

    # Set the threshold to 30. [Device] arp source-mac threshold 30 # Set the lifetime for ARP attack entries to 60 seconds. [Device] arp source-mac aging-time 60 # Exclude MAC address 0012-3f86-e94c from this detection. [Device] arp source-mac exclude-mac 0012-3f86-e94c Configuring ARP packet source MAC consistency check This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet...
  • Page 290: Configuration Procedure

    With authorized ARP enabled, an interface stops learning dynamic ARP entries, which prevents user spoofing and allows only authorized clients to access network resources. Configuration procedure To enable authorized ARP: Step Command Remarks: Enter system view: system-view. Enter Layer 3 Ethernet interface or Layer 3 Ethernet subinterface view: interface interface-type...
  • Page 291: Configuration Example (On A Dhcp Relay Agent)

    [RouterB-Ethernet1/1] ip address dhcp-alloc [RouterB-Ethernet1/1] quit After Router B obtains an IP address from Router A, display the authorized ARP entry information on Router A. [RouterA] display arp all Type: S-Static D-Dynamic M-Multiport I-Invalid IP Address MAC Address VLAN Interface Aging Type 10.1.1.2...
  • Page 292: Configuring Arp Detection

    <RouterB> system-view [RouterB] dhcp enable # Specify the IP addresses of Ethernet 1/1 and Ethernet 1/2. [RouterB] interface ethernet 1/1 [RouterB-Ethernet1/1] ip address 10.1.1.2 24 [RouterB-Ethernet1/1] quit [RouterB] interface ethernet 1/2 [RouterB-Ethernet1/2] ip address 10.10.1.1 24 # Enable DHCP relay agent on Ethernet 1/2. [RouterB-Ethernet1/2] dhcp select relay # Add the DHCP server 10.1.1.1 to DHCP server group 1.
  • Page 293: Configuring User Validity Check

    If both ARP packet validity check and user validity check are enabled, the former one applies first, and then the latter applies. Configuring user validity check Upon receiving an ARP packet from an ARP untrusted interface, the device compares the sender IP and MAC addresses against the static IP source guard binding entries, the DHCP snooping entries, and 802.1X security entries.
  • Page 294: Configuring Arp Restricted Forwarding

    • src-mac—Checks whether the sender MAC address in the message body is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded. Otherwise, the packet is discarded. • dst-mac—Checks the target MAC address of ARP replies. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
  • Page 295: Displaying And Maintaining Arp Detection

    Step Command Remarks: Enable ARP restricted forwarding: arp restricted-forwarding enable. By default, ARP restricted forwarding is disabled. Displaying and maintaining ARP detection Execute display commands in any view and reset commands in user view. Task Command: Display the VLANs enabled with ARP detection: display arp detection.
  • Page 296: User Validity Check And Arp Packet Validity Check Configuration Example

    Configure Host A and Host B as 802.1X clients and configure them to upload IP addresses for ARP detection. (Details not shown.) Configure Switch B: # Enable the 802.1X function. <SwitchB> system-view [SwitchB] dot1x [SwitchB] interface ethernet 1/1 [SwitchB-Ethernet1/1] dot1x [SwitchB-Ethernet1/1] quit [SwitchB] interface ethernet 1/2 [SwitchB-Ethernet1/2] dot1x...
  • Page 297 Figure 82 Network diagram (labels: Gateway, DHCP server, Switch A, Eth1/3, Vlan-int10 10.1.1.1/24, VLAN 10, DHCP snooping, Switch B, Eth1/1, Eth1/2, Host A, Host B, 10.1.1.6, DHCP client, 0001-0203-0607) Configuration procedure Add all interfaces on Switch B to VLAN 10, and specify the IP address of VLAN-interface 10 on Switch A.
  • Page 298: Configuring Arp Automatic Scanning And Fixed Arp

    [SwitchB-Ethernet1/2] quit
    # Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.
    [SwitchB] arp detection validate dst-mac ip src-mac
    After the configurations are completed, ARP packets received on interfaces Ethernet 1/1 and Ethernet 1/2 have their MAC and IP addresses checked first, and are then checked against the static IP source guard binding entries and finally the DHCP snooping entries.
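The src-mac and dst-mac checks described above, together with the ip check that the arp detection validate command also enables, modelled as a defender-side filter over constructed Ethernet/ARP frames. This is an added example, not code from the HP manual; the ip rule (all-zero, all-one or multicast addresses are invalid, target IP checked for replies only) and the gateway MAC are assumptions, since this page does not spell them out.

```python
"""Model of the ARP packet validity checks (src-mac, dst-mac, ip) that
'arp detection validate' enables, run over constructed frames.
Added example; it is not code from the HP manual."""
import ipaddress
from dataclasses import dataclass
from typing import Sequence, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2


def _norm_mac(mac: str) -> str:
    """Normalize 'xxxx-xxxx-xxxx', 'xx:xx:..' or 'xx-xx-..' to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class ArpFrame:
    """Only the fields the validity checks look at."""
    eth_src: str      # source MAC in the Ethernet header
    eth_dst: str      # destination MAC in the Ethernet header
    opcode: int       # ARP_REQUEST or ARP_REPLY
    sender_mac: str   # sender hardware address in the ARP body
    sender_ip: str
    target_mac: str   # target hardware address in the ARP body
    target_ip: str


def _invalid_ip(ip: str) -> bool:
    """Assumed rule for the ip check (not spelled out on this page):
    all-zero, all-one or multicast addresses are invalid."""
    a = ipaddress.IPv4Address(ip)
    return (a == ipaddress.IPv4Address("0.0.0.0")
            or a == ipaddress.IPv4Address("255.255.255.255")
            or a.is_multicast)


def validate_arp(frame: ArpFrame,
                 checks: Sequence[str] = ("dst-mac", "ip", "src-mac")) -> Tuple[bool, str]:
    """Apply the enabled checks and return (valid, failing check or 'ok')."""
    # src-mac: sender MAC in the body must equal the Ethernet source MAC.
    if "src-mac" in checks and _norm_mac(frame.sender_mac) != _norm_mac(frame.eth_src):
        return False, "src-mac"
    # dst-mac: replies only; target MAC must not be all-zero/all-one and
    # must equal the Ethernet destination MAC.
    if "dst-mac" in checks and frame.opcode == ARP_REPLY:
        target = _norm_mac(frame.target_mac)
        if target in ("0" * 12, "f" * 12) or target != _norm_mac(frame.eth_dst):
            return False, "dst-mac"
    if "ip" in checks:
        if _invalid_ip(frame.sender_ip):
            return False, "ip"
        # Assumed: the target IP is checked only for replies.
        if frame.opcode == ARP_REPLY and _invalid_ip(frame.target_ip):
            return False, "ip"
    return True, "ok"


# Constructed sample frames, not captured traffic. Host A is 10.1.1.6 /
# 0001-0203-0607 as in the manual's example; the gateway MAC is assumed.
GATEWAY_MAC = "000f-e200-0001"
SAMPLE_FRAMES = {
    "good_reply": ArpFrame("0001-0203-0607", GATEWAY_MAC, ARP_REPLY,
                           "0001-0203-0607", "10.1.1.6", GATEWAY_MAC, "10.1.1.1"),
    "good_request": ArpFrame("0001-0203-0607", "ffff-ffff-ffff", ARP_REQUEST,
                             "0001-0203-0607", "10.1.1.6", "0000-0000-0000", "10.1.1.1"),
    # Body claims a different sender MAC than the frame actually came from.
    "body_mac_mismatch": ArpFrame("0001-0203-0607", GATEWAY_MAC, ARP_REPLY,
                                  "0001-0203-0999", "10.1.1.6", GATEWAY_MAC, "10.1.1.1"),
    # Reply whose target MAC is all-one.
    "broadcast_reply": ArpFrame("0001-0203-0607", "ffff-ffff-ffff", ARP_REPLY,
                                "0001-0203-0607", "10.1.1.6", "ffff-ffff-ffff", "10.1.1.1"),
    # Reply with an all-zero sender IP.
    "zero_sender_ip": ArpFrame("0001-0203-0607", GATEWAY_MAC, ARP_REPLY,
                               "0001-0203-0607", "0.0.0.0", GATEWAY_MAC, "10.1.1.1"),
}


def classify(frames=SAMPLE_FRAMES, checks=("dst-mac", "ip", "src-mac")) -> dict:
    """Map each frame name to the failing check, or 'ok'."""
    return {name: validate_arp(f, checks)[1] for name, f in frames.items()}


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{name:18} -> {verdict}")
```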
  • Page 299: Configuring Arp Gateway Protection

    Configuring ARP gateway protection

    NOTE: This feature is not supported in the current release, and it is reserved for future use.

    Configure this feature on interfaces not connected with a gateway to prevent gateway spoofing attacks. When such an interface receives an ARP packet, it checks whether the sender IP address in the packet is consistent with that of any protected gateway.
  • Page 300: Configuring Arp Filtering

    Figure 83 Network diagram
    Configuration procedure
    # Configure ARP gateway protection on Switch B.
    <SwitchB> system-view
    [SwitchB] interface ethernet 1/1
    [SwitchB-Ethernet1/1] arp filter source 10.1.1.1
    [SwitchB-Ethernet1/1] quit
    [SwitchB] interface ethernet 1/2
    [SwitchB-Ethernet1/2] arp filter source 10.1.1.1
    After the configuration is complete, Ethernet 1/1 and Ethernet 1/2 discard the incoming ARP packets whose sender IP address is the IP address of the gateway.
  • Page 301: Configuration Procedure

    Configuration procedure
    To configure ARP filtering:
    Step: Enter system view. Command: system-view
    Step: Enter Layer 2 Ethernet interface view. Command: interface interface-type interface-number
    Step: Enable ARP filtering and configure a permitted entry. Command: arp filter binding ip-address mac-address Remarks: By default, ARP filtering is disabled.
  • Page 302: Configuring Crypto Engines

    IPsec SAs. The existing IPsec SAs still use the previously selected crypto engine for data encryption. In this case, HP recommends that you use the reset ipsec sa command to delete all existing IPsec SAs before you enable or disable hardware crypto engines, so the newly established IPsec SAs can use the newly selected crypto engine.
  • Page 303: Displaying And Maintaining Crypto Engines

    Task: Display information about crypto engines. Command: display crypto-engine
    Task: Display statistics for crypto engines (MSR2000/MSR3000). Command: display crypto-engine statistics [ engine-id engine-id ]
    Task: Display statistics for crypto engines (MSR4000). Command: display crypto-engine statistics [ engine-id engine-id slot slot-number ]
    Task: Clear statistics for crypto engines.
  • Page 304: Configuring Portal Authentication

    Users can access more Internet resources after passing security check. Security check must cooperate with the HP IMC security policy server and the iNode client. Portal system components A typical portal system consists of these basic components: authentication client, access device, portal...
  • Page 305

    Figure 85 Portal system components (authentication clients, access device, portal authentication server, portal Web server, AAA server, security policy server)
    An authentication client is a Web browser that runs HTTP/HTTPS or a user host that runs a portal client application.
  • Page 306: Interaction Between Portal System Components

    Web server. The user can also visit the authentication website to log in. The user must log in through the HP iNode client for extended portal functions. The user enters the authentication information on the authentication page/dialog box and submits the information.
  • Page 307: Portal Authentication Process

    Only the HP iNode client supports re-DHCP authentication. IPv6 portal authentication does not support the re-DHCP authentication mode.
    Cross-subnet authentication
    Cross-subnet authentication is similar to direct authentication, except that it allows Layer 3 forwarding devices to exist between the authentication client and the access device.
  • Page 308 The portal authentication server adds the username and password into an authentication request packet and sends it to the access device. Meanwhile, the portal authentication server starts a timer to wait for an authentication reply packet. The access device and the RADIUS server exchange RADIUS packets. The access device sends an authentication reply packet to the portal authentication server to notify authentication success or failure.
  • Page 309: Portal Configuration Task List

    The access device detects the IP change of the client through DHCP and then notifies the portal authentication server of the client IP change. After receiving the IP change notification packets sent by the client and the access device, the portal authentication server notifies the client of login success.
  • Page 310: Configuring A Portal Authentication Server

    The prerequisites for portal authentication configuration are as follows:
    • The portal authentication server, portal Web server, and RADIUS server have been installed and configured correctly.
    • To use the re-DHCP portal authentication mode, make sure the DHCP relay agent is enabled on the...
  • Page 311: Configuring A Portal Web Server

    Configuring a portal Web server
    A portal Web server pushes the authentication page to users during portal authentication. It is also the Web server to which the device redirects user HTTP requests. Perform this task to configure the following portal Web server parameters:
    • VPN instance of the portal Web server
    •...
  • Page 312: Configuration Procedure

    • With re-DHCP portal authentication, HP recommends that you also configure authorized ARP on the interface to make sure only valid users can access the network. With authorized ARP configured on the interface, the system learns ARP entries only from the users who have obtained a public address from DHCP.
  • Page 313: Controlling Portal User Access

    Controlling portal user access Configuring a portal-free rule A portal-free rule allows specified users to access specified external websites without portal authentication. The matching items for a portal-free rule include the source/destination IP address, TCP/UDP port number, source MAC address, access interface, and VLAN. Packets matching a portal-free rule will not trigger portal authentication, so users sending the packets can directly access the specified external websites.
  • Page 314: Configuring An Authentication Source Subnet

    Step: Configure a source-based portal-free rule. Command: portal free-rule rule-number source { interface interface-type interface-number | mac mac-address | vlan vlan-id } * Remarks: By default, no source-based portal-free rule exists. If you specify both a VLAN and an interface, the interface must belong to the VLAN.
  • Page 315: Configuring An Authentication Destination Subnet

    Step: Enter system view. Command: system-view
    Step: Enter interface view. Command: interface interface-type interface-number
    Step: Configure an IPv6 portal authentication source subnet. Command: portal ipv6 layer3 source ipv6-network-address prefix-length Remarks: By default, no IPv6 portal authentication source subnet is configured, and IPv6 users from any subnets must pass portal authentication.
  • Page 316: Specifying A Portal Authentication Domain

    If the maximum number of portal users you set is less than that of the current login portal users, the limit can be set successfully and does not impact the login portal users, but the system does not allow new portal users to log in until the number drops down below the limit.
  • Page 317: Configuring Portal Detection Functions

    Configuring portal detection functions Configuring online detection of portal users Configure online detection of portal users on an interface to find abnormal logouts in time. If a portal user is idle for the specified period of time (idle time), the device sends detection packets to the user at a specific interval (interval interval) to identify whether the user is still online.
  • Page 318: Configuring Portal Web Server Detection

    If the portal authentication server receives a portal packet within a detection timeout (timeout timeout) and the portal packet is valid, the device considers that the detection succeeds and the portal authentication server is reachable. Otherwise, the device considers that the detection fails and the portal authentication server is unreachable.
  • Page 319: Configuring Portal User Synchronization

    • Sending a log message, which contains the name, the current state, and the original state of the portal Web server.
    • Enabling portal fail-permit. When the portal Web server is unreachable, the portal fail-permit feature on an interface allows users on the interface to have network access. When the server recovers, it resumes portal authentication on the interface.
  • Page 320: Configuring The Portal Fail-Permit Function

    Step: Enter portal authentication server view. Command: portal server server-name
    Step: Configure the portal user synchronization function. Command: user-sync timeout timeout Remarks: By default, portal user synchronization is disabled.

    Configuring the portal fail-permit function

    Perform this task to configure the portal fail-permit function on an interface. When the access device detects that the portal authentication server is unreachable, it allows users on the interface to have network access without portal authentication.
  • Page 321: Enabling Portal Roaming

    During a re-DHCP portal authentication or mandatory user logout process, the device sends portal notification packets to the portal authentication server. For the authentication or logout process to complete, make sure the BAS-IP/BAS-IPv6 attribute is the same as the device IP or IPv4 address specified on the portal authentication server.
  • Page 322: Displaying And Maintaining Portal

    To log out users:
    Step: Enter system view. Command: system-view
    Step: Log out IPv4 portal users. Command: portal delete-user { ipv4-address | all | interface interface-type interface-number }
    Step: Log out IPv6 portal users. Command: portal delete-user { all | interface interface-type interface-number | ipv6 ipv6-address }

    Displaying and maintaining portal

    Execute display commands in any view and the reset command in user view.
  • Page 323

    Figure 88 Network diagram
    Configuration prerequisites
    • Configure IP addresses for the host, router, and servers as shown in Figure 88 and make sure they can reach each other.
    • Configure the RADIUS server correctly to provide authentication/authorization functions.
    Configuring the portal authentication server
    This example assumes that the portal server runs on IMC PLAT 5.1 SP1 (E0202P05) and IMC UAM 5.1 (E0301).
  • Page 324 Select User Access Manager > Portal Service > IP Group from the navigation tree to enter the portal IP address group configuration page. Click Add to enter the page shown in Figure Enter the IP group name. Enter the start IP address and end IP address of the IP group. Make sure the host IP address is in the IP group.
  • Page 325 Figure 91 Adding a portal device Associate the portal device with the IP address group: As shown in Figure 92, click the icon in the Port Group Information Management column of device NAS to enter the port group configuration page. Click Add to enter the page shown in Figure Enter the port group name.
  • Page 326

    Configuring the router
    Configure a RADIUS scheme:
    # Create a RADIUS scheme named rs1 and enter its view.
    <Router> system-view
    [Router] radius scheme rs1
    # Specify the primary authentication/authorization server, and configure the keys for communication with the servers.
    [Router-radius-rs1] primary authentication 192.168.0.112
    [Router-radius-rs1] key authentication simple radius
    # Exclude the ISP domain name from the username sent to the RADIUS server.
  • Page 327: Configuring Re-Dhcp Portal Authentication

    Server name; Action; Layer3 source network: IP address, Mask; Destination authenticate subnet: IP address, Mask
    A user can perform portal authentication by using the HP iNode client or through the Web page. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal, and all Web requests are redirected to the authentication page.
  • Page 328

    Figure 94 Network diagram (portal server 192.168.0.111/24, DHCP server 192.168.0.112/24, RADIUS server 192.168.0.113/24; router Eth1/2 20.20.20.1/24 toward the host, Eth1/1 10.0.0.1/24 sub 192.168.0.100/24; the host automatically obtains an IP address)
    Configuration prerequisites and guidelines
    • Configure IP addresses for the router and servers as shown in Figure 94 and make sure the host,...
  • Page 329

    [Router] radius session-control enable
    Configure an authentication domain:
    # Create an ISP domain named dm1 and enter its view.
    [Router] domain dm1
    # Configure AAA methods for the ISP domain.
    [Router-isp-dm1] authentication portal radius-scheme rs1
    [Router-isp-dm1] authorization portal radius-scheme rs1
    [Router-isp-dm1] accounting portal radius-scheme rs1
    [Router-isp-dm1] quit
    # Configure domain dm1 as the default ISP domain.
  • Page 330: Configuring Cross-Subnet Portal Authentication

    Configuring cross-subnet portal authentication Network requirements As shown in Figure 95, Router A supports portal authentication. The host accesses Router A through Router B. A portal server serves as both a portal authentication server and a portal Web server. A RADIUS server serves as the authentication/accounting server.
  • Page 331: Configuring Extended Direct Portal Authentication

    [Router] radius session-control enable
    Configure an authentication domain:
    # Create an ISP domain named dm1 and enter its view.
    [RouterA] domain dm1
    # Configure AAA methods for the ISP domain.
    [RouterA-isp-dm1] authentication portal radius-scheme rs1
    [RouterA-isp-dm1] authorization portal radius-scheme rs1
    [RouterA-isp-dm1] accounting portal radius-scheme rs1
    [RouterA-isp-dm1] quit
    # Configure domain dm1 as the default ISP domain.
  • Page 332

    Figure 96 Network diagram (portal server 192.168.0.111/24, RADIUS server 192.168.0.112/24, security policy server 192.168.0.113/24; router Eth1/2 2.2.2.1/24 toward the host, Eth1/1 192.168.0.100/24; host 2.2.2.2/24 with gateway 2.2.2.1/24)
    Configuration prerequisites
    • Configure IP addresses for the host, router, and servers as shown in Figure 96 and make sure they...
  • Page 333: Configuring Extended Re-Dhcp Portal Authentication

    # Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.
    [Router] domain default enable dm1
    Configure ACL 3000 for resources on subnet 192.168.0.0/24 and ACL 3001 for Internet resources:
    [Router] acl number 3000...
  • Page 334

    Figure 97 Network diagram (portal server 192.168.0.111/24, DHCP server 192.168.0.112/24, RADIUS server 192.168.0.113/24, security policy server 192.168.0.114/24; router Eth1/2 20.20.20.1/24 toward the host, Eth1/1 10.0.0.1/24 sub 192.168.0.100/24; the host automatically obtains an IP address)
    Configuration prerequisites and guidelines
    • Configure IP addresses for the router and servers as shown in Figure 97 and make sure the host,...
  • Page 335

    # Enable RADIUS session control.
    [Router-radius-rs1] radius session-control enable
    [Router-radius-rs1] quit
    # Enable RADIUS session control.
    [Router] radius session-control enable
    Configure an authentication domain:
    # Create an ISP domain named dm1 and enter its view.
    [Router] domain dm1
    # Configure AAA methods for the ISP domain.
    [Router-isp-dm1] authentication portal radius-scheme rs1
    [Router-isp-dm1] authorization portal radius-scheme rs1
    [Router-isp-dm1] accounting portal radius-scheme rs1...
  • Page 336: Configuring Extended Cross-Subnet Portal Authentication

    [Router-portal-server-newpt] ip 192.168.0.111 key simple portal
    [Router-portal-server-newpt] port 50100
    [Router-portal-server-newpt] quit
    # Configure a portal Web server.
    [Router] portal web-server newpt
    [Router-portal-websvr-newpt] url http://192.168.0.111:8080/portal
    [Router-portal-websvr-newpt] quit
    # Enable re-DHCP portal authentication on interface Ethernet 1/2.
    [Router] interface ethernet 1/2
    [Router-Ethernet1/2] portal enable method redhcp
    # Reference the portal Web server newpt on interface Ethernet 1/2.
  • Page 337

    • Make sure the IP address of the portal device added on the portal server is the IP address (20.20.20.1) of the router's interface connecting the host. The IP address group associated with the portal device is the subnet of the host (8.8.8.0/24).
    Configuration procedure
    Perform the following configurations on Router A.
  • Page 338: Configuring Portal Server Detection And Portal User Synchronization

    NOTE: Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the security policy server.
    Configure portal authentication:
    # Configure a portal authentication server.
    [RouterA] portal server newpt
    [RouterA-portal-server-newpt] ip 192.168.0.111 key simple portal
    [RouterA-portal-server-newpt] port 50100
    [RouterA-portal-server-newpt] quit
    # Configure a portal Web server.
  • Page 339

    Figure 99 Network diagram
    Configuration prerequisites and guidelines
    • Configure IP addresses for the router and servers as shown in Figure 99 and make sure the host, router, and servers can reach each other.
    • Configure the RADIUS server correctly to provide authentication/authorization functions.
    •...
  • Page 340 Figure 100 Portal authentication server configuration Configure the IP address group: Select User Access Manager > Portal Service > IP Group from the navigation tree to enter the portal IP address group configuration page. Click Add to enter the page shown in Figure 101.
  • Page 341 Enter the device name NAS. Enter the IP address of the router's interface connected to the host. Enter the key, which must be the same as that configured on the router. Set whether to enable IP address reallocation. This example uses direct portal authentication, and therefore select No from the Reallocate IP list.
  • Page 342

    Figure 104 Adding a port group
    Select User Access Manager > Service Parameters > Validate from the navigation tree to validate the configurations.
    Configuring the router
    Configure a RADIUS scheme:
    # Create a RADIUS scheme named rs1 and enter its view.
    <Router>...
  • Page 343 # Configure reachability detection of the portal authentication server: configure the server detection interval as 40 seconds, and send log messages upon reachability status changes. [Router-portal-server-newpt] server-detect timeout 40 log NOTE: The value of timeout must be greater than or equal to the portal server heartbeat interval. # Configure portal user synchronization with the portal authentication server, and configure the synchronization detection interval as 600 seconds.
  • Page 344: Configuring Cross-Subnet Portal Authentication For Mpls L3Vpns

    Configuring cross-subnet portal authentication for MPLS L3VPNs Network requirements As shown in Figure 105, the PE device Router A provides portal authentication for the host in VPN 1. A portal server in VPN 3 serves as the portal authentication server, portal Web server, and RADIUS server. Configure cross-subnet portal authentication on Router A, so the host can access Internet resources after passing identity authentication.
  • Page 345

    [RouterA-radius-rs1] nas-ip 3.3.0.3
    [RouterA-radius-rs1] quit
    # Enable RADIUS session control.
    [RouterA] radius session-control enable
    Configure an authentication domain:
    # Create an ISP domain named dm1 and enter its view.
    [RouterA] domain dm1
    # Configure AAA methods for the ISP domain.
    [RouterA-isp-dm1] authentication portal radius-scheme rs1
    [RouterA-isp-dm1] authorization portal radius-scheme rs1
    [RouterA-isp-dm1] accounting portal radius-scheme rs1...
  • Page 346: Troubleshooting Portal

    Authorization ACL: None
    VPN instance: vpn3
    VLAN Interface 000d-88f7-c268 3.3.0.1 Ethernet1/1

    Troubleshooting portal
    No portal authentication page is pushed for users
    Symptom
    When a user is redirected to the portal Web server for authentication, no portal authentication page or error message is prompted for the user. The login page is blank.
    Analysis
    The key configured on the portal access device and that configured on the portal authentication server are inconsistent.
  • Page 347: Cannot Log Out Portal Users On The Radius Server

    Cannot log out portal users on the RADIUS server
    Symptom
    The access device uses the HP IMC server as the RADIUS server to perform identity authentication for portal users. You cannot log out the portal users on the RADIUS server.
  • Page 348

    Analysis
    When the access device detects that the client IP address has changed, it sends an unsolicited portal packet to notify the portal authentication server of the IP change. The portal authentication server notifies the client of authentication success only after it receives the IP change notification from both the access device and the client.
  • Page 349: Configuring Fips

    Configuring FIPS
    Overview
    Federal Information Processing Standards (FIPS) was developed by the National Institute of Standards and Technology (NIST) of the United States. FIPS specifies the requirements for cryptographic modules. FIPS 140-2 defines four levels of security, named "Level 1" to "Level 4", from low to high. The device supports Level 2.
  • Page 350: Configuring Fips Mode

    • Configuration rollback is supported in FIPS mode and also during a switch between FIPS mode and non-FIPS mode. After a configuration rollback between FIPS mode and non-FIPS mode, perform the following tasks:
    Delete the local user and configure a new local user. Local user attributes include password, user role, and service type.
  • Page 351: Configuration Changes In Fips Mode

    Set the number of character types a password must contain to 4, and set the minimum number of characters for each type to 1. Set the minimum length of user passwords to 15 characters. Add a local user account for device management, including the following items: A username.
  • Page 352: Exiting Fips Mode

    • The password control function cannot be disabled globally. The undo password control enable command does not take effect.
    • The keys must contain at least 15 characters and all 4 character types (uppercase letters, lowercase letters, digits, and special characters). This requirement applies to the following passwords (the last two passwords are used for password control): AAA server's shared key.
  • Page 353: Fips Self-Tests

    You can also trigger a self-test. If the power-up self-test fails, the device reboots. If the conditional self-test fails, the system outputs self-test failure information.
    NOTE: If a self-test fails, contact HP Support.
    Power-up self-tests
    The power-up self-test, also called "known-answer test", examines the availability of FIPS-allowed cryptographic algorithms.
  • Page 354: Conditional Self-Tests

    Conditional self-tests A conditional self-test runs when an asymmetrical cryptographic module or a random number generator module is invoked. Conditional self-tests include the following types: • Pair-wise consistency test—This test is run when a DSA/RSA asymmetrical key-pair is generated. It uses the public key to encrypt a plain text, and uses the private key to decrypt the encrypted text.
  • Page 355: Entering Fips Mode Through Manual Reboot

    [Sysname] fips mode enable
    FIPS mode change requires a device reboot. Continue? [Y/N]:y
    Reboot the device automatically? [Y/N]:y
    The system will create a new startup configuration file for FIPS mode. After you set the login username and password for FIPS mode, the device will reboot automatically.
    Enter username(1-55 characters):root
    Enter password(15-63 characters):
    Confirm password:...
  • Page 356

    Configuration procedure
    # Enable the password control function globally.
    <Sysname> system-view
    [Sysname] password-control enable
    # Set the number of character types a password must contain to 4, and set the minimum number of characters for each type to 1.
    [Sysname] password-control composition type-number 4 type-length 1
    # Set the minimum length of user passwords to 15 characters.
  • Page 357: Exiting Fips Mode Through Automatic Reboot

    First login or password reset. For security reason, you need to change your password.
    Please enter your password.
    old password:
    new password:
    confirm:
    Updating user information. Please wait ...
    <Sysname>
    # Display the current FIPS mode state.
    <Sysname>...
  • Page 358

    Change the configuration to meet non-FIPS mode requirements, save the configuration to the next-startup configuration file, and then reboot to enter non-FIPS mode.
    # Set the authentication mode for VTY lines to scheme.
    [Sysname] line vty 0 4
    [Sysname-line-vty0-4] authentication-mode scheme
    # Save the current configuration to the root directory of the storage medium, and specify it as the startup configuration file.
  • Page 359: Support And Other Resources

    Related information
    Documents
    To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals
    • For related documentation, navigate to the Networking section, and select a networking category.
    •...
  • Page 360: Conventions

    Conventions
    This section describes the conventions used in this documentation set.
    Command conventions
    Boldface: Bold text represents commands and keywords that you enter literally as shown.
    Italic: Italic text represents arguments that you replace with actual values.
    Square brackets enclose syntax choices (keywords or arguments) that are optional.
    { x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which...
  • Page 361 Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 362: Index

    Configuring ARP active acknowledgement, 278
    Configuring ARP automatic scanning and fixed ARP, 287
    Configuring ARP detection, 281
    Configuring ARP filtering, 289
    Configuring ARP gateway protection, 288
    Connection limit configuration example, 269
    Connection limit configuration task list, 266
    Contacting HP, 348
    Controlled/uncontrolled port and port authorization status, 50
    Controlling portal user...
  • Page 363

    Creating a connection limit policy, 266
    Creating a local key pair, 90
    Destroying a local key pair, 92
    Displaying and maintaining 802.1X, 65
    Displaying and maintaining AAA, 40
    Displaying and maintaining APR, 258
    FIPS configuration examples, 343
    FIPS self-tests, 342
    HP implementation of 802.1X, 59
    IKE configuration examples, 190
    IKE configuration...
  • Page 364

    RADIUS-based MAC authentication configuration example, 75
    Referencing a portal Web server for an interface, 301
    Related information, 348
    Removing a certificate, 112
    Setting the session aging time for different application layer protocols, 262
    Setting the session aging time for different protocol states, 261
    Setting user group password control parameters, 83
    SFTP configuration...
