HP 6600/HSR6600 Routers
Security

Configuration Guide

Part number: 5998-1515
Software version: A6602-CMW520-R3103
A6600-CMW520-R3102-RPE
A6600-CMW520-R3102-RSE
HSR6602_MCP-CMW520-R3102
Document version: 6PW103-20130628


Summary of Contents for HP 6600

  • Page 1: Configuration Guide

    HP 6600/HSR6600 Routers Security Configuration Guide Part number: 5998-1515 Software version: A6602-CMW520-R3103 A6600-CMW520-R3102-RPE A6600-CMW520-R3102-RSE HSR6602_MCP-CMW520-R3102 Document version: 6PW103-20130628...
  • Page 2 The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
  • Page 3: Table Of Contents

    Contents: Security overview (1); Network security threats (1); Network security services (1); Network security technologies (2); Identity authentication (2); Access security (2); Data security (3); Firewall and connection control (3); ...
  • Page 4 EAP relay (79); EAP termination (81); Configuring 802.1X (83); HP implementation of 802.1X (83); Access control methods (83); Using 802.1X authentication with other features (83); Configuration prerequisites (87); ...
  • Page 5 Configuring the redirect URL (107); Setting the EAD rule timer (107); Displaying and maintaining EAD fast deployment (107); EAD fast deployment configuration example (1) (108); Network requirements (108); Configuration procedure (108); ...
  • Page 6 Configuring re-DHCP portal authentication with extended functions (157); Configuring cross-subnet portal authentication with extended functions (160); Configuring portal stateful failover (6600/HSR6600) (162); Configuring portal server detection and portal user information synchronization (169); Cross-subnet portal authentication across VPNs (174); ...
  • Page 7 Configuring a user profile (200); Overview (200); User profile configuration task list (200); Creating a user profile (200); Performing configurations in user profile view (201); Enabling a user profile (201); ...
  • Page 8 Verifying PKI certificates with CRL checking (234); Verifying PKI certificates without CRL checking (235); Destroying the local RSA key pair (235); Removing a certificate (235); Configuring an access control policy (236); Displaying and maintaining PKI ...
  • Page 9 IKE operation (294); IKE functions (295); Relationship between IKE and IPsec (296); Protocols and standards (296); FIPS compliance (296); IKE configuration task list (296); Configuring a name for the local security gateway (297); ...
  • Page 10 Stelnet configuration examples (329); Password authentication enabled Stelnet server configuration example (329); Publickey authentication enabled Stelnet server configuration example (331); Password authentication enabled Stelnet client configuration example (336); Publickey authentication enabled Stelnet client configuration example (339); ...
  • Page 11 Configuring firewall (437); Overview (437); ACL based packet-filter (437); ASPF (437); Configuring a packet-filter firewall (440); Packet-filter firewall configuration task list (440); Enabling the firewall function (440); ...
  • Page 12 Troubleshooting connection limiting (464); Connection limit rules with overlapping segments (464); Connection limit rules with overlapping protocol types (464); Configuring web filtering (466); Overview (466); URL address filtering (466); IP address-supported URL address filtering ...
  • Page 13 Configuring IP source guard (499); Overview (499); Static IP source guard entries (499); Dynamic IP source guard entries (500); Configuring IPv4 source guard (500); Enabling IPv4 source guard on a port (500); ...
  • Page 14 Network requirements (536); Configuration procedure (537); Verifying the configuration (538); Support and other resources (539); Contacting HP (539); Subscription service (539); Related information (539); Documents (539); ...
  • Page 15: Security Overview

    Security overview. Network security threats are actual or potential threats to data confidentiality, data integrity, data availability, or authorized usage of some resource in a network system. Network security services provide solutions that counter or reduce those threats to different extents. Network security threats: Information disclosure—Information is leaked to an unauthorized person or entity.
  • Page 16: Network Security Technologies

    With digital certificates, the PKI system provides network communication, e-commerce, and e-Government with security services. HP's PKI system provides digital certificate management for IPsec and SSL. Access security 802.1X 802.1X is a port-based network access control protocol for securing wireless LANs (WLANs), and it has...
  • Page 17: Data Security

    Portal authentication. Portal authentication, also called "Web authentication," controls user access at the access layer and at other data entrances that need protection. It does not require client software to authenticate users. Users only need to enter a username and a password on the webpage for authentication. With portal authentication, an access device redirects all unauthenticated users to a specific webpage, and users can freely access resources on that webpage.
  • Page 18: Attack Detection And Protection

    Attack detection and protection ARP attack protection Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks. An attacker can exploit ARP vulnerabilities to attack network devices. HP has provided a...
  • Page 19: Other Security Technologies

    comprehensive and effective solution against common ARP attacks, such as user and gateway spoofing attacks and flood attacks. ND attack defense The IPv6 ND protocol provides rich functions, but does not provide any security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets. To defend against such attacks, the device provides multiple ND attack detection technologies, such as source MAC consistency check for ND packets and ND Detection.
  • Page 20 Password control Password control is a set of functions for enhancing the local password security. It controls user login passwords, super passwords, and user login status based on predefined policies. Those policies include minimum password length, minimum password update interval, password aging, and early notice on pending password expiration.
  • Page 21: Configuring AAA

    Configuring AAA. Overview: Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It provides the following security functions: • Authentication—Identifies users and determines whether a user is valid. • Authorization—Grants user rights and controls user access to resources and services. For example, ...
  • Page 22: RADIUS

    AAA can be implemented through multiple protocols. The device supports RADIUS and HWTACACS, of which RADIUS is most often used. RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access.
  • Page 23 Figure 3 Basic RADIUS message exchange process RADIUS operates in the following manner: The host initiates a connection request that carries the user's username and password to the RADIUS client. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted using the MD5 algorithm and the shared key.
  • Page 24 Figure 4 RADIUS packet format Code Identifier Length Authenticator Attributes Descriptions of the fields are as follows: The Code field (1 byte long) indicates the type of the RADIUS packet. • Table 1 Main values of the Code field Code Packet type Description From the client to the server.
  • Page 25 Type—(1 byte long) Type of the attribute. It is in the range of 1 to 255. Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868. Table 2 shows a list of the attributes. For more information, see "Commonly used standard RADIUS attributes."...
  • Page 26 Vendor-ID—ID of the vendor. Its most significant byte is 0. The other three bytes contain a code that is compliant with RFC 1700. The vendor ID of HP is 25506. For more information about the proprietary RADIUS sub-attributes of HP, see "HP proprietary RADIUS...
  • Page 27: HWTACACS

    HWTACACS HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical HWTACACS scenario, some terminal users need to log in to the NAS for operations.
  • Page 28 Figure 6 Basic HWTACACS message exchange process for a Telnet user HWTACACS operates in the following manner: A Telnet user sends an access request to the HWTACACS client. Upon receiving the request, the HWTACACS client sends a start-authentication packet to the HWTACACS server.
  • Page 29: Domain-Based User Management

    The user enters the password. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that carries the login password. The HWTACACS server sends back an authentication response to indicate that the user has passed authentication. The HWTACACS client sends the user authorization request packet to the HWTACACS server.
  • Page 30: AAA For MPLS L3VPNs

    • Portal users—Users who must pass portal authentication to access the network. • PPP users—Users who access through PPP. • SSL VPN users—Users who access through SSL VPN. In addition, AAA provides the following services for login users to enhance device security: • Command authorization—Enables the NAS to defer to the authorization server to determine...
  • Page 31: RADIUS Attributes

    • RFC 2869, RADIUS Extensions. • RFC 1492, An Access Control Protocol, Sometimes Called TACACS. RADIUS attributes: This section provides tables of commonly used standard RADIUS attributes and HP proprietary RADIUS sub-attributes. Commonly used standard RADIUS attributes: Attribute User-Name—Name of the user to be authenticated.
  • Page 32 Access-Requests. This attribute is present when EAP authentication is used. NAS-Port-Id String for describing the port of the NAS that is authenticating the user. HP proprietary RADIUS sub-attributes Sub-attribute Description Input-Peak-Rate Peak rate in the direction from the user to the NAS, in bps.
  • Page 33 Sub-attribute Remanent_Volume—Total remaining available traffic for the connection, in different units for different server types. Sub-attribute Command—Operation for the session, used for session control. Possible values include: 1—Trigger-Request; 2—Terminate-Request; 3—SetPolicy; 4—Result; 5—PortalClear. Identification for retransmitted packets: for retransmitted packets of the same session, this attribute must take the same value.
  • Page 34: AAA Configuration Considerations And Task List

    Sub-attribute Input-Interval-Gigawords—Number of bytes input within an accounting interval, in units of 4G bytes. Output-Interval-Gigawords—Number of bytes output within an accounting interval, in units of 4G bytes. Backup-NAS-IP—Backup source IP address for sending RADIUS packets. Product_ID—Product name.
  • Page 35: Configuring AAA Schemes

    Table 4 AAA configuration task list. Configuring AAA schemes: Configuring local users, Configuring RADIUS schemes, Configuring HWTACACS schemes (Required; complete at least one task). Configuring AAA methods for ISP domains: Creating an ISP domain (Required); Configuring ISP domain attributes (Optional); Configuring authentication methods for an ISP domain (Required).
  • Page 36 User group. • Each local user belongs to a local user group and bears all attributes of the group, such as the password control attributes and authorization attributes. For more information about local user group, see "Configuring user group attributes." Password control attributes.
  • Page 37 level authorized to the user. If the user interface authentication mode is password (password) or no authentication (none), which commands a login user can use after login depends on the level configured for the user interface by using the user privilege level command in user interface view. For an SSH user using public key authentication, which commands are available depends on the level configured for the user interface.
  • Page 38 Step: Set the maximum number of concurrent users of the local user account. Command: access-limit max-user-number. Remarks: Optional. By default, there is no limit to the maximum number of concurrent users of a local user account. The limit is effective only for local accounting, and is not effective for FTP users.
  • Page 39 Step: Set the validity time of the local user. Command: validity-date time. Remarks: Optional. Not set by default. Step: Set the expiration time of the local user. Command: expiration-date time. Remarks: Optional. Not set by default. Step: Assign the local user to a group. Command: group group-name. Remarks: Optional. By default, a local user belongs to the user group.
  • Page 40: Configuring RADIUS Schemes

    Step: Set the guest attribute for the user group. Command: group-attribute allow-guest. Remarks: Optional. By default, the guest attribute is not set for a user group, and guest users created by a guest manager through the Web interface cannot join the group. Displaying and maintaining local users and local user groups: Task Command...
  • Page 41 Task Remarks Configuring the IP address of the security policy server Optional. Configuring interpretation of the RADIUS class attribute as CAR parameters Optional. Enabling the trap function for RADIUS Optional. Enabling the RADIUS client service Optional. Displaying and maintaining RADIUS Optional.
  • Page 42 Step: Specify the primary RADIUS authentication/authorization server. Command: primary authentication { ip-address | ipv6 ipv6-address } [ port-number ... Remarks: Configure at least one command. By default, no authentication/authorization server is specified. In FIPS mode, the shared key must be a string of at least 8 characters that contain numbers, uppercase letters,...
  • Page 43 Step: Specify the primary RADIUS accounting server. Command: primary accounting { ip-address | ipv6 ipv6-address } [ port-number | ... Remarks: Configure at least one command. No accounting server is specified by default. In FIPS mode, the shared key must be a string of at least 8 characters that contain numbers, uppercase letters, lowercase letters, and...
  • Page 44 Step: Specify a shared key for secure RADIUS authentication/authorization ... Command: key { accounting | authentication } [ cipher | simple ] key. Remarks: By default, no shared key is specified. In FIPS mode, the shared key must be a string of at least 8 characters that contain numbers, uppercase letters, lowercase letters, and...
  • Page 45 • Standard—Uses the standard RADIUS protocol, compliant with RFC 2865 and RFC 2866 or later. • Extended—Uses the proprietary RADIUS protocol of HP. When the RADIUS server runs on IMC, you must set the RADIUS server type to extended. When the RADIUS server runs third-party RADIUS server software, either RADIUS server type applies.
  • Page 46 Step: Set the maximum number of RADIUS request transmission attempts. Command: retry retry-times. Remarks: Optional. The default setting is 3. Setting the status of RADIUS servers: By setting the status of RADIUS servers to blocked or active, you can control the AAA servers with which the device communicates when the current servers are no longer available.
  • Page 47 By default, the device sets the status of all RADIUS servers to active. In some cases, however, you may need to change the status of a server. For example, if a server fails, you can change the status of the server to blocked to avoid communication attempts to the server.
  • Page 48 Step: Enter system view. Command: system-view. Step: Specify a source IP address for outgoing RADIUS packets. Command: radius nas-ip { ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]. Remarks: By default, the IP address of the outbound interface is used as the source IP address.
  • Page 49 Step: Enter system view. Command: system-view. Step: Specify a backup source IP address for outgoing RADIUS packets. Command: radius nas-backup-ip ip-address [ vpn-instance vpn-instance-name ]. Remarks: Not specified by default. To specify a backup source IP address for a RADIUS scheme: Step: Enter system view.
  • Page 50 If the device receives no response to the accounting-on packet, it re-sends the packet to the RADIUS server at a particular interval for a specified number of times. The accounting-on feature requires the cooperation of the HP IMC network management system. To configure the accounting-on feature for a RADIUS scheme:...
  • Page 51 Configuring the IP address of the security policy server The core of the HP EAD solution is integration and cooperation. The security policy server is the management and control center for EAD. Using a collection of software, the security policy server provides functions such as user management, security policy management, security status assessment, security cooperation control, and security event audit.
  • Page 52 • The ratio of the number of failed transmission attempts to the total number of authentication request transmission attempts reaches the threshold. This threshold ranges from 1% to 100% and defaults to 30%. This threshold can only be configured through the MIB. The failure ratio is typically small.
  • Page 53: Configuring HWTACACS Schemes

    Configuring HWTACACS schemes You cannot remove the HWTACACS schemes in use or change the IP addresses of the HWTACACS servers in use. HWTACACS configuration task list Task Remarks Creating an HWTACACS scheme Required. Specifying the HWTACACS authentication servers Required. Specifying the HWTACACS authorization servers Optional.
  • Page 54 Step: Enter HWTACACS scheme view. Command: hwtacacs scheme hwtacacs-scheme-name. Step: Specify HWTACACS authentication servers. Command: • Specify the primary HWTACACS authentication server: primary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] * • Specify the secondary ... Remarks: Configure at least one command. No authentication server is ...
  • Page 55 When the device receives a connection teardown request from a host or a connection teardown command from an administrator, it sends a stop-accounting request to the accounting server. You can enable buffering of non-responded stop-accounting requests to allow the device to buffer and resend a stop-accounting request until it receives a response or the number of stop-accounting attempts reaches the configured limit.
  • Page 56 Step: Specify a shared key for secure HWTACACS authentication, authorization, ... Command: key { accounting | authentication | authorization } [ cipher | simple ] key. Remarks: By default, no shared key is specified. In FIPS mode, the shared key must be a string of at least 8 characters that contain numbers, uppercase letters, lowercase letters, and...
  • Page 57 If an HWTACACS server does not support a username that carries the domain name, configure the device to remove the domain name before sending the username to the server. For level switching authentication, the user-name-format keep-original and user-name-format without-domain commands produce the same result: they make sure that usernames sent to the HWTACACS server carry no ISP domain name.
  • Page 58 • Server response timeout timer (response-timeout)—Defines the HWTACACS request retransmission interval. After sending an HWTACACS request (authentication, authorization, or accounting request), the device starts the server response timeout timer. If the device receives no response from the server before the timer expires, it resends the request. •...
  • Page 59: Configuring AAA Methods For ISP Domains

    Configuring AAA methods for ISP domains By default, the device uses local (default) AAA methods for users in an ISP domain. To use other AAA methods for them, configure the device to reference existing AAA schemes for the ISP domain. For information about configuring AAA schemes, see "Configuring RADIUS schemes"...
  • Page 60: Configuring ISP Domain Attributes

    To delete the ISP domain that is functioning as the default ISP domain, you must change it to a non-default ISP domain by using the undo domain default enable command. Configuring ISP domain attributes: In an ISP domain, you can configure the following attributes: • Domain status—By placing the ISP domain in the active or blocked state, you allow or deny...
  • Page 61: Configuring Authentication Methods For An ISP Domain

    Step: Define an IP address pool for allocating addresses to PPP users. Command: ip pool pool-number low-ip-address [ high-ip-address ]. Remarks: Optional. By default, no IP address pool is configured for PPP users. Step: Specify the default authorization user profile. Command: authorization-attribute ... Remarks: Optional. By default, an ISP domain has no authorization user profile.
  • Page 62 Configuration guidelines When configuring authentication methods, follow these guidelines: • If you configure an authentication method that references a RADIUS scheme and an authorization method that does not reference a RADIUS scheme, AAA accepts only the authentication result from the RADIUS server. The Access-Accept message from the RADIUS server also carries the authorization information, but the device ignores the information.
  • Page 63: Configuring Authorization Methods For An ISP Domain

    Step: Specify the authentication method for portal users. Command: authentication portal { local | none | radius-scheme radius-scheme-name [ local ] }. Remarks: Optional. The default authentication method is used by default. Step: Specify the authentication method ... Command: authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name... Remarks: Optional. The default authentication ...
  • Page 64 Configuration guidelines When configuring authorization methods, follow these guidelines: • To configure RADIUS authorization, you must also configure RADIUS authentication, and reference the same RADIUS scheme for RADIUS authentication and authorization. If the RADIUS authorization configuration is invalid or RADIUS authorization fails, the RADIUS authentication also fails.
  • Page 65: Configuring Accounting Methods For An Isp Domain

    Step: Specify the authorization method for PPP users. Command: authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }. Remarks: Optional. The default authorization method is used by default.
    Step: Specify the authorization method for SSL VPN ... Command: authorization ssl-vpn radius-scheme ... Remarks: Optional. The default authorization...
  • Page 66 Configuration procedure To configure accounting methods for an ISP domain:
    Step: Enter system view. Command: system-view.
    Step: Enter ISP domain view. Command: domain isp-name.
    Step: Enable the accounting optional feature. Command: accounting optional. Remarks: Optional. Disabled by default. With the accounting optional feature, a device allows users to use network resources when...
  • Page 67: Tearing Down User Connections

    Step: Specify the accounting method for SSL VPN users. Command: accounting ssl-vpn radius-scheme radius-scheme-name. Remarks: Optional. The default accounting method is used by default.
    Tearing down user connections
    Step: Enter system view. Command: system-view.
    Step: Tear down AAA user... Command: cut connection { access-type { dot1x | mac-authentication | portal } | all | domain isp-name ... Remarks: The command...
  • Page 68: Displaying And Maintaining Aaa

    The device ID must be used for stateful failover mode. Do not configure any device ID for a device working in stand-alone mode. Configuring or changing the device ID of a device will log out all online users of the device. HP recommends that you save the configuration and reboot the device after configuring or changing the device ID.
  • Page 69 Set the ports for authentication to 1812, respectively. Select the service type Device Management Service. Select the access device type HP(General). Select the access device from the device list or manually add the access device (with the IP address 10.1.1.2).
  • Page 70 Figure 11 Adding the router as an access device Add a user account for device management: Click the User tab, and then select Access User View > Device Mgmt User from the navigation tree. Click Add to configure a device management account as follows: Enter the account name hello@bbb and specify the password.
  • Page 71 Figure 12 Adding an account for device management Configuring the router # Assign an IP address to interface GigabitEthernet 3/0/1, the Telnet user access interface. <Router> system-view [Router] interface gigabitethernet 3/0/1 [Router-GigabitEthernet3/0/1] ip address 192.168.1.70 255.255.255.0 [Router-GigabitEthernet3/0/1] quit # Configure the IP address of interface GigabitEthernet 3/0/2, through which the router communicates with the server.
  • Page 72: Local Authentication/Authorization For Telnet/Ftp Users

    # Set the shared key for secure authentication communication to expert. [Router-radius-rad] key authentication expert # Specify the service type for the RADIUS server, which must be extended when the server runs on IMC. [Router-radius-rad] server-type extended # Include the domain names in usernames sent to the RADIUS server. [Router-radius-rad] user-name-format with-domain [Router-radius-rad] quit # Configure the AAA methods for domain bbb.
  • Page 73: Aaa For Ppp Users By An Hwtacacs Server

    # Enable the Telnet server on the device. [Router] telnet server enable # Configure the router to use AAA for Telnet users. [Router] user-interface vty 0 4 [Router-ui-vty0-4] authentication-mode scheme [Router-ui-vty0-4] quit # Create local user named telnet. [Router] local-user telnet [Router-luser-telnet] service-type telnet [Router-luser-telnet] password simple aabbcc [Router-luser-telnet] quit...
  • Page 74 Configuration procedure Configure the HWTACACS server. On the HWTACACS server, set the shared keys for secure communication with the router to expert, add an account for the PPP user, and specify the password. (Details not shown.) Configure the router: # Create HWTACACS scheme hwtac. <Router>...
  • Page 75: Level Switching Authentication For Telnet Users By A Radius Server

    Level switching authentication for Telnet users by a RADIUS server Network requirements As shown in Figure 15, configure the router to:
    • Use local authentication for the Telnet user and assign the privilege level of 0 to the user when the...
  • Page 76 [Router-GigabitEthernet3/0/1] quit # Configure the IP address of GigabitEthernet 3/0/2, through which the router communicates with the server. [Router] interface gigabitethernet 3/0/2 [Router-GigabitEthernet3/0/2] ip address 10.1.1.2 255.255.255.0 [Router-GigabitEthernet3/0/2] quit # Enable the router to provide Telnet service. [Router] telnet server enable # Configure the router to use AAA for Telnet users.
  • Page 77 Configure the RADIUS server. The RADIUS server in this example runs ACSv4.0. Add the usernames and passwords for user privilege level switching authentication. Table 5 Adding username and passwords for user privilege level switching authentication Username Password Switching to level $enab1$ pass1 $enab2$...
  • Page 78 Figure 17 List of the usernames for privilege level switching Verify the configuration. After the configuration is complete, the user can Telnet to the router and use username test@bbb and password aabbcc to enter the user interface of the router, and access all level 0 commands. <Router>...
  • Page 79: Aaa For Portal Users By A Radius Server

    Password: Enter the password for RADIUS privilege level switching authentication. Error: Invalid configuration or no response from the authentication server. Info: Change authentication mode to local. Password: Enter the password for local privilege level switching authentication. User privilege level is 3, and only those commands can be used whose level is equal or less than this.
  • Page 80 Set the shared key for secure authentication communication to expert. Set the ports for authentication to 1812, respectively. Select the service type LAN Access Service. Select the access device type HP(General). Select the access device from the device list or manually add the device with the IP address 10.1.1.2.
  • Page 81 Figure 20 Adding a service Add an access user account: Click the User tab, and then select Access User View > All Access Users from the navigation tree. Click Add to configure a user as follows: Select the user or add a user named hello. Enter the account name portal and specify the password.
  • Page 82 Figure 22 Portal server configuration Configure an IP address group: Select User Access Manager > Portal Service > IP Group from the navigation tree. Click Add to configure an IP address group as follows: Enter the name Portal_user. Set the start IP address to 192.168.1.1 and the end IP address to 192.168.1.255. Make sure the IP address group contains the IP address of the host.
  • Page 83 Enter the IP address of the access interface on the router, which is 192.168.1.70. Enter the key, which is portal, the same as that configured on the router. Specify whether to enable IP address reallocation. This example uses direct portal authentication by selecting No from the Reallocate IP list.
  • Page 84 Figure 26 Associating the portal device with IP address group Select User Access Manager > Service Parameters > Validate from the navigation tree to validate the configurations. Configuring the router Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <Router>...
  • Page 85: Troubleshooting Aaa

    # Enable portal authentication on the interface connecting the host. [Router] interface gigabitethernet 3/0/1 [Router-GigabitEthernet3/0/1] portal server newpt method direct [Router-GigabitEthernet3/0/1] quit Verifying the configuration The user can initiate portal authentication by using the HP iNode client or by accessing a Web page. All initiated requests will be redirected...
  • Page 86 Solution Check that:
    • The NAS and the RADIUS server can ping each other.
    • The username is in the userid@isp-name format and the ISP domain is correctly configured on the NAS.
    • The user is configured on the RADIUS server.
    • ...
  • Page 87: Troubleshooting Hwtacacs

    Troubleshooting HWTACACS Similar to RADIUS troubleshooting. See "Troubleshooting RADIUS."...
  • Page 88: 802.1X Overview

    802.1X overview 802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for securing wireless LANs (WLANs), and it has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports. 802.1X architecture 802.1X operates in the client/server model.
  • Page 89: 802.1X-Related Protocols

    • Performs unidirectional traffic control to deny traffic from the client.
    • The HP devices support only unidirectional traffic control.
    802.1X-related protocols 802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the network access device, and the authentication server. EAP is an authentication framework that uses the client/server model.
  • Page 90
    • Protocol version—The EAPOL protocol version used by the EAPOL packet sender.
    • Type—Type of the EAPOL packet. Table 6 lists the types of EAPOL packets supported by the HP implementation of 802.1X.
    • ...
    Table 6 Types of EAPOL packets Value...
  • Page 91: Eap Over Radius

    01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client and the authentication server does not support the multicast address, use an 802.1X client, the HP iNode 802.1X client for example, that can send broadcast EAPOL-Start packets.
  • Page 92: 802.1X Authentication Procedures

    The access device supports the following modes:
    • Multicast trigger mode—The access device multicasts Identity EAP-Request packets periodically (every 30 seconds by default) to initiate 802.1X authentication.
    • Unicast trigger mode—Upon receiving a frame with the source MAC address not in the MAC...
  • Page 93: A Comparison Of Eap Relay And Eap Termination

    EAP termination. Benefits: Works with any RADIUS server that supports PAP or CHAP authentication. Limitations:
    • Supports only MD5-Challenge EAP authentication and the "username + password" EAP authentication initiated by an HP iNode 802.1X client.
    • The processing is complex on the network access device.
  • Page 94 Figure 35 802.1X authentication procedure in EAP relay mode (participants: Client, Device, Authentication server; EAPOL between client and device, EAPOR between device and server):
    (1) EAPOL-Start
    (2) EAP-Request/Identity
    (3) EAP-Response/Identity
    (4) RADIUS Access-Request (EAP-Response/Identity)
    (5) RADIUS Access-Challenge (EAP-Request/MD5 challenge)
    (6) EAP-Request/MD5 challenge
    (7) EAP-Response/MD5 challenge
    (8) RADIUS Access-Request (EAP-Response/MD5 challenge)
    (9) RADIUS Access-Accept (EAP-Success)
    (10) EAP-Success...
  • Page 95: Eap Termination

    The authentication server compares the received encrypted password with the one it generated at step 5. If the two are identical, the authentication server considers the client valid and sends a RADIUS Access-Accept packet to the network access device. Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP-Success packet to the client, and sets the controlled port in the authorized state so the client can access the network.
  • Page 96 Figure 36 802.1X authentication procedure in EAP termination mode In EAP termination mode, the network access device rather than the authentication server generates an MD5 challenge for password encryption (see Step 4). The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.
  • Page 97: Configuring 802.1X

    Configuring 802.1X This chapter describes how to configure 802.1X on an HP device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network that requires different authentication methods for different users on a port. Port security is beyond the scope of this chapter.
  • Page 98 Access control VLAN manipulation • If the port is a hybrid port with MAC-based VLAN enabled, maps the MAC address of each user to the VLAN assigned by the authentication server. The PVID of the port does not change. When a user logs off, the MAC-to-VLAN mapping for the user is removed.
  • Page 99 Auth-Fail VLAN You can configure an Auth-Fail VLAN to accommodate users that have failed 802.1X authentication because of the failure to comply with the organization security strategy, such as using a wrong password. Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to download anti-virus software and system patches.
  • Page 100 The way that the network access device handles VLANs on an 802.1X-enabled port differs by 802.1X access control mode. On a port that performs port-based access control • Authentication status VLAN manipulation A user that has not been assigned to any Assigns the critical VLAN to the port as the PVID.
  • Page 101: Configuration Prerequisites

    Authentication status: A user in the MAC authentication guest VLAN fails 802.1X authentication because all the 802.1X authentication servers are unreachable. VLAN manipulation: The user is removed from the MAC authentication VLAN and mapped to the 802.1X critical VLAN.
    To perform the 802.1X critical VLAN function on a port that performs MAC-based access control, you must make sure that the port is a hybrid port, and enable MAC-based VLAN on the port.
  • Page 102: Enabling 802.1X

    Task / Remarks:
    • Setting the port authorization state — Optional.
    • Specifying an access control method — Optional.
    • Setting the maximum number of concurrent 802.1X users on a port — Optional.
    • Setting the maximum number of authentication request attempts — Optional.
    • Setting the 802.1X authentication timeout timers — Optional.
  • Page 103: Enabling Eap Relay Or Eap Termination

    If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an HP iNode 802.1X client, you can use both EAP termination and EAP relay. To use EAP-TLS, PEAP, or any other EAP authentication methods, you must use EAP relay. When you make your decision, see "A comparison of EAP relay and EAP...
  • Page 104: Specifying An Access Control Method

    Step: Enter system view. Command: system-view.
    Step: Set the port authorization state in system view or Ethernet interface view. Command: • In system view: dot1x port-control { authorized-force | auto | unauthorized-force } [ interface interface-list ] • In Ethernet interface view: interface interface-type interface-number ... Remarks: By default, auto applies.
  • Page 105: Setting The Maximum Number Of Authentication Request Attempts

    Step: Set the maximum number of concurrent 802.1X users on a port in system view or Ethernet interface view. Command: • In system view: dot1x max-user user-number [ interface interface-list ] • In Ethernet interface view: interface interface-type interface... Remarks: The default setting is 1024.
  • Page 106: Configuring The Online User Handshake Function

    • To use the online handshake security function, make sure the online user handshake function is enabled.
    HP recommends that you use the iNode client software and IMC server to ensure the normal operation of the online user handshake security function.
  • Page 107: Enabling The Proxy Detection Function

    Before you enable the proxy detection function, complete the following tasks:
    • Enable the online user handshake function (see "Configuring the online user handshake function").
    • Deploy HP iNode client software in your network.
    To configure the proxy detection function: Step Command Remarks Enter system view.
  • Page 108: Configuration Guidelines

    Configuration guidelines Follow these guidelines when you configure the authentication trigger function:
    • Enable the multicast trigger on a port when the clients attached to the port cannot send EAPOL-Start packets to initiate 802.1X authentication.
    • Enable the unicast trigger on a port if only a few 802.1X clients are attached to the port and these...
  • Page 109: Configuring The Quiet Timer

    Configuring the quiet timer The quiet timer enables the network access device to wait a period of time before it can process any authentication request from a client that has failed an 802.1X authentication. You can set the quiet timer to a high value in a vulnerable network or a low value for quicker authentication response.
  • Page 110: Configuring An 802.1X Guest Vlan

    If no critical VLAN is configured, an unreachable RADIUS server can cause an online user that is being re-authenticated to be logged off. If a critical VLAN is configured, the user remains online and in the original VLAN. Configuring an 802.1X guest VLAN Follow these guidelines when you configure an 802.1X guest VLAN:
    • ...
  • Page 111: Configuring An 802.1X Critical Vlan

    Feature: Port intrusion protection on a port that performs MAC-based access control. Relationship description: The 802.1X Auth-Fail VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature. Reference: See "Configuring port security."
  • Page 112: Specifying Supported Domain Name Delimiters

    Step: Enter system view. Command: system-view.
    Step: Enter Layer 2 Ethernet interface view. Command: interface interface-type interface-number.
    Step: Configure an 802.1X critical VLAN on the port. Command: dot1x critical vlan vlan-id. Remarks: By default, no critical VLAN is configured.
    Step: Configure the port to trigger 802.1X authentication on ... Command: dot1x critical recovery-action... Remarks: Optional. By default, when a reachable...
  • Page 113: Displaying And Maintaining 802.1X

    Figure 37 Network diagram Configuration procedure Configure the 802.1X client. If HP iNode is used, do not select the Carry version info option in the client configuration. (Details not shown.) Configure the RADIUS servers and add user accounts for the 802.1X users. (Details not shown.)
  • Page 114 For information about the RADIUS commands used on the Router in this example, see Security Command Reference. Assign an IP address for each interface on the Router. (Details not shown.) Configure user accounts for the 802.1X users on the Router: # Add a local user with the username localuser, and password localpass in plaintext.
  • Page 115: Verifying The Configuration

    # Configure the idle cut function to log off any online domain user that has been idle for 20 minutes. [Router-isp-aabbcc.net] idle-cut enable 20 [Router-isp-aabbcc.net] quit # Specify aabbcc.net as the default ISP domain. If a user does not provide any ISP domain name, it is assigned to the default ISP domain.
  • Page 116: Configuration Procedure

    Figure 38 Network diagram Configuration procedure The following configuration procedure covers most AAA/RADIUS configuration commands on the Router. The configuration on the 802.1X client and RADIUS server are not shown. For more information about AAA/RADIUS configuration commands, see Security Command Reference. Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VLAN or a server-assigned VLAN.
  • Page 117: Verifying The Configuration

    Configure a RADIUS scheme: # Configure RADIUS scheme 2000 and enter its view. <Router> system-view [Router] radius scheme 2000 # Specify primary and secondary authentication and accounting servers. Set the shared key to abc for authentication and accounting packets. [Router-radius-2000] primary authentication 10.11.1.1 1812 [Router-radius-2000] primary accounting 10.11.1.1 1813 [Router-radius-2000] key authentication abc [Router-radius-2000] key accounting abc...
  • Page 118: With Acl Assignment Configuration Example

    802.1X with ACL assignment configuration example Network requirements As shown in Figure 39, the host at 192.168.1.10 connects to port GigabitEthernet 3/0/1 of Router. Perform 802.1X authentication on the port. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server and the RADIUS server at 10.1.1.2 as the accounting server.
  • Page 119: Verifying The Configuration

    # Create an ISP domain and specify the RADIUS scheme 2000 as the default AAA schemes for the domain. [Router] domain 2000 [Router-isp-2000] authentication default radius-scheme 2000 [Router-isp-2000] authorization default radius-scheme 2000 [Router-isp-2000] accounting default radius-scheme 2000 [Router-isp-2000] quit # Configure a time range ftp for the weekdays from 8:00 to 18:00. [Router] time-range ftp 8:00 to 18:00 working-day # Configure ACL 3000 to deny packets destined for the FTP server at 10.0.0.1 on the weekdays during business hours.
  • Page 120: Configuring Ead Fast Deployment

    Configuring EAD fast deployment Overview Endpoint Admission Defense (EAD) is an HP integrated endpoint access control solution, which enables the security client, security policy server, Router, and third-party server to work together to improve the threat defense capability of a network. If a terminal device seeks to access an EAD network, it must have an EAD client, which performs 802.1X authentication.
  • Page 121: Configuring The Redirect Url

    If you use free IP, guest VLAN, and Auth-Fail VLAN features together, make sure that the free IP segments are in both guest VLAN and Auth-Fail VLAN. Users can access only the free IP segments. To configure a free IP: Step Command Remarks...
  • Page 122: Ead Fast Deployment Configuration Example (1)

    EAD fast deployment configuration example (1) Network requirements As shown in Figure 40, the hosts on the intranet 192.168.1.0/24 are attached to port GigabitEthernet 3/0/1 of Router, and they use DHCP to obtain IP addresses. Deploy EAD solution for the intranet so that all hosts must pass 802.1X authentication to access the network.
  • Page 123: Verifying The Configuration

    Configure DHCP relay: # Enable DHCP. <Router> system-view [Router] dhcp enable # Configure a DHCP server for a DHCP server group. [Router] dhcp relay server-group 1 ip 192.168.2.2 # Enable the relay agent on VLAN interface 2. [Router] interface vlan-interface 2 [Router-Vlan-interface2] dhcp select relay # Correlate VLAN interface 2 to the DHCP server group.
  • Page 124: Ead Fast Deployment Configuration Example (2)

    The output shows that you can access that segment before passing 802.1X authentication. If you use a web browser to access any external website beyond the free IP segments, you are redirected to the web server, which provides the 802.1X client software download service. Enter the external website address in dotted decimal notation, for example, 3.3.3.3 or http://3.3.3.3, in the address bar.
  • Page 125: Configuration Procedure

    Configuration procedure Configure an IP address for each interface. (Details not shown.) Configure the DHCP server: # Enable DHCP. <Router> system-view [Router] dhcp enable # Enable the DHCP server on VLAN interface 2. [Router] interface vlan-interface 2 [Router-Vlan-interface2] dhcp select server global-pool [Router-Vlan-interface2] quit # Create DHCP address pool 0, specify a subnet for dynamic allocation in the pool, and specify the gateway address.
  • Page 126: Troubleshooting Ead Fast Deployment

    Ping statistics for 192.168.2.3: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms The output shows that you can access that segment before passing 802.1X authentication. If you use a web browser to access any external website beyond the free IP segments, you are redirected to the web server, which provides the 802.1X client software download service.
  • Page 127: Configuring Mac Authentication

    Configuring MAC authentication MAC authentication is available only for SAP modules that are operating in bridge mode. Overview MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software and users do not need to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port.
  • Page 128: Mac Authentication Timers

    • If a shared account is used, the access device sends the shared account username and password to the RADIUS server for authentication.
    For more information about configuring local authentication and RADIUS authentication, see "Configuring AAA." MAC authentication timers MAC authentication uses the following timers:
    • Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards...
  • Page 129: Basic Configuration For Mac Authentication

    Task / Remarks:
    • Basic configuration for MAC authentication: Configuring MAC authentication globally; Configuring MAC authentication on a port — Required.
    • Specifying a MAC authentication domain — Optional.
    Basic configuration for MAC authentication Before you perform basic configuration for MAC authentication, complete the following tasks: Create and configure an authentication domain, also called "an ISP domain."...
  • Page 130: Configuring Mac Authentication On A Port

    Configuring MAC authentication on a port You cannot add a MAC authentication-enabled port to a link aggregation group, or enable MAC authentication on a port already in a link aggregation group. To configure MAC authentication on a port: Step Command Remarks Enter system view.
  • Page 131: Displaying And Maintaining Mac Authentication

    Step: Specify an authentication domain for MAC authentication users in system view or interface view. Command: • In system view: mac-authentication domain domain-name • In interface view: interface interface-type interface-number ... Remarks: By default, the system default authentication domain is used for MAC authentication users.
  • Page 132 [Router] local-user 00-e0-fc-12-34-56 [Router-luser-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56 [Router-luser-00-e0-fc-12-34-56] service-type lan-access [Router-luser-00-e0-fc-12-34-56] quit # Configure ISP domain aabbcc.net to perform local authentication for LAN access users. [Router] domain aabbcc.net [Router-isp-aabbcc.net] authentication lan-access local [Router-isp-aabbcc.net] quit # Enable MAC authentication globally. [Router] mac-authentication # Enable MAC authentication on port GigabitEthernet 3/0/1.
  • Page 133: Radius-Based Mac Authentication Configuration Example

    Slot: Index=52 , Username=00-15-e9-43-82-73@aabbcc.net IP=N/A IPv6=N/A MAC=00e0-fc12-3456 Total 1 connection(s) matched on slot 3. Total 1 connection(s) matched. RADIUS-based MAC authentication configuration example Network requirements As shown in Figure 43, a host connects to port GigabitEthernet 3/0/1 on the router. The router uses RADIUS servers for authentication, authorization, and accounting.
  • Page 134 [Router-radius-2000] quit # Apply the RADIUS scheme to ISP domain 2000 for authentication, authorization, and accounting. [Router] domain 2000 [Router-isp-2000] authentication default radius-scheme 2000 [Router-isp-2000] authorization default radius-scheme 2000 [Router-isp-2000] accounting default radius-scheme 2000 [Router-isp-2000] quit # Enable MAC authentication globally. [Router] mac-authentication # Enable MAC authentication on port GigabitEthernet 3/0/1.
  • Page 135: Acl Assignment Configuration Example

    Index=52 , Username=aaa@2000 IP=N/A IPv6=N/A MAC=00e0-fc12-3456 Total 1 connection(s) matched on slot 3. Total 1 connection(s) matched. ACL assignment configuration example Network requirements As shown in Figure 44, a host connects to port GigabitEthernet 3/0/1 of the router, and the router uses RADIUS servers to perform authentication, authorization, and accounting.
  • Page 136 [Sysname-radius-2000] user-name-format without-domain [Sysname-radius-2000] quit # Apply the RADIUS scheme to an ISP domain for authentication, authorization, and accounting. [Sysname] domain 2000 [Sysname-isp-2000] authentication default radius-scheme 2000 [Sysname-isp-2000] authorization default radius-scheme 2000 [Sysname-isp-2000] accounting default radius-scheme 2000 [Sysname-isp-2000] quit # Enable MAC authentication globally. [Sysname] mac-authentication # Specify the ISP domain for MAC authentication.
  • Page 137: Configuring Portal Authentication

    Configuring portal authentication Portal on VLAN interfaces does not support accounting. Portal on other types of interfaces supports accounting. Overview Portal authentication helps control access to the Internet. Portal authentication is also called "Web authentication." A website implementing portal authentication is called a portal website. With portal authentication, an access device redirects all users to the portal authentication page.
  • Page 138 PC. A client can use a browser or portal client software for portal authentication. Client security check is implemented through communications between the client and the security policy server. To implement security check, the client must be the HP iNode client. Access device Access devices control user access.
  • Page 139: Portal Authentication Modes

    NOTE: Portal authentication supports NAT traversal whether it is initiated by a Web client or an HP iNode client. When the portal authentication client is on a private network, but the portal server is on a public network and the access device is enabled with NAT, network address translations performed on the access device do not affect portal authentication.
  • Page 140: Portal Support For Eap

    Therefore, no additional configuration is needed on the access device. NOTE: To use portal authentication that supports EAP, the portal server and client must be the HP IMC portal server and the HP iNode portal client. Layer 3 portal authentication process Direct authentication and cross-subnet authentication share the same authentication process.
  • Page 141 Direct authentication/cross-subnet authentication process (with CHAP/PAP authentication) Figure 47 Direct authentication/cross-subnet authentication process The direct authentication/cross-subnet authentication process is as follows: An authentication client initiates authentication by sending an HTTP request. When the HTTP packet arrives at the access device, the access device allows it to pass if it is destined for the portal server or a predefined free website, or redirects it to the portal server if it is destined for other websites.
  • Page 142 Re-DHCP authentication process (with CHAP/PAP authentication) Figure 48 Re-DHCP authentication process (participants: Authentication client, Portal server, Access device, Authentication/accounting server, Security policy server):
    1) Initiate a connection
    2) CHAP authentication
    3) Authentication request
    4) RADIUS authentication (Timer)
    5) Authentication reply
    6) Authentication succeeds
    7) The user obtains...
  • Page 143 Portal support for EAP authentication process Figure 49 Portal support for EAP authentication process All portal authentication modes share the same EAP authentication steps. The following example uses direct portal authentication to show the EAP authentication process: The authentication client sends an EAP Request/Identity message to the portal server to initiate an EAP authentication process.
  • Page 144: Portal Stateful Failover

    The access device sends an authentication reply to the portal server. This reply carries the EAP-Success message in the EAP-Message attribute. The portal server notifies the authentication client of the authentication success. The portal server sends an authentication reply acknowledgment to the access device. The remaining steps are for extended portal authentication.
  • Page 145: Portal Authentication Across Vpns

    Stateful failover involves the following basic concepts:
    • Device states:
      Independence—A stable running status of a device when it does not establish the failover link with the other device.
      Synchronization—A stable running status of a device when it establishes the failover link with the other device successfully and is ready for data backup.
  • Page 146: Portal Configuration Task List

    For information about AAA implementation across VPNs, see "Configuring AAA."
    Portal configuration task list
    To configure Layer 3 portal authentication:
    Task: Specifying a portal server for Layer 3 portal authentication. Remarks: Required.
    Task: Enabling Layer 3 portal authentication. Remarks: Required.
    Task: Controlling access of portal users: Configuring a portal-free rule; Configuring an authentication source subnet; Configuring an authentication destination subnet...
  • Page 147: Specifying A Portal Server For Layer 3 Portal Authentication

    • With re-DHCP authentication, the IP address check function of the DHCP relay agent is enabled on the access device, and the DHCP server is installed and configured properly.
    • The portal client, access device, and servers can reach each other.
    •...
  • Page 148: Controlling Access Of Portal Users

    Configuration guidelines
    • You can enable both direct/cross-subnet portal authentication and 802.1X authentication on a Layer 3 interface, and a user can access the network after passing either authentication.
    • If you enable both 802.1X authentication and re-DHCP portal authentication on a Layer 3 interface, portal authentication will fail.
  • Page 149: Configuring An Authentication Source Subnet

    Configuration guidelines
    • If you specify both a VLAN and an interface in a portal-free rule, the interface must belong to the VLAN. Otherwise, the rule does not take effect.
    • You cannot configure two or more portal-free rules with the same filtering criteria. Otherwise, the system prompts that the rule already exists.
  • Page 150: Configuring An Authentication Destination Subnet

    Step: Configure an authentication source subnet.
    Command: portal auth-network network-address { mask-length | mask }
    Remarks: Optional. By default, the authentication source subnet is 0.0.0.0/0, which means that users from any subnets must pass portal authentication. You can configure multiple authentication source subnets by executing this command more than once.
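    The following is an added example, not code from the guide or from Comware, that models the decision the access device makes for each packet of an unauthenticated host according to the rules above: traffic to the portal server or a portal-free destination passes, other HTTP traffic is redirected to the portal page, everything else is dropped until the user authenticates, and the two portal-free rule guidelines (interface must belong to the VLAN, no duplicate filtering criteria) are enforced when a rule is added. The interface name, VLAN ID, addresses and the handling of sources outside every authentication source subnet (dropped here) are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Added example (not Comware code): a model of the Layer 3 portal decision
# the access device makes per packet. Interface names, VLAN IDs and the
# 192.0.2.0/24 and 10.0.0.0/24 addresses in the demo are constructed.

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class FreeRule:
    """Portal-free rule: a packet matching every field that is set passes unauthenticated."""
    src: Optional[Net] = None
    dst: Optional[Net] = None
    interface: Optional[str] = None
    vlan: Optional[int] = None


@dataclass
class Packet:
    src: str
    dst: str
    interface: str
    vlan: int
    proto: str  # "http" for a web request, anything else otherwise


@dataclass
class PortalInterface:
    portal_server: ipaddress.IPv4Address
    interface_vlans: dict  # interface name -> VLAN it belongs to (assumed topology data)
    # Default authentication source subnet is 0.0.0.0/0: every source must authenticate.
    auth_networks: list = field(default_factory=lambda: [ipaddress.ip_network("0.0.0.0/0")])
    free_rules: list = field(default_factory=list)
    online_users: set = field(default_factory=set)  # source IPs that passed portal authentication

    def add_free_rule(self, rule: FreeRule) -> None:
        # Guideline: a rule naming both a VLAN and an interface only takes effect if the
        # interface belongs to that VLAN, so reject it instead of silently ignoring it.
        if rule.interface is not None and rule.vlan is not None:
            if self.interface_vlans.get(rule.interface) != rule.vlan:
                raise ValueError("interface does not belong to the VLAN; rule would not take effect")
        # Guideline: identical filtering criteria are rejected ("rule already exists").
        if rule in self.free_rules:
            raise ValueError("rule already exists")
        self.free_rules.append(rule)

    @staticmethod
    def _matches(rule: FreeRule, pkt: Packet) -> bool:
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return ((rule.src is None or src in rule.src)
                and (rule.dst is None or dst in rule.dst)
                and (rule.interface is None or rule.interface == pkt.interface)
                and (rule.vlan is None or rule.vlan == pkt.vlan))

    def decide(self, pkt: Packet) -> str:
        """Return ALLOW, REDIRECT (to the portal server) or DROP for one packet."""
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if pkt.src in self.online_users:
            return "ALLOW"  # authenticated user: normal forwarding
        if dst == self.portal_server or any(self._matches(r, pkt) for r in self.free_rules):
            return "ALLOW"  # the portal server and portal-free destinations need no authentication
        if not any(src in net for net in self.auth_networks):
            # Assumption of this model: a source outside every authentication source
            # subnet is not served. Check the platform's documented behaviour.
            return "DROP"
        if pkt.proto == "http":
            return "REDIRECT"  # HTTP to any other site is redirected to the portal page
        return "DROP"  # before authentication the user can reach only the portal server


def free_rule(src=None, dst=None, interface=None, vlan=None) -> FreeRule:
    """Build a FreeRule from prefix strings such as "192.0.2.20/32"."""
    return FreeRule(None if src is None else ipaddress.ip_network(src),
                    None if dst is None else ipaddress.ip_network(dst), interface, vlan)


def make_interface(portal_server: str, interface_vlans: dict,
                   auth_networks=("0.0.0.0/0",)) -> PortalInterface:
    return PortalInterface(ipaddress.ip_address(portal_server), dict(interface_vlans),
                           [ipaddress.ip_network(n) for n in auth_networks])


if __name__ == "__main__":
    pi = make_interface("192.0.2.10", {"GigabitEthernet3/0/2": 10}, ["10.0.0.0/24"])
    pi.add_free_rule(free_rule(dst="192.0.2.20/32"))  # e.g. a DNS server reachable before login
    for p in (Packet("10.0.0.5", "198.51.100.1", "GigabitEthernet3/0/2", 10, "http"),
              Packet("10.0.0.5", "192.0.2.20", "GigabitEthernet3/0/2", 10, "dns"),
              Packet("10.0.0.5", "198.51.100.1", "GigabitEthernet3/0/2", 10, "dns")):
        print(p.dst, p.proto, "->", pi.decide(p))
```

    The model makes explicit why a portal-free rule is the equivalent of an unauthenticated hole: any destination it names is reachable by every host on the interface, so keep such rules to the DNS, DHCP and portal infrastructure the login itself needs.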
  • Page 151: Specifying An Authentication Domain For Portal Users

    To set the maximum number of online portal users allowed in the system:
    Step: Enter system view. Command: system-view
    Step: Set the maximum number of online portal users. Command: portal max-user max-number. Remarks: By default, the maximum number of online portal users is the maximum...
  • Page 152: Specifying Nas-Port-Type For An Interface

    Step: Specify the NAS ID value carried in a RADIUS request.
    Command: In system view: portal nas-id nas-identifier. In interface view: interface interface-type interface-number, then portal nas-id nas-identifier.
    Remarks: By default, the device name configured by the sysname command is used as the NAS ID. For information about the sysname command, see Fundamentals...
  • Page 153: Specifying A Nas Id Profile For An Interface

    Step: Configure the NAS-Port-ID value.
    Command: portal nas-port-id nas-port-id-value
    Remarks: By default, no NAS-Port-ID value is specified for an interface, and the device uses the information obtained from the physical interface where the portal user accesses as the NAS-Port-ID value in a RADIUS request.
  • Page 154: Specifying A Source Ip Address For Outgoing Portal Packets

    IP address of outgoing portal packets. In NAT environments, HP recommends specifying the interface's public IP address as the source IP address of outgoing portal packets.
    Configuring portal stateful failover
    CAUTION: Specifying or changing the device ID of a device will log off all online users on the device.
  • Page 155
    • Specify the portal group to which the portal service backup interface belongs. Be sure to specify the same portal group for the portal service backup interfaces that back up each other on the two devices.
    • Specify the device ID. Make sure that the device ID of the local device is different from that of the peer device.
  • Page 156: Specifying An Autoredirection Url For Authenticated Portal Users

    Step: Specify a backup source IP address for outgoing RADIUS packets.
    Command: Use either approach. Approach 1: radius nas-backup-ip ip-address [ vpn-instance vpn-instance-name ]. Approach 2: ...
    Remarks: Optional. By default, no backup source IP address is specified. You do not need to specify the backup source IP address if the...
  • Page 157: Configuring The Portal Server Detection Function

    With online portal user detection enabled on an interface, the device periodically sends probe packets (ARP requests) to the portal users on the interface to check whether they are still online, so that portal users who go offline without logging off can be found.
    •...
  • Page 158 IMC portal server and make sure that the product of interval and retry is greater than or equal to the portal server heartbeat interval. HP recommends configuring the interval to be greater than the portal server heartbeat interval configured on the portal server.
  • Page 159: Configuring Portal User Information Synchronization

    HP recommends configuring the interval to be greater than the portal user heartbeat interval configured on the portal server.
  • Page 160: Displaying And Maintaining Portal

    Displaying and maintaining portal
    Task: Display the ACLs on a specific interface. Command: display portal acl { all | dynamic | static } interface interface-type interface-number [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
    Task: Display portal connection statistics. Command: display portal connection statistics { all | interface interface-type...
  • Page 161: Portal Configuration Examples

    Portal configuration examples Configuring direct portal authentication Network requirements As shown in Figure 52, the host is assigned with a public network IP address either manually or through DHCP. Configure the router to perform direct portal authentication for users on the host. Before a user passes portal authentication, the user can access only the portal server.
  • Page 162 Figure 53 Portal server configuration Configure the IP address group: Select User Access Manager > Portal Service > IP Group from the navigation tree to enter the portal IP address group configuration page. Click Add to enter the page shown in Figure Enter the IP group name.
  • Page 163 Enter the device name NAS, enter the IP address of the router's interface connected to the user, and enter the key, which must be the same as that configured on the router. Set whether to enable IP address reallocation. This example uses direct portal authentication, and therefore select No from the Reallocate IP list.
  • Page 164 Figure 57 Adding a port group Select User Access Manager > Service Parameters > Validate from the navigation tree to validate the configurations. Configuring the router Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <Router>...
  • Page 165: Configuring Re-Dhcp Portal Authentication

    Status: Portal running
    Portal server: newpt
    Portal backup-group: None
    Authentication type: Direct
    Authentication domain:
    Authentication network:
    The user can initiate portal authentication by using the HP iNode client or by accessing a webpage. All initiated requests are redirected to the portal authentication page http://192.168.0.111:8080/portal.
  • Page 166 Figure 58 Network diagram
    Configuration prerequisites and guidelines
    • Configure IP addresses for the router and servers as shown in Figure 58 and make sure the host, router, and servers can reach each other.
    • Configure the RADIUS server properly to provide authentication and authorization functions for...
  • Page 167: Configuring Cross-Subnet Portal Authentication

    [Router-radius-rs1] user-name-format without-domain [Router-radius-rs1] quit Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Router] domain dm1 # Configure AAA methods for the ISP domain. [Router-isp-dm1] authentication portal radius-scheme rs1 [Router-isp-dm1] authorization portal radius-scheme rs1 [Router-isp-dm1] quit # Configure domain dm1 as the default ISP domain for all users.
  • Page 168 Figure 59 Network diagram
    Configuration prerequisites and guidelines
    • Configure IP addresses for the host, routers, and servers as shown in Figure 59 and make sure they can reach each other.
    • Configure the RADIUS server properly to provide authentication and authorization functions for...
  • Page 169: Configuring Direct Portal Authentication With Extended Functions

    # Configure domain dm1 as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at logon, the authentication/authorization methods of the default domain are used for the user. [RouterA] domain default enable dm1 Configure portal authentication: # Configure the portal server as follows: Name: newpt...
  • Page 170 Figure 60 Network diagram
    Configuration prerequisites
    • Configure IP addresses for the host, router, and servers as shown in Figure 60 and make sure they can reach each other before extended portal is enabled.
    • Configure the RADIUS server properly to provide authentication and authorization functions for users.
  • Page 171: Configuring Re-Dhcp Portal Authentication With Extended Functions

    # Configure domain dm1 as the default ISP domain for all users. Then, if a user enters the username without the ISP domain at logon, the authentication/authorization methods of the default domain are used for the user. [Router] domain default enable dm1 Configure the ACL (ACL 3000 ) for resources on subnet 192.168.0.0/24 and the ACL (ACL 3001) for Internet resources: [Router] acl number 3000...
  • Page 172 Figure 61 Network diagram
    Configuration prerequisites and guidelines
    • Configure IP addresses for the router and servers as shown in Figure 61 and make sure the host, router, and servers can reach each other.
    • Configure the RADIUS server properly to provide authentication and authorization functions for...
  • Page 173 # Configure the IP address of the security policy server. [Router-radius-rs1] security-policy-server 192.168.0.114 [Router-radius-rs1] quit Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Router] domain dm1 # Configure AAA methods for the ISP domain. [Router-isp-dm1] authentication portal radius-scheme rs1 [Router-isp-dm1] authorization portal radius-scheme rs1 [Router-isp-dm1] quit...
  • Page 174: Configuring Cross-Subnet Portal Authentication With Extended Functions

    [Router-GigabitEthernet3/0/2] quit
    Configuring cross-subnet portal authentication with extended functions
    Network requirements
    As shown in Figure 62, configure Router A to perform extended cross-subnet portal authentication for users on the host. If a user fails security check after passing identity authentication, the user can access only subnet 192.168.0.0/24.
  • Page 175 [RouterA-radius-rs1] key authentication simple radius [RouterA-radius-rs1] user-name-format without-domain # Configure the IP address of the security policy server. [RouterA-radius-rs1] security-policy-server 192.168.0.113 [RouterA-radius-rs1] quit Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [RouterA] domain dm1 # Configure AAA methods for the ISP domain.
  • Page 176: Configuring Portal Stateful Failover(6600/Hsr6600)

    Configuring portal stateful failover(6600/HSR6600) Network requirements As shown in Figure 63, a failover link is present between Router A and Router B. Both Router A and Router B support portal authentication. Configure stateful failover between Router A and Router B to support portal service backup and use VRRP to implement traffic switchover between the routers.
  • Page 177 Configuring the portal server This example assumes that the portal server runs on IMC PLAT 5.1 SP1 (E0202P05) and IMC UAM 5.1 (E0301). Configure the portal server: Log in to IMC and select the Service tab. Select User Access Manager > Portal Service > Server from the navigation tree to enter the portal server configuration page, as shown in Figure Configure the portal server parameters as needed.
  • Page 178 Figure 65 Adding an IP address group Add a portal device: Select User Access Manager > Portal Service > Device from the navigation tree to enter the portal device configuration page. Click Add to enter the page shown in Figure Enter the device name NAS, enter the virtual IP address of the VRRP group that holds the portal-enabled interface, and enter the key, which must be the same as that configured on the routers.
  • Page 179 Figure 67 Device list On the port group configuration page, click Add to enter the page shown in Figure Enter the port group name. Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group. Use the default settings for other parameters.
  • Page 180 [RouterA-GigabitEthernet0/0/2] vrrp vrid 2 virtual-ip 192.168.0.1
    # Set the priority of GigabitEthernet0/0/2 in VRRP group 2 to 200.
    [RouterA-GigabitEthernet0/0/2] vrrp vrid 2 priority 200
    # On GigabitEthernet 0/0/2, configure the interface to be tracked as GigabitEthernet 0/0/1 and reduce the priority of GigabitEthernet 0/0/2 in VRRP group 2 by 150 when the interface state of GigabitEthernet 0/0/1 becomes Down or Removed.
  • Page 181 Configure portal stateful failover:
    # Assign interface GigabitEthernet0/0/1 to portal group 1.
    [RouterA-GigabitEthernet0/0/1] portal backup-group 1
    [RouterA-GigabitEthernet0/0/1] quit
    # Set the device ID for Router A in stateful failover mode to 1.
    [RouterA] nas device-id 1
    # Specify the source IP address of outgoing RADIUS packets as 192.168.0.1, the virtual IP address of VRRP group 2.
  • Page 182 Configure an authentication domain: # Create ISP domain dm1 and enter its view. [RouterB] domain dm1 # Configure AAA methods for the ISP domain. [RouterB-isp-dm1] authentication portal radius-scheme rs1 [RouterB-isp-dm1] authorization portal radius-scheme rs1 [RouterB-isp-dm1] quit # Configure domain dm1 as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at logon, the authentication/authorization methods of the default domain are used for the user.
  • Page 183: Configuring Portal Server Detection And Portal User Information Synchronization

    ACL:NONE
    Work-mode: primary
    VPN instance:NONE
    Vlan Interface
    ---------------------------------------------------------------------
    000d-88f8-0eac 9.9.1.2 GigabitEthernet0/0/1
    Total 1 user(s) matched, 1 listed.
    [RouterB] display portal user all
    Index:2
    State:ONLINE
    SubState:NONE
    ACL:NONE
    Work-mode: secondary
    VPN instance:NONE
    Vlan Interface
    ---------------------------------------------------------------------
    000d-88f8-0eac 9.9.1.2 GigabitEthernet0/0/1
    Total 1 user(s) matched, 1 listed.
    The output shows that both Router A and Router B have the user's information.
  • Page 184 Figure 69 Network diagram Configuration considerations Configure the portal server and enable portal server heartbeat function and the portal user heartbeat function. Configure the RADIUS server to implement authentication and authorization. Configure direct portal authentication on interface GigabitEthernet 3/0/2, which is directly connected with the host.
  • Page 185 Figure 70 Portal server configuration Configure the IP address group: Select User Access Manager > Portal Service > IP Group from the navigation tree to enter the portal IP address group configuration page. Click Add to enter the page shown in Figure Enter the IP group name.
  • Page 186 Enter the device name NAS. Enter the IP address of the router's interface connected to the user. Enter the key, which must be the same as that configured on the router. Set whether to enable IP address reallocation. This example uses direct portal authentication, and therefore select No from the Reallocate IP list.
  • Page 187 Figure 74 Adding a port group Select User Access Manager > Service Parameters > Validate from the navigation tree to validate the configurations. Configuring the router Configure a RADIUS scheme: # Create RADIUS scheme rs1 and enter its view. <Router> system-view [Router] radius scheme rs1 # Configure the server type for the RADIUS scheme.
  • Page 188: Cross-Subnet Portal Authentication Across VPNs

    [Router] portal server newpt user-sync interval 600 retry 2 The product of interval and retry must be greater than or equal to the portal user heartbeat interval, and HP recommends configuring the interval to be greater than the portal user heartbeat interval configured on the portal server.
  • Page 189 Figure 75 Network diagram Configuration prerequisites Before enabling portal authentication, be sure to configure the MPLS L3VPN capabilities properly • and specify VPN targets for VPN 1 and VPN 3 so that VPN 1 and VPN 3 can communicate with each other.
  • Page 190: Troubleshooting Portal

    # Configure domain dm1 as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at logon, the authentication/authorization methods of the default domain are used for the user. [RouterA] domain default enable dm1 Configure portal authentication: # Configure the portal server as follows: Name: newpt...
  • Page 191: Incorrect Server Port Number On The Access Device

    Analysis
    The keys on the access device and those on the portal server are not configured consistently, causing CHAP message exchange failure. As a result, the portal server does not display the authentication page.
    Solution
    • Use the display portal server command to display the key for the portal server on the access device...
  • Page 192: Configuring Port Security

    This automatic mechanism enhances network security and reduces human intervention. For scenarios that require only 802.1X authentication or MAC authentication, HP recommends you use the 802.1X authentication or MAC authentication feature rather than port security.
  • Page 193: Port Security Modes

    Port security modes
    Port security supports the following categories of security mode:
    • MAC learning control—Includes autoLearn and secure. MAC address learning is permitted on ports in autoLearn mode and disabled on ports in secure mode.
    • Authentication—Implements MAC authentication, 802.1X authentication, or a combination of the...
  • Page 194 TIP: • userLogin specifies 802.1X authentication and port-based access control. • macAddress specifies MAC authentication. • Else specifies that the authentication method before Else is applied first. If the authentication fails, whether to turn to the authentication method following Else depends on the protocol type of the authentication request. •...
  • Page 195: Working With Guest Vlan And Auth-Fail Vlan

    Performing MAC authentication
    macAddressWithRadius: A port in this mode performs MAC authentication and services multiple users.
    Performing a combination of MAC authentication and 802.1X authentication
    • macAddressOrUserLoginSecure: This mode is the combination of the macAddressWithRadius and userLoginSecure modes. The port performs MAC authentication 30 seconds after receiving non-802.1X frames and performs 802.1X authentication upon receiving 802.1X frames.
  • Page 196: Enabling Port Security

    Enabling port security When port security is enabled, you cannot manually enable 802.1X or MAC authentication, or change the access control mode or port authorization state. The port security automatically modifies these settings in different security modes. Before you enable port security, disable 802.1X and MAC authentication globally. To enable port security: Step Command...
  • Page 197: Setting The Port Security Mode

    Setting the port security mode After enabling port security, you can change the port security mode of a port only when the port is operating in noRestrictions (the default) mode. To change the port security mode for a port in any other mode, first use the undo port-security port-mode command to restore the default port security mode.
  • Page 198: Configuring Port Security Features

    Configuring port security features
    Configuring NTK
    The NTK feature checks destination MAC addresses in outbound frames to make sure frames are forwarded only to authenticated devices. Any unicast frame with an unknown destination MAC address is discarded. Not all port security modes support triggering the NTK feature; for more information, see Table. The NTK feature supports the following modes: ntkonly—Forwards only unicast frames with authenticated destination MAC addresses.
  • Page 199: Enabling Port Security Traps

    Step: Configure the intrusion protection feature. Command: port-security intrusion-mode { blockmac | disableport | disableport-temporarily }. Remarks: By default, intrusion protection is disabled.
    Step: Return to system view. Command: quit
    Step: Set the silence timeout period during which a port remains disabled. Command: port-security timer disableport time-value. Remarks: Optional. 20 seconds by default.
  • Page 200: Configuration Prerequisites

    Table 9 A comparison of static, sticky, and dynamic secure MAC addresses
    Type: Static. Address sources: Manually added. Aging mechanism: Not available. They never age out unless you manually remove them, change the port security mode, or disable the port security feature. Can be saved and survive a device reboot? Yes.
  • Page 201: Ignoring Authorization Information From The Server

    Step: Set the secure MAC aging timer. Command: port-security timer autolearn aging time-value. Remarks: Optional. By default, secure MAC addresses do not age out, and you can remove them only by performing the undo port-security mac-address security command, changing the port security mode, or disabling the port security feature.
  • Page 202: Displaying And Maintaining Port Security

    Displaying and maintaining port security
    Task: Display port security configuration information, operation information, and statistics about one or more ports or all ports. Command: display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
    Task: Display information about secure MAC addresses. Command: display port-security mac-address security [ interface interface-type interface-number ] [ vlan...
  • Page 203 [Router] port-security trap intrusion [Router] interface gigabitethernet 3/0/1 # Set port security's limit on the number of MAC addresses to 64 on the port. [Router-GigabitEthernet3/0/1] port-security max-mac-count 64 # Set the port security mode to autoLearn. [Router-GigabitEthernet3/0/1] port-security port-mode autolearn # Configure the port to be silent for 30 seconds after the intrusion protection feature is triggered.
  • Page 204: Configuring The Userloginwithoui Mode

    Perform the display port-security interface command after the number of MAC addresses learned by the port reaches 64, and you can see that the port security mode has changed to secure. When any frame with a new MAC address arrives, intrusion protection is triggered and you can see the following trap message: #Jul 14 10:39:47:135 2009 Router PORTSEC/4/VIOLATION: -Slot=3;...
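    The following is an added example, not code from the guide or from Comware, that models the behaviour the preceding pages describe: a port in autoLearn mode learns secure MAC addresses up to its limit and then switches to secure mode, a frame from an unknown source MAC in secure mode triggers intrusion protection (blockmac, disableport or disableport-temporarily with the disableport timer), and the ntkonly NTK mode on egress forwards only unicast frames to authenticated MAC addresses. The MAC addresses and timer values are constructed; the trap string is a stand-in for the PORTSEC/4/VIOLATION message, not its real format, and time is passed in as a plain number so the model runs deterministically.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Added example (not Comware code): one autoLearn port with the intrusion
# protection and NTK behaviour the guide describes. MAC addresses are
# constructed; the trap text is a stand-in, not the device's log format.

BROADCAST = "ffff-ffff-ffff"


def is_multicast(mac: str) -> bool:
    """Comware "xxxx-xxxx-xxxx" notation: the I/G bit is the low bit of the first octet."""
    return int(mac[:2], 16) & 1 == 1


@dataclass
class SecurePort:
    max_mac_count: int                              # port-security max-mac-count
    intrusion_mode: str = "disableport-temporarily"  # blockmac | disableport | disableport-temporarily
    disableport_timeout: float = 20.0               # port-security timer disableport; 20 s by default
    ntk_mode: Optional[str] = None                  # None (NTK off) or "ntkonly"
    mode: str = "autoLearn"
    secure_macs: Set[str] = field(default_factory=set)
    blocked_macs: Set[str] = field(default_factory=set)
    disabled_until: Optional[float] = None          # None = port up; inf = down until re-enabled by hand
    traps: List[str] = field(default_factory=list)

    def port_disabled(self, now: float) -> bool:
        return self.disabled_until is not None and now < self.disabled_until

    def ingress(self, src_mac: str, now: float = 0.0) -> str:
        """Classify an inbound frame by its source MAC under the current port security mode."""
        if self.port_disabled(now):
            return "DROP(port disabled)"
        if src_mac in self.blocked_macs:
            return "DROP(blocked MAC)"
        if src_mac in self.secure_macs:
            return "FORWARD"
        if self.mode == "autoLearn":
            self.secure_macs.add(src_mac)
            if len(self.secure_macs) >= self.max_mac_count:
                self.mode = "secure"  # limit reached: the autoLearn -> secure transition
            return "FORWARD(learned)"
        # secure mode: a frame from an unknown source MAC triggers intrusion protection
        self.traps.append(f"PORTSEC/4/VIOLATION: unknown source {src_mac} (stand-in text)")
        if self.intrusion_mode == "blockmac":
            self.blocked_macs.add(src_mac)  # this model keeps the MAC blocked until cleared
        elif self.intrusion_mode == "disableport":
            self.disabled_until = float("inf")
        else:
            self.disabled_until = now + self.disableport_timeout  # silent for the timer period
        return "DROP(intrusion)"

    def egress(self, dst_mac: str) -> str:
        """NTK check on an outbound frame's destination MAC."""
        if self.ntk_mode is None:
            return "FORWARD"
        if self.ntk_mode == "ntkonly":
            # ntkonly forwards only unicast frames whose destination is an authenticated MAC.
            if dst_mac == BROADCAST or is_multicast(dst_mac) or dst_mac not in self.secure_macs:
                return "DROP(NTK)"
            return "FORWARD"
        raise ValueError(f"NTK mode {self.ntk_mode!r} is not modelled here")


if __name__ == "__main__":
    port = SecurePort(max_mac_count=3, disableport_timeout=30.0, ntk_mode="ntkonly")
    for mac in ("0001-0000-0001", "0001-0000-0002", "0001-0000-0003", "0001-0000-0099"):
        print(mac, port.ingress(mac, now=100.0), port.mode)
    print("broadcast egress:", port.egress(BROADCAST))
    for trap in port.traps:
        print(trap)
```

    Note how disableport-temporarily turns a single spoofed source MAC into a denial of service for every legitimate host on the port for the timer period; blockmac confines the damage to the offending address, which is usually the better default on user-facing ports.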
  • Page 205
    • Allow up to 16 OUI values to be configured and allow one terminal that uses any of the OUI values to access the port in addition to an 802.1X user.
    Figure 77 Network diagram
    Configuration procedure
    The following configuration steps cover some AAA/RADIUS configuration commands. For more information about the commands, see Security Command Reference.
  • Page 206 [Router] port-security enable # Add five OUI values. [Router] port-security oui 1234-0100-1111 index 1 [Router] port-security oui 1234-0200-1111 index 2 [Router] port-security oui 1234-0300-1111 index 3 [Router] port-security oui 1234-0400-1111 index 4 [Router] port-security oui 1234-0500-1111 index 5 [Router] interface gigabitethernet 3/0/1 # Set the port security mode to userLoginWithOUI.
  • Page 207 Quiet-interval(min) Username format : without-domain Data flow unit : Byte Packet unit : one # Display the configuration of the ISP domain sun. [Router] display domain sun Domain : sun State : Active Access-limit : 30 Accounting method : Required Default authentication scheme : radius:radsun Default authorization scheme...
  • Page 208 Proxy logoff checker is disabled EAD quick deploy is disabled Configuration: Transmit Period 30 s, Handshake Period 15 s Quiet Period 60 s, Quiet Period Timer is disabled Supp Timeout 30 s, Server Timeout 100 s Reauth Period 3600 s The maximal retransmitting times EAD quick deploy configuration: EAD timeout:...
  • Page 209: Configuring The Macaddresselseuserloginsecure Mode

    [Router] display mac-address interface gigabitethernet 3/0/1
    MAC ADDR        VLAN ID   STATE     PORT INDEX             AGING TIME(s)
    1234-0300-0011            Learned   GigabitEthernet3/0/1   AGING
    1 mac address(es) found
    Configuring the macAddressElseUserLoginSecure mode
    Network requirements
    As shown in Figure 77, a client is connected to the Router through GigabitEthernet 3/0/1. The Router authenticates the client by a RADIUS server.
  • Page 210 # Set the NTK mode of the port to ntkonly. [Router-GigabitEthernet3/0/1] port-security ntk-mode ntkonly [Router-GigabitEthernet3/0/1] quit Verifying the configuration # Display the port security configuration. [Router] display port-security interface gigabitethernet 3/0/1 Equipment port-security is enabled Intrusion trap is enabled AutoLearn aging time is 30 minutes Disableport Timeout: 30s OUI value: GigabitEthernet3/0/1 is link-up...
  • Page 211 1234-0300-0013 MAC_AUTHENTICATOR_SUCCESS # Display 802.1X authentication information. <Router> display dot1x interface GigabitEthernet 3/0/1 Equipment 802.1X protocol is enabled CHAP authentication is enabled Proxy trap checker is disabled Proxy logoff checker is disabled EAD quick deploy is disabled Configuration: Transmit Period 30 s, Handshake Period 15 s...
  • Page 212: Troubleshooting Port Security

    1. Authenticated user : MAC address: 0002-0000-0011
    Controlled User(s) amount to 1
    As NTK is enabled, frames with an unknown destination MAC address, multicast address, or broadcast address will be discarded.
    Troubleshooting port security
    Cannot set the port security mode
    Symptom
    Cannot set the port security mode.
  • Page 213: Cannot Change Port Security Mode When A User Is Online

    Cannot change port security mode when a user is online
    Symptom
    Port security mode cannot be changed when an 802.1X authenticated or MAC authenticated user is online.
    [Router-GigabitEthernet3/0/1] undo port-security port-mode
    Error:Cannot configure port-security for there is 802.1X user(s) on line on port GigabitEthernet3/0/1.
  • Page 214: Configuring A User Profile

    Configuring a user profile Overview A user profile provides a configuration template to save predefined configurations, such as a Quality of Service (QoS) policy. Different user profiles are applicable to different application scenarios. The user profile implements service applications on a per-user basis. Every time a user accesses the device, the device automatically applies the configurations in the user profile that is associated only with this user.
  • Page 215: Performing Configurations In User Profile View

    Step: Enter system view. Command: system-view
    Step: Create a user profile, and enter its view. Command: user-profile profile-name. Remarks: You can use the command to enter the view of an existing user profile.
    Performing configurations in user profile view
    After a user profile is created, perform configurations in user profile view. The configuration made in user profile view takes effect when the user profile is enabled and a user using the user profile goes online.
  • Page 216: Configuring Password Control

    Configuring password control Overview Password control refers to a set of functions provided by the local authentication server to control user login passwords, super passwords, and user login status based on predefined policies. The rest of this section describes password control functions in detail. •...
  • Page 217 Password history • With this feature enabled, the system maintains certain entries of passwords that a user has used. When a user changes the password, the system checks the new password against the history passwords and the current password. The new password must be different from the used ones by at least four characters and the four characters must not be the same.
  • Page 218: Fips Compliance

    In FIPS mode, a password must contain four types of characters and each type contains at least one character. When a user sets or changes the password, the system checks if the password meets the composition requirement. If not, the system displays an error message. Password complexity checking policy •...
  • Page 219: Enabling Password Control

    • Settings in local user view apply only to the password of the local user.
    • Settings in user group view apply to the passwords of the local users in the user group if you do not configure password policies for these users in local user view.
    • Global settings in system view have the following application situations:
    •...
  • Page 220: Setting Global Password Control Parameters

    Step: Enable a specific password control function. Command: password-control { aging | composition | history | length } enable. Remarks: Optional. All of the four password control functions are enabled by default.
    After global password control is enabled, local user passwords configured on the device are not displayed when you use the corresponding display command.
  • Page 221: Setting User Group Password Control Parameters

    Step: Specify the maximum number of login attempts and the action to be taken when a user fails to log in after the specified number of attempts. Command: password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]. Remarks: Optional. By default, the maximum number of login attempts is 3 and a user failing to log in after the...
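    The following is an added example, not code from the guide or from Comware, that models the password control checks described on the preceding pages: minimum length, composition (number of character types and minimum characters per type, with all four types required in FIPS mode), the history check against previous passwords, and the login-attempt limit with the exceed actions lock, lock-time and unlock. Two points are assumptions rather than statements of the guide: the history rule "differ by at least four characters" is implemented as at least four differing positions, and the lock-time default of one minute stands in for the remark the page truncates.

```python
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example (not Comware code): a model of the local-server password control
# policy. Assumptions: "differs by at least four characters" is read as four
# differing positions, and 60 s is used as the lock-time default.


def char_type(ch: str) -> str:
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.digits:
        return "digit"
    return "special"


def differing_positions(a: str, b: str) -> int:
    """Positions where a and b differ; extra length counts one per character."""
    return sum(1 for i in range(max(len(a), len(b)))
               if i >= len(a) or i >= len(b) or a[i] != b[i])


@dataclass
class PasswordPolicy:
    min_length: int = 10      # global minimum password length
    min_types: int = 1        # composition: number of character types required
    min_per_type: int = 1     # composition: minimum characters of each type present
    history_size: int = 4     # number of previous passwords kept for the history check
    fips: bool = False        # FIPS mode: all four types, at least one character each

    def check(self, new: str, history: List[str], current: Optional[str] = None) -> List[str]:
        """Return the list of violated rules; an empty list means the password is acceptable."""
        problems = []
        if len(new) < self.min_length:
            problems.append(f"length {len(new)} < minimum {self.min_length}")
        counts: Dict[str, int] = {}
        for ch in new:
            counts[char_type(ch)] = counts.get(char_type(ch), 0) + 1
        types_needed = 4 if self.fips else self.min_types
        if len(counts) < types_needed:
            problems.append(f"{len(counts)} character type(s), need {types_needed}")
        short = sorted(t for t, n in counts.items() if n < self.min_per_type)
        if short:
            problems.append(f"fewer than {self.min_per_type} characters of type(s) {', '.join(short)}")
        previous = history[-self.history_size:] + ([current] if current else [])
        if any(differing_positions(new, old) < 4 for old in previous):
            problems.append("differs from a current or previous password by fewer than 4 characters")
        return problems


@dataclass
class LoginAttemptControl:
    max_attempts: int = 3              # password-control login-attempt default
    exceed_action: str = "lock-time"   # lock | lock-time | unlock
    lock_time_s: float = 60.0          # assumed default (remark truncated on the page)
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def attempt(self, user: str, password_ok: bool, now: float = 0.0) -> str:
        until = self.locked_until.get(user)
        if until is not None and now < until:
            return "DENIED(locked)"  # locked users are refused even with the right password
        if password_ok:
            self.failures.pop(user, None)
            self.locked_until.pop(user, None)
            return "OK"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_attempts:
            self.failures[user] = 0
            if self.exceed_action == "lock":
                self.locked_until[user] = float("inf")   # permanently prohibited
            elif self.exceed_action == "lock-time":
                self.locked_until[user] = now + self.lock_time_s
            # "unlock": no lock, the user may keep trying
            return "DENIED(limit reached)"
        return "DENIED"


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=12, min_types=2, min_per_type=5)  # the guide's local-user example
    print(policy.check("abcdefgh1234", []))
    ctl = LoginAttemptControl(max_attempts=2, exceed_action="lock")
    print([ctl.attempt("ftpuser", False), ctl.attempt("ftpuser", False), ctl.attempt("ftpuser", True)])
```

    The exceed lock action is the one the configuration example on the following pages uses for FTP and VTY users; note that it also lets anyone who can reach the login prompt lock an administrator out permanently with two wrong guesses, which is why lock-time is the usual choice on management interfaces.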
  • Page 222: Setting Local User Password Control Parameters

    Setting local user password control parameters
    Step: Enter system view. Command: system-view
    Step: Create a local user and enter local user view. Command: local-user user-name
    Step: Configure the password aging time. Command: password-control aging aging-time. Remarks: Optional. By default, the setting equals that for the user group to which the local user belongs.
  • Page 223: Setting A Local User Password In Interactive Mode

    Step: Configure the minimum length for super passwords. Command: password-control super length length. Remarks: Optional. By default, the minimum super password length is the same as the global minimum password length.
    Step: Configure the password composition policy for super passwords. Command: password-control super composition type-number. Remarks: Optional. By default, the super password composition policy is the same as...
  • Page 224: Password Control Configuration Example

    Password control configuration example
    Network requirements
    Implement the following global password control policy:
    • An FTP or VTY user failing to provide the correct password in two successive login attempts is permanently prohibited from logging in.
    • A user can log in five times within 60 days after the password expires.
    •...
  • Page 225 [Sysname] super password level 3 simple 12345ABGFTweuix # Create a local user named test. [Sysname] local-user test # Set the service type of the user to Telnet. [Sysname-luser-test] service-type telnet # Set the minimum password length to 12 for the local user. [Sysname-luser-test] password-control length 12 # Specify that the passwords of the local user must contain at least two types of valid characters and each type contains at least five characters.
  • Page 226 State: Active ServiceType: telnet Access-limit: Disable Current AccessNum: 0 User-group: system Bind attributes: Authorization attributes: Password aging: Enabled (20 days) Password length: Enabled (12 characters) Password composition: Enabled (2 types, 5 characters per type) Total 1 local user(s) matched.
  • Page 227: Configuring Rsh

    Configuring RSH

    Remote shell (RSH) allows users to execute OS commands on a remote host that runs the RSH daemon. Windows NT, 2000, XP, and 2003 ship without an RSH daemon; the daemon must be obtained separately and installed on the remote host. The RSH daemon authenticates an RSH client by username only, and the commands and their output travel in clear text, so use RSH only across a trusted management network.
  • Page 228

    Figure 79 Network diagram

    Configuration procedure

    1. Check that the RSH daemon has been installed and started properly on the remote host:
       a. From the Windows Control Panel, open the Administrative Tools folder. (For Windows XP, if you use the category view of the Control Panel window, select Administrative Tools from Performance and Maintenance.)

    Figure 80 Administrative Tools folder

       b. Double-click the Services icon to display the Services window.
  • Page 229

       c. Look at the Status column to check whether the Remote Shell Daemon service is started. In this example, the service is not started yet.
       d. Double-click the Remote Shell Daemon service row, and then, in the Remote Shell Daemon Properties window that opens, click Start to start the service, as shown in Figure 82.

    Figure 82 Remote Shell Daemon Properties window

    2. Configure the router:...
  • Page 230: Managing Public Keys

    Managing public keys

    To protect data confidentiality during transmission, the data sender uses an algorithm and a key to encrypt the plain text data before sending the data out. The receiver uses the same algorithm with the help of a key to decrypt the data, as shown in Figure 83.

    Figure 83 Encryption and decryption

    The keys that participate in the conversion between plain text and cipher text can be the same or different,...
  • Page 231: Creating A Local Asymmetric Key Pair

    Complete these tasks to configure public keys:
    • Configuring a local asymmetric key pair on the local device (choose one or more tasks):
      - Creating a local asymmetric key pair
      - Displaying or exporting the local host public key
      - Destroying a local asymmetric key pair
    • Specifying the peer public key on the local device

    Creating a local asymmetric key pair

    When you create an asymmetric key pair on the local device, follow these guidelines:...
  • Page 232: Displaying Or Exporting The Local Host Public Key

    Displaying or exporting the local host public key In some applications, such as SSH, to allow your local device to be authenticated by a peer device through digital signature, you must display or export the local host public key, which will then be specified on the peer device.
  • Page 233: Exporting The Host Public Key In A Specific Format To A File

    Exporting the host public key in a specific format to a file

    Step 1. Enter system view: system-view
    Step 2. Export the local host public key in a specific format to a file (use at least one command):
    • Export the RSA host public key: public-key local export rsa { openssh | ssh1 | ssh2 } filename
  • Page 234: Displaying Public Keys

    ...the intended asymmetric key pair.

    • Manually configure the public key (input the public key). Remarks: The recorded public key must be in the correct format, or the manual configuration of a format-incompliant public key will fail. If the peer device is an HP device, use the display public-key local { dsa | rsa } public command on the peer to display the key in the expected format...
  • Page 235: Public Key Configuration Examples

    Public key configuration examples

    Manually specifying the peer public key on the local device

    Network requirements

    As shown in Figure 84, to prevent illegal access, Router B (the local device) authenticates Router A (the peer device) through a digital signature. Before configuring authentication parameters on Router B, configure the public key of Router A on Router B.
  • Page 236

    8B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001
    =====================================================
    Time of Key pair created: 09:50:07 2007/08/07
    Key name: SERVER_KEY
    Key type: RSA Encryption Key
    =====================================================
    Key code:
    307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB61
    58E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3
    CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F020301000

    Configure Router B:
    # Configure the host public key of Router A's RSA key pairs on Router B. In public key code view, enter the host public key of Router A.
  • Page 237: Importing A Public Key From A Public Key File

    The output shows that the host public key of Router A saved on Router B is consistent with the one created on Router A.

    Importing a public key from a public key file

    Network requirements

    As shown in Figure 85, to prevent illegal access, Router B (the local device) authenticates Router A (the peer device) through a digital signature.
  • Page 238

    8B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001
    =====================================================
    Time of Key pair created: 09:50:07 2007/08/07
    Key name: SERVER_KEY
    Key type: RSA Encryption Key
    =====================================================
    Key code:
    307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB61
    58E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3
    CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F020301000
    # Export the RSA host public key HOST_KEY to a file named routera.pub.
    [RouterA] public-key local export rsa ssh2 routera.pub
    Enable the FTP server function on Router A:
    # Enable the FTP server function, and create an FTP user with the username ftp, password 123, and user level 3.
  • Page 239

    <RouterB> system-view
    [RouterB] public-key peer routera import sshkey routera.pub
    # Display the host public key of Router A on Router B.
    [RouterB] display public-key peer name routera
    =====================================
    Key Name : routera
    Key Type : RSA
    Key Module: 1024
    =====================================
    Key Code:
    30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F...
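
The file-based exchange on pages 237 to 239 is shown below end to end as an added example by the editor; it is not a listing from the guide. Router A's address 10.1.1.1, the FTP credentials, the key name routera and the cleanup at the end are assumptions. The point a practitioner should take from it is that FTP moves the file but does not authenticate it: the key code must be compared on both routers before the peer key is trusted.

```text
# ---- Router A: key owner ----
<RouterA> system-view
# Generate the RSA host and server key pairs; accept the default modulus or enter a larger one at the prompt (the page's display shows a 1024-bit key).
[RouterA] public-key local create rsa
# Export the host public key in SSH2 format to the root directory of the storage medium.
[RouterA] public-key local export rsa ssh2 routera.pub
# Record the Key code: this is the reference value to compare against on Router B.
[RouterA] display public-key local rsa public
# Serve the file with a dedicated FTP account (placeholder credentials; the page uses ftp/123).
[RouterA] ftp server enable
[RouterA] local-user ftp
[RouterA-luser-ftp] password simple 12345FTPUSERabcde
[RouterA-luser-ftp] service-type ftp
[RouterA-luser-ftp] authorization-attribute level 3
[RouterA-luser-ftp] quit

# ---- Router B: verifier ----
# Fetch the file; log in with the ftp account when prompted.
<RouterB> ftp 10.1.1.1
[ftp] get routera.pub
[ftp] quit
# Import the key under the name routera; SSH and IKE configuration reference the peer key by this name.
<RouterB> system-view
[RouterB] public-key peer routera import sshkey routera.pub
# Compare the Key Code printed here, digit for digit, with the Key code from
# "display public-key local rsa public" on Router A. FTP carried the file in clear text,
# so this comparison (ideally over the console or another out-of-band channel) is what authenticates the key.
[RouterB] display public-key peer name routera

# ---- Router A: cleanup once the key is trusted (assumes FTP is not otherwise needed) ----
[RouterA] undo ftp server
[RouterA] undo local-user ftp
```

If no file transfer path is acceptable, the same key can be typed on Router B in public key code view (public-key peer routera, then public-key-code begin), which is the manual method of the preceding example; the comparison step is the same either way.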
  • Page 240: Configuring Pki

    With digital certificates, the PKI system provides network communication and e-commerce with security services such as user authentication, data non-repudiation, data confidentiality, and data integrity. HP's PKI system provides certificate management for IPsec and SSL.

    PKI terms

    Digital certificate: A digital certificate is a file signed by a certificate authority (CA) for an entity.
  • Page 241: Pki Architecture

    CA policy: A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revoking certificates, and publishing CRLs. Usually, a CA advertises its policy in the form of a certification practice statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, and email.
  • Page 242: Pki Operation

    PKI operation

    In a PKI-enabled network, an entity can request a local certificate from the CA and the device can check the validity of certificates. Here is how it works:
    1. An entity submits a certificate request to the RA.
    2. The RA reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the CA.
  • Page 243: Configuring A Pki Entity

    • Requesting a certificate (required; use either method):
      - Configuring automatic certificate request
      - Manually requesting a certificate
    • Obtaining certificates (optional)
    • Verifying PKI certificates (optional)
    • Destroying the local RSA key pair (optional)
    • Removing a certificate (optional)
    • Configuring an access control policy (optional)
  • Page 244: Configuring A Pki Domain

    Sometimes, the registration management function is provided by the CA, in which case no independent RA is required. HP recommends that you deploy an independent RA.
    • URL of the registration server—An entity sends a certificate request to the registration server...
  • Page 245

    needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed. You can configure the polling interval and count to query the request status.
    • IP address of the LDAP server—An LDAP server is usually deployed to store certificates and CRLs.
    • ...
  • Page 246: Requesting A Certificate

    Requesting a certificate

    When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate. A certificate request can be submitted to a CA in offline mode or online mode. In offline mode, a certificate request is submitted to a CA by an "out-of-band"...
  • Page 247: Obtaining Certificates

    • If a PKI domain already has a local certificate, you cannot request another certificate for it. This helps avoid inconsistency between the certificate and the registration information resulting from configuration changes. Before requesting a new certificate, use the pki delete-certificate command to delete the existing local certificate and the CA certificate stored locally.
  • Page 248: Verifying Pki Certificates

    If a PKI domain already has a CA certificate, you cannot obtain another CA certificate for it. This restriction helps avoid inconsistency between the certificate and the registration information resulting from configuration changes. To obtain a new CA certificate, use the pki delete-certificate command to delete the existing CA certificate and the local certificate first.
  • Page 249: Verifying Pki Certificates Without Crl Checking

    • Return to system view: quit
    • Obtain the CA certificate: see "Obtaining certificates"
    • Obtain the CRLs: pki retrieval-crl domain domain-name (This command is not saved in the configuration file.)
    • Verify the validity of a certificate: pki validate-certificate { ca | local } domain domain-name
  • Page 250: Configuring An Access Control Policy

    • Delete certificates: pki delete-certificate { ca | local } domain domain-name

    Configuring an access control policy

    By configuring a certificate attribute-based access control policy, you can further control access to the server, providing additional security for the server. To configure a certificate attribute-based access control policy:...
  • Page 251: Pki Configuration Examples

    • Display information about one or all certificate attribute-based access control policies: display pki certificate access-control-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ] (Available in any view.)

    PKI configuration examples

    The SCEP add-on is required when you use the Windows Server as the CA.
  • Page 252

    After the configuration, make sure the system clock of the device is synchronous to that of the CA, so that the device can request certificates and obtain CRLs properly.

    Configuring the router

    1. Configure the entity DN:
    # Configure the entity name as aaa and the common name as router.
    <Router>...
  • Page 253

    SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8
    Is the finger print correct?(Y/N):y
    Saving CA/RA certificates chain, please wait a moment......
    CA certificates retrieval success.
    # Obtain CRLs and save them locally.
    [Router] pki retrieval-crl domain torsa
    Connecting to server for retrieving CRL. ...
  • Page 254: Certificate Request From A Windows 2003 Ca Server

  • Page 254

    19103439 3D4F9359 88FB59F3 8D4B2F6C
    Exponent: 65537 (0x10001)
    X509v3 extensions:
    X509v3 CRL Distribution Points:
    URI:http://4.4.4.133:447/myca.crl
    You can also use the display pki certificate ca domain and display pki crl domain commands to display detailed information about the CA certificate and CRLs.

    Certificate request from a Windows 2003 CA server

    Network requirements

    Configure PKI entity Router to request a local certificate from the CA server.
  • Page 255 Specify the path for certificate service in the Local path text box. To avoid conflict with existing services, specify an available port number as the TCP port number of the default website. After completing the configuration, check that the system clock of the router is synchronous to that of the CA server, so that the router can request a certificate normally.
  • Page 256

    SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4
    Is the finger print correct?(Y/N):y
    Saving CA/RA certificates chain, please wait a moment......
    CA certificates retrieval success.
    # Request a local certificate manually.
    [Router] pki request-certificate domain torsa challenge-word
    Certificate is being requested, please wait......
  • Page 257: Ike Negotiation With Rsa Digital Signature

    keyid:9D823258 EADFEFA2 4A663E75 F416B6F6 D41EE4FE
    X509v3 CRL Distribution Points:
    URI:http://l00192b/CertEnroll/CA%20server.crl
    URI:file://\\l00192b\CertEnroll\CA server.crl
    Authority Information Access:
    CA Issuers - URI:http://l00192b/CertEnroll/l00192b_CA%20server.crt
    CA Issuers - URI:file://\\l00192b\CertEnroll\l00192b_CA server.crt
    1.3.6.1.4.1.311.20.2: .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e
    You can also use the display pki certificate ca domain command to display more information about the CA certificate.
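
The RSA Keon and Windows 2003 CA walk-throughs on pages 251 to 257 are cut into fragments above. The block below is an added example by the editor, not a listing from the guide: one complete SCEP enrollment in the order the guide's task list prescribes (entity, domain, key pair, CA certificate, CRL, local certificate, validation). The entity IP address, the CA identifier myca, the enrollment URL path, the polling values and the CRL URL are placeholders that depend on the CA; the domain name torsa and the command forms are from the page.

```text
<Router> system-view
# 1. Entity: the DN that goes into the request (name aaa and common name router as on pages 252 and 255; the IP is an assumption).
[Router] pki entity aaa
[Router-pki-entity-aaa] common-name router
[Router-pki-entity-aaa] ip 4.4.4.1
[Router-pki-entity-aaa] quit
# 2. Domain: which CA, where to enroll, where to fetch CRLs. The URL path is CA-specific (placeholder).
[Router] pki domain torsa
[Router-pki-domain-torsa] ca identifier myca
[Router-pki-domain-torsa] certificate request url http://4.4.4.133:446/scep-endpoint
[Router-pki-domain-torsa] certificate request from ra
[Router-pki-domain-torsa] certificate request entity aaa
# Poll the RA every 20 minutes, up to 50 times, while the request waits for approval (page 245; values assumed).
[Router-pki-domain-torsa] certificate request polling interval 20
[Router-pki-domain-torsa] certificate request polling count 50
# CRL checking stays enabled (the default); the CRL distribution point is the one shown in the page 254 certificate.
[Router-pki-domain-torsa] crl url http://4.4.4.133:447/myca.crl
[Router-pki-domain-torsa] quit
# 3. Key pair that the certificate will bind to; accept or enlarge the modulus at the prompt.
[Router] public-key local create rsa
# 4. Before going further, make sure the router clock agrees with the CA clock (pages 252 and 255):
#    validity and CRL checks compare against local time, so a skewed clock yields "invalid" certificates.
# 5. Fetch the CA certificate. The command prints a SHA1 fingerprint and asks for confirmation.
#    Compare it with the fingerprint the CA operator gave you out of band BEFORE answering y:
#    answering y to an unverified fingerprint trusts whoever sits between this router and the CA.
[Router] pki retrieval-certificate ca domain torsa
# 6. Fetch CRLs (not saved to the configuration file; the router refreshes them, but run this after the first retrieval).
[Router] pki retrieval-crl domain torsa
# 7. Enroll. The challenge password is issued by the CA and typed at the prompt.
[Router] pki request-certificate domain torsa challenge-word
# 8. Validate against the CA certificate and CRL, then inspect what was issued.
[Router] pki validate-certificate local domain torsa
[Router] display pki certificate local domain torsa
[Router] display pki crl domain torsa
```

Step 5 is the trust anchor decision for every later IKE or SSL authentication that references this domain; everything after it only verifies signatures chained to that certificate.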
  • Page 258

    Configuration procedure

    Configure Router A:
    # Configure the entity DN.
    <RouterA> system-view
    [RouterA] pki entity en
    [RouterA-pki-entity-en] ip 2.2.2.1
    [RouterA-pki-entity-en] common-name routera
    [RouterA-pki-entity-en] quit
    # Configure the PKI domain. The URL of the registration server varies with the CA server.
    [RouterA] pki domain 1
    [RouterA-pki-domain-1] ca identifier CA1
    [RouterA-pki-domain-1] certificate request url...
  • Page 259: Certificate Access Control Policy Configuration

    [RouterB-pki-domain-1] ldap-server ip 1.1.1.102
    # Set the registration authority to RA.
    [RouterB-pki-domain-1] certificate request from ra
    # Configure the CRL distribution URL. This is not necessary if CRL checking is disabled.
    [RouterB-pki-domain-1] crl url ldap://1.1.1.102
    [RouterB-pki-domain-1] quit
    # Create a local key pair using RSA.
    [RouterB] public-key local create rsa
    # Request a certificate.
  • Page 260

    Configuration procedure

    For more information about SSL configuration, see "Configuring SSL."

    NOTE: The PKI domain to be referenced by the SSL policy must be created in advance. For how to configure a PKI domain, see "Configuring a PKI domain."

    1. Configure the HTTPS server.
    # Configure the SSL policy for the HTTPS server to use.
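
Page 250 introduces certificate attribute-based access control and pages 259 and 260 apply it to the HTTPS server, but the excerpts stop before the policy itself. The following is an added example by the editor (not from the guide) showing the three layers involved: attribute groups that describe certificates, a policy that orders permit and deny rules over those groups, and the SSL server policy that makes the HTTPS server demand a client certificate in the first place. The group and policy names, the DN substrings and the PKI domain name 1 are assumptions; the domain must already hold the server certificate.

```text
<Router> system-view
# Attribute groups: a certificate matches a group only if it satisfies every attribute in it.
# Group "contractors": issued by the internal CA and subject DN containing OU=Contractors (values assumed).
[Router] pki certificate attribute-group contractors
[Router-pki-cert-attribute-group-contractors] attribute 1 issuer-name dn ctn CN=Corp-CA
[Router-pki-cert-attribute-group-contractors] attribute 2 subject-name dn ctn OU=Contractors
[Router-pki-cert-attribute-group-contractors] quit
# Group "staff": anything issued by the internal CA.
[Router] pki certificate attribute-group staff
[Router-pki-cert-attribute-group-staff] attribute 1 issuer-name dn ctn CN=Corp-CA
[Router-pki-cert-attribute-group-staff] quit
# Policy: rules are evaluated in ascending ID order and the first match decides,
# so the narrow deny must come before the broad permit or it never fires.
[Router] pki certificate access-control-policy myacp
[Router-pki-cert-acp-myacp] rule 1 deny contractors
[Router-pki-cert-acp-myacp] rule 2 permit staff
[Router-pki-cert-acp-myacp] quit
# SSL server policy: the PKI domain supplies the server certificate; client-verify makes the
# server require a client certificate, which is what the access control policy then filters.
# Without client-verify the policy has nothing to evaluate.
[Router] ssl server-policy myssl
[Router-ssl-server-policy-myssl] pki-domain 1
[Router-ssl-server-policy-myssl] client-verify enable
[Router-ssl-server-policy-myssl] quit
# Bind both to the HTTPS server and enable it.
[Router] ip https ssl-server-policy myssl
[Router] ip https certificate access-control-policy myacp
[Router] ip https enable
# Verify the rule order.
[Router] display pki certificate access-control-policy myacp
```

Test the deny path as well as the permit path: connect with a contractor certificate and confirm the TLS handshake is rejected, because a policy that is never exercised with a denied certificate is indistinguishable from one that permits everything.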
  • Page 261: Troubleshooting Pki

    Troubleshooting PKI

    Failed to obtain a CA certificate

    Symptom: Failed to obtain a CA certificate.

    Analysis: Possible reasons include:
    • The network connection is not proper. For example, the network cable might be damaged or loose.
    • No trusted CA is specified.
    • ...
  • Page 262: Failed To Obtain Crls

    • Use the ping command to verify that the RA server is reachable.
    • Specify the authority for certificate request.
    • Configure the required entity DN parameters.

    Failed to obtain CRLs

    Symptom: Failed to obtain CRLs.

    Analysis: Possible reasons include:
    • The network connection is not proper. For example, the network cable might be damaged or loose.
    • No CA certificate has been obtained before you try to obtain CRLs.
  • Page 263: Configuring Ipsec

    Configuring IPsec

    Unless otherwise specified, the term "IKE" in this chapter refers to IKE version 1.

    Overview

    IP Security (IPsec) is a security framework defined by the IETF for securing IP communications. It is a Layer 3 VPN technology that transmits data in a secure tunnel established between two endpoints. IPsec provides the following security services in insecure network environments:
    • Confidentiality—The sender encrypts packets before transmitting them over the Internet, protecting...
  • Page 264

    encryption algorithms such as DES, 3DES, and AES, and authentication algorithms such as MD5 and SHA-1. The authentication function is optional in ESP. Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger: AH also covers the immutable fields of the outer IP header, whereas ESP authenticates only the ESP header, payload and trailer. DES (56-bit key) and MD5 are considered weak; where both peers support them, prefer AES and SHA-1.
  • Page 265

    Figure 91 Encapsulation by security protocols in different modes

    Authentication algorithms and encryption algorithms

    Authentication algorithms: IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. Each IPsec peer calculates the message digest of every packet and compares it with the digest carried in the packet.
  • Page 266: Ipsec Tunnel Interface

    IPsec tunnel interface

    An IPsec tunnel interface is a Layer 3 logical interface. It supports dynamic routing. All packets, including multicast packets, that are routed to an IPsec tunnel interface are IPsec protected. The IPsec tunnel interface has the following advantages:
    • Simplified configuration—The IPsec tunnel interface is easier to configure compared to using...
  • Page 267: Ipsec For Ipv6 Routing Protocols

    Figure 93 De-encapsulation process of an IPsec packet

    The router forwards an IPsec packet received on the inbound interface to the forwarding module. Identifying that the destination address of the packet is the tunnel interface and the protocol is AH or ESP, the forwarding module forwards the packet to the IPsec tunnel interface for de-encapsulation.
  • Page 268: Protocols And Standards

    Figure 94 An IPsec VPN

    You can advertise the static routes created by IPsec RRI in the internal network. IPsec RRI can quickly create new routes for forwarding IPsec VPN traffic when an active link fails in a load balanced or stateful failover environment, or when IPsec VPN traffic cannot reach the peer gateway through the default local gateway.
  • Page 269: Implementing Acl-Based Ipsec

    ACL-based IPsec and tunnel interface-based IPsec are available for both IPv4 and IPv6 packets, and the configuration procedures are the same for IPv4 and IPv6.

    Implementing ACL-based IPsec

    The following is the generic configuration procedure for implementing ACL-based IPsec:
    1. Configure an ACL for identifying data flows to be protected.
    2. Configure IPsec transform sets to specify the security protocols, authentication and encryption algorithms, and encapsulation mode.
  • Page 270

    • Each ACL rule matches both the outbound traffic and the returned inbound traffic. Suppose there is a rule rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255. This rule matches both traffic from 1.1.1.0 to 2.2.2.0 and traffic from 2.2.2.0 to 1.1.1.0.
    • ...
  • Page 271

    ipsec policy test 2 isakmp
     security acl 3001
     ike-peer bb
     transform-set 1
    • Configure Router B:
    acl number 3001
     rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.255
     rule 1 deny ip
    ipsec policy test 1 isakmp
     security acl 3001
     ike-peer aa
     transform-set 1

    Configuring ACL rules...
  • Page 272: Configuring An Ipsec Transform Set

    Figure 96 Non-mirror image ACLs

    Protection modes

    Data flows can be protected in the following modes:
    • Standard mode—One tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one tunnel that is established solely for it.
    • Aggregation mode—One tunnel protects all data flows permitted by all the rules of an ACL.
  • Page 273: Configuring An Ipsec Policy

    Remarks: Configure at least one command. By default, no security algorithm is specified. You can configure security algorithms for a security protocol only after you select the protocol. For example, you can specify the ESP-specific security algorithms only when you select ESP as the security protocol.
  • Page 274

    IPsec policies include the following categories:
    • Manual IPsec policy—The parameters are configured manually, such as the keys, the SPIs, and the IP addresses of the two ends in tunnel mode.
    • IPsec policy that uses IKE—The parameters are automatically negotiated through IKE.
    • ...
  • Page 275

    • Assign an ACL to the IPsec policy: security acl [ ipv6 ] acl-number (Not needed for IPsec policies to be applied to IPv6 routing protocols and required for other applications. By default, an IPsec policy references no ACL. The ACL supports match criteria of...)
  • Page 276

    NOTE: You cannot change the creation mode of an IPsec policy from manual to IKE-negotiated, or vice versa. To replace a manual IPsec policy with one that uses IKE, delete the manual IPsec policy, and then create an IPsec policy that uses IKE.
  • Page 277

    • Enable and configure the perfect forward secrecy feature: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 } (Optional. By default, the PFS feature is not used for negotiation. If the local end is configured with the PFS feature, the remote end that initiates the negotiation must also be configured with this feature,...)
  • Page 278

    • Specify the ACL for the IPsec policy to reference: security acl [ ipv6 ] acl-number (Optional. By default, an IPsec policy does not reference any ACL. In IKE negotiation mode, the ACL only supports fuzzy match.)
    • ... (By default, an IPsec policy does not reference any IPsec transform set.)
  • Page 279: Applying An Ipsec Policy Group To An Interface

    • Configure the global SA lifetime: ipsec sa global-duration { time-based seconds | traffic-based kilobytes } (Optional. By default, the time-based SA lifetime is 3600 seconds and the traffic-based SA lifetime is 1843200 kilobytes.)
    • Create an IPsec policy by referencing an IPsec policy template: ipsec policy policy-name seq-number isakmp template template-name (By default, no IPsec policy exists.)
  • Page 280: Enabling Acl Checking Of De-Encapsulated Ipsec Packets

    If the encryption engine is disabled or has failed but the IPsec module backup function is enabled, the IPsec module takes over the responsibility of IPsec processing. If the IPsec module backup function is disabled, the matching packets are discarded.

    To enable the encryption engine:...
  • Page 281: Configuring Packet Information Pre-Extraction

    IMPORTANT:
    • IPsec anti-replay checking is enabled by default. Do not disable it unless your deployment specifically requires it; if legitimate packets fail the check because the network reorders them, widen the window first rather than turning the check off.
    • A wider anti-replay window results in higher resource cost and more system performance degradation, which is against the original intention of the IPsec anti-replay function. Specify an anti-replay window size that is as small as possible.
  • Page 282: Configuring Ipsec Rri

    The invalid SPI recovery feature allows the receiver to send an INVALID SPI NOTIFY message to tell the sender the invalid SPIs. Upon receiving the message, the sender immediately deletes the corresponding SAs. The subsequent traffic triggers the two peers to set up new SAs for data transmission. Because attackers may exploit INVALID SPI NOTIFY messages to attack the IPsec packet sender (DoS attack), the invalid SPI recovery feature is disabled by default, making the receiver discard packets with invalid SPIs.
  • Page 283: Enabling Ipsec Packet Fragmentation Before/After Encryption

    Step 1. Enter system view: system-view
    Step 2. Enter IPsec policy view or IPsec policy template view (use either command):
    • To enter IPsec policy view: ipsec policy policy-name seq-number [ isakmp | manual ]
    • To enter IPsec policy template view: ipsec policy-template template-name seq-number
    Step 3. ... (Disabled by default.)
  • Page 284: Implementing Tunnel Interface-Based Ipsec

    • Enable IPsec packet fragmentation before or after encryption (use either command):
      - ipsec fragmentation before-encryption enable
      - ...
      (By default, IPsec packet fragmentation before encryption is enabled.)
  • Page 285 applied to an interface, for each packet arriving at the interface, the system checks the IPsec policies of the IPsec policy group in the ascending order of sequence numbers. One IPsec tunnel will be established for each data flow to be protected, and multiple IPsec tunnels may exist on an interface. An IPsec profile is similar to an IPsec policy.
  • Page 286: Configuring An Ipsec Tunnel Interface

    • Set the SA lifetime: sa duration { time-based seconds | traffic-based kilobytes } (Optional. By default, the SA lifetime of an IPsec profile equals the current global SA lifetime.)
    • Return to system view: quit
    • Set the global SA lifetime: ipsec sa global-duration { time-based seconds | traffic-based kilobytes } (Optional. By default, 3600 seconds for time-based SA...)
  • Page 287

    • Assign a private IP address (configure one type of address):
      - To assign an IPv4 address: ip address ip-address { mask | mask-length } [ sub ]
      - To assign a global unicast address or site-local address: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
      (By default, no private IP address...)
  • Page 288: Enabling Packet Information Pre-Extraction On The Ipsec Tunnel Interface

    Enabling packet information pre-extraction on the IPsec tunnel interface Because packets that an IPsec tunnel interface passes to a physical interface are encapsulated, the QoS module cannot obtain the 5-tuple (source IP, destination IP, source port, destination port, and protocol) of the original packets.
  • Page 289: Configuring Ipsec For Ipv6 Routing Protocols

    • Apply a QoS policy to the IPsec tunnel interface: qos apply policy policy-name { inbound | outbound } (For more information about the command, see ACL and QoS Command Reference.)

    Configuring IPsec for IPv6 routing protocols

    IMPORTANT: Do not apply an IPsec policy used for an IPv6 routing protocol to an interface.
  • Page 290: Ipsec Configuration Examples

    • Display IPsec packet statistics: display ipsec statistics [ tunnel-id integer ] [ | { begin | exclude | include } regular-expression ] (Available in any view.)
    • Display IPsec tunnel information: display ipsec tunnel [ | { begin | exclude ... (Available in any view.)
  • Page 291

    # Specify the encapsulation mode as tunnel.
    [RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
    # Specify the security protocol as ESP.
    [RouterA-ipsec-transform-set-tran1] transform esp
    # Specify the algorithms for the IPsec transform set.
    [RouterA-ipsec-transform-set-tran1] esp encryption-algorithm des
    [RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
    [RouterA-ipsec-transform-set-tran1] quit
    # Create manual IPsec policy map1.
    [RouterA] ipsec policy map1 10 manual
    # Apply the ACL.
  • Page 292: Configuring An Ike-Based Ipsec Tunnel For Ipv4 Packets

    # Specify the algorithms for the IPsec transform set.
    [RouterB-ipsec-transform-set-tran1] esp encryption-algorithm des
    [RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
    [RouterB-ipsec-transform-set-tran1] quit
    # Create a manual IPsec policy.
    [RouterB] ipsec policy use1 10 manual
    # Apply the ACL.
    [RouterB-ipsec-policy-manual-use1-10] security acl 3101
    # Apply the IPsec transform set.
    [RouterB-ipsec-policy-manual-use1-10] transform-set tran1
    # Configure the remote IP address of the tunnel.
  • Page 293

    # Configure a static route to Host B.
    [RouterA] ip route-static 10.1.2.0 255.255.255.0 serial 2/1/1
    # Create an IPsec transform set named tran1.
    [RouterA] ipsec transform-set tran1
    # Specify the encapsulation mode as tunnel.
    [RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
    # Specify the security protocol as ESP.
    [RouterA-ipsec-transform-set-tran1] transform esp
    # Specify the algorithms for the IPsec transform set.
  • Page 294: Configuring Ike-Based Ipsec Tunnel For Ipv6 Packets

    [RouterB-ipsec-transform-set-tran1] transform esp
    # Specify the algorithms for the IPsec transform set.
    [RouterB-ipsec-transform-set-tran1] esp encryption-algorithm des
    [RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
    [RouterB-ipsec-transform-set-tran1] quit
    # Configure the IKE peer.
    [RouterB] ike peer peer
    [RouterB-ike-peer-peer] pre-shared-key abcde
    [RouterB-ike-peer-peer] remote-address 2.2.2.1
    [RouterB-ike-peer-peer] quit
    # Create an IPsec policy that uses IKE for IPsec SA negotiation.
    [RouterB] ipsec policy use1 10 isakmp
    # Apply the ACL.
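
The IKE-based IPv4 example on pages 292 to 294 is spread over several truncated excerpts and, like all examples in this chapter, uses DES and the pre-shared key "abcde". The block below is a complete version added by the editor (not a listing from the guide) with an explicit IKE proposal, a strong pre-shared key, PFS and AES in place of DES. Interface addresses (Router A 2.2.2.1, Router B 2.2.2.2 on Serial 2/1/1), the protected subnets 10.1.1.0/24 and 10.1.2.0/24, all names and the key are assumptions; the keyword forms aes-cbc 128 (IKE proposal) and aes-cbc-128 (transform set) are assumed from the Comware 5 command syntax and should be checked against the command reference for this release.

```text
# ---- Router A: Serial 2/1/1 = 2.2.2.1, protects 10.1.1.0/24; Router B is 2.2.2.2 with 10.1.2.0/24 ----
<RouterA> system-view
# ACL 3101 selects the flow. Router B's rule must be the exact mirror image (pages 270 and 271) or IKE will not match the proposals.
[RouterA] acl number 3101
[RouterA-acl-adv-3101] rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[RouterA-acl-adv-3101] rule 1 deny ip
[RouterA-acl-adv-3101] quit
# IKE proposal (phase 1): AES-128, SHA-1, DH group 2, pre-shared key, 24-hour IKE SA (algorithm keywords assumed, see lead-in).
[RouterA] ike proposal 10
[RouterA-ike-proposal-10] encryption-algorithm aes-cbc 128
[RouterA-ike-proposal-10] authentication-algorithm sha
[RouterA-ike-proposal-10] authentication-method pre-share
[RouterA-ike-proposal-10] dh group2
[RouterA-ike-proposal-10] sa duration 86400
[RouterA-ike-proposal-10] quit
# IKE peer: Router B's address and the shared secret (placeholder; use a long random string, never a word like "abcde").
[RouterA] ike peer peerb
[RouterA-ike-peer-peerb] proposal 10
[RouterA-ike-peer-peerb] pre-shared-key R0ut3rA-R0ut3rB-Sh4r3d-S3cr3t-2013
[RouterA-ike-peer-peerb] remote-address 2.2.2.2
[RouterA-ike-peer-peerb] quit
# IPsec transform set (phase 2): ESP in tunnel mode with AES-128 encryption and SHA-1 authentication.
[RouterA] ipsec transform-set tran1
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterA-ipsec-transform-set-tran1] transform esp
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] quit
# IKE-negotiated policy: ACL + peer + transform set. PFS (page 277) derives each phase-2 key from a fresh DH exchange,
# so a compromised phase-1 key does not expose past traffic; the initiator must also have PFS configured.
[RouterA] ipsec policy map1 10 isakmp
[RouterA-ipsec-policy-isakmp-map1-10] security acl 3101
[RouterA-ipsec-policy-isakmp-map1-10] ike-peer peerb
[RouterA-ipsec-policy-isakmp-map1-10] transform-set tran1
[RouterA-ipsec-policy-isakmp-map1-10] pfs dh-group2
[RouterA-ipsec-policy-isakmp-map1-10] sa duration time-based 3600
[RouterA-ipsec-policy-isakmp-map1-10] quit
# Route the remote subnet out of the interface that carries the policy, then apply the policy group there.
[RouterA] ip route-static 10.1.2.0 255.255.255.0 serial 2/1/1
[RouterA] interface serial 2/1/1
[RouterA-Serial2/1/1] ip address 2.2.2.1 255.255.255.0
[RouterA-Serial2/1/1] ipsec policy map1
[RouterA-Serial2/1/1] quit

# ---- Router B: same proposal 10, transform set tran1 and an isakmp policy use1 10; only these lines differ ----
[RouterB] acl number 3101
[RouterB-acl-adv-3101] rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[RouterB-acl-adv-3101] rule 1 deny ip
[RouterB-acl-adv-3101] quit
[RouterB] ike peer peera
[RouterB-ike-peer-peera] proposal 10
[RouterB-ike-peer-peera] pre-shared-key R0ut3rA-R0ut3rB-Sh4r3d-S3cr3t-2013
[RouterB-ike-peer-peera] remote-address 2.2.2.1
[RouterB-ike-peer-peera] quit
[RouterB] ip route-static 10.1.1.0 255.255.255.0 serial 2/1/1

# ---- Verification: the first packet between the subnets triggers negotiation ----
[RouterA] display ike sa
[RouterA] display ipsec sa
[RouterA] display ipsec statistics
```

In display ipsec sa, check that the transform line reads the AES/SHA1 combination and not a DES fallback, and that the flow matches ACL 3101 in both directions; a policy that negotiates but shows zero encrypted packets in display ipsec statistics almost always means the static route does not point out of the interface carrying the policy.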
  • Page 295

    # Define an ACL to identify data flows from subnet 333::0/64 to subnet 555::0/64.
    <RouterA> system-view
    [RouterA] acl ipv6 number 3101
    [RouterA-acl-adv-3101] rule permit ipv6 source 333::0 64 destination 555::0 64
    [RouterA-acl-adv-3101] quit
    # Configure a static route to Host B.
    [RouterA] ipv6 route-static 555::0 64 222::1
    # Create an IPsec transform set named tran1.
  • Page 296: Configuring Ipsec With Ipsec Tunnel Interfaces

    # Specify the encapsulation mode as tunnel.
    [RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel
    # Specify the security protocol as ESP.
    [RouterB-ipsec-transform-set-tran1] transform esp
    # Specify the algorithms for the IPsec transform set.
    [RouterB-ipsec-transform-set-tran1] esp encryption-algorithm des
    [RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
    [RouterB-ipsec-transform-set-tran1] quit
    # Configure the IKE peer.
    [RouterB] ike peer peer
    [RouterB-ike-peer-peer] pre-shared-key abcde
    [RouterB-ike-peer-peer] remote-address ipv6 111::1...
  • Page 297

    Figure 99 Network diagram

    Configuration considerations

    Configure an IPsec tunnel interface on each router and configure a static route on each router to route the packets destined to the peer to the IPsec tunnel interface for IPsec protection.

    Configuration procedure

    Configure Router A:
    # Name the local gateway routera.
  • Page 298

    [RouterA-Tunnel1] ip address 10.1.1.1 24
    # Set the tunnel mode of tunnel interface Tunnel 1 to IPsec over IPv4.
    [RouterA-Tunnel1] tunnel-protocol ipsec ipv4
    # Set the source interface of the tunnel to Serial 2/1/1 on Tunnel 1.
    [RouterA-Tunnel1] source serial 2/1/1
    # Set the tunnel destination address to 1.1.1.1, the source address of the remote peer.
  • Page 299

    [RouterB] interface tunnel 1
    # Assign IPv4 address 10.1.1.2/24 to tunnel interface Tunnel 1.
    [RouterB-Tunnel1] ip address 10.1.1.2 24
    # Set the tunnel mode of tunnel interface Tunnel 1 to IPsec over IPv4.
    [RouterB-Tunnel1] tunnel-protocol ipsec ipv4
    # Set the source interface of the tunnel to Serial 2/1/1 on Tunnel 1.
    [RouterB-Tunnel1] source serial 2/1/1
    # Apply IPsec profile btoa to tunnel interface Tunnel 1.
  • Page 300: Configuring Ipsec For Ripng

    -----------------------------
    PFS: N, DH group: none
    tunnel:
    local address: 1.1.1.1
    remote address: 1.1.1.2
    flow :
    sour addr: 0.0.0.0/0.0.0.0 port: 0 protocol: IP
    dest addr: 0.0.0.0/0.0.0.0 port: 0 protocol: IP
    [inbound ESP SAs]
    spi: 0x75b6ef44 (1974923076)
    transform: ESP-ENCRYPT-DES ESP-AUTH-MD5
    in use setting: Tunnel
    connection id: 15
    sa duration (kilobytes/sec): 1843200/3600
    sa remaining duration (kilobytes/sec): 1843199/3503...
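
The tunnel-interface example on pages 296 to 300 is the alternative to ACL-based selection: the IPsec profile has no security acl, and what gets protected is decided by routing. The block below is an added example by the editor (not a listing from the guide) showing Router A's side completely and the lines that differ on Router B. Router A's Serial 2/1/1 address 1.1.1.2, the LAN prefixes 192.168.1.0/24 and 192.168.2.0/24, the pre-shared key and 3DES are assumptions; Router B's address 1.1.1.1, the tunnel addresses 10.1.1.1/24 and 10.1.1.2/24 and the profile names come from the page.

```text
# ---- Router A: Serial 2/1/1 = 1.1.1.2, LAN 192.168.1.0/24; Router B: Serial 2/1/1 = 1.1.1.1, LAN 192.168.2.0/24 ----
<RouterA> system-view
# Name the local gateway (page 297) and define the IKE peer with Router B's address and the shared secret (placeholder).
[RouterA] ike local-name routera
[RouterA] ike peer peerb
[RouterA-ike-peer-peerb] pre-shared-key R0ut3rA-R0ut3rB-Sh4r3d-S3cr3t-2013
[RouterA-ike-peer-peerb] remote-address 1.1.1.1
[RouterA-ike-peer-peerb] quit
# Tunnel-mode ESP so the original IP header is encapsulated along with the payload (3DES chosen instead of the page's DES).
[RouterA] ipsec transform-set tran1
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterA-ipsec-transform-set-tran1] transform esp
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm 3des
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] quit
# IPsec profile: the tunnel-interface counterpart of an IPsec policy (page 285). Note there is no security acl:
# "everything routed into the tunnel" is the selector, which is why the SA flow on page 300 shows 0.0.0.0/0 <-> 0.0.0.0/0.
[RouterA] ipsec profile atob
[RouterA-ipsec-profile-atob] ike-peer peerb
[RouterA-ipsec-profile-atob] transform-set tran1
[RouterA-ipsec-profile-atob] sa duration time-based 3600
[RouterA-ipsec-profile-atob] quit
# Tunnel interface: inner address, IPsec-over-IPv4 mode, physical source, remote peer, and the profile.
[RouterA] interface tunnel 1
[RouterA-Tunnel1] ip address 10.1.1.1 24
[RouterA-Tunnel1] tunnel-protocol ipsec ipv4
[RouterA-Tunnel1] source serial 2/1/1
[RouterA-Tunnel1] destination 1.1.1.1
[RouterA-Tunnel1] ipsec profile atob
[RouterA-Tunnel1] quit
# Selection by routing: the remote LAN is steered into Tunnel 1 and nothing else is protected.
# A dynamic routing protocol running over Tunnel 1 (page 266: dynamic routing is supported) would replace this static route.
[RouterA] ip route-static 192.168.2.0 24 tunnel 1

# ---- Router B differs only in names and addresses ----
# ike local-name routerb; ike peer peera with remote-address 1.1.1.2; ipsec profile btoa;
# interface tunnel 1 with ip address 10.1.1.2 24, source serial 2/1/1, destination 1.1.1.2, ipsec profile btoa;
# ip route-static 192.168.1.0 24 tunnel 1.

# ---- Verification ----
[RouterA] display ipsec tunnel
[RouterA] display ipsec sa
```

Because selection is by route, a routing change (a more specific route via a physical interface, or the static route being withdrawn) silently moves traffic out of the tunnel and sends it in clear text; monitor the route to the remote prefix as carefully as the SA itself.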
  • Page 301

    Network requirements

    As shown in Figure 100, Router A, Router B, and Router C are connected. They learn IPv6 routing information through RIPng. Configure IPsec for RIPng so that RIPng packets exchanged between the routers are transmitted through an IPsec tunnel. Configure IPsec to use the security protocol ESP, the encryption algorithm DES, and the authentication algorithm SHA1-HMAC-96.
  • Page 302

    [RouterA-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg
    [RouterA-ipsec-policy-manual-policy001-10] quit
    # Apply IPsec policy policy001 to the RIPng process.
    [RouterA] ripng 1
    [RouterA-ripng-1] enable ipsec-policy policy001
    [RouterA-ripng-1] quit
    Configure Router B:
    # Assign an IPv6 address to each interface. (Details not shown.)
    # Create a RIPng process and enable it on GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2.
  • Page 303

    [RouterC-ripng-1] quit
    [RouterC] interface gigabitethernet 3/0/1
    [RouterC-GigabitEthernet3/0/1] ripng 1 enable
    [RouterC-GigabitEthernet3/0/1] quit
    # Create an IPsec transform set named tran1, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and the authentication algorithm to SHA1-HMAC-96.
  • Page 304: Configuring Ipsec Rri

    # Execute the display ipsec sa command on Router A to view the information about the inbound and outbound SAs.
    <RouterA> display ipsec sa
    ===============================
    Protocol: RIPng
    ===============================
    -----------------------------
    IPsec policy name: "policy001"
    sequence number: 10
    acl version: None
    mode: manual
    -----------------------------
    PFS: N, DH group: none
    tunnel:...
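
The RIPng example on pages 300 to 304 shows each router's configuration in pieces. The block below, added by the editor and not a listing from the guide, gives one router's configuration in full and states the constraint that the fragments only imply: RIPng updates are multicast, so every router is both sender and receiver of the same packets, and all of them must use the same SPI and key in both directions. The interface name, the SPI 12345 and the key string are placeholders; DES follows the page's stated requirement but is weak, and manual keys never rotate, so treat this as a template for a closed routing domain rather than a recommendation of the algorithm.

```text
# ---- Router A; the same block, with its own interface names, is applied on Router B and Router C ----
<RouterA> system-view
# Transport mode: only the RIPng payload is protected and there are no tunnel endpoints, since RIPng packets are link-local multicast.
[RouterA] ipsec transform-set tran1
[RouterA-ipsec-transform-set-tran1] encapsulation-mode transport
[RouterA-ipsec-transform-set-tran1] transform esp
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm des
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] quit
# Manual policy for an IPv6 routing protocol: no security acl and no tunnel local/remote address (page 275).
# Inbound and outbound SPI and key are identical, and identical on every router, because each router must be able
# to decrypt what any neighbour sends and every neighbour must be able to decrypt what it sends.
[RouterA] ipsec policy policy001 10 manual
[RouterA-ipsec-policy-manual-policy001-10] transform-set tran1
[RouterA-ipsec-policy-manual-policy001-10] sa spi inbound esp 12345
[RouterA-ipsec-policy-manual-policy001-10] sa spi outbound esp 12345
[RouterA-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg
[RouterA-ipsec-policy-manual-policy001-10] sa string-key outbound esp abcdefg
[RouterA-ipsec-policy-manual-policy001-10] quit
# Bind the policy to the RIPng process, never to an interface (page 289 IMPORTANT).
[RouterA] ripng 1
[RouterA-ripng-1] enable ipsec-policy policy001
[RouterA-ripng-1] quit
[RouterA] interface gigabitethernet 3/0/1
[RouterA-GigabitEthernet3/0/1] ripng 1 enable
[RouterA-GigabitEthernet3/0/1] quit
# Verify: the SA listing shows "Protocol: RIPng" and "mode: manual" (page 304), and routes are still learned from the peers.
[RouterA] display ipsec sa
[RouterA] display ripng 1 route
```

A useful negative test is to change the key on one router only: its RIPng routes age out on the others while display ipsec statistics shows authentication failures, which confirms that the protection is actually being enforced rather than silently bypassed.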
  • Page 305 Figure 101 Network diagram Configuration procedure Assign IPv4 addresses to the interfaces on the routers according to Figure 101. Make sure Router A and Router B can reach each other. (Details not shown.) Configure Router A: # Configure ACL 3101 to identify traffic from subnet 10.4.4.0/24 to subnet 10.5.5.0/24. <RouterA>...
  • Page 306 [RouterA-ipsec-policy-isakmp-map1-10] security acl 3101 # Reference IKE peer peer. [RouterA-ipsec-policy-isakmp-map1-10] ike-peer peer # Enable dynamic IPsec RRI and use 1.1.1.2 as the next hop of the static route. [RouterA-ipsec-policy-isakmp-map1-10] reverse-route remote-peer 1.1.1.2 [RouterA-ipsec-policy-isakmp-map1-10] quit # Apply IPsec policy map1 to interface GigabitEthernet 3/0/1. [RouterA] interface gigabitethernet 3/0/1 [RouterA-GigabitEthernet3/0/1] ipsec policy map1 [RouterA-GigabitEthernet3/0/1] quit...
  • Page 307 # Apply IPsec policy use1 to interface GigabitEthernet 3/0/1. [RouterB] interface gigabitethernet 3/0/1 [RouterB-GigabitEthernet3/0/1] ipsec policy use1 Verify the configuration: # Send traffic from subnet 10.5.5.0/24 to subnet 10.4.4.0/24, or from subnet 10.4.4.0/24 to 10.5.5.0/24. IKE negotiation is triggered to establish IPsec SAs between Router A and Router B. # Display the routing table on Router A.
  • Page 308: Configuring IKE

    Configuring IKE Unless otherwise specified, the term "IKE" in this chapter refers to IKE version 1. Overview Built on a framework defined by the Internet Security Association and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec, simplifying the application, management, configuration and maintenance of IPsec dramatically.
  • Page 309: IKE Functions

    Figure 102 IKE exchange process in main mode (diagram of the exchanges between Peer 1 and Peer 2; stages labelled: algorithm negotiation (send local IKE policy, search for matched policy, confirmed policy, receive the SA exchange policy), key generation (initiator's key information, generate the key, receiver's key information), identity and key exchange...)
  • Page 310: Relationship Between IKE And IPsec

    Relationship between IKE and IPsec Figure 103 Relationship between IKE and IPsec Figure 103 illustrates the relationship between IKE and IPsec: • IKE is an application layer protocol using UDP and functions as the signaling protocol of IPsec. • IKE negotiates SAs for IPsec and delivers negotiated parameters and generated keys to IPsec. ...
  • Page 311: Configuring A Name For The Local Security Gateway

    Task: Configuring a name for the local security gateway; Remarks: Optional. Task: Configuring an IKE proposal; Remarks: Optional. Required if you want to specify an IKE proposal for an IKE peer to reference. Task: Configuring an IKE peer; Remarks: Required. Task: Setting keepalive timers; Remarks: Optional. Task: Setting the NAT keepalive timer; Remarks: Optional.
  • Page 312: Configuring An IKE Peer

    • Specify the IKE negotiation mode for the local end to use in IKE negotiation phase 1. If the IP address of the remote end is obtained dynamically and pre-shared key authentication is used, HP recommends setting the IKE negotiation mode of the local end to aggressive. When acting as the...
  • Page 313 • Specify the IKE proposals for the local end to use when acting as the IKE negotiation initiator. When acting as the responder, the local end uses the IKE proposals configured in system view for negotiation. • Configure a pre-shared key for pre-shared key authentication or a PKI domain for digital signature authentication.
  • Page 314 Step: Configure a name for the local security gateway; Command: local-name name; Remarks: Optional. By default, no name is configured for the local security gateway in IKE peer view, and the security gateway name configured by using the ike local-name command is used.
  • Page 315: Setting Keepalive Timers

    NOTE: After modifying the configuration of an IPsec IKE peer, execute the reset ipsec sa and reset ike sa commands to clear existing IPsec and IKE SAs. Otherwise, SA re-negotiation will fail. Setting keepalive timers IKE maintains the link status of an ISAKMP SA by using keepalive packets. Generally, if the peer is configured with the keepalive timeout, you must configure the keepalive packet transmission interval on the local end.
  • Page 316: Disabling Next Payload Field Checking

    If the time interval exceeds the DPD interval, it sends a DPD hello to the peer. If the local end receives no DPD acknowledgement within the DPD packet retransmission interval, it retransmits the DPD hello. If the local end still receives no DPD acknowledgement after having made the maximum number of retransmission attempts (two by default), it considers the peer dead, and clears the IKE SA and the IPsec SAs based on the IKE SA.
  • Page 317: IKE Configuration Examples

    Task: Display IKE SA information; Command: display ike sa [ verbose [ connection-id connection-id | remote-address [ ipv6 ] remote-address ] ] [ | { begin | exclude | include } regular-expression ]; Remarks: Available in any view. Task: Display IKE proposal information; Command: display ike proposal [ | { begin |...
  • Page 318 [RouterA] ipsec transform-set tran1 # Set the packet encapsulation mode to tunnel. [RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel # Use security protocol ESP. [RouterA-ipsec-transform-set-tran1] transform esp # Specify encryption and authentication algorithms. [RouterA-ipsec-transform-set-tran1] esp encryption-algorithm des [RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [RouterA-ipsec-transform-set-tran1] quit # Create IKE peer peer. [RouterA] ike peer peer # Set the pre-shared key.
  • Page 319 [RouterA] ip route-static 10.1.2.0 255.255.255.0 2.2.2.2 Configure Router B: # Configure ACL 3101 to identify traffic from subnet 10.1.2.0/24 to subnet 10.1.1.0/24. <RouterB> system-view [RouterB] acl number 3101 [RouterB-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 [RouterB-acl-adv-3101] quit # Create IPsec transform set tran1.
  • Page 320 Verify the configuration: # Check the IKE proposal configuration. [RouterA] display ike proposal priority authentication authentication encryption Diffie-Hellman duration method algorithm algorithm group (seconds) --------------------------------------------------------------------------- PRE_SHARED DES_CBC MODP_768 5000 default PRE_SHARED DES_CBC MODP_768 86400 [RouterB] display ike proposal priority authentication authentication encryption Diffie-Hellman duration method algorithm algorithm...
  • Page 321: Configuring Aggressive Mode IKE With NAT Traversal

    dest addr: 10.1.2.0/255.255.255.0 port: 0 protocol: IP [inbound ESP SAs] spi: 0x3d6d3a62(1030568546) transform: ESP-ENCRYPT-DES ESP-AUTH-SHA1 in use setting: Tunnel connection id: 1 sa duration (kilobytes/sec): 1843200/3600 sa remaining duration (kilobytes/sec): 1843199/3590 anti-replay detection: Enabled anti-replay window size(counter based): 32 udp encapsulation used for nat traversal: N [outbound ESP SAs] spi: 0x553faae(89389742) transform: ESP-ENCRYPT-DES ESP-AUTH-SHA1...
  • Page 322 Configuration procedure Configure Router A: # Specify a name for the local security gateway. <RouterA> system-view [RouterA] ike local-name routera # Configure an ACL. [RouterA] acl number 3101 [RouterA-acl-adv-3101] rule 0 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255 [RouterA-acl-adv-3101] quit # Configure an IKE proposal.
  • Page 323 [RouterA] interface gigabitethernet 3/0/1 [RouterA-GigabitEthernet3/0/1] ip address 172.16.0.1 255.255.255.0 [RouterA-GigabitEthernet3/0/1] quit # Configure a static route to the branch LAN. [RouterA] ip route-static 192.168.0.0 255.255.255.0 serial 2/1/1 Configure Router B: # Specify a name for the local security gateway. <RouterB> system-view [RouterB] ike local-name routerb # Configure an ACL.
  • Page 324: Troubleshooting IKE

    [RouterB] dialer-rule 1 ip permit # Configure dialer interface Dialer 0. Use the username and password assigned by the ISP for dial and PPP authentication. [RouterB] interface dialer 0 [RouterB-Dialer0] link-protocol ppp [RouterB-Dialer0] ppp pap local-user test password simple 123456 [RouterB-Dialer0] ip address ppp-negotiate [RouterB-Dialer0] dialer user 1 [RouterB-Dialer0] dialer-group 1...
  • Page 325: Proposal Mismatch

    got NOTIFY of type INVALID_ID_INFORMATION drop message from A.B.C.D due to notification type INVALID_ID_INFORMATION Solution: Verify that the ACLs in the IPsec policies configured on the interfaces at both ends are compatible. Configure the ACLs to mirror each other. For more information about ACL mirroring, see "Configuring IPsec."...
  • Page 326: ACL Configuration Error

    ACL configuration error Symptom: An ACL configuration error results in data flow blockage. Analysis: When multiple devices create different IPsec tunnels at different times, a device may have multiple peers. If the device is not configured with an ACL rule, the peers send packets to it to set up different IPsec tunnels, each with a different protection granularity.
  • Page 327: Configuring SSH

    Configuring SSH Overview Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH implements remote login and file transfer securely over an insecure network. SSH uses the typical client/server model, establishing a TCP-based channel to protect data transfer. SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible.
  • Page 328: SSH Authentication

    Stage: Algorithm negotiation; Description: SSH supports multiple algorithms. Based on the local algorithms, the two parties determine the key exchange algorithm for generating session keys, the encryption algorithm for encrypting data, the public key algorithm for digital signature and authentication, and the HMAC algorithm for protecting data integrity.
  • Page 329: SSH Support For MPLS L3VPN

    • Password-publickey authentication—The server requires clients that run SSH2 to pass both password authentication and publickey authentication. However, if a client runs SSH1, it only needs to pass either authentication. • Any authentication—The server requires the client to pass either password authentication or publickey authentication.
  • Page 330: SSH Server Configuration Task List

    SSH server configuration task list: Task: Generating local DSA or RSA key pairs; Remarks: Required. Task: Enabling the SSH server function; Remarks: Required for Stelnet, SFTP, and SCP servers. Task: Enabling the SFTP server function; Remarks: Required only for SFTP server. Task: Configuring the user interfaces for SSH clients; Remarks: Required.
  • Page 331: Enabling The SSH Server Function

    Step: Generate DSA or RSA key pairs; Command: public-key local create { dsa | rsa }; Remarks: By default, neither DSA key pairs nor RSA key pairs exist. Enabling the SSH server function The SSH server function on the device allows clients to communicate with the device through SSH. When the device acts as an SCP server, only one SCP user is allowed to access the SCP server at one time.
  • Page 332: Configuring A Client's Host Public Key

    A host public key obtained in other ways might be in an incorrect format and cannot be saved on the server. HP recommends that you configure a client public key by importing it from a public key file.
  • Page 333: Configuring An SSH User

    Step: Enter system view; Command: system-view. Step: Enter public key view; Command: public-key peer keyname. Step: Enter public key code view; Command: public-key-code begin. Step: Configure a client's host public key; Command: Enter the content of the host public key; Remarks: Spaces and carriage returns are allowed between characters. Step: Return to public key view and save the configured host...; Remarks: When you exit public key code...
  • Page 334: Setting The SSH Management Parameters

    If a client directly sends the user's public key information to the server, the server must specify the client's public key and the specified public key must already exist. For more information about public keys, see "Configuring a client's host public key."...
  • Page 335: Configuring The Device As An Stelnet Client

    • SFTP connection idle timeout period. Once the idle period of an SFTP connection exceeds the specified threshold, the system automatically tears the connection down. To set the SSH management parameters: Step: Enter system view; Command: system-view. Step: Enable the SSH server to support SSH1 clients; Command: ssh server compatible-ssh1x; Remarks: Optional. By default, the SSH server supports SSH1 clients.
  • Page 336: Specifying A Source IP Address Or Source Interface For The Stelnet Client

    IP address or specify a source interface for the client. To make sure the Stelnet client and the Stelnet server can communicate with each other, and to improve the manageability of Stelnet clients in the authentication service, HP recommends that you specify a loopback interface as the source interface.
  • Page 337: Establishing A Connection To An Stelnet Server

    Disabling first-time authentication Step: Enter system view; Command: system-view. Step: Disable first-time authentication; Command: undo ssh client first-time; Remarks: Enabled by default. Step: Configure the server host public key on the client; Remarks: For the method, see "Configuring a client's host public key."
  • Page 338: Configuring The Device As An SFTP Client

    To make sure the SFTP client and the SFTP server can communicate with each other, and to improve the manageability of SFTP clients in the authentication service, HP recommends that you specify a loopback interface as the source interface.
  • Page 339: Establishing A Connection To An SFTP Server

    Establishing a connection to an SFTP server You can launch the SFTP client to establish a connection to an SFTP server, and specify the public key algorithm, the preferred encryption algorithm, preferred HMAC algorithm, and preferred key exchange algorithm. After the connection is established, you can directly enter SFTP client view on the server to perform directory and file operations.
  • Page 340: Working With SFTP Files

    • Creating or deleting a directory To work with the SFTP directories: Step: Enter SFTP client view; Remarks: For more information, see "Establishing a connection to an SFTP server." Step: Change the working directory of the remote SFTP server; Command: cd [ remote-path ]; Remarks: Optional. Step: Return to the upper-level directory; Command: cdup; Remarks: Optional.
  • Page 341: Displaying Help Information

    Step: Upload a local file to the SFTP server; Command: put local-file [ remote-file ]; Remarks: Optional. Step: Display the files under a specified directory; Command: • dir [ -a | -l ] [ remote-path ] •...; Remarks: Optional. The dir command functions as the...
  • Page 342: SCP Client Configuration Task List

    SCP client configuration task list: Task: Enabling and disabling first-time authentication; Remarks: Optional. Task: Transferring files with an SCP server; Remarks: Required. Transferring files with an SCP server: Task: • Upload a file to the SCP server; Command: In non-FIPS mode: scp [ ipv6 ] server [ port-number ] put source-file-path [ destination-file-path ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } |...
  • Page 343: Displaying And Maintaining SSH

    Displaying and maintaining SSH Task: Display the source IP address or interface configured for the SFTP client; Command: display sftp client source [ | { begin | exclude | include } regular-expression ]; Remarks: Available in any view. Task: Display the source IP address or interface information configured for...; Command: display ssh client source [ | { begin | exclude...; Remarks: Available in any view.
  • Page 344 Configuration procedure Configure the Stelnet server: # Generate the RSA key pairs. <Router> system-view [Router] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort.
  • Page 345: Publickey Authentication Enabled Stelnet Server Configuration Example

    Establish a connection to the Stelnet server: The device supports a variety of Stelnet client software, such as PuTTY and OpenSSH. The following example uses PuTTY Version 0.58 on the Stelnet client. To establish a connection to the Stelnet server: Launch PuTTY.exe to enter the following interface.
  • Page 346 Figure 109 Network diagram Configuration considerations In the server configuration, the client public key is required. Use the client software to generate the RSA key pair on the client before configuring the Stelnet server. The device supports a variety of Stelnet client software, such as PuTTY and OpenSSH. The following example uses PuTTY Version 0.58 on the Stelnet client.
  • Page 347 Figure 111 Generating process After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key. Figure 112 Saving a key pair on the client...
  • Page 348 Likewise, to save the private key, click Save private key. A warning window pops up asking whether to save the private key without any protection. Click Yes and enter the name of the file for saving the key (private.ppk in this case). Transmit the public key file to the server through FTP or TFTP.
  • Page 349 [Router] ssh user client002 service-type stelnet authentication-type publickey assign publickey ClientKey Establish a connection to the Stelnet server: Launch PuTTY.exe on the Stelnet client to enter the following interface. In the Host Name (or IP address) field, enter the IP address of the Stelnet server (192.168.1.40).
  • Page 350: Password Authentication Enabled Stelnet Client Configuration Example

    Figure 114 Specifying the private key file Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username. After entering the username (client002), you can enter the command-line interface of the server. Password authentication enabled Stelnet client configuration example Network requirements...
  • Page 351 [RouterB] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys...
  • Page 352 [RouterA-GigabitEthernet3/0/1] quit [RouterA] quit If the client supports first-time authentication, you can directly establish a connection from the client to the server. # Establish an SSH connection to the Stelnet server 192.168.1.40. <RouterA> ssh2 192.168.1.40 Username: client001 Trying 192.168.1.40 ... Press CTRL+K to abort Connected to 192.168.1.40 ...
  • Page 353: Publickey Authentication Enabled Stelnet Client Configuration Example

    [RouterA-pkey-public-key] peer-public-key end # Specify the host public key for the Stelnet server (192.168.1.40) as key1. [RouterA] ssh client authentication server 192.168.1.40 assign publickey key1 [RouterA] quit # Establish an SSH connection to SSH server 192.168.1.40. <RouterA> ssh2 192.168.1.40 Username: client001 Trying 192.168.1.40 Press CTRL+K to abort Connected to 192.168.1.40...
  • Page 354 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++ # Export the DSA public key to file key.pub. [RouterA] public-key local export dsa ssh2 key.pub [RouterA] quit Then, you transmit the public key file to the server through FTP or TFTP. (Details not shown.) Configure the Stelnet server: # Generate the RSA key pairs.
  • Page 355: SFTP Configuration Examples

    [RouterB] public-key peer ClientKey import sshkey key.pub # Specify the authentication method for user client002 as publickey, and assign the public key ClientKey to the user. [RouterB] ssh user client002 service-type stelnet authentication-type publickey assign publickey ClientKey Establish a connection to the Stelnet server: # Establish an SSH connection to the Stelnet server (192.168.1.40).
  • Page 356 +++++++++++++++++++++++ +++++ +++++ # Generate a DSA key pair. [Router] public-key local create dsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys...
  • Page 357: Publickey Authentication Enabled SFTP Client Configuration Example

    Figure 118 SFTP client interface Publickey authentication enabled SFTP client configuration example Network requirements As shown in Figure 119, you can log in to Router B through the SFTP client that runs on Router A. Router B acts as the SFTP server, adopting publickey authentication and the RSA public key algorithm. Figure 119 Network diagram Configuration considerations In the server configuration, the client public key is required.
  • Page 358 The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys... ++++++++++++++++++++++++ +++++++++++++++++++++++ +++++ +++++...
  • Page 359 # Set the authentication mode of the user interface to AAA. [RouterB] user-interface vty 0 4 [RouterB-ui-vty0-4] authentication-mode scheme # Enable the user interface to support SSH. [RouterB-ui-vty0-4] protocol inbound ssh [RouterB-ui-vty0-4] quit # Import the peer public key from the file pubkey, and name it RouterKey. [RouterB] public-key peer RouterKey import sshkey pubkey # For user client001, set the service type as SFTP, authentication method as publickey, public key as RouterKey, and working folder as cfa0:/.
  • Page 360: SCP File Transfer With Password Authentication

    sftp-client> mkdir new1 New directory created sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup...
  • Page 361: Network Requirements

    Network requirements As shown in Figure 120, Router A acts as an SCP client and Router B acts as an SCP server. A user can securely transfer files with Router B through Router A. Router B uses the password authentication method and the client's username and password are saved on Router B.
  • Page 362 [RouterB] user-interface vty 0 4 [RouterB-ui-vty0-4] authentication-mode scheme # Enable the user interface to support SSH. [RouterB-ui-vty0-4] protocol inbound ssh [RouterB-ui-vty0-4] quit # Create a local user named client001 with the password as aabbcc and service type as ssh. [RouterB] local-user client001 [RouterB-luser-client001] password simple aabbcc [RouterB-luser-client001] service-type ssh [RouterB-luser-client001] quit...
  • Page 363: Configuring SSL

    Configuring SSL The following matrix shows the feature and router compatibility: Feature 6602 HSR6602 6604/6608/6616 Yes on routers with the MCP CPU Overview Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols such as HTTP. It is widely used in e-business and online banking to provide secure data transmission over the Internet.
  • Page 364: SSL Protocol Stack

    SSL protocol stack The SSL protocol consists of two layers of protocols: the SSL record protocol at the lower layer and the SSL handshake protocol, change cipher spec protocol, and alert protocol at the upper layer. Figure 122 SSL protocol stack SSL record protocol—Fragments data to be transmitted, computes and adds MAC to the data, and •...
  • Page 365 SSL versions include SSL 2.0, SSL 3.0, and TLS 1.0 (or SSL 3.1). When the device acts as the SSL server, it can communicate with clients running SSL 3.0 or TLS 1.0, and can identify the SSL 2.0 Client Hello message from a client supporting both SSL 2.0 and SSL 3.0/TLS 1.0, and notify the client to use SSL 3.0 or TLS 1.0 for communication.
  • Page 366: Configuring An SSL Client Policy

    Step: Set the maximum number of cached sessions and the caching timeout time; Command: session { cachesize size | timeout time } *; Remarks: Optional. The defaults are as follows: • 500 for the maximum number of cached sessions. • 3600 seconds for the caching timeout time.
  • Page 367: Displaying And Maintaining SSL

    Step: Specify the preferred cipher suite for the SSL client policy; Command: • In non-FIPS mode: prefer-cipher { rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } • In FIPS mode: prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha |...; Remarks: Optional. rsa_rc4_128_md5 by default.
  • Page 368 • The server and the client have no matching cipher suite. Solution: Issue the debugging ssl command and view the debugging information to locate the problem: If the SSL client is configured to authenticate the SSL server but the SSL server has no certificate, request one for it.
  • Page 369: Configuring SSL VPN

    Configuring SSL VPN The following matrix shows the feature and router compatibility: Feature 6602 HSR6602 6604/6608/6616 SSL VPN Yes on routers with the MCP CPU Overview SSL VPN is a VPN technology based on Secure Sockets Layer (SSL). It works between the transport layer and the application layer.
  • Page 370: Advantages Of SSL VPN

    After the HTTPS connection is established, the user can try to log in to the Web interface of the SSL VPN gateway by entering the username, password, and authentication method (RADIUS authentication, for example). The SSL VPN gateway will verify the user information. After logging in to the Web interface, the user finds the resources to access on the Web interface and then sends an access request to the SSL VPN gateway through an SSL connection.
  • Page 371: SSL VPN Configuration Example At The CLI

    • Specify the SSL server policy to be used by the SSL VPN service. To access the SSL VPN gateway or the internal resources, remote users need to log in to the web interface of the SSL VPN gateway through HTTPS. Therefore, you must specify an SSL server policy on the SSL VPN gateway so that the gateway can determine the SSL parameters to be used for providing the SSL VPN service.
  • Page 372 Figure 124 Network diagram (diagram: Host of the remote user, Internet, Router acting as the SSL VPN gateway, internal servers; addresses shown: 10.1.1.1/24 and 10.2.1.1/24) Configuration procedure In this example, the Windows Server is used as the CA. Install the SCEP plugin on the CA. Before the following configurations, make sure the intended SSL VPN gateway, the CA, and the host used by the remote user can reach each other, and the CA is enabled with the CA service and can issue certificates to the device (SSL VPN gateway) and the host.
  • Page 373: Configuring SSL VPN In The Web Interface

    # Specify the SSL server policy myssl and port 443 (default) for the SSL VPN service. [Router] ssl-vpn server-policy myssl # Enable the SSL VPN service. [Router] ssl-vpn enable Verify the configuration. On the user host, launch the IE browser and input https://10.1.1.1/svpn in the address bar. You can open the Web login interface of the SSL VPN gateway.
  • Page 374: Configuring PKI

    Step: Configuring a user group; Remarks: Required. Configure a user group, add local users to the user group, and select the resource groups that the user group can access. By default, a user group named Guests exists, and no users or resource groups are assigned to it.
  • Page 375 You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes require different configurations. Recommended configuration procedure for manual request Step: Creating a PKI entity; Remarks: Required. Create a PKI entity and configure the identity information. A certificate is the binding of a public key and the identity information of an entity, where the distinguished name (DN) shows the identity information of the entity.
  • Page 376 Step Remarks Required. When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate. A certificate request can be submitted to a CA in online mode or offline mode.
  • Page 377 Task: Creating a PKI domain; Remarks: Required. Create a PKI domain, setting the certificate request mode to Auto. Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is called a PKI domain. A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance.
  • Page 378 Figure 126 Creating a PKI entity Configure the parameters as described in Table Click Apply. Table 12 Configuration items Item/Description: Entity Name: Enter the name for the PKI entity. Common Name: Enter the common name for the entity. IP Address: Enter the IP address of the entity.
  • Page 379 Figure 127 PKI domains Click Add. Figure 128 Creating a PKI domain Configure the parameters as described in Table Click Apply. Table 13 Configuration items Item/Description: Domain Name: Enter the name for the PKI domain. Enter the identifier of the trusted CA. An entity requests a certificate from a trusted CA.
  • Page 380 It does not issue any certificate. Sometimes, the registration management function is provided by the CA, in which case no independent RA is required. HP recommends that you deploy an independent RA. Enter the URL of the RA.
  • Page 381 Item/Description: Polling Count, Polling Interval: Set the polling interval and attempt limit for querying the certificate request status. After an entity makes a certificate request, the CA might need a long period of time if it verifies the certificate request in manual mode. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed.
  • Page 382 Figure 130 Generating an RSA key pair Set the key length. Click Apply. Destroying the RSA key pair From the navigation tree, select Authentication > Certificate Management > Certificate. Click Destroy Key. Click Apply to destroy the existing RSA key pair and the corresponding local certificate. Figure 131 Destroying the RSA key pair Retrieving and displaying a certificate You can retrieve an existing CA certificate or local certificate from the CA server and save it locally.
  • Page 383 Table 14 Configuration items Item/Description: Domain Name: Select the PKI domain for the certificate. Certificate Type: Select the type of the certificate to be retrieved, which can be CA or local. Enable Offline Mode: Select this box to retrieve a certificate in offline mode (that is, by an out-of-band means like FTP, disk, or email).
  • Page 384 Figure 134 Requesting a certificate Configure the parameters as described in Table Table 15 Configuration items Item/Description: Domain Name: Select the PKI domain for the certificate. Password: Enter the password for certificate revocation. Select this box to request a certificate in offline mode, that is, by an out-of-band means like FTP, disk, or email.
  • Page 385: Configuring The SSL VPN Service

    Figure 136 CRLs Click Retrieve CRL to retrieve the CRL of a domain. Click View CRL for the domain to display the contents of the CRL. Figure 137 Displaying CRL information Configuring the SSL VPN service Before you configure the SSL VPN service, go to Certificate Management to configure a PKI domain and get a certificate for the SSL VPN gateway.
  • Page 386: Configuring Web Proxy Server Resources

    Figure 138 Service management Configure the SSL VPN service information as described in Table Click Apply. Table 16 Configuration items Item/Description: Enable SSL VPN: Select the box before this item to enable the SSL VPN service. Port: Specify the port for providing the SSL VPN service. The default port number is 443.
  • Page 387 Figure 140 Adding a Web proxy server resource Configure the Web proxy server resource as described in Table Table 17 Configuration items Item/Description: Resource Name: Enter a name for the Web proxy server resource. The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their names.
  • Page 388 After you enable single login and configure single login parameters, when a user accesses the resource through the SSL VPN service interface, the user is redirected to the specified website if the user's username and password for accessing the website are the same as those for logging in to the SSL VPN service interface.
  • Page 389: Configuring Tcp Application Resources

    A message will tell you that the single login function is configured successfully. During this process, the system automatically gets the username parameter name and the password parameter name. When the website login page requires parameters other than the username and password, you cannot configure single login in this method.
  • Page 390 Local Host: Specify a loopback address or a character string that represents a loopback address. Local Port: Specify the port number that the local host uses for the remote access service. HP recommends using a port number greater than 1024 that is rarely used.
  • Page 391 Local Host: Specify a loopback address or a character string that represents a loopback address. Local Port: Specify the port number that the local host uses for the remote access service. HP recommends using a port number greater than 1024 that is rarely used.
  • Page 392 Resource Name IMPORTANT: If you do not configure the command for Command, HP recommends including the resource type, local address, and local port in the resource name so that users can view the desired information after they log in to the SSL VPN system.
  • Page 393 Item Description Command: Configure the Windows command for the resource. Users must manually start the email service application. You do not need to configure this item. Configuring a Notes service resource Notes, a platform for implementing office automation, provides email services in a client/server model. SSL VPN can improve the security of Notes mail services.
  • Page 394 Resource Name IMPORTANT: If you do not configure the command for Command, HP recommends including the resource type, local address, and local port in the resource name so that users can view the desired information after they log in to the SSL VPN system.
  • Page 395: Configuring Ip Network Resources

    Resource Name IMPORTANT: If you do not configure the command for Command, HP recommends including the resource type, local address, and local port in the resource name so that users can view the desired information after they log in to the SSL VPN system.
  • Page 396: Configuring Global Parameters

    Recommended configuration procedure Step Remarks Configuring global parameters: Required. Configure global parameters, such as the address pool, gateway address, timeout time, WINS server, and DNS server, for IP network resources. Configuring host resources: Required. Configure the host resources that users can access from the IP networks list of the SSL VPN interface.
  • Page 397 Table 24 Configuration items Item Description Start IP / End IP: Specify the IP address pool from which the gateway assigns IP addresses for clients' virtual network adapters. Subnet Mask: Enter the subnet mask to be assigned to a client's virtual network adapter. Gateway IP: Enter the default gateway IP address to be assigned to a client's virtual network adapter.
  • Page 398 Figure 154 Adding a host resource Enter a name for the host resource. Click the Add button under the network services list to enter the page for adding a network service. Figure 155 Adding an available network service Add a network service that the host resource provides for users, as described in Table Table 25 Configuration items Item...
  • Page 399 Description IMPORTANT: If you have configured the system to show network services by description, HP recommends that you include the network services' network information (subnet IP/mask) in the description so that users can view desired information after they log in to the SSL VPN system.
  • Page 400 Figure 158 Adding a user-IP binding Configure the user-IP binding as described in Table Click Apply. Table 26 Configuration items Item Description Username: Specify the username to be bound with an IP address. The username must contain the domain name. For example, aaa@local. Specify the IP address to be bound with the username.
  • Page 401: Configuring A Resource Group

    Click Apply. Table 27 Configuration items Item Description Domain Name Enter a domain name to be issued to clients. Select the IP setting method, including Dynamic and Static. • Dynamic: To use this method, you also need to configure domain name resolution at the CLI.
  • Page 402: Configuring Local Users

    Figure 162 Adding a resource group Configure the resource group as described in Table Click Apply. Table 28 Configuration items Item Description Resource Group Name: Enter a name for the resource group. Selected Resources / Available Resources: Specify resources for the resource group. Configuring local users Configure SSL VPN users for local authentication in the following methods:...
  • Page 403 Figure 163 Local users Click Add to enter the page for adding a local user. Figure 164 Adding a local user Configure the local user information as described in Table...
  • Page 404 Click Apply. Table 29 Configuration items Item Description Username Enter a name for the local user. Description Enter a description for the local user. Password Specify a password for the local user and enter the password again to confirm the password.
  • Page 405: Configuring A User Group

    Figure 165 Batch import of local users Configuring a user group Select VPN > SSL VPN > User Management > User Group from the navigation tree. The user group list page appears. Figure 166 User groups Click Add to add a user group.
  • Page 406 Figure 167 Adding a user group Configure the user group as described in Table Click Apply. Table 30 Configuration items Item Description User Group Name Enter a name for the user group. Selected Resource Groups Select resource groups for the user group. Users in the user group will be able to access the resources in the selected resource groups.
  • Page 407: Viewing User Information

    Viewing user information Viewing online user information Select VPN > SSL VPN > User Management > User Information from the navigation tree. The Online Users tab appears, displaying the information of the current online users. Figure 168 Online users View information of the online users. Table 31 Field description Field Description...
  • Page 408: Performing Basic Configurations For The Ssl Vpn Domain

    Figure 169 History information Performing basic configurations for the SSL VPN domain Configure a domain policy, caching policy, and a bulletin: • Domain policy—Defines the common parameters and functions for the SSL VPN domain. • Caching policy—Specifies which cached contents to clear from user hosts when users log out from...
  • Page 409 Table 32 Configuration items Item Description Select this item to enable security check. With security check enabled, the SSL VPN system checks a user host based on the security policy and determines whether to allow the user to access resources according to the check result.
  • Page 410 Click the Caching Policy tab. The caching policy configuration page appears, as shown in Figure 171. Select the operations to be done on a user host when the user logs out, including: Clear cached webpages. Clear cookies. Clear downloaded programs. Downloaded programs refer to the SSL VPN client software that was automatically downloaded and run when the users logged in to the SSL VPN system.
  • Page 411: Configuring Authentication Policies

    Figure 173 Adding a bulletin Configure the bulletin settings as described in Table Click Apply. Table 33 Configuration items Item Description Title: Enter a name for the bulletin. Content: Enter the contents of the bulletin. Selected User Groups / Available User Groups: Select the user groups that can view the bulletin. Configuring authentication policies SSL VPN supports local authentication, RADIUS authentication, LDAP authentication, AD authentication,...
  • Page 412 • Password—Authenticates only a user's password. • Password+Certificate—Authenticates a user's password and client certificate. • Certificate—Authenticates only a user's client certificate. RADIUS authentication supports only two authentication policies: password and password+certificate. Configuring local authentication Local authentication authenticates users by using the user information saved on the SSL VPN gateway. This authentication method is the fastest because user information is locally saved, and the SSL VPN gateway does not need to exchange information with an external authentication server.
  • Page 413 Figure 175 RADIUS scheme list Click Add. Figure 176 RADIUS scheme configuration page Configure the parameters, as described in Table Click Apply. Table 34 Configuration items Item Description Scheme Name: Enter a name for the RADIUS scheme. Common Configuration: Configure the common parameters for the RADIUS scheme, including the server type, the username format, and the shared keys for authentication and accounting packets.
  • Page 414 Item Description RADIUS Server Configuration: Configure the parameters of the RADIUS authentication servers and accounting servers. For more information about RADIUS server configuration, see "Add RADIUS servers." Configure common parameters: Click the expand button before Advanced in the Common Configuration area to expand the advanced configuration area.
  • Page 415 Table 35 Configuration items Item Description Server Type: Select the type of the RADIUS servers supported by the device, which can be: • Standard—Standard RADIUS servers. The RADIUS client and RADIUS server communicate by using the standard RADIUS protocol and packet format defined in RFC 2865/2866 or later.
  • Page 416 RADIUS server. RADIUS Packet Source IP: HP recommends using a loopback interface address instead of a physical interface address as the source IP address. If the physical interface is down, the response packets from the server cannot reach the device.
  • Page 417 Item Description Send accounting-on packets: Enable or disable the accounting-on feature, and set the interval and the maximum number of attempts for sending accounting-on packets. The accounting-on feature enables a device to send accounting-on packets to RADIUS servers after it reboots, making the servers forcibly log out users who logged in through the device before the reboot.
  • Page 418 Table 37 Configuration items Item Description Server Type: Select the type of the RADIUS server to be configured. Possible values include primary authentication server, primary accounting server, secondary authentication server, and secondary accounting server. IP Address: Specify the IPv4 or IPv6 address of the RADIUS server. The IP addresses of the primary and secondary servers for a scheme must be different.
  • Page 419 Configuring LDAP authentication LDAP is a cross-platform, standard directory service system based on TCP/IP. It was developed on the basis of the X.500 protocol but is better than X.500 at data reading, browsing, and searching. LDAP is suitable for storing data that does not change frequently. A typical application of LDAP is to store the user information of a system.
  • Page 420 Item Description Authentication Mode: Select an authentication mode for LDAP authentication. Options include Password, Password+Certificate, and Certificate. User Group Attribute: Specify the name of the user group attribute configured on the LDAP server. Specify conditions to query user DN: Select this option to query user DN by specified conditions, including the administrator DN, password, search base DN, and search template.
  • Page 421 Click Apply. Table 40 Configuration items Item Description Enable AD authentication: Select this item to enable AD authentication. AD Domain Name: Enter the name of the AD domain. AD Server IP: Enter the IP addresses of the AD servers. You can specify four AD servers at most. When one server fails, the system uses another server to authenticate users.
  • Page 422: Configuring A Security Policy

    Table 41 Configuration items Item Description Enable combined authentication: Select this item to enable combined authentication. First-Time Authentication Method: Select an authentication method as the first-time authentication method. Second-Time Authentication Method: Select an authentication method as the second-time authentication method. With this item selected, the system provides the login page and asks a user for a password again after the user passes the first authentication.
  • Page 423 Click Add to add a new security policy. Figure 184 Adding a security policy Configure the security policy as described in Table Click Apply. Table 42 Configuration items Item Description Name: Enter a name for the security policy. Set a level for the security policy. A larger number means a higher level. If multiple security policies are defined, the system first uses the security policy with the highest priority to check the user host.
  • Page 424 Item Description Policy Configuration: Set check rules for the security policy. Check rules are divided into seven categories: operating system, browser, antivirus software, firewall, certificate, file, and process. To pass the check of a category, a host needs to satisfy at least one rule of the category. To pass the check of a security policy, a host must satisfy all categories of the policy.
  • Page 425: Customizing The Ssl Vpn User Interface

    Item Description Set an operator for antivirus software version check and virus definitions version check. • >=: The antivirus software and its virus definitions must be of the specified version or a later version. • >: The antivirus software and its virus definitions must have a version later than the specified version.
  • Page 426 • Full customization—You can edit a webpage file of your own to provide a fully customized user access interface. Figure 185 Customizable information on the login page Copyright (c) 2010 Hewlett-Packard Development Company, L.P.
  • Page 427 Figure 186 Customizable information on the service page Partially customizing the SSL VPN interface Configure the text information: Select VPN > SSL VPN > Page Customization > Partial Customization from the navigation tree. The Text Information tab appears, as shown in Figure 187.
  • Page 428 Click the Login Page Logo tab to enter the page shown in Figure 188. Click Browse to select a local picture file. Set whether to directly overwrite the file with the same name on the device. Click Apply to upload the picture file to the SSL VPN system and use it as the logo picture on the login page.
  • Page 429: User Access To Ssl Vpn

    Figure 190 Specifying a service page background picture Fully customizing the SSL VPN interface Before full customization of the SSL VPN interface, upload the customized page file to the SSL VPN gateway through FTP or TFTP. Select VPN > SSL VPN > Page Customization > Full Customization from the navigation tree. The full customization page appears.
  • Page 430: Logging In To The Ssl Vpn Service Interface

    Logging in to the SSL VPN service interface After the SSL VPN gateway is well configured, a user can log in to the SSL VPN service interface, following these steps: Launch a browser on the user's host. Enter https://192.168.1.1:44300/svpn/ in the address bar of the browser to enter the SSL VPN login page, as shown in Figure 192.
  • Page 431: Accessing Ssl Vpn Resources

    Figure 193 SSL VPN service interface Figure 194 SSL VPN client software Accessing SSL VPN resources After logging in to the SSL VPN service interface, a user can see all resources that you have authorized the user to access, and perform the following operations: Clicking a resource name under Websites to access the website.
  • Page 432: Getting Help Information

    • Clicking a resource name under TCP Applications to run the command you configured for the resource (if any), or performing configurations according to the information provided by the resource name and then accessing the resource. For example, a user can configure the Outlook email receiving and sending servers according to the email resource name, log in by using the username and password, and then use the email service.
  • Page 433: Changing The Login Password

    Changing the login password To change the login password, a user needs to perform the following configurations: Click the Configure button in the upper right corner of the SSL VPN service interface to enter the page shown in Figure 196. Enter the new password, and confirm the new password.
  • Page 434: Configuration Prerequisites

    • Specify the default authentication method as RADIUS for the SSL VPN domain and enable verification code authentication. Figure 197 Network diagram (Host/Remote user, 10.1.1.1/24, Internet, Router/SSL VPN gateway, Internal servers, 10.2.1.1/24) Configuration prerequisites • The SSL VPN gateway, the CA, and the hosts used by remote users can reach each other. • The CA is enabled with the CA service and can issue certificates to the SSL VPN gateway and the...
  • Page 435 Figure 198 Configuring a PKI entity named en Configure a PKI domain named sslvpn: Select Authentication > Certificate Management > Domain from the navigation tree. Click Add. On the page that appears, as shown in Figure 199, enter the PKI domain name sslvpn, enter the CA identifier CA server, select en as the local entity, select RA as the registration authority, enter the certificate requesting URL http://10.2.1.1/certsrv/mscep/mscep.dll, select Manual as the certificate request mode, and click Apply.
  • Page 436 Select Authentication > Certificate Management > Certificate from the navigation tree. Click Create Key to enter the key generation page, as shown in Figure 200. Set the key length to 1024. Click Apply. Figure 200 Generating an RSA key pair Retrieve the CA certificate: After the key pair is generated, click the Retrieve Cert button on the certificate management page.
  • Page 437 Figure 202 Requesting a local certificate You can view the retrieved CA certificate and the local certificate on the certificate management page. Figure 203 Certificate management page Enable SSL VPN, and configure a port and a PKI domain for the SSL VPN service: Select VPN >...
  • Page 438 Select VPN > SSL VPN > Resource Management > Web Proxy from the navigation tree. Click Add. The Web proxy server resource configuration page appears, as shown in Figure 205. Enter the resource name tech. Enter the website address http://10.153.1.223/. Click Apply.
  • Page 439 Figure 206 Configuring a desktop sharing service resource Configure global parameters for IP network resources: Select VPN > SSL VPN > Resource Management > IP Network from the navigation tree. The Global Configuration tab appears, as shown in Figure 207. Enter the start IP address 192.168.0.1.
  • Page 440 The network service is added to the host resource. Click the Add button under the Shortcuts list. On the page that appears, as shown in Figure 209, enter the shortcut name ftp_security-server and the shortcut command ftp 10.153.2.25, and click Apply. The shortcut is added to the host resource.
  • Page 441 Figure 210 Configuring a host resource Configure resource group res_gr1, and add resource desktop to it: Select VPN > SSL VPN > Resource Management > Resource Group from the navigation tree to enter the resource group list page. Click Add to enter the resource group configuration page, as shown in Figure 211.
  • Page 442 Configure resource group res_gr2, and add resources tech and sec_srv to it: On the resource group list page, click Add. Enter the resource group name res_gr2. Select resources tech and sec_srv on the Available Resources list and click the << button to add them to the Selected Resources list.
  • Page 443 Figure 213 Adding local user usera Configure user group user_gr1, assign resource group res_gr1 to the user group and add local user usera to the user group: Select VPN > SSL VPN > User Management > User Group from the navigation tree to enter the user group list page.
  • Page 444 Figure 214 Configuring user group user_gr1 Configure user group user_gr2, and assign resource group res_gr2 to the user group: On the user group list page, click Add. Enter the user group name user_gr2. Select res_gr2 on the Available Resource Groups list and click << to add it to the Selected Resource Groups list.
  • Page 445 Figure 215 Configuring user group user_gr2 Configuring an SSL VPN domain Configure the default authentication method for the SSL VPN domain as RADIUS and enable verification code authentication: Select VPN > SSL VPN > Domain Management > Basic Configuration from the navigation tree. The Domain Policy tab appears, as shown in Figure 216.
  • Page 446 Figure 216 Configuring the domain policy Configure a RADIUS scheme named system: Select Authentication > RADIUS from the navigation tree. Click Add to enter the RADIUS scheme configuration page. Enter the scheme name system. In the Common Configuration area, select Extended as the supported RADIUS server type, and select Without domain name as the username format.
  • Page 447: Verifying The Configuration

    Figure 218 Configuring RADIUS scheme named system Enable RADIUS authentication for the SSL VPN domain: Select VPN > SSL VPN > Domain Management > Authentication Policy from the navigation tree. Click the RADIUS Authentication tab. Select the box before Enable RADIUS authentication. Click Apply.
  • Page 448 Figure 220 SSL VPN login page Select Local from the Auth Mode list. Use the public account usera to log in. You can see the resource desktop, as shown in Figure 221. Clicking the resource name, you can access the shared desktop of the specified host, as shown in Figure 222.
  • Page 449 Figure 222 Access the desktop sharing resource Assume that a user named userb is configured and added to user group user_gr2 on the RADIUS server. Use this user account and the default authentication method RADIUS to log in. You can see website tech, subnet resource 10.153.2.0/24, and a shortcut to the security server, as shown in Figure 223.
  • Page 450 Figure 223 Resources that a non-public account can access Figure 224 Access the IP network resource...
  • Page 451: Configuring Firewall

    Configuring firewall Overview A firewall blocks unauthorized Internet access to a protected network while allowing internal network users to access the Internet through WWW, or to send and receive e-mails. A firewall can also be used to control access to the Internet, for example, to permit only specific hosts within the organization to access the Internet.
  • Page 452 ASPF functions An ASPF provides the following main functions: • Application layer protocol inspection—ASPF checks the application layer information of packets, such as the protocol type and port number, and monitors the connection-oriented application layer protocol status. ASPF maintains the status information of each connection, and based on such information, determines whether to permit a packet to pass through the firewall into the internal network, thus defending the internal network against attacks.
  • Page 453 Single-channel protocol—A single-channel protocol establishes only one channel to exchange both control messages and data for a user. SMTP and HTTP are examples of single-channel protocols. Multi-channel protocol—A multi-channel protocol establishes more than one channel for a user and transfers control messages and user data through different channels. FTP and RTSP are examples of multi-channel protocols.
  • Page 454: Configuring A Packet-Filter Firewall

    Therefore, for multi-channel application layer protocols like FTP and H.323, the deployment of TCP inspection without application layer inspection will lead to failure of establishing a data connection. Configuring a packet-filter firewall Packet-filter firewall configuration task list Task Remarks Enabling the firewall function Required.
  • Page 455: Configuring Packet Filtering On An Interface

    Step Command Remarks Specify the default filtering action of the firewall: firewall default { deny | permit } { all | slot slot-number } Optional. permit (permit packets to pass the firewall) by default. Use the deny action with caution. If you specify the deny action, routing protocol packets are denied, resulting in network disconnectivity.
  • Page 456: Displaying And Maintaining A Packet-Filter Firewall

    You can apply only one ACL to filter packets in one direction of an interface. Configuring IPv6 packet filtering on an interface IPv6 packet filtering is a basic firewall function of an IPv6-based ACL. You can configure IPv6 packet filtering in the inbound or outbound direction of an interface so that the interface filters packets that match the IPv6 ACL rules.
  • Page 457 By using the firewall feature, the company intends to achieve the following aim: • Only specific users on external networks are given access to the internal servers, and only specific hosts on the internal network are permitted to access external networks. •...
  • Page 458: Configuring An Aspf

    [Router-GigabitEthernet3/0/1] firewall packet-filter 3001 inbound # Apply ACL 3002 to packets that come in through Serial 2/1/1. [Router-GigabitEthernet3/0/1] quit [Router] interface serial 2/1/1 [Router-Serial2/1/1] firewall packet-filter 3002 inbound Configuring an ASPF ASPF configuration task list Task Remarks Enabling the firewall function Required.
  • Page 459: Applying An Aspf Policy To An Interface

    Applying an ASPF policy to an interface Two concepts are distinguished in ASPF policy: internal interface and external interface. If the device is connected to both the internal network and the Internet, and employs ASPF to protect the internal servers, the interface connected to the internal network is the internal interface and the one connected to the Internet is the external interface.
  • Page 460: Displaying Aspf

    Displaying ASPF Task Command Remarks Display all ASPF policy and session information: display aspf all [ | { begin | exclude | include } regular-expression ] Available in any view. Display the ASPF policy configuration applied to the …: display aspf interface [ | { begin | exclude | … Available in any view.
  • Page 461 # Create ACL 2001 to block Java applets from site 2.2.2.11. [RouterA] acl number 2001 [RouterA-acl-basic-2001] rule deny source 2.2.2.11 0 [RouterA-acl-basic-2001] rule permit [RouterA-acl-basic-2001] quit # Create ASPF policy 1. [RouterA] aspf-policy 1 [RouterA-aspf-policy-1] icmp-error drop [RouterA-aspf-policy-1] tcp syn-check [RouterA-aspf-policy-1] quit # Apply ACL 3111 and the ASPF policy to the interface Serial 2/1/1.
  • Page 462: Configuring Alg

    Configuring ALG Application Level Gateway (ALG) processes the payload information of application layer packets to make sure data connections can be established. Usually NAT translates only IP address and port information in packet headers and does not analyze fields in application layer payloads. However, the packet payloads of some protocols may contain IP address or port information, which may cause problems if not translated.
  • Page 463 Figure 228 Network diagram for ALG-enabled FTP application in passive mode (inside network / outside network; Router with FTP-ALG enabled; Host; FTP server). Message sequence: FTP_CMD ("PASV") is forwarded unchanged; FTP_EnterPassive ("IP1, Port1") is rewritten by the router to FTP_EnterPassive ("IP2, Port2") (IP1, Port1 -> IP2, Port2); FTP_Connect (IP2, Port2) is translated back to FTP_Connect (IP1, Port1). The communication process includes the following steps: Establishing a control connection.
  • Page 464: Enabling Alg

    Enabling ALG Step Command Remarks Enter system view: system-view. Enable ALG: alg { all | dns | ftp | gtp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp } Optional. By default, ALG is enabled for all protocols.
  • Page 465: Sip/H.323 Alg Configuration Example

    SIP/H.323 ALG configuration example H.323 ALG configuration is similar to SIP ALG configuration. The following example describes SIP ALG configuration. The example describes only ALG configurations, assuming other required configurations on the server and client have been done. Network requirements As shown in Figure 230, a company uses the private network segment 192.168.1.0/24, and has four...
  • Page 466 Configure NAT and ALG on the router so that Host A uses 5.5.5.9 as its external IP address, the WINS server uses 5.5.5.10 as its external IP address, and Host B can access the WINS server and Host A by using host names.
  • Page 467: Managing Sessions

    Managing sessions Overview Session management is a common feature designed to implement session-based services such as NAT, ASPF, and intrusion protection. Session management regards packet exchanges at transport layer as sessions and updates the session status, or ages sessions out according to information in the initiator or responder packet.
  • Page 468: Session Management Task List

    • Supporting ICMP error packet mapping and allowing the system to search for original sessions according to the payload of these packets. Because error packets are generated due to host errors, the mapping can help speed up the aging of the original sessions. • Supporting persistent sessions, which are not aged within a long period of time.
  • Page 469: Configuring Session Aging Time Based On Application Layer Protocol Type

    Set the aging time of an application layer protocol: … { dns | ftp | msn | qq | sip } time-value Default values: • msn—3600 seconds. • qq—60 seconds. • sip—300 seconds. HP recommends you set a larger value for the aging time than the FTP packet keepalive interval.
  • Page 470: Configuring Early Aging For Sessions

    Configuring early aging for sessions A device that does not support attack detection or attack protection is vulnerable to attacks on session resources. If session resources are used up, the device cannot support normal forwarding services, for example, NAT processing. To prevent such attacks, you can configure early aging for sessions. After you configure early aging for sessions: • When the session ratio (the ratio of the number of established sessions to the session count...
  • Page 471: Specifying The Persistent Session Rule

    To enable checksum verification for protocol packets: Step Command Remarks Enter system view: system-view. Enable checksum verification: session checksum { all | { icmp | tcp | udp } * } Disabled by default. Specifying the persistent session rule You can set sessions with specific characteristics as persistent sessions. The aging time of a persistent session does not change with session state transitions, and the session will not be removed even when no packets match it.
  • Page 472: Configuring Session Logging

    Configuring session logging Session logs help track information about user access, IP address translation, and traffic, and can be sent to the log server or exported to the information center in flow log format. Session logs help network administrators with security auditing. VLAN interfaces do not support session logging.
  • Page 473: Configuring Session Log Export

    Configuring session log export Session logs are exported in the form of flow logs. To configure session log exporting: Step Command Remarks Enter system view: system-view. Specify the flow log version: userlog flow export version version-number Optional. 1.0 by default. Optional.
  • Page 474 Task Command Remarks Display statistics for sessions: display session statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] Available in any view. This command is not supported by the SPE-FWM-200, SPE-IPS-200, SPE-ACG-200, and FIP600 cards.
  • Page 475: Configuring Connection Limits

    The limit rules are matched in ascending order of rule ID. When you configure connection limit rules for a policy, carefully check the rules and their order. HP recommends that you arrange the rules in ascending order of scale and range.
  • Page 476: Applying The Connection Limit Policy

An IP address-based connection limit rule can be of any of the following types:
• Source-to-destination—Limits connections from a specific internal host or segment to a specific external host or segment.
• Source-to-any—Limits connections from a specific internal host or segment to external networks.
• ...
  • Page 477: Configuration Procedure

• Each host on segment 192.168.0.0/24 can establish up to 100 connections to the external network, and all the other hosts can establish as many connections as possible.
• Permit up to 10000 connections from the external network to the DNS server.
• ...
  • Page 478: Troubleshooting Connection Limiting

Connection-limit policy 0, refcount 1, 3 limits
limit 0 source ip 192.168.0.0 24 destination ip any protocol ip max-connections 100 per-source
limit 1 source ip any destination ip 192.168.0.3 32 protocol dns max-connections 10000
limit 2 source ip any destination ip 192.168.0.2 32 protocol http max-connections 10000
Troubleshooting connection limiting
Connection limit rules with overlapping segments
Symptom...
• Page 479
Analysis
Both rules limit 0 and limit 1 involve HTTP connections, and the rule with a smaller ID is matched first. Rule 0 is used for HTTP connections.
Solution
Rearrange the two connection limit rules by exchanging their rule IDs so that the rule for HTTP connections is matched first.
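The first-match-in-ascending-rule-ID behaviour behind this troubleshooting case, applied to the three-rule policy displayed above, as an added Python example (not HP code and not the device's matching engine). The rule syntax is paraphrased into a small dataclass, the client and server addresses and the flows are constructed, and the counting model (one counter per rule, or one per source address for a per-source rule) is an assumption about how the device counts, not something the page states. It shows why a broad low-ID rule shadows a narrower higher-ID rule for the hosts both cover.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class LimitRule:
    """One 'limit N source ip ... destination ip ... protocol ... max-connections ...' line."""
    rule_id: int
    source: str          # CIDR prefix or "any"
    destination: str     # CIDR prefix or "any"
    protocol: str        # "ip" matches every protocol; otherwise "dns" or "http"
    max_connections: int
    per_source: bool = False

    @staticmethod
    def _in(addr, scope):
        return scope == "any" or ip_address(addr) in ip_network(scope, strict=False)

    def matches(self, src, dst, proto):
        return (self._in(src, self.source) and self._in(dst, self.destination)
                and self.protocol in ("ip", proto))


def match_rule(rules, src, dst, proto):
    """Rules are tried in ascending rule ID; the first match wins (as the page states)."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(src, dst, proto):
            return rule
    return None


class ConnectionLimiter:
    """Counting model is an assumption: a counter per rule, or per (rule, source) for per-source rules."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.counts = Counter()

    def admit(self, src, dst, proto):
        """Return (allowed, matched_rule_id). Flows matching no rule are not limited."""
        rule = match_rule(self.rules, src, dst, proto)
        if rule is None:
            return True, None
        key = (rule.rule_id, src if rule.per_source else None)
        if self.counts[key] >= rule.max_connections:
            return False, rule.rule_id
        self.counts[key] += 1
        return True, rule.rule_id


# The policy shown in the display output above, transcribed.
PAGE_POLICY = [
    LimitRule(0, "192.168.0.0/24", "any", "ip", 100, per_source=True),
    LimitRule(1, "any", "192.168.0.3/32", "dns", 10000),
    LimitRule(2, "any", "192.168.0.2/32", "http", 10000),
]


def demo():
    """Constructed flows through the page's policy; returns the observations as a dict."""
    limiter = ConnectionLimiter(PAGE_POLICY)
    results = {}
    # 101 HTTP connections from one internal host to an external server: rule 0, per-source cap of 100
    decisions = [limiter.admit("192.168.0.10", "198.51.100.7", "http") for _ in range(101)]
    results["internal_host_allowed"] = sum(ok for ok, _ in decisions)
    results["internal_host_rule"] = decisions[0][1]
    # An internal host talking to the internal HTTP server is still caught by rule 0, never rule 2:
    # the broad rule with the smaller ID shadows the narrower one for this source range.
    results["internal_to_http_server_rule"] = limiter.admit("192.168.0.11", "192.168.0.2", "http")[1]
    # External clients reach the narrower rules because rule 0 does not cover their source.
    results["external_dns_rule"] = limiter.admit("203.0.113.5", "192.168.0.3", "dns")[1]
    results["external_http_rule"] = limiter.admit("203.0.113.5", "192.168.0.2", "http")[1]
    # A flow matching no rule is not limited at all.
    results["unmatched_rule"] = limiter.admit("203.0.113.9", "192.168.0.9", "http")[1]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Reading the result: the per-source rule admits exactly 100 connections from one internal host and the shadowing case reports rule 0 for traffic an administrator might have intended rule 2 to govern, which is the situation the troubleshooting entry resolves by swapping rule IDs.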
  • Page 480: Configuring Web Filtering

    Configuring web filtering Overview In legacy network security solutions, network protection mainly targets external attacks. With the popularity of network applications in every walk of life, however, the internal network also faces security threats caused by internal user access to illegal networks. To protect the internal network against such threats, the network devices must be able to filter illegal access requests from internal users.
  • Page 481: Url Parameter Filtering

• If URL address filtering does not support IP addresses, the device checks the ACL rules for URL address filtering. If the ACL permits the IP address, the device forwards the request. Otherwise, the device drops the request.
URL parameter filtering
Many webpages are dynamic, connected with databases, and support data query and modification through web requests.
  • Page 482: Activex Blocking

    ActiveX blocking ActiveX blocking protects networks from being attacked by malicious ActiveX plugins. After the ActiveX blocking function is enabled, requests for ActiveX plugins to all webpages will be filtered. If the ActiveX plugins in some webpages are expected, you can configure ACL rules to permit requests to the ActiveX plugins of these webpages.
  • Page 483: Configuring Url Parameter Filtering

• Enable the URL address filtering function: firewall http url-filter host enable (Disabled by default.)
• Configure IP address-supported URL address filtering: firewall http url-filter host ip-address { deny | permit } (Deny by default.)
• Specify an ACL for URL address filtering: firewall http url-filter host acl ... (Optional. By default, no ACL is specified for ...)
  • Page 484: Configuring Activex Blocking

• Display information about Java blocking: display firewall http java-blocking [ all | item keywords | verbose ] [ | { begin | exclude | include } regular-expression ] (Optional.)
In the ACL for Java blocking, you need to configure the source IP addresses as the IP addresses of the HTTP servers allowed to be accessed, and set the action to permit.
  • Page 485: Url Address Filtering Configuration Example

• Clear web filtering statistics: reset firewall http { activex-blocking | java-blocking | url-filter host | url-filter parameter } counter (Available in user view.)
URL address filtering configuration example
Network requirements
The hosts in the network segment 192.168.1.0/24 access the Internet through the device. The device is enabled with the URL address filtering function, and allows the hosts to access only www.webflt.com using the URL address or IP address.
  • Page 486: Url Parameter Filtering Configuration Example

[Router-acl-basic-2000] quit
# Specify to allow users to use IP addresses to access websites.
[Router] firewall http url-filter host ip-address deny
[Router] firewall http url-filter host acl 2000
After the above configuration, open a web browser on a host in the LAN, enter website http://www.webflt.com or http://3.3.3.3 and you can access this website correctly.
  • Page 487: Java Blocking Configuration Example

[Router-acl-basic-2200] rule 1 deny source any
[Router-acl-basic-2200] quit
[Router] nat address-group 1 2.2.2.10 2.2.2.11
[Router] interface gigabitethernet 3/0/1
[Router-GigabitEthernet3/0/1] nat outbound 2200 address-group 1
[Router-GigabitEthernet3/0/1] quit
# Enable the URL parameter filtering function and add a URL parameter filtering entry group.
[Router] firewall http url-filter parameter enable
[Router] firewall http url-filter parameter keywords group
Use the display firewall http url-filter parameter verbose command to display detailed URL parameter...
  • Page 488: Troubleshooting Web Filtering

[Router-acl-basic-2200] rule 0 permit source 192.168.1.0 0.0.0.255
[Router-acl-basic-2200] rule 1 deny source any
[Router-acl-basic-2200] quit
[Router] nat address-group 1 2.2.2.10 2.2.2.11
[Router] interface gigabitethernet 3/0/1
[Router-GigabitEthernet3/0/1] nat outbound 2200 address-group 1
[Router-GigabitEthernet3/0/1] quit
# Configure an ACL numbered 2100 for Java blocking.
[Router] acl number 2100
[Router-acl-basic-2100] rule 0 permit source 5.5.5.5 0.0.0.0
[Router-acl-basic-2100] rule 1 deny source any...
  • Page 489: Invalid Characters Are Present In The Configured Parameter

Analysis
The number of URL address filtering entries, URL parameter filtering entries, Java blocking suffix keywords, or ActiveX blocking suffix keywords has reached the upper limit.
Solution
If necessary, remove some configured entries or keywords before adding new ones.
Invalid characters are present in the configured parameter
Symptom
When you configure a URL address filtering entry or URL parameter filtering entry, the system displays a character error message.
  • Page 490: Invalid Blocking Suffix

Table 46 Wildcards for URL parameter filtering entries (Wildcard / Meaning / Usage guidelines)
• Matches parameters starting with the keyword. Usage guidelines: can be present once at the beginning of a filtering entry.
• Matches parameters ending with the keyword. Usage guidelines: can be present once at the end of a filtering entry.
  • Page 491: Unable To Access The Http Server By Ip Address

    Unable to access the HTTP server by IP address Symptom After the URL address filtering function is enabled, you cannot access the HTTP server by its IP address. Analysis By default, the URL address filtering function disables access by IP address. Web requests that use the IP address to access the HTTP server will be filtered.
  • Page 492: Configuring Attack Detection And Protection

Configuring attack detection and protection
Overview
Attack detection and protection is an important network security feature. It determines whether received packets are attack packets according to the packet contents and behaviors and, if it detects an attack, takes measures to deal with it, such as recording alarm logs, dropping packets, and blacklisting the source IP address.
• Page 493
Single-packet attack / Description
• Large ICMP: For some hosts and devices, large ICMP packets cause memory allocation errors and thus crash the protocol stack. A large ICMP attacker sends large ICMP packets to a target to make it crash.
• Route Record: An attacker exploits the route record option in the IP header to probe the topology of a network.
  • Page 494: Blacklist Function

    An attacker sends a large number of UDP packets to the target in a short time, making the target too busy to process normal services. Blacklist function The blacklist function is an attack protection measure that filters packets by source IP address. Compared with Access Control List (ACL) packet filtering, blacklist filtering is simpler in matching packets and therefore can filter packets at a high speed.
  • Page 495: Tcp Proxy

• RAW IP session establishment rate
The device collects statistics to calculate the session establishment rates at an interval of 5 seconds. Therefore, the session establishment rates displayed on the device are based on the statistics collected during the latest 5-second interval. The traffic statistics function does not take the session status into account (except for the TCP half-open and half-close states).
• Page 496
Figure 238 Data exchange process in unidirectional proxy mode (TCP client, TCP proxy, TCP server)
1) SYN
2) SYN ACK (invalid sequence number)
3) RST
4) SYN (retransmitting)
5) SYN (forwarding)
6) SYN ACK
7) ACK
8) ACK (forwarding)
When the TCP proxy receives a SYN message sent from a client to a protected server, it sends back a SYN ACK message that uses a wrong sequence number on behalf of the server.
  • Page 497: Attack Detection And Protection Configuration Task List

    After receiving a SYN message from a client to a protected server, the TCP proxy sends back a SYN ACK message with the window size of 0 on behalf of the server. If the client is legitimate, the TCP proxy receives an ACK message. Upon receiving an ACK message from the client, the TCP proxy sets up a connection between itself and the server through a three-way handshake on behalf of the client.
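The two proxy modes described on these pages, the unidirectional RST check from Figure 238 and the bidirectional zero-window check, as an added Python simulation that is not HP code and does not model a real TCP stack. The client addresses, the bogus sequence values and the burst size are constructed, and the proxy, the legitimate client and the protected server are reduced to the state transitions the text describes; sequence-number handling is symbolic. It shows why, in both modes, SYNs from sources that never answer the proxy's SYN ACK never reach the server, while a real client still connects.

```python
from dataclasses import dataclass, field


@dataclass
class Segment:
    src: str            # sender; constructed sample addresses
    flags: str          # "SYN", "SYN-ACK", "ACK" or "RST"
    ack_of: int = 0     # SYN-ACK: sequence number it carries; RST: the number it rejects


@dataclass
class ProtectedServer:
    syns_received: int = 0
    established: set = field(default_factory=set)


@dataclass
class TcpProxy:
    mode: str                                         # "unidirectional" or "bidirectional"
    server: ProtectedServer
    challenged: dict = field(default_factory=dict)    # client -> sequence number used in the challenge
    verified: set = field(default_factory=set)        # clients that passed the unidirectional RST check

    def receive(self, seg):
        """Process one segment from the client side; return segments sent back to the client."""
        if seg.flags == "SYN":
            if self.mode == "unidirectional":
                if seg.src in self.verified:
                    # steps 5-8: the retransmitted SYN of a verified client is forwarded and the
                    # client completes the handshake with the server itself
                    self.server.syns_received += 1
                    self.server.established.add(seg.src)
                    return [Segment("server", "SYN-ACK")]
                bogus = 0xBAD0000 + len(self.challenged)  # step 2: deliberately wrong sequence number
                self.challenged[seg.src] = bogus
                return [Segment("proxy", "SYN-ACK", ack_of=bogus)]
            # bidirectional: answer on the server's behalf with a window size of 0
            self.challenged[seg.src] = 0
            return [Segment("proxy", "SYN-ACK", ack_of=0)]
        if seg.flags == "RST" and self.mode == "unidirectional":
            # step 3: a real stack rejects the bad SYN ACK with RST; a spoofed source never does
            if self.challenged.get(seg.src) == seg.ack_of:
                del self.challenged[seg.src]
                self.verified.add(seg.src)
            return []
        if seg.flags == "ACK" and self.mode == "bidirectional":
            if seg.src in self.challenged:
                del self.challenged[seg.src]
                # the proxy now performs the three-way handshake with the server for the client
                self.server.syns_received += 1
                self.server.established.add(seg.src)
            return []
        return []


def legitimate_client(proxy, ip):
    """What a real TCP stack does when it meets the proxy's challenge."""
    for reply in proxy.receive(Segment(ip, "SYN")):
        if reply.flags != "SYN-ACK":
            continue
        if proxy.mode == "unidirectional":
            proxy.receive(Segment(ip, "RST", ack_of=reply.ack_of))  # step 3: reject bad SYN ACK
            proxy.receive(Segment(ip, "SYN"))                       # step 4: retransmit the SYN
        else:
            proxy.receive(Segment(ip, "ACK"))                       # zero-window SYN ACK is valid


def unanswered_syn_burst(proxy, count):
    """SYNs whose constructed sources never see the SYN ACK, so they neither RST nor ACK;
    this is how a spoofed-source SYN flood looks from the proxy's side."""
    for i in range(count):
        proxy.receive(Segment(f"203.0.113.{i % 200 + 1}", "SYN"))


def run(mode, with_legitimate_client=True):
    """Return (SYNs that reached the server, clients the server ended up connected to)."""
    server = ProtectedServer()
    proxy = TcpProxy(mode, server)
    unanswered_syn_burst(proxy, 1000)
    if with_legitimate_client:
        legitimate_client(proxy, "192.0.2.10")
    return server.syns_received, sorted(server.established)


if __name__ == "__main__":
    for mode in ("unidirectional", "bidirectional"):
        print(mode, run(mode), run(mode, with_legitimate_client=False))
```

In both modes a thousand unanswered SYNs produce zero SYNs at the server, and the one legitimate client is the only connection the server sees; the difference is where the verification state lives (a verified-client set in unidirectional mode, a pending-ACK entry in bidirectional mode).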
  • Page 498: Configuring Attack Protection Functions For An Interface

    Configuring attack protection functions for an interface Creating an attack protection policy Before configuring attack protection functions for an interface, you need to create an attack protection policy and enter its view. In attack protection policy view, you can define one or more signatures used for attack detection and specify the corresponding protection measures.
• Page 499
• Configure the ICMP packet length threshold that triggers large ICMP attack protection: signature-detect large-icmp max-length length (Optional. 4000 bytes by default.)
• Configure the device to drop single-packet attack packets: signature-detect action drop-packet (Optional. By default, the device does not process the attack packets if it detects an attack.)
• Page 500
• Enable the blacklist function: blacklist enable (Required to make the blacklist entries added by the scanning attack protection function take effect. By default, the blacklist function is disabled.)
Configuring a flood attack protection policy
The flood attack protection function is used to protect servers. It detects various flood attacks by monitoring the rate at which connection requests are sent to a server.
  • Page 501: Applying An Attack Protection Policy To An Interface

• Enter system view: system-view
• Enter attack protection policy view: attack-defense policy policy-number
• Enable ICMP flood attack protection: defense icmp-flood enable (Disabled by default.)
• Configure the global action and silence thresholds: defense icmp-flood rate-threshold high rate-number [ low ... (Optional. By default, the action threshold is 1000 packets per second and the...)
  • Page 502: Configuring Tcp Proxy

To apply an attack protection policy to an interface:
• Enter system view: system-view
• Enter interface view: interface interface-type interface-number
• Apply an attack protection policy to the interface: attack-defense apply policy ... (By default, no attack protection policy is applied to any interface. The attack protection policy to be...)
  • Page 503: Enabling Traffic Statistics On An Interface

• Enter system view: system-view
• Enable the blacklist function: blacklist enable (Disabled by default.)
• Add a blacklist entry: blacklist ip source-ip-address [ timeout minutes ] (Optional. The scanning attack protection function can add blacklist entries automatically.)
You can add blacklist entries manually, or configure the device to automatically add the IP addresses of detected scanning attackers to the blacklist.
  • Page 504: Attack Detection And Protection Configuration Examples

• Display the configuration information about one or all attack protection policies: display attack-defense policy [ policy-number ] [ | { begin | exclude | include } regular-expression ] (Available in any view.)
• Display information about blacklist ...: display blacklist { all | ip source-ip-address [ slot slot-number ] | slot slot-number } [ | ... (Available in any view.)
• Page 505
Figure 240 Network diagram (labels as extracted: Host A, Host B, Attacker, Router GE3/0/1 192.168.1.1/16, GE3/0/2 202.1.0.1/16, Internet, GE3/0/3 10.1.1.1/24, Host D 5.5.5.5/24, Host C, Server 10.1.1.2/24)
Configuration procedure
# Configure IP addresses for interfaces. (Details not shown.)
# Enable the blacklist function.
<Router>...
  • Page 506: Blacklist Configuration Example

# Configure the policy to drop the subsequent packets after a SYN flood attack is detected.
[Router-attack-defense-policy-2] defense syn-flood action drop-packet
[Router-attack-defense-policy-2] quit
# Apply policy 2 to GigabitEthernet 3/0/3.
[Router] interface gigabitethernet 3/0/3
[Router-GigabitEthernet3/0/3] attack-defense apply policy 2
[Router-GigabitEthernet3/0/3] quit
Verifying the configuration
Use the display attack-defense policy command to view the contents of attack protection policies 1 and 2.
  • Page 507: Traffic Statistics Configuration Example

Verifying the configuration
Use the display blacklist all command to view the added blacklist entries.
[Router] display blacklist all
Blacklist information
-------------------------------------------------------------------------
Blacklist : enabled
Blacklist items
------------------------------------------------------------------------------
Total blacklist items on slot 0
              Type    Aging started         Aging finished        Dropped packets
                      YYYY/MM/DD hh:mm:ss   YYYY/MM/DD hh:mm:ss
5.5.5.5       manual  2008/04/09 16:02:20   Never
192.168.1.4...
• Page 508
# Apply policy 1 to GigabitEthernet 3/0/1.
[Router] interface gigabitethernet 3/0/1
[Router-GigabitEthernet3/0/1] attack-defense apply policy 1
# Enable the traffic statistics function in the outbound direction of GigabitEthernet 3/0/1.
[Router-GigabitEthernet3/0/1] flow-statistic enable outbound
# Enable traffic statistics based on destination IP address.
[Router-GigabitEthernet3/0/1] flow-statistic enable destination-ip
Verifying the configuration
If you suspect that the server is under an attack, you can view the traffic statistics information on the...
  • Page 509: Tcp Proxy Configuration Example

    the server is under a UDP flood attack. Use the display attack-defense statistics command to view the related statistics collected after the UDP flood protection function takes effect. TCP proxy configuration example Network requirements Configure the TCP proxy function on the router to protect internal servers from SYN flood attacks. Configure the function to operate in bidirectional mode.
• Page 510
[Router] interface gigabitethernet 3/0/2
[Router-GigabitEthernet3/0/2] tcp-proxy enable
[Router-GigabitEthernet3/0/2] quit
Verifying the configuration
When a SYN flood attack targeting an internal server occurs, use the display tcp-proxy protected-ip command to view information about the IP addresses protected by the TCP proxy function.
[Router] display tcp-proxy protected-ip
Protected IP    Port number...
  • Page 511: Configuring Tcp Attack Protection

Configuring TCP attack protection
Overview
Attackers can attack the device during the process of TCP connection establishment. To prevent such attacks, the device provides the following features:
• SYN Cookie
• Protection against Naptha attacks
This chapter describes the attacks that these features can prevent, the working mechanisms of these features, and the configuration procedures.
  • Page 512: Enabling Protection Against Naptha Attacks

Enabling protection against Naptha attacks
Naptha attacks are similar to SYN Flood attacks. Attackers can perform Naptha attacks by using the six TCP connection states (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, and SYN_RECEIVED), whereas SYN Flood attacks use only the SYN_RECEIVED state. Naptha attackers control a huge number of hosts to establish TCP connections with the server, keep these connections in the same state (any of the six), and request no data, so as to exhaust the memory resources of the server.
  • Page 513: Configuring Ip Source Guard

    Configuring IP source guard This feature is available only for SAP interface modules operating in Layer 2 mode. Overview IP source guard is intended to improve port security by blocking illegal packets. For example, it can prevent invalid hosts from using a valid IP address to access the network. IP source guard can filter packets according to the packet source IP address, source MAC address, and VLAN tag.
  • Page 514: Dynamic Ip Source Guard Entries

    A static IPv4 source guard entry binds an IP address, MAC address, VLAN, or any combination of the three with a port. Such an entry is effective on only the specified port. A port forwards a packet only when the IP address, MAC address, and VLAN tag (if any) of the packet all match those in a static binding entry on the port.
  • Page 515: Configuring A Static Ipv4 Source Guard Entry

Follow these guidelines when you enable IPv4 source guard on a port:
• You cannot enable IPv4 source guard on a link aggregation member port. If IPv4 source guard is enabled on a port, you cannot assign the port to a link aggregation group.
• The keyword specified in the ip verify source command is only for instructing the generation of...
  • Page 516: Setting The Maximum Number Of Ipv4 Source Guard Entries

• Configure a static IPv4 source guard entry on the port: ip source binding { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ] (By default, no static IPv4 binding entry is configured on a port. A static source guard entry can be configured on only Layer 2...)
  • Page 517: Static Ipv4 Source Guard Entry Configuration Example

    Static IPv4 source guard entry configuration example Network requirements As shown in Figure 245, Host A and Host B are connected to ports GigabitEthernet 3/0/2 and GigabitEthernet 3/0/1 of Router B respectively, Host C is connected to port GigabitEthernet 3/0/2 of Router A, and Router B is connected to port GigabitEthernet 3/0/1 of Router A.
• Page 518
[RouterA-GigabitEthernet3/0/1] ip verify source ip-address mac-address
# Configure GigabitEthernet 3/0/1 to allow only IP packets with the source MAC address of 0001-0203-0406 and the source IP address of 192.168.0.1 to pass.
[RouterA-GigabitEthernet3/0/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406
[RouterA-GigabitEthernet3/0/1] quit
Configure Router B:
# Enable IPv4 source guard on GigabitEthernet 3/0/2 to filter packets based on both the source IP address and MAC address.
  • Page 519: Dynamic Ipv4 Source Guard By Dhcp Snooping Configuration Example

    Dynamic IPv4 source guard by DHCP snooping configuration example Network requirements As shown in Figure 246, the router connects to the host (client) and the DHCP server through ports GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2, respectively. The host obtains an IP address from the DHCP server.
  • Page 520: Dynamic Ipv4 Source Guard By Dhcp Relay Configuration Example

DHCP Snooping is enabled.
The client binding table for all untrusted ports.
Type : D--Dynamic , S--Static
Type IP Address      MAC Address    Lease        VLAN Interface
==== =============== ============== ============ ==== =================
     192.168.0.1     0001-0203-0406 86335             GigabitEthernet3/0/1
The output shows that a dynamic IPv4 source guard entry has been generated based on the DHCP snooping entry.
  • Page 521: Troubleshooting Ip Source Guard

[Router] interface gigabitethernet 3/0/1
[Router-GigabitEthernet3/0/1] ip verify source ip-address mac-address
[Router-GigabitEthernet3/0/1] quit
Verifying the configuration
# Display the generated IPv4 source guard entries.
[Router] display ip source binding
Total entries found: 1
MAC Address    IP Address   VLAN Interface Type
0001-0203-0406 192.168.0.1       GE3/0/1   DHCP-RLY...
  • Page 522: Configuring Arp Attack Protection

    Configuring ARP attack protection ARP attacks and viruses threaten LAN security. This chapter describes multiple features used to detect and prevent such attacks. Overview Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
  • Page 523: Configuring Unresolvable Ip Attack Protection

• Configuring ARP gateway protection: Optional. Configure this function on access devices (recommended).
• Configuring ARP filtering: Optional. Configure this function on access devices (recommended).
Configuring unresolvable IP attack protection
If a device receives from a host a large number of IP packets that cannot be resolved by ARP (called unresolvable IP packets), the following situations can occur:
• ...
  • Page 524: Displaying And Maintaining Arp Source Suppression

Displaying and maintaining ARP source suppression
• Display ARP source suppression configuration information: display arp source-suppression [ | { begin | exclude | include } regular-expression ] (Available in any view.)
Configuration example
Network requirements
As shown in Figure 248, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20.
  • Page 525: Configuring Arp Packet Rate Limit

Configuration procedure
# Enable ARP source suppression and set the threshold to 100.
<Device> system-view
[Device] arp source-suppression enable
[Device] arp source-suppression limit 100
# Enable ARP black hole routing.
<Device> system-view
[Device] arp resolving-route enable
Configuring ARP packet rate limit
The ARP packet rate limit feature allows you to limit the rate of ARP packets to be delivered to the CPU.
  • Page 526: Configuring Arp Active Acknowledgement

    Configuring ARP active acknowledgement Configure this feature on gateway devices to prevent user spoofing. ARP active acknowledgement prevents a gateway from generating incorrect ARP entries. For more information about its working mechanism, see ARP Attack Protection Technology White Paper. To configure ARP active acknowledgement: Step Command Remarks...
  • Page 527: Configuration Example (On A Dhcp Server)

    Configuration example (on a DHCP server) Network requirements Configure the DHCP server with an IP address pool of 10.1.1.0/24 on Router A. Enable authorized ARP on GigabitEthernet 3/0/1 of Router A to ensure user validity. Configure the DHCP client on Router B to obtain an IP address from the DHCP server. Figure 249 Network diagram Configuration procedure Configure Router A:...
  • Page 528: Authorized Arp Configuration Example (On A Dhcp Relay Agent)

    Router B must use the IP address and MAC address in the authorized ARP entry to communicate with Router A. Otherwise, the communication fails. Thus user validity is ensured. Authorized ARP configuration example (on a DHCP relay agent) Network requirements Configure Router A as a DHCP server with an IP address pool of 10.10.1.0/24.
  • Page 529: Configuring Arp Detection

[RouterB-GigabitEthernet3/0/1] ip address 10.1.1.2 24
[RouterB-GigabitEthernet3/0/1] quit
[RouterB] interface gigabitethernet 3/0/2
[RouterB-GigabitEthernet3/0/2] ip address 10.10.1.1 24
# Enable DHCP relay agent on GigabitEthernet 3/0/2.
[RouterB-GigabitEthernet3/0/2] dhcp select relay
[RouterB-GigabitEthernet3/0/2] quit
# Add the DHCP server 10.1.1.1 to DHCP server group 1.
[RouterB] dhcp relay server-group 1 ip 10.1.1.1
# Correlate GigabitEthernet 3/0/2 to DHCP server group 1.
  • Page 530: Configuring User Validity Check

    If both ARP packet validity check and user validity check are enabled, the former one applies first, and then the latter applies. ARP detection does not check ARP packets received from ARP trusted ports. Configuring user validity check After you enable this feature, the device checks user validity as follows: Upon receiving an ARP packet from an ARP untrusted port, the device compares the sender IP and MAC addresses of the ARP packet against user validity check rules.
  • Page 531: Configuring Arp Packet Validity Check

• Configure the port as a trusted port that is excluded from ARP detection: arp detection trust (Optional. A port is an untrusted port by default.)
At least a user validity check rule, a static IP source guard binding entry, a DHCP snooping entry, or an 802.1X security entry must be available to perform user validity check.
  • Page 532: Displaying And Maintaining Arp Detection

• If the packets are ARP requests, they are forwarded through the trusted interface.
• If the packets are ARP replies, they are forwarded according to their destination MAC address. If no match is found in the MAC address table, they are forwarded through the trusted interface.
Before configuring this feature, configure user validity check.
• Page 533
Figure 251 Network diagram
Configuration procedure
Add all ports on Router B into VLAN 10, and configure the IP address of VLAN-interface 10 on Router A. (Details not shown.)
Configure the DHCP server on Router A.
<RouterA> system-view
[RouterA] dhcp enable
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
Configure Host A and Host B as 802.1X clients and configure them to upload IP addresses for ARP...
  • Page 534: User Validity Check And Arp Packet Validity Check Configuration Example

[RouterB-GigabitEthernet3/0/3] arp detection trust
[RouterB-GigabitEthernet3/0/3] quit
After the configurations are completed, ARP packets received on interfaces GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 are checked against 802.1X entries.
User validity check and ARP packet validity check configuration example
Network requirements
As shown in Figure 252, configure the DHCP server on Router A.
  • Page 535: Arp Restricted Forwarding Configuration Example

[RouterB] interface gigabitethernet 3/0/3
[RouterB-GigabitEthernet3/0/3] dhcp-snooping trust
[RouterB-GigabitEthernet3/0/3] quit
# Enable ARP detection for VLAN 10.
[RouterB] vlan 10
[RouterB-vlan10] arp detection enable
# Configure the upstream port as a trusted port (a port is an untrusted port by default).
[RouterB-vlan10] interface gigabitethernet 3/0/3
[RouterB-GigabitEthernet3/0/3] arp detection trust
[RouterB-GigabitEthernet3/0/3] quit...
• Page 536
Figure 253 Network diagram
Configuration procedure
Configure VLAN 10, add ports to VLAN 10, and configure the IP address of the VLAN-interface. (Details not shown.)
Configure the DHCP server on Router A:
<RouterA> system-view
[RouterA] dhcp enable
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
Configure the DHCP client on Host A and Host B.
  • Page 537: Configuring Arp Automatic Scanning And Fixed Arp

# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.
[RouterB] arp detection validate dst-mac ip src-mac
# Configure port isolation.
[RouterB] interface gigabitethernet 3/0/1
[RouterB-GigabitEthernet3/0/1] port-isolate enable
[RouterB-GigabitEthernet3/0/1] quit
[RouterB] interface gigabitethernet 3/0/2
[RouterB-GigabitEthernet3/0/2] port-isolate enable
[RouterB-GigabitEthernet3/0/2] quit
After the preceding configurations are complete, ARP packets received on interfaces...
  • Page 538: Configuration Procedure

• The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the device supports. As a result, the device might fail to change all dynamic ARP entries into static ARP entries.
• ...
  • Page 539: Arp Gateway Protection Configuration Example

    ARP gateway protection configuration example Network requirements As shown in Figure 254, Host B launches gateway spoofing attacks to Router B. As a result, traffic that Router B intends to send to Router A is sent to Host B. Configure Router B to block such attacks. Figure 254 Network diagram Configuration procedure # Configure ARP gateway protection on Router B.
  • Page 540: Arp Filtering Configuration Example

• The arp filter source and arp filter binding commands cannot both be configured on an interface.
• If ARP filtering works with ARP detection and ARP snooping, ARP filtering applies first.
To configure ARP filtering:
• Enter system view: system-view
• Enter Layer 2 Ethernet interface view: interface interface-type interface-number...
  • Page 541: Configuring Nd Attack Defense

Configuring ND attack defense
Overview
The IPv6 Neighbor Discovery (ND) protocol provides rich functions, such as address resolution, neighbor reachability detection, duplicate address detection, router/prefix discovery, address autoconfiguration, and redirection. However, it does not provide any security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets.
  • Page 542: Enabling Source Mac Consistency Check For Nd Packets

• The mapping between the source IPv6 address and the source MAC address in the Ethernet frame header is invalid.
To identify forged ND packets, HP developed the ND detection feature. For more information about the five functions of the ND protocol, see Layer 3—IP Services Configuration Guide.
  • Page 543: Configuring Urpf

    Configuring URPF Overview Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks, such as denial of service (DoS) and distributed denial of service (DDoS) attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator.
  • Page 544: Urpf Work Flow

    URPF work flow Figure 258 shows how URPF works. Figure 258 URPF work flow...
• Page 545
NOTE: URPF does not check multicast packets.
URPF checks source address validity:
• Discards packets with the limited broadcast address (255.255.255.255) as the destination address.
• Discards packets with an all-zero source address but a destination address other than the limited broadcast address.
  • Page 546: Network Application

Network application
Figure 259 Network diagram
• Configure strict URPF check between an ISP network and a customer network, and loose URPF check between ISPs.
• Configure ACLs for special packets or users.
Configuring URPF on an interface
URPF checks only packets arriving at an enabled interface. Do not configure the allow-default-route keyword for loose URPF check.
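The URPF decision described on these pages, as an added Python example that is not HP code and does not reproduce the Figure 258 work flow. It applies the source-validity checks quoted above in the order they are listed, then the standard strict and loose reverse-path semantics (strict: the route back to the source must leave through the interface the packet arrived on; loose: any route to the source suffices), with the allow-default-route keyword modelled as a flag; the forwarding table, interface names and packets are constructed, and the meaning of strict versus loose is general URPF knowledge rather than something this page spells out.

```python
from ipaddress import ip_address, ip_network

LIMITED_BROADCAST = ip_address("255.255.255.255")
ALL_ZERO = ip_address("0.0.0.0")

# Constructed forwarding table: (prefix, outgoing interface). 0.0.0.0/0 is the default route.
ROUTES = [
    (ip_network("10.1.1.0/24"), "GE3/0/1"),
    (ip_network("172.16.0.0/16"), "GE3/0/2"),
    (ip_network("0.0.0.0/0"), "GE3/0/3"),
]


def lookup(addr):
    """Longest-prefix match against ROUTES; returns (prefix, interface) or None."""
    best = None
    for prefix, ifname in ROUTES:
        if ip_address(addr) in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifname)
    return best


def urpf_check(src, dst, in_if, mode="strict", allow_default_route=False):
    """Return (accepted, reason) for a packet with source src arriving on in_if."""
    s, d = ip_address(src), ip_address(dst)
    if d.is_multicast:
        return True, "multicast packets are not checked"
    # Source-validity checks, in the order the page lists them.
    if d == LIMITED_BROADCAST:
        return False, "destination is the limited broadcast address"
    if s == ALL_ZERO:  # destination is not the limited broadcast address (checked above)
        return False, "all-zero source address"
    # Reverse-path lookup.
    route = lookup(s)
    if route is None:
        return False, "no route back to the source"
    prefix, out_if = route
    if prefix.prefixlen == 0 and not allow_default_route:
        return False, "source reachable only via the default route"
    if mode == "loose":
        return True, f"loose: a route to the source exists via {out_if}"
    if out_if != in_if:
        return False, f"strict: route to the source points to {out_if}, packet arrived on {in_if}"
    return True, "strict: reverse path matches the ingress interface"


def customer_edge_examples():
    """Constructed packets on a strict-URPF customer-facing interface; returns accept/reject per case."""
    cases = {
        "own prefix, right interface": ("10.1.1.5", "192.0.2.1", "GE3/0/1", "strict", False),
        "own prefix, wrong interface": ("10.1.1.5", "192.0.2.1", "GE3/0/2", "strict", False),
        "wrong interface but loose": ("10.1.1.5", "192.0.2.1", "GE3/0/2", "loose", False),
        "only default route": ("198.51.100.9", "192.0.2.1", "GE3/0/3", "strict", False),
        "default route allowed": ("198.51.100.9", "192.0.2.1", "GE3/0/3", "strict", True),
        "limited broadcast destination": ("10.1.1.5", "255.255.255.255", "GE3/0/1", "strict", False),
        "all-zero source": ("0.0.0.0", "10.1.1.1", "GE3/0/1", "strict", False),
        "multicast destination": ("10.1.1.5", "224.0.0.5", "GE3/0/2", "strict", False),
    }
    return {name: urpf_check(*args)[0] for name, args in cases.items()}


if __name__ == "__main__":
    for name, accepted in customer_edge_examples().items():
        print(f"{'accept' if accepted else 'drop  '}  {name}")
```

The "only default route" case is why the page warns against allow-default-route on a loose check: with that flag set, every source that falls under the default route passes, which on a loose interface means every source passes.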
  • Page 547: Urpf Configuration Example

    URPF configuration example Network requirements As shown in Figure 260, enable strict URPF check on GigabitEthernet 3/0/1 of Router B and permit packets from network 10.1.1.0/24. Enable strict URPF check on GigabitEthernet 3/0/1 of Router A to allow using the default route for URPF check.
  • Page 548: Configuring Fips

Configuring FIPS
Overview
Federal Information Processing Standards (FIPS), developed by the National Institute of Standards and Technology (NIST) of the United States, specify the security requirements for cryptographic modules. FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4" from low to high. Currently, the device supports Level 2.
  • Page 549: Conditional Self-Tests

Type / Operations
Cryptographic engine self-tests: Test the following algorithms used by cryptographic engines:
• DSA (signature and authentication)
• RSA (signature and authentication)
• RSA (encryption and decryption)
• 3DES
• SHA1
• HMAC-SHA1
• Random number generator algorithms
Conditional self-tests
A conditional self-test runs when an asymmetric cryptographic module or a random number generator module is invoked.
  • Page 550: Configuration Considerations

    • SSH, SNMPv3, IPsec, and SSL do not support DES, RC4, or MD5. Configuration considerations To enter the FIPS mode, follow these steps: Enable FIPS mode. Enable the password control function. Configure the username and password to log in to the device in FIPS mode. The password must comprise at least 10 characters and must contain uppercase and lowercase letters, digits, and special characters.
  • Page 551: Configuration Procedure

    Figure 261 Network diagram
    Configuration procedure
    # Enable the FIPS mode.
    <Sysname> system-view
    [Sysname] fips mode enable
    FIPS mode change requires a device reboot. Continue?[Y/N]:y
    Modify the configuration to be fully compliant with FIPS mode, save the configuration to the next-startup configuration file, and then reboot to enter FIPS mode.
    # Enable the password control function.
  • Page 552: Verifying The Configuration

    # Reboot the device.
    <Sysname> reboot
    Verifying the configuration After the device reboots, enter the username (test) and password (AAbbcc1234%). The system prompts that your first login is successful, and asks you to enter a new password. Enter a new password that has at least four characters different from the previous one, and confirm the password.
  • Page 553: Support And Other Resources

    Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. •...
  • Page 554: Conventions

    Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...
  • Page 555 Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 556: Index

    Index A B C D E F H I J L M N O P R S T U V Configuring an ASPF,444 Configuring an Auth-Fail VLAN,96 AAA configuration considerations and task list,20 Configuring an IKE peer,298 AAA configuration examples,54 Configuring an IKE proposal,297 Advantages of SSL...
  • Page 557 FTP ALG configuration example,450 Displaying and maintaining user profile,201 Displaying and maintaining web filtering,470 HP implementation of 802.1X,83 Displaying and recording the host public key information,218 Displaying or exporting the local host public key,218 Ignoring authorization information from the...
  • Page 558 Implementing IPsec,254 Password control configuration example,210 Implementing tunnel interface-based IPsec,270 Password control configuration task list,204 Initiating 802.1X authentication,77 Performing configurations in user profile view,201 IPsec configuration examples,276 PKI configuration examples,237 PKI configuration task list,228 Port security configuration examples,188 Java blocking configuration example,473 Portal configuration examples,147...
  • Page 559 Specifying an autoredirection URL for authenticated Troubleshooting IKE,310 portal users,142 Troubleshooting IP source guard,507 Specifying supported domain name delimiters,98 Troubleshooting PKI,247 Specifying the device ID used in stateful failover Troubleshooting port security,198 mode,53 Troubleshooting portal,176 Specifying the peer public key on the local device,219 Troubleshooting SSL,353...

This manual is also suitable for:

Hsr6600
