Configuration Guide

Abstract

This document describes the software features for the HP A Series products and guides you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply software features to different network scenarios.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an...
Contents

Configuring AAA .... 1
RADIUS .... 2
HWTACACS .... 7
Domain-based user management .... 9
RADIUS server feature of the switch .... 10
Protocols and standards .... 11
RADIUS attributes .... 11
AAA configuration considerations and task list .... 14
Configuring AAA schemes ....
Configuring 802.1X .... 71
HP implementation of 802.1X .... 71
Access control methods .... 71
Using 802.1X authentication with other features .... 71
Configuration prerequisites .... 74
802.1X configuration task list .... 74
Enabling 802.1X .... 74
Enabling EAP relay or EAP termination .... 75
Setting the port authorization state ....
Configuring port security .... 107
Port security features .... 107
Port security modes .... 107
Support for guest VLAN and Auth-Fail VLAN .... 110
Port security configuration task list .... 110
Enabling port security .... 111
Configuration prerequisites .... 111
Configuration procedure ....
PKI operation .... 149
PKI configuration task list .... 149
Configuring an entity DN .... 150
Configuring a PKI domain .... 151
Submitting a PKI certificate request .... 153
Submitting a certificate request in auto mode .... 153
Submitting a certificate request in manual mode .... 153
Retrieving a certificate manually ....
Displaying help information .... 193
Terminating the connection to the remote SFTP server .... 193
SFTP client configuration example .... 193
SFTP server configuration example .... 197
Configuring SSL .... 200
SSL security mechanism .... 200
SSL protocol stack .... 200
SSL configuration task list ....
How URPF works .... 244
Network application .... 247
URPF configuration .... 247
URPF configuration examples .... 247
Support and other resources .... 249
Contacting HP .... 249
Subscription service .... 249
Related information .... 249
Documents .... 249
Websites .... 249
Conventions ....
Configuring AAA

AAA provides a uniform framework for implementing network access management. It can provide the following security functions:
• Authentication—Identifies users and determines whether a user is valid.
• Authorization—Grants different users different rights and controls their access to resources and...
RADIUS

RADIUS is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required. RADIUS uses UDP as the transport protocol. It uses UDP port 1812 for authentication and UDP port 1813 for accounting.
Figure 3 Basic RADIUS message exchange process (Host, RADIUS client, RADIUS server):
1) Username and password
2) Access-Request
3) Access-Accept/Reject
4) Accounting-Request (start)
5) Accounting-Response
6) The host accesses the resources
7) Accounting-Request (stop)
8) Accounting-Response
9) Notification of access termination

RADIUS operates in the following manner: The host initiates a connection request that carries the user's username and password to the RADIUS client.
Figure 4 RADIUS packet format

Descriptions of the fields are as follows: The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the possible values and their meanings.

Table 1 Main values of the Code field (columns: Code, Packet type, Description)...
The Attributes field, variable in length, carries the specific authentication, authorization, and accounting information that defines the configuration details of the request or response. This field may contain multiple attributes, each with these sub-fields: Type, Length, and Value.
• Type (1 byte long) indicates the type of the attribute. It ranges from 1 to 255. See Table 2...
• Vendor-ID—Indicates the ID of the vendor. Its most significant byte is 0; the other three bytes contain a code that is compliant to RFC 1700.
For more information about the proprietary RADIUS sub-attributes of HP, see "HP proprietary RADIUS sub-attributes."...
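As an added example (not code from the guide or from HP), the following Python parses the packet layout described above: the 1-byte Code, the Identifier, the Length, the 16-byte Authenticator, the Type/Length/Value attributes, and a Vendor-Specific attribute whose 4-byte Vendor-ID must have a zero most significant byte. It also checks a reply's Authenticator the way RFC 2865 defines it (MD5 over Code, ID, Length, the request Authenticator, the attributes and the shared key), which is how a NAS tells a genuine Access-Accept from one that was forged or altered in transit. The shared key, user name, port string and the Vendor-ID 9999 are constructed placeholders, not HP's values.

```python
import hashlib
import hmac
import struct

# Constructed values for this example; not taken from the guide.
SHARED_SECRET = b"expert"
VENDOR_SPECIFIC = 26               # standard attribute type that carries vendor sub-attributes
EXAMPLE_VENDOR_ID = 9999           # placeholder Vendor-ID, not HP's registered number


def attr(atype: int, value: bytes) -> bytes:
    """Encode one Type/Length/Value attribute (Length counts the 2 header bytes)."""
    if not 1 <= atype <= 255 or len(value) > 253:
        raise ValueError("attribute type or value out of range")
    return bytes([atype, 2 + len(value)]) + value


def parse_attributes(data: bytes) -> list:
    """Walk the Attributes field as TLV triples; refuse to read past a bad Length."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        value = data[pos + 2:pos + alen]
        attrs.append((atype, parse_vsa(value) if atype == VENDOR_SPECIFIC else value))
        pos += alen
    return attrs


def parse_vsa(value: bytes) -> dict:
    """Split a Vendor-Specific value into the 4-byte Vendor-ID and its sub-attributes."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific value shorter than Vendor-ID")
    if value[0] != 0:
        raise ValueError("most significant byte of Vendor-ID must be 0")
    vendor_id = struct.unpack("!I", value[:4])[0]
    # Sub-attributes reuse the Type/Length/Value layout of top-level attributes.
    return {"vendor_id": vendor_id, "sub_attributes": parse_attributes(value[4:])}


def parse_packet(pkt: bytes) -> dict:
    """Parse the fixed header (Code, Identifier, Length, Authenticator) and the attributes."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("Length %d inconsistent with %d received bytes" % (length, len(pkt)))
    return {"code": code, "id": ident, "length": length,
            "authenticator": pkt[4:20],
            "attributes": parse_attributes(pkt[20:length])}   # bytes beyond Length are padding


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True if the reply's Authenticator binds it to our request under the shared key."""
    p = parse_packet(response)
    expected = response_authenticator(p["code"], p["id"], request_auth,
                                      response[20:p["length"]], secret)
    return hmac.compare_digest(expected, p["authenticator"])


# Constructed sample exchange: an Access-Request (Code 1) answered by an Access-Accept (Code 2).
REQUEST_AUTH = bytes(range(16))    # constructed; a real NAS uses an unpredictable value
SAMPLE_REQUEST = build_packet(1, 7, REQUEST_AUTH,
    attr(1, b"dot1x@bbb")                                  # User-Name
    + attr(87, b"GigabitEthernet1/0/1")                    # NAS-Port-Id
    + attr(VENDOR_SPECIFIC, struct.pack("!I", EXAMPLE_VENDOR_ID) + attr(1, b"hello")))
ACCEPT_ATTRS = attr(18, b"welcome")                        # Reply-Message
SAMPLE_ACCEPT = build_packet(2, 7,
    response_authenticator(2, 7, REQUEST_AUTH, ACCEPT_ATTRS, SHARED_SECRET), ACCEPT_ATTRS)

if __name__ == "__main__":
    for k, v in parse_packet(SAMPLE_REQUEST).items():
        print(k, v)
    print("accept verified:", verify_response(SAMPLE_ACCEPT, REQUEST_AUTH, SHARED_SECRET))
```

The parser checks every Length before slicing so a malformed attribute cannot make it read outside the packet, and the Authenticator comparison uses a constant-time compare; a reply whose Authenticator was computed under a different shared key, or whose attributes were changed after the fact, is rejected.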
Figure 5 Segment of a RADIUS packet containing an extended attribute

HWTACACS

HWTACACS is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for PPP users, VPDN users, and terminal users.
Figure 6 Basic HWTACACS message exchange process for a Telnet user (Host, HWTACACS client, HWTACACS server):
1) The user logs in
2) Start-authentication packet
3) Authentication response requesting the username
4) Request for username
5) The user inputs the username
6) Authentication continuance packet with the username
7) Authentication response requesting the login...
The user enters the password. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that carries the login password. The HWTACACS server sends back an authentication response to indicate that the user has passed authentication.
In addition, AAA provides the following services for login users to enhance switch security:
• Command authorization—Enables the NAS to defer to the authorization server to determine whether a command entered by a login user is permitted for the user, ensuring that login users execute only commands they are authorized to execute.
A RADIUS server running the standard RADIUS protocol listens on UDP port 1812 for authentication requests, but an HP switch listens on UDP port 1645 instead when acting as the RADIUS server. Be sure to specify 1645 as the authentication port number on the RADIUS client when you use an HP switch as the RADIUS server.
Calling-Station-Id: User identification that the NAS sends to the server. For the LAN access service provided by an HP device, this attribute carries the MAC address of the user in the format HHHH-HHHH-HHHH.
NAS-Identifier: Identification that the NAS uses for indicating itself.
NAS-Port-Id: String for describing the port of the NAS that is authenticating the user.

HP proprietary RADIUS sub-attributes

Input-Peak-Rate: Peak rate in the direction from the user to the NAS, in bps.
Input-Average-Rate: Average rate in the direction from the user to the NAS, in bps.
User_Notify: Information that needs to be sent from the server to the client transparently.
User_HeartBeat: Hash value assigned after an 802.1X user passes authentication, which is a 32-byte string. This attribute is stored in the user list on the device and is used for verifying the handshake messages from the 802.1X user.
To control access of login users by using AAA methods, you must configure the login authentication mode for the user interfaces as scheme. For more information about the configuration command, see Fundamentals Command Reference.

Figure 9 AAA configuration diagram
Local AAA: Configure AAA methods; Configure local users and related attributes...
Configuring AAA schemes

Configuring local users

To implement local user authentication, authorization, and accounting, you must create local users and configure user attributes on the switch. The local users and attributes are stored in the local user database on the switch. A local user is uniquely identified by a username. Configurable local user attributes are as follows:
Service type: Types of services that the user can use.
You can configure an authorization attribute in user group view or local user view to make the attribute effective for all local users in the group or only for the local user. The setting of an authorization attribute in local user view takes precedence over that in user group view.

Local user configuration task list
Task / Remarks...
Set the maximum number of concurrent users of the local user account.
  Command: access-limit max-user-number
  Remarks: Optional. By default, there is no limit to the maximum number of concurrent users of a local user account. The limit is effective only for local accounting and is not effective for FTP users.
Assign the local user to a user group.
  Command: group group-name
  Remarks: Optional. By default, a local user belongs to the default user group system.
For more information about relevant commands, see Security Command Reference.
When the password control feature is enabled globally (by using the password-control enable command), local user passwords are not displayed, and the local-user password-display-mode command is not effective.
Configure password control attributes for the local user:
Set the password aging time.
  Command: password-control aging aging-time
  Remarks: Optional. By default, the global setting (90 days by default) is used.
Set the minimum password length.
  Command: password-control length length
  Remarks: Optional. By default, the global setting is used.
authentication/authorization servers and accounting servers, or primary servers and secondary servers. The parameters include the IP addresses of the servers, the shared keys, and the RADIUS server type.

RADIUS scheme configuration task list
Creating a RADIUS scheme: Required
Specifying the RADIUS authentication/authorization servers: Required
Specifying the RADIUS accounting servers and the relevant parameters...
Enter system view.
  Command: system-view
  Remarks: —
Enter RADIUS scheme view.
  Command: radius scheme radius-scheme-name
  Remarks: —
Specify the primary RADIUS authentication/authorization server.
  Command: primary authentication { ip-address | ipv6 ipv6-address } [ port-number | key [ ...
  Remarks: Required. Configure at least one server.
Enable buffering of stop-accounting requests to which no responses are received.
  Command: stop-accounting-buffer enable
  Remarks: Optional. Enabled by default.
Set the maximum number of stop-accounting retry attempts.
  Command: stop-accounting retry-times
  Remarks: Optional. 500 by default.
The IP addresses of the primary and secondary accounting servers must be different from each other. Otherwise, the configuration fails.
• Standard—Uses the standard RADIUS protocol, compliant to RFC 2865 and RFC 2866 or later.
• Extended—Uses the proprietary RADIUS protocol of HP.
When the RADIUS server runs iMC, you must set the RADIUS server type to extended. When the RADIUS server runs third-party RADIUS server software, either RADIUS server type applies.
specified limit but it still receives no response, it tries to communicate with other RADIUS servers in the active state. If no other servers are in the active state at the time, it considers the authentication or accounting attempt a failure. For more information about RADIUS server states, see "Setting the status of RADIUS servers."...
• After receiving an authentication/accounting response from a server, the switch changes the status of the server identified by the source IP address of the response to active if the current status of the server is blocked.
By default, the switch sets the status of all RADIUS servers to active. In some cases, however, you may need to change the status of a server.
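The retry and status behaviour described in the two passages above, as an added Python simulation that is not code from the guide or from HP: a scheme holds a primary server and its secondaries, each request is retried against the primary up to the retry limit, then the other active servers are tried, and an attempt fails when no active server answers. A response identified by its source IP returns a blocked server to active. The transport is a constructed stand-in for the network, and marking a server that never answers as blocked is this simulation's own assumption (the excerpt only states the reverse transition). Server addresses are constructed.

```python
from dataclasses import dataclass


@dataclass
class RadiusServer:
    ip: str
    port: int = 1812
    status: str = "active"           # "active" or "blocked"; active by default


class RadiusScheme:
    """Primary/secondary server list with the retry and status behaviour described above."""

    def __init__(self, servers, retry_limit=3):
        self.servers = servers        # primary first, then the secondaries
        self.retry_limit = retry_limit
        self.log = []

    def send(self, request, transport):
        """transport(server, request) returns (source_ip, reply), or None when nothing comes back."""
        for server in self.servers:
            if server.status != "active":
                self.log.append(f"{server.ip}: skipped, status blocked")
                continue
            for attempt in range(1, self.retry_limit + 1):
                result = transport(server, request)
                if result is not None:
                    source_ip, reply = result
                    self.on_response(source_ip)
                    return reply
                self.log.append(f"{server.ip}: attempt {attempt} timed out")
            # Assumption of this simulation: a server that never answered is marked blocked
            # so that later requests go straight to the remaining active servers.
            server.status = "blocked"
        self.log.append("no active server answered: attempt fails")
        return None

    def on_response(self, source_ip):
        """A response from the server identified by its source IP returns it to active."""
        for s in self.servers:
            if s.ip == source_ip and s.status == "blocked":
                s.status = "active"
                self.log.append(f"{s.ip}: blocked -> active")


def make_transport(answering_ips):
    """Constructed stand-in for the network: only servers in answering_ips ever reply."""
    def transport(server, request):
        if server.ip in answering_ips:
            return server.ip, {"code": "Access-Accept", "for": request}
        return None
    return transport


def demo():
    scheme = RadiusScheme([RadiusServer("10.1.1.1"), RadiusServer("10.1.1.2")], retry_limit=3)
    first = scheme.send("user1", make_transport({"10.1.1.2"}))    # primary silent, secondary answers
    second = scheme.send("user2", make_transport({"10.1.1.2"}))   # primary now skipped as blocked
    third = scheme.send("user3", make_transport(set()))           # nobody answers: failure
    scheme.on_response("10.1.1.1")                                # primary heard from again
    return scheme, first, second, third


if __name__ == "__main__":
    scheme, *_ = demo()
    print("\n".join(scheme.log))
```

Running demo() shows the three retries against the primary, the switch to the secondary, the failed attempt once both are silent, and the primary returning to active when it answers again.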
To specify a source IP address for all RADIUS schemes:
Enter system view.
  Command: system-view
  Remarks: —
Specify a source IP address for outgoing RADIUS packets.
  Command: radius nas-ip { ip-address | ipv6 ipv6-address }
  Remarks: Required. By default, the IP address of the outbound interface is used.
Configuring the IP address of the security policy server The core of the HP EAD solution is integration and cooperation, and the security policy server is the management and control center. Using a collection of software, the security policy server provides functions such as user management, security policy management, security status assessment, security cooperation control, and security event audit.
The NAS checks the validity of received control packets and accepts only control packets from known servers. To use a security policy server that is independent of the AAA servers, you must configure the IP address of the security policy server on the NAS. To implement all EAD functions, configure both the IP address of the iMC security policy server and that of the iMC configuration platform on the NAS.
The failure ratio is generally small. If a trap message is triggered because the failure ratio is higher than the threshold, troubleshoot the configuration and the communication between the NAS and the RADIUS server. To enable the trap function for RADIUS: To do…...
Configuring HWTACACS schemes

You cannot remove the HWTACACS schemes in use or change the IP addresses of the HWTACACS servers in use.

HWTACACS configuration task list
Creating an HWTACACS scheme: Required
Specifying the HWTACACS authentication servers: Required
Specifying the HWTACACS authorization servers: Optional
Specifying the HWTACACS accounting servers and the relevant parameters: Optional
...
Enter system view.
  Command: system-view
  Remarks: —
Enter HWTACACS scheme view.
  Command: hwtacacs scheme hwtacacs-scheme-name
  Remarks: —
Specify the primary HWTACACS authentication server.
  Command: primary authentication ip-address [ port-number ]
  Remarks: Required. Configure at least one command.
Specify the secondary HWTACACS authentication server.
  Command: secondary authentication ip-address [ ...
  Remarks: No authentication server is...
the number of stop-accounting attempts reaches the configured limit. In the latter case, the switch discards the packet. An HWTACACS server can function as the primary accounting server of one scheme and as the secondary accounting server of another scheme at the same time. The IP addresses of the primary and secondary accounting servers cannot be the same.
Setting the username format and traffic statistics units

A username is usually in the format of userid@isp-name, where isp-name represents the name of the ISP domain to which the user belongs. The switch uses it to determine which users belong to which ISP domains.
The IP address of the outbound interface specified by the route.

To specify a source IP address for all HWTACACS schemes:
Enter system view.
  Command: system-view
  Remarks: —
Specify a source IP address for outgoing HWTACACS packets.
  Command: hwtacacs nas-ip ip-address
  Remarks: Required. By default, the IP address of the outbound interface is used.
Set the real-time accounting interval.
  Command: realtime-accounting minutes
  Remarks: Optional. 12 minutes by default.

Displaying and maintaining HWTACACS

Display the configuration information or statistics of HWTACACS schemes.
  Command: display hwtacacs [ hwtacacs-server-name [ statistics ] ] [ slot slot-number ] [ | { begin | exclude | include } regular-...
  Remarks: Available in any view.
On the switch, each user belongs to an ISP domain. If a user provides no ISP domain name at login, the switch considers the user as belonging to the default ISP domain.

To create an ISP domain:
Enter system view.
  Command: system-view
Configure the idle cut function.
  Command: idle-cut enable minute [ flow ]
  Remarks: Optional. Disabled by default. This command is effective only for LAN users.
Enable the self-service server location function and specify the URL of the self-service server.
  Command: self-service-url enable url-string
  Remarks: Optional. Disabled by default.
To configure AAA authentication methods for an ISP domain:
Enter system view.
  Command: system-view
  Remarks: —
Enter ISP domain view.
  Command: domain isp-name
  Remarks: —
Specify the default authentication method.
  Command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ ...
  Remarks: Optional. It is set to local by default.
• No authorization (none)—The NAS performs no authorization exchange. After passing authentication, non-login users can access the network, FTP users can access the root directory of the NAS, and other login users have only the rights of Level 0 (visiting).
• Local authorization (local)—The NAS performs authorization according to the user attributes...
If you specify the radius-scheme radius-scheme-name local, hwtacacs-scheme hwtacacs-scheme-name [ local | none ] option when you configure an authorization method, local authorization or no authorization is the backup method and is used only when the remote server is not available. If you specify only the local or none keyword in an authorization method configuration command, the switch has no backup authorization method and performs only local authorization or does not perform any authorization.
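The domain lookup from "Setting the username format" and the backup rule just described, as an added Python model that is not code from the guide or from HP: the login name is split at "@" (no domain means the default ISP domain), the scheme's user-name-format decides whether the domain is sent to the server, and a method such as radius-scheme rad local falls back to local authorization only when the remote server does not answer, while local or none alone has no backup and hwtacacs-scheme hwtac without a keyword fails closed. The domain names, scheme names, default domain "system", the local user and the remote_up/remote_down stand-ins are all constructed.

```python
DEFAULT_DOMAIN = "system"   # constructed name for the default ISP domain in this example


class RemoteServerDown(Exception):
    """Raised by the constructed remote lookup when no RADIUS/HWTACACS server answers."""


def split_username(login_name, default_domain=DEFAULT_DOMAIN):
    """userid@isp-name -> (userid, isp-name); without '@' the user falls into the default domain."""
    if "@" in login_name:
        userid, _, domain = login_name.rpartition("@")
        return userid, domain
    return login_name, default_domain


def name_for_server(userid, domain, user_name_format):
    """Apply the scheme's user-name-format before the name goes to the server."""
    if user_name_format == "with-domain":
        return f"{userid}@{domain}"
    if user_name_format == "without-domain":
        return userid
    raise ValueError(f"unknown user-name-format {user_name_format!r}")


def parse_method(spec):
    """Parse 'radius-scheme NAME [local]', 'hwtacacs-scheme NAME [local|none]', 'local' or 'none'."""
    words = spec.split()
    if words == ["local"] or words == ["none"]:
        return {"remote": None, "backup": words[0]}
    if len(words) in (2, 3) and words[0] in ("radius-scheme", "hwtacacs-scheme"):
        backup = words[2] if len(words) == 3 else None
        if backup not in (None, "local", "none"):
            raise ValueError(f"bad backup method {backup!r}")
        return {"remote": (words[0].split("-")[0], words[1]), "backup": backup}
    raise ValueError(f"cannot parse method {spec!r}")


def authorize(login_name, domains, schemes, remote_lookup, local_users):
    """Pick the authorization method of the user's domain and apply the backup rule."""
    userid, domain = split_username(login_name)
    if domain not in domains:
        return {"result": "deny", "reason": f"ISP domain {domain} does not exist"}
    method = parse_method(domains[domain]["authorization"])
    step = method["backup"]
    if method["remote"] is not None:
        kind, scheme = method["remote"]
        sent = name_for_server(userid, domain, schemes[scheme]["user-name-format"])
        try:
            return {"result": "permit", "by": kind, "sent_name": sent,
                    "attrs": remote_lookup(scheme, sent)}
        except RemoteServerDown:
            if step is None:   # no backup keyword: the remote failure is final
                return {"result": "deny", "reason": f"scheme {scheme} unavailable, no backup method"}
    if step == "none":         # no authorization exchange at all
        return {"result": "permit", "by": "none", "attrs": {}}
    if userid in local_users:  # local authorization from the local user database
        return {"result": "permit", "by": "local", "attrs": local_users[userid]}
    return {"result": "deny", "reason": f"no local user {userid}"}


# Constructed configuration mirroring the command syntax above.
DOMAINS = {
    "bbb": {"authorization": "radius-scheme rad local"},
    "ccc": {"authorization": "hwtacacs-scheme hwtac"},
    "system": {"authorization": "local"},
}
SCHEMES = {"rad": {"user-name-format": "without-domain"},
           "hwtac": {"user-name-format": "with-domain"}}
LOCAL_USERS = {"hello": {"level": 0}}


def remote_up(scheme, name):
    """Constructed server that always authorizes."""
    return {"level": 3, "scheme": scheme, "name": name}


def remote_down(scheme, name):
    """Constructed server that never answers."""
    raise RemoteServerDown(scheme)


if __name__ == "__main__":
    for name in ("hello@bbb", "alice@bbb", "hello@ccc", "hello"):
        print(name, authorize(name, DOMAINS, SCHEMES, remote_down, LOCAL_USERS))
```

The point the model makes visible is that a backup keyword changes what happens during an outage: with radius-scheme rad local an unreachable server silently lets the local database decide, so the local user set and its privilege levels need the same scrutiny as the RADIUS policy, whereas a scheme without a backup keyword denies the user until the server is back.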
Specify the command accounting method.
  Command: accounting command hwtacacs-scheme hwtacacs-scheme-name
  Remarks: Optional. The default accounting method is used by default.
Specify the accounting method for LAN users.
  Command: accounting lan-access { local | none | radius-scheme radius-scheme-name [ ...
  Remarks: Optional. The default accounting method...
Create a NAS ID profile and enter NAS ID profile view.
  Command: aaa nas-id profile profile-name
  Remarks: Required.
Configure a NAS ID-VLAN binding.
  Command: nas-id nas-identifier bind vlan vlan-id
  Remarks: Required. By default, no NAS ID-VLAN binding exists.

Configuring a switch as a RADIUS server

RADIUS server functions configuration task list
Task...
ACL does not exist on the NAS, ACL assignment fails, and the NAS forcibly logs the RADIUS user out. If the assigned VLAN does not exist on the NAS, the NAS creates the VLAN and adds the RADIUS user or the access port to the VLAN.
Figure 10 Configure AAA for Telnet users by an HWTACACS server

Configuration procedure

Configure the switch.
# Assign IP addresses to the interfaces. (Details not shown)
# Enable the Telnet server on the switch.
<Switch> system-view
[Switch] telnet server enable
# Configure the switch to use AAA for Telnet users.
Verify the configuration.
Telnet to the switch as a user, and enter the correct username and password. You pass authentication and log in to the switch. By issuing the display connection command on the switch, you can see information about the user connection.

AAA for Telnet users by separate servers

Network requirements

As shown in...
[Switch-radius-rd] user-name-format without-domain
[Switch-radius-rd] quit
# Create a local user named hello.
[Switch] local-user hello
[Switch-luser-hello] service-type telnet
[Switch-luser-hello] password simple hello
[Switch-luser-hello] quit
# Configure the AAA methods for the ISP domain.
[Switch] domain bbb
[Switch-isp-bbb] authentication login local
[Switch-isp-bbb] authorization login hwtacacs-scheme hwtac
[Switch-isp-bbb] accounting login radius-scheme rd
[Switch-isp-bbb] quit
...
Specify the ports for authentication and accounting as 1812 and 1813, respectively. Select Device Management Service as the service type. Select HP(A-Series) as the access device type. Select the switch from the device list or manually add the switch with the IP address of 10.1.1.2.
Click OK to finish the operation.

Figure 14 Add an account for device management

Configure the switch.
# Configure the IP address of VLAN interface 2, through which the SSH user accesses the switch.
<Switch> system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[Switch-Vlan-interface2] quit
# Configure the IP address of VLAN-interface 3, through which the switch accesses the server.
# Create RADIUS scheme rad.
[Switch] radius scheme rad
# Specify the primary authentication server.
[Switch-radius-rad] primary authentication 10.1.1.1 1812
# Set the shared key for authentication packets to expert.
[Switch-radius-rad] key authentication expert
# Configure the scheme to include the domain names in usernames to be sent to the RADIUS server.
[Switch-radius-rad] user-name-format with-domain
# Specify the service type for the RADIUS server, which must be extended when the RADIUS server runs iMC.
Specify the ports for authentication and accounting as 1812 and 1813, respectively. Select LAN Access Service as the service type. Select HP(A-Series) as the access device type. Select the switch from the device list, or manually add the switch whose IP address is 10.1.1.2.
Figure 16 Add an access device

# Add a charging policy. See Figure.
Click the Service tab, and select Accounting Manager > Charging Plans from the navigation tree to enter the charging policy configuration page. Then, click Add to enter the Add Charging Plan page, and perform the following configurations: Add a plan named UserAcct.
Click the Service tab, and select User Access Manager > Service Configuration from the navigation tree to enter the Service Configuration page. Then, click Add to enter the Add Service Configuration page, and perform the following configurations: Add a service named Dot1x auth and set the Service Suffix to bbb, which indicates the authentication domain for the 802.1X user.
Figure 19 Add an access user account

Configure the switch.
• Configure a RADIUS scheme.
# Create a RADIUS scheme named rad and enter its view.
<Switch> system-view
[Switch] radius scheme rad
# Set the server type for the RADIUS scheme. When using the iMC server, set the server type to extended.
Enable IEEE 802.1X authentication for this network option and specify the EAP type as MD5-Challenge. If the HP iNode client is used, no advanced authentication options need to be enabled. When using the HP iNode client, the user can pass authentication after entering username dot1x@bbb and the correct password in the client property page.
Start=2011-04-26 19:41:12 ,Current=2011-04-26 19:41:25 ,Online=00h00m14s
Total 1 connection matched.

As the Authorized VLAN field in the output shows, VLAN 4 has been assigned to the user.

Level switching authentication for Telnet users by an HWTACACS server

Network requirements

As shown in Figure 20, configure the switch to use local authentication for the Telnet user, and assign the privilege level of 0 to the user after the user passes authentication.
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[Switch-Vlan-interface2] quit
# Configure the IP address of VLAN-interface 3, through which the switch communicates with the server.
[Switch] interface vlan-interface 3
[Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0
[Switch-Vlan-interface3] quit
# Enable the switch to provide Telnet service.
[Switch] telnet server enable
# Configure the switch to use AAA for Telnet users.
Configure the HWTACACS server.
NOTE: The HWTACACS server in this example runs ACSv4.0.
Add a user named test on the HWTACACS server, and configure advanced attributes for the user as shown in Figure. Select Max Privilege for any AAA Client and set the privilege level to level 3. After these configurations, the user needs to use the password enabpass when switching to level 1, level 2, or level 3.
Login authentication
Username:test@bbb
Password:
<Switch> ?
User view commands:
  display  Display current system information
  ping     Ping function
  quit     Exit from current command view
  ssh2     Establish a secure shell client connection
  super    Set the current user priority level
  telnet   Establish one TELNET connection
  tracert  Trace route function

When switching to user privilege level 3, the Telnet user only needs to enter password enabpass as...
Figure 22 RADIUS authentication and authorization for Telnet users by a switch

Configuration procedure
# Configure an IP address for each interface as shown in Figure 22. (Details not shown)
Configure the NAS.
# Enable the Telnet server on Switch A.
<SwitchA>...
# Create RADIUS user aaa and enter its view.
<SwitchB> system-view
[SwitchB] radius-server user aaa
# Configure simple-text password aabbcc for user aaa.
[SwitchB-rdsuser-aaa] password simple aabbcc
[SwitchB-rdsuser-aaa] quit
# Specify the IP address of the RADIUS client as 10.1.1.1 and the shared key as abc.
[SwitchB] radius-server client-ip 10.1.1.1 key abc
Verify the configuration.
Analysis
• The NAS and the RADIUS server cannot communicate with each other.
• The NAS is not configured with the IP address of the RADIUS server.
• The UDP ports for authentication/authorization and accounting are not correct.
• The port numbers of the RADIUS server for authentication, authorization, and accounting are being used by other applications.
• In the unauthorized state, a controlled port denies incoming and outgoing traffic in one of the following ways:
  Performs bidirectional traffic control to deny traffic to and from the client.
  Performs unidirectional traffic control to deny traffic from the client.
The HP devices support only unidirectional traffic control.
Figure 24 Authorization state of a controlled port
802.1X-related protocols
802.1X uses EAP to transport authentication information for the client, the network access device, and the authentication server. EAP is an authentication framework that uses the client/server model. It supports a variety of authentication methods, including MD5-Challenge, EAP-TLS, and PEAP. 802.1X defines EAPOL for passing EAP packets between the client and the network access device over a wired or wireless LAN.
• Protocol version—The EAPOL protocol version used by the EAPOL packet sender.
• Type—Type of the EAPOL packet. Table 5 lists the types of EAPOL packets that the HP implementation of 802.1X supports.
Table 5 Types of EAPOL packets
Value...
03 or the broadcast MAC address. If any intermediate device between the client and the authentication server does not support the multicast address, you must use an 802.1X client (for example, the HP iNode 802.1X client) that can send broadcast EAPOL-Start packets.
EAP authentication and the "username + password" EAP authentication initiated by an HP iNode 802.1X client.
EAP termination
• Works with any RADIUS server that supports PAP or CHAP authentication.
• The processing is complex on the network access device.
EAP relay
Figure 31 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that EAP-MD5...
The authentication server compares the received encrypted password with the one it generated at Step 5. If the two are identical, the authentication server considers the client valid and sends a RADIUS Access-Accept packet to the network access device. Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP-Success packet to the client, and it sets the controlled port in the authorized state so the client can access the network.
EAP termination
Figure 32 shows the basic 802.1X authentication procedure in EAP termination mode, assuming that CHAP authentication is used.
Figure 32 802.1X authentication procedure in EAP termination mode
In EAP termination mode, it is the network access device rather than the authentication server that generates an MD5 challenge for password encryption (see Step 4).
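The challenge/response steps of Figures 31 and 32, as an added example that is not HP code: the client's MD5-Challenge response, the server-side comparison in EAP relay mode, and the CHAP-Password/CHAP-Challenge RADIUS attributes the network access device builds in EAP termination mode. Identifier, password and challenge values are constructed; layouts follow RFC 3748 and RFC 2865.

```python
"""802.1X EAP-MD5 (CHAP-style) verification in EAP relay and EAP termination mode.

Added example for this section, not HP code. Packet layouts follow RFC 3748
(EAP) and RFC 2865 (RADIUS CHAP-Password / CHAP-Challenge attributes); every
value used below (identifier, password, challenge) is constructed.
"""
import hashlib
import hmac
import os

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4
RADIUS_CHAP_PASSWORD, RADIUS_CHAP_CHALLENGE = 3, 60


def chap_digest(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """MD5(Identifier || password || challenge): what the client computes and
    what the verifier recomputes from its own copy of the password."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_md5_challenge_request(identifier: int, challenge: bytes) -> bytes:
    """EAP-Request/MD5-Challenge. In relay mode the RADIUS server chose the
    challenge; in termination mode the network access device chose it (Step 4)."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge
    return bytes([EAP_REQUEST, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


def client_response(request: bytes, password: bytes) -> bytes:
    """Client side: parse the request and answer with EAP-Response/MD5-Challenge."""
    code, identifier = request[0], request[1]
    length = int.from_bytes(request[2:4], "big")
    if code != EAP_REQUEST or length != len(request) or request[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an EAP-Request/MD5-Challenge")
    value_size = request[5]
    challenge = request[6:6 + value_size]
    digest = chap_digest(identifier, password, challenge)
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(digest)]) + digest
    return bytes([EAP_RESPONSE, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


def parse_md5_response(response: bytes):
    """Return (identifier, 16-byte digest) from an EAP-Response/MD5-Challenge."""
    if response[0] != EAP_RESPONSE or response[4] != EAP_TYPE_MD5_CHALLENGE or response[5] != 16:
        raise ValueError("not an EAP-Response/MD5-Challenge")
    return response[1], response[6:22]


def relay_mode_verify(response: bytes, identifier: int, password: bytes, challenge: bytes) -> bool:
    """EAP relay: the authentication server gets the EAP response unchanged
    (carried in RADIUS EAP-Message) and compares it with its own digest (Step 5)."""
    resp_id, digest = parse_md5_response(response)
    expected = chap_digest(identifier, password, challenge)
    return resp_id == identifier and hmac.compare_digest(digest, expected)


def termination_mode_attributes(response: bytes, challenge: bytes) -> bytes:
    """EAP termination: the network access device strips EAP and forwards the
    digest as RADIUS CHAP-Password (CHAP Ident + digest) plus CHAP-Challenge."""
    identifier, digest = parse_md5_response(response)
    chap_password = bytes([identifier]) + digest
    return (bytes([RADIUS_CHAP_PASSWORD, 2 + len(chap_password)]) + chap_password
            + bytes([RADIUS_CHAP_CHALLENGE, 2 + len(challenge)]) + challenge)


def radius_server_check_chap(attributes: bytes, password: bytes) -> bool:
    """RADIUS server side of termination mode: walk the attribute TLVs and verify."""
    attrs = {}
    pos = 0
    while pos < len(attributes):
        atype, alen = attributes[pos], attributes[pos + 1]
        if alen < 2:
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = attributes[pos + 2:pos + alen]
        pos += alen
    chap_password = attrs.get(RADIUS_CHAP_PASSWORD)
    challenge = attrs.get(RADIUS_CHAP_CHALLENGE)
    if chap_password is None or challenge is None or len(chap_password) != 17:
        return False
    expected = chap_digest(chap_password[0], password, challenge)
    return hmac.compare_digest(chap_password[1:], expected)


if __name__ == "__main__":
    password = b"aabbcc"            # constructed user password
    challenge = os.urandom(16)
    request = build_md5_challenge_request(7, challenge)
    response = client_response(request, password)
    print("relay mode verified:", relay_mode_verify(response, 7, password, challenge))
    attrs = termination_mode_attributes(response, challenge)
    print("termination mode verified:", radius_server_check_chap(attrs, password))
```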
Configuring 802.1X This chapter describes how to configure 802.1X on an HP device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network (a WLAN, for example) that requires different authentication methods for different users on a port.
For more information about VLAN configuration and MAC-based VLAN, see Layer 2 LAN Switching — Configuration Guide.
Guest VLAN
You can configure a guest VLAN on a port to accommodate users who have not performed 802.1X authentication so they can access a limited set of network resources, such as a software server, to download anti-virus software and system patches.
For more information about VLAN configuration and MAC-based VLAN, see Layer 2 LAN Switching — Configuration Guide.
Auth-Fail VLAN
You can configure an Auth-Fail VLAN to accommodate users who have failed 802.1X authentication because of the failure to comply with the organization security strategy, such as using a wrong password.
ACL assignment You can specify an ACL for an 802.1X user to control the user’s access to network resources. After the user passes 802.1X authentication, the authentication server (either the local access device or a RADIUS server) assigns the ACL to the port to filter the traffic from this user. In either case, you must configure the ACL on the access device.
If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an HP iNode 802.1X client, you can use both EAP termination and EAP relay. To use EAP-TLS, PEAP, or any other EAP authentication methods, you must use EAP relay. When you make your decision, see "A comparison of EAP relay and EAP...
• auto—Places the port initially in the unauthorized state to allow only EAPOL packets to pass. After a user passes authentication, sets the port in the authorized state to allow access to the network. You can use this option in most scenarios.
You can set the authorization state for one port in Ethernet interface view or for multiple ports in system view.
To do… | Use the command… | Remarks
Set the maximum number of concurrent 802.1X users on a port | In system view: dot1x max-user user-number [ interface interface-list ] | Optional. Use either approach. 1024 by default.
 | In Ethernet interface view: interface interface-type interface-number, then dot1x max-user user-number [ interface interface-list ]... | 
• To use the online handshake security function, make sure that the online user handshake function is enabled.
• HP recommends that you use the iNode client software and iMC server to ensure normal operation of the online user handshake security function.
request attempts set with the dot1x retry command is reached (see "Setting the maximum number of authentication request attempts"). The identity request timeout timer sets both the identity request interval for the multicast trigger and the identity request timeout interval for the unicast trigger.
Configuration guidelines
Follow these guidelines when you configure the authentication trigger function:
• Enable the multicast trigger on a port when the clients attached to the port cannot send EAPOL-Start...
Configuring the quiet timer The quiet timer enables the network access device to wait a period of time before it can process any authentication request from a client that has failed an 802.1X authentication. You can set the quiet timer to a high value in a vulnerable network or a low value for quicker authentication response.
Configuring an 802.1X guest VLAN
Configuration guidelines
Follow these guidelines when you configure an 802.1X guest VLAN:
• You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different ports can be different.
• Assign different IDs for the default VLAN and the 802.1X guest VLAN on a port so the port can...
To do… | Use the command… | Remarks
 | dot1x guest-vlan guest-vlan-id | 
Configuring an Auth-Fail VLAN
Configuration guidelines
Follow these guidelines when you configure an 802.1X Auth-Fail VLAN:
• Assign different IDs for the default VLAN and the 802.1X Auth-Fail VLAN on a port so the port can...
Specifying supported domain name delimiters By default, the access device supports the at sign (@) as the delimiter. You can also configure the access device to accommodate 802.1X users who use other domain name delimiters. The configurable delimiters include the at sign (@), back slash (\), and forward slash (/). If an 802.1X username string contains multiple configured delimiters, the leftmost delimiter is the domain name delimiter.
For information about the RADIUS commands used on the access device in this example, see Command Reference.
Configure the 802.1X client. If HP iNode is used, do not select the Carry version info option in the client configuration. (Details not shown)
Configure the RADIUS servers and add user accounts for the 802.1X users.
# Specify the IP addresses of the primary authentication and accounting RADIUS servers.
[Device-radius-radius1] primary authentication 10.1.1.1
[Device-radius-radius1] primary accounting 10.1.1.1
# Configure the IP addresses of the secondary authentication and accounting RADIUS servers.
[Device-radius-radius1] secondary authentication 10.1.1.2
[Device-radius-radius1] secondary accounting 10.1.1.2
# Specify the shared key between the access device and the authentication server.
Verification Use the display dot1x interface gigabitethernet 1/0/1 command to verify the 802.1X configuration. After an 802.1X user passes RADIUS authentication, you can use the display connection command to view the user connection information. If the user fails RADIUS authentication, local authentication is performed.
Figure 34 Network diagram for 802.1X with guest VLAN and VLAN assignment configuration (diagram shows Device with ports GE1/0/1 through GE1/0/4, Host, Update server, Authentication server, Internet, VLANs 1, 2, 5 and 10, and the port added to the guest VLAN)
[Device-vlan5] quit
Configure a RADIUS scheme.
# Configure RADIUS scheme 2000 and enter its view.
<Device> system-view
[Device] radius scheme 2000
# Specify primary and secondary authentication and accounting servers. Set the shared key to abc for authentication and accounting packets.
[Device-radius-2000] primary authentication 10.11.1.1 1812
[Device-radius-2000] primary accounting 10.11.1.1 1813
[Device-radius-2000] key authentication abc...
802.1X with ACL assignment configuration example Network requirements As shown in Figure 35, the host at 192.168.1.10 connects to port GigabitEthernet 1/0/1 of the network access device. Perform 802.1X authentication on the port. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server and the RADIUS server at 10.1.1.2 as the accounting server.
# Create an ISP domain, and specify the RADIUS scheme 2000 as the default AAA scheme for the domain.
[Device] domain 2000
[Device-isp-2000] authentication default radius-scheme 2000
[Device-isp-2000] authorization default radius-scheme 2000
[Device-isp-2000] accounting default radius-scheme 2000
[Device-isp-2000] quit
# Configure a time range ftp for the weekdays from 8:00 to 18:00.
[Device] time-range ftp 8:00 to 18:00 working-day
# Configure ACL 3000 to deny packets destined for the FTP server at 10.0.0.1 on the weekdays during business hours.
Configuring EAD fast deployment EAD is an HP integrated endpoint access control solution that enables the security client, security policy server, access device, and third-party server to work together to improve the threat defensive capability of a network. If a terminal device seeks to access an EAD network, it must have an EAD client, which performs 802.1X authentication.
To do… | Use the command… | Remarks
Configure a free IP. | dot1x free-ip ip-address { mask-address | mask-length } | Required. By default, no free IP is configured.
When global MAC authentication or port security is enabled, the free IP does not take effect. If you use the free IP, guest VLAN, and Auth-Fail VLAN features together, make sure that the free IP segments are in both guest VLAN and Auth-Fail VLAN.
EAD fast deployment configuration example
Network requirements
As shown in Figure 36, the hosts on the intranet 192.168.1.0/24 are attached to port GigabitEthernet 1/0/1 of the network access device, and they use DHCP to obtain IP addresses. Deploy the EAD solution for the intranet so that all hosts must pass 802.1X authentication to access the network.
<Device> system-view
[Device] dhcp enable
# Configure a DHCP server for a DHCP server group.
[Device] dhcp relay server-group 1 ip 192.168.2.2
# Enable the relay agent on VLAN interface 2.
[Device] interface vlan-interface 2
[Device-Vlan-interface2] dhcp select relay
# Correlate VLAN interface 2 to the DHCP server group.
[Device-Vlan-interface2] dhcp relay server-select 1
[Device-Vlan-interface2] quit
Configure a RADIUS scheme and an ISP domain.
Troubleshooting EAD fast deployment
Web browser users cannot be correctly redirected
Symptom
Unauthenticated users are not redirected to the specified redirect URL after they enter external website addresses in their web browsers.
Analysis
Redirection does not happen for one of the following reasons:
• The address is in the string format.
Configuring MAC authentication
MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software. A user does not need to enter a username and password for network access. MAC authentication works as follows:
• The device initiates a MAC authentication process when it detects an unknown source MAC...
MAC authentication timers
MAC authentication uses the following timers:
• Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards the user idle. If a user connection has been idle for two consecutive intervals, the device logs the user out and stops accounting for the user.
If a user in the guest VLAN passes MAC authentication, the user is removed from the guest VLAN and can access all authorized network resources. If not, the user is still in the MAC authentication guest VLAN. A hybrid port is always assigned to a guest VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.
To do… | Use the command… | Remarks
Configure the properties of MAC authentication user accounts. | mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } password ] | mac-... | Optional. By default, the username and password for a MAC authentication user account must...
To do… | Use the command… | Remarks
...authentication users. | interface interface-type interface-number, then mac-authentication domain domain-name | Use either approach. By default, the system default authentication domain is used for MAC authentication users.
Configuring a MAC authentication guest VLAN
Configuration prerequisites
Before you configure a MAC authentication guest VLAN on a port, complete the following tasks:
• Enable MAC authentication.
Displaying and maintaining MAC authentication
To do… | Use the command… | Remarks
Display MAC authentication information | display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] | Available in any view
Clear MAC authentication statistics | reset mac-authentication statistics | Available in user view
...
# Enable MAC authentication globally.
[Device] mac-authentication
# Enable MAC authentication on port GigabitEthernet 1/0/1.
[Device] mac-authentication interface gigabitethernet 1/0/1
# Specify the ISP domain for MAC authentication.
[Device] mac-authentication domain aabbcc.net
# Set the MAC authentication timers.
[Device] mac-authentication timer offline-detect 180
[Device] mac-authentication timer quiet 180
# Configure MAC authentication to use MAC-based accounts.
RADIUS-based MAC authentication configuration example
Network requirements
As shown in Figure 38, a host connects to port GigabitEthernet 1/0/1 on the access device. The device uses RADIUS servers for authentication, authorization, and accounting. Perform MAC authentication on port GigabitEthernet 1/0/1 to control Internet access. Make sure that:
• The device detects whether a user has gone offline every 180 seconds.
# Enable MAC authentication globally.
[Device] mac-authentication
# Enable MAC authentication on port GigabitEthernet 1/0/1.
[Device] mac-authentication interface gigabitethernet 1/0/1
# Specify the ISP domain for MAC authentication.
[Device] mac-authentication domain 2000
# Set the MAC authentication timers.
[Device] mac-authentication timer offline-detect 180
[Device] mac-authentication timer quiet 180
# Specify username aaa and password 123456 for the account shared by MAC authentication users.
ACL assignment configuration example Network requirements As shown in Figure 39, a host connects to the device’s port GigabitEthernet 1/0/1, and the device uses RADIUS servers to perform authentication, authorization, and accounting. Perform MAC authentication on port GigabitEthernet 1/0/1 to control Internet access. Make sure that an authenticated user can access the Internet but not the FTP server at 10.0.0.1.
[Sysname-isp-2000] authorization default radius-scheme 2000
[Sysname-isp-2000] accounting default radius-scheme 2000
[Sysname-isp-2000] quit
# Enable MAC authentication globally.
[Sysname] mac-authentication
# Specify the ISP domain for MAC authentication.
[Sysname] mac-authentication domain 2000
# Configure the device to use MAC-based user accounts, and specify that the MAC addresses are separated by hyphens and in lowercase characters.
MAC authentication. They apply to scenarios that require both 802.1X authentication and MAC authentication. For scenarios that require only 802.1X authentication or MAC authentication, HP recommends that you configure 802.1X authentication or MAC authentication rather than port security. For more information about 802.1X and MAC authentication, see "Configuring...
• Authentication—Security modes in this category implement MAC authentication, 802.1X authentication, or a combination of these two authentication methods.
Table 9 describes the port security modes and the security features.
Table 9 Port security modes
Purpose | Security mode | Features that can be triggered
Turning off the port security... | noRestrictions (the default mode) | 
The dynamic MAC address learning function in MAC address management is disabled on ports operating in autoLearn mode, but you can configure MAC addresses by using the mac-address dynamic and mac-address static commands.
secure—MAC address learning is disabled on a port in secure mode. You configure MAC addresses by using the mac-address static and mac-address dynamic commands.
For non-802.1X frames, a port in this mode performs only MAC authentication. For 802.1X frames, it performs MAC authentication and then, if the authentication fails, 802.1X authentication.
macAddressElseUserLoginSecureExt—This mode is similar to the macAddressElseUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users, as the keyword Ext implies.
Enabling port security
Configuration prerequisites
To enable port security, you must first disable 802.1X and MAC authentication globally.
Configuration procedure
To enable port security:
To do… | Use the command… | Remarks
Enter system view. | system-view | —
Enable port security. | port-security enable | Required. By default, the port security is disabled.
The port security’s limit on the number of MAC addresses on a port is independent of the MAC learning limit described in MAC address table configuration in Layer 2—LAN Switching Configuration Guide. Setting the port security mode Configuration prerequisites Before you set a port security mode for a port, complete the following tasks: Disable 802.1X and MAC authentication.
After enabling port security, you can change the port security mode of a port only when the port is operating in noRestrictions (the default) mode. To change the port security mode for a port in any other mode, use the undo port-security port-mode command to restore the default port security mode first.
Configuring port security features
Configuring NTK
The NTK feature checks the destination MAC addresses in outbound frames to make sure that frames are...
To do… | Use the command… | Remarks
Enter system view. | system-view | —
Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | —
Configure the intrusion protection feature. | port-security intrusion-mode { blockmac | disableport | disableport-temporarily } | Required. By default, intrusion protection is disabled.
By default, sticky MAC addresses do not age out. Use the port-security timer autolearn aging command to set an aging timer for sticky MAC addresses. When the timer expires, the sticky MAC addresses are removed. This aging mechanism prevents the unauthorized use of a sticky MAC address when the authorized user is offline, and it removes outdated secure MAC addresses so new secure MAC addresses can be learned.
To do… | Use the command… | Remarks
Enter system view. | system-view | —
Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | —
Ignore the authorization information from the RADIUS server. | port-security authorization ignore | Required. By default, a port uses the authorization information from the server.
Figure 40 Network diagram for configuring the autoLearn mode
Configuration procedure
Configure port security.
# Enable port security.
<Device> system-view
[Device] port-security enable
# Set the sticky MAC aging timer to 30 minutes.
[Device] port-security timer autolearn aging 30
# Enable intrusion protection traps on port GigabitEthernet 1/0/1.
[Device] port-security trap intrusion
[Device] interface gigabitethernet 1/0/1
# Set port security's limit on the number of MAC addresses to 64 on the port.
The output shows that the port security's limit on the number of secure MAC addresses on the port is 64, the port security mode is autoLearn, intrusion protection traps are enabled, and the intrusion protection action is disabling the port (DisablePortTemporarily) for 30 seconds. Use the command repeatedly to track the number of MAC addresses learned by the port, or use the display this command in Layer 2 Ethernet interface view to display the secure MAC addresses learned: <Device>...
Configuring the userLoginWithOUI mode
Network requirements
As shown in Figure 41, a client is connected to the device through port GigabitEthernet 1/0/1. The device authenticates the client with a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
• The RADIUS server at 192.168.1.2 functions as the primary authentication server and the...
[Device-radius-radsun] secondary accounting 192.168.1.2
[Device-radius-radsun] key authentication name
[Device-radius-radsun] key accounting money
[Device-radius-radsun] timer response-timeout 5
[Device-radius-radsun] retry 5
[Device-radius-radsun] timer realtime-accounting 15
[Device-radius-radsun] user-name-format without-domain
[Device-radius-radsun] quit
# Configure ISP domain sun to use RADIUS scheme radsun for authentication, authorization, and accounting of all types of users.
  IP: 192.168.1.3  Port: 1812  State: active
  Encryption Key : N/A
Second Acct Server:
  IP: 192.168.1.2  Port: 1813  State: active
  Encryption Key : N/A
Auth Server Encryption Key : name
Acct Server Encryption Key : money
Accounting-On packet disable, send times : 5 , interval : 3s
Interval for timeout(second)
Retransmission times for timeout
Interval for realtime accounting(minute)
Stored MAC address number is 0
Authorization is permitted
After an 802.1X user gets online, you can see that the number of secure MAC addresses stored is 1. You can also use the following command to view information about 802.1X:
<Device>...
In addition, the port allows an additional user whose MAC address has an OUI among the specified OUIs to access the port. Use the following command to view the related information:
<Device> display mac-address interface gigabitethernet 1/0/1
MAC ADDR          VLAN ID   STATE          PORT INDEX              AGING TIME(s)
[Device-GigabitEthernet1/0/1] port-security max-mac-count 64
# Set the port security mode to macAddressElseUserLoginSecure.
[Device-GigabitEthernet1/0/1] port-security port-mode mac-else-userlogin-secure
# Set the NTK mode of the port to ntkonly.
[Device-GigabitEthernet1/0/1] port-security ntk-mode ntkonly
Verify the configuration.
After completing the configurations, use the following command to view the port security configuration information:
<Device>...
1234-0300-0013    MAC_AUTHENTICATOR_SUCCESS
Use the following command to view 802.1X authentication information:
<Device> display dot1x interface gigabitethernet 1/0/1
 Equipment 802.1X protocol is enabled
 CHAP authentication is enabled
 EAD quick deploy is disabled
 Configuration: Transmit Period    30 s,  Handshake Period    15 s
                Quiet Period       60 s,  Quiet Period Timer is disabled...
Troubleshooting port security
Cannot set the port security mode
Symptom
Cannot set the port security mode.
[Device-GigabitEthernet1/0/1] port-security port-mode autolearn
Error:When we change port-mode, we should first change it to noRestrictions, then change it to the other.
Analysis
For a port operating in a port security mode other than noRestrictions, you cannot change the port security mode by using the port-security port-mode command directly.
Analysis
Changing port security mode is not allowed when an 802.1X authenticated or MAC authenticated user is online.
Solution
Use the cut command to forcibly disconnect the user from the port before changing the port security mode.
[Device-GigabitEthernet1/0/1] quit
[Device] cut connection interface gigabitethernet 1/0/1
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] undo port-security port-mode...
Configuring password control
Password control refers to a set of functions provided by the local authentication server to control user login passwords, super passwords, and user login status based on predefined policies. The rest of this section describes the password control functions in detail.
Minimum password length
By setting a minimum password length, you force users to use passwords long enough for system security.
Password history With this feature enabled, the system maintains certain entries of passwords that a user has used. When a user changes the password, the system checks the new password against the used ones. The new password must be different from the used ones by at least four characters, and the four characters must not be the same.
configures a password, the system checks the complexity of the password. If the password is not qualified, the system refuses the password and displays a password configuration failure message. You can impose the following password complexity requirements:
• A password cannot contain the username or the reverse of the username. For example, if the...
Task | Remarks
Setting super password control parameters | Optional
Setting a local user password in interactive mode | Optional
Enabling password control
To enable password control functions, you must do the following:
• Enable the password control feature in system view. Password control configurations take effect only after the password control feature is enabled globally.
To do… | Use the command… | Remarks
Configure the password composition policy. | password-control composition type-number policy-type [ type-length type-length ] | Optional. By default, the minimum number of password composition types is 1, and the minimum number of characters of a password composition type is also 1.
To do… | Use the command… | Remarks
Configure the minimum password length for the user group. | password-control length length | Optional. By default, the minimum password length configured in system view is used.
Configure the password composition policy for the user group. | password-control composition type-number type-number [ type-... | Optional. By default, the password composition policy configured in...
To do… | Use the command… | Remarks
Enter system view. | system-view | —
Set the password aging time for super passwords. | password-control super aging aging-time | Optional. 90 days by default.
Configure the minimum length for super passwords. | password-control super length length | Optional. 10 characters by default.
Password control configuration example
Network requirements
Implement the following global password control policy:
• An FTP or VTY user failing to provide the correct password in two successive login attempts is permanently prohibited from logging in.
• A user can log in five times within 60 days after the password expires.
[Sysname] super password level 3 simple 12345ABGFTweuix
# Create a local user named test.
[Sysname] local-user test
# Set the service type of the user to Telnet.
[Sysname-luser-test] service-type telnet
# Set the minimum password length to 12 for the local user.
[Sysname-luser-test] password-control length 12
# Set the minimum number of password composition types to 2 and the minimum number of characters of each password composition type to 5 for the local user.
The contents of local user test:
 State:                  Active
 ServiceType:            telnet
 Access-limit:           Disable
 Current AccessNum:      0
 User-group:             system
 Bind attributes:
 Authorization attributes:
 Password aging:         Enabled (20 days)
 Password length:        Enabled (12 characters)
 Password composition:   Enabled (2 types, 5 characters per type)
Total 1 local user(s) matched.
Configuring public keys To protect data confidentiality during transmission, the data sender uses an algorithm and a key to encrypt the plain text data before sending the data out. The receiver uses the same algorithm with the help of a key to decrypt the data, as shown in Figure Figure 42 Encryption and decryption The keys that participate in the conversion between the plain text and the cipher text can be the same or...
Task | Remarks
Configuring a local asymmetric key pair on the local device: Displaying or exporting the local host public key | Optional
Configuring a local asymmetric key pair on the local device: Destroying a local asymmetric key pair | Optional
Specifying the peer public key on the local device | Optional
Configuring a local asymmetric key pair on the local device
Creating a local asymmetric key pair
Configuration guidelines...
• Displaying the host public key in a specific format and saving it to a file
• Exporting the host public key in a specific format to a file
If your local device functions to authenticate the peer device, you must specify the peer public key on the local device.
asymmetric key pair.
Manually configure the public key:
• The recorded public key must be in the correct format, or the manual configuration of a format-incompliant public key fails.
• If the peer device is an HP device, use the display public-...
To manually configure the peer public key on the local device:
To do… | Use the command… | Remarks
Enter system view. | system-view | —
Specify a name for the public key and enter public key view. | public-key peer keyname | Required.
Enter public key code view. | public-key-code begin | —
...
Configuration procedure
Configure Device A.
# Create local RSA key pairs on Device A, setting the modulus length to the default, 1024 bits.
<DeviceA> system-view
[DeviceA] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
[DeviceB-pkey-key-code] 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814
F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669
A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3B
CA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001
[DeviceB-pkey-key-code] public-key-code end
[DeviceB-pkey-public-key] peer-public-key end
# Display the host public key of Device A saved on Device B.
[DeviceB] display public-key peer name devicea
=====================================
Key Name  : devicea
Key Type  : RSA
Key Module: 1024
=====================================
Key Code:
30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F9854...
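A key code pasted in public key code view must be exactly the peer's, and the display output wraps it across several lines. The following added example (not HP code) rejoins the wrapped lines of Device A's host key shown above, parses the DER-encoded SubjectPublicKeyInfo with a minimal TLV reader, and reports the values that should agree with the display output: algorithm OID rsaEncryption, a 1024-bit modulus (Key Module: 1024) and the public exponent. The SHA-1 over the DER bytes is just a digest of the blob for comparing two recorded copies, not a value the device prints.

```python
"""Parse an HP-displayed RSA host public key code (DER SubjectPublicKeyInfo).
Added example, not HP code. KEY_CODE is the key code shown on this page,
split exactly as the display output wraps it."""
import hashlib

KEY_CODE = (
    "30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814\n"
    "F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669\n"
    "A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3B\n"
    "CA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001\n"
)

RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"


def load_key_code(text: str) -> bytes:
    """Remove the line wrapping of the display output and decode the hex."""
    compact = "".join(text.split())
    if len(compact) % 2 or any(c not in "0123456789abcdefABCDEF" for c in compact):
        raise ValueError("key code is not an even-length hex string")
    return bytes.fromhex(compact)


def read_tlv(data: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos.
    Handles short-form and long-form (0x81, 0x82, ...) lengths."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode an OBJECT IDENTIFIER value into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_rsa_public_key(der: bytes) -> dict:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }
    where the BIT STRING wraps RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }."""
    tag, spki, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("key code is not a single DER SEQUENCE")
    tag, alg, pos = read_tlv(spki, 0)             # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    _, oid, _ = read_tlv(alg, 0)
    tag, bits, _ = read_tlv(spki, pos)            # BIT STRING
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    _, rsa_key, _ = read_tlv(bits, 1)             # RSAPublicKey SEQUENCE
    _, n_bytes, pos = read_tlv(rsa_key, 0)
    _, e_bytes, _ = read_tlv(rsa_key, pos)
    n = int.from_bytes(n_bytes, "big")
    return {
        "algorithm": decode_oid(oid),
        "modulus_bits": n.bit_length(),
        "exponent": int.from_bytes(e_bytes, "big"),
        "sha1_of_der": hashlib.sha1(der).hexdigest(),   # for comparing two copies
    }


if __name__ == "__main__":
    info = parse_rsa_public_key(load_key_code(KEY_CODE))
    print("RSA" if info["algorithm"] == RSA_ENCRYPTION_OID else info["algorithm"],
          info["modulus_bits"], "bits, e =", info["exponent"])
```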
Generating Keys...
++++++
++++++
++++++++
++++++++
# Display the public keys of the local RSA key pairs.
[DeviceA] display public-key local rsa public
=====================================================
Time of Key pair created: 09:50:06 2011/03/07
Key name: HOST_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F9854
C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A784A...
User(10.1.1.1:(none)):ftp
331 Password required for ftp.
Password:
230 User logged in.
[ftp] binary
200 Type set to I.
[ftp] get devicea.pub
227 Entering Passive Mode (10,1,1,1,5,148).
125 BINARY mode data connection already open, transfer starting for /devicea.pub.
226 Transfer complete.
FTP: 299 byte(s) received in 0.189 second(s), 1.00Kbyte(s)/sec.
With digital certificates, the PKI system provides network communication and e-commerce with security services such as user authentication, data non-repudiation, data confidentiality, and data integrity. HP's PKI system provides certificate management for SSL. PKI terms Digital certificate A digital certificate is a file signed by a CA for an entity.
might use different methods to check the binding of a public key with an entity, make sure that you understand the CA policy before selecting a trusted CA for certificate request. PKI architecture A PKI system consists of entities, a CA, an RA, and a PKI repository. See Figure Figure 45 PKI architecture Entity...
PKI applications
The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI has a wide range of applications. Here are some application examples.
A VPN is a private data communication network built on the public communication infrastructure. A VPN can leverage network layer security protocols (for instance, IPsec) in conjunction with PKI-based encryption and digital signature technologies for confidentiality.
Retrieving a certificate manually: Optional.
Configuring PKI certificate verification: Optional.
Destroying a local RSA key pair: Optional.
Deleting a certificate: Optional.
Configuring an access control policy: Optional.
Configuring an entity DN
A certificate is the binding of a public key and the identity information of an entity, where the identity information is identified by an entity DN.
Configure the IP address for the entity: ip ip-address (Optional. No IP address is specified by default.)
Configure the locality for the entity: locality locality-name (Optional. No locality is specified by default.)
Configure the organization name for the entity: organization org-name (Optional. No organization is specified by default.)
• Fingerprint for root certificate verification—After receiving the root certificate of the CA, an entity needs to verify the fingerprint of the root certificate, namely, the hash value of the root certificate content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not match the one configured for the PKI domain, the entity rejects the root certificate.
Submitting a PKI certificate request
When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which are the major components of the certificate. A certificate request can be submitted to a CA in offline mode or online mode. In offline mode, a certificate request is submitted to a CA by an out-of-band method such as phone, disk, or email.
Generate a local RSA key pair: public-key local create rsa (Required. No local RSA key pair exists by default.)
Submit a local certificate request manually: pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ] (Required.)
If a PKI domain already has a local certificate, creating an RSA key pair results in inconsistency between the key pair and the certificate.
Retrieve a certificate manually (online): pki retrieval-certificate { ca | local } domain domain-name (Required. Use either command.)
Retrieve a certificate manually (offline): pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ] (Required. Use either command.)
If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it.
Verify the validity of a certificate: pki validate-certificate { ca | local } domain domain-name (Required.)
The CRL update period defines the interval at which the entity downloads CRLs from the CRL server. A CRL update period configured manually on the switch takes precedence over the update period carried in the CRLs.
Enter system view: system-view (—)
Delete certificates: pki delete-certificate { ca | local } domain domain-name (Required)
Configuring an access control policy
When you configure a certificate attribute-based access control policy, you can further control access to the server, providing additional security for the server.
Display information about certificate attribute groups: display pki certificate attribute-group { group-name | all } [ | { begin | exclude | include } regular-expression ] (Available in any view)
Display information about certificate attribute-based access...: display pki certificate access-control-policy { policy-name | all }...
After the configuration, make sure that the system clock of the switch is synchronized with that of the CA, so that the switch can request certificates and retrieve CRLs properly.
Configure the switch.
• Configure the entity DN.
# Configure the entity name as aaa and the common name as device.
<Device>...
SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8
Is the finger print correct?(Y/N):y
Saving CA/RA certificates chain, please wait a moment..
CA certificates retrieval success.
# Retrieve CRLs and save them locally.
[Device] pki retrieval-crl domain torsa
Connecting to server for retrieving CRL.
From the Start menu, select Control Panel > Administrative Tools > Certificate Authority. If the CA server and SCEP add-on have been installed successfully, there should be two certificates issued by the CA to the RA. Right-click the CA server in the navigation tree, and select Properties > Policy Module. Click Properties and then select Follow the settings in the certificate template, if applicable.
• Apply for certificates.
# Retrieve the CA certificate and save it locally.
[Device] pki retrieval-certificate ca domain torsa
Retrieving CA/RA certificates. Please wait a while..
The trusted CA's finger print is:
fingerprint:766C D2C8 9E46 845B 4DCE 439C 1C1F 83AB
SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4
Is the finger print correct?(Y/N):y
Saving CA/RA certificates chain, please wait a moment..
Configuration procedure
NOTE:
• For more information about SSL configuration, see "Configuring SSL."
• For more information about HTTPS configuration, see Fundamentals Configuration Guide.
• The PKI domain to be referenced by the SSL policy must be created in advance. For information...
Troubleshooting PKI
Failed to retrieve a CA certificate
Symptom
Failed to retrieve a CA certificate.
Analysis
Possible reasons include the following:
• The network connection is not normal. For example, the network cable might be damaged or loose.
• No trusted CA is specified.
•...
• Use the ping command to check whether the RA server is reachable.
• Specify the authority for certificate request.
• Configure the required entity DN parameters.
Failed to retrieve CRLs
Symptom
Failed to retrieve CRLs.
Analysis
Possible reasons include the following:
The network connection is not normal.
Configuring SSH2.0
SSH offers an approach to logging in to a remote device securely. Using encryption and strong authentication, SSH protects devices against attacks such as IP spoofing and plaintext password interception. The switch can not only work as an SSH server to support connections with SSH clients but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server.
The server compares the version number carried in the packet with that of its own. If the server supports the version, the negotiation succeeds, and the server and the client proceed with key and algorithm negotiation. Otherwise, the negotiation fails, and the server breaks the TCP connection. All packets involved in the preceding steps are transferred in plain text.
The server authenticates the client. If the authentication fails, the server sends the client a message that reports the failure and lists the methods available for re-authentication. The client selects a method from the list to start another authentication attempt. This process repeats until the authentication succeeds or the number of failed authentication attempts exceeds the maximum number of authentication attempts.
Generating a DSA or RSA key pair
In the key and algorithm negotiation stage, the DSA or RSA key pair is required to generate the session key and session ID and for the client to authenticate the server. To generate a DSA or RSA key pair on the SSH server:
To do…...
(in binary) to the server through FTP or TFTP. HP recommends that you configure a client public key by importing it from a public key file.
Configuring a client public key manually
To do…...
Return to system view: peer-public-key end (—)
Importing a client public key from a public key file
Enter system view: system-view (—)
Import the public key from a public key file: public-key peer keyname import (Required)
A user without an SSH account can still pass password authentication and log in to the server through Stelnet or SFTP, as long as the user can pass AAA authentication and the service type is SSH. For successful login through SFTP, you must set the user service type to sftp or all. SSH1 does not support the service type sftp.
Configuring the switch as an SSH client
SSH client configuration task list
Specifying a source ip address/interface for the SSH client: Optional
Configuring whether first-time authentication is supported: Optional
Establishing a connection between the SSH client and server: Required
Specifying a source ip address/interface for the SSH client
Specify a source IP address or interface for the client to access the SSH server, improving service...
Enable the switch to support first-time authentication: ssh client first-time enable (Optional. By default, first-time authentication is supported on a client.)
Disable first-time authentication
For successful authentication of an SSH client not supporting first-time authentication, the server host public key must be configured on the client, and the public key name must be specified.
Displaying and maintaining SSH
Display the source IP address or interface currently set for the SFTP client: display sftp client source [ | { begin | exclude | include } regular-expression ] (Available in any view)
Display the source IP address or ...: display ssh client source [ | {...
# Generate the RSA key pairs.
<Switch> system-view
[Switch] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
Establish a connection between the SSH client and the SSH server.
NOTE: The switch supports a variety of SSH client software, such as PuTTY and OpenSSH. The following is an example of configuring an SSH client using PuTTY Version 0.58.
# Establish a connection to the SSH server.
Launch PuTTY.exe to enter the following interface.
Figure 51 Switch acts as server for publickey authentication
Configuration procedure
NOTE: During SSH server configuration, the client public key is required. Use the client software to generate RSA key pairs on the client before you configure the SSH server.
Configure the SSH client.
Figure 53 Generate a key pair on the client
2) After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key. See Figure 54.
Figure 54 Generate a key pair on the client
3)
Likewise, to save the private key, click Save private key. A warning window pops up to ask whether to save the private key without any protection. Click Yes and enter the name of the file for saving the key (private.ppk in this case). See Figure 55.
Figure 55 Save a key pair on the client
4) Then, transmit the public key file to the server through FTP or TFTP.
[Switch-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
[Switch-ui-vty0-4] protocol inbound ssh
# Set the user command privilege level to 3.
[Switch-ui-vty0-4] user privilege level 3
[Switch-ui-vty0-4] quit
# Import the client's public key from file key.pub and name it Switch001.
[Switch] public-key peer Switch001 import sshkey key.pub
# Specify the authentication method for user client002 as publickey, and assign the public key Switch001 to the user.
Figure 57 SSH client configuration interface
2) Click Open to connect to the server. If the connection is normal, you are prompted to enter the username. After entering the username (client002), you can enter the configuration interface of the server.
SSH client configuration examples
When the switch acts as client for password authentication
Network requirements...
<SwitchB> system-view
[SwitchB] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
# Configure an IP address for VLAN-interface 1.
<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
[SwitchA-Vlan-interface1] quit
[SwitchA] quit
• If the client supports first-time authentication, you can directly establish a connection from the client to the server.
# Establish an SSH connection to server 10.165.87.136.
[SwitchA-pkey-key-code]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465E8716261214A5A3B493E866991113B2D
[SwitchA-pkey-key-code]485348
[SwitchA-pkey-key-code] public-key-code end
[SwitchA-pkey-public-key] peer-public-key end
# Specify the host public key for the SSH server (10.165.87.136) as key1.
[SwitchA] ssh client authentication server 10.165.87.136 assign publickey key1
[SwitchA] quit
# Establish an SSH connection to server 10.165.87.136.
<SwitchA>...
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++
# Export the DSA public key to file key.pub.
[SwitchA] public-key local export dsa ssh2 key.pub
[SwitchA] quit
Then, transmit the public key file to the server through FTP or TFTP.
Configure the SSH server.
# Set the user command privilege level to 3.
[SwitchB-ui-vty0-4] user privilege level 3
[SwitchB-ui-vty0-4] quit
# Import the peer public key from the file key.pub.
[SwitchB] public-key peer Switch001 import sshkey key.pub
# Specify the authentication method for user client002 as publickey, and assign the public key Switch001 to the user.
Configuring SFTP
SFTP is a new feature in SSH2.0. SFTP uses the SSH connection to provide secure data transfer. The switch can serve as the SFTP server, allowing a remote user to log in to the SFTP server for secure file management and transfer. The switch can also serve as an SFTP client, enabling a user to log in from the switch to a remote device for secure file transfer.
Configuring the switch as an SFTP client
Specifying a source IP address or interface for the SFTP client
You can configure a client to use only a specified source IP address or interface to access the SFTP server, enhancing the service manageability. To specify a source IP address or interface for the SFTP client:
To do…...
• Changing the name of a directory on the server
• Creating or deleting a directory
To work with the SFTP directories:
Enter SFTP client view: Required. For more information, see "Establishing a connection to the SFTP server." Execute the command in user...
Display the files under a directory: dir [ -a | -l ] [ remote-path ] or ls [ -a | -l ] [ remote-path ] (Optional. The dir command functions as the ls command.)
Optional. delete remote-file&<1-10>...
Configuration procedure
NOTE: During SFTP server configuration, the client public key is required. Use the client software to generate RSA key pairs on the client before you configure the SFTP server.
Configure the SFTP client.
# Create VLAN-interface 1 and assign an IP address to it.
<SwitchA>...
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++
# Enable the SSH server.
[SwitchB] ssh server enable
# Enable the SFTP server.
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
-rwxrwxrwx 1 noone nogroup 0 Sep 01 08:00 z
sftp-client> delete z
The following File will be deleted:
Are you sure to delete it? [Y/N]:y
This operation might take a long time.Please wait...
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++
# Enable the SSH server.
[Switch] ssh server enable
# Enable the SFTP server.
Configuring SSL
SSL is a security protocol that provides secure connection services for TCP-based application layer protocols such as HTTP. It is widely used in e-business and online banking to ensure secure data transmission over the Internet.
SSL security mechanism
Secure connections provided by SSL have these features:
• Confidentiality—SSL uses a symmetric encryption algorithm to encrypt data and uses the...
Figure 64 SSL protocol stack
• SSL record protocol—Fragments data to be transmitted, computes and adds MAC to the data, and encrypts the data before transmitting it to the peer end.
• SSL handshake protocol—Negotiates the cipher suite to be used for secure communication...
Create an SSL server policy and enter its view: ssl server-policy policy-name (Required.)
Specify a PKI domain for the SSL server policy: pki-domain domain-name (Required. By default, no PKI domain is specified for an SSL server policy.)
Optional. ciphersuite [ rsa_3des_ede_cbc_sha |
To achieve the goal, perform the following configurations (see Figure 65):
• Configure the device to work as the HTTPS server, and request a certificate for the device.
• Request a certificate for the host so that the device can authenticate the identity of the host.
• Configure a CA server to issue certificates to the device and the host.
[Device] ssl server-policy myssl
# Specify the PKI domain for the SSL server policy as 1.
[Device-ssl-server-policy-myssl] pki-domain 1
# Enable client authentication.
[Device-ssl-server-policy-myssl] client-verify enable
[Device-ssl-server-policy-myssl] quit
# Configure HTTPS service to use SSL server policy myssl.
[Device] ip https ssl-server-policy myssl
# Enable HTTPS service.
Specify a PKI domain for the SSL client policy: pki-domain domain-name (Optional. No PKI domain is configured by default.)
Specify the preferred cipher suite for the SSL client policy: prefer-cipher { rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | ... (Optional. rsa_rc4_128_md5 by default.)
Solution
Issue the debugging ssl command, and view the debugging information to locate the problem:
• If the SSL client is configured to authenticate the SSL server but the SSL server has no certificate, request one for it.
• If the server's certificate cannot be trusted, install the root certificate of the CA that issued the local...
Configuring TCP attack protection
An attacker can attack the switch during the process of establishing a TCP connection. To prevent such an attack, the switch provides the SYN Cookie feature.
Enabling the SYN Cookie feature
Establishing a TCP connection involves the following handshakes:
The request originator sends a SYN message to the target server.
Configuring IP source guard
IP source guard is intended to improve port security by blocking illegal packets. For example, it can prevent illegal hosts from using a legal IP address to access the network. IP source guard can filter packets according to the packet source IP address and source MAC address. It supports these types of binding entries:
• IP-port binding entry
•...
Port-based static binding entries are used to check the validity of users who are trying to access a port.
Dynamic IP source guard binding entries
Dynamic IP source guard entries are generated dynamically according to client entries on the DHCP snooping or DHCP relay agent device.
On a Layer 2 Ethernet port, IP source guard cooperates with DHCP snooping, dynamically obtains the DHCP snooping entries generated during dynamic IP address allocation, and generates IP source guard entries accordingly. On a Layer 3 Ethernet port or VLAN interface, IP source guard cooperates with DHCP relay, dynamically obtains the DHCP relay entries generated during dynamic IP address allocation across network segments, and generates IP source guard entries accordingly.
Enter Layer 2 interface view: interface interface-type interface-number (—)
Configure a static IPv4 source guard binding entry on the port: ip source binding { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-... (Required. By default, no static IPv4 binding...
Cooperating with DHCPv6 snooping, IP source guard dynamically generates IP source guard entries based on the DHCPv6 snooping entries that are generated during dynamic IP address allocation. Cooperating with ND snooping, IP source guard dynamically generates IP source guard entries based on dynamic ND snooping entries.
Configure a static IPv6 binding entry on a port: ipv6 source binding { ipv6-address ipv6-address | ipv6-address ipv6-address mac-address mac-address | mac-address mac-address } (Required. By default, no static IPv6 binding entry is configured on a port.)
You cannot configure the same static binding entry on one port repeatedly, but you can configure the same static binding entry on different ports.
Display static IPv4 source guard binding entries: display ip source binding static [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] (Available in any view)
display ip source binding [ interface interface-type interface-number | ip-...
Figure 67 Network diagram for configuring static IPv4 source guard binding entries
Configuration procedure
Configure Device A.
# Configure the IPv4 source guard function on GigabitEthernet 1/0/2 to filter packets based on both the source IP address and MAC address.
<DeviceA>...
# Configure the IPv4 source guard function on GigabitEthernet 1/0/1 to filter packets based on the source IP address.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip verify source ip-address
# Configure GigabitEthernet 1/0/1 to allow only IP packets with the source IP address of 192.168.0.2 to pass.
Configuration procedure
Configure DHCP snooping.
# Enable DHCP snooping.
<Device> system-view
[Device] dhcp-snooping
# Configure port GigabitEthernet 1/0/2, which is connected to the DHCP server, as a trusted port.
[Device] interface gigabitethernet1/0/2
[Device-GigabitEthernet1/0/2] dhcp-snooping trust
[Device-GigabitEthernet1/0/2] quit
Configure the IPv4 source guard function.
# Configure the IPv4 source guard function on port GigabitEthernet 1/0/1 to filter packets based on both the source IP address and MAC address.
Enable the IPv4 source guard binding function on the switch's VLAN-interface 100 to filter packets based on the DHCP relay entry, allowing only packets from clients that obtain IP addresses from the DHCP server to pass.
Figure 69 Network diagram for configuring dynamic IPv4 source guard binding through DHCP relay
Figure labels: DHCP client, DHCP relay agent, DHCP server...
Static IPv6 source guard binding entry configuration example
Network requirements
As shown in Figure 70, the host is connected to port GigabitEthernet 1/0/1 of the device. Configure a static IPv6 source guard binding entry for GigabitEthernet 1/0/1 of the device to allow only packets from the host to pass.
Figure 71 Network diagram for configuring dynamic IPv6 source guard binding by DHCPv6 snooping
Configuration procedure
Configure DHCPv6 snooping.
# Enable DHCPv6 snooping globally.
<Device> system-view
[Device] ipv6 dhcp snooping enable
# Enable DHCPv6 snooping in VLAN 2.
[Device] vlan 2
[Device-vlan2] ipv6 dhcp snooping vlan enable
[Device-vlan2] quit
# Configure the port connecting to the DHCP server as a trusted port.
Dynamic IPv6 source guard binding by ND snooping configuration example
Network requirements
As shown in Figure 72, the client is connected to the device through port GigabitEthernet 1/0/1. Enable ND snooping on the device, establishing ND snooping entries by listening to DAD NS messages. Enable the IPv6 source guard function on port GigabitEthernet 1/0/1 to filter packets based on the ND snooping entries, allowing only packets with a legally obtained IPv6 address to pass.
Troubleshooting IP source guard
Cannot configure static binding entries or dynamic binding function
Symptom
Failed to configure static binding entries or the dynamic binding function on a port.
Analysis
IP source guard is not supported on a port in an aggregation group.
Solution
Remove the port from the aggregation group.
Configuring ARP attack protection
The term "interface" in the ARP attack protection features refers to Layer 3 interfaces, including VLAN interfaces and route-mode (or Layer 3) Ethernet ports. You can set an Ethernet port to operate in route mode by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide).
CAUTION: Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
prevention: Optional.
Configuring ARP active acknowledgement: Optional. Configure this function on gateways (recommended).
Configuring ARP detection: Optional. Configure this function on access devices (recommended).
Configuring ARP automatic scanning and fixed ARP: Optional. Configure this function on gateways (recommended).
Configuring ARP defense against IP packet attacks
If the device receives a large number of IP packets from a host addressed to unreachable destinations, the following occur:
The device sends a large number of ARP requests to the destination subnets.
Enabling ARP black hole routing
Enter system view: system-view (—)
Enable ARP black hole routing: arp resolving-route enable (Optional. Enabled by default)
Displaying and maintaining ARP defense against IP packet attacks
Display the ARP source suppression...: display arp source-suppression [...
Configuration considerations
If the attacking packets have the same source address, you can enable the ARP source suppression function by doing the following:
• Enable ARP source suppression.
• Set the threshold for ARP packets from the same source address to 100. If the number of ARP...
Configuring source MAC address-based ARP attack detection
With this feature enabled, the device checks the source MAC address of ARP packets delivered to the CPU. It detects an attack when one MAC address sends more ARP packets in 5 seconds than the specified threshold.
Source MAC address-based ARP attack detection configuration example
Network requirements
As shown in Figure 74, the hosts access the Internet through a gateway (Device). If malicious users send a large number of ARP requests to the gateway, the gateway may crash and be unable to process requests from the clients.
[Device] arp anti-attack source-mac aging-time 60
# Configure 0012-3f86-e94c as a protected MAC address.
[Device] arp anti-attack source-mac exclude-mac 0012-3f86-e94c
Configuring ARP packet source MAC address consistency check
The ARP packet source MAC address consistency check feature enables a gateway device to filter out ARP packets whose source MAC address in the Ethernet header differs from the sender MAC address in the ARP message, so that the gateway device can learn correct ARP entries.
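The two gateway-side ARP checks described in this section, source MAC address-based attack detection (threshold per 5-second window, aging time, protected MAC addresses) and the source MAC consistency check, modelled in Python as an added example; this is not HP's implementation. The 5-second window is from the text above; the threshold and aging values, the sample MACs other than 0012-3f86-e94c, and the choice to drop packets from a detected MAC until it ages out are constructed assumptions.

```python
"""Added example (not HP's code): source MAC address-based ARP attack
detection and ARP source MAC consistency check, as a reference model."""
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 5.0  # detection window stated in the guide


@dataclass(frozen=True)
class ArpPacket:
    ts: float          # arrival time in seconds (constructed sample data)
    eth_src: str       # source MAC in the Ethernet header, e.g. "0012-3f86-e94c"
    sender_mac: str    # sender hardware address carried in the ARP message
    sender_ip: str


def consistent_source_mac(pkt: ArpPacket) -> bool:
    """Consistency check: Ethernet source MAC must equal the ARP sender MAC."""
    return pkt.eth_src.lower() == pkt.sender_mac.lower()


class SourceMacArpDetector:
    """Counts ARP packets per source MAC inside the 5-second window.

    threshold, aging_time and exclude_macs mirror the threshold, aging-time
    and exclude-mac settings of the section; dropping packets from a detected
    MAC until it ages out is an assumption made for this example.
    """

    def __init__(self, threshold: int, aging_time: float, exclude_macs=()):
        self.threshold = threshold
        self.aging_time = aging_time
        self.protected = {m.lower() for m in exclude_macs}
        self.windows = defaultdict(deque)   # mac -> arrival times in window
        self.detected = {}                  # mac -> time of detection

    def _age_out(self, now: float) -> None:
        # A detected MAC is released once aging_time has elapsed.
        for mac in [m for m, t in self.detected.items() if now - t >= self.aging_time]:
            del self.detected[mac]

    def observe(self, pkt: ArpPacket) -> str:
        """Return the verdict for one ARP packet delivered to the CPU."""
        self._age_out(pkt.ts)
        if not consistent_source_mac(pkt):
            return "drop-inconsistent"
        mac = pkt.eth_src.lower()
        if mac in self.protected:
            return "forward"              # protected MACs are never rate-checked
        if mac in self.detected:
            return "drop-attacker"
        window = self.windows[mac]
        window.append(pkt.ts)
        while window and pkt.ts - window[0] > WINDOW_SECONDS:
            window.popleft()              # keep only the last 5 seconds
        if len(window) > self.threshold:
            self.detected[mac] = pkt.ts
            window.clear()
            return "detected"
        return "forward"


def run_sample() -> dict:
    """Feed constructed traffic through the detector and count the verdicts."""
    det = SourceMacArpDetector(threshold=30, aging_time=60,
                               exclude_macs=["0012-3f86-e94c"])
    verdicts = defaultdict(int)
    flood = "00aa-bbcc-dd01"           # constructed flooding MAC
    for i in range(40):                # 40 ARP packets within 0.4 s
        verdicts[det.observe(ArpPacket(i * 0.01, flood, flood, "10.1.1.9"))] += 1
    # The protected MAC may send at any rate.
    for i in range(40):
        verdicts[det.observe(ArpPacket(i * 0.01, "0012-3f86-e94c",
                                       "0012-3f86-e94c", "10.1.1.1"))] += 1
    # Ethernet source and ARP sender disagree: the consistency check drops it.
    verdicts[det.observe(ArpPacket(1.0, "00aa-bbcc-dd02",
                                   "00aa-bbcc-dd03", "10.1.1.2"))] += 1
    # After the aging time the flooding MAC is checked afresh.
    verdicts[det.observe(ArpPacket(61.0, flood, flood, "10.1.1.9"))] += 1
    return dict(verdicts)


if __name__ == "__main__":
    for verdict, count in sorted(run_sample().items()):
        print(f"{verdict:18s} {count}")
```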
If both the ARP detection based on specified objects and the ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1X security entries are enabled, the former applies first, and then the latter.
Enabling ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1X security entries
With this feature enabled, the device compares the sender IP and MAC addresses of an ARP packet received from the VLAN against the static IP source guard binding entries, DHCP snooping entries, or...
Return to system view: quit (—)
Enter Layer 2 Ethernet interface/Layer 2 aggregate interface view: interface interface-type interface-number (—)
Configure the port as a trusted port on which ARP detection does not...: arp detection trust (Optional. The port is an untrusted port by default.)
Configuring ARP restricted forwarding
ARP restricted forwarding controls the forwarding of ARP packets that are received on untrusted ports and have passed ARP detection in the following cases:
• If the packets are ARP requests, they are forwarded through the trusted ports.
•...
Figure 75 Network diagram for ARP detection configuration
Figure labels: Gateway, DHCP server, Switch A, GE1/0/3, Vlan-int10 10.1.1.1/24, VLAN 10, GE1/0/3, Switch B, GE1/0/1, GE1/0/2, Host A, Host B
Configuration procedure
Add all ports on Switch B into VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A.
# Configure the upstream port as a trusted port and the downstream ports as untrusted ports (a port is an untrusted port by default).
[SwitchB-vlan10] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] arp detection trust
[SwitchB-GigabitEthernet1/0/3] quit
After the preceding configurations are complete, when ARP packets arrive at interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, they are checked against 802.1X security entries.
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] dhcp-snooping trust
[SwitchB-GigabitEthernet1/0/3] quit
# Enable ARP detection for VLAN 10.
[SwitchB] vlan 10
[SwitchB-vlan10] arp detection enable
# Configure the upstream port as a trusted port and the downstream ports as untrusted ports (a port is an untrusted port by default).
Figure 77 Network diagram for ARP restricted forwarding configuration
Figure labels: Gateway, DHCP server, Switch A, GE1/0/3, Vlan-int10 10.1.1.1/24, VLAN 10, DHCP snooping, GE1/0/3, Switch B, GE1/0/1, GE1/0/2, Host A, Host B (10.1.1.6, DHCP client, 0001-0203-0607)
Configuration procedure
Configure VLAN 10, add ports to VLAN 10, and configure the IP address of the VLAN-interface, as shown in Figure 73.
ARP automatic scanning) into static ARP entries. The fixed ARP feature effectively prevents ARP entries from being modified by attackers. HP recommends that you use ARP automatic scanning and fixed ARP in a small-scale network such as a cybercafe.
The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the device supports. As a result, the device may fail to change all dynamic ARP entries into static ARP entries. To delete a specific static ARP entry changed from a dynamic one, use the undo arp ip-address command.
Configuring ND attack defense
The IPv6 ND protocol provides rich functions, such as address resolution, neighbor reachability detection, duplicate address detection, router/prefix discovery and address autoconfiguration, and redirection. However, it does not provide any security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets.
To identify forged ND packets, HP developed the source MAC consistency check and ND detection features. For more information about the functions of the ND protocol, see Layer 3—IP Services Configuration Guide.
Enabling source MAC consistency check for ND packets
Use source MAC consistency check on a gateway to filter out ND packets that carry different source MAC addresses in the Ethernet frame header and the source link layer address option.
The ND snooping table is created automatically by the ND snooping module. For more information, see Layer 3—IP Services Configuration Guide.
Configuring ND detection
ND detection performs source check by using the binding tables of IP source guard, DHCPv6 snooping, and ND snooping.
Enable ND detection on Switch B to filter out forged ND packets.

Network diagram

Figure 79 Network diagram for ND detection configuration (Internet; Gateway Switch A: GE1/0/3, Vlan-int10 10::1, VLAN 10, ND snooping; Switch B: GE1/0/3, GE1/0/1, GE1/0/2; Host A 10::5; Host B 10::6) ...
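The two checks described above (source MAC consistency and ND detection against binding tables), as an added worked example that is not part of the HP guide or the switch software: a small Python decoder for Ethernet/IPv6/ICMPv6 ND frames that first compares the Ethernet source MAC with the source link-layer address option, then looks the packet up in a binding table keyed by IPv6 address, MAC, VLAN and port, in the shape of the ND snooping, DHCPv6 snooping and IP source guard entries the text names. The MAC addresses, frames and binding entries are constructed for the example (the IPv6 addresses, VLAN and port names follow Figure 79); letting a duplicate address detection probe with an unspecified source address pass the binding check is an assumption of this example, not a statement about the switch's behaviour.

```python
import ipaddress
import struct
from typing import Dict, Optional, Set, Tuple

ETH_P_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
# ND message types (RFC 4861): RS, RA, NS, NA -> byte offset of the first option.
ND_OPTION_OFFSET = {133: 8, 134: 16, 135: 24, 136: 24}
OPT_SOURCE_LLADDR = 1  # source link-layer address option

# Constructed host MACs and a constructed binding table modelled on the
# switch's binding entries: (IPv6 address, MAC, VLAN, receiving port).
MAC_A = bytes.fromhex("000102030405")
MAC_B = bytes.fromhex("0a0b0c0d0e0f")
BINDINGS: Set[Tuple[ipaddress.IPv6Address, bytes, int, str]] = {
    (ipaddress.IPv6Address("10::5"), MAC_A, 10, "GE1/0/1"),
    (ipaddress.IPv6Address("10::6"), MAC_B, 10, "GE1/0/2"),
}


def build_ns_frame(eth_src: bytes, src_ip: str, target_ip: str,
                   slla: Optional[bytes] = None) -> bytes:
    """Constructed test input: Ethernet + IPv6 + ICMPv6 Neighbor Solicitation.
    The ICMPv6 checksum is left as zero because the checks below never use it."""
    icmp = struct.pack("!BBHI16s", 135, 0, 0, 0, ipaddress.IPv6Address(target_ip).packed)
    if slla is not None:
        icmp += struct.pack("!BB6s", OPT_SOURCE_LLADDR, 1, slla)  # length is in 8-byte units
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255,
                      ipaddress.IPv6Address(src_ip).packed,
                      ipaddress.IPv6Address("ff02::1:ff00:5").packed)
    eth = struct.pack("!6s6sH", bytes.fromhex("3333ff000005"), eth_src, ETH_P_IPV6)
    return eth + ip6 + icmp


def parse_nd_frame(frame: bytes) -> Optional[dict]:
    """Return the fields the checks need, None for frames that are not ND,
    and raise ValueError for ND packets that are malformed."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
        return None
    src_mac = frame[6:12]
    ip6 = frame[14:54]
    if ip6[0] >> 4 != 6 or ip6[6] != IPPROTO_ICMPV6:  # extension headers not handled here
        return None
    payload_len = struct.unpack("!H", ip6[4:6])[0]
    icmp = frame[54:54 + payload_len]
    if len(icmp) < 4 or icmp[0] not in ND_OPTION_OFFSET:
        return None
    if len(icmp) != payload_len:
        raise ValueError("truncated ICMPv6 payload")
    off = ND_OPTION_OFFSET[icmp[0]]
    if len(icmp) < off:
        raise ValueError("ND header too short")
    options: Dict[int, bytes] = {}
    while off < len(icmp):
        if off + 2 > len(icmp):
            raise ValueError("truncated option header")
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0 or off + 8 * olen > len(icmp):  # RFC 4861: length 0 is invalid
            raise ValueError("bad option length")
        options[otype] = icmp[off + 2:off + 8 * olen]
        off += 8 * olen
    return {"src_mac": src_mac, "src_ip": ipaddress.IPv6Address(ip6[8:24]),
            "type": icmp[0], "options": options}


def source_mac_consistent(nd: dict) -> bool:
    """Source MAC consistency check: the Ethernet source MAC must equal the
    MAC carried in the source link-layer address option, when that option is present."""
    slla = nd["options"].get(OPT_SOURCE_LLADDR)
    return slla is None or slla[:6] == nd["src_mac"]


def nd_detection_allows(nd: dict, vlan: int, port: str, bindings: Set) -> bool:
    """ND detection style source check against the binding table."""
    if nd["src_ip"] == ipaddress.IPv6Address("::"):
        return True  # assumption: a DAD probe has no binding yet, so it is let through
    return (nd["src_ip"], nd["src_mac"], vlan, port) in bindings


def filter_nd(frame: bytes, vlan: int, port: str, bindings: Set = BINDINGS) -> str:
    """Apply both checks in order and return the verdict for the frame."""
    try:
        nd = parse_nd_frame(frame)
    except ValueError:
        return "drop:malformed"
    if nd is None:
        return "ignore:not-nd"
    if not source_mac_consistent(nd):
        return "drop:mac-mismatch"
    if not nd_detection_allows(nd, vlan, port, bindings):
        return "drop:no-binding"
    return "forward"


if __name__ == "__main__":
    legit = build_ns_frame(MAC_A, "10::5", "10::1", slla=MAC_A)
    print(filter_nd(legit, 10, "GE1/0/1"))                       # forward
    forged_option = build_ns_frame(MAC_A, "10::5", "10::1", slla=MAC_B)
    print(filter_nd(forged_option, 10, "GE1/0/1"))               # drop:mac-mismatch
    forged_source = build_ns_frame(MAC_B, "10::5", "10::1", slla=MAC_B)
    print(filter_nd(forged_source, 10, "GE1/0/2"))               # drop:no-binding
```

The ordering matters for the same reason it does on the gateway: the consistency check is cheap and stateless, so it runs first, and only packets that pass it consume a binding-table lookup.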
Configuring URPF

The term "router" in this document refers to both routers and Layer 3 switches.

URPF protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers launch attacks by creating a series of packets with forged source addresses. For applications using IP-address-based authentication, this type of attack allows unauthorized users to access the system in the name of authorized users, or even to access the system as the administrator.
Figure 81 URPF work flow

URPF checks the source address validity and does the following:

1. URPF checks the source address:
• Discards packets with a broadcast source address.
• Discards packets with an all-zero source address but a non-broadcast destination address. (A packet with source address 0.0.0.0 and destination address 255.255.255.255 might be a DHCP or BOOTP packet, and it is not discarded.)
• For other packets, proceed to Step 2.

2. URPF checks whether the source address matches a FIB entry:
• If it does, proceed to Step 3.
• If it does not, proceed to Step 6.

3. URPF checks whether the check mode is loose:
• If it is, proceed to Step 8.
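The URPF decision procedure above, as an added worked example in Python that is not part of the HP guide or the switch software. It implements the steps the page shows (broadcast source, all-zero source with the DHCP/BOOTP exception, FIB lookup, loose versus strict mode) over a constructed FIB with longest-prefix matching. The page does not show the later steps it refers to, so the example fills them with the standard URPF semantics as an assumption: in loose mode any matching route is enough, and in strict mode the route's outbound interface must be the interface the packet arrived on. The prefixes and interface names are constructed.

```python
import ipaddress
from typing import List, Optional, Tuple

BROADCAST = ipaddress.IPv4Address("255.255.255.255")
UNSPECIFIED = ipaddress.IPv4Address("0.0.0.0")


class Fib:
    """Minimal forwarding table: longest-prefix match returning the outbound interface."""

    def __init__(self, routes: List[Tuple[str, str]]):
        self.routes = [(ipaddress.IPv4Network(prefix), iface) for prefix, iface in routes]

    def lookup(self, addr: ipaddress.IPv4Address) -> Optional[str]:
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None


# Constructed FIB for a router with three connected networks (no default route,
# whose interaction with URPF the page does not discuss).
SAMPLE_FIB = Fib([
    ("10.1.1.0/24", "GE1/0/1"),
    ("192.168.0.0/16", "GE1/0/2"),
    ("192.168.7.0/24", "GE1/0/3"),  # more specific than the /16 above
])


def urpf_check(src: str, dst: str, in_iface: str, fib: Fib = SAMPLE_FIB,
               mode: str = "strict") -> str:
    """Return "forward" or "drop:<reason>" for a packet received on in_iface."""
    if mode not in ("loose", "strict"):
        raise ValueError("mode must be loose or strict")
    src_ip = ipaddress.IPv4Address(src)
    dst_ip = ipaddress.IPv4Address(dst)

    # Step 1: source address validity.
    if src_ip == BROADCAST:
        return "drop:broadcast-source"
    if src_ip == UNSPECIFIED:
        if dst_ip != BROADCAST:
            return "drop:zero-source"
        return "forward"  # 0.0.0.0 -> 255.255.255.255 may be DHCP/BOOTP, not discarded

    # Step 2: does the source address match a FIB entry?
    out_iface = fib.lookup(src_ip)
    if out_iface is None:
        return "drop:no-route"  # assumption: the page's Step 6 ends in a discard

    # Step 3: loose mode is satisfied by any matching route (assumed Step 8: forward).
    if mode == "loose":
        return "forward"

    # Strict mode (assumption): the reverse path must leave via the receiving interface.
    if out_iface == in_iface:
        return "forward"
    return "drop:interface-mismatch"


if __name__ == "__main__":
    # A packet from 10.1.1.6 arriving on GE1/0/2 claims a source that lives behind GE1/0/1.
    print(urpf_check("10.1.1.6", "192.168.1.1", "GE1/0/2"))                 # drop:interface-mismatch
    print(urpf_check("10.1.1.6", "192.168.1.1", "GE1/0/2", mode="loose"))   # forward
    print(urpf_check("172.16.0.1", "10.1.1.1", "GE1/0/1", mode="loose"))    # drop:no-route
```

The loose/strict difference is visible in the first two calls: the same spoofed-looking packet is dropped by strict mode because the return path does not match the arrival interface, but accepted by loose mode because a route to the source exists somewhere. Loose mode is the one to use on interfaces where asymmetric routing is expected.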
ip urpf { loose | strict }    Disabled by default.

The routing table size decreases by half when URPF is enabled on the HP A5830 switches. To prevent loss of routes and packets, URPF cannot be enabled if the number of route entries the switch maintains exceeds half the routing table size.
Figure 83 Network diagram for URPF configuration

Configuration procedure

Configure Switch A.
# Enable strict URPF check.
<SwitchA> system-view
[SwitchA] ip urpf strict

Configure Switch B.
# Enable strict URPF check.
<SwitchB> system-view
[SwitchB] ip urpf strict
...
Related information

Documents

To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals

• For related documentation, navigate to the Networking section, and select a networking category.
...
Conventions

This section describes the conventions used in this documentation set.

Command conventions

Convention          Description
Boldface            Bold text represents commands and keywords that you enter literally as shown.
Italic              Italic text represents arguments that you replace with actual values.
[ ]                 Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ...       Braces enclose a set of required syntax choices separated by vertical bars, from which ...
Network topology icons

• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.