Page of 424
Download Table of ContentsContents Print This PagePrint Bookmark
   
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424
HP 5920 & 5900 Switch Series
Security
Part number: 5998-5310a
Software version: Release 23xx
Document version: 6W101-20150320

Advertising

   Summary of Contents for HP 5920 Series

  • Page 1: Configuration Guide

    HP 5920 & 5900 Switch Series Security Configuration Guide Part number: 5998-5310a Software version: Release 23xx Document version: 6W101-20150320...

  • Page 2

    The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.

  • Page 3: Table Of Contents

    Contents Configuring AAA ························································································································································· 1   Overview ············································································································································································ 1   RADIUS ······································································································································································ 2   HWTACACS ····························································································································································· 7   LDAP ·········································································································································································· 9   AAA implementation on the device ····················································································································· 11   AAA for MPLS L3VPNs ········································································································································· 13   Protocols and standards ······································································································································· 14  ...

  • Page 4: Table Of Contents

    EAP relay ································································································································································ 67   EAP termination ····················································································································································· 68   Configuring 802.1X ·················································································································································· 70   HP implementation of 802.1X ······································································································································ 70   Configuration prerequisites ··········································································································································· 70   802.1X configuration task list ······································································································································· 70   Enabling 802.1X ···························································································································································· 71   Enabling EAP relay or EAP termination ······················································································································· 71  ...

  • Page 5: Table Of Contents

    Configuration restrictions and guidelines ··········································································································· 96   Configuration procedure ······································································································································ 96   Referencing a portal Web server for an interface ······································································································ 96   Controlling portal user access ······································································································································ 97   Configuring a portal-free rule······························································································································· 97   Configuring an authentication source subnet ····································································································· 98  ...

  • Page 6: Table Of Contents

    macAddressElseUserLoginSecure configuration example ··············································································· 159   Troubleshooting port security ······································································································································ 162   Cannot set the port security mode ····················································································································· 162   Cannot configure secure MAC addresses ········································································································ 163   Configuring password control ································································································································ 164   Overview ······································································································································································· 164   Password setting ·················································································································································· 164  ...

  • Page 7: Table Of Contents

    Configuration guidelines ···································································································································· 192   Configuring automatic certificate request ········································································································· 192   Manually requesting a certificate ······················································································································ 193   Aborting a certificate request ····································································································································· 194   Obtaining certificates ·················································································································································· 194   Configuration prerequisites ································································································································ 194   Configuration guidelines ···································································································································· 194  ...

  • Page 8: Table Of Contents

    Configuring a manual IPsec profile ··················································································································· 238   Configuring SNMP notifications for IPsec ················································································································· 240   Displaying and maintaining IPsec ······························································································································ 240   IPsec configuration examples······································································································································ 241   Configuring a manual mode IPsec tunnel for IPv4 packets ············································································ 241   Configuring an IKE-based IPsec tunnel for IPv4 packets ·················································································...

  • Page 9: Table Of Contents

    Configuring the device as an SFTP client ·················································································································· 281   SFTP client configuration task list ······················································································································· 281   Specifying the source IP address for SFTP packets ·························································································· 281   Establishing a connection to an SFTP server ···································································································· 281   Working with SFTP directories ··························································································································· 283  ...

  • Page 10: Table Of Contents

    Configuring unresolvable IP attack protection ·········································································································· 326   Configuring ARP source suppression ················································································································ 327   Configuring ARP blackhole routing ··················································································································· 327   Displaying and maintaining unresolvable IP attack protection ······································································ 328   Configuration example ······································································································································· 328   Configuring ARP packet rate limit ······························································································································ 329  ...

  • Page 11: Table Of Contents

    uRPF operation ····················································································································································· 353   Network application ··········································································································································· 356   Configuring uRPF·························································································································································· 356   Displaying and maintaining uRPF ······························································································································ 357   uRPF configuration example········································································································································ 357   Configuring crypto engines ···································································································································· 358   Overview ······································································································································································· 358   Displaying and maintaining crypto engines ············································································································· 358  ...

  • Page 12: Configuring Aaa

    Configuring AAA Overview Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. AAA specifies the following security functions: • Authentication—Identifies users and verifies their validity. Authorization—Grants different users different rights and controls their access to resources and •...

  • Page 13: Radius

    The device performs dynamic password authentication. RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access. The RADIUS authorization process is combined with the RADIUS authentication process, and user authorization information is piggybacked in authentication responses.

  • Page 14

    Basic RADIUS packet exchange process Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server. Figure 3 Basic RADIUS packet exchange process RADIUS uses in the following workflow: The host sends a connection request that includes the user's username and password to the RADIUS client.

  • Page 15

    RADIUS packet format RADIUS uses UDP to transmit packets. To ensure smooth packet exchange between the RADIUS server and the client, RADIUS uses a series of mechanisms, including the timer mechanism, the retransmission mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet format.

  • Page 16

    The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS server and • to encrypt user passwords. There are two types of authenticators: request authenticator and response authenticator. • The Attributes field (variable in length) includes specific authentication, authorization, and accounting information.

  • Page 17

    Vendor-ID—ID of the vendor. Its most significant byte is 0; the other three bytes contains a code • compliant to RFC 1700. • Vendor-Type—Type of the sub-attribute. Vendor-Length—Length of the sub-attribute. • Vendor-Data—Contents of the sub-attribute. • For more information about the proprietary RADIUS sub-attributes of HP, see "HP proprietary RADIUS sub-attributes."...

  • Page 18: Hwtacacs

    Figure 5 Format of attribute 26 HWTACACS HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for PPP, VPDN, and terminal users.

  • Page 19

    Figure 6 Basic HWTACACS packet exchange process for a Telnet user Host HWTACACS client HWTACACS server 1) The user tries to log in 2) Start-authentication packet 3) Authentication response requesting the username 4) Request for username 5) The user enters the username 6) Continue-authentication packet with the username 7) Authentication response requesting the password 8) Request for password...

  • Page 20: Ldap

    The user enters the password. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication. The HWTACACS client sends a user authorization request packet to the HWTACACS server.

  • Page 21

    The search operation constructs search conditions and obtains the directory resource information of • the LDAP server. In LDAP authentication, the client completes the following operations: Uses the LDAP server administrator DN to bind with the LDAP server. After the binding is created, the client establishes a connection to the server and obtains the right to search.

  • Page 22: Aaa Implementation On The Device

    To obtain the right to search, the LDAP client uses the administrator DN and password to send an administrator bind request to the LDAP server. The LDAP server processes the request. If the bind operation is successful, the LDAP server sends an acknowledgment to the LDAP client.

  • Page 23

    Login—Login users include SSH, Telnet, FTP, and terminal users who log in to the device. Terminal • users can access through console ports. Portal—Portal users must pass portal authentication to access the network. • Web—Web users log in to the Web interface of the device through HTTP or HTTPS. •...

  • Page 24: Aaa For Mpls L3vpns

    No accounting—The NAS does not perform accounting for the users. • • Local accounting—Local accounting is implemented on the NAS. It counts and controls the number of concurrent users who use the same local user account, but does not provide statistics for charging.

  • Page 25: Protocols And Standards

    Protocols and standards The following protocols and standards are related to AAA, RADIUS, HWTACACS, and LDAP: • RFC 2865, Remote Authentication Dial In User Service (RADIUS) RFC 2866, RADIUS Accounting • RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support •...

  • Page 26

    Maximum idle time permitted for the user before termination of the session. User identification that the NAS sends to the server. For the LAN access Calling-Station-Id service provided by an HP device, this attribute includes the MAC address of the user in the format HHHH-HHHH-HHHH. NAS-Identifier Identification that the NAS uses to identify itself to the RADIUS server.

  • Page 27

    Sub-attribute Description Output-Peak-Rate Peak rate in the direction from the NAS to the user, in bps. Output-Average-Rate Average rate in the direction from the NAS to the user, in bps. Output-Basic-Rate Basic rate in the direction from the NAS to the user, in bps. Total remaining available traffic for the connection, in different units for Remanent_Volume different server types.

  • Page 28: Fips Compliance

    Sub-attribute Description Number of packets input within an accounting interval in the unit set on Input-Interval-Packets the NAS. Number of packets output within an accounting interval in the unit set on Output-Interval-Packets the NAS. Input-Interval-Gigawords Amount of bytes input within an accounting interval, in units of 4G bytes. Amount of bytes output within an accounting interval, in units of 4G Output-Interval-Gigawords bytes.

  • Page 29: Configuring Aaa Schemes

    To configure AAA, perform the following tasks: Tasks at a glance (Required.) Perform at least one of the following tasks to configure local users or AAA schemes: • Configuring local users • Configuring RADIUS schemes • Configuring HWTACACS schemes • Configuring LDAP schemes (Required.) Configure AAA methods for ISP domains: (Required.)

  • Page 30

    User group—Each local user belongs to a local user group and has all attributes of the group, such • as the password control attributes and authorization attributes. For more information about local user group, see "Configuring user group attributes." Binding attributes—Binding attributes control the scope of users, and are checked during local •...

  • Page 31

    For other types of local users, no authorization attributes are effective. To configure local user attributes: Step Command Remarks Enter system view. system-view Add a local user and enter local-user user-name [ class By default, no local user exists. local user view. { manage | network } ] Network access user passwords are encrypted with the encryption...

  • Page 32: Configuring User Group Attributes

    Step Command Remarks By default, no binding attribute is configured for a local user. bind-attribute { ip ip-address | (Optional.) Configure Binding attribute ip applies only to location interface interface-type binding attributes for the LAN users using 802.1X. interface-number | mac local user.

  • Page 33: Configuring Radius Schemes

    To configure user group attributes: Step Command Remarks Enter system view. system-view By default, there is a Create a user group and system-defined user group named user-group group-name enter its view. system, which is the default user group. authorization-attribute { acl By default, no authorization Configure authorization acl-number | vlan vlan-id |...

  • Page 34

    Configuration task list Tasks at a glance (Required.) Creating a RADIUS scheme (Required.) Specifying the RADIUS authentication servers (Optional.) Specifying the RADIUS accounting servers and the relevant parameters (Optional.) Specifying the shared keys for secure RADIUS communication (Optional.) Specifying a VPN for the scheme (Optional.) Setting the username format and traffic statistics units (Optional.)

  • Page 35

    You can specify one primary authentication server and up to 16 secondary authentication servers for a RADIUS scheme. When the primary server is not available, the device tries to communicate with the secondary servers in the order they are configured, and communicates with the first secondary server in active state.

  • Page 36

    Configure hostname-to-IP address mappings for the VPN by using the ip host or ipv6 host • command. Configure a DNS server for the VPN by using the dns server or ipv6 dns server command. • For more information about these commands, see Layer 3—IP Services Command Reference. To specify RADIUS accounting servers and the relevant parameters for a RADIUS scheme: Step Command...

  • Page 37

    Specifying a VPN for the scheme The VPN specified for a RADIUS scheme applies to all authentication and accounting servers in that scheme. If a VPN is also configured for an individual RADIUS server, the VPN specified for the RADIUS scheme does not take effect on that server.

  • Page 38

    Step Command Remarks data-flow-format { data { byte | (Optional.) Set the data flow giga-byte | kilo-byte | By default, traffic is counted in and packet measurement mega-byte } | packet bytes and packets. units for traffic statistics. { giga-packet | kilo-packet | mega-packet | one-packet } }* Setting the maximum number of RADIUS request transmission attempts RADIUS uses UDP packets to transfer data.

  • Page 39

    When you remove a server in use, communication with the server times out. The device looks for a • server in active state by first checking the primary server, and then checking secondary servers in the order they are configured. •...

  • Page 40

    You can specify a source IP address for outgoing RADIUS packets in RADIUS scheme view for a specific RADIUS scheme, or in system view for all RADIUS schemes whose servers are in a VPN or the public network. Before sending a RADIUS packet, the NAS selects a source IP address in the following order: The source IP address specified for the RADIUS scheme.

  • Page 41

    When a number of secondary servers are configured, the client connections of access modules that • have a short client connection timeout period might still be timed out during initial authentication or accounting, even if the packet transmission attempt limit and server response timeout period are configured with small values.

  • Page 42

    The security policy server is the management and control center of the HP EAD solution. To implement all EAD functions, configure both the IP address of the security policy server and that of the IMC Platform on the NAS. To configure the IP address of a security policy server for a scheme:...

  • Page 43: Configuring Hwtacacs Schemes

    You can configure SNMP parameters to control the output of these SNMP notifications. For more information, see Network Management and Monitoring Configuration Guide. To enable SNMP notifications for RADIUS: Step Command Remarks Enter system view. system-view snmp-agent trap enable radius [ accounting-server-down | By default, all types of SNMP Enable SNMP notifications for...

  • Page 44

    To create an HWTACACS scheme: Step Command Remarks Enter system view. system-view Create an HWTACACS hwtacacs scheme By default, no HWTACACS scheme and enter its view. hwtacacs-scheme-name scheme is defined. Specifying the HWTACACS authentication servers You can specify one primary authentication server and up to 16 secondary authentication servers for an HWTACACS scheme.

  • Page 45

    function as the primary authorization server of one scheme and as the secondary authorization server of another scheme at the same time. To specify an HWTACACS server by hostname in an MPLS VPN network, first complete one of the following tasks on the device: Configure hostname-to-IP address mappings for the VPN by using the ip host or ipv6 host •...

  • Page 46

    Step Command Remarks Enter system view. system-view Enter HWTACACS hwtacacs scheme scheme view. hwtacacs-scheme-name • Specify the primary HWTACACS accounting server: By default, no accounting server is primary accounting { host-name | specified. ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | The host-name argument is simple } string | single-connection | available in Release 2310 and...

  • Page 47

    Step Command Remarks Enter HWTACACS scheme hwtacacs scheme view. hwtacacs-scheme-name By default, an HWTACACS Specify a VPN for the vpn-instance vpn-instance-name scheme belongs to the public HWTACACS scheme. network. Setting the username format and traffic statistics units A username is typically in the userid@isp-name format, where isp-name represents the user's ISP domain name.

  • Page 48

    The source IP address specified in system view for the VPN or public network, depending on where the HWTACACS server resides. The IP address of the outbound interface specified by the route. To specify a source IP address for all HWTACACS schemes of a VPN or the public network: Step Command Remarks...

  • Page 49

    If the secondary server is unreachable, the device does the following: • Changes the server's status to blocked. Starts a quiet timer for the server. Tries to communicate with the next secondary server in active state that has the highest priority. •...

  • Page 50: Configuring Ldap Schemes

    Configuring LDAP schemes Configuration task list Tasks at a glance Configuring an LDAP server: • (Required.) Creating an LDAP server • (Required.) Configuring the IP address of the LDAP server • (Optional.) Specifying the LDAP version • (Optional.) Setting the LDAP server timeout period •...

  • Page 51

    Step Command Remarks By default, LDAPv3 is used. Specify the LDAP version. protocol-version { v2 | v3 } A Microsoft LDAP server supports only LDAPv3. Setting the LDAP server timeout period If the device sends a bind or search request to an LDAP server but does not receive a response from the server within the LDAP server timeout period, the device considers that the authentication or authorization request has timed out and tries the backup authentication or authorization method.

  • Page 52

    User object class • If the LDAP server contains many directory levels, a user DN search starting from the root directory can take a long time. To improve efficiency, you can change the start point by specifying the search base DN. To configure LDAP user attributes: Step Command...

  • Page 53: Configuring Aaa Methods For Isp Domains

    Task Command Display the configuration of LDAP schemes. display ldap scheme [ scheme-name ] Configuring AAA methods for ISP domains You configure AAA methods for an ISP domain by referencing configured AAA schemes in ISP domain view. Each ISP domain has a set of system-defined AAA methods, which are local authentication, local authorization, and local accounting.

  • Page 54: Configuring Isp Domain Attributes

    Configuring ISP domain attributes In an ISP domain, you can configure the domain status. By placing the ISP domain in active or blocked state, you allow or deny network service requests from users in the domain. To configure ISP domain attributes: Step Command Remarks...

  • Page 55: Configuring Authorization Methods For An Isp Domain

    Step Command Remarks authentication default { hwtacacs-scheme By default, the default hwtacacs-scheme-name [ radius-scheme authentication method is Specify the default radius-scheme-name ] [ local ] [ none ] | local. authentication method for ldap-scheme ldap-scheme-name [ local ] all types of users. [ none ] | local [ none ] | none | radius-scheme The none keyword is not radius-scheme-name [ hwtacacs-scheme...

  • Page 56: Configuring Accounting Methods For An Isp Domain

    Configuration procedure To configure authorization methods for an ISP domain: Step Command Remarks Enter system view. system-view Enter ISP domain view. domain isp-name authorization default { hwtacacs-scheme By default, the authorization hwtacacs-scheme-name [ radius-scheme Specify the default method is local. radius-scheme-name ] [ local ] [ none ] | authorization method for local [ none ] | none | radius-scheme...

  • Page 57: Enabling The Session-control Feature

    Local accounting does not provide statistics for charging. It only counts and controls the number of • concurrent users who use the same local user account. The threshold is configured by using the access-limit command. Configuration procedure To configure accounting methods for an ISP domain: Step Command Remarks...

  • Page 58: Setting The Maximum Number Of Concurrent Login Users

    Setting the maximum number of concurrent login users Perform this task to set the maximum number of concurrent users who can log on to the device through a specific protocol, regardless of their authentication methods: no authentication, local authentication, or remote authentication.

  • Page 59

    Figure 11 Network diagram Configuration procedure Configure the HWTACACS server: # Set the shared keys for secure communication with the switch to expert. (Details not shown.) # Add an account named hello for the SSH user, and specify the password. (Details not shown.) Configure the switch: # Assign IP addresses to the interfaces.

  • Page 60: Local Authentication, Hwtacacs Authorization, And Radius Accounting For Ssh Users

    # Enable scheme authentication for user lines VTY 0 through VTY 63. [Switch] line vty 0 63 [Switch-line-vty0-63] authentication-mode scheme [Switch-line-vty0-63] quit # Enable the default user role feature to assign authenticated SSH users the default user role network-operator. [Switch] role default-role enable Verifying the configuration # Initiate an SSH connection to the switch, and enter the username hello@bbb and the password.

  • Page 61

    # Create local RSA and DSA key pairs. <Switch> system-view [Switch] public-key local create rsa [Switch] public-key local create dsa # Enable the SSH service. [Switch] ssh server enable # Enable scheme authentication for user lines VTY 0 through VTY 63. [Switch] line vty 0 63 [Switch-line-vty0-63] authentication-mode scheme [Switch-line-vty0-63] quit...

  • Page 62: Authentication And Authorization For Ssh Users By A Radius Server

    Set the ports for authentication and accounting to 1812 and 1813, respectively. Select the service type Device Management Service. Select the access device type HP. Select the access device from the device list or manually add the access device (with the IP address 10.1.1.2).

  • Page 63

    The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the switch. The source IP address is chosen in the following order on the switch: IP address specified by the nas-ip command. IP address specified by the radius nas-ip command.

  • Page 64

    Figure 15 Adding an account for device management Configure the switch: # Assign an IP address to VLAN-interface 2, the SSH user access interface. <Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 [Switch-Vlan-interface2] quit # Assign an IP address to VLAN-interface 3, through which the switch communicates with the server.

  • Page 65: Authentication For Ssh Users By An Ldap Server

    # Create a RADIUS scheme. [Switch] radius scheme rad # Specify the primary authentication server. [Switch-radius-rad] primary authentication 10.1.1.1 1812 # Set the shared key for secure communication with the server to expert in plain text. [Switch-radius-rad] key authentication simple expert # Include the domain names in usernames sent to the RADIUS server.

  • Page 66

    Configuration procedure Configure the LDAP server: NOTE: In this example, the LDAP server runs Microsoft Windows 2003 Server Active Directory. # Add a user named aaa and set the password to ldap!123456. On the LDAP server, select Start > Control Panel > Administrative Tools. Double-click Active Directory Users and Computers.

  • Page 67

    Figure 18 Setting the user's password Click OK. # Add user aaa to group Users. From the navigation tree, click Users under the ldap.com node. On the right pane, right-click aaa and select Properties. In the dialog box, click the Member Of tab and click Add.

  • Page 68

    Figure 19 Modifying user properties In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK. User aaa is added to group Users. Figure 20 Adding user aaa to group Users # Set the administrator password to admin!123456.

  • Page 69

    # Assign an IP address to VLAN-interface 2, the SSH user access interface. <Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 24 [Switch-Vlan-interface2] quit # Assign an IP address to VLAN-interface 3, through which the switch communicates with the server.

  • Page 70: Troubleshooting Radius

    Verifying the configuration # Initiate an SSH connection to the switch, and enter the username aaa@bbb and password ldap!123456. The user logs in to the switch. (Details not shown.) # Verify that the user can use the commands permitted by the network-operator user role. (Details not shown.) Troubleshooting RADIUS RADIUS authentication failure...

  • Page 71: Radius Accounting Error

    Solution Check that: • The link between the NAS and the RADIUS server work well at both the physical and data link layers. The IP address of the RADIUS server is correctly configured on the NAS. • The authentication and accounting UDP port numbers configured on the NAS are the same as those •...

  • Page 72

    The administrator DN or password is not configured. • • Some user attributes (for example, the username attribute) configured on the NAS are not consistent with those configured on the server. No user search base DN is specified for the LDAP scheme. •...

  • Page 73: X Overview

    802.1X overview 802.1X is a port-based network access control protocol initially proposed for securing WLANs. It has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports. 802.1X architecture 802.1X operates in the client/server model.

  • Page 74: X-related Protocols

    Performs unidirectional traffic control to deny traffic from the client. The HP devices support − only unidirectional traffic control. Figure 22 Authorization state of a controlled port 802.1X-related protocols 802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the network access device, and the authentication server.

  • Page 75: Eap Over Radius

    Protocol version—The EAPOL protocol version used by the EAPOL packet sender. • • Type—Type of the EAPOL packet. Table 4 lists the types of EAPOL packets supported by HP implementation of 802.1X. Table 4 Types of EAPOL packets Value Type...

  • Page 76: X Authentication Initiation

    01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client and the authentication server does not support the multicast address, you must use an 802.1X client (for example, the HP iNode 802.1X client) that can send broadcast EAPOL-Start packets. Access device as the initiator The access device initiates authentication, if a client cannot send EAPOL-Start packets.

  • Page 77: X Authentication Procedures

    period of time. This process continues until the maximum number of request attempts set by using the dot1x retry command is reached. The username request timeout timer sets both the identity request interval for the multicast trigger and the identity request timeout interval for the unicast trigger. 802.1X authentication procedures 802.1X authentication has two methods: EAP relay and EAP termination.

  • Page 78: Eap Relay

    Limitations • Supports only MD5-Challenge EAP authentication and the "username + password" EAP authentication Works with any RADIUS server that initiated by an HP iNode 802.1X EAP termination supports PAP or CHAP client. authentication. • The processing is complex on the network access device.

  • Page 79: Eap Termination

    In response to the Identity EAP-Request packet, the client sends the username in an Identity EAP-Response packet to the network access device. The network access device relays the Identity EAP-Response packet in a RADIUS Access-Request packet to the authentication server. The authentication server uses the identity information in the RADIUS Access-Request to search its user database.

  • Page 80

    Figure 30 802.1X authentication procedure in EAP termination mode In EAP termination mode, the network access device rather than the authentication server generates an MD5 challenge for password encryption. The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.

  • Page 81: Configuring 802.1x

    Configuring 802.1X This chapter describes how to configure 802.1X on an HP device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network that requires different authentication methods for different users on a port. It is described in "Configuring port...

  • Page 82: Enabling 802.1x

    If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an HP iNode 802.1X client, you can use both EAP termination and EAP relay. To use EAP-TL, PEAP, or any other EAP authentication methods, you must use EAP relay. When you make your decision, see "Comparing EAP relay and EAP...

  • Page 83: Setting The Port Authorization State

    NOTE: If EAP relay mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. The access device sends the authentication data from the client to the server without any modification. Setting the port authorization state The port authorization state determines whether the client is granted access to the network.

  • Page 84: Setting The Maximum Number Of Authentication Request Attempts

    Step Command Remarks Enter system view. system-view Enter Layer 2 Ethernet interface interface-type interface view. interface-number Set the maximum number of By default, the maximum concurrent 802.1X users on a dot1x max-user user-number number of concurrent 802.1X port. users on a port is 2048. Setting the maximum number of authentication request attempts The network access device retransmits an authentication request if it receives no response to the request...

  • Page 85: Configuring The Online User Handshake Feature

    Step Command Remarks Set the server timeout dot1x timer server-timeout The default is 100 seconds. timer. server-timeout-value Configuring the online user handshake feature The online user handshake feature checks the connectivity status of online 802.1X users. The network access device sends handshake messages to online users at the interval specified by the dot1x timer handshake-period command.

  • Page 86: Specifying A Mandatory Authentication Domain On A Port

    Step Command Remarks Enter system view. system-view (Optional.) Set the username dot1x timer tx-period The default is 30 seconds. request timeout timer. tx-period-value Enter Layer 2 Ethernet interface interface-type interface view. interface-number By default, the multicast trigger is Enable an authentication dot1x { multicast-trigger | enabled, and the unicast trigger is trigger.

  • Page 87: Enabling The Periodic Online User Reauthentication Feature

    Enabling the periodic online user reauthentication feature Periodic online user reauthentication tracks the connection status of online users, and updates the authorization attributes assigned by the server. The reauthentication interval is user configurable. The periodic online user reauthentication timer can also be set by the authentication server in the session-timeout attribute.

  • Page 88: Configuration Procedure

    192.168.1.2/24 Configuration procedure Configure the 802.1X client. If HP iNode is used, do not select the Carry version info option in the client configuration. (Details not shown.) Configure the RADIUS servers and add user accounts for the 802.1X users. (Details not shown.) For information about the RADIUS commands used on the access device in this example, see Security Command Reference.

  • Page 89: Verifying The Configuration

    # Specify the shared key between the access device and the authentication server. [Device-radius-radius1] key authentication simple name # Specify the shared key between the access device and the accounting server. [Device-radius-radius1] key accounting simple money # Exclude the ISP domain name from the usernames sent to the RADIUS servers. [Device-radius-radius1] user-name-format without-domain [Device-radius-radius1] quit NOTE:...

  • Page 90: Configuring Mac Authentication

    Configuring MAC authentication Overview MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software, and users do not have to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port.

  • Page 91: Configuration Prerequisites

    For more information about configuring local authentication and RADIUS authentication, see "Configuring AAA." Configuration prerequisites Before you configure MAC authentication, complete the following tasks: Configure an ISP domain and specify an AAA method. For more information, see "Configuring AAA." For local authentication, you must also create local user accounts (including usernames and passwords), and specify the lan-access service for local users.

  • Page 92: Specifying A Mac Authentication Domain

    Step Command Remarks Enter Layer 2 Ethernet interface interface interface-type view. interface-number Enable MAC authentication on By default, MAC authentication is mac-authentication the port. disabled on a port. Specifying a MAC authentication domain By default, MAC authentication users are in the system default authentication domain. To implement different access policies for users, you can specify authentication domains for MAC authentication users in the following ways: Specify a global authentication domain in system view.

  • Page 93: Configuring Mac Authentication Timers

    Step Command Remarks • Use one MAC-based user account for each user: mac-authentication Use either method. user-name-format mac-address By default, the device uses the [ { with-hyphen | without-hyphen } Configure the MAC MAC address of a user as the [ lowercase | uppercase ] ] authentication user username and password for...

  • Page 94: Configuring Mac Authentication Delay

    Step Command Remarks Enter system view. system-view Enter Layer 2 Ethernet interface interface interface-type view. interface-number By default, the maximum number Set the maximum number of mac-authentication max-user of concurrent MAC concurrent MAC authentication user-number authentication users on a port is users on the port 2048.

  • Page 95: Mac Authentication Configuration Examples

    MAC authentication configuration examples Local MAC authentication configuration example Network requirements As shown in Figure 32, configure local MAC authentication on Ten-GigabitEthernet 1/0/1 to control Internet access of users on the hosts, as follows: Configure the device to detect whether a user has gone offline every 180 seconds, and if a user fails •...

  • Page 96: Radius-based Mac Authentication Configuration Example

    [Device] mac-authentication timer quiet 180 # Configure MAC authentication to use MAC-based accounts. The MAC address usernames and passwords are hyphenated and in lower case. [Device] mac-authentication user-name-format mac-address with-hyphen lowercase # Enable MAC authentication globally. [Device] mac-authentication Verifying the configuration # Display MAC authentication settings and statistics.

  • Page 97

    Configure all users to belong to the ISP domain bbb. • • Use a shared user account for all users, with the username aaa and password 123456. Figure 33 Network diagram Configuration procedure Make sure the RADIUS server and the access device can reach each other. Create a shared account for MAC authentication users on the RADIUS server, and set the username aaa and password 123456 for the account.

  • Page 98

    # Enable MAC authentication globally. [Device] mac-authentication Verifying the configuration # Display MAC authentication settings and statistics. [Device] display mac-authentication MAC authentication is enabled User name format is fixed account Fixed username: aaa Fixed password: ****** Offline detect period is 180s Quiet period is 180s Server response timeout value is 100s Max number of users is 2048 per slot...

  • Page 99: Configuring Portal Authentication

    Resource access restriction—Allows an authenticated user to access certain network resources such • as the virus server and the patch server. Users can access more Internet resources after passing security check. Security check must cooperate with the HP IMC security policy server and the iNode client.

  • Page 100: Portal System Components

    Portal system components A typical portal system consists of these basic components: authentication client, access device, portal authentication server, portal Web server, AAA server, and security policy server. Figure 34 Portal system components Portal authentication server Authentication client Portal Web server Authentication client Access device AAA server...

  • Page 101: Interaction Between Portal System Components

    Web server. The user can also visit the authentication website to log in. The user must log in through the HP iNode client for extended portal functions. The user enters the authentication information on the authentication page/dialog box and submits the information.

  • Page 102: Portal Authentication Process

    Re-DHCP authentication saves public IP addresses. For example, an ISP can allocate public IP addresses to broadband users only when they access networks beyond the residential community network. Only the HP iNode client supports re-DHCP authentication. IPv6 portal authentication does not support the re-DHCP authentication mode. Cross-subnet authentication Cross-subnet authentication is similar to direct authentication, except it allows Layer 3 forwarding devices to exist between the authentication client and the access device.

  • Page 103

    The portal authentication server and the access device exchange CHAP messages. This step is skipped for PAP authentication. The portal authentication server decides the method (CHAP or PAP) to use. The portal authentication server adds the username and password into an authentication request packet and sends it to the access device.

  • Page 104: Portal Configuration Task List

    After receiving the authentication success packet, the client obtains a public IP address through DHCP. The client then notifies the portal authentication server that it has a public IP address. The portal authentication server notifies the access device that the client has obtained a public IP address.

  • Page 105

    Configuration prerequisites The portal feature provides a solution for user identity authentication and security check. To complete user identity authentication, portal must cooperate with RADIUS. The prerequisites for portal authentication configuration are as follows: The portal authentication server, portal Web server, and RADIUS server have been installed and •...

  • Page 106: Configuring A Portal Web Server

    Step Command Remarks • To specify an IPv4 portal server: Specify an IPv4 portal ip ipv4-address [ vpn-instance authentication server, an IPv6 vpn-instance-name] [ key { cipher | authentication portal server, or Specify the IP address of simple } key-string ] both.

  • Page 107: Configuration Restrictions And Guidelines

    With re-DHCP portal authentication, HP recommends that you also configure authorized ARP on the • interface to make sure only valid users can access the network. With authorized ARP configured on the interface, the interface learns ARP entries only from the users who have obtained a public address from DHCP.

  • Page 108: Controlling Portal User Access

    An interface can reference both an IPv4 portal Web server and an IPv6 portal Web server. To reference a portal Web server for an interface: Step Command Remarks Enter system view. system-view The interface must be a Layer 3 Enter interface view. interface interface-type interface-number interface.

  • Page 109: Configuring An Authentication Source Subnet

    Step Command Remarks portal free-rule rule-number { destination ipv6 { ipv6-address prefix-length | any } [ tcp Configure an tcp-port-number | udp By default, no IPv6-based portal-free IPv6-based portal-free udp-port-number ] | source ipv6 rule exists. rule. { ipv6-address prefix-length | any } [ tcp tcp-port-number | udp udp-port-number ] } * To configure a source-based portal-free rule:...

  • Page 110: Configuring An Authentication Destination Subnet

    Step Command Remarks Enter system view. system-view interface interface-type Enter interface view. interface-number By default, no IPv4 portal portal layer3 source authentication source subnet is Configure an IPv4 portal ipv4-network-address configured, and users from any authentication source subnet. { mask-length | mask } subnets must pass portal authentication.

  • Page 111: Setting The Maximum Number Of Portal Users

    Step Command Remarks Enter system view. system-view Enter interface view. interface interface-type interface-number By default, no IPv6 portal Configure an IPv6 authentication destination subnet is portal ipv6 free-all except destination portal authentication configured, and users accessing any ipv6-network-address prefix-length destination subnet. subnets must pass portal authentication.

  • Page 112: Configuring Portal Detection Functions

    Step Command Remarks By default, no ISP domain is Specify an IPv4 portal portal domain domain-name specified for IPv4 portal users on authentication domain. the interface. To specify an IPv6 portal authentication domain: Step Command Remarks Enter system view. system-view Enter interface view.

  • Page 113: Configuring Portal Authentication Server Detection

    Step Command Remarks Enter system view. system-view Enter interface view. interface interface-type interface-number Configure online portal ipv6 user-detect type { icmpv6 | By default, this function is disabled detection of IPv6 nd } [ retry retries ] [ interval interval ] on the interface.

  • Page 114: Configuring Portal Web Server Detection

    Configuring portal Web server detection A portal authentication process cannot complete if the communication between the access device and the portal Web server is broken. To address this problem, you can enable portal Web server detection on the access device. With the portal Web server detection function, the access device simulates a Web access process to initiate a TCP connection to the portal Web server.

  • Page 115: Configuring The Portal Fail-permit Function

    Upon receiving the synchronization packet, the access device compares the users carried in the packet with its own user list. If a user contained in the packet does not exist on the access device, the access device informs the portal authentication server to delete the user. The access device starts the synchronization detection timer (timeout timeout) immediately when a user logs in.

  • Page 116: Configuring Bas-ip For Unsolicited Portal Packets Sent To The Portal Authentication Server

    Step Command Remarks Enable portal By default, portal fail-permit is portal [ ipv6 ] fail-permit server fail-permit for a portal disabled for a portal server-name authentication server. authentication server. Enable portal portal [ ipv6 ] apply web-server By default, portal fail-permit is fail-permit for a portal server-name fail-permit disabled for a portal Web server.

  • Page 117: Enabling Portal Roaming

    Enabling portal roaming Portal roaming takes effect only on portal users logging in from VLAN interfaces. If portal roaming is enabled on a VLAN interface, an online portal user can access resources from any Layer 2 port in the VLAN without re-authentication. If portal roaming is disabled, to access external network resources from a Layer 2 port different from the current access port in the VLAN, the user must do the following: First log out from the current port.

  • Page 118: Portal Configuration Examples

    Task Command Display portal Web server information. display portal web-server [ server-name ] Display packet statistics for portal authentication display portal packet statistics [ server server-name ] servers. display portal user { all | interface interface-type Display portal user information. interface-number } Clear packet statistics for portal authentication reset portal packet statistics [ server server-name ]...

  • Page 119

    Select Access Service > Portal Service Management > Server from the navigation tree to enter the portal server configuration page, as shown in Figure Configure the portal server parameters as needed. This example uses the default values. Click OK. Figure 38 Portal authentication server configuration Configure the IP address group: Select Access Service >...

  • Page 120

    Click Add to enter the page shown in Figure Enter the device name NAS. Enter the IP address of the switch's interface connected to the host. Enter the key, which must be the same as that configured on the switch. Set whether to enable IP address reallocation.

  • Page 121

    Figure 42 Port group configuration Enter the port group name. Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group. Click OK. Select Access Service > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations.

  • Page 122

    Figure 43 Portal server configuration Configure the IP address group: Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. Click Add to enter the page shown in Figure Enter the IP group name.

  • Page 123

    Add a portal device: Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Click Add to enter the page shown in Figure Enter the device name NAS. Enter the IP address of the switch's interface connected to the host. Enter the key, which must be the same as that configured on the switch.

  • Page 124

    Figure 46 Device list Figure 47 Adding a port group Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configuring the switch Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <Switch>...

  • Page 125

    [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1 [Switch-isp-dm1] quit # Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.

  • Page 126: Configuring Re-dhcp Portal Authentication

    Server name Action Layer3 source network: IP address Prefix length Destination authenticate subnet: IP address Prefix length A user can perform portal authentication by using the HP iNode client or through Web page. Before passing authentication, user access only authentication page http://192.168.0.1 1 1:8080/portal and all Web requests will be redirected to the authentication page.

  • Page 127

    Figure 48 Network diagram Portal Server 192.168.0.111/24 Vlan-int100 20.20.20.1/24 Vlan-int2 10.0.0.1/24 sub 192.168.0.100/24 DHCP server Host Switch 192.168.0.112/24 automatically obtains an IP address RADIUS server 192.168.0.113/24 Configuration prerequisites and guidelines Configure IP addresses for the switch and servers as shown in Figure 48 and make sure the host, •...

  • Page 128

    [Switch-radius-rs1] quit # Enable RADIUS session control. [Switch] radius session-control enable Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Switch] domain dm1 # Configure AAA methods for the ISP domain. [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1 [Switch-isp-dm1] quit...

  • Page 129

    Server name Action Layer3 source network: IP address Prefix length Destination authenticate subnet: IP address Prefix length A user can perform portal authentication by using the HP iNode client or through Web page. Before passing authentication, user access only authentication page http://192.168.0.1 1 1:8080/portal and all Web requests will be redirected to the authentication page.

  • Page 130: Configuring Cross-subnet Portal Authentication

    VPN instance: -- VLAN Interface 0015-e9a6-7cfe 20.20.20.2 Vlan-interface100 Configuring cross-subnet portal authentication Network requirements As shown in Figure 49, Switch A supports portal authentication. The host accesses Switch A through Switch B. A portal server serves as both a portal authentication server and a portal Web server. A RADIUS server serves as the authentication/accounting server.

  • Page 131

    # Exclude the ISP domain name from the username sent to the RADIUS server. [SwitchA-radius-rs1] user-name-format without-domain [SwitchA-radius-rs1] quit # Enable RADIUS session control. [SwitchA] radius session-control enable Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [SwitchA] domain dm1 # Configure AAA methods for the ISP domain.

  • Page 132

    Server name Action Layer3 source network: IP address Prefix length Destination authenticate subnet: IP address Prefix length A user can perform portal authentication by using the HP iNode client or through Web page. Before passing authentication, user access only authentication page http://192.168.0.1 1 1:8080/portal and all Web requests will be redirected to the authentication page.

  • Page 133: Configuring Extended Direct Portal Authentication

    Configuring extended direct portal authentication Network requirements As shown in Figure 50, the host is directly connected to the switch (the access device). The host is assigned with a public IP address either manually or through DHCP. A portal server serves as both a portal authentication server and a portal Web server.

  • Page 134

    # Enable RADIUS session control. [Switch] radius session-control enable Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Switch] domain dm1 # Configure AAA methods for the ISP domain. [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1 [Switch-isp-dm1] quit...

  • Page 135

    IP address Prefix length Before a user performs portal authentication by using the HP iNode client, the user can access only the authentication page http://192.168.0.1 1 1:8080/portal. All Web requests the user initiates will be redirected to the authentication page. If the user passes the authentication but fails the security check, the user can access only the resources that match ACL 3000.

  • Page 136: Configuring Extended Re-dhcp Portal Authentication

    VPN instance: -- VLAN Interface 0015-e9a6-7cfe 2.2.2.2 Vlan-interface100 Configuring extended re-DHCP portal authentication Network requirements As shown in Figure 51, the host is directly connected to the switch (the access device). The host obtains an IP address through the DHCP server. A portal server serves as both a portal authentication server and a portal Web server.

  • Page 137

    address group associated with the portal device is the private subnet 10.0.0.0/24 where the host resides. The public IP address range for the IP address group is the public subnet 20.20.20.0/24. Configuration procedure Perform the following tasks on the switch. Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view.

  • Page 138

    # Configure DHCP relay. [Switch] dhcp enable [Switch] dhcp relay client-information record [Switch] interface vlan-interface 100 [Switch–Vlan-interface100] ip address 20.20.20.1 255.255.255.0 [Switch–Vlan-interface100] ip address 10.0.0.1 255.255.255.0 sub [Switch-Vlan-interface100] dhcp select relay [Switch-Vlan-interface100] dhcp relay server-address 192.168.0.112 # Enable authorized ARP. [Switch-Vlan-interface100] arp authorized enable [Switch-Vlan-interface100] quit Configure portal authentication:...

  • Page 139: Configuring Extended Cross-subnet Portal Authentication

    IP address Prefix length Before a user performs portal authentication by using the HP iNode client, the user can access only the authentication page http://192.168.0.1 1 1:8080/portal. All Web requests the user initiates will be redirected to the authentication page. If the user passes the authentication but fails the security check, the user can access only the resources that match ACL 3000.

  • Page 140

    Figure 52 Network diagram Configuration prerequisites and guidelines Configure IP addresses for the switch and servers as shown in Figure 52 and make sure the host, • switch, and servers can reach each other. Configure the RADIUS server properly to provide authentication and accounting functions. •...

  • Page 141

    [SwitchA-isp-dm1] authorization portal radius-scheme rs1 [SwitchA-isp-dm1] accounting portal radius-scheme rs1 [SwitchA-isp-dm1] quit # Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.

  • Page 142

    IP address Prefix length Before a user performs portal authentication by using the HP iNode client, the user can access only the authentication page http://192.168.0.1 1 1:8080/portal. All Web requests the user initiates will be redirected to the authentication page. If the user passes the authentication but fails the security check, the user can access only the resources that match ACL 3000.

  • Page 143: Configuring Portal Server Detection And Portal User Synchronization

    Configuring portal server detection and portal user synchronization Network requirements As shown in Figure 53, the host is directly connected to the switch (the access device). The host is assigned with a public IP address either manually or through DHCP. A portal server serves as both a portal authentication server and a portal Web server.

  • Page 144

    Configuring the portal authentication server on IMC PLAT 3.20 This example assumes that the portal server runs on IMC PLAT 3.20-R2602P13 and IMC UAM 3.60-E6301. Configure the portal authentication server: Log in to IMC and click the Service tab. Select Access Service > Portal Service Management > Server from the navigation tree to enter the portal server configuration page, as shown in Figure Configure the portal server heartbeat interval and user heartbeat interval.

  • Page 145

    Figure 55 Adding an IP address group Add a portal device: Select Access Service > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Click Add to enter the page shown in Figure Enter the device name NAS.

  • Page 146

    Figure 57 Device list Click Add to enter the page shown in Figure Figure 58 Port group configuration Enter the port group name. Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group. User default values for other parameters.

  • Page 147

    Figure 59 Portal authentication server configuration Configure the IP address group: Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. Click Add to enter the page shown in Figure Enter the IP group name.

  • Page 148

    Add a portal device: Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Click Add to enter the page shown in Figure Enter the device name NAS. Enter the IP address of the switch's interface connected to the host. Enter the key, which must be the same as that configured on the switch.

  • Page 149

    Figure 62 Device list Figure 63 Adding a port group Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configuring the switch Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <Switch>...

  • Page 150

    [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1 [Switch-isp-dm1] quit # Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.

  • Page 151: Configuring Cross-subnet Portal Authentication For Mpls L3vpns

    Portal server: newpt : 192.168.0.111 VPN instance : Not configured Port : 50100 Server Detection : Timeout 40s Action: log User synchronization : Timeout 600s Status : Up The Up status of the portal authentication server indicates that the portal authentication server is reachable.

  • Page 152

    [SwitchA-radius-rs1] vpn-instance vpn3 # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers. [SwitchA-radius-rs1] primary authentication 192.168.0.111 [SwitchA-radius-rs1] primary accounting 192.168.0.111 [SwitchA-radius-rs1] key accounting simple radius [SwitchA-radius-rs1] key authentication simple radius # Exclude the ISP domain name from the username sent to the RADIUS server.

  • Page 153: Troubleshooting Portal

    [SwitchA–Vlan-interface3] portal bas-ip 3.3.0.3 [SwitchA–Vlan-interface3] quit Verifying the configuration Verify the portal configuration by executing the display portal interface command. After the user passes authentication, execute the display portal user command to display the portal user information. [SwitchA] display portal user all Total portal users: 1 Username: abc Portal server: newpt...

  • Page 154: Cannot Log Out Portal Users On The Radius Server

    Cannot log out portal users on the RADIUS server Symptom The access device uses the HP IMC server as the RADIUS server to perform identity authentication for portal users. You cannot log out the portal users on the RADIUS server.

  • Page 155: Re-dhcp Portal Authenticated Users Cannot Log In Successfully

    Solution Configure the BAS-IP or BAS-IPv6 attribute on the interface enabled with portal authentication. Make sure the attribute value is the same as the portal device IP address specified on the portal authentication server. Re-DHCP portal authenticated users cannot log in successfully Symptom The device performs re-DHCP portal authentication for users.

  • Page 156: Configuring Port Security

    This automatic mechanism enhances network security, and reduces human intervention. NOTE: For scenarios that require only 802.1X authentication or MAC authentication, HP recommends you use the 802.1X authentication or MAC authentication feature rather than port security. For more information about 802.1X and MAC authentication, see "Configuring...

  • Page 157

    Authentication—Security modes in this category implement MAC authentication, 802.1X • authentication, or a combination of these two authentication methods. Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC address or performs authentication, depending on the security mode.

  • Page 158

    TIP: userLogin specifies 802.1X authentication and port-based access control. userLogin with Secure • specifies 802.1X authentication and MAC-based access control. Ext indicates allowing multiple 802.1X users to be authenticated and serviced at the same time. A security mode without Ext allows only one user to pass 802.1X authentication.

  • Page 159: Configuration Task List

    This mode is similar to the userLoginSecure mode. The difference is that a port in this mode also permits frames from one user whose MAC address contains a specific OUI. The port performs 802.1X authentication upon receiving 802.1X frames, and performs OUI check upon receiving non-802.1X frames.

  • Page 160: Enabling Port Security

    Tasks at a glance Remarks (Optional.) Ignoring authorization information from the server (Optional.) Enabling MAC move Enabling port security Before you enable port security, disable 802.1X and MAC authentication globally. When port security is enabled, you cannot enable 802.1X or MAC authentication, or change the access control mode or port authorization state.

  • Page 161: Setting The Port Security Mode

    Step Command Remarks Enter Layer 2 Ethernet interface interface-type interface view. interface-number Set the maximum number of By default, port security does not port-security max-mac-count secure MAC addresses limit the number of secure MAC count-value allowed on a port. addresses on a port. Setting the port security mode Before you set a port security mode for a port, complete the following tasks: Disable 802.1X and MAC authentication.

  • Page 162: Configuring Port Security Features

    Step Command Remarks By default, a port operates in noRestrictions mode. port-security port-mode { autolearn | mac-authentication | After enabling port security, you mac-else-userlogin-secure | can change the port security mode mac-else-userlogin-secure-ext | of a port only when the port is secure | userlogin | operating in noRestrictions (the Set the port security mode.

  • Page 163: Configuring Secure Mac Addresses

    A blocked MAC address is restored to normal state after being blocked for 3 minutes. The interval is fixed and cannot be changed. disableport—Disables the port until you bring it up manually. • disableport-temporarily—Disables the port for a specific period of time. The period can be •...

  • Page 164

    Can be saved and Type Address sources Aging mechanism survive a device reboot? NOTE: When the maximum number of secure MAC address entries is reached, the port changes to secure mode, and it cannot add or learn any more secure MAC addresses. The port allows only frames sourced from a secure MAC address or a MAC address configured by using the mac-address dynamic or mac-address static command to pass through.

  • Page 165: Enabling Mac Move

    If MAC move is disabled and an 802.1X authenticated user moves to another port, it is not reauthenticated. HP recommends you enable MAC move for wireless users that roam between ports to access the network. To enable MAC move:...

  • Page 166: Port Security Configuration Examples

    Port security configuration examples autoLearn configuration example Network requirements Figure 65. Configure port Ten-GigabitEthernet 1/0/1 on the device, as follows: Accept up to 64 users on the port without authentication. • Permit the port to learn and add MAC addresses as sticky MAC addresses, and set the secure MAC •...

  • Page 167: Userloginwithoui Configuration Example

    Ten-GigabitEthernet1/0/1 is link-up Port mode: autoLearn NeedToKnow mode: Disabled Intrusion protection mode: DisablePortTemporarily Max number of secure MAC addresses: 64 Current number of secure MAC addresses: 5 Authorization is permitted The output shows that the port security's limit on the number of secure MAC addresses on the port is 64, the port security mode is autoLearn, and the intrusion protection action is disabling the port (DisablePortTemporarily) for 30 seconds.

  • Page 168: Configure Aaa

    The RADIUS server response timeout time is 5 seconds and the maximum number of RADIUS packet • retransmission attempts is five. The Device sends real-time accounting packets to the RADIUS server at 15-minute intervals, and sends usernames without domain names to the RADIUS server. Configure port Ten-GigabitEthernet 1/0/1 of the device to allow only one 802.1X user and a user that uses one of the specified OUI values to be authenticated.

  • Page 169

    # Enable port security. [Device] port-security enable # Add five OUI values. (You can add up to 16 OUI values. The port permits only one user matching one of the OUIs to pass authentication.) [Device] port-security oui index 1 mac-address 1234-0100-1111 [Device] port-security oui index 2 mac-address 1234-0200-1111 [Device] port-security oui index 3 mac-address 1234-0300-1111 [Device] port-security oui index 4 mac-address 1234-0400-1111...

  • Page 170: Macaddresselseuserloginsecure Configuration Example

    Access-limit: Disabled Access-Count: 0 lan-access Authentication Scheme: radius: radsun lan-access Authorization Scheme: radius: radsun lan-access Accounting Scheme: radius: radsun default Authentication Scheme: local default Authorization Scheme: local default Accounting Scheme: local # Display the port security configuration. [Device] display port-security interface ten-gigabitethernet 1/0/1 Port security is enabled globally AutoLearn aging time is 0 minutes Disableport Timeout: 20s...

  • Page 171

    Use the MAC address of each user as the username and password for authentication, and require • that the MAC addresses are hyphenated and in upper case. Set the total number of MAC authenticated users and 802.1X authenticated users to 64. •...

  • Page 172

    Disableport Timeout: 20s OUI value: Ten-GigabitEthernet1/0/1 is link-up Port mode: macAddressElseUserLoginSecure NeedToKnow mode: NeedToKnowOnly Intrusion protection mode: NoAction Max number of secure MAC addresses: 64 Current number of secure MAC addresses: 0 Authorization is permitted After users pass authentication, you can use the following commands to display the user authentication information on the port: # Display MAC authentication information.

  • Page 173: Troubleshooting Port Security

    Max number of 802.1X users is 2048 per slot Current number of online 802.1X users is 1 Ten-GigabitEthernet1/0/1 is link-up 802.1X protocol is enabled Handshake is enabled 802.1X unicast-trigger is disabled Periodic reauthentication is disabled The port is an authenticator Authentication mode is Auto Port access control type is MAC-based 802.1X multicast-trigger is enabled...

  • Page 174: Cannot Configure Secure Mac Addresses

    Cannot configure secure MAC addresses Symptom Cannot configure secure MAC addresses. Analysis No secure MAC address can be configured on a port operating in a port security mode other than autoLearn. Solution Set the port security mode to autoLearn. [Device-Ten-GigabitEthernet1/0/1] undo port-security port-mode [Device-Ten-GigabitEthernet1/0/1] port-security max-mac-count 64 [Device-Ten-GigabitEthernet1/0/1] port-security port-mode autolearn [Device-Ten-GigabitEthernet1/0/1] port-security mac-address security 1-1-2 vlan 1...

  • Page 175: Configuring Password Control

    Configuring password control Overview Password control allows you to implement the following features: • Manage login and super password setup, expirations, and updates for device management users. Control user login status based on predefined policies. • Local users are divided into two types: device management users and network access users. This feature applies only to device management users.

  • Page 176: Password Updating And Expiration

    Password complexity checking policy A less complicated password such as a password containing the username or repeated characters is more likely to be cracked. For higher security, you can configure a password complexity checking policy to make sure all user passwords are relatively complicated. With such a policy configured, when a user configures a password, the system checks the complexity of the password.

  • Page 177: User Login Control

    Password history With this feature enabled, the system stores passwords that a user has used. When a user changes the password, the system checks the new password against the current password and those stored in the password history records. The new password must be different from the current one and those stored in the history records by at least four characters.

  • Page 178: Logging

    Logging The system logs all successful password changing events and user adding events to the password control blacklist. FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.

  • Page 179: Setting Global Password Control Parameters

    To enable password control: Step Command Remarks Enter system view. system-view • In non-FIPS mode, the global password control feature is disabled by default. Enable the global password password-control enable • In FIPS mode, the global control feature. password control feature is enabled by default, and cannot be disabled.

  • Page 180: Setting User Group Password Control Parameters

    Step Command Remarks password-control complexity By default, the system does not Configure the password { same-character | user-name } perform password complexity complexity checking policy. check checking. Set the maximum number of password-control history history password records for The default setting is 4. max-record-num each user.

  • Page 181: Setting Local User Password Control Parameters

    Step Command Remarks Specify the maximum number of login attempts and the password-control login-attempt By default, the login-attempt policy action to be taken when a login-times [ exceed { lock | of the user group equals the global user in the user group fails to lock-time time | unlock } ] login-attempt policy.

  • Page 182: Setting Super Password Control Parameters

    Step Command Remarks Specify the maximum number By default, the settings equal those of login attempts and the for the user group to which the password-control login-attempt action to be taken for the local local user belongs. If no login-times [ exceed { lock | user when the user fails to log login-attempt policy is configured lock-time time | unlock } ]...

  • Page 183: Password Control Configuration Example

    NOTE: The reset password-control history-record command can delete the history password records of one or all users even when the password history feature is disabled. Password control configuration example Network requirements Configure a global password control policy to meet the following requirements: •...

  • Page 184

    [Sysname] password-control update-interval 36 # Specify that a user can log in 5 times within 60 days after the password expires. [Sysname] password-control expired-user-login delay 60 times 5 # Set the maximum account idle time to 30 days. [Sysname] password-control login idle-time 30 # Refuse any password that contains the username or the reverse of the username.

  • Page 185

    Global password control configurations: Password control: Enabled Password aging: Enabled (30 days) Password length: Enabled (16 characters) Password composition: Enabled (4 types, 4 characters per type) Password history: Enabled (max history record:4) Early notice on password expiration: 7 days Maximum login attempts: Action for exceeding login attempts: Lock Minimum interval between two updates: 36 hours...

  • Page 186: Managing Public Keys

    Managing public keys Overview This chapter describes public key management for the asymmetric key algorithms including the following: • Revest-Shamir-Adleman Algorithm (RSA). Digital Signature Algorithm (DSA). • Elliptic Curve Digital Signature Algorithm (ECDSA). • Many security applications, including SSH, SSL, and PKI, use asymmetric key algorithms to secure communications between two parties, as shown in Figure 68.

  • Page 187: Creating A Local Key Pair

    • In FIPS mode: 2048 bits. pair, and both key pairs use their default names. HP recommendation: a minimum of 768 bits. • In FIPS mode: If you do not specify a key pair name, the system creates a host key pair with the default name.

  • Page 188

    Configuration procedure To create a local key pair: Step Command Remarks Enter system view. system-view • In Release 2307 and Release 2310: public-key local create { dsa | ecdsa | rsa } [ name key-name ] • In Release 231 1P04 and later versions: In non-FIPS mode: Create a local key pair.

  • Page 189: Exporting A Host Public Key And Saving It To A File

    Step Command Remarks • Export an RSA host public key: In non-FIPS mode: public-key local export rsa [ name key-name ] { openssh | ssh1 | ssh2 } filename In FIPS mode: public-key local export rsa [ name The public-key local export ecdsa Export a local host key-name ] { openssh | ssh2 } command is available in Release...

  • Page 190: Destroying A Local Key Pair

    IMPORTANT: key displayed by the display Manually enter (type or copy) If the peer device is an HP device, use public-key local public command, the peer host public key the display public-key local public the system saves the key.

  • Page 191: Importing A Peer Host Public Key From A Public Key File

    For information about displaying or exporting host public keys, see "Distributing a local host public key." Importing a peer host public key from a public key file Step Command Remarks Enter system view. system-view Import a peer host public key public-key peer keyname import sshkey By default, no peer host from a public key file.

  • Page 192

    Figure 69 Network diagram Device A Device B Configuration procedure Configure Device A: # Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits. <DeviceA> system-view [DeviceA] public-key local create rsa The range of public key modulus is (512 ~ 2048).

  • Page 193: Example For Importing A Public Key From A Public Key File

    Enter public key view. Return to system view with "peer-public-key end" command. [DeviceB-pkey-public-key-devicea]30819F300D06092A864886F70D010101050003818D003081 2818100DA3B90F59237347B [DeviceB-pkey-public-key-devicea]8D41B58F8143512880139EC9111BFD31EB84B6B7C7A14700 C8F04A827B30C2CAF79242E [DeviceB-pkey-public-key-devicea]45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A744 88EC54A5D31EFAE4F681257 [DeviceB-pkey-public-key-devicea]6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F B1F2D561BF66EA27DFD4788 [DeviceB-pkey-public-key-devicea]CB47440AF6BB25ACA50203010001 # Save the public key and return to system view. [DeviceB-pkey-public-key-devicea] peer-public-key end Verifying the configuration # Verify that the key is the same as on Device A. [DeviceB] display public-key peer name devicea ============================================= Key name: devicea...

  • Page 194

    # Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits. <DeviceA> system-view [DeviceA] public-key local create rsa The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.

  • Page 195

    # Use FTP in binary mode to get the public key file devicea.pub from Device A. <DeviceB> ftp 10.1.1.1 Connected to 10.1.1.1 (10.1.1.1). 220 FTP service ready. User(10.1.1.1:(none)):ftp 331 Password required for ftp. Password: 230 User logged in. Remote system type is UNIX. Using binary mode to transfer files.

  • Page 196: Configuring Pki

    PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity. HP's PKI system provides certificate management for IPsec and SSL. PKI terminology Digital certificate A digital certificate is a document signed by a certificate authority (CA).

  • Page 197: Pki Architecture

    A certificate must be revoked when, for example, the username changes, the private key is compromised, or the user is no longer certified by the CA. The CA periodically publishes a CRL that contains the serial numbers of all revoked certificates. CRLs provide an effective way for verifying the validity of certificates. CA policy A CA policy is a set of criteria that a CA follows to process certificate requests, to issue and revoke certificates, and to publish CRLs.

  • Page 198: Pki Applications

    A PKI entity submits a certificate request to the RA. The RA verifies the identity of the entity and sends a digital signature containing the identity information and the public key to the CA. The CA verifies the digital signature, approves the request, and issues a certificate. After receiving the certificate from the CA, the RA sends the certificate to the LDAP server or other certificate repositories to provide directory navigation services.

  • Page 199

    Figure 72 PKI support for MPLS L3VPN FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. PKI configuration task list Tasks at a glance (Required.) Configuring a PKI entity...

  • Page 200: Configuring A Pki Domain

    FQDN of the entity. • • IP address of the entity. Whether the categories are required or optional depends on the CA policy. Follow the CA policy to configure the entity settings. For example, if the CA policy requires the entity DN, but you configure only the IP address, the CA rejects the certificate request from the entity.

  • Page 201

    Step Command Remarks By default, no trusted CA is specified. To obtain a CA certificate, the trusted CA name must be provided. The trusted CA name uniquely Specify the trusted CA. ca identifier name identifies the CA to be used if multiple CAs exist on the same CA server.

  • Page 202

    Step Command Remarks Before a PKI entity can enroll with a CA, it must authenticate the CA by obtaining the self-signed certificate of the CA and verifying the fingerprint of the CA certificate. If a fingerprint is not entered in the PKI domain, and if the CA In non-FIPS mode: certificate is imported or obtained...

  • Page 203: Requesting A Certificate

    Requesting a certificate To request a certificate, a PKI entity must provide its identity information and public key to a CA. A certificate request can be submitted to a CA in offline or online mode. Offline mode—A certificate request is submitted by an out-of-band means, such as phone, disk, or •...

  • Page 204: Manually Requesting A Certificate

    entity automatically submits a certificate request and saves the certificate locally after obtaining it from the CA. A CA certificate must be present before you request a local certificate. If no CA certificate exists in the PKI domain, the PKI entity automatically obtains a CA certificate before sending a certificate request. To configure automatic certificate request: Step Command...

  • Page 205: Aborting A Certificate Request

    Aborting a certificate request Before the CA issues a certificate, you can abort a certificate request to change some parameters, such as the common name, country code, and FQDN, in the certificate request. You can use display pki certificate request-status to display the certificate request status. Alternatively, you can also remove a PKI domain to abort the certificate request.

  • Page 206

    If CRL checking is enabled, obtaining a certificate triggers CRL checking. If the certificate to be • obtained has been revoked, the certificate cannot be obtained. The device compares the validity period of a certificate with the local system time to determine •...

  • Page 207: Verifying Certificates Without Crl Checking

    Step Command Remarks Enter PKI domain view. pki domain domain-name (Optional.) Specify the URL crl url url-string [ vpn-instance By default, the URL of the CRL of the CRL repository. vpn-instance-name ] repository is not specified. Enable CRL checking. crl check enable By default, CRL checking is enabled.

  • Page 208: Exporting Certificates

    After you change the storage path for the certificates or CRLs, the certificate files (with the .cer or .p12 extension) and CRL files (with the .crl extension) in the original path are moved to the new path. To specify the storage path for the certificates and CRLs: Task Command Remarks...

  • Page 209: Configuring A Certificate Access Control Policy

    You can remove the CA certificate, local certificate, or peer certificates in a PKI domain. After you remove the CA certificate, the system automatically removes the local certificates, peer certificates, and CRLs in the domain. You can remove a local certificate and request a new one when the local certificate is about to expire or the certificate's private key is compromised.

  • Page 210: Displaying And Maintaining Pki

    Step Command Remarks Enter system view. system-view Create a certificate attribute pki certificate attribute-group By default, no certificate attribute group and enter its view. group-name group exists. attribute id { alt-subject-name (Optional.) Configure an { fqdn | ip } | { issuer-name | attribute rule for issuer name, By default, not attribute rule is subject-name } { dn | fqdn | ip } }...

  • Page 211: Requesting A Certificate From An Rsa Keon Ca Server

    Requesting a certificate from an RSA Keon CA server Network requirements Configure the PKI entity (the device) to request a local certificate from the CA server. Figure 73 Network diagram Configuring the RSA Keon CA server Create a CA server named myca: In this example, you must configure these basic attributes on the CA server: Nickname—Name of the trusted CA.

  • Page 212

    [Device-pki-domain-torsa] certificate request from ca # Specify the PKI entity name as aaa. [Device-pki-domain-torsa] certificate request entity aaa # Specify the URL of the CRL repository. [Device-pki-domain-torsa] crl url http://4.4.4.133:447/myca.crl # Specify the RSA key pair with the purpose general, the name abc, and the length 1024 bits. [Device-pki-domain-torsa] public-key rsa general name abc length 1024 [Device-pki-domain-torsa] quit Generate a local RSA key pair.

  • Page 213: Requesting A Certificate From A Windows Server 2003 Ca Server

    Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:ab:45:64:a8:6c:10:70:3b:b9:46:34:8d:eb:1a: a1:b3:64:b2:37:27:37:9d:15:bd:1a:69:1d:22:0f: 3a:5a:64:0c:8f:93:e5:f0:70:67:dc:cd:c1:6f:7a: 0c:b1:57:48:55:81:35:d7:36:d5:3c:37:1f:ce:16: 7e:f8:18:30:f6:6b:00:d6:50:48:23:5c:8c:05:30: 6f:35:04:37:1a:95:56:96:21:95:85:53:6f:f2:5a: dc:f8:ec:42:4a:6d:5c:c8:43:08:bb:f1:f7:46:d5: f1:9c:22:be:f3:1b:37:73:44:f5:2d:2c:5e:8f:40: 3e:36:36:0d:c8:33:90:f3:9b Exponent: 65537 (0x10001) X509v3 extensions: X509v3 CRL Distribution Points: Full Name: DirName: CN = myca Signature Algorithm: sha1WithRSAEncryption b0:9d:d9:ac:a0:9b:83:99:bf:9d:0a:ca:12:99:58:60:d8:aa: 73:54:61:4b:a2:4c:09:bb:9f:f9:70:c7:f8:81:82:f5:6c:af: 25:64:a5:99:d1:f6:ec:4f:22:e8:6a:96:58:6c:c9:47:46:8c: f1:ba:89:b8:af:fa:63:c6:c9:77:10:45:0d:8f:a6:7f:b9:e8: 25:90:4a:8e:c6:cc:b8:1a:f8:e0:bc:17:e0:6a:11:ae:e7:36: 87:c4:b0:49:83:1c:79:ce:e2:a3:4b:15:40:dd:fe:e0:35:52: ed:6d:83:31:2c:c2:de:7c:e0:a7:92:61:bc:03:ab:40:bd:69: 1b:f5...

  • Page 214

    Select Control Panel > Add or Remove Programs from the start menu. Select Add/Remove Windows Components > Certificate Services. Click Next to begin the installation. Set the CA name. In this example, set the CA name to myca. Install the SCEP add-on: By default, Windows Server 2003 does not support SCEP.

  • Page 215

    [Device-pki-domain-winserver] certificate request from ra # Specify the PKI entity name as aaa. [Device-pki-domain-winserver] certificate request entity aaa # Specify the RSA key pair with the purpose general, the name abc, and the length 1024 bits. [Device-pki-domain-winserver] public-key rsa general name abc length 1024 [Device-pki-domain-winserver] quit Generate an RSA local key pair: [Device] public-key local create rsa name abc...

  • Page 216

    00:c3:b5:23:a0:2d:46:0b:68:2f:71:d2:14:e1:5a: 55:6e:c5:5e:26:86:c1:5a:d6:24:68:02:bf:29:ac: dc:31:41:3f:5d:5b:36:9e:53:dc:3a:bc:0d:11:fb: d6:7d:4f:94:3c:c1:90:4a:50:ce:db:54:e0:b3:27: a9:6a:8e:97:fb:20:c7:44:70:8f:f0:b9:ca:5b:94: f0:56:a5:2b:87:ac:80:c5:cc:04:07:65:02:39:fc: db:61:f7:07:c6:65:4c:e4:5c:57:30:35:b4:2e:ed: 9c:ca:0b:c1:5e:8d:2e:91:89:2f:11:e3:1e:12:8a: f8:dd:f8:a7:2a:94:58:d9:c7:f8:1a:78:bd:f5:42: 51:3b:31:5d:ac:3e:c3:af:fa:33:2c:fc:c2:ed:b9: ee:60:83:b3:d3:e5:8e:e5:02:cf:b0:c8:f0:3a:a4: b7:ac:a0:2c:4d:47:5f:39:4b:2c:87:f2:ee:ea:d0: c3:d0:8e:2c:80:83:6f:39:86:92:98:1f:d2:56:3b: d7:94:d2:22:f4:df:e3:f8:d1:b8:92:27:9c:50:57: f3:a1:18:8b:1c:41:ba:db:69:07:52:c1:9a:3d:b1: 2d:78:ab:e3:97:47:e2:70:14:30:88:af:f8:8e:cb: 68:f9:6f:07:6e:34:b6:38:6a:a2:a8:29:47:91:0e: 25:39 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment, Data Encip herment X509v3 Subject Key Identifier: C9:BB:D5:8B:02:1D:20:5B:40:94:15:EC:9C:16:E8:9D:6D:FD:9F:34 X509v3 Authority Key Identifier: keyid:32:F1:40:BA:9E:F1:09:81:BD:A8:49:66:FF:F8:AB:99:4A:30:21:9 X509v3 CRL Distribution Points:...

  • Page 217: Requesting A Certificate From An Openca Server

    0f:d9:34:56:bc:1e:6f:ee:11:3f:7c:b2:52:f9:45:77:52:fb: 46:8a:ca:b7:9d:02:0d:4e:c3:19:8f:81:46:4e:03:1f:58:03: bf:53:c6:c4:85:95:fb:32:70:e6:1b:f3:e4:10:ed:7f:93:27: 90:6b:30:e7:81:36:bb:e2:ec:f2:dd:2b:bb:b9:03:1c:54:0a: 00:3f:14:88:de:b8:92:63:1e:f5:b3:c2:cf:0a:d5:f4:80:47: 6f:fa:7e:2d:e3:a7:38:46:f6:9e:c7:57:9d:7f:82:c7:46:06: 7d:7c:39:c4:94:41:bd:9e:5c:97:86:c8:48:de:35:1e:80:14: 02:09:ad:08 To display detailed information about the CA certificate, use the display pki certificate domain command. Requesting a certificate from an OpenCA server Network requirements Configure the PKI entity (the device) to request a local certificate from the CA server. Figure 75 Network diagram Configuring the OpenCA server Configure the OpenCA server as instructed in related manuals.

  • Page 218

    # Configure the certificate request URL. The URL is in the format http://host/cgi-bin/pki/scep, where host is the host IP address of the OpenCA server. [Device-pki-domain-openca] certificate request url http://192.168.222.218/cgi-bin/pki/scep # Configure the device to send certificate requests to the RA. [Device-pki-domain-openca] certificate request from ra # Specify PKI entity aaa for certificate request.

  • Page 219

    Not After : May 1 09:09:09 2012 GMT Subject: CN=rnd, O=test, OU=software, C=CN Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:b8:7a:9a:b8:59:eb:fc:70:3e:bf:19:54:0c:7e: c3:90:a5:d3:fd:ee:ff:c6:28:c6:32:fb:04:6e:9c: d6:5a:4f:aa:bb:50:c4:10:5c:eb:97:1d:a7:9e:7d: 53:d5:31:ff:99:ab:b6:41:f7:6d:71:61:58:97:84: 37:98:c7:7c:79:02:ac:a6:85:f3:21:4d:3c:8e:63: 8d:f8:71:7d:28:a1:15:23:99:ed:f9:a1:c3:be:74: 0d:f7:64:cf:0a:dd:39:49:d7:3f:25:35:18:f4:1c: 59:46:2b:ec:0d:21:1d:00:05:8a:bf:ee:ac:61:03: 6c:1f:35:b5:b4:cd:86:9f:45 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME...

  • Page 220: Certificate Import And Export Configuration Example

    ba:b9:61:f1:0a:76:42:e7:a6:34:43:3e:2d:02:5e:c7:32:f7: 6b:64:bb:2d:f5:10:6c:68:4d:e7:69:f7:47:25:f5:dc:97:af: ae:33:40:44:f3:ab:e4:5a:a0:06:8f:af:22:a9:05:74:43:b6: e4:96:a5:d4:52:32:c2:a8:53:37:58:c7:2f:75:cf:3e:8e:ed: 46:c9:5a:24:b1:f5:51:1d:0f:5a:07:e6:15:7a:02:31:05:8c: 03:72:52:7c:ff:28:37:1e:7e:14:97:80:0b:4e:b9:51:2d:50: 98:f2:e4:5a:60:be:25:06:f6:ea:7c:aa:df:7b:8d:59:79:57: 8f:d4:3e:4f:51:c1:34:e6:c1:1e:71:b5:0d:85:86:a5:ed:63: 1e:08:7f:d2:50:ac:a0:a3:9e:88:48:10:0b:4a:7d:ed:c1:03: 9f:87:97:a3:5e:7d:75:1d:ac:7b:6f:bb:43:4d:12:17:9a:76: b0:bf:2f:6a:cc:4b:cd:3d:a1:dd:e0:dc:5a:f3:7c:fb:c3:29: b0:12:49:5c:12:4c:51:6e:62:43:8b:73:b9:26:2a:f9:3d:a4: 81:99:31:89 To display detailed information about the CA certificate, use the display pki certificate domain command. Certificate import and export configuration example Network requirements As shown in Figure 76, Device B will replace Device A in the network.

  • Page 221

    # Export the local certificate to a file named pkilocal.pem in PEM format, and use 3DES_CBC to encrypt the private key with the password 111111. [DeviceA] pki export domain exportdomain pem local 3des-cbc 111111 filename pkilocal.pem Now, Device A has three certificate files in PEM format: A CA certificate file named pkicachain.pem.

  • Page 222

    … -----END ENCRYPTED PRIVATE KEY----- Download the certificate files pkicachain.pem, pkilocal.pem-sign, and pkilocal.pem-encr from Device A to the host through FTP. (Details not shown.) Upload the certificate files pkicachain.pem, pkilocal.pem-sign, and pkilocal.pem-encr from the host to Device B through FTP. (Details not shown.) Import the certificate files to Device B: # Disable CRL checking.

  • Page 223

    6c:bf:0d:8c:f4:4e:ca:69:e5:3f:37:5c:83:ea:83: ad:16:b8:99:37:cb:86:10:6b:a0:4d:03:95:06:42: ef:ef:0d:4e:53:08:0a:c9:29:dd:94:28:02:6e:e2: 9b:87:c1:38:2d:a4:90:a2:13:5f:a4:e3:24:d3:2c: bf:98:db:a7:c2:36:e2:86:90:55:c7:8c:c5:ea:12: 01:31:69:bf:e3:91:71:ec:21 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME X509v3 Key Usage: Digital Signature, Non Repudiation X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin Netscape Comment: User Certificate of OpenCA Labs X509v3 Subject Key Identifier:...

  • Page 224

    5d:6f:a5:cf:cb:5a:0b:c5:2b:45:b7:3e:6e:39:e9:d9:66:6d: ef:d3:a0:f6:2a:2d:86:a3:01:c4:94:09:c0:99:ce:22:19:84: 2b:f0:db:3e:1e:18:fb:df:56:cb:6f:a2:56:35:0d:39:94:34: 6d:19:1d:46:d7:bf:1a:86:22:78:87:3e:67:fe:4b:ed:37:3d: d6:0a:1c:0b Certificate: Data: Version: 3 (0x2) Serial Number: 08:7c:67:01:5c:b3:5a:12:0f:2f Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=docm, CN=subca1 Validity Not Before: May 26 05:58:26 2011 GMT Not After : Nov 22 05:58:26 2012 GMT Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subencr 11 Subject Public Key Info: Public Key Algorithm: rsaEncryption...

  • Page 225: Troubleshooting Pki Configuration

    DNS:subca1@docm.com, DNS:, IP Address:1.1.2.2, IP Address:2.2.1.1 Authority Information Access: CA Issuers - URI:http://titan/pki/pub/cacert/cacert.crt OCSP - URI:http://titan:2560/ 1.3.6.1.5.5.7.48.12 - URI:http://titan:830/ X509v3 CRL Distribution Points: Full Name: URI:http://192.168.40.130/pki/pub/crl/cacrl.crl Signature Algorithm: sha256WithRSAEncryption 53:69:66:5f:93:f0:2f:8c:54:24:8f:a2:f2:f1:29:fa:15:16: 90:71:e2:98:e3:5c:c6:e3:d4:5f:7a:f6:a9:4f:a2:7f:ca:af: c4:c8:c7:2c:c0:51:0a:45:d4:56:e2:81:30:41:be:9f:67:a1: 23:a6:09:50:99:a1:40:5f:44:6f:be:ff:00:67:9d:64:98:fb: 72:77:9e:fd:f2:4c:3a:b2:43:d8:50:5c:48:08:e7:77:df:fb: 25:9f:4a:ea:de:37:1e:fb:bc:42:12:0a:98:11:f2:d9:5b:60: bc:59:72:04:48:59:cc:50:39:a5:40:12:ff:9d:d0:69:3a:5e: 3a:09:5a:79:e0:54:67:a0:32:df:bf:72:a0:74:63:f9:05:6f: 5e:28:d2:e8:65:49:e6:c7:b5:48:7d:95:47:46:c1:61:5a:29: 90:65:45:4a:88:96:e4:88:bd:59:25:44:3f:61:c6:b1:08:5b: 86:d2:4f:61:4c:20:38:1c:f4:a1:0b:ea:65:87:7d:1c:22:be: b6:17:17:8a:5a:0f:35:4c:b8:b3:73:03:03:63:b1:fc:c4:f5: e9:6e:7c:11:e8:17:5a:fb:39:e7:33:93:5b:2b:54:72:57:72: 5e:78:d6:97:ef:b8:d8:6d:0c:05:28:ea:81:3a:06:a0:2e:c3:...

  • Page 226: Failed To Obtain Local Certificates

    The fingerprint information is illegal. • Solution Make sure the network connection is physically proper. Verify that the required configurations are correct. Use ping to verify that the registration server is reachable. Synchronize the system time of the device with the CA server. Specify the correct source IP address for PKI protocol packets that the CA server can accept.

  • Page 227: Failed To Request Local Certificates

    Failed to request local certificates Symptom Local certificate requests cannot be submitted. Analysis The network connection is down because, for example, the network cable is damaged or the • connectors have bad contact. No CA certificate has been obtained before you submit the certificate request. •...

  • Page 228: Failed To Import The Ca Certificate

    The URL of the CRL repository is not configured, and the proper URL cannot be obtained from the • CA certificate or local certificates in the PKI domain. The specified URL of the CRL repository is incorrect. • The device tries to obtain CRLs through SCEP, but the PKI domain does not have local certificates, •...

  • Page 229: Failed To Export Certificates

    CRL checking is enabled, but CRLs do not exist locally or CRLs cannot be obtained. • • The specified format does not match the actual format of the imported file. The device and the certificate do not have the local key pair. •...

  • Page 230

    The specified storage path is illegal. • • The disk space is full. Solution Use mkdir to create the path. Specify the correct storage path for certificates or CRLs. Clear up the disk space of the device.

  • Page 231: Configuring Ipsec

    Configuring IPsec The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide). CAUTION: If you configure both IPsec and QoS on an interface, make sure the IPsec traffic classification rules match •...

  • Page 232: Security Protocols And Encapsulation Modes

    Good compatibility. You can apply IPsec to all IP-based application systems and services without • modifying them. Encryption on a per-packet rather than per-flow basis. Per-packet encryption allows for flexibility • and greatly enhances IP security. Security protocols and encapsulation modes Security protocols IPsec comes with two security protocols, AH and ESP.

  • Page 233: Security Association

    • IKE negotiation mode—The peers negotiate and maintain the SA through IKE. This configuration mode is simple and has good expansibility. In medium- and large-scale dynamic networks, HP recommends setting up SAs through IKE negotiations. A manually configured SA never ages out. An IKE-created SA has a lifetime, which comes in two types: •...

  • Page 234: Authentication And Encryption

    Traffic-based lifetime—Defines the maximum traffic that the SA can process. • If both lifetime timers are configured for an SA, the SA becomes invalid when either of the lifetime timers expires. Before the SA expires, IKE negotiates a new SA, which takes over immediately after its creation. Authentication and encryption Authentication algorithms IPsec uses hash algorithms to perform authentication.

  • Page 235

    ACL-based IPsec To implement ACL-based IPsec, configure an ACL to define the data flows to be protected, reference the ACL in an IPsec policy, and then apply the IPsec policy to an interface. When packets sent by the interface match the permit rule of the ACL, the packets are protected by the outbound IPsec SA and encapsulated with IPsec.

  • Page 236: Implementing Acl-based Ipsec

    interface (see "Implementing ACL-based IPsec"). The IPsec tunnel establishment steps are the same in an IPv4 network and in an IPv6 network. Application-based IPsec tunnel—Protects the packets of an application. This method can be used to • protect IPv6 routing protocols. It does not require any ACL. To establish application-based IPsec tunnels, configure manual IPsec profiles and bind the profiles to an IPv6 routing protocol.

  • Page 237: Configuring An Acl

    Tasks at a glance (Optional.) Binding a source interface to an IPsec policy (Optional.) Enabling QoS pre-classify (Optional.) Enabling logging of IPsec packets (Optional.) Configuring the DF bit of IPsec packets (Optional.) Configuring SNMP notifications for IPsec Configuring an ACL IPsec uses ACLs to identify the traffic to be protected.

  • Page 238: Configuring An Ipsec Transform Set

    Configuring an IPsec transform set An IPsec transform set, part of an IPsec policy, defines the security parameters for IPsec SA negotiation, including the security protocol, encryption algorithms, and authentication algorithms. Changes to an IPsec transform set affect only SAs negotiated after the changes. To apply the changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up by using the updated parameters.

  • Page 239: Configuring A Manual Ipsec Policy

    Step Command Remarks By default, the security protocol encapsulates IP packets in tunnel mode. Specify the mode in The transport mode applies only which the security encapsulation-mode { transport | when the source and destination IP protocol encapsulates IP tunnel } addresses of data flows match packets.

  • Page 240

    Step Command Remarks Enter system view. system-view Create a manual IPsec ipsec { ipv6-policy | policy } policy entry and enter its By default, no IPsec policy exists. policy-name seq-number manual view. (Optional.) Configure a description for the IPsec description text By default, no description is configured.

  • Page 241: Configuring An Ike-based Ipsec Policy

    Step Command Remarks • Configure an authentication key in hexadecimal format for sa hex-key authentication { inbound | outbound } ah { cipher | simple } key-value • Configure an authentication By default, no keys are configured for the key in character format for AH: IPsec SA.

  • Page 242

    The remote IP address of the IPsec tunnel is required on an IKE negotiation initiator and is optional • on the responder. The remote IP address specified on the local end must be the same as the local IP address specified on the remote end. For an IPsec SA established through IKE negotiation: The IPsec SA uses the local lifetime settings or those proposed by the peer, whichever are smaller.

  • Page 243

    Step Command Remarks By default, the local IPv4 address of IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied, and the local IPv6 address of the IPsec tunnel is the first IPv6 address of the Specify the local IP address of local-address { ipv4-address | ipv6 interface to which the IPsec policy...

  • Page 244

    Step Command Remarks ipsec { ipv6-policy-template | Create an IPsec policy By default, no IPsec policy template policy-template } template-name template and enter its view. exists. seq-number (Optional.) Configure a By default, no description is description for the IPsec policy description text configured.

  • Page 245: Applying An Ipsec Policy To An Interface

    Step Command Remarks (Optional.) Enable the global IPsec SA idle timeout function, By default, the global IPsec SA idle ipsec sa idle-time seconds and set the global SA idle timeout function is disabled. timeout. Create an IPsec policy by ipsec { ipv6-policy | policy } referencing the IPsec policy policy-name seq-number isakmp By default, no IPsec policy exists.

  • Page 246: Configuring The Ipsec Anti-replay Function

    Step Command Remarks Enter system view. system-view Enable ACL checking for ipsec decrypt-check enable By default, this feature is enabled. de-encapsulated packets. Configuring the IPsec anti-replay function The IPsec anti-replay function protects networks against anti-replay attacks by using a sliding window mechanism called anti-replay window.

  • Page 247: Binding A Source Interface To An Ipsec Policy

    Binding a source interface to an IPsec policy For high availability, a core device is usually connected to an ISP through two links, which operate in backup or load sharing mode. The two interfaces negotiate with their peers to establish IPsec SAs respectively.

  • Page 248: Enabling Logging Of Ipsec Packets

    Step Command Remarks • To enter IPsec policy view: ipsec { policy | ipv6-policy } policy-name seq-number [ isakmp | manual ] Enter IPsec policy view or • Use either command. To enter IPsec policy template IPsec policy template view. view: ipsec { policy-template | ipv6-policy-template }...

  • Page 249: Configuring Ipsec For Ipv6 Routing Protocols

    Step Command Remarks Enter system view. system-view interface interface-type Enter interface view. interface-number Configure the DF bit of By default, the interface uses the IPsec packets on the ipsec df-bit { clear | copy | set } global DF bit setting. interface.

  • Page 250

    consists of directly-connected neighbors or a RIPng process. For BGP, the scope consists of BGP peers or a BGP peer group. The keys for the IPsec SAs at the two tunnel ends must be configured in the same format. For •...

  • Page 251: Configuring Snmp Notifications For Ipsec

    Configuring SNMP notifications for IPsec After you enable SNMP notifications for IPsec, the IPsec module notifies the NMS of important module events. The notifications are sent to the device's SNMP module. You can configure the notification transmission parameters for the SNMP module to specify how the SNMP module displays notifications. For more information about SNMP notifications, see Network Management and Monitoring Configuration Guide.

  • Page 252: Ipsec Configuration Examples

    Task Command Clear IPsec statistics. reset ipsec statistics [ tunnel-id tunnel-id ] IPsec configuration examples Configuring a manual mode IPsec tunnel for IPv4 packets Network requirements As shown in Figure 80, establish an IPsec tunnel between Switch A and Switch B to protect data flows between the switches.

  • Page 253

    # Apply ACL 3101. [SwitchA-ipsec-policy-manual-map1-10] security acl 3101 # Apply the IPsec transform set tran1. [SwitchA-ipsec-policy-manual-map1-10] transform-set tran1 # Specify the remote IP address of the IPsec tunnel as 2.2.3.1. [SwitchA-ipsec-policy-manual-map1-10] remote-address 2.2.3.1 # Configure inbound and outbound SPIs for ESP. [SwitchA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345 [SwitchA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321 # Configure the inbound and outbound SA keys for ESP.

  • Page 254: Configuring An Ike-based Ipsec Tunnel For Ipv4 Packets

    [SwitchB-ipsec-policy-manual-use1-10] sa spi outbound esp 54321 [SwitchB-ipsec-policy-manual-use1-10] sa spi inbound esp 12345 # Configure the inbound and outbound SA keys for ESP. [SwitchB-ipsec-policy-manual-use1-10] sa string-key outbound esp simple gfedcba [SwitchB-ipsec-policy-manual-use1-10] sa string-key inbound esp simple abcdefg [SwitchB-ipsec-policy-manual-use1-10] quit # Apply the IPsec policy use1 to interface VLAN-interface 1. [SwitchB] interface vlan-interface 1 [SwitchB-Vlan-interface1] ipsec apply policy use1 Verifying the configuration...

  • Page 255

    Specify the encapsulation mode as tunnel, the security protocol as ESP, the encryption algorithm as • AES-CBC- 1 92, and the authentication algorithm as HMAC-SHA1. Set up SAs through IKE negotiation. • Figure 81 Network diagram   Configuration procedure Configure Switch A: # Configure an IP address for VLAN-interface 1.

  • Page 256

    # Apply ACL 3101. [SwitchA-ipsec-policy-isakmp-map1-10] security acl 3101 # Apply the IPsec transform set tran1. [SwitchA-ipsec-policy-isakmp-map1-10] transform-set tran1 # Specify the local and remote IP addresses of the IPsec tunnel as 2.2.2.1 and 2.2.3.1. [SwitchA-ipsec-policy-isakmp-map1-10] local-address 2.2.2.1 [SwitchA-ipsec-policy-isakmp map1-10] remote-address 2.2.3.1 # Apply the IKE profile profile1.

  • Page 257: Configuring Ipsec For Ripng

    [SwitchB-ike-profile-profile1] quit # Create an IKE mode IPsec policy entry, with the policy name use1, and sequence number 10. [SwitchB] ipsec policy use1 10 isakmp # Apply ACL 3101. [SwitchB-ipsec-policy-isakmp-use1-10] security acl 3101 # Apply the IPsec transform set tran1. [SwitchB-ipsec-policy-isakmp-use1-10] transform-set tran1 # Specify the local and remote IP addresses of the IPsec tunnel as 2.2.3.1 and 2.2.2.1.

  • Page 258

    Apply the IPsec profile to a RIPng process or to an interface. Configuration procedure Configure Switch A: # Configure IPv6 addresses for interfaces. (Details not shown.) # Configure basic RIPng. <SwitchA> system-view [SwitchA] ripng 1 [SwitchA-ripng-1] quit [SwitchA] interface vlan-interface 100 [SwitchA-Vlan-interface100] ripng 1 enable [SwitchA-Vlan-interface100] quit # Create and configure the IPsec transform set named tran1.

  • Page 259

    [SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128 [SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [SwitchB-ipsec-transform-set-tran1] quit # Create and configure the IPsec profile named profile001. [SwitchB] ipsec profile profile001 manual [SwitchB-ipsec-profile-profile001] transform-set tran1 [SwitchB-ipsec-profile-profile001] sa spi outbound esp 123456 [SwitchB-ipsec-profile-profile001] sa spi inbound esp 123456 [SwitchB-ipsec-profile-profile001] sa string-key outbound esp simple abcdefg [SwitchB-ipsec-profile-profile001] sa string-key inbound esp simple abcdefg [SwitchB-ipsec-profile-profile001] quit # Apply the IPsec profile to RIPng process 1.

  • Page 260

    Verifying the configuration After the previous configurations, Switch A, Switch B, and Switch C learn IPv6 routing information through RIPng. IPsec SAs are set up successfully on the switches to protect RIPng packets. The following example uses Switch A to illustrate how to view the IPsec-related information. # Use the display ripng command to display the RIPng configuration.

  • Page 261: Configuring Ike

    Configuring IKE Unless otherwise specified, the term "IKE" in this chapter refers to IKEv1. The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide).

  • Page 262: Ike Security Mechanism

    Figure 84 IKE exchange process in main mode As shown in Figure 84, the main mode of IKE negotiation in phase 1 involves three pairs of messages: • SA exchange—Used for negotiating the IKE security policy. Key exchange—Used for exchanging the DH public value and other values, such as the random •...

  • Page 263

    the pre-shared key authentication method, you must configure a pre-shared key for each branch on the Headquarters node. DH algorithm The DH algorithm is a public key algorithm. With this algorithm, two peers can exchange keying material and then use the material to calculate the shared keys. Due to the decryption complexity, a third party cannot decrypt the keys even after intercepting all keying materials.

  • Page 264: Configuring An Ike Profile

    Tasks at a glance Remarks Required when the IKE profile needs to (Optional.) Configuring an IKE proposal reference IKE proposals. Required when pre-shared authentication is (Optional.) Configuring an IKE keychain used in IKE negotiation phase 1. (Optional.) Configuring the global identity information (Optional.) Configuring the IKE keepalive function (Optional.)

  • Page 265

    Specify a priority number for the IKE profile. To determine the priority of an IKE profile: First, the device examines the existence of the match local address command. An IKE profile with the match local address command configured has a higher priority. If a tie exists, the device compares the priority numbers.

  • Page 266: Configuring An Ike Proposal

    Step Command Remarks By default, the IKE DPD function is not configured for an IKE profile and an IKE profile uses the DPD settings configured in (Optional.) Configure IKE dpd interval interval-seconds [ retry system view. If the IKE DPD DPD.

  • Page 267: Configuring An Ike Keychain

    Step Command Remarks Enter system view. system-view By default, there is an IKE Create an IKE proposal and ike proposal proposal-number proposal that is used as the enter its view. default IKE proposal. By default: • In non-FIPS mode: • In non-FIPS mode, an IKE encryption-algorithm { 3des-cbc | proposal uses the 56-bit DES...

  • Page 268: Configuring The Global Identity Information

    You can specify a priority number for the IKE keychain. To determine the priority of an IKE keychain: The device examines the existence of the match local address command. An IKE keychain with the match local address command configured has a higher priority. If a tie exists, the device compares the priority numbers.

  • Page 269: Configuring The Ike Keepalive Function

    When pre-shared key authentication is used, you cannot set the DN as the identity. • To configure the global identity information: Step Command Remarks Enter system view. system-view ike identity { address By default, the IP address of the { ipv4-address | ipv6 Configure the global identity interface to which the IPsec policy or ipv6-address } | dn | fqdn...

  • Page 270: Configuring The Ike Nat Keepalive Function

    Configuring the IKE NAT keepalive function If IPsec traffic passes through a NAT device, you must configure the NAT traversal function. If no packet travels across an IPsec tunnel in a period of time, the NAT sessions are aged and deleted, disabling the tunnel from transmitting data to the intended end.

  • Page 271: Enabling Invalid Spi Recovery

    Step Command Remarks ike dpd interval interval-seconds Enable sending IKE DPD [ retry seconds ] { on-demand | By default, IKE DPD is disabled. messages. periodic } Enabling invalid SPI recovery An IPsec "black hole" occurs when one IPsec peer fails (for example, a peer can fail if a reboot occurs). One peer fails and loses its SAs with the other peer.

  • Page 272: Configuring Snmp Notifications For Ike

    Configuring SNMP notifications for IKE After you enable SNMP notifications for IKE, the IKE module notifies the NMS of important module events. The notifications are sent to the device's SNMP module. You can configure the notification transmission parameters for the SNMP module to specify how the SNMP module displays notifications. For more information about SNMP notifications, see Network Management and Monitoring Configuration Guide.

  • Page 273: Ike Configuration Examples

    IKE configuration examples Main mode IKE with pre-shared key authentication configuration example Network requirements As shown in Figure 85, configure an IPsec tunnel that uses IKE negotiation between Switch A and Switch B to secure the communication. Configure Switch A and Switch B to use the default IKE proposal for the IKE negotiation to set up the IPsec SA.

  • Page 274

    [SwitchA-ike-keychain-keychain1] quit # Create IKE profile profile1. [SwitchA] ike profile profile1 # Specify IKE keychain keychain1. [SwitchA-ike-profile-profile1] keychain keychain1 # Configure a peer ID with the identity type of IP address and the value of 2.2.2.2. [SwitchA-ike-profile-profile1] match remote identity address 2.2.2.2 255.255.255.0 [SwitchA-ike-profile-profile1] quit # Create an IPsec policy entry, and specify the IPsec policy name as map1, the sequence number as 10, and the IPsec SA setup mode as IKE.

  • Page 275

    # Specify the plaintext abcde as the pre-shared key to be used with the remote peer at 1.1.1.1. [SwitchB-ike-keychain-keychain1] pre-shared-key address 1.1.1.1 255.255.255.0 key simple 12345zxcvb!@#$%ZXCVB [SwitchB-ike-keychain-keychain1] quit # Create IKE profile profile1. [SwitchB] ike profile profile1 # Specify IKE keychain keychain1 [SwitchB-ike-profile-profile1] keychain keychain1 # Configure a peer ID with the identity type of IP address and the value of 1.1.1.1.

  • Page 276: Ike Negotiation Failed Because No Ike Proposals Or Ike Keychains Are Referenced Correctly

    When IKE event debugging and packet debugging are enabled, the following messages appear: IKE event debugging message: The attributes are unacceptable. IKE packet debugging message: Construct notification packet: NO_PROPOSAL_CHOSEN. Analysis Certain IKE proposal settings are incorrect. Solution Examine the IKE proposal configuration to see whether the two ends have matching IKE proposals. Modify the IKE proposal configuration to make sure the two ends have matching IKE proposals.

  • Page 277: Ipsec Sa Negotiation Failed Because No Matching Ipsec Transform Sets Were Found

    IPsec SA negotiation failed because no matching IPsec transform sets were found Symptom The display ike sa command shows that the IKE SA negotiation succeeded and the IKE SA is in RD state, but the display ipsec sa command shows that the expected IPsec SA has not been negotiated yet.

  • Page 278

    Local IP: 192.168.222.5 Local ID type: IPV4_ADDR Local ID: 192.168.222.5 Remote IP: 192.168.222.71 Remote ID type: IPV4_ADDR Remote ID: 192.168.222.71 Authentication-method: PRE-SHARED-KEY Authentication-algorithm: MD5 Encryption-algorithm: 3DES-CBC Life duration(sec): 86400 Remaining key duration(sec): 85847 Exchange-mode: Main Diffie-Hellman group: Group 1 NAT traversal: Not detected # Verify that the IPsec policy is referencing an IKE profile.

  • Page 279

    # On the responder: [Sysname] display acl 3000 Advanced ACL 3000, named -none-, 2 rules, ACL's step is 5 rule 0 permit ip source 192.168.222.71 0 destination 192.168.222.5 0 Verify that the IPsec policy has a remote address and an IPsec transform set configured and that the IPsec transform set has all necessary settings configured.

  • Page 280: Configuring Ssh

    Configuring SSH Overview Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. SSH uses the typical client-server model to establish a channel for secure data transfer based on TCP. SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible.

  • Page 281: Ssh Authentication Methods

    CLI. The text pasted at one time must be no more than 2000 bytes. Interaction HP recommends that you paste commands in the same view. Otherwise, the server might not be able to correctly execute the commands. To execute commands of more than 2000 bytes, save the commands in a configuration file, upload it to the server through SFTP, and use it to restart the server.

  • Page 282

    Informs the client of the authentication result. If the remote AAA server requires the user to enter a password for secondary authentication, it send the SSH server an authentication response carrying a prompt. The prompt is transparently transmitted to the client to notify the user to enter a specific password. After the user enters the correct password and passes validity check by the remote AAA server, the SSH server returns an authentication success message to the client.

  • Page 283: Configuring The Device As An Ssh Server

    Configuring the device as an SSH server SSH server configuration task list Tasks at a glance Remarks (Optional.) Generating local key pairs (Required.) Enabling the SSH server function Required for Stelnet and SCP servers. (Required.) Enabling the SFTP server function Required for SFTP servers.

  • Page 284: Enabling The Ssh Server Function

    The public-key local create rsa command generates a server key pair and a host key pair for RSA. • SSH1 uses the public key in the server key pair of the SSH server to encrypt the session key before transmitting the session key. Because SSH2 uses the DH algorithm to separately generate the session key on the SSH server and the client, no session key transmission is required and thus the server key pair is not used in SSH2.

  • Page 285: Enabling The Sftp Server Function

    Enabling the SFTP server function This SFTP server function enables clients to log in to the device through SFTP. To enable the SFTP server function: Step Command Remarks Enter system view. system-view Enable the SFTP server By default, the SFTP server function sftp server enable function.

  • Page 286: Configuring A Client's Host Public Key

    PKCS format. HP recommends that you configure no more than 20 SSH client host public keys on an SSH server. To manually configure a client's host public key:...

  • Page 287: Configuring An Ssh User

    Step Command Remarks Return to system view. peer-public-key end To import a client's host public key from a public key file: Step Command Enter system view. system-view Import a client's public key public-key peer keyname import sshkey filename from a public key file. Configuring an SSH user To configure an SSH user that uses publickey authentication, perform the procedure in this section.

  • Page 288: Setting The Ssh Management Parameters

    If a client directly sends the user's public key information to the server, you must specify the client's public key on the server and the specified public key must already exist. For more information about public keys, see "Configuring a client's host public key."...

  • Page 289: Configuring The Device As An Stelnet Client

    Step Command Remarks The default setting is 60 seconds. If a user does not finish the Set the SSH user ssh server authentication-timeout authentication when the timeout authentication timeout period. time-out-value timer expires, the connection cannot be established. The default setting is 3. If the authentication method is any, Set the maximum number of ssh server authentication-retries...

  • Page 290: Specifying The Source Ip Address For Ssh Packets

    Specifying the source IP address for SSH packets HP recommends that you specify a loopback interface as the source interface for SSH packets for the following purposes: • Ensuring the communication between the Stelnet client and the Stelnet server. Improving the manageability of Stelnet clients in authentication service.

  • Page 291

    Task Command Remarks • In non-FIPS mode, establish a connection to an IPv4 Stelnet server: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | ecdsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher...

  • Page 292: Configuring The Device As An Sftp Client

    Terminating the connection with the SFTP server Specifying the source IP address for SFTP packets HP recommends that you specify a loopback interface as the source interface for SFTP packets for the following purposes: Ensuring the communication between the SFTP client and the SFTP server.

  • Page 293

    In an insecure network, HP recommends that you configure the server's host public key on the device. After the connection is established, you can directly enter SFTP client view on the server to perform operations, such as working with directories or files.

  • Page 294: Working With Sftp Directories

    Working with SFTP directories Task Command Remarks Change the working directory on cd [ remote-path ] Available in SFTP client view. the SFTP server. Return to the upper-level directory. cdup Available in SFTP client view. Display the current working Available in SFTP client view. directory on the SFTP server.

  • Page 295: Terminating The Connection With The Sftp Server

    If you choose to continue, the device accesses the server and downloads the server's host public key. If you choose to not continue, the connection cannot be established. • In an insecure network, HP recommends that you configure the server's host public key on the device. To transfer files with an SCP server:...

  • Page 296

    Task Command Remarks • In non-FIPS mode, connect to the IPv4 SCP server, and transfer files with this server: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ecdsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex...

  • Page 297: Displaying And Maintaining Ssh

    Displaying and maintaining SSH Execute display commands in any view. Task Command Display the source IP address configured for the display sftp client source SFTP client. Display the source IP address configured for the display ssh client source Stelnet client. Display SSH server status or sessions.

  • Page 298

    <Switch> system-view [Switch] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys...

  • Page 299

    To establish a connection to the Stelnet server: Launch PuTTY.exe to enter the interface shown in Figure In the Host Name (or IP address) field, enter the IP address 192.168.1.40 of the Stelnet server. Figure 87 Specifying the host name (or IP address) Click Open to connect to the server.

  • Page 300: Publickey Authentication Enabled Stelnet Server Configuration Example

    Publickey authentication enabled Stelnet server configuration example Network requirements As shown in Figure 88, you can log in to the switch through the Stelnet client (SSH2) that runs on the host and are assigned the user role network-admin for configuration management. The switch acts as the Stelnet server and uses publickey authentication and the RSA public key algorithm.

  • Page 301

    Continuously move the mouse and do not place the mouse over the green progress bar shown Figure 90. Otherwise, the progress bar stops moving and the key pair generating progress stops. Figure 90 Generating process After the key pair is generated, click Save public key, enter a file name (key.pub in this example), and click Save.

  • Page 302

    Figure 91 Saving a key pair on the client Click Save private key to save the private key. A confirmation dialog box appears. Click Yes, enter a file name (private.ppk in this example), and click Save. Transmit the public key file to the server through FTP or TFTP. (Details not shown.) Configure the Stelnet server: # Generate RSA key pairs.

  • Page 303

    Generating Keys..++++++++++++++++++++++++++++++++++++++++++++++++++* ..+..+..+........+ ...+....+..+...+ Create the key pair successfully. # Enable the SSH server function. [Switch] ssh server enable # Assign an IP address to VLAN-interface 2. The Stelnet client uses this IP address as the destination for SSH connection. [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.40 255.255.255.0 [Switch-Vlan-interface2] quit...

  • Page 304

    Figure 92 Specifying the host name (or IP address) Select Connection > SSH from the navigation tree. The window shown in Figure 93 appears. Specify the Preferred SSH protocol version as 2 in the Protocol options area. Figure 93 Specifying the preferred SSH version...

  • Page 305: Password Authentication Enabled Stelnet Client Configuration Example

    Select Connection > SSH > Auth from the navigation tree. The window shown in Figure 94 appears. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this example), and click OK. Figure 94 Specifying the private key file Click Open to connect to the server.

  • Page 306

    Configuration procedure Configure the Stelnet server: # Generate RSA key pairs. <SwitchB> system-view [SwitchB] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.

  • Page 307

    Establish a connection to the Stelnet server 192.168.1.40: # Assign an IP address to VLAN-interface 2. <SwitchA> system-view [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 192.168.1.56 255.255.255.0 [SwitchA-Vlan-interface2] quit [SwitchA] quit Before establishing a connection to the server, you can configure the server's host public key on the client to authenticate the server.

  • Page 308: Publickey Authentication Enabled Stelnet Client Configuration Example

    [SwitchA-pkey-public-key-key1] peer-public-key end [SwitchA] quit # Establish an SSH connection to the server, and specify the host public key of the server. <SwitchA> ssh2 192.168.1.40 publickey key1 Username: client001 client001@192.168.1.40's password: After you enter the correct password, you log in to Switch B successfully. If you do not configure the server's host public key on the client, when you access the server, the system will ask you whether to continue with the access.

  • Page 309

    If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys..++++++++++++++++++++++++++++++++++++++++++++++++++* ..+..+..+........+ ...+....+..+...+ Create the key pair successfully. # Export the DSA host public key to file key.pub. [SwitchA] public-key local export dsa ssh2 key.pub [SwitchA] quit # Transmit the public key file key.pub to the server through FTP or TFTP.

  • Page 310: Sftp Configuration Examples

    [SwitchB-line-vty0-63] quit # Import the peer public key from the file key.pub, and name it switchkey. [SwitchB] public-key peer switchkey import sshkey key.pub # Create an SSH user client002 with the authentication method publickey, and assign the public key switchkey to the user. [SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey switchkey # Create a local device management user client002 with the service type ssh and the user role...

  • Page 311

    Configuration procedure Configure the SFTP server: # Generate RSA key pairs. <Switch> system-view [Switch] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.

  • Page 312: Publickey Authentication Enabled Sftp Client Configuration Example

    NOTE: PSFTP supports only password authentication. To establish a connection to the SFTP server: Run the psftp.exe to launch the client interface shown in Figure 98, and enter the following command: open 192.168.1.45 Enter username client002 and password aabbcc as prompted to log in to the SFTP server. Figure 98 SFTP client interface Publickey authentication enabled SFTP client configuration example...

  • Page 313

    Configure the SFTP client: # Assign an IP address to VLAN-interface 2. <SwitchA> system-view [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 192.168.0.2 255.255.255.0 [SwitchA-Vlan-interface2] quit # Generate RSA key pairs. [SwitchA] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes.

  • Page 314

    # Enable the SFTP server function. [SwitchB] sftp server enable # Assign an IP address to VLAN-interface 2. The SFTP client uses the address as the destination for SSH connection. [SwitchB] interface vlan-interface 2 [SwitchB-Vlan-interface2] ip address 192.168.0.1 255.255.255.0 [SwitchB-Vlan-interface2] quit # Import the peer public key from the file pubkey, and name it switchkey.

  • Page 315: Scp Configuration Examples

    sftp> mkdir new1 sftp> dir -l -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup...

  • Page 316: Scp File Transfer With Password Authentication

    SCP file transfer with password authentication Network requirements As shown in Figure 100, you can log in to Switch B through the SCP client that runs on Switch A. After login, you are assigned the user role network-admin and can securely transfer files with Switch B. Switch B uses the password authentication method and the client 's username and password are saved on Switch B.

  • Page 317: Netconf Over Ssh Configuration Example With Password Authentication

    # Create a local device management user named client001 with the plaintext password aabbcc, the service type ssh, and the user role network-admin. [SwitchB] local-user client001 class manage [SwitchB-luser-manage-client001] password simple aabbcc [SwitchB-luser-manage-client001] service-type ssh [SwitchB-luser-manage-client001] authorization-attribute user-role network-admin [SwitchB-luser-manage-client001] quit # Configure an SSH user client001 with service type scp and authentication method password.

  • Page 318

    Figure 101 Network diagram Configuration procedure # Generate RSA key pairs. <Switch> system-view [Switch] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.

  • Page 319

    [Switch] local-user client001 class manage # Set the password to aabbcc in plain text for the local user client001. [Switch-luser-manage-client001] password simple aabbcc # Authorize the local user client001 to use the SSH service. [Switch-luser-manage-client001] service-type ssh # Assign the user role network-admin to the local user client001. [Switch-luser-manage-client001] authorization-attribute user-role network-admin [Switch-luser-manage-client001] quit # Configure an SSH user client001.

  • Page 320: Configuring Ssl

    Configuring SSL Overview Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security for TCP-based application layer protocols such as HTTP. SSL has been widely used in applications such as e-business and online banking to provide secure data transmission over the Internet. SSL security services SSL provides the following security services: Privacy—SSL uses a symmetric encryption algorithm to encrypt data and uses an asymmetric key...

  • Page 321

    Figure 103 SSL protocol stack The following describes the major functions of SSL protocols: SSL record protocol—Fragments data received from the upper layer, computes and adds MAC to • the data, and encrypts the data. • SSL handshake protocol—Negotiates the cipher suite used for secure communication (including the symmetric encryption algorithm, key exchange algorithm, and MAC algorithm), authenticates the server and client, and securely exchanges the key between the server and client.

  • Page 322

    Step Command Remarks Enter system view. system-view By default, the device supports SSL 3.0. (Optional.) Disable SSL 3.0. ssl version ssl3.0 disable This command is available in Release 2311P05 and later versions. Create an SSL server policy and By default, no SSL server ssl server-policy policy-name enter its view.

  • Page 323: Configuring An Ssl Client Policy

    If SSL 3.0 is specified, the client uses SSL 3.0 to connect to the SSL server, whether you disable SSL • 3.0 or not. To ehance system security, HP recommends disabling SSL 3.0 on the device and specifying TLS 1.0 for an SSL client policy. To configure an SSL client policy:...

  • Page 324: Displaying And Maintaining Ssl

    Step Command Remarks • In non-FIPS mode: prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | • In non-FIPS mode: rsa_des_cbc_sha | The default preferred cipher rsa_rc4_128_md5 | suite is rsa_rc4_128_md5. rsa_rc4_128_sha } Specify the preferred cipher •...

  • Page 325: Configuring Ip Source Guard

    Configuring IP source guard Overview IP source guard prevents spoofing attacks by using an IP source guard binding table to match legitimate packets. It drops all packets that do not match the table. The IP source guard binding table can include the following binding entries: Global binding entries •...

  • Page 326: Static Ip Source Guard Binding Entries

    Static IP source guard binding entries Static IP source guard binding entries are configured manually. They are suitable for scenarios where few hosts exist on a LAN and their IP addresses are manually configured. For example, you can configure a static IP source guard binding entry on an interface that connects to a server.

  • Page 327: Ip Source Guard Configuration Task List

    Dynamic IPv6 source guard IPv6 source guard on an interface obtains information from DHCPv6 snooping entries to generate IPv6 source guard binding entries for packet filtering. For more information about DHCPv6 snooping, see Layer 3—IP Services Configuration Guide. IP source guard configuration task list To configure IPv4 source guard, perform the following tasks: Tasks at a glance (Required.)

  • Page 328: Configuring A Static Ipv4 Source Guard Binding Entry

    Step Command Remarks The following interface types are supported: • Layer 2 Ethernet port. interface interface-type • Enter interface view. Layer 3 Ethernet interface. interface-number • Layer 3 Ethernet subinterface. • VLAN interface. • Layer 3 aggregate interface. By default, the function is disabled on an interface.

  • Page 329: Configuring The Ipv6 Source Guard Function

    Step Command Remarks By default, no static IPv4 source guard binding entry is configured on an interface. The vlan vlan-id option is supported only in Layer 2 Ethernet interface view. ip source binding { ip-address Configure a static IPv4 ip-address | ip-address To configure a static binding entry for the source guard binding ip-address mac-address...

  • Page 330: Configuring A Static Ipv6 Source Guard Binding Entry

    Step Command Remarks By default, the function is disabled on an interface. ipv6 verify source { ip-address | Enable the IPv6 source guard If you configure this command on ip-address mac-address | function. an interface multiple times, the mac-address } most recent configuration takes effect.

  • Page 331: Ip Source Guard Configuration Examples

    For IPv4 source guard: Task Command display ip source binding [ static | [ vpn-instance vpn-instance-name ] Display IPv4 source guard [ dhcp-relay | dhcp-server | dhcp-snooping ] ] [ ip-address ip-address ] binding entries. [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ] For IPv6 source guard: Task...

  • Page 332

    <SwitchA> system-view [SwitchA] interface ten-gigabitethernet 1/0/2 [SwitchA-Ten-GigabitEthernet1/0/2] ip verify source ip-address mac-address # On Ten-GigabitEthernet 1/0/2, configure a static IPv4 source guard binding entry for Host C. [SwitchA-Ten-GigabitEthernet1/0/2] ip source binding ip-address 192.168.0.3 mac-address 0001-0203-0405 [SwitchA-Ten-GigabitEthernet1/0/2] quit # Enable IPv4 source guard on Ten-GigabitEthernet 1/0/1. [SwitchA] interface ten-gigabitethernet 1/0/1 [SwitchA-Ten-GigabitEthernet1/0/1] ip verify source ip-address mac-address # On Ten-GigabitEthernet 1/0/1, configure a static IPv4 source guard binding entry for Host A.

  • Page 333: Dynamic Ipv4 Source Guard Using Dhcp Snooping Configuration Example

    Dynamic IPv4 source guard using DHCP snooping configuration example Network requirements As shown in Figure 106, the host (the DHCP client) obtains an IP address from the DHCP server. Enable DHCP snooping on the device to record the IPv4 address and the MAC address of the host in a DHCP snooping entry.

  • Page 334: Dynamic Ipv4 Source Guard Using Dhcp Relay Configuration Example

    The output shows that a dynamic IPv4 source guard binding entry is generated based on a DHCP snooping entry. Dynamic IPv4 source guard using DHCP relay configuration example Network requirements As shown in Figure 107, DHCP relay is enabled on the switch. The host obtains an IP address from the DHCP server through the DHCP relay agent.

  • Page 335: Static Ipv6 Source Guard Configuration Example

    192.168.0.1 0001-0203-0406 Vlan100 DHCP relay The output shows that a dynamic IPv4 source guard binding entry is generated based on a DHCP relay entry. Static IPv6 source guard configuration example Network requirements As shown in Figure 108, configure a static IPv6 source guard binding entry for Ten-GigabitEthernet 1/0/1 of the device to allow only IPv6 packets from the host to pass.

  • Page 336

    Figure 109 Network diagram Configuration procedure Configure DHCPv6 snooping: # Enable DHCPv6 snooping globally. <Switch> system-view [Switch] ipv6 dhcp snooping enable # Configure the interface connecting to the DHCP server as a trusted interface. [Switch] interface ten-gigabitethernet 1/0/2 [Switch-Ten-GigabitEthernet1/0/2] ipv6 dhcp snooping trust [Switch-Ten-GigabitEthernet1/0/2] quit Enable IPv6 source guard: # Enable IPv6 source guard on Ten-GigabitEthernet 1/0/1 and verify the source IP address and...

  • Page 337: Configuring Arp Attack Protection

    Configuring ARP attack protection ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks. Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.

  • Page 338: Configuring Arp Source Suppression

    ARP source suppression—Stops resolving packets from a host if the upper limit on unresolvable IP • packets from the host is reached within an interval of 5 seconds. The device continues ARP resolution when the interval elapses. This feature is applicable if the attack packets have the same source addresses.

  • Page 339: Displaying And Maintaining Unresolvable Ip Attack Protection

    Displaying and maintaining unresolvable IP attack protection Execute display commands in any view. Task Command Display ARP source suppression configuration information. display arp source-suppression Configuration example Network requirements As shown in Figure 1 10, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20.

  • Page 340: Configuring Arp Packet Rate Limit

    Configuration procedure # Enable ARP source suppression and set the threshold to 100. <Device> system-view [Device] arp source-suppression enable [Device] arp source-suppression limit 100 # Enable ARP blackhole routing. [Device] arp resolving-route enable Configuring ARP packet rate limit The ARP packet rate limit feature allows you to limit the rate of ARP packets delivered to the CPU. An ARP detection enabled device will send all received ARP packets to the CPU for inspection.

  • Page 341: Configuring Source Mac-based Arp Attack Detection

    Step Command Remarks Enter Layer 2 Ethernet interface interface-type interface or Layer 2 aggregate interface-number interface view. By default, ARP packet rate limit is Enable ARP packet rate limit arp rate-limit [ pps ] enabled, and the rate limit is 100 and configure the rate limit.

  • Page 342: Displaying And Maintaining Source Mac-based Arp Attack Detection

    Displaying and maintaining source MAC-based ARP attack detection Execute display commands in any view. Task Command Display ARP attack entries detected by source display arp source-mac { slot slot-number | interface MAC-based ARP attack detection. interface-type interface-number } Configuration example Network requirements As shown in Figure 1 1...

  • Page 343: Configuring Arp Packet Source Mac Consistency Check

    Exclude the MAC address of the server from this detection. Configuration procedure # Enable source MAC-based ARP attack detection, and specify the handling method as filter. <Device> system-view [Device] arp source-mac filter # Set the threshold to 30. [Device] arp source-mac threshold 30 # Set the lifetime for ARP attack entries to 60 seconds.

  • Page 344: Configuring Authorized Arp

    Step Command Remarks Enter system view. system-view Enable the ARP active arp active-ack [ strict ] By default, ARP active acknowledgement acknowledgement function. enable function is disabled. Configuring authorized ARP Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP server or dynamic client entries on the DHCP relay agent.

  • Page 345: Configuration Example (on A Dhcp Relay Agent)

    [SwitchA] interface ten-gigabitethernet 1/0/1 [SwitchA-Ten-GigabitEthernet1/0/1] port link-mode route [SwitchA-Ten-GigabitEthernet1/0/1] ip address 10.1.1.1 24 [SwitchA-Ten-GigabitEthernet1/0/1] quit # Configure DHCP. [SwitchA] dhcp enable [SwitchA] dhcp server ip-pool 1 [SwitchA-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.0 [SwitchA-dhcp-pool-1] quit # Enter Layer 3 Ethernet interface view. [SwitchA] interface ten-gigabitethernet 1/0/1 # Enable authorized ARP.

  • Page 346: Enable Dhcp

    Figure 113 Network diagram Configuration procedure Configure Switch A: # Specify the IP address for Ten-GigabitEthernet 1/0/1. <SwitchA> system-view [SwitchA] interface ten-gigabitethernet 1/0/1 [SwitchA-Ten-GigabitEthernet1/0/1] port link-mode route [SwitchA-Ten-GigabitEthernet1/0/1] ip address 10.1.1.1 24 [SwitchA-Ten-GigabitEthernet1/0/1] quit # Configure DHCP. [SwitchA] dhcp enable [SwitchA] dhcp server ip-pool 1 [SwitchA-dhcp-pool-1] network 10.10.1.0 mask 255.255.255.0 [SwitchA-dhcp-pool-1] gateway-list 10.10.1.1...

  • Page 347: Configuring Arp Detection

    # Enable recording of relay entries on the relay agent. [SwitchB] dhcp relay client-information record Configure Switch C: <SwitchC> system-view [SwitchC] ip route-static 10.1.1.0 24 10.10.1.1 [SwitchC] interface ten-gigabitethernet 1/0/2 [SwitchC-Ten-GigabitEthernet1/0/1] port link-mode route [SwitchC-Ten-GigabitEthernet1/0/2] ip address dhcp-alloc [SwitchC-Ten-GigabitEthernet1/0/2] quit Verifying the configuration # Display authorized ARP information on Switch B.

  • Page 348: Configuring Arp Packet Validity Check

    Make sure at least one of static IP source guard binding and DHCP snooping is configured for user • validity check. Otherwise, ARP packets received from ARP untrusted ports are discarded. You must specify a VLAN for an IP source guard binding entry. Otherwise, no ARP packets can •...

  • Page 349: Configuring Arp Restricted Forwarding

    Step Command Remarks Enter Layer 2 Ethernet interface view interface interface-type or Layer 2 aggregate interface view. interface-number (Optional.) Configure the interface as a trusted interface excluded from arp detection trust By default, an interface is untrusted. ARP detection. Configuring ARP restricted forwarding NOTE: ARP restricted forwarding does not apply to ARP packets with multiport MAC as their destination MAC addresses.

  • Page 350: User Validity Check And Arp Packet Validity Check Configuration Example

    User validity check and ARP packet validity check configuration example Network requirements As shown in Figure 1 14, configure Switch B to perform ARP packet validity check and user validity check based on static IP source guard binding entries and DHCP snooping entries for connected hosts. Figure 114 Network diagram Gateway DHCP server...

  • Page 351: Configuring Arp Scanning And Fixed Arp

    [SwitchB] vlan 10 [SwitchB-vlan10] arp detection enable # Configure the upstream interface as a trusted interface. By default, an interface is an untrusted interface. [SwitchB-vlan10] interface ten-gigabitethernet 1/0/3 [SwitchB-Ten-GigabitEthernet1/0/3] arp detection trust [SwitchB-Ten-GigabitEthernet1/0/3] quit # Configure a static IP source guard binding entry on interface Ten-GigabitEthernet 1/0/2 for user validity check.

  • Page 352

    To delete a static ARP entry converted from a dynamic one, use the undo arp ip-address • [ vpn-instance-name ] command. Use the reset arp all command to delete all ARP entries or the reset arp static command to delete all static ARP entries. Configuration procedure To configure ARP scanning and fixed ARP: Step...

  • Page 353: Configuration Example

    Step Command Remarks Enable ARP gateway protection By default, ARP gateway arp filter source ip-address for the specified gateway. protection is disabled. Configuration example Network requirements As shown in Figure 1 15, Host B launches gateway spoofing attacks to Switch B. As a result, traffic that Switch B intends to send to Switch A is sent to Host B.

  • Page 354: Configuration Guidelines

    An interface enabled with this feature checks the sender IP and MAC addresses in a received ARP packet against permitted entries. If a match is found, the packet is handled correctly. If not, the packet is discarded. Configuration guidelines Follow these guidelines when you configure ARP filtering: You can configure a maximum of eight permitted entries on an interface.

  • Page 355

    Figure 116 Network diagram Configuration procedure # Configure ARP filtering on Switch B. <SwitchB> system-view [SwitchB] interface ten-gigabitethernet 1/0/1 [SwitchB-Ten-GigabitEthernet1/0/1] arp filter binding 10.1.1.2 000f-e349-1233 [SwitchB-Ten-GigabitEthernet1/0/1] quit [SwitchB] interface ten-gigabitethernet 1/0/2 [SwitchB-Ten-GigabitEthernet1/0/2] arp filter binding 10.1.1.3 000f-e349-1234 Verifying the configuration # Verify that Ten-GigabitEthernet 1/0/1 permits ARP packets from Host A, and discards other ARP packets.

  • Page 356: Configuring Mff

    Configuring MFF Overview Traditional Ethernet networking solutions use the VLAN technology to isolate users at Layer 2 and to allow them to communicate at Layer 3. When a large number of hosts need to be isolated at Layer 2, you have to assign a network segment for each VLAN and an IP address for each VLAN interface for Layer 3 communication.

  • Page 357: Basic Concepts

    VLAN mapping (see Layer 2—LAN Switching Configuration Guide). • NOTE: When MFF works with static IP source guard entries, you must configure VLAN IDs in the static entries. Otherwise, IP packets allowed by IP source guard are permitted even if their destination MAC addresses are not the MAC address of the gateway.

  • Page 358: Mff Operation Modes

    MFF operation modes The manual mode applies to networks where IP addresses are statically assigned to the hosts, and the hosts cannot obtain the gateway information through DHCP. A VLAN maintains only the MAC address of the default gateway. In manual mode, after receiving an ARP request for a host's MAC address from the gateway, the MFF device directly replies the host's MAC address to the gateway according to the ARP snooping entries.

  • Page 359: Configuring A Network Port

    Configuring a network port Step Command Remarks Enter system view. system-view • Layer 2 Ethernet interface view: interface interface-type Enter Layer 2 Ethernet interface-number interface view or Layer 2 Use either command. • Layer 2 aggregate interface aggregate interface view. view: interface bridge-aggregation interface-number...

  • Page 360: Displaying And Maintaining Mff

    To specify the IP addresses of servers: Step Command Remarks Enter system view. system-view Enter VLAN view. vlan vlan-id By default, no server IP address is specified. If the server's interface connecting Specify the IP addresses of mac-forced-forwarding server to the MFF device uses secondary IP servers.

  • Page 361

    Figure 118 Network diagram Configuration procedure Assign IP addresses to the hosts and the gateway. (Details not shown.) Configure Switch A: # Configure manual-mode MFF on VLAN 100. [SwitchA] vlan 100 [SwitchA-vlan100] mac-forced-forwarding default-gateway 10.1.1.100 # Specify the IP address of the server. [SwitchA-vlan100] mac-forced-forwarding server 10.1.1.200 # Enable ARP snooping on VLAN 100.

  • Page 362: Manual-mode Mff Configuration Example In A Ring Network

    Manual-mode MFF configuration example in a ring network Network requirements As shown in Figure 1 19, all the devices are in VLAN 100, and the switches form a ring. Hosts A, B, and C are assigned IP addresses manually. Configure MFF to isolate the hosts at Layer 2 and allow them to communicate with each other through the gateway at Layer 3.

  • Page 363

    # Configure manual-mode MFF on VLAN 100. [SwitchB] vlan 100 [SwitchB-vlan100] mac-forced-forwarding default-gateway 10.1.1.100 # Specify the IP address of the server. [SwitchB-vlan100] mac-forced-forwarding server 10.1.1.200 # Enable ARP snooping on VLAN 100. [SwitchB-vlan100] arp snooping enable [SwitchB-vlan100] quit # Configure Ten-GigabitEthernet 1/0/4 and Ten-GigabitEthernet 1/0/6 as network ports. [SwitchB] interface ten-gigabitethernet 1/0/4 [SwitchB-Ten-GigabitEthernet1/0/4] mac-forced-forwarding network-port [SwitchB-Ten-GigabitEthernet1/0/4] quit...

  • Page 364: Configuring Urpf

    Configuring uRPF Overview Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.

  • Page 365

    Figure 121 uRPF work flow Checks the received packet Broadcast source address? All-zero source address? Broadcast destination Discards the packet address? Matching FIB entry Default route found? found? Loose uRPF? Loose uRPF? Matching route is a direct Receiving route? interface matches the output interface of the default route?...

  • Page 366

    uRPF checks whether the source address matches a FIB entry: If yes, proceeds to step 3. If no, proceeds to step 6. uRPF checks whether the check mode is loose: If yes, proceeds to step 8. If no, uRPF checks whether the matching route is a direct route: If yes, proceeds to step 5.

  • Page 367: Network Application

    Network application Figure 122 Network diagram ISP B uRPF (loose) ISP A ISP C uRPF (strict) User Configure strict uRPF check between an ISP network and a customer network, and loose uRPF check between ISPs. Configuring uRPF When you configure uRPF, follow these restrictions and guidelines: Global uRPF configuration takes effect on both IPv4 and IPv6 routes.

  • Page 368: Displaying And Maintaining Urpf

    Displaying and maintaining uRPF Execute display commands in any view. Task Command Display uRPF configuration. display ip urpf [ slot slot-number ] uRPF configuration example Network requirements As shown in Figure 123, a client (Switch A) directly connects to an ISP switch (Switch B). Enable strict uRPF check on Switch A and Switch B to prevent source address spoofing attacks.

  • Page 369: Configuring Crypto Engines

    Configuring crypto engines Overview Crypto engines encrypt and decrypt data for service modules. Crypto engines include the following types: • Hardware crypto engines—A hardware crypto engine is a coprocessor integrated on a CPU or hardware crypto card. Hardware crypto engines can accelerate encryption/decryption speed, which improves device processing efficiency.

  • Page 370: Configuring Fips

    Configuring FIPS Overview Federal Information Processing Standards (FIPS) was developed by the National Institute of Standard and Technology (NIST) of the United States. FIPS specifies the requirements for cryptographic modules. FIPS 140-2 defines four levels of security, named "Level 1" to "Level 4", from low to high. The device supports Level 2.

  • Page 371: Configuring Fips Mode

    save. Other commands used for configuration preparation to enter FIPS mode. Configuration rollback is supported in FIPS mode and also during a switch between FIPS mode and • non-FIPS mode. After a configuration rollback between FIPS mode and non-FIPS mode, perform the following tasks: Delete the local user and configure a new local user.

  • Page 372: Configuration Changes In Fips Mode

    The system automatically uses the startup configuration file to reboot the device and enter FIPS mode. You can only use the configured username and password to log in to the FIPS device. After login, you are assigned a user role of crypto officer. Manual reboot To use manual reboot to enter FIPS mode: Enable the password control function globally.

  • Page 373: Exiting Fips Mode

    When the device acts as a server to authenticate a client through public keys, the key pairs for the client must also have a modulus length of 2048 bits. SSH, SNMPv3, IPsec, and SSL do not support DES, 3DES, RC4, and MD5. •...

  • Page 374: Fips Self-tests

    You can also trigger a self-test. If the power-up self-test fails, the device where the self-test process exists reboots. If the conditional self-test fails, the system outputs self-test failure information. NOTE: If a self-test fails, contact HP Support. Power-up self-tests Power-up self-tests include the following types: Known-answer test (KAT) •...

  • Page 375: Conditional Self-tests

    Table 11 Power-up self-test list Type Operations Tests the following algorithms: • DSA (signature and authentication). • RSA (signature and authentication). • RSA (encryption and decryption). Cryptographic algorithm • AES. self-test • 3DES. • SHA1. • HMAC-SHA1. • Random number generator algorithms. Table 12 Power-up self-test list Type Operations...

  • Page 376: Triggering Self-tests

    Triggering self-tests To examine whether the cryptography modules operate correctly, you can trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test. If the self-test fails, the device where the self-test process exists reboots. To trigger a self-test: Step Command...

  • Page 377: Entering Fips Mode Through Manual Reboot

    Verifying the configuration After the device reboots, enter the username root and the password 12345zxcvb!@#$%ZXCVB. The system prompts you to configure a new password. After you configure the new password, the device enters FIPS mode. The new password must be different from the previous password. It must include at least 15 characters, and contain uppercase and lowercase letters, digits, and special characters.

  • Page 378

    [Sysname] password-control composition type-number 4 type-length 1 # Set the minimum length of user passwords to 15 characters. [Sysname] password-control length 15 # Add a local user account for device management, including a username of test, a password of 12345zxcvb!@#$%ZXCVB, a user role of network-admin, and a service type of terminal. [Sysname] local-user test class manage [Sysname-luser-manage-test] password simple 12345zxcvb!@#$%ZXCVB [Sysname-luser-manage-test] authorization-attribute user-role network-admin...

  • Page 379: Exiting Fips Mode Through Automatic Reboot

    Updating user information. Please wait ..… <Sysname> # Display the current FIPS mode state. <Sysname> display fips status FIPS mode is enabled. Exiting FIPS mode through automatic reboot Network requirements A user has logged in to the device in FIPS mode through a console port. Use the automatic reboot method to exit FIPS mode.

  • Page 380

    # Save the current configuration to the root directory of the storage medium, and specify it as the startup configuration file. [Sysname] save The current configuration will be written to the device. Are you sure? [Y/N]:y Please input the file name(*.cfg)[flash:/startup.cfg] (To leave the existing filename unchanged, press the enter key): flash:/startup.cfg exists, overwrite? [Y/N]:y Validating file.

  • Page 381: Configuring Attack Detection And Prevention

    Configuring attack detection and prevention Overview Attack detection and prevention enables a device to detect attacks by inspecting arriving packets, and to take prevention actions, such as packet dropping, to protect a private network. The device supports only TCP fragment attack prevention. Configuring TCP fragment attack prevention The TCP fragment attack prevention feature enables the device to drop attack TCP fragments to prevent TCP fragment attacks that traditional packet filter cannot detect.

  • Page 382: Index

    HWTACACS, EAP-Message attribute, displaying LDAP, EAPOL packet format, displaying local users/local user groups, enable, displaying RADIUS, HP MAC-based access control, FIPS compliance, HP port-based access control, HWTACACS accounting server specification, maintaining, HWTACACS authentication server specification, mandatory port authentication domain,...

  • Page 383

    HWTACACS traffic statistics units, RADIUS shared keys specification, HWTACACS username format, RADIUS SNMP notification, HWTACACS/RADIUS differences, RADIUS timers, ISP domain accounting methods RADIUS traffic statistics units, configuration, RADIUS username format, ISP domain attribute configuration, scheme configuration, ISP domain authentication methods SSH user local authentication+HWTACACS configuration, authorization+RADIUS accounting,...

  • Page 384

    AAA RADIUS, displaying ARP detection, security AAA RADIUS common standard attributes, displaying unresolvable IP attack protection, security AAA RADIUS extended attributes, filtering configuration, 342, security AAA RADIUS HP proprietary attributes, fixed ARP configuration, security AAA RADIUS scheme configuration,...

  • Page 385

    security AAA scheme configuration, security AAA SSH user local authentication+HWTACACS security AAA user group attribute authorization+RADIUS accounting, configuration, security IPsec, authenticating security IPsec authentication algorithms, port security authentication modes, security IPsec Authentication Header. Use port security client macAddressElseUserLoginSecure security IPsec configuration, 220, configuration, security IPsec Encapsulating Security Payload.

  • Page 386

    configuring BAS-IP for unsolicited portal packets configuration, sent to portal authentication server, configuration (DHCP relay agent), configuring cross-subnet portal, 1 19 configuration (DHCP server), configuring destination subnet (portal), authorizing configuring direct portal, security 802.1X port authorization state, configuring extended direct portal, security 802.1X port authorization status, configuring extended re-DHCP portal, security 802.1X port authorized-force state,...

  • Page 387

    security PKI certificate request abort, command security PKI certificate verification, security AAA command accounting method, security PKI CRL, security AAA command authorization method, security PKI domain configuration, communication security PKI entity configuration, security peer host public key entry, security PKI storage path specification, comparing troubleshooting PKI CA certificate import security 802.1X EAP relay/termination...

  • Page 388

    portal authentication source subnet, security AAA user group attributes, portal detection functions, security ARP active acknowledgement, portal fail-permit, security ARP attack protection, portal server detection, security ARP attack protection (unresolvable IP attack), portal user synchronization, 103, security ARP blackhole routing, portal Web server, security ARP detection, portal Web server detection,...

  • Page 389

    security IPsec IPv6 routing protocols, security SSH device as server, security IPsec packet DF bit, security SSH device as SFTP client, security IPsec policy, security SSH device as Stelnet client, security IPsec policy (IKE-based), security SSH SCP, security IPsec policy (IKE-based/direct), security SSH SCP client device, security IPsec policy (IKE-based/template), security SSH SCP file with password...

  • Page 390

    portal authentication server, security PKI, portal Web server, security PKI architecture, security authorized ARP (DHCP server), security PKI CA policy, security IPv4 source guard dynamic configuration with DHCP relay, security PKI certificate access control policy, security MFF server IP address specification, security PKI certificate export, security NETCONF-over-SSH client user line security PKI certificate removal,...

  • Page 391

    security IPv4 source guard dynamic security AAA local users/local user groups, configuration with DHCP relay, security AAA RADIUS, security IPv4 source guard dynamic security ARP detection, configuration with DHCP snooping, security ARP source MAC-based attack security IPv6 source guard dynamic detection, configuration with DHCPv6 snooping, security ARP unresolvable IP attack protection,...

  • Page 392

    security SSH client host public key security 802.1X EAP termination, configuration, security 802.1X periodic online user security SSH DSA host key pair, reauthentication, security SSH Stelnet client publickey security AAA RADIUS session-control feature, authentication, security AAA RADIUS SNMP notification, dst-mac validity check (ARP), security IPsec ACL de-encapsulated packet dynamic check,...

  • Page 393

    security SSH configuration, security ARP packets, 342, security SSH server configuration, FIPS security SSL services, configuration, 359, entering configuration restrictions, security FIPS mode (automatic displaying, reboot), 360, mode configuration, security FIPS mode (manual reboot), 360, mode entry, security peer host public key, 180, mode entry (automatic reboot), mode entry (manual reboot), IPsec security protocol 50,...

  • Page 394

    Hypertext Transfer Protocol. Use HTTP security SSH local key pair, identity security IPsec IKE global identity information configuration, security AAA RADIUS HP proprietary attributes, ignoring handshake feature (802.1X online user), port security server authorization information, handshake protocol (SSL), IKE, 250, See also...

  • Page 395

    AAA RADIUS session-control IP addressing feature, security AAA HWTACACS outgoing packet source implementing IP address, security 802.1X HP MAC-based access security AAA LDAP server IP address control, configuration, security 802.1X HP port-based access security AAA RADIUS outgoing packet source IP...

  • Page 396

    displaying, IKE troubleshooting, dynamic binding entry, IKE-based tunnel for IPv4 packets configuration, IPv4. See IPv4 source guard implementation, IPv6. See IPv6 source guard IPv6. See IPv6 IPsec maintaining, maintaining, static binding entry, mirror image ACLs, ip validity check (ARP), non-mirror image ACLs, IPsec packet DF bit configuration, ACL configuration,...

  • Page 397

    static entry (global), key pair static entry (on interface), security SSH host key pair, 272, IPv6 security SSH server key pair, IPsec. See IPv6 IPsec keychain source guard. See IPv6 source guard security IPsec IKE configuration, IPv6 IPsec keyword routing protocol profile, security IPsec ACL rule keywords, routing protocols configuration, IPv6 source guard...

  • Page 398

    version specification, Lightweight Directory Access Protocol. Use LDAP address. See MAC address limiting authentication. See MAC authentication port security secure MAC addresses, security SSL services, security ARP packet rate limit configuration, MAC address local MAC local authentication configuration, host public key export, RADIUS-based MAC authentication configuration, host public key save to file,...

  • Page 399

    max number concurrent port users manual configuration, security MFF manual-mode in ring network, port security authentication control mode, security MFF manual-mode in tree network, port security client security MFF operation mode, macAddressElseUserLoginSecure message configuration, security ARP attack protection configuration, port security client userLoginWithOUI Message Authentication Code.

  • Page 400

    security 802.1X multicast trigger mode, security 802.1X unicast trigger mode, security IPsec IKE keepalive function configuration, security IPsec ACL-based implementation aggregation, need to know. Use security IPsec ACL-based implementation negotiating per-host, security IPsec IKE negotiation, security IPsec ACL-based implementation security IPsec IKE negotiation mode, standard, NETCONF security IPsec application-based...

  • Page 401

    security AAA HWTACACS scheme security IP source guard dynamic binding entry, configuration, security IP source guard static binding entry, security AAA ISP domain accounting methods security IPsec ACL configuration, configuration, security IPsec ACL de-encapsulated packet security AAA ISP domain attribute check, configuration, security IPsec ACL-based implementation, 224,...

  • Page 402

    security NETCONF-over-SSH client user line security super password control parameters, configuration, security uRPF application, security password control global security uRPF check modes, parameters, security uRPF configuration, security password control local user security uRPF operation, parameters, SSH packet source IP address, security password control user group SSH SFTP packet source IP address, parameters,...

  • Page 403

    security IPsec tunnel for IPv4 packets security AAA no accounting method, configuration, security AAA no authentication, security IPv4 source guard dynamic security AAA no authorization, configuration with DHCP relay, notifying security IPv4 source guard dynamic security AAA RADIUS SNMP notification, configuration with DHCP snooping, security IPsec IKE SNMP notification, security IPv6 source guard dynamic...

  • Page 404

    security ARP packet validity check, security SSH Stelnet client password authentication, security ARP user/packet validity check, security SSH Stelnet server password security IPsec ACL de-encapsulated packet authentication, check, password control security IPsec anti-replay configuration, configuration, 164, 167, security IPsec implementation, displaying, security IPsec packet DF bit configuration, enable,...

  • Page 405

    CA storage path specification, extended portal authentication functions, certificate access control policy, security AAA RADIUS security policy server IP address configuration, certificate export, security IPsec application to interface, certificate import/export, security IPsec configuration, certificate obtain, security IPsec configuration (IKE-based/direct), certificate removal, security IPsec configuration certificate request, (IKE-based/template),...

  • Page 406

    802.1X overview, configuring extended direct authentication, authentication modes, configuring extended re-DHCP authentication, client macAddressElseUserLoginSecure configuring fail-permit, configuration, configuring online detection of users, client userLoginWithOUI configuration, configuring portal-free rule, configuration, 145, 148, configuring re-DHCP authentication, 1 15 displaying, configuring user synchronization, enabling, configuring Web server, feature configuration,...

  • Page 407

    detection and prevention. See attack D&P configuring portal authentication destination subnet, procedure configuring portal authentication server, applying security IPsec policy to interface, configuring portal authentication server authenticating with security 802.1X EAP detection, relay, configuring portal authentication source subnet, authenticating with security 802.1X EAP termination, configuring portal detection functions, binding security IPsec source interface to...

  • Page 408

    configuring security AAA RADIUS schemes, configuring security FIPS mode exit (automatic reboot), configuring security AAA RADIUS security policy server IP address, configuring security FIPS mode exit (manual reboot), configuring security AAA RADIUS server SSH user authentication+authorization, configuring security fixed ARP, configuring security AAA schemes, configuring security IP source guard, configuring security AAA SSH user local...

  • Page 409

    configuring security IPv4 dynamic source guard configuring security SSH device as SFTP client, with DHCP snooping, configuring security SSH device as Stelnet configuring security IPv4 source guard, client, configuring security IPv4 static source configuring security SSH SCP, guard, configuring security SSH SCP client device, configuring security IPv6 dynamic source guard configuring security SSH SCP file transfer with with DHCPv6 snooping,...

  • Page 410

    displaying security 802.1X, enabling security IPsec IKE invalid SPI recovery, displaying security AAA, enabling security IPsec packet logging, displaying security AAA HWTACACS, enabling security IPsec QoS pre-classify, displaying security AAA LDAP, enabling security IPv4 source guard on interface, displaying security AAA local users/local user groups, enabling security IPv6 source guard on interface,...

  • Page 411

    maintaining security IPsec IKE, setting security super password control parameters, maintaining security IPv4 source guard, specifying portal authentication domain, maintaining security IPv6 source guard, specifying security 802.1X access control maintaining security MAC authentication, method, maintaining security password control, specifying security 802.1X mandatory port obtaining security PKI certificate, authentication domain, referencing portal Web server,...

  • Page 412

    troubleshooting security AAA RADIUS packet security 802.1X related protocols, delivery failure, security AAA, troubleshooting security IPsec IKE, security AAA HWTACACS, 7, troubleshooting security IPsec IKE negotiation security AAA RADIUS, 2, failure (no proposal match), security IPsec, troubleshooting security IPsec IKE negotiation security IPsec IKE, failure (no proposal or keychain referenced security LDAP, 9,...

  • Page 413

    RADIUS server, common standard attributes, user authentication methods, displaying, username format, extended attributes, rate HP proprietary attributes, security ARP packet rate limit configuration, HWTACACS/RADIUS differences, real-time information exchange security mechanism, security AAA HWTACACS real-time accounting Login-Service attribute check method, timer,...

  • Page 414

    requesting security IKE SA max number set, security PKI certificate request, security IPsec SA negotiation failure (invalid identity info), resource access restriction (portal authentication), security IPsec SA negotiation failure (no transform restricted forwarding configuration (ARP), set match), restrictions security IPsec transform set configuration, FIPS configuration restrictions, saving IPsec policy configuration (IKE-based),...

  • Page 415

    AAA ISP domain creation, crypto engine configuration, AAA ISP domain methods configuration, displaying 802.1X, AAA LDAP implementation, displaying AAA, AAA LDAP scheme configuration, displaying ARP detection, AAA LDAP server SSH user authentication, displaying crypto engine, AAA local user configuration, displaying IPsec IKE, AAA max concurrent logins, displaying MAC authentication, AAA MPLS L3VPN implementation,...

  • Page 416

    IPsec IKE keepalive function configuration, MAC authentication configuration, 79, 80, IPsec IKE keychain configuration, MAC authentication delay configuration, 83, IPsec IKE mechanism, MAC authentication domain specification, IPsec IKE NAT keepalive function MAC authentication enable, configuration, MAC authentication max number concurrent port IPsec IKE negotiation failure (no proposal or users configuration, keychain referenced correctly),...

  • Page 417

    PKI CA storage path specification, SFTP server function enable, PKI certificate access control policy, SSH authentication methods, PKI certificate export, SSH client host public key configuration, PKI certificate export failure, SSH configuration, PKI certificate import/export, SSH local key pair generation, PKI certificate obtain, SSH management parameters, PKI certificate removal,...

  • Page 418

    server security 802.1X authentication timeout timers, authentication, authorization, and accounting security 802.1X port authorization state, (portal authentication), security 802.1X port max number users, configuring portal authentication server, security AAA HWTACACS timer, configuring portal authentication server security AAA HWTACACS traffic statistics unit, detection, security AAA HWTACACS username format, configuring portal fail-permit,...

  • Page 419

    security AAA RADIUS notifications, security uRPF configuration, 353, 356, security IPsec IKE SNMP notification, security IPsec SNMP notification, AAA RADIUS Login-Service attribute check method, software authentication methods, security crypto engine configuration, client host public key configuration, source configuration, configuring a portal authentication subnet, displaying, configuring BAS-IP for unsolicited portal packets sent to portal authentication server,...

  • Page 420

    Stelnet, security SSH server password authentication, Stelnet client device configuration, security SSH server publickey authentication, Stelnet client password authentication, server connection establishment, Stelnet client publickey authentication, sticky secure MAC address, Stelnet client user line configuration, storage Stelnet configuration, security PKI CA storage path, Stelnet server connection establishment, troubleshooting PKI storage path set failure, Stelnet server password authentication,...

  • Page 421

    security SSH SFTP server connection, security MFF manual-mode in ring network, testing security MFF manual-mode in tree network, security FIPS conditional self-test, transform set (IPsec), security FIPS power-up self-test, Transmission Control Protocol. Use security FIPS triggered self-test, transporting TFTP security IPsec encapsulation transport mode, security local host public key distribution, triggered self-test, time...

  • Page 422

    security IPsec encapsulation tunnel mode, security 802.1X port max number users, security IPsec IKE-based tunnel for IPv4 packets security ARP user validity check, configuration, security ARP user/packet validity check, security IPsec RIPng configuration, setting max number portal users, security IPsec tunnel establishment, troubleshooting/cannot log out portal users on security IPsec tunnel for IPv4 packets access device,...

  • Page 423

    security password not displayed, security MFF manual-mode in ring network, security password setting, security MFF manual-mode in tree network, security password updating, 165, security password user first login, cross-subnet portal authentication for MPLS L3VPN, security password user login attempt limit, security AAA HWTACACS scheme VPN security password user login control, specification,...

  • Page 424

    port security client macAddressElseUserLoginSecure configuration, port security client userLoginWithOUI configuration, port security configuration, 145, 148, port security MAC address autoLearn mode configuration, security 802.1X overview, working with security SSH SFTP directories, security SSH SFTP files, X.500 security AAA LDAP implementation,...

This manual also for:

5900 series

Comments to this Manuals

Symbols: 0
Latest comments: