HP 5920 Series Configuration Manual


HP 5920 & 5900 Switch Series
Security

Configuration Guide

Part number: 5998-2898
Software version: Release2207
Document version: 6W100-20121130


Summary of Contents for HP 5920 Series

  • Page 1: Configuration Guide

    HP 5920 & 5900 Switch Series Security Configuration Guide Part number: 5998-2898 Software version: Release2207 Document version: 6W100-20121130...
  • Page 2 The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an...
  • Page 3: Table Of Contents

    Contents
    Configuring AAA (p. 1)
      Overview (p. 1)
      RADIUS (p. 2)
      HWTACACS (p. 7)
      LDAP (p. 9)
      AAA implementation on the device (p. 11)
      AAA for MPLS L3VPNs (p. 13)
      Protocols and standards (p. 13)
    ...
  • Page 4
      EAP relay (p. 62)
      EAP termination (p. 63)
    Configuring 802.1X (p. 65)
      HP implementation of 802.1X (p. 65)
      Configuration prerequisites (p. 65)
      802.1X configuration task list (p. 65)
      Enabling 802.1X (p. 66)
    ...
  • Page 5
      Configuration task list (p. 85)
      Enabling port security (p. 85)
      Setting port security's limit on the number of secure MAC addresses on a port (p. 86)
      Setting the port security mode (p. 86)
      Configuring port security features (p. 87)
    ...
  • Page 6
      Importing a peer host public key from a public key file (p. 112)
      Entering a peer public key (p. 113)
      Displaying and maintaining public keys (p. 113)
      Example for inputting a peer public key (p. 113)
      Example for importing a public key from a public key file ...
  • Page 7
      Enabling the SFTP server function (p. 155)
      Configuring the user interfaces for SSH clients (p. 155)
      Configuring a client's host public key (p. 156)
      Configuring an SSH user (p. 157)
      Setting the SSH management parameters (p. 158)
    ...
  • Page 8
    Configuring uRPF (p. 217)
      Displaying and maintaining uRPF (p. 217)
      uRPF configuration example (p. 218)
    Support and other resources (p. 219)
      Contacting HP (p. 219)
      Subscription service (p. 219)
      Related information (p. 219)
      Documents (p. 219)
    ...
  • Page 9: Configuring Aaa

    Configuring AAA
    Overview
    Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It specifies the following security functions:
      • Authentication—Identifies users and verifies their validity.
      • Authorization—Grants different users different rights and controls their access to resources and...
  • Page 10: Radius

    The device performs dynamic password authentication. RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access. The RADIUS authorization process is combined with the RADIUS authentication process, and user authorization information is piggybacked in authentication responses.
  • Page 11 Basic RADIUS packet exchange process Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server. Figure 3 Basic RADIUS packet exchange process RADIUS operates in the following manner: The host sends a connection request that carries the user's username and password to the RADIUS client.
  • Page 12 RADIUS packet format RADIUS uses UDP to transmit packets. To ensure smooth packet exchange between the RADIUS server and the client, RADIUS uses a series of mechanisms, including the timer mechanism, the retransmission mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet format.
  • Page 13 The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS server and • to encrypt user passwords. There are two types of authenticators: request authenticator and response authenticator. • The Attributes field (variable in length) carries specific authentication, authorization, and accounting information.
  • Page 14 Vendor-ID—ID of the vendor. Its most significant byte is 0; the other three bytes contains a code • compliant to RFC 1700. Vendor-Type—Type of the sub-attribute. • Vendor-Length—Length of the sub-attribute. • Vendor-Data—Contents of the sub-attribute. • For more information about the proprietary RADIUS sub-attributes of HP, see "HP proprietary RADIUS sub-attributes."...
  • Page 15: Hwtacacs

    Figure 5 Format of attribute 26 HWTACACS HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for PPP, VPDN, and terminal users.
  • Page 16 Figure 6 Basic HWTACACS packet exchange process for a Telnet user Host HWTACACS client HWTACACS server 1) The user tries to log in 2) Start-authentication packet 3) Authentication response requesting the username 4) Request for username 5) The user enters the username 6) Continue-authentication packet with the username 7) Authentication response requesting the password 8) Request for password...
  • Page 17: Ldap

    The user enters the password. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that carries the login password. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication. The HWTACACS client sends a user authorization request packet to the HWTACACS server.
  • Page 18 An LDAP client uses the LDAP server administrator DN to bind with the LDAP server, establishes a connection to the server, and obtains the search rights. The LDAP client uses the username in the authentication information of a user to construct search conditions, searches for the user in the specified root directory of the server, and obtains a user DN list.
  • Page 19: Aaa Implementation On The Device

    After receiving the request, the LDAP server searches for the user DN by the base DN, search scope, and filtering conditions. If a match is found, the LDAP server sends a response to notify the LDAP client of the successful search. There might be one or more user DNs found. The LDAP client uses the obtained user DN and the entered user password as parameters to send a user DN bind request to the LDAP server, which checks whether the user password is correct.
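Pages 18 and 19 describe the LDAP client building its search conditions from the username in the authentication request. Anything that does this must escape the username as an RFC 4515 assertion value before placing it in a filter, otherwise a crafted username such as `*)(uid=*` changes the filter itself instead of being matched as a name. The code below is an added illustration and not the switch's implementation: the helper names, the optional objectClass term and the regular expression used to validate the name attribute are assumptions.

```python
import re

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_FILTER_SPECIALS = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}
# Assumed shape of an attribute description such as cn or uid (no options).
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in _FILTER_SPECIALS:
            out.append(_FILTER_SPECIALS[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            # Control and non-ASCII characters: escape each UTF-8 byte as \XX.
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def strip_domain(username: str, keep_domain: bool = False) -> str:
    """Mirror the with-domain / without-domain choice for userid@isp-name.
    Assumes the last '@' separates the ISP domain name."""
    if keep_domain or "@" not in username:
        return username
    return username.rsplit("@", 1)[0]


def build_user_search_filter(username: str, name_attribute: str = "cn",
                             object_class: str = None) -> str:
    """Filter used to look up the user DN, with the username escaped."""
    if not _ATTR_NAME.match(name_attribute):
        raise ValueError("name attribute is not a plain LDAP attribute description")
    if not username:
        raise ValueError("empty username")
    term = "(%s=%s)" % (name_attribute, escape_filter_value(username))
    if object_class:
        return "(&(objectClass=%s)%s)" % (escape_filter_value(object_class), term)
    return term


def unsafe_filter(username: str, name_attribute: str = "cn") -> str:
    """The same filter built without escaping; shown only to contrast the two."""
    return "(%s=%s)" % (name_attribute, username)


if __name__ == "__main__":
    for name in ("aaa", "hello@bbb", "*)(uid=*"):
        print(unsafe_filter(name), "->", build_user_search_filter(strip_domain(name)))
```

With the hostile username the unescaped filter becomes `(cn=*)(uid=*)`, which the server parses differently from what the client meant, while the escaped form `(cn=\2a\29\28uid=\2a)` can only match a user whose name literally contains those characters. The same discipline applies to the bind step that follows: the DN comes from the server's search result, never from concatenating the raw username into a DN string.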
  • Page 20 AAA also supports configuring a set of default methods for an ISP domain. These default methods are used for users for whom no specific AAA methods are configured. The device supports the following authentication methods: No authentication—All users are trusted and no authentication is performed. Generally, do not use •...
  • Page 21: Aaa For Mpls L3Vpns

    AAA for MPLS L3VPNs In an MPLS L3VPN scenario where clients in different VPNs are centrally authenticated, you can deploy AAA across VPNs to enable forwarding of RADIUS and HWTACACS packets across MPLS VPNs. For example, in the network shown in Figure 9, you can deploy the AAA across VPNs feature, so that the multi-VPN-instance CE (MCE) at the left side of the MPLS backbone serves as a NAS and transparently...
  • Page 22 Maximum idle time permitted for the user before termination of the session. User identification that the NAS sends to the server. For the LAN access Calling-Station-Id service provided by an HP device, this attribute carries the MAC address of the user in the format HHHH-HHHH-HHHH. NAS-Identifier Identification that the NAS uses to identify itself to the RADIUS server.
  • Page 23 Access-Requests. This attribute is present when EAP authentication is used. NAS-Port-Id String for describing the port of the NAS that is authenticating the user. HP proprietary RADIUS sub-attributes Sub-attribute Description Input-Peak-Rate Peak rate in the direction from the user to the NAS, in bps.
  • Page 24: Aaa Configuration Considerations And Task List

    (Sub-attribute: Description)
    Result_Code: Result of the Trigger-Request or SetPolicy operation, zero for success and any other value for failure.
    Connect_ID: Index of the user connection.
    Ftp_Directory: FTP user working directory. When the RADIUS client acts as the FTP server, this attribute is used to set the FTP directory for an FTP user on the RADIUS client.
  • Page 25: Configuring Aaa Schemes

    Configure AAA methods for the users' ISP domains. Remote AAA methods need to reference the configured RADIUS, HWTACACS, and LDAP schemes.
    Figure 10 AAA configuration procedure (flowchart; for local AAA: configure local users and related attributes, then configure AAA methods for different types of users and/or the default methods for all types of users)...
  • Page 26: Configuring Local Users

    Configuring local users To implement local authentication, authorization, and accounting, create local users and configure user attributes on the device. The local users and attributes are stored in the local user database on the device. A local user is uniquely identified by the combination of a username and a user type. Local users are classified into the following types: Device management user—User who logs in to the device for device management.
  • Page 27 information about password management and global password configuration, see "Configuring password control." Local user configuration task list Tasks at a glance (Required.) Configuring local user attributes (Optional.) Configuring user group attributes (Optional.) Displaying and maintaining local users and local user groups Configuring local user attributes Follow these guidelines when you configure local user attributes: When the password control feature is globally enabled by using the password-control enable...
  • Page 28: Configuring User Group Attributes

    Step: (Optional.) Place the local user to the active or blocked state.
      Command: state { active | block }
      Remarks: By default, a created local user is in active state and can request network services.
    Remarks (following step): By default, no binding attribute is configured for a local user.
  • Page 29: Configuring Radius Schemes

    Step: Create a user group and enter its view.
      Command: user-group group-name
      Remarks: By default, there is a system predefined user group named system, which is the default user group.
    Step: Configure authorization attributes for the user group.
      Command: authorization-attribute { acl acl-number | idle-cut minute | vlan ...
      Remarks: By default, no authorization attribute is configured for a user group.
  • Page 30
    Tasks at a glance:
      (Optional.) Setting the username format and traffic statistics units
      (Optional.) Setting the maximum number of RADIUS request transmission attempts
      (Optional.) Setting the status of RADIUS servers
      (Optional.) Specifying the source IP address for outgoing RADIUS packets
      (Optional.) Setting RADIUS timers
      (Optional.) ...
  • Page 31
    Step: Specify the primary RADIUS authentication server.
      Command: primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance ...
      Remarks: Configure at least one command. By default, no authentication server is specified.
  • Page 32 Specifying the shared keys for secure RADIUS communication The RADIUS client and server use the MD5 algorithm and shared keys to generate the Authenticator value for packet authentication and user password encryption. They must use the same key for each type of communication.
  • Page 33 Step Command Remarks radius scheme Enter RADIUS scheme view. radius-scheme-name Optional. Set the format for usernames user-name-format { keep-original By default, the ISP domain name is sent to the RADIUS servers. | with-domain | without-domain } included in a username. Optional.
  • Page 34 If the quiet timer of a server expires or an authentication or accounting response is received from the server, the status of the server changes back to active automatically, but the device does not check the server again during the authentication or accounting process. If no server is found reachable during one search process, the device considers the authentication or accounting attempt a failure.
  • Page 35 RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS. If yes, the server processes the packet. If not, the server drops the packet. The source address of outgoing RADIUS packets is typically the IP address of an egress interface on the NAS to communicate with the RADIUS server.
  • Page 36 If the device receives no response to the accounting-on packet, it resends the packet to the RADIUS server at a particular interval for a specified number of times. The accounting-on feature requires the cooperation of the HP IMC network management system. To configure the accounting-on feature for a RADIUS scheme:...
  • Page 37: Configuring Hwtacacs Schemes

    NAS. The security policy server is the management and control center of the HP EAD solution. To implement all EAD functions, configure both the IP address of the security policy server and that of the IMC Platform on the NAS.
  • Page 38 Tasks at a glance (Optional.) Specifying the HWTACACS accounting servers (Required.) Specifying the shared keys for secure HWTACACS communication (Optional.) Specifying a VPN for the scheme (Optional.) Setting the username format and traffic statistics units (Optional.) Specifying the source IP address for outgoing HWTACACS packets (Optional.) Setting HWTACACS timers (Optional.)
  • Page 39 Step Command Remarks • Specify the primary HWTACACS authentication server: primary authentication { ipv4-address Configure at least one command. | ipv6 ipv6-address } [ port-number | By default, no authentication key { cipher | simple } string | server is specified. vpn-instance vpn-instance-name ] * Specify HWTACACS Two HWTACACS authentication...
  • Page 40 function as the primary accounting server of one scheme and as the secondary accounting server of another scheme at the same time. HWTACACS does not support accounting for FTP users. To specify HWTACACS accounting servers for an HWTACACS scheme: Step Command Remarks Enter system view.
  • Page 41 Step Command Remarks Enter system view. system-view Enter HWTACACS scheme hwtacacs scheme view. hwtacacs-scheme-name By default, an HWTACACS Specify a VPN for the vpn-instance vpn-instance-name scheme belongs to the public HWTACACS scheme. network. Setting the username format and traffic statistics units A username is usually in the format userid@isp-name, where isp-name represents the user's ISP domain name.
  • Page 42 You can specify the source IP address for outgoing HWTACACS packets in HWTACACS scheme view for a specific HWTACACS scheme, or in system view for all HWTACACS schemes whose servers are in a VPN or the public network. Before sending an HWTACACS packet, the NAS selects a source IP address in the following order: The source IP address specified for the HWTACACS scheme.
  • Page 43: Configuring Ldap Schemes

    Step: Enter HWTACACS scheme view.
      Command: hwtacacs scheme hwtacacs-scheme-name
    Step: Set the HWTACACS server response timeout timer.
      Command: timer response-timeout seconds
      Remarks: By default, the HWTACACS server response timeout timer is 5 seconds. This command is not supported in the current software version and is reserved for future support.
  • Page 44
    Creating an LDAP server
    Step: Enter system view.
      Command: system-view
    Step: Create an LDAP server and enter its view.
      Command: ldap server server-name
      Remarks: By default, no LDAP server exists.
    Configuring the IP address of the LDAP server
    Step: Enter system view.
      Command: system-view
    Step: Enter LDAP server view.
  • Page 45
    Step: Set the LDAP server timeout period.
      Command: server-timeout time-interval
      Remarks: By default, the LDAP server timeout period is 10 seconds.
    Configuring administrator attributes
    To configure the administrator DN and password for binding with the LDAP server during LDAP authentication:
    Step Command Remarks...
  • Page 46: Configuring Aaa Methods For Isp Domains

    Step: (Optional.) Specify the username attribute.
      Command: user-parameters user-name-attribute { name-attribute | cn | uid }
      Remarks: By default, the username attribute is cn.
    Step: (Optional.) Specify the username format.
      Command: user-parameters user-name-format { with-domain | without-domain }
      Remarks: By default, the username format is without-domain.
  • Page 47: Configuration Prerequisites

    Configuration prerequisites To use local authentication for users in an ISP domain, configure local user accounts on the device first. "Configuring local user attributes." To use remote authentication, authorization, and accounting, create the required RADIUS, HWTACACS, and LDAP schemes as described in "Configuring RADIUS schemes,"...
  • Page 48: Configuring Authentication Methods For An Isp Domain

    Step: Enter ISP domain view.
      Command: domain isp-name
    Step: (Optional.) Place the ISP domain to the active or blocked state.
      Command: state { active | block }
      Remarks: By default, an ISP domain is in active state, and users in the domain can request...
  • Page 49: Configuring Authorization Methods For An Isp Domain

    Step: Specify the authentication method for LAN users.
      Command: authentication lan-access { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
      Remarks: By default, the default authentication method is used for LAN users.
    Step: Specify the authentication method for login users.
      Command: authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme ...
      Remarks: By default, the default...
  • Page 50: Configuring Accounting Methods For An Isp Domain

    Step: Specify the default authorization method for all types of users.
      Command: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme ...
      Remarks: By default, the authorization method is local.
  • Page 51: Displaying And Maintaining Aaa

    Step: Specify the default accounting method for all types of users.
      Command: accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme ...
      Remarks: By default, the accounting method is local.
  • Page 52: Configuration Procedure

    Figure 11 Network diagram Configuration procedure Configure the HWTACACS server: # On the HWTACACS server, set the shared keys for secure communication with the switch to expert, add an account for the SSH user, and specify the password. (Details not shown.) Configure the switch: # Assign IP addresses to the interfaces.
  • Page 53: Local Authentication, Hwtacacs Authorization, And Radius Accounting For Ssh Users

    # Enable the default-user-role authorization function, so that an SSH user gets the default user role network-operator after passing authentication.
    [Switch] role default-role enable
    Verify the configuration:
    When the user initiates an SSH connection to the switch and enters the correct username and password, the user successfully logs in and can use the commands for the network-operator user role.
  • Page 54: Authentication And Authorization For Ssh Users By A Radius Server

    [Switch] hwtacacs scheme hwtac
    [Switch-hwtacacs-hwtac] primary authorization 10.1.1.2 49
    [Switch-hwtacacs-hwtac] key authorization simple expert
    [Switch-hwtacacs-hwtac] user-name-format without-domain
    [Switch-hwtacacs-hwtac] quit
    # Configure a RADIUS scheme.
    [Switch] radius scheme rd
    [Switch-radius-rd] primary accounting 10.1.1.1 1813
    [Switch-radius-rd] key accounting simple expert
    [Switch-radius-rd] user-name-format without-domain
    [Switch-radius-rd] quit
    # Create a device management user.
  • Page 55: Configuration Procedure

    Set the ports for authentication and accounting to 1812 and 1813, respectively. Select the service type Device Management Service. Select the access device type HP(General). Select the access device from the device list or manually add the access device (with the IP address 10.1.1.2).
  • Page 56 Figure 14 Adding the switch as an access device # Add an account for device management. Click the User tab, and select Access User View > Device Mgmt User from the navigation tree. Then, click Add to configure a device management account as follows: Enter the account name hello@bbb and specify the password.
  • Page 57 Figure 15 Adding an account for device management Configure the switch: # Assign an IP address to VLAN-interface 2, the SSH user access interface. <Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 [Switch-Vlan-interface2] quit # Assign an IP address to VLAN-interface 3, through which the switch communicates with the server.
  • Page 58: Authentication For Ssh Users By An Ldap Server

    [Switch-radius-rad] key authentication simple expert
    # Include the domain names in usernames sent to the RADIUS server.
    [Switch-radius-rad] user-name-format with-domain
    [Switch-radius-rad] quit
    # Create ISP domain bbb and configure authentication and authorization methods for login users.
    [Switch] domain bbb
    [Switch-isp-bbb] authentication login radius-scheme rad
    [Switch-isp-bbb] authorization login radius-scheme rad
    [Switch-isp-bbb] quit
    Verify the configuration:...
  • Page 59 Select Action > New > User from the menu to open the dialog box for adding a user. Enter the username aaa and click Next. Figure 17 Adding user aaa In the pop-up dialog box, enter the password ldap!123456, select options as needed, and click Next.
  • Page 60 From the pop-up dialog box, click the Member Of tab and then select Domain Users and click Add. Figure 19 Modifying user properties In the pop-up Select Groups dialog box, click OK to add user aaa to group Users. Figure 20 Adding user aaa to group Users # Set the administrator password to admin!123456.
  • Page 61 # Assign an IP address to VLAN-interface 2, the SSH user access interface. <Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 24 [Switch-Vlan-interface2] quit # Assign an IP address to VLAN-interface 3, through which the switch communicates with the server.
  • Page 62: Troubleshooting Radius

    Troubleshooting RADIUS
    RADIUS authentication failure
    Symptom: User authentication always fails.
    Analysis: Possible reasons include:
      • A communication failure exists between the NAS and the RADIUS server.
      • The username is not in the format userid@isp-name, or the ISP domain is not correctly configured on...
  • Page 63: Radius Accounting Error

      • The authentication and accounting UDP port numbers configured on the NAS are the same as those of the RADIUS server.
      • The RADIUS server's authentication and accounting port numbers are available.
    RADIUS accounting error
    Symptom: A user is authenticated and authorized, but accounting for the user is not normal.
    Analysis: The accounting server configuration on the NAS is not correct.
  • Page 64
      • The NAS and the LDAP server can ping each other.
      • The IP address and port number of the LDAP server configured on the NAS match those of the server.
      • The username is in the correct format and the ISP domain for the user authentication is correctly...
  • Page 65: 802.1X Overview

    802.1X overview 802.1X is a port-based network access control protocol initially proposed for securing WLANs, and it has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports. 802.1X architecture 802.1X operates in the client/server model.
  • Page 66: 802.1X-Related Protocols

      • Performs unidirectional traffic control to deny traffic from the client.
      • The HP devices support only unidirectional traffic control.
    802.1X-related protocols
    802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the network access device, and the authentication server. EAP is an authentication framework that uses the client/server model.
  • Page 67: Packet Formats

      • Protocol version—The EAPOL protocol version used by the EAPOL packet sender.
      • Type—Type of the EAPOL packet. Table 4 lists the types of EAPOL packets supported by HP implementation of 802.1X.
    Table 4 Types of EAPOL packets (Value, Type)...
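Added example, not from the HP guide, of the EAPOL framing this page describes: EtherType 0x888E, then Protocol version, Type and Length, with an EAP packet (Code, Identifier, Length, Type, Type-Data) as the body when the EAPOL type is 0 (EAP-Packet). The sample frames, an EAPOL-Start sent to the PAE group address 01-80-C2-00-00-03 and an Identity request/response pair, are constructed inline with made-up MAC addresses.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")  # 01-80-C2-00-00-03
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def build_eapol_frame(dst: bytes, src: bytes, eapol_type: int, body: bytes = b"",
                      version: int = 1) -> bytes:
    """Ethernet header, then the 4-byte EAPOL header and its body."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, version, eapol_type, len(body)) + body


def build_eap(code: int, identifier: int, eap_type: int = None, type_data: bytes = b"") -> bytes:
    """Request/Response carry a Type byte; Success/Failure are the bare 4-byte header."""
    if code in (1, 2):
        return struct.pack("!BBHB", code, identifier, 5 + len(type_data), eap_type) + type_data
    return struct.pack("!BBH", code, identifier, 4)


def parse_eap(body: bytes) -> dict:
    if len(body) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP Length does not fit the EAPOL body")
    eap = {"code": EAP_CODES.get(code, code), "id": identifier}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response needs a Type byte")
        eap["type"] = body[4]
        eap["type_data"] = body[5:length]
    return eap


def parse_eapol_frame(frame: bytes) -> dict:
    """Check EtherType and Length, then decode the EAP body for type 0 frames."""
    if len(frame) < 18:
        raise ValueError("frame shorter than Ethernet + EAPOL headers")
    dst, src = frame[:6], frame[6:12]
    ethertype, version, eapol_type, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("EtherType is not 0x888E")
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL body truncated")
    result = {"dst": dst, "src": src, "version": version,
              "type": EAPOL_TYPES.get(eapol_type, eapol_type),
              "to_pae_group": dst == PAE_GROUP_ADDRESS}
    if eapol_type == 0:
        result["eap"] = parse_eap(body)
    return result


# Constructed samples; both MACs are made-up locally administered addresses.
CLIENT_MAC = bytes.fromhex("02005e000001")
SWITCH_MAC = bytes.fromhex("02005e0000ff")
SAMPLE_START = build_eapol_frame(PAE_GROUP_ADDRESS, CLIENT_MAC, 1)
SAMPLE_IDENTITY_REQUEST = build_eapol_frame(CLIENT_MAC, SWITCH_MAC, 0,
                                            build_eap(1, 1, EAP_TYPE_IDENTITY))
SAMPLE_IDENTITY_RESPONSE = build_eapol_frame(SWITCH_MAC, CLIENT_MAC, 0,
                                             build_eap(2, 1, EAP_TYPE_IDENTITY, b"hello@bbb"))


def parse_samples() -> list:
    return [parse_eapol_frame(f) for f in
            (SAMPLE_START, SAMPLE_IDENTITY_REQUEST, SAMPLE_IDENTITY_RESPONSE)]


if __name__ == "__main__":
    for parsed in parse_samples():
        print(parsed)
```

An EAPOL-Start is nothing but the 18-byte header with Length 0, which is why the page notes that a client unable to send it (or an intermediate device that drops the 01-80-C2 group address) leaves the access device to start the exchange with its own Identity EAP-Request.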
  • Page 68: Eap Over Radius

    01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client and the authentication server does not support the multicast address, you must use an 802.1X client (for example, the HP iNode 802.1X client) that can send broadcast EAPOL-Start packets.
  • Page 69: Access Device As The Initiator

    Access device as the initiator The access device initiates authentication, if a client cannot send EAPOL-Start packets. One example is the 802.1X client available with Windows XP. The access device supports the following modes: • Multicast trigger mode—The access device multicasts Identity EAP-Request packets periodically (every 30 seconds by default) to initiate 802.1X authentication.
  • Page 70: Eap Relay

    EAP termination: Works with any RADIUS server that supports PAP or CHAP authentication. However, it:
      • Supports only MD5-Challenge EAP authentication and the "username + password" EAP authentication initiated by an HP iNode 802.1X client.
      • The processing is complex on the network access device.
  • Page 71: Eap Termination

    The network access device responds with an Identity EAP-Request packet to ask for the client username. In response to the Identity EAP-Request packet, the client sends the username in an Identity EAP-Response packet to the network access device. The network access device relays the Identity EAP-Response packet in a RADIUS Access-Request packet to the authentication server.
  • Page 72 Figure 30 802.1X authentication procedure in EAP termination mode In EAP termination mode, the network access device rather than the authentication server generates an MD5 challenge for password encryption. The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.
  • Page 73: Configuring 802.1X

    Configuring 802.1X This chapter describes how to configure 802.1X on an HP device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network, a WLAN, for example, that requires different authentication methods for different users on a port.
  • Page 74: Enabling 802.1X

    If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an HP iNode 802.1X client, you can use both EAP termination and EAP relay. To use EAP-TLS, PEAP, or any other EAP authentication methods, you must use EAP relay. When you make your decision, see "A comparison of EAP relay and EAP...
  • Page 75: Setting The Port Authorization State

    Setting the port authorization state The port authorization state determines whether the client is granted access to the network. You can control the authorization state of a port by using the dot1x port-control command and the following keywords: • authorized-force—Places the port in the authorized state, enabling users on the port to access the...
  • Page 76: Setting The Maximum Number Of Authentication Request Attempts

    Step: Set the maximum number of concurrent 802.1X users on a port. Command: dot1x max-user user-number [ interface interface-list ]. Remarks: The default maximum number of concurrent 802.1X users on a port is 256.
    Setting the maximum number of authentication request attempts The network access device retransmits an authentication request if it receives no response to the request it has sent to the client within a period of time (specified by using the dot1x timer tx-period...
  • Page 77: Configuring The Online User Handshake Function

    Configuring the online user handshake function The online user handshake function checks the connectivity status of online 802.1X users. The network access device sends handshake messages to online users at the interval specified by the dot1x timer handshake-period command. If no response is received from an online user after the maximum number of handshake attempts (set by the dot1x retry command) has been made, the network access device sets the user in the offline state.
  • Page 78: Configuration Procedure

    Configuration procedure To configure the authentication trigger function on a port:
    Step 1: Enter system view. Command: system-view.
    Step 2: (Optional.) Set the username request timeout timer. Command: dot1x timer tx-period tx-period-value. Remarks: The default is 30 seconds.
    Step 3: Enter Ethernet interface view. Command: interface interface-type interface-number.
    Step 4: Enable an authentication trigger. Remarks: By default, the multicast trigger is...
  • Page 79: Enabling The Periodic Online User Re-Authentication Function

    Step: (Optional.) Set the quiet timer. Command: dot1x timer quiet-period quiet-period-value. Remarks: The default is 60 seconds.
    Enabling the periodic online user re-authentication function Periodic online user re-authentication tracks the connection status of online users, and updates the authorization attributes assigned by the server. The re-authentication interval is user configurable. The periodic online user re-authentication timer can also be set by the authentication server in the session-timeout attribute.
  • Page 80: Configuration Procedure

    Configuration procedure Configure the 802.1X client. If HP iNode is used, do not select the Carry version info option in the client configuration. (Details not shown.) Configure the RADIUS servers and add user accounts for the 802.1X users. (Details not shown.) For information about the RADIUS commands used on the access device in this example, see Security Command Reference.
  • Page 81: Verifying The Configuration

    [Device-radius-radius1] primary authentication 10.1.1.1
    [Device-radius-radius1] primary accounting 10.1.1.1
    # Configure the IP addresses of the secondary authentication and accounting RADIUS servers.
    [Device-radius-radius1] secondary authentication 10.1.1.2
    [Device-radius-radius1] secondary accounting 10.1.1.2
    # Specify the shared key between the access device and the authentication server.
    [Device-radius-radius1] key authentication simple name
    # Specify the shared key between the access device and the accounting server....
  • Page 82: Configuring Mac Authentication

    Configuring MAC authentication Overview MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software, and users do not have to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port.
  • Page 83: Configuration Prerequisites

    Configuration prerequisites Before you configure MAC authentication, complete the following tasks: Configure an ISP domain and specify an AAA method. For more information, see "Configuring AAA." For local authentication, you must also create local user accounts (including usernames and passwords), and specify the lan-access service for local users. For RADIUS authentication, make sure the device and the RADIUS server can reach each other, and create user accounts on the RADIUS server.
  • Page 84: Specifying A Mac Authentication Domain

    Specifying a MAC authentication domain By default, MAC authentication users are in the system default authentication domain. To implement different access policies for users, you can specify authentication domains for MAC authentication users in the following ways: • Specify a global authentication domain in system view. This domain setting applies to all ports...
  • Page 85: Setting The Maximum Number Of Concurrent Mac Authentication Users On A Port

    • Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards the user idle. If a user connection has been idle for two consecutive intervals, the device logs the user out and stops accounting for the user. •...
  • Page 86: Local Mac Authentication Configuration Example

    Local MAC authentication configuration example Network requirements As shown in Figure 32, configure local MAC authentication on port Ten-GigabitEthernet 1/0/1 to control Internet access, as follows: • Configure the device to detect whether a user has gone offline every 180 seconds, and if a user fails...
  • Page 87: Verifying The Configuration

    # Configure MAC authentication to use MAC-based accounts. The MAC address usernames and passwords are hyphenated and in lower case.
    [Device] mac-authentication user-name-format mac-address with-hyphen lowercase
    Verifying the configuration
    # Display MAC authentication settings and statistics.
    <Device> display mac-authentication
    MAC authentication is enabled
    User name format is MAC address in lowercase, like xx-xx-xx-xx-xx-xx
    Fixed username: mac
    Fixed password: Not configured...
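The user-name-format command above decides which credentials the access device submits on behalf of each MAC authentication user. The following Python is an added example, not Comware code: it normalizes a source MAC address written in any of the common notations, builds the username/password pair for the mac-address form (with-hyphen or without-hyphen, lowercase or uppercase; the page shows with-hyphen lowercase, the other keyword variants are assumed to mirror it) or returns the fixed account (aaa / 123456 in the RADIUS example on this page), and checks the pair against a constructed user table standing in for the RADIUS or local database. Function names and the user table are assumptions.

```python
import re
from typing import Dict, Optional, Tuple


def normalize_mac(mac: str) -> bytes:
    """Accept 00-1a-2b-3c-4d-5e, 00:1a:2b:3c:4d:5e, 001a.2b3c.4d5e or 001a2b3c4d5e."""
    digits = re.sub(r"[-:.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % mac)
    return bytes.fromhex(digits)


def mac_auth_credentials(src_mac: str, with_hyphen: bool = True, lowercase: bool = True,
                         fixed_account: Optional[Tuple[str, str]] = None) -> Tuple[str, str]:
    """Username and password the access device sends for a user whose frames carry
    src_mac, following mac-authentication user-name-format:
      fixed account name password               -> one shared account for every user
      mac-address [with-hyphen|without-hyphen]
                  [lowercase|uppercase]         -> the MAC address is both username
                                                   and password (assumed keyword set)."""
    if fixed_account is not None:
        return fixed_account
    octets = ["%02x" % b for b in normalize_mac(src_mac)]
    name = "-".join(octets) if with_hyphen else "".join(octets)
    name = name.lower() if lowercase else name.upper()
    return name, name


def mac_authenticate(src_mac: str, user_db: Dict[str, str], **fmt) -> bool:
    """What the RADIUS or local side checks: the generated username exists and the
    generated password matches. user_db is a constructed stand-in for the AAA store."""
    username, password = mac_auth_credentials(src_mac, **fmt)
    return user_db.get(username) == password


if __name__ == "__main__":
    # Constructed RADIUS user table: one MAC-based account, one fixed account.
    users = {"00-1a-2b-3c-4d-5e": "00-1a-2b-3c-4d-5e", "aaa": "123456"}
    print(mac_authenticate("00:1A:2B:3C:4D:5E", users))                              # True
    print(mac_authenticate("00:1A:2B:3C:4D:5F", users))                              # False
    print(mac_authenticate("00:1A:2B:3C:4D:5F", users, fixed_account=("aaa", "123456")))  # True
```

Whichever format is chosen, the only secret in the exchange is derived from the frame's source address, so a successful MAC authentication proves no more than that a frame carried that address; this is why the guide recommends 802.1X where the client can run a supplicant.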
  • Page 88: Configuration Procedure

    Figure 33 Network diagram Configuration procedure Make sure the RADIUS server and the access device can reach each other. Create a shared account for MAC authentication users on the RADIUS server, and set the username aaa and password 123456 for the account. Configure RADIUS-based MAC authentication on the device: # Configure a RADIUS scheme.
  • Page 89: Verifying The Configuration

    # Specify username aaa and password 123456 in plain text for the account shared by MAC authentication users. [Device] mac-authentication user-name-format fixed account aaa password simple 123456 Verifying the configuration # Display MAC authentication settings and statistics. <Device> display mac-authentication MAC authentication is enabled User name format is fixed account Fixed username: aaa...
  • Page 90: Configuring Port Security

    This automatic mechanism enhances network security, and reduces human intervention. NOTE: For scenarios that require only 802.1X authentication or MAC authentication, HP recommends you use the 802.1X authentication or MAC authentication feature rather than port security. For more information about 802.1X and MAC authentication, see "Configuring...
  • Page 91 Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC address or performs authentication, depending on the security mode.
  • Page 92 A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC address, but to the secure MAC address table as secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.
  • Page 93: Configuration Task List

    For wired users, the port performs MAC authentication upon receiving non-802.1X frames and performs 802.1X authentication upon receiving 802.1X frames. macAddressOrUserLoginSecureExt This mode is similar to the macAddressOrUserLoginSecure mode, except that this mode supports multiple 802.1X and MAC authentication users. macAddressElseUserLoginSecure This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority as the Else keyword implies.
  • Page 94: Setting Port Security's Limit On The Number Of Secure Mac Addresses On A Port

    • 802.1X access control mode is MAC-based, and the port authorization state is auto. • Port security mode is noRestrictions. For more information about 802.1X authentication and MAC authentication configuration, see "Configuring 802.1X" and "Configuring MAC authentication." Setting port security's limit on the number of secure MAC addresses on a port You can set the maximum number of secure MAC addresses that port security allows on a port for the following purposes:...
  • Page 95: Configuring Port Security Features

    Step 1: Enter system view. Command: system-view. Step 2: (Optional.) Set an OUI value for user authentication. Command: port-security oui index index-value ... Remarks: By default, no OUI value is configured for user authentication. This command is required for the userlogin-withoui mode. You can set multiple OUIs, but...
  • Page 96: Configuring Intrusion Protection

    To configure the NTK feature: Step 1: Enter system view. Command: system-view. Step 2: Enter interface view. Command: interface interface-type interface-number. Step 3: Configure the NTK feature. Command: port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly }. Remarks: By default, NTK is disabled on a port and all frames are allowed to be sent.
  • Page 97: Configuration Prerequisites

    Table 6 A comparison of static and sticky secure MAC addresses
    Type | Address sources | Aging mechanism | Can be saved and survive a device reboot?
    Static | Manually added | Not available. They never age out unless you manually remove them, change the port security mode, or disable the port security feature. | Yes.
  • Page 98: Ignoring Authorization Information From The Server

    Ignoring authorization information from the server You can configure a port to ignore the authorization information received from the server (a RADIUS server or the local device) after an 802.1X user or MAC authentication user passes authentication. To configure a port to ignore authorization information from the server: Step Command Remarks...
  • Page 99: Configuration Procedure

    Figure 34 Network diagram
    Configuration procedure
    # Enable port security.
    <Device> system-view
    [Device] port-security enable
    # Set the secure MAC aging timer to 30 minutes.
    [Device] port-security timer autolearn aging 30
    # Set port security's limit on the number of secure MAC addresses to 64 on port Ten-GigabitEthernet 1/0/1....
  • Page 100: Userloginwithoui Configuration Example

    After the configuration takes effect, the port allows for MAC address learning, and you can view the number of learned MAC addresses in the Current number of secure MAC addresses field. To view more information about the learned MAC addresses, use the display this command in interface view. [Device] interface ten-gigabitethernet 1/0/1 [Device-Ten-GigabitEthernet1/0/1] display this interface Ten-GigabitEthernet1/0/1...
  • Page 101: Configuration Procedure

    Figure 35 Network diagram Configuration procedure The following configuration steps cover some AAA/RADIUS configuration commands. For more information about the commands, see Security Command Reference. Make sure the host and the RADIUS server can reach each other. Configure AAA: # Configure a RADIUS scheme named radsun. <Device>...
  • Page 102: Verifying The Configuration

    # Add five OUI values. (You can add up to 16 OUI values. The port permits only one user matching one of the OUIs to pass authentication.)
    [Device] port-security oui index 1 mac-address 1234-0100-1111
    [Device] port-security oui index 2 mac-address 1234-0200-1111
    [Device] port-security oui index 3 mac-address 1234-0300-1111
    [Device] port-security oui index 4 mac-address 1234-0400-1111
    [Device] port-security oui index 5 mac-address 1234-0500-1111...
  • Page 103: Macaddresselseuserloginsecure Configuration Example

    Access-Count: 0
    lan-access Authentication Scheme: radius: radsun
    lan-access Authorization Scheme: radius: radsun
    lan-access Accounting Scheme: radius: radsun
    default Authentication Scheme: local
    default Authorization Scheme: local
    default Accounting Scheme: local
    # Display the port security configuration.
    [Device] display port-security interface ten-gigabitethernet 1/0/1
    Port security is enabled globally
    AutoLearn aging time is 0 minutes
    Disableport Timeout: 20s...
  • Page 104: Configuration Procedure

    • For 802.1X users, perform MAC authentication first and then, if MAC authentication fails, 802.1X authentication. • Allow only one 802.1X user to log on. • Use a fixed username and password for MAC authentication of all users. • Set the total number of MAC authenticated users and 802.1X authenticated users to 64. •...
  • Page 105

    Port security is enabled globally
    AutoLearn aging time is 0 minutes
    Disableport Timeout: 20s
    OUI value:
    Ten-GigabitEthernet1/0/1 is link-up
    Port mode: macAddressElseUserLoginSecure
    NeedToKnow mode: NeedToKnowOnly
    Intrusion protection mode: NoAction
    Max number of secure MAC addresses: 64
    Current number of secure MAC addresses: 0
    Authorization is permitted
    After users pass authentication, you can use the following commands to display the user authentication information on the port:...
  • Page 106: Troubleshooting Port Security

    Reauth Period 3600 s
    Max attempts for sending an auth request
    Max number of 802.1X users is 1024 per slot
    Current number of online 802.1X users is 1
    Ten-GigabitEthernet1/0/1 is link-up
    802.1X protocol is enabled
    Handshake is enabled
    802.1X unicast-trigger is disabled
    Periodic reauthentication is disabled
    The port is an authenticator
    Authentication mode is Auto...
  • Page 107: Cannot Configure Secure Mac Addresses

    Cannot configure secure MAC addresses Symptom Cannot configure secure MAC addresses. Analysis No secure MAC address can be configured on a port operating in a port security mode other than autoLearn. Solution Set the port security mode to autoLearn.
    [Device-Ten-GigabitEthernet1/0/1] undo port-security port-mode
    [Device-Ten-GigabitEthernet1/0/1] port-security max-mac-count 64
    [Device-Ten-GigabitEthernet1/0/1] port-security port-mode autolearn
    [Device-Ten-GigabitEthernet1/0/1] port-security mac-address security 1-1-2 vlan 1...
  • Page 108: Configuring Password Control

    Configuring password control Overview Password control refers to a set of functions provided by the device to manage device management users' login and super password setup, expirations, and updates, and to control user login status based on predefined policies. NOTE: Local users are divided into two types: device management users and network access users.
  • Page 109: Password Updating And Expiration

    to make sure all user passwords are relatively complicated. With such a policy configured, when a user configures a password, the system checks the complexity of the password. If the password is not qualified, the configuration will fail. You can apply the following password complexity requirements: A password cannot contain the username or the reverse of the username.
  • Page 110: User Login Control

    You can set the maximum number of history password records for the system to maintain for each user. When the number of history password records exceeds your setting, the most recent record overwrites the earliest one. Current login passwords of device management users are not stored in the password history, because a device management user password is saved in cipher text and cannot be recovered to a plaintext password.
  • Page 111: Password Control Configuration Task List

    Password control configuration task list The password control functions can be configured in several different views, and different views support different functions. The settings configured in different views or for different objects have the following application ranges: • Global settings in system view apply to all local user passwords. ...
  • Page 112: Setting Global Password Control Parameters

    Setting global password control parameters The settings in system view have global significance and apply to all device management users. The password expiration time, minimum password length, and password composition policy can be configured in system view, user group view, or local user view. The password settings with a smaller application scope have a higher priority.
  • Page 113: Setting Local User Password Control Parameters

    Step 1: Create a user group and enter user group view. Command: user-group group-name. Remarks: By default, no user group exists. For information about how to configure a user group, see "Configuring AAA." Step 2: Configure the password expiration time for the user group. Command: password-control aging aging-time. Remarks: By default, the password expiration time of the user group is the same as the global password...
  • Page 114: Setting Super Password Control Parameters

    Setting super password control parameters Step 1: Enter system view. Command: system-view. Step 2: Set the password expiration time for super passwords. Command: password-control super aging aging-time. Remarks: The default setting is 90 days. Step 3: Configure the minimum length for super passwords. Command: password-control super length ... Remarks: The default setting is 10...
  • Page 115 Implement the following super password control policy required for switching to user role network-operator: A super password must contain at least three types of valid characters, five or more characters of each type. Implement the following password control policy for local Telnet user test: The password must contain at least 12 characters.
  • Page 116

    [Sysname-luser-manage-test] password-control aging 20
    # Configure the password of the local user in interactive mode.
    [Sysname-luser-manage-test] password
    Password:
    Confirm :
    Updating user information. Please wait ..
    [Sysname-luser-manage-test] quit
    Verifying the configuration
    # Display the global password control configuration.
    <Sysname> display password-control
    Global password control configurations:
    Password control: Enabled...
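The password control checks described on pages 109 and 110 and configured in the example above (at least three character types with five or more characters of each for the super password; at least 12 characters for local Telnet user test; no username or reversed username inside the password; a bounded history whose newest record overwrites the earliest) can be written out as a checker. The Python below is an added example, not the device's implementation; the four character types, the PasswordPolicy field names, the history size, and the use of salted PBKDF2 digests for history records (which is why a stored password cannot be turned back into plaintext, as the page notes) are assumptions.

```python
import hashlib
import os
from collections import Counter, deque
from dataclasses import dataclass
from typing import Deque, List, Tuple


@dataclass
class PasswordPolicy:
    """Policy knobs mirroring the page; defaults here are assumptions except
    min_length, which is the super password default quoted on page 114."""
    min_length: int = 10        # password-control ... length
    min_types: int = 1          # composition: minimum number of character types
    min_per_type: int = 1       # composition: minimum characters of each type used
    check_username: bool = True # reject username or reversed username inside the password
    history_size: int = 4       # history records kept per user (assumed)


def char_type(ch: str) -> str:
    # Assumption: the four character types are upper-case letters, lower-case
    # letters, digits and special characters (everything else).
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    if ch.isdigit():
        return "digit"
    return "special"


def _digest(salt: bytes, password: str) -> bytes:
    # History records are salted one-way digests, never plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class PasswordHistory:
    """Fixed-size ring: once full, the newest record overwrites the earliest."""

    def __init__(self, size: int) -> None:
        self.records: Deque[Tuple[bytes, bytes]] = deque(maxlen=size)

    def contains(self, password: str) -> bool:
        return any(_digest(salt, password) == dig for salt, dig in self.records)

    def add(self, password: str) -> None:
        salt = os.urandom(16)
        self.records.append((salt, _digest(salt, password)))


def check_password(policy: PasswordPolicy, username: str, password: str,
                   history: PasswordHistory) -> List[str]:
    """Return the policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("shorter than %d characters" % policy.min_length)
    counts = Counter(char_type(c) for c in password)
    if len(counts) < policy.min_types:
        problems.append("fewer than %d character types" % policy.min_types)
    for kind, n in counts.items():
        if n < policy.min_per_type:
            problems.append("fewer than %d %s characters" % (policy.min_per_type, kind))
    if policy.check_username and username:
        lowered = password.lower()
        if username.lower() in lowered or username[::-1].lower() in lowered:
            problems.append("contains the username or its reverse")
    if history.contains(password):
        problems.append("matches a password in the history")
    return problems


def change_password(policy: PasswordPolicy, username: str, new_password: str,
                    history: PasswordHistory) -> List[str]:
    """Apply the policy; on success record the new password in the history."""
    problems = check_password(policy, username, new_password, history)
    if not problems:
        history.add(new_password)
    return problems


if __name__ == "__main__":
    # The two policies from the example on page 115.
    super_policy = PasswordPolicy(min_length=10, min_types=3, min_per_type=5)
    telnet_policy = PasswordPolicy(min_length=12)
    print(check_password(super_policy, "", "ABCDEfghij12345", PasswordHistory(4)))   # []
    print(check_password(telnet_policy, "test", "test-Passw0rd-1", PasswordHistory(4)))
```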
  • Page 117: Managing Public Keys

    Managing public keys Overview This chapter describes public key management for the asymmetric key algorithms including the Rivest-Shamir-Adleman Algorithm (RSA), the Digital Signature Algorithm (DSA), and the Elliptic Curve Digital Signature Algorithm (ECDSA). Many security applications, including SSH, SSL, and PKI, use asymmetric key algorithms to secure communications between two parties, as shown in Figure 37.
  • Page 118: Configuration Procedure

    Table 7 A comparison of different types of asymmetric key algorithms (columns: Type, Number of key pairs, Modulus length, HP recommendation). Modulus length: 512 to 2048 bits. • If you specify a key pair name, the command creates a host key pair. •...
  • Page 119: Exporting A Host Public Key In A Specific Format To A File

    • Exporting a host public key in a specific format to a file (use this method if you can import public keys from a file on the peer device) • Displaying a host public key in a specific format and saving it to a file (use this method if you can...
  • Page 120: Destroying A Local Key Pair

    For information about displaying or exporting host public keys, see "Distributing a local host public key." HP recommends that you configure no more than 20 peer public keys on the device. Importing a peer host public key from a public key file Step...
  • Page 121: Entering A Peer Public Key

    Entering a peer public key Step 1: Enter system view. Command: system-view. Step 2: Specify a name for the peer public key and enter public key view. Command: public-key peer keyname. Remarks: By default, no peer host public key exists. Step 3: Type or copy the key. Remarks: You can use spaces and carriage returns, ...
  • Page 122

    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
    Input the modulus length [default = 1024]:
    Generating Keys....++++++ ........++++++ ..++++++++ ....++++++++
    Create the key pair successfully.
    # Display all local RSA public keys.
    [DeviceA] display public-key local rsa public
    =============================================
    Key name: hostkey (default)
  • Page 123: Example For Importing A Public Key From A Public Key File

    [DeviceB-pkey-public-key-devicea]CB47440AF6BB25ACA50203010001 # Save the public key and return to system view. [DeviceB-pkey-public-key-devicea] peer-public-key end Verifying the configuration # Verify that the key is the same as on Device A. [DeviceB] display public-key peer name devicea ============================================= Key name: devicea Key type: RSA Key modulus: 1024 Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B...
  • Page 124

    ..++++++++ ....++++++++
    Create the key pair successfully.
    # Display all local RSA public keys.
    [DeviceA] display public-key local rsa public
    =============================================
    Key name: hostkey (default)
    Key type: RSA
    Time when key pair created: 16:48:31 2012/06/12
    Key code:
    30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B
    8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E
    45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257
    6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788
    CB47440AF6BB25ACA50203010001
    =============================================...
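The key code printed by display public-key local rsa public is the DER encoding of an X.509 SubjectPublicKeyInfo structure. The Python below is an added example, not device code: it decodes Device A's key code shown above into its modulus and public exponent, which is a cheap cross-check before the key is typed into public-key peer on Device B (the modulus length must match the 1024 bits the device reports and the exponent the usual 65537), and it formats a digest in the 4-hex-digit groups the device uses when it asks whether a retrieved CA certificate's fingerprint is correct. The helper names are assumptions; the key bytes are copied from this page.

```python
import hashlib
from typing import Dict, Tuple

# Key code of Device A's host key, copied from the display public-key output on
# this page: DER SubjectPublicKeyInfo (RFC 5280) carrying an RSAPublicKey (RFC 3279).
KEY_CODE = (
    "30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B"
    "8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E"
    "45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257"
    "6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788"
    "CB47440AF6BB25ACA50203010001"
)
RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def parse_rsa_public_key(key_code_hex: str) -> Tuple[int, int]:
    """Return (modulus, exponent) from the hex key code a Comware device prints."""
    der = bytes.fromhex("".join(key_code_hex.split()))
    tag, spki, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    tag, alg, pos = read_tlv(spki, 0)               # AlgorithmIdentifier
    _, oid, _ = read_tlv(alg, 0)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = read_tlv(spki, pos)              # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsa_pub, _ = read_tlv(bits[1:], 0)           # SEQUENCE { modulus, exponent }
    _, n_bytes, pos = read_tlv(rsa_pub, 0)
    _, e_bytes, _ = read_tlv(rsa_pub, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Hex digest grouped in 4-digit blocks, the layout the device prints when it
    shows a CA certificate's fingerprint and asks "Is the finger print correct?"."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def describe(key_code_hex: str) -> Dict[str, object]:
    """Summary a practitioner compares against the device's own display output."""
    n, e = parse_rsa_public_key(key_code_hex)
    der = bytes.fromhex("".join(key_code_hex.split()))
    return {"modulus_bits": n.bit_length(), "exponent": e,
            "md5": fingerprint(der, "md5"), "sha1": fingerprint(der, "sha1")}


if __name__ == "__main__":
    info = describe(KEY_CODE)
    print(info["modulus_bits"], info["exponent"])   # 1024 65537
    print(info["sha1"])
```

The same read_tlv walker, pointed at a CA certificate's DER bytes, yields the bytes to hash for the fingerprint prompt shown in the PKI examples later on this page, so the value the device prints can be checked against a copy of the CA certificate obtained out of band.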
  • Page 125 200 TYPE is now 8-bit binary ftp> get devicea.pub 500 Unknown command 227 Entering Passive Mode (10,1,1,1,118,252) 150 Accepted data connection 226 File successfully transferred 301 bytes received in 0.003 seconds (98.0 kbyte/s) ftp> quit 221-Goodbye. You uploaded 0 and downloaded 1 kbytes. 221 Logout.
  • Page 126: Configuring Pki

    PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity. HP's PKI system provides certificate management for IPsec and SSL. PKI terminology Digital certificate A digital certificate is a document signed by a certificate authority (CA).
  • Page 127: Pki Architecture

    sure you understand the CA policy before you select a trusted CA for certificate request because different CAs might use different policies. PKI architecture A PKI system consists of PKI entities, CAs, RAs and a certificate/CRL repository, as shown in Figure 40. Figure 40 PKI architecture PKI entity...
  • Page 128: Pki Applications

    After receiving the certificate from the CA, the RA sends the certificate to the LDAP server or other certificate repositories to provide directory navigation services, and notifies the PKI entity that the certificate is successfully issued. The entity obtains the certificate from the certificate repository. PKI applications The PKI technology can satisfy security requirements of online transactions.
  • Page 129: Configuring A Pki Entity

    Tasks at a glance
    (Required.) Configuring a PKI entity
    (Required.) Configuring a PKI domain
    (Required.) Requesting a certificate
    • Configuring automatic certificate request
    • Manually requesting a certificate
    (Optional.) Aborting a certificate request
    (Optional.) Obtaining certificates
    (Optional.) Verifying PKI certificates
    (Optional.) Specifying the storage path for the certificates and CRLs
    (Optional.)...
  • Page 130: Configuring A Pki Domain

    Step: Set the country code of the entity. Command: country country-code-string. Remarks: By default, the country code is not set. Step: Set the locality of the entity. Command: locality locality-name. Remarks: By default, the locality is not set. Step: Set the organization of the entity. Command: organization org-name. Remarks: By default, the organization is not set.
  • Page 131

    Step: Specify the trusted CA. Command: ca identifier name. Remarks: By default, no trusted CA is specified. To obtain a CA certificate, the trusted CA name must be provided. The trusted CA name is in SCEP messages, and the CA server does not use this name unless the server has two CAs configured with the same registration server.
  • Page 132: Requesting A Certificate

    Step: Specify the key pair for... Command: • Specify an RSA key pair: public-key rsa { { encryption name encryption-key-name [ length key-length ] | signature name signature-key-name [ length key-length ] } * | general name ... Remarks: Use at least one command. By default, no key pair is specified. You can specify a non-existing key pair, which is generated during the...
  • Page 133: Configuring Automatic Certificate Request

    Configuring automatic certificate request IMPORTANT: If an automatically requested certificate will soon expire or has expired, the entity does not initiate a re-request to the CA automatically, and the applications using the certificate might be interrupted. In auto request mode, a PKI entity automatically submits a certificate request to the CA when an application works with the PKI entity that does not have a local certificate.
  • Page 134: Aborting A Certificate Request

    • The key pair is used for certificate request. Upon receiving the public key and the identity information, the CA signs and issues a certificate. After the CA issues the certificate, the device obtains and saves it locally. Configuration guidelines • A PKI domain can have local certificates using only one type of cryptographic algorithms (DSA, ...
  • Page 135: Obtaining Certificates

    Step 1: Enter system view. Command: system-view. Step 2: Abort a certificate request. Command: pki abort-certificate-request domain domain-name. Remarks: This command is not saved in the configuration file. Obtaining certificates You can obtain the CA certificate, local certificates, and peer certificates related to a PKI domain from a CA and save them locally for higher lookup efficiency.
  • Page 136: Verifying Pki Certificates

    Step 1: Enter system view. Command: system-view. Step 2: Import or obtain certificates. Command: • Import certificates in offline mode: pki import domain domain-name { der { ca | local | peer } filename filename | p12 local filename filename | pem { ca | local | peer } [ filename filename ] } Remarks: The pki retrieve-certificate...
  • Page 137: Verifying Certificates Without Crl Checking

    Step: Verify the validity of the certificates. Command: pki validate-certificate domain domain-name { ca | local }. Verifying certificates without CRL checking Step 1: Enter system view. Command: system-view. Step 2: Enter PKI domain view. Command: pki domain domain-name. Step 3: Disable CRL checking. Remarks: By default, CRL checking is...
  • Page 138: Removing A Certificate

    IMPORTANT: To export all certificates in the PKCS12 format, the PKI domain must have at least one local certificate. Otherwise, the export operation fails. To back up or import certificates, you can export the CA certificate and the local certificates in a PKI domain to local files or display them on a terminal.
  • Page 139: Configuring A Certificate Access Control Policy

    Step: Remove a certificate. Command: pki delete-certificate domain domain-name { ca | local | peer [ serial serial-num ] }. Remarks: If no serial number is specified, the command removes all peer certificates. Configuring a certificate access control policy You can configure a certificate access control policy on a server to control user access, securing the server.
  • Page 140: Displaying And Maintaining Pki

    Step: Create a certificate access control rule (or statement). Command: rule [ id ] { deny | permit } group-name. Remarks: By default, no statement is configured, and all certificates can pass the verification. You can create multiple statements for a certificate access control policy.
  • Page 141 Configuring the CA server Create a CA server named myca: In this example, you must configure these basic attributes on the CA server: Nickname—Name of the trusted CA. Subject DN—DN attributes of the CA, including the common name (CN), organization unit (OU), organization (O), and country (C).
  • Page 142

    Press CTRL+C to abort.
    Input the modulus length [default = 1024]:
    Generating Keys......++++++ ........++++++
    Create the key pair successfully.
    Request a local certificate:
    # Obtain the CA certificate and save it locally.
    [Device] pki retrieve-certificate domain torsa ca
    The trusted CA's finger print is:
    fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB
    SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8
    Is the finger print correct?(Y/N):y...
  • Page 143: Certificate Request From A Windows 2003 Ca Server

    D1D8B08A DBF16205 7C2A4011 05F11094 73EB0549 A65D9E74 0F2953F2 D4F0042F 19103439 3D4F9359 88FB59F3 8D4B2F6C Exponent: 65537 (0x10001) X509v3 extensions: X509v3 CRL Distribution Points: URI:http://4.4.4.133:447/myca.crl Signature Algorithm: sha1WithRSAEncryption 836213A4 F2F74C1A 50F4100D B764D6CE B30C0133 C4363F2F 73454D51 E9F95962 EDE9E590 E7458FA6 765A0D3F C4047BC2 9C391FF0 7383C4DF 9A0CCFA9 231428AF 987B029C C857AD96 E4C92441 9382E798 8FCC1E4A 3E598D81 96476875 E2F86C33 75B51661 B6556C5E 8F546E97 5197734B...
  • Page 144 Select Control Panel > Administrative Tools > Certificate Authority from the start menu. If the certificate service component and SCEP add-on have been installed successfully, there should be two certificates issued by the CA to the RA. Right-click the CA server in the navigation tree and select Properties > Policy Module. Click Properties and then select Follow the settings in the certificate template, if applicable.
  • Page 145 Input the modulus length [default = 1024]: Generating Keys......++++++ ........++++++ Create the key pair successfully. Request a local certificate: # Obtain the CA certificate and save it locally. [Device] pki retrieve-certificate domain winserver ca The trusted CA's finger print is: fingerprint:766C D2C8 9E46 845B 4DCE 439C 1C1F 83AB SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4 Is the finger print correct?(Y/N):y...
  • Page 146: Certificate Request From An Openca Server

    Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: B68E4107 91D7C44C 7ABCE3BA 9BF385F8 A448F4E1 X509v3 Authority Key Identifier: keyid:9D823258 EADFEFA2 4A663E75 F416B6F6 D41EE4FE X509v3 CRL Distribution Points: URI:http://l00192b/CertEnroll/CA%20server.crl URI:file://\\l00192b\CertEnroll\CA server.crl Authority Information Access: CA Issuers - URI:http://l00192b/CertEnroll/l00192b_CA%20server.crt CA Issuers - URI:file://\\l00192b\CertEnroll\l00192b_CA server.crt 1.3.6.1.4.1.311.20.2: .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e Signature Algorithm: sha1WithRSAEncryption...
  • Page 147

    [Device-pki-entity-aaa] common-name device
    [Device-pki-entity-aaa] country CN
    [Device-pki-entity-aaa] organization test
    [Device-pki-entity-aaa] organization-unit software
    [Device-pki-entity-aaa] quit
    Configure a PKI domain:
    # Create a PKI domain named openca and enter its view.
    [Device] pki domain openca
    # Specify the name of the trusted CA as myca.
    [Device-pki-domain-openca] ca identifier myca
    # Configure the URL of the registration server in the form of http://host/cgi-bin/pki/scep, where host is the host IP address of the OpenCA server.
  • Page 148 [Device] display pki certificate domain openca local Certificate: Data: Version: 3 (0x2) Serial Number: 21:1d:b8:d2:e4:a9:21:28:e4:de Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, L=shanghai , ST=beijing, O=OpenCA Labs, OU=mysubUnit, CN=sub-ca, DC=pki-subdomain, DC=mydomain-sub, DC=com Validity Not Before: Jun 30 09:09:09 2011 GMT Not After : May 1 09:09:09 2012 GMT Subject: CN=device, O=test, OU=software, C=CN Subject Public Key Info:...
  • Page 149: Certificate Import And Export Configuration Example

    OCSP - URI:http://192.168.222.218:2560/ 1.3.6.1.5.5.7.48.12 - URI:http://192.168.222.218:830/ X509v3 CRL Distribution Points: Full Name: URI:http://192.168.222.218/pki/pub/crl/cacrl.crl Signature Algorithm: sha256WithRSAEncryption 5c:4c:ba:d0:a1:35:79:e6:e5:98:69:91:f6:66:2a:4f:7f:8b: 0e:80:de:79:45:b9:d9:12:5e:13:28:17:36:42:d5:ae:fc:4e: ba:b9:61:f1:0a:76:42:e7:a6:34:43:3e:2d:02:5e:c7:32:f7: 6b:64:bb:2d:f5:10:6c:68:4d:e7:69:f7:47:25:f5:dc:97:af: ae:33:40:44:f3:ab:e4:5a:a0:06:8f:af:22:a9:05:74:43:b6: e4:96:a5:d4:52:32:c2:a8:53:37:58:c7:2f:75:cf:3e:8e:ed: 46:c9:5a:24:b1:f5:51:1d:0f:5a:07:e6:15:7a:02:31:05:8c: 03:72:52:7c:ff:28:37:1e:7e:14:97:80:0b:4e:b9:51:2d:50: 98:f2:e4:5a:60:be:25:06:f6:ea:7c:aa:df:7b:8d:59:79:57: 8f:d4:3e:4f:51:c1:34:e6:c1:1e:71:b5:0d:85:86:a5:ed:63: 1e:08:7f:d2:50:ac:a0:a3:9e:88:48:10:0b:4a:7d:ed:c1:03: 9f:87:97:a3:5e:7d:75:1d:ac:7b:6f:bb:43:4d:12:17:9a:76: b0:bf:2f:6a:cc:4b:cd:3d:a1:dd:e0:dc:5a:f3:7c:fb:c3:29: b0:12:49:5c:12:4c:51:6e:62:43:8b:73:b9:26:2a:f9:3d:a4: 81:99:31:89 To display detailed information about the CA certificate, use the display pki certificate domain command.
  • Page 150 Figure 45 Network diagram Configuration procedure Export the certificate on Device A to specified files: # Export the CA certificate to a file named pkicachain.pem in PEM format. <DeviceA> system-view [DeviceA] pki export domain exportdomain pem ca filename pkicachain.pem # Export the local certificate to a file named pkilocal.pem in PEM format, and use 3DES_CBC to encrypt the private key with the password 111111.
  • Page 151 Bag Attributes friendlyName: localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8 subject=/C=CN/O=OpenCA Labs/OU=Users/CN=subencr 11 issuer=/C=CN/L=shangdi/ST=beijing/O=OpenCA Labs/OU=docm/CN=subca1 -----BEGIN CERTIFICATE----- MIIEUDCCAzigAwIBAgIKCHxnAVyzWhIPLzANBgkqhkiG9w0BAQsFADBmMQswCQYD … -----END CERTIFICATE----- Bag Attributes friendlyName: localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8 Key Attributes: <No Attributes>...
  • Page 152 Serial Number: 98:2c:79:ba:5e:8d:97:39:53:00 Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, L=shangdi, ST=beijing, O=OpenCA Labs, OU=docm, CN=subca1 Validity Not Before: May 26 05:56:49 2011 GMT Not After : Nov 22 05:56:49 2012 GMT Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subsign 11 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus:...
  • Page 153 Full Name: URI:http://192.168.40.130/pki/pub/crl/cacrl.crl Signature Algorithm: sha256WithRSAEncryption 18:e7:39:9a:ad:84:64:7b:a3:85:62:49:e5:c9:12:56:a6:d2: 46:91:53:8e:84:ba:4a:0a:6f:28:b9:43:bc:e7:b0:ca:9e:d4: 1f:d2:6f:48:c4:b9:ba:c5:69:4d:90:f3:15:c4:4e:4b:1e:ef: 2b:1b:2d:cb:47:1e:60:a9:0f:81:dc:f2:65:6b:5f:7a:e2:36: 29:5d:d4:52:32:ef:87:50:7c:9f:30:4a:83:de:98:8b:6a:c9: 3e:9d:54:ee:61:a4:26:f3:9a:40:8f:a6:6b:2b:06:53:df:b6: 5f:67:5e:34:c8:c3:b5:9b:30:ee:01:b5:a9:51:f9:b1:29:37: 02:1a:05:02:e7:cc:1c:fe:73:d3:3e:fa:7e:91:63:da:1d:f1: db:28:6b:6c:94:84:ad:fc:63:1b:ba:53:af:b3:5d:eb:08:b3: 5b:d7:22:3a:86:c3:97:ef:ac:25:eb:4a:60:f8:2b:a3:3b:da: 5d:6f:a5:cf:cb:5a:0b:c5:2b:45:b7:3e:6e:39:e9:d9:66:6d: ef:d3:a0:f6:2a:2d:86:a3:01:c4:94:09:c0:99:ce:22:19:84: 2b:f0:db:3e:1e:18:fb:df:56:cb:6f:a2:56:35:0d:39:94:34: 6d:19:1d:46:d7:bf:1a:86:22:78:87:3e:67:fe:4b:ed:37:3d: d6:0a:1c:0b Certificate: Data: Version: 3 (0x2) Serial Number: 08:7c:67:01:5c:b3:5a:12:0f:2f Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, L=shangdi, ST=beijing, O=OpenCA Labs, OU=docm, CN=subca1 Validity Not Before: May 26 05:58:26 2011 GMT Not After : Nov 22 05:58:26 2012 GMT...
  • Page 154: Troubleshooting Pki Configuration

    CA:FALSE Netscape Cert Type: SSL Server X509v3 Key Usage: Key Encipherment, Data Encipherment Netscape Comment: VPN Server of OpenCA Labs X509v3 Subject Key Identifier: CC:96:03:2F:FC:74:74:45:61:38:1F:48:C0:E8:AA:18:24:F0:2B:AB X509v3 Authority Key Identifier: keyid:70:54:40:61:71:31:02:06:8C:62:11:0A:CC:A5:DB:0E:7E:74:DE:DD X509v3 Subject Alternative Name: email:subencr@docm.com X509v3 Issuer Alternative Name: DNS:subca1@docm.com, DNS:, IP Address:1.1.2.2, IP Address:2.2.1.1 Authority Information Access: CA Issuers - URI:http://titan/pki/pub/cacert/cacert.crt OCSP - URI:http://titan:2560/...
  • Page 155: Failed To Obtain The Ca Certificate

    Failed to obtain the CA certificate
    Symptom: The CA certificate cannot be obtained.
    Analysis:
    • The network connection is down because, for example, the network cable is damaged or the connectors have bad contact.
    • No trusted CA is specified.
    • The URL of the registration server is not correct or not specified.
  • Page 156: Failed To Request Local Certificates

    Specify the key pair used for certificate request in the PKI domain, generate the proper key pair, and make sure it matches the local certificates to be obtained. Reference the proper PKI entity in the PKI domain, and correctly configure the PKI entity. Obtain CRLs.
  • Page 157: Failed To Obtain Crls

    Failed to obtain CRLs
    Symptom: CRLs cannot be obtained.
    Analysis:
    • The network connection is down because, for example, the network cable is damaged or the connectors have bad contact.
    • No CA certificate has been obtained before you try to obtain CRLs.
    ...
  • Page 158: Failed To Import A Local Certificate

    Failed to import a local certificate
    Symptom: A local certificate cannot be imported.
    Analysis:
    • The PKI domain has no CA certificate, and the certificate file to be imported does not contain the CA certificate chain.
    • CRL checking is enabled, but CRLs do not exist locally or CRLs cannot be obtained.
    ...
  • Page 159: Failed To Set The Storage Path

    Failed to set the storage path
    Symptom: The storage path for certificates or CRLs cannot be set.
    Analysis:
    • The specified storage path does not exist.
    • The specified storage path is illegal.
    • The disk space is full.
    Solution: Use mkdir to create the path.
  • Page 160: Configuring Ssh

    Configuring SSH Overview Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. Adopting the typical client/server model, SSH can establish a channel to protect data transfer based on TCP. SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible.
  • Page 161: Ssh Authentication Methods

    CLI. The text pasted at one time must be no more than 2000 bytes. Interaction HP recommends that you paste commands in the same view. Otherwise, the server might not be able to correctly execute the commands. To execute commands of more than 2000 bytes, save the commands in a configuration file, upload it to the server through SFTP, and use it to restart the server.
  • Page 162: Configuring The Device As An Ssh Server

    • Password-publickey authentication—The server requires SSH2 clients to pass both password authentication and publickey authentication. However, an SSH1 client only needs to pass either authentication, regardless of the requirement of the server.
    • Any authentication—The server requires clients to pass either password authentication or publickey authentication.
  • Page 163: Enabling The Ssh Server Function

    • The public-key local create dsa command generates only a host key pair. SSH1 does not support the DSA algorithm.
    • The key modulus length must be less than 2048 bits when you use the public-key local create dsa command to generate the DSA key pair on the SSH server.
    Configuration procedure
    To generate local DSA or RSA key pairs on the SSH server: Step...
  • Page 164: Configuring A Client's Host Public Key

    PKCS format. HP recommends that you configure no more than 20 SSH client host public keys on an SSH server. To manually configure a client's host public key:...
  • Page 165: Configuring An Ssh User

    Step: Configure a client's host public key. Command: Enter the content of the host public key. Remarks: When you enter the contents for a host public key, you can use spaces and carriage returns between characters. When you save the host public key, spaces...
  • Page 166: Setting The Ssh Management Parameters

    If publickey authentication, whether with password authentication or not, is used, the user role is specified by the authorization-attribute command in the associated local user view. If you change the authentication method or public key for an SSH user that has been logged in, the •...
  • Page 167: Configuring The Device As An Stelnet Client

    To make sure the Stelnet client and the Stelnet server can communicate with each other, and to improve the manageability of Stelnet clients in the authentication service, HP recommends that you specify a loopback interface or dialer interface as the source interface.
  • Page 168: Establishing A Connection To An Stelnet Server

    Step: Specify a source address or source interface for the Stelnet client. Command (use either): to specify a source IPv4 address or source interface, ssh client source { interface interface-type interface-number | ip ip-address }. Remarks: By default, a Stelnet client uses the IP address of the outbound interface specified by the route...
  • Page 169: Configuring The Device As An Sftp Client

    Task Command Remarks • Establish a connection to an IPv4 Stelnet server: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer- compress zlib | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } |...
  • Page 170: Establishing A Connection To An Sftp Server

    SFTP clients in the authentication service, HP recommends that you specify a loopback interface or dialer interface as the source interface. To specify a source IP address or source interface for the SFTP client:...
  • Page 171: Working With Sftp Directories

    Task Command Remarks • Establish a connection to an IPv4 SFTP server: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 |...
  • Page 172: Displaying Help Information

    Task Command Remarks Download a file from the remote get remote-file [ local-file ] Available in SFTP client view. server and save it locally. Upload a local file to the SFTP put local-file [ remote-file ] Available in SFTP client view. server.
  • Page 173: Displaying And Maintaining Ssh

    Task Command Remarks • Connect to the IPv4 SCP server, and transfer files with this server: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange...
  • Page 174: Stelnet Configuration Examples

    Stelnet configuration examples This section provides examples of configuring Stelnet on switches. Password authentication enabled Stelnet server configuration example Network requirements As shown in Figure 46, you can log in to Switch through the Stelnet client that runs on the host and are assigned the user role network-admin for configuration management.
  • Page 175 # Assign an IP address to VLAN-interface 2, which the Stelnet client will use as the destination for SSH connection. [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.40 255.255.255.0 [Switch-Vlan-interface2] quit # Set the authentication mode for the user interfaces to AAA. [Switch] user-interface vty 0 15 [Switch-ui-vty0-15] authentication-mode scheme [Switch-ui-vty0-15] quit...
  • Page 176: Publickey Authentication Enabled Stelnet Server Configuration Example

    Figure 47 Specifying the host name (or IP address) Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username and password. After entering the username (client001 in this case) and password (aabbcc in this case), you can enter the command-line interface of the server.
  • Page 177 Configuration procedure In the server configuration, the client's host public key is required. Use the client software to generate RSA key pairs on the client before configuring the Stelnet server. A variety of Stelnet client software is available, such as PuTTY and OpenSSH. This example uses a Stelnet client that runs PuTTY version 0.58.
  • Page 178 Figure 50 Generating process After the key pair is generated, click Save public key, enter a file name (key.pub in this case), and click Save. Figure 51 Saving a key pair on the client...
  • Page 179 Click Save private key to save the private key. A warning window pops up asking whether you want to save the private key without any protection. Click Yes, enter a file name (private.ppk in this case), and click Save. (A key saved this way is stored unencrypted on disk; outside a lab, set a key passphrase in PuTTYgen before saving so the private key is protected at rest.) Transmit the public key file to the server through FTP or TFTP. (Details not shown.) Configure the Stelnet server: # Generate the RSA key pairs.
  • Page 180 # Create a local device management user client002 with the service type as ssh and the user role as network-admin. [Switch] local-user client002 class manage [Switch-luser-manage-client002] service-type ssh [Switch-luser-manage-client002] authorization-attribute user-role network-admin [Switch-luser-manage-client002] quit Specify the private key file and establish a connection to the Stelnet server: Launch PuTTY.exe on the Stelnet client to enter the interface as shown in Figure In the Host Name (or IP address) field, enter the IP address of the Stelnet server...
  • Page 181 Figure 53 Specifying SSH version Select Connection > SSH > Auth from the navigation tree. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this case) and click OK. The window as shown in Figure 54 appears.
  • Page 182: Password Authentication Enabled Stelnet Client Configuration Example

    Figure 54 Specifying the private key file Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username. After entering the username (client002), you can enter the command-line interface of the server. Password authentication enabled Stelnet client configuration example Network requirements...
  • Page 183 The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys......++++++ ....++++++ ..++++++++ ....++++++++ # Generate a DSA key pair.
  • Page 184 You can determine whether to configure the host public key of the server on the client before establishing a connection to the server. If you do not configure the host public key of the server on the client, establish an SSH connection to the Stelnet server (192.168.1.40).
  • Page 185: Publickey Authentication Enabled Stelnet Client Configuration Example

    8716261214A5A3B493E866991113B2D [SwitchA-pkey-public-key-key1]485348 [SwitchA-pkey-public-key-key1] peer-public-key end [SwitchA] quit # Establish an SSH connection to the server 192.168.1.40 and specify the host public key of the server. <SwitchA> ssh2 192.168.1.40 publickey key1 Username: client001 client001@192.168.1.40's password: After you enter the correct password, you successfully log in to Switch B. Publickey authentication enabled Stelnet client configuration example Network requirements...
  • Page 186 [SwitchA] quit Then, transmit the public key file key.pub to the server through FTP or TFTP. (Details not shown.) Configure the Stelnet server: # Generate the RSA key pairs. <SwitchB> system-view [SwitchB] public-key local create rsa The range of public key size is (512 ~ 2048) If the key modulus is greater than 512, it will take a few minutes.
  • Page 187: Sftp Configuration Examples

    [SwitchB-luser-manage-client002] quit Establish an SSH connection to the Stelnet server (192.168.1.40). <SwitchA> ssh2 192.168.1.40 Username: client002 The server is not authenticated. Continue? [Y/N]:y Do you want to save the server public key? [Y/N]:n You can log in to Switch B successfully for the first time without configuring its host public key, because the client supports first-time authentication by default. On that first connection the client accepts whatever host key the server presents, so answer Y only after verifying the server's key out of band; otherwise configure the server's host public key on the client before connecting, as in the previous example.
  • Page 188 Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys..++++++++++++++++++++++++++++++++++++++++++++++++++* ..+..+..+........+ ...+....+..+...+ # Enable the SSH server function. [Switch] ssh server enable # Enable the SFTP server. [Switch] sftp server enable # Assign an IP address to VLAN-interface 2, which the client will use as the destination for SSH connection.
  • Page 189: Publickey Authentication Enabled Sftp Client Configuration Example

    Figure 58 SFTP client interface Publickey authentication enabled SFTP client configuration example Network requirements As shown in Figure 59, you can log in to Switch B through the SFTP client that runs on Switch A and are assigned the user role network-admin to execute file management and transfer operations. Switch B acts as the SFTP server and uses publickey authentication and the RSA public key algorithm.
  • Page 190: Ssh Connection

    If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys......++++++ ....++++++ ..++++++++ ....++++++++ # Export the host public key to the file pubkey. [SwitchA] public-key local export rsa ssh2 pubkey [SwitchA] quit # Transmit the public key file pubkey to the server through FTP or TFTP.
  • Page 191 [SwitchB-ui-vty0-15] authentication-mode scheme [SwitchB-ui-vty0-15] quit # Import the peer public key from the file pubkey, and name it switchkey. [SwitchB] public-key peer switchkey import sshkey pubkey # Create the SSH user client001 with the service type as sftp, authentication method as publickey, and public key as switchkey.
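The file that public-key local export rsa ssh2 writes, and that public-key peer ... import sshkey reads, is the SSH2 public key file format (RFC 4716): a base64 blob of the SSH wire encoding of the key (the string "ssh-rsa", then the mpints e and n) between BEGIN/END marker lines. Before binding an SSH user to an imported key it is worth decoding the file to confirm the key type, size and fingerprint against what the client reports. The following is an added example, not code from the HP guide; it builds such a file from a constructed 64-bit toy modulus (real keys on the switch are 512 to 2048 bits), parses it back and reports the OpenSSH-style SHA256 fingerprint. The function names are this example's own.

```python
"""Build and inspect an SSH2 (RFC 4716) public key file.

Added example, not from the HP guide. Models the file format exchanged by
"public-key local export rsa ssh2" and "public-key peer ... import sshkey".
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """SSH 'mpint' for a positive integer: a leading 0x00 keeps the top bit clear."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_blob(e: int, n: int) -> bytes:
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def to_rfc4716(blob: bytes, comment: str) -> str:
    """Wrap a key blob in the RFC 4716 container (body lines kept under 72 characters)."""
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----", f'Comment: "{comment}"',
                      *lines, "---- END SSH2 PUBLIC KEY ----"]) + "\n"


def parse_rfc4716(text: str) -> dict:
    """Decode the container and the ssh-rsa blob; reject any other key type."""
    inside, body = False, []
    for line in text.splitlines():
        if line.startswith("---- BEGIN SSH2 PUBLIC KEY"):
            inside = True
        elif line.startswith("---- END SSH2 PUBLIC KEY"):
            break
        elif inside and ":" not in line:        # skip "Header: value" lines
            body.append(line.strip())
    blob = base64.b64decode("".join(body))
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    n = int.from_bytes(fields[2], "big")
    return {
        "type": "ssh-rsa",
        "e": int.from_bytes(fields[1], "big"),
        "n": n,
        "bits": n.bit_length(),
        # Same form OpenSSH prints with ssh-keygen -l: base64 SHA256 of the blob, no padding.
        "fingerprint": "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("="),
    }


# Constructed toy key: a 64-bit modulus only exercises the encoding; it is not a usable RSA key.
TOY_E = 65537
TOY_N = (1 << 63) + 12345


def roundtrip() -> dict:
    text = to_rfc4716(rsa_blob(TOY_E, TOY_N), "rsa-key-switcha")
    return parse_rfc4716(text)


if __name__ == "__main__":
    info = roundtrip()
    print(f"{info['type']} {info['bits']} bits e={info['e']} {info['fingerprint']}")
```

Point parse_rfc4716 at the pubkey file transferred to Switch B and compare the fingerprint with the one shown on Switch A before running public-key peer switchkey import sshkey pubkey; a mismatch means the file was altered in transit (FTP and TFTP provide no integrity protection).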
  • Page 192: Scp File Transfer With Password Authentication

    -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06:30 new1 # Rename directory new1 to new2 and check if the directory has been successfully renamed . sftp> rename new1 new2 sftp> dir -l -rwxrwxrwx 1 noone nogroup...
  • Page 193: Configuration Procedure

    Configuration procedure Configure the SCP server: # Generate the RSA key pairs. <SwitchB> system-view [SwitchB] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 194 [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 192.168.0.2 255.255.255.0 [SwitchA-Vlan-interface2] quit [SwitchA] quit Connect to the SCP server, download the file remote.bin from the server, and save it locally with the name local.bin. <SwitchA> scp 192.168.0.1 get remote.bin local.bin Username: client001 Connecting to 192.168.0.1 port 22.
  • Page 195: Configuring Ssl

    Configuring SSL Overview Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security for TCP-based application layer protocols such as HTTP. SSL has been widely used in applications such as e-business and online banking to provide secure data transmission over the Internet. SSL security mechanism SSL provides the following security services: Privacy—SSL uses a symmetric encryption algorithm to encrypt data and uses an asymmetric key...
  • Page 196: Ssl Configuration Task List

    Figure 62 SSL protocol stack The following describes the major functions of SSL protocols: SSL record protocol—Fragments data received from the upper layer, computes and adds MAC to • the data, and encrypts the data. • SSL handshake protocol—Negotiates the cipher suite used for secure communication (including the symmetric encryption algorithm, key exchange algorithm, and MAC algorithm), authenticates the server and client, and securely exchanges the key between the server and client.
  • Page 197: Configuring An Ssl Client Policy

    Step: (Optional.) Specify a PKI domain for the SSL server policy. Command: pki-domain domain-name. Remarks: By default, no PKI domain is specified for an SSL server policy. If SSL clients authenticate the server through a digital certificate, you must use this command to specify a PKI domain for the SSL server policy.
  • Page 198: Displaying And Maintaining Ssl

    Step: (Optional.) Specify a PKI domain for the SSL client policy. Command: pki-domain domain-name. Remarks: By default, no PKI domain is specified for an SSL client policy. If the SSL server authenticates the SSL client through a digital certificate, you must use this command to specify a PKI domain and request a local...
  • Page 199: Configuring Ip Source Guard

    Configuring IP source guard Overview IP source guard is a security feature. It is usually configured on a user access interface to help prevent spoofing attacks, in which an attacker uses, for example, the IP address of a valid host, to access the network.
  • Page 200: Dynamic Ipv4 Source Binding Entries

    Dynamic IPv4 source binding entries IP source guard can automatically obtain user information from other modules to generate IPv4 binding entries. On interfaces configured with the dynamic IPv4 source guard function, IP source guard cooperates with different modules to generate IPv4 binding entries dynamically: On an Ethernet port, IP source guard can cooperate with DHCP snooping, obtain the DHCP •...
  • Page 201: Configuring A Static Ipv4 Source Guard Entry On An Interface

    Dynamic IPv4 binding entries can contain such information as the MAC address, IPv4 address, VLAN tag, ingress interface information, and entry type (such as DHCP snooping and DHCP relay). Which information in an entry is used by IP source guard to filter IPv4 packets is determined by the IPv4 source guard configuration on the interface: •...
  • Page 202: Configuring The Ipv6 Source Guard Function

    Configuring the IPv6 source guard function You cannot configure the IPv6 source guard function on a service loopback interface. If IPv6 source guard is enabled on an interface, you cannot assign the interface to a service loopback group. Enabling IPv6 source guard on an interface You must first enable the IPv6 source guard function on an interface before the interface can use static IPv6 binding entries to filter packets.
  • Page 203: Static Ipv4 Source Guard Configuration Example

    Task: Display IPv4 binding entries. Command: display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcp-relay | dhcp-server | dhcp-snooping ] ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ]
    Task: Clear IPv4 binding entries. Command: reset ip source binding [ static [ ip-address ip-address ] | [ vpn-instance...
  • Page 204 # Enable IPv4 source guard on port Ten-GigabitEthernet 1/0/2. <SwitchA> system-view [SwitchA] interface ten-gigabitEthernet 1/0/2 [SwitchA-Ten-GigabitEthernet1/0/2] ip verify source ip-address mac-address # On Ten-GigabitEthernet 1/0/2, configure a static IPv4 source guard entry to allow only IP packets with the source MAC address of 0001-0203-0405 and the source IP address of 192.168.0.3 to pass.
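The filtering rule behind the configuration above is simple to state but worth seeing end to end: once ip verify source is enabled on a port, a packet arriving there is forwarded only if the fields selected on that port (source IP, source MAC, or both) match a binding entry for that same port, whether the entry is static or was learned from DHCP snooping or DHCP relay. The following is an added example, not code from the HP guide; it models that rule over the static entry from the Switch A example (192.168.0.3 / 0001-0203-0405 on Ten-GigabitEthernet 1/0/2). The class and function names, and the use of "XGE1/0/2" as the interface label, are this example's own.

```python
"""IP source guard: filter packets on an access port against a binding table.

Added example, not from the HP guide. Models 'ip verify source { ip-address |
ip-address mac-address | mac-address }' plus static and dynamic binding entries.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


def norm_mac(mac: str) -> str:
    """Accept 0001-0203-0405, 00:01:02:03:04:05 or 000102030405; return 12 lower-case hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return digits


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    interface: str
    vlan: Optional[int] = None
    kind: str = "Static"            # or "DHCP snooping" / "DHCP relay"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    interface: str
    vlan: Optional[int] = None


class IpSourceGuard:
    def __init__(self) -> None:
        self.bindings: Set[Binding] = set()
        self.verify: Dict[str, Set[str]] = {}    # interface -> fields checked on it

    def enable(self, interface: str, *fields: str) -> None:
        """Enable source guard on a port; default is to check both IP and MAC."""
        self.verify[interface] = set(fields) or {"ip-address", "mac-address"}

    def add_binding(self, ip: str, mac: str, interface: str,
                    vlan: Optional[int] = None, kind: str = "Static") -> None:
        self.bindings.add(Binding(ip, norm_mac(mac), interface, vlan, kind))

    def permit(self, p: Packet) -> bool:
        fields = self.verify.get(p.interface)
        if fields is None:
            return True                          # source guard not enabled on this port
        for b in self.bindings:
            if b.interface != p.interface:
                continue
            if "ip-address" in fields and b.ip != p.src_ip:
                continue
            if "mac-address" in fields and b.mac != norm_mac(p.src_mac):
                continue
            if b.vlan is not None and p.vlan is not None and b.vlan != p.vlan:
                continue
            return True
        return False                             # no entry matched: drop


def build_demo() -> IpSourceGuard:
    """Reproduce the static IPv4 source guard entry from the Switch A example."""
    guard = IpSourceGuard()
    guard.enable("XGE1/0/2", "ip-address", "mac-address")
    guard.add_binding("192.168.0.3", "0001-0203-0405", "XGE1/0/2")
    return guard


if __name__ == "__main__":
    g = build_demo()
    for pkt in (Packet("192.168.0.3", "00:01:02:03:04:05", "XGE1/0/2"),
                Packet("192.168.0.9", "00:01:02:03:04:05", "XGE1/0/2"),
                Packet("192.168.0.3", "00:01:02:03:04:99", "XGE1/0/2")):
        print(pkt.src_ip, pkt.src_mac, "permit" if g.permit(pkt) else "drop")
```

Note the asymmetry the model makes visible: a port with source guard enabled but no binding entry for a host drops everything from that host, so static entries (or a working DHCP snooping/relay feed) must exist before ip verify source goes on a production port.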
  • Page 205: Dynamic Ipv4 Source Guard Using Dhcp Snooping Configuration Example

    192.168.0.3 0001-0203-0406 XGE1/0/1 Static # Display static IPv4 source guard entries on Switch B. The output shows that the static IPv4 source guard entries are configured successfully. <SwitchB> display ip source binding static Total entries found: 2 IP Address MAC Address Interface VLAN Type 192.168.0.1...
  • Page 206: Dynamic Ipv4 Source Guard Using Dhcp Relay Configuration Example

    [Switch-Ten-GigabitEthernet1/0/1] ip verify source ip-address mac-address [Switch-Ten-GigabitEthernet1/0/1] quit Verify the configuration: # Display dynamic IPv4 source guard entries obtained from DHCP snooping. [Switch] display ip source binding dhcp-snooping Total entries found: 1 IP Address MAC Address Interface VLAN Type 192.168.0.1 0001-0203-0406 XGE1/0/1 DHCP snooping The output shows that IP source guard has generated a dynamic IPv4 binding entry on port...
  • Page 207: Static Ipv6 Source Guard Configuration Example

    [Switch-Vlan-interface100] dhcp select relay # Specify the IP address of the DHCP server. [Switch-Vlan-interface100] dhcp relay server-address 10.1.1.1 [Switch-Vlan-interface100] quit Verify the configuration: # Display dynamic IPv4 source guard entries. [Switch] display ip source binding dhcp-relay Total entries found: 1 IP Address MAC Address Interface...
  • Page 208: Configuring Arp Attack Protection

    Configuring ARP attack protection ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks. Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
  • Page 209: Configuring Arp Source Suppression

    • ARP source suppression—If the attack packets have the same source address, you can enable the ARP source suppression function, and set the maximum number of unresolvable IP packets that the device can receive from a host within 5 seconds. If the threshold is reached, the device stops resolving packets from the host until the 5 seconds elapse.
  • Page 210: Configuring Arp Packet Rate Limit

    Figure 68 Network diagram (Device is the gateway, with ARP attack protection, toward the IP network; Host A through Host D in the R&D Office are in VLAN 10 and VLAN 20)
    Configuration considerations
    If the attack packets have the same source address, configure the ARP source suppression function as follows: Enable ARP source suppression.
  • Page 211: Configuration Guidelines

    Configuration guidelines
    Configure this feature when ARP detection or ARP snooping is enabled, or when ARP flood attacks are detected.
    Configuration procedure
    This task sets a rate limit for ARP packets received on an interface. Log messages are sent to the information center of the device. You can set output rules for log messages on the information center.
  • Page 212: Displaying And Maintaining Source Mac Address Based Arp Attack Detection

    Step: Enable source MAC address based ARP attack detection and specify the handling method. Command: arp source-mac { filter | monitor }. Remarks: By default, this feature is disabled.
    Step: Configure the threshold. Command: arp source-mac threshold threshold-value. Remarks: By default, the threshold is 30.
    Step: Configure the aging timer for ... Remarks: By default, the lifetime is 300...
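Both ARP source suppression (described earlier) and source MAC address based ARP attack detection (the table above) are per-source counters over a 5-second window with an action once a threshold is reached: suppression stops resolving IP packets from the host for the rest of the window, while source MAC based detection puts the MAC on an attack list for the aging time (300 seconds by default) and either drops its ARP packets (filter) or only raises an alarm (monitor). The following is an added example, not code from the HP guide, implementing both counters with the clock passed in explicitly so the window and aging behaviour can be checked deterministically. The class names and the "forward"/"drop"/"alarm" verdicts are this example's own.

```python
"""Per-source thresholds behind two ARP protection features.

Added example, not from the HP guide. Models ARP source suppression and
source MAC address based ARP attack detection as 5-second window counters.
"""
from typing import Dict, Tuple

WINDOW = 5.0  # seconds, as stated in the guide


class ArpSourceSuppression:
    """Unresolvable IP packets allowed per host within one 5-second window."""

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self._state: Dict[str, Tuple[float, int]] = {}   # host -> (window start, count)

    def allow_resolution(self, host: str, now: float) -> bool:
        start, count = self._state.get(host, (now, 0))
        if now - start >= WINDOW:                 # window elapsed: start counting again
            start, count = now, 0
        count += 1
        self._state[host] = (start, count)
        return count <= self.limit                # beyond the limit: stop resolving


class SourceMacArpDetection:
    """arp source-mac { filter | monitor } with a threshold and an aging timer."""

    def __init__(self, mode: str = "filter", threshold: int = 30, aging: float = 300.0) -> None:
        if mode not in ("filter", "monitor"):
            raise ValueError("mode must be filter or monitor")
        self.mode, self.threshold, self.aging = mode, threshold, aging
        self._counts: Dict[str, Tuple[float, int]] = {}   # mac -> (window start, count)
        self.attackers: Dict[str, float] = {}             # mac -> attack entry expiry time

    def process(self, src_mac: str, now: float) -> str:
        # Age out attack entries whose lifetime has passed.
        for mac, expiry in list(self.attackers.items()):
            if now >= expiry:
                del self.attackers[mac]
        if src_mac in self.attackers:
            return "drop" if self.mode == "filter" else "alarm"
        start, count = self._counts.get(src_mac, (now, 0))
        if now - start >= WINDOW:
            start, count = now, 0
        count += 1
        self._counts[src_mac] = (start, count)
        if count > self.threshold:                # threshold exceeded within 5 seconds
            self.attackers[src_mac] = now + self.aging
            return "drop" if self.mode == "filter" else "alarm"
        return "forward"


if __name__ == "__main__":
    det = SourceMacArpDetection("filter", threshold=3)
    # Constructed burst: four ARP packets from one MAC inside two seconds.
    for t in (0.0, 0.5, 1.0, 1.5):
        print(f"t={t:<4} 0012-3f86-e94c -> {det.process('0012-3f86-e94c', t)}")
```

Start in monitor mode when tuning the threshold: the alarm shows which MAC would have been filtered without actually cutting it off, which matters when the offending MAC belongs to a busy server rather than an attacker.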
  • Page 213: Configuration Considerations

    Figure 69 Network diagram (Device is the gateway, with ARP attack protection, toward the IP network; a Server with MAC address 0012-3f86-e94c and Host A through Host D are attached)
    Configuration considerations
    An attacker may forge a large number of ARP packets by using the MAC address of a valid host as the source MAC address.
  • Page 214: Configuring Arp Packet Source Mac Consistency Check

    Configuring ARP packet source MAC consistency check This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body, so that the gateway can learn correct ARP entries.
  • Page 215: Configuring Arp Packet Validity Check

    DHCP snooping entries are automatically generated by DHCP snooping. For more information, see Layer 3—IP Services Configuration Guide. Configuration guidelines • Make sure at least one of the static IP source guard binding entries and DHCP snooping entries is available for user validity check. Otherwise, ARP packets received from ARP untrusted ports are discarded.
  • Page 216: Configuring Arp Restricted Forwarding

    Step: Enable ARP packet validity check and specify the objects to be checked. Command: arp detection validate { dst-mac | ip | src-mac }. Remarks: By default, ARP packet validity check is disabled.
    Step: Enter Ethernet interface view or aggregate interface view. Command: interface interface-type...
  • Page 217: User Validity Check And Arp Packet Validity Check Configuration Example

    User validity check and ARP packet validity check configuration example Network requirements As shown in Figure 70, configure Switch B to perform ARP packet validity check and user validity check based on static IP source guard binding entries and DHCP snooping entries for connected hosts. Figure 70 Network diagram Gateway DHCP server...
  • Page 218: Configuring Arp Automatic Scanning And Fixed Arp

    # Configure the upstream interface as a trusted interface (an interface is an untrusted interface by default). [SwitchB-vlan10] interface ten-gigabitethernet 1/0/3 [SwitchB-Ten-GigabitEthernet1/0/3] arp detection trust [SwitchB-Ten-GigabitEthernet1/0/3] quit # Configure a static IP source guard binding entry on interface Ten-GigabitEthernet 1/0/2 for user validity check.
  • Page 219: Configuring Arp Gateway Protection

    Step: Enter system view. Command: system-view
    Step: Enter VLAN interface view. Command: interface interface-type interface-number
    Step: Enable ARP automatic scanning. Command: arp scan [ start-ip-address to end-ip-address ]
    Step: Return to system view. Command: quit
    Step: Enable fixed ARP. Command: arp fixup
    Configuring ARP gateway protection
    Configure this feature on interfaces not connected with a gateway to prevent gateway spoofing attacks. When such an interface receives an ARP packet, it checks whether the sender IP address in the packet is consistent with that of any protected gateway.
  • Page 220: Configuring Arp Filtering

    Figure 71 Network diagram Configuration procedure # Configure ARP gateway protection on Switch B. <SwitchB> system-view [SwitchB] interface ten-gigabitethernet 1/0/1 [SwitchB-Ten-GigabitEthernet1/0/1] arp filter source 10.1.1.1 [SwitchB-Ten-GigabitEthernet1/0/1] quit [SwitchB] interface ten-gigabitethernet 1/0/2 [SwitchB-Ten-GigabitEthernet1/0/2] arp filter source 10.1.1.1 After the configuration is complete, Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 discard the incoming ARP packets whose sender IP address is the IP address of the gateway.
  • Page 221: Configuration Example

    Step: Enter system view. Command: system-view
    Step: Enter Ethernet interface or aggregate interface view. Command: interface interface-type interface-number
    Step: Enable ARP filtering and configure a permitted entry. Command: arp filter binding ip-address mac-address. Remarks: By default, ARP filtering is disabled.
    Configuration example
    Network requirements
    As shown in Figure 72, the IP and MAC addresses of Host A are 10.1.1.2 and 000f-e349-1233...
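The per-packet ARP checks in the preceding sections all inspect the same few fields of an ARP frame, so they are easiest to understand side by side on raw frames. The following is an added example, not code from the HP guide; it builds Ethernet/ARP frames (constructed here, not captured) and applies: the source MAC consistency check (Ethernet source MAC must equal the ARP sender MAC); the validity-check objects src-mac (the same comparison), dst-mac (for replies, the Ethernet destination must equal the ARP target MAC) and ip (all-zero, all-one and multicast addresses are invalid; which addresses are inspected per opcode is not stated on this page, so this example checks the sender IP of every packet and also the target IP of replies, which is an assumption); ARP gateway protection (drop ARP whose sender IP is a protected gateway, as with arp filter source 10.1.1.1); and ARP filtering (forward ARP only from a permitted sender IP/MAC binding, as with arp filter binding). Host A's addresses and the gateway address are taken from the examples above; the function names are this example's own.

```python
"""ARP packet checks: source MAC consistency, validity check, gateway protection, ARP filtering.

Added example, not from the HP guide. Frames are constructed with build_arp, not captured.
"""
import ipaddress
import struct
from typing import Dict, Iterable, Set, Tuple

ETH_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    """Accept 0001-0203-0405 or 00:01:02:03:04:05 forms."""
    return bytes.fromhex("".join(c for c in mac if c not in "-:."))


def build_arp(eth_dst: str, eth_src: str, op: int,
              sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet II header + 28-byte ARP body for IPv4 over Ethernet."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sha) + ipaddress.IPv4Address(spa).packed
    arp += mac_bytes(tha) + ipaddress.IPv4Address(tpa).packed
    return eth + arp


def parse_arp(frame: bytes) -> Dict[str, object]:
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != ETH_ARP or len(frame) < 42:
        raise ValueError("not an ARP frame")
    op = struct.unpack("!HHBBH", frame[14:22])[4]
    return {"eth_dst": frame[:6], "eth_src": frame[6:12], "op": op,
            "sha": frame[22:28], "spa": ipaddress.IPv4Address(frame[28:32]),
            "tha": frame[32:38], "tpa": ipaddress.IPv4Address(frame[38:42])}


def _bad_ip(ip: ipaddress.IPv4Address) -> bool:
    return ip in (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255")) or ip.is_multicast


def validate(frame: bytes, objects: Iterable[str] = ("src-mac", "dst-mac", "ip")) -> Tuple[bool, str]:
    """arp detection validate { dst-mac | ip | src-mac }; src-mac is also the consistency check."""
    p = parse_arp(frame)
    checks = set(objects)
    if "src-mac" in checks and p["eth_src"] != p["sha"]:
        return False, "sender MAC differs from Ethernet source MAC"
    if "dst-mac" in checks and p["op"] == ARP_REPLY and p["eth_dst"] != p["tha"]:
        return False, "target MAC differs from Ethernet destination MAC"
    if "ip" in checks and (_bad_ip(p["spa"]) or (p["op"] == ARP_REPLY and _bad_ip(p["tpa"]))):
        return False, "invalid sender or target IP address"
    return True, "ok"


def gateway_protection(frame: bytes, protected_gateways: Set[str]) -> bool:
    """arp filter source ip-address: drop ARP claiming a protected gateway as sender."""
    return str(parse_arp(frame)["spa"]) not in protected_gateways


def arp_filtering(frame: bytes, permitted: Set[Tuple[str, str]]) -> bool:
    """arp filter binding ip-address mac-address: only permitted sender IP/MAC pairs pass."""
    p = parse_arp(frame)
    allowed = {(ip, mac_bytes(mac)) for ip, mac in permitted}
    return (str(p["spa"]), p["sha"]) in allowed


if __name__ == "__main__":
    zero = "0000-0000-0000"
    host_a = build_arp("ffff-ffff-ffff", "000f-e349-1233", ARP_REQUEST,
                       "000f-e349-1233", "10.1.1.2", zero, "10.1.1.1")
    fake_gw = build_arp("ffff-ffff-ffff", "0001-0203-0405", ARP_REQUEST,
                        "0001-0203-0405", "10.1.1.1", zero, "10.1.1.2")
    for name, frame in (("host A request", host_a), ("forged gateway", fake_gw)):
        print(name, validate(frame), "gateway ok" if gateway_protection(frame, {"10.1.1.1"}) else "gateway spoof")
```

The forged-gateway frame is internally consistent (its Ethernet and ARP sender MACs agree), so validity check alone passes it; only gateway protection or ARP filtering on the host-facing port stops it, which is why the guide applies those two features on interfaces not connected to the gateway.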
  • Page 222: Configuring Urpf

    Configuring uRPF Overview Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.
  • Page 223 Figure 74 uRPF work flow. uRPF works in the following steps: 1. uRPF checks source address validity: Discards packets with a source broadcast address. Discards packets with an all-zero source address but a non-broadcast destination address. (A packet with source address 0.0.0.0 and destination address 255.255.255.255 might be a DHCP or BOOTP packet and cannot be discarded.)
  • Page 224 Proceeds to step 2 for other packets. 2. uRPF checks whether the source address matches a FIB entry: If yes, proceeds to step 3. If not, proceeds to step 6. 3. uRPF checks whether the check mode is loose: If yes, proceeds to step 8. If not, uRPF checks whether the matching route is a direct route: if yes, proceeds to step 5...
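The work flow above reads more clearly as code. The following is an added example, not code from the HP guide: a small FIB with longest-prefix match and a uRPF check that applies the source-address validity rules, the FIB lookup, and in strict mode the requirement that the packet arrive on the interface the FIB would use to reach its source. Two simplifications are this example's own: direct routes are treated like any other route (the receiving interface must match the route's interface), and a source with no matching route is discarded, since the default-route handling in the later steps is not shown on this page. A 0.0.0.0 source with a broadcast destination is passed through as the DHCP/BOOTP exception. The interface labels and prefixes in demo_fib are constructed.

```python
"""uRPF source-address check over a small FIB, in strict and loose modes.

Added example, not from the HP guide. Follows the work flow steps shown on the
page; direct-route and default-route special cases are simplified as noted.
"""
import ipaddress
from typing import List, Optional, Tuple

BROADCAST = ipaddress.IPv4Address("255.255.255.255")
UNSPECIFIED = ipaddress.IPv4Address("0.0.0.0")
Route = Tuple[ipaddress.IPv4Network, str, bool]   # (prefix, outgoing interface, direct?)


class Fib:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, prefix: str, out_iface: str, direct: bool = False) -> None:
        self.routes.append((ipaddress.IPv4Network(prefix), out_iface, direct))

    def lookup(self, ip: str) -> Optional[Route]:
        """Longest-prefix match, or None when no route covers the address."""
        addr = ipaddress.IPv4Address(ip)
        matches = [r for r in self.routes if addr in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def urpf_check(fib: Fib, src: str, dst: str, in_iface: str, mode: str) -> Tuple[bool, str]:
    """Return (forward?, reason) for a packet received on in_iface."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be strict or loose")
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    # Step 1: source address validity.
    if s == BROADCAST:
        return False, "broadcast source address"
    if s == UNSPECIFIED:
        if d == BROADCAST:
            return True, "all-zero source to broadcast (DHCP/BOOTP) passed"
        return False, "all-zero source address"
    # Step 2: does the source match a FIB entry? (no default-route handling here)
    route = fib.lookup(str(s))
    if route is None:
        return False, "no route back to source"
    net, out_iface, _direct = route
    # Step 3: loose mode only needs a route to exist.
    if mode == "loose":
        return True, f"loose: {net} reachable via {out_iface}"
    # Strict mode also needs the receiving interface to match the route.
    if out_iface == in_iface:
        return True, f"strict: {net} via {in_iface}"
    return False, f"strict: {net} is via {out_iface}, packet arrived on {in_iface}"


def demo_fib() -> Fib:
    """Constructed FIB: a customer LAN behind one port, the ISP behind another."""
    fib = Fib()
    fib.add("192.168.0.0/24", "XGE1/0/1", direct=True)   # customer LAN
    fib.add("10.1.0.0/16", "XGE1/0/2")                   # reached via the ISP
    return fib


if __name__ == "__main__":
    fib = demo_fib()
    for src, iface in (("192.168.0.7", "XGE1/0/1"), ("192.168.0.7", "XGE1/0/2"), ("172.16.9.9", "XGE1/0/2")):
        for mode in ("strict", "loose"):
            print(f"{src:>12} in {iface} {mode:6}: {urpf_check(fib, src, '10.1.1.1', iface, mode)}")
```

The second case in the demo is the one the guide's topology is built to catch: a packet claiming a customer address but arriving from the ISP side passes loose mode (a route to 192.168.0.0/24 exists) and fails strict mode, which is why strict mode belongs on the customer-facing link and loose mode only between ISPs where asymmetric routing is normal.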
  • Page 225: Network Application

    Network application

    Figure 75 Network diagram (figure labels: ISP A, ISP B, ISP C and User; uRPF (loose) between the ISPs, uRPF (strict) toward the User)

    Configure strict uRPF check between an ISP network and a customer network, and loose uRPF check between ISPs.

    Configuring uRPF
    Follow these guidelines when you configure uRPF:
    - uRPF checks only incoming packets on an interface.
  • Page 226: uRPF Configuration Example

    Task: Display uRPF configuration.
        Command: display ip urpf [ slot slot-number ]

    uRPF configuration example

    Network requirements
    As shown in Figure 76, a client (Switch A) directly connects to an ISP switch (Switch B). Enable strict uRPF check on Switch A and Switch B to prevent source address spoofing attacks.

    Figure 76 Network diagram

    Configuration procedure
    Enable strict uRPF check on Switch A.
  • Page 227: Support And Other Resources

    Related information

    Documents
    To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals
    For related documentation, navigate to the Networking section, and select a networking category.
    • ...
  • Page 228: Conventions

    Conventions
    This section describes the conventions used in this documentation set.

    Command conventions
    Boldface: Bold text represents commands and keywords that you enter literally as shown.
    Italic: Italic text represents arguments that you replace with actual values.
    Square brackets: Square brackets enclose syntax choices (keywords or arguments) that are optional.
    { x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which ...
  • Page 229

    Network topology icons
    - Represents a generic network device, such as a router, switch, or firewall.
    - Represents a routing-capable device, such as a router or Layer 3 switch.
    - Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 230: Index


This manual is also suitable for:

5900 series