HP A5120 EI Switch Series
Security
Abstract
This document describes the software features for the HP A Series products and guides you through the
software configuration procedures. These configuration guides also provide configuration examples to
help you apply software features to different network scenarios.
This documentation is intended for network planners, field technical support and servicing engineers, and
network administrators working with the HP A Series products.
Part number: 5998-1800
Software version: Release 2208
Document version: 5W100-20110530


   Summary of Contents for HP 5120 EI Switch Series


  • Page 2

    The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an...

  • Page 3: Table Of Contents

    Contents
    AAA configuration ... 1
    AAA overview ... 1
    RADIUS ... 2
    HWTACACS ... 7
    Domain-based user management ... 9
    RADIUS server feature of the device ... 10
    Protocols and standards ... 11
    RADIUS attributes ... 11
    AAA configuration considerations and task list ... 14
    Configuring AAA schemes ...

  • Page 4: Table Of Contents

    802.1X configuration ... 71
    HP implementation of 802.1X ... 71
    Access control methods ... 71
    Using 802.1X authentication with other features ... 71
    Configuring 802.1X ... 74
    Configuration prerequisites ... 74
    802.1X configuration task list ... 74
    Enabling 802.1X ... 75
    Specifying EAP relay or EAP termination ...

  • Page 5: Table Of Contents

    MAC authentication configuration examples ... 101
    Local MAC authentication configuration example ... 101
    RADIUS-based MAC authentication configuration example ... 103
    ACL assignment configuration example ... 105
    Portal configuration ... 108
    Portal overview ... 108
    Introduction to portal ... 108
    Extended portal functions ... 108
    Portal system components ...

  • Page 6: Table Of Contents

    Setting the port security mode ... 145
    Configuration prerequisites ... 145
    Configuration procedure ... 145
    Configuring port security features ... 146
    Configuring NTK ... 146
    Configuring intrusion protection ... 147
    Configuring port security traps ... 147
    Configuring secure MAC addresses ... 148
    Configuration prerequisites ...

  • Page 7: Table Of Contents

    Key algorithm types ... 179
    Asymmetric key algorithm applications ... 179
    Configuring the local asymmetric key pair ... 180
    Creating an asymmetric key pair ... 180
    Displaying or exporting the local RSA or DSA host public key ... 180
    Destroying an asymmetric key pair ... 181
    Configuring a peer public key ...

  • Page 8: Table Of Contents

    Displaying and maintaining SSH ... 217
    SSH server configuration examples ... 218
    When switch acts as server for password authentication ... 218
    When switch acts as server for publickey authentication ... 220
    SSH client configuration examples ... 225
    When switch acts as client for password authentication ... 225
    When switch acts as client for publickey authentication ...

  • Page 9: Table Of Contents

    Static IPv4 source guard binding entry configuration example ... 256
    Global static binding excluded port configuration example ... 257
    Dynamic IPv4 source guard binding by DHCP snooping configuration example ... 259
    Dynamic IPv4 source guard binding by DHCP relay configuration example ... 260
    Static IPv6 source guard binding entry configuration example ...

  • Page 10: Table Of Contents

    Configuring ND detection ... 285
    Displaying and maintaining ND detection ... 285
    ND detection configuration example ... 286
    Support and other resources ... 288
    Contacting HP ... 288
    Subscription service ... 288
    Related information ... 288
    Documents ... 288
    Websites ... 288
    Conventions ...

  • Page 11: Aaa Configuration

    AAA configuration
    AAA overview
    Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It provides the following security functions:
    • Authentication—Identifies users and determines whether a user is valid.
    • Authorization—Grants different users different rights and controls their access to resources and ...

  • Page 12: Radius

    RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. RADIUS can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required. RADIUS uses UDP as the transport protocol.

  • Page 13

    Figure 3 RADIUS basic message exchange process (participants: Host, RADIUS client, RADIUS server): 1) Username and password; 2) Access-Request; 3) Access-Accept/Reject; 4) Accounting-Request (start); 5) Accounting-Response; 6) The host accesses the resources; 7) Accounting-Request (stop); 8) Accounting-Response; 9) Notification of access termination.
    RADIUS operates in the following manner: The host initiates a connection request carrying the username and password to the RADIUS client.

  • Page 14

    Figure 4 RADIUS packet format (fields in order): Code, Identifier, Length, Authenticator (16 bytes), Attribute.
    Descriptions of the fields are as follows: The Code field (1 byte long) indicates the type of the RADIUS packet.
    Table 1 Main values of the Code field (columns: Code, Packet type, Description): From the client to the server.

  • Page 15

    The Attribute field, with a variable length, carries the specific authentication, authorization, and accounting information that defines the configuration details of the request or response. This field contains multiple attributes, and each attribute is represented in triplets of Type, Length, and Value. ...

  • Page 16

    Vendor-ID (4 bytes long)—Indicates the ID of the vendor. Its most significant byte is 0; the other three bytes contain a code that is compliant to RFC 1700. For more information about the proprietary RADIUS sub-attributes of HP, see “HP proprietary RADIUS sub-attributes.” ...

  • Page 17: Hwtacacs

    Figure 5 Segment of a RADIUS packet containing an extended attribute (fields in order): Type, Length, Vendor-ID, Vendor-ID (continued), Vendor-Type, Vendor-Length, Vendor-Data (specified attribute value ...) ...
    HWTACACS
    HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server.
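    The packet layout described on pages 14 through 17 (Code, Identifier, Length, 16-byte Authenticator, then Type/Length/Value attributes, with Vendor-Specific attributes carrying a 4-byte Vendor-ID whose top byte is 0 followed by Vendor-Type/Vendor-Length/Vendor-Data) is easiest to understand as a parser. The following Python is an added example written for this page; it is not code from the HP guide or from any HP product. It assumes the standard RFC 2865/2866 code numbers and attribute types (User-Name = 1, Calling-Station-Id = 31, Vendor-Specific = 26), uses 25506 as the HP A-Series (H3C) enterprise number, which the page does not state, and the sample datagram and its sub-attribute number 1 are constructed for the demonstration. Every length field is checked before it is used, so a malformed datagram raises an error instead of being read past its end.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# Packet types named in Table 1 / Figure 3 of the guide; numeric codes per RFC 2865/2866.
RADIUS_CODES = {
    1: "Access-Request",
    2: "Access-Accept",
    3: "Access-Reject",
    4: "Accounting-Request",
    5: "Accounting-Response",
}
VENDOR_SPECIFIC = 26   # attribute type that carries the extended (vendor) attributes of Figure 5
HEADER_LEN = 20        # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
HP_VENDOR_ID = 25506   # assumption: IANA enterprise number used for HP A-Series (H3C); not on the page


@dataclass
class Attribute:
    attr_type: int
    value: bytes
    vendor_id: Optional[int] = None    # only set for sub-attributes of a Vendor-Specific attribute
    vendor_type: Optional[int] = None


@dataclass
class RadiusPacket:
    code: int
    identifier: int
    authenticator: bytes
    attributes: List[Attribute] = field(default_factory=list)

    def code_name(self) -> str:
        return RADIUS_CODES.get(self.code, f"Unknown({self.code})")


def parse_vsa(value: bytes) -> List[Attribute]:
    """Split a Vendor-Specific Value into Vendor-Type / Vendor-Length / Vendor-Data triplets."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific attribute shorter than its 4-byte Vendor-ID")
    vendor_id = struct.unpack("!I", value[:4])[0]
    if vendor_id >> 24 != 0:           # the guide: most significant byte of Vendor-ID is 0
        raise ValueError("Vendor-ID most significant byte is not 0")
    subs, pos = [], 4
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError(f"bad Vendor-Length {vlen} at offset {pos}")
        subs.append(Attribute(VENDOR_SPECIFIC, value[pos + 2:pos + vlen], vendor_id, vtype))
        pos += vlen
    return subs


def parse_radius(datagram: bytes) -> RadiusPacket:
    """Parse one RADIUS UDP payload; any length inconsistency is rejected, never read past."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", datagram[:4])
    if length < HEADER_LEN or length > len(datagram):
        raise ValueError(f"Length field {length} inconsistent with {len(datagram)}-byte datagram")
    authenticator = datagram[4:HEADER_LEN]
    body = datagram[HEADER_LEN:length]   # octets beyond Length are padding and are ignored
    attrs, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError(f"bad attribute Length {alen} at offset {pos}")
        value = body[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            attrs.extend(parse_vsa(value))
        else:
            attrs.append(Attribute(atype, value))
        pos += alen
    return RadiusPacket(code, identifier, authenticator, attrs)


# Builders used only to construct the sample datagram below.
def build_attribute(atype: int, value: bytes) -> bytes:
    if len(value) + 2 > 255:
        raise ValueError("attribute too long for the 1-byte Length field")
    return bytes([atype, len(value) + 2]) + value


def build_vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    sub = bytes([vendor_type, len(data) + 2]) + data
    return build_attribute(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs)) + authenticator + attrs


# Constructed sample: Access-Request with User-Name, Calling-Station-Id (MAC in the HHHH-HHHH-HHHH
# format the guide describes) and one HP sub-attribute (vendor-type 1 is a made-up number).
SAMPLE_REQUEST = build_packet(
    1, 7, bytes(range(16)),
    build_attribute(1, b"telnet@bbb")
    + build_attribute(31, b"0001-0002-0003")
    + build_vsa(HP_VENDOR_ID, 1, struct.pack("!I", 1_000_000)),
)

if __name__ == "__main__":
    pkt = parse_radius(SAMPLE_REQUEST)
    print(pkt.code_name(), "identifier", pkt.identifier)
    for attr in pkt.attributes:
        print(attr)
```

    The bounds checks are the point: the Length header and each attribute Length are validated against the bytes actually received before any slice is taken, which is the behaviour a NAS or RADIUS server must have when it accepts datagrams from the network.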

  • Page 18

    Figure 6 HWTACACS basic message exchange process for a Telnet user (participants: Host, HWTACACS client, HWTACACS server): 1) The user logs in; 2) Start-authentication packet; 3) Authentication response requesting the username; 4) Request for username; 5) The user inputs the username; 6) Authentication continuance packet with the username; 7) Authentication response requesting the login ...

  • Page 19: Domain-based User Management

    The user inputs the password. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that carries the login password. The HWTACACS server sends back an authentication response to indicate that the user has passed authentication.

  • Page 20: Radius Server Feature Of The Device

    For a user who has logged in to the device, AAA provides the following services to enhance device security:
    • Command authorization—Enables the NAS to defer to the authorization server to determine whether a command entered by a login user is permitted for the user, ensuring that login users execute only commands they are authorized to execute.

  • Page 21: Protocols And Standards

    NOTE: The UDP port number for RADIUS authentication is 1812 in the standard RADIUS protocol, but is 1645 on HP devices. Specify 1645 as the authentication port number when you use an HP device as a RADIUS client.
    Protocols and standards
    The following protocols and standards are related to AAA, RADIUS, and HWTACACS: ...

  • Page 22

    Maximum idle time permitted for the user before termination of the session.
    Calling-Station-Id: User identification that the NAS sends to the server. With the LAN access service provided by an HP device, this attribute carries the MAC address of the user in the format HHHH-HHHH-HHHH.
    NAS-Identifier: Identification that the NAS uses for indicating itself.

  • Page 23

    …Authenticator: … Access-Requests. This attribute is used when RADIUS supports EAP authentication.
    NAS-Port-Id: String for describing the port of the NAS that is authenticating the user.
    HP proprietary RADIUS sub-attributes (columns: Sub-attribute, Description)
    Input-Peak-Rate: Peak rate in the direction from the user to the NAS, in bps.

  • Page 24: Aaa Configuration Considerations And Task List

    (columns: Sub-attribute, Description)
    User_HeartBeat: Hash value assigned after an 802.1X user passes authentication, which is a 32-byte string. This attribute is stored in the user list on the device and is used for verifying the handshake messages from the 802.1X user. This attribute exists in only Access-Accept and Accounting-Request packets.

  • Page 25

    Figure 9 AAA configuration diagram (Local AAA: configure local users and related attributes; No AAA; configure AAA methods: create an ISP domain and enter its view; authentication method none / local (default method) / scheme; authorization method none / local / scheme; accounting method none / local / scheme; configure the RADIUS, HWTACACS ...)

  • Page 26: Configuring Aaa Schemes

    Configuring AAA schemes Configuring local users For local authentication, you must create local users and configure user attributes on the device in advance. The local users and attributes are stored in the local user database on the device. A local user is uniquely identified by a username.

  • Page 27

    You can configure an authorization attribute in user group view or local user view, making the attribute effective for all local users in the group or only for the local user. The setting of an authorization attribute in local user view takes precedence over that in user group view. Local user configuration task list Task Remarks...

  • Page 28

    To do… | Use the command… | Remarks
    Configure the password composition policy | password-control composition type-number type-number [ type-length type-length ] | Optional. By default, the setting for the user group is used. If there is no such setting for the user group, the global setting is used.

  • Page 29: Configuring User Group Attributes

    NOTE:  For more information about password control attribute commands, see the chapter “Password control configuration.”  On a device supporting the password control feature, local user passwords are not displayed, and the local-user password-display-mode command is not effective.  With the local-user password-display-mode cipher-force command configured, a local user password is always displayed in cipher text, regardless of the configuration of the password command.

  • Page 30: Configuring Radius Schemes

    To do… | Use the command… | Remarks
    Configure the authorization attributes for the user group | authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | vlan vlan-id | work-directory ... | Optional. By default, no authorization attribute is configured for a user group.

  • Page 31

    Task | Remarks
    Configuring RADIUS accounting-on | Optional
    Specifying a security policy server | Optional
    Configuring interpretation of RADIUS class attribute as CAR parameters | Optional
    Enabling the RADIUS trap function | Optional
    Enabling the listening port of the RADIUS client | Optional
    Displaying and maintaining RADIUS | Optional
    Creating a RADIUS scheme
    Before performing other RADIUS configurations, follow these steps to create a RADIUS scheme and enter...

  • Page 32

    NOTE:  If both the primary and secondary authentication/authorization servers are specified, the secondary one is used when the primary one is not reachable.  If redundancy is not required, specify only the primary RADIUS authentication/authorization server.  In practice, you may specify one RADIUS server as the primary authentication/authorization server, and up to 16 RADIUS servers as the secondary authentication/authorization servers, or specify a server as the primary authentication/authorization server for a scheme and as the secondary authentication/authorization servers for another scheme at the same time.

  • Page 33

    NOTE:  The IP addresses of the primary and secondary accounting servers must be different from each other. Otherwise, the configuration fails.  All servers for authentication/authorization and accountings, primary or secondary, must use IP addresses of the same IP version. ...

  • Page 34

    • Standard—Uses the standard RADIUS protocol, compliant to RFC 2865 and RFC 2866 or later.
    • Extended—Uses the proprietary RADIUS protocol of HP.
    When the RADIUS server runs iMC, you must set the RADIUS server type to extended. When the RADIUS server runs third-party RADIUS server software, either RADIUS server type applies.

  • Page 35

    accounting server, real-time accounting requests and stop-accounting requests of the user cannot be delivered to the server anymore. If you remove an authentication or accounting server in use, the communication of the device with the server will soon time out, and the device will look for a server in the active state from scratch: it checks the primary server (if any) first and then the secondary servers in the order they are configured.

  • Page 36

    Follow these steps to set the username format and the traffic statistics units for a RADIUS scheme:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter RADIUS scheme view | radius scheme radius-scheme-name | —
    Set the format for usernames sent | user-name-format { keep-original | with-domain | without-domain ... | Optional. By default, the ISP domain name...

  • Page 37

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter RADIUS scheme view | radius scheme radius-scheme-name | —
    Specify a source IP address for outgoing RADIUS packets | nas-ip { ip-address | ipv6 ipv6-address } | Required. By default, the IP address of the outbound interface is used as the source IP address.

  • Page 38

    NOTE:  For an access module, the maximum number of transmission attempts multiplied by the RADIUS server response timeout period must be less than the client connection timeout time and must not exceed 75 seconds. Otherwise, stop-accounting messages cannot be buffered, and the primary/secondary server switchover cannot take place. For example, because the client connection timeout time for voice access is 10 seconds, the product of the two parameters must be less than 10 seconds;...

  • Page 39

    The NAS checks the validity of received control packets and accepts only control packets from known servers. To use a security policy server that is independent of the AAA servers, you must configure the IP address of the security policy server on the NAS. To implement all EAD functions, configure both the IP address of the iMC security policy server and that of the iMC configuration platform on the NAS.

  • Page 40: Configuring Hwtacacs Schemes

    The failure ratio is generally small. If you see a trap message triggered due to a higher failure ratio, check the configurations on the NAS and the RADIUS server and the communications between them. Follow these steps to enable the RADIUS trap function: To do…...

  • Page 41

    HWTACACS configuration task list
    Task | Remarks
    Creating an HWTACACS scheme | Required
    Specifying the HWTACACS authentication servers | Required
    Specifying the HWTACACS authorization servers | Optional
    Specifying the HWTACACS accounting servers | Optional
    Setting the shared keys for HWTACACS packets | Required
    Setting the username format and traffic statistics units | Optional
    Specifying a source IP address for outgoing HWTACACS packets | Optional
    ...

  • Page 42

    NOTE:  If both the primary and secondary authentication servers are specified, the secondary one is used when the primary one is not reachable.  If redundancy is not required, specify only the primary HWTACACS authentication server.  The IP addresses of the primary and secondary authentication servers cannot be the same. Otherwise, the configuration fails.

  • Page 43

    To do… | Use the command… | Remarks
    Enable the device to buffer stop-accounting requests getting no responses | stop-accounting-buffer enable | Optional. Enabled by default.
    Set the maximum number of stop-accounting request transmission attempts | retry stop-accounting retry-times | Optional. 100 by default.
    NOTE:
    • If both the primary and secondary accounting servers are specified, the secondary server is used when the primary server is not reachable.

  • Page 44

    To do… | Use the command… | Remarks
    Enter HWTACACS scheme view | hwtacacs scheme hwtacacs-scheme-name | —
    Set the format of usernames sent to the HWTACACS servers | user-name-format { keep-original | with-domain | without-domain } | Optional. By default, the ISP domain name is included in the username.

  • Page 45

    To do… | Use the command… | Remarks
    Enter HWTACACS scheme view | hwtacacs scheme hwtacacs-scheme-name | —
    Specify a source IP address for outgoing HWTACACS packets | nas-ip ip-address | Required. By default, the IP address of the outbound interface is used as the source IP address.
    Setting timers for controlling communication with HWTACACS servers
    Follow these steps to set timers regarding HWTACACS servers:
    To do…...

  • Page 46: Configuring Aaa Methods For Isp Domains

    Configuring AAA methods for ISP domains You configure AAA methods for an ISP domain by referencing configured AAA schemes in ISP domain view. Each ISP domain has a set of default AAA methods, which are local authentication, local authorization, and local accounting by default and can be customized. If you do not configure any AAA methods for an ISP domain, the device uses the system default AAA methods for authentication, authorization, and accounting of the users in the domain.

  • Page 47: Configuring Aaa Authentication Methods For An Isp Domain

    To do… | Use the command… | Remarks
    Enter ISP domain view | domain isp-name | —
    Place the ISP domain in the active or blocked state | state { active | block } | Optional. By default, an ISP domain is in the active state, and users in the domain can request network services.

  • Page 48

    no authentication as the backup method to be used when the remote server is not available. No authentication can only be configured for LAN users as the backup method of remote authentication. You can configure AAA authentication to work alone without authorization and accounting. By default, an ISP domain uses the local authentication method.

  • Page 49: Configuring Aaa Authorization Methods For An Isp Domain

    NOTE:  The authentication method specified with the authentication default command is for all types of users and has a priority lower than that for a specific access mode.  With an authentication method that references a RADIUS scheme, AAA accepts only the authentication result from the RADIUS server.

  • Page 50: Configuring Aaa Accounting Methods For An Isp Domain

    Determine whether to configure an authorization method for all access modes or service types.
    Follow these steps to configure AAA authorization methods for an ISP domain:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter ISP domain view | domain isp-name | —
    ...

  • Page 51

    Local accounting (local)—Local accounting is implemented on the access device. It is for counting and controlling the number of concurrent users who use the same local user account; it does not provide statistics for charging. The maximum number of concurrent users using the same local user account is set by the access-limit command in local user view.

  • Page 52: Tearing Down User Connections Forcibly

    NOTE:  With the accounting optional command configured, a user that would be otherwise disconnected can still use the network resources even when no accounting server is available or communication with the current accounting server fails.  The local accounting method is not used to implement accounting, but to work together with the access-limit command, which is configured in local user view, to limit the number of local user connections.

  • Page 53: Specifying A Radius Client

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Create a RADIUS user and enter RADIUS server user view | radius-server user user-name | Required. No RADIUS user exists by default.
    Configure a password for the RADIUS user | password [ cipher | simple ] password | Optional. By default, no password is specified.

  • Page 54: Displaying And Maintaining Aaa

    Displaying and maintaining AAA
    To do… | Use the command… | Remarks
    Display the configuration information of ISP domains | display domain [ isp-name ] [ | { begin | exclude | include } regular-expression ] | Available in any view
    Display information about user... | display connection [ access-type { dot1x | mac-authentication | portal } | domain isp-name | interface interface-type interface- ...

  • Page 55: Aaa For Telnet Users By Separate Servers

    # Specify the primary authentication server.
    [Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49
    # Specify the primary authorization server.
    [Switch-hwtacacs-hwtac] primary authorization 10.1.1.1 49
    # Specify the primary accounting server.
    [Switch-hwtacacs-hwtac] primary accounting 10.1.1.1 49
    # Set the shared key for authentication, authorization, and accounting packets to expert.
    [Switch-hwtacacs-hwtac] key authentication expert
    [Switch-hwtacacs-hwtac] key authorization expert
    [Switch-hwtacacs-hwtac] key accounting expert
    ...

  • Page 56

    Figure 11 Configure AAA by separate servers for Telnet users (HWTACACS authorization server 10.1.1.2/24; RADIUS accounting server 10.1.1.1/24; Telnet user reaches the Switch over the Internet)
    Configuration procedure
    # Configure the IP addresses of various interfaces (omitted).
    # Enable the Telnet server on the switch.
    <Switch> ...

  • Page 57: Authentication/authorization For Ssh/telnet Users By A Radius Server

    [Switch] domain bbb
    [Switch-isp-bbb] authentication default local
    [Switch-isp-bbb] authorization default hwtacacs-scheme hwtac
    [Switch-isp-bbb] accounting default radius-scheme rd
    When telnetting to the switch, a user enters username telnet@bbb for authentication using domain bbb.
    Authentication/Authorization for SSH/Telnet users by a RADIUS server
    NOTE: The configuration of authentication and authorization for SSH users is similar to that for Telnet users.

  • Page 58

    • Specify the ports for authentication and accounting as 1812 and 1813 respectively.
    • Select Device Management Service as the service type.
    • Select HP(A-Series) as the access device type.
    • Select the access device from the device list or manually add the device with the IP address of ...

  • Page 59

    Figure 14 Add an account for device management
    Configure the switch
    # Configure the IP address of VLAN interface 2, through which the SSH user accesses the switch.
    <Switch> system-view
    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
    [Switch-Vlan-interface2] quit
    # Configure the IP address of VLAN-interface 3, through which the switch accesses the server.

  • Page 60: Aaa For 802.1x Users By A Radius Server

    [Switch] radius scheme rad
    # Specify the primary authentication server.
    [Switch-radius-rad] primary authentication 10.1.1.1 1812
    # Set the shared key for authentication packets to expert.
    [Switch-radius-rad] key authentication expert
    # Configure the scheme to include the domain names in usernames to be sent to the RADIUS server.
    [Switch-radius-rad] user-name-format with-domain
    # Specify the service type for the RADIUS server, which must be extended when the RADIUS server runs iMC.

  • Page 61

    • Select LAN Access Service as the service type.
    • Select HP(A-Series) as the access device type.
    • Select the access device from the device list or manually add the device whose IP address is 10.1.1.2.
    • Adopt the default settings for other parameters and click OK to finish the operation.

  • Page 62

    Figure 16 Add an access device
    # Add a charging policy.
    Select the Service tab, and select Accounting Manager > Charging Plans from the navigation tree to enter the charging policy configuration page. Then, click Add to enter the Add Charging Plan page and perform the following configurations:
    • Add a plan named UserAcct ...

  • Page 63

    Select the Service tab, and select User Access Manager > Service Configuration from the navigation tree to enter the Service Configuration page. Then, click Add to enter the Add Service Configuration page and perform the following configurations:
    • Add a service named Dot1x auth and set the Service Suffix to bbb, which indicates the authentication domain for the 802.1X user.

  • Page 64

    Figure 19 Add an access user account
    Configure the switch
    Configure a RADIUS scheme
    # Create a RADIUS scheme named rad and enter its view.
    <Switch> system-view
    [Switch] radius scheme rad
    # Set the server type for the RADIUS scheme. When using the iMC server, set the server type to extended.

  • Page 65

    # Configure bbb as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at login, the authentication and accounting methods of the default domain are used for the user.
    [Switch] domain default enable bbb
    Configure 802.1X authentication ...

  • Page 66: Level Switching Authentication For Telnet Users By An Hwtacacs Server

    Priority=Disable
    Start=2011-04-26 19:41:12 ,Current=2011-04-26 19:41:25 ,Online=00h00m14s
    Total 1 connection matched.
    As the Authorized VLAN field in the output shows, VLAN 4 has been assigned to the user.
    Level switching authentication for Telnet users by an HWTACACS server
    Network requirements
    As shown in Figure 20, configure the switch to use local authentication for the Telnet user and to assign privilege level 0 to the user after the user passes authentication.

  • Page 67

    <Switch> system-view
    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
    [Switch-Vlan-interface2] quit
    # Configure the IP address of VLAN-interface 3, through which the switch communicates with the server.
    [Switch] interface vlan-interface 3
    [Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0
    [Switch-Vlan-interface3] quit
    # Enable the switch to provide Telnet service.

  • Page 68

    [Switch] quit
    Configure the HWTACACS server
    NOTE: The HWTACACS server in this example runs ACSv4.0.
    Add a user named tester on the HWTACACS server and configure advanced attributes for the user as follows and as shown in Figure
    • Select Max Privilege for any AAA Client and set the privilege level to level 3.
    After these ...

  • Page 69: Radius Authentication And Authorization For Telnet Users By A Network Device

    Connected to 192.168.1.70 ...
    ******************************************************************************
    * Copyright (c) 2010-2011 Hewlett-Packard Development Company, L.P.
    * Without the owner's prior written consent,
    * no decompiling or reverse-engineering shall be allowed.
    ******************************************************************************
    Login authentication
    Username:test@bbb
    Password:
    <Switch> ?
    User view commands:
    cluster Run cluster command
    display Display current system information
    ping...

  • Page 70

    Set the shared keys for authentication and authorization packets exchanged between the NAS and the RADIUS server to abc. Configure the switch to remove the domain names from usernames before sending them to the RADIUS server.
    Figure 22 RADIUS authentication and authorization for Telnet users by a network device (RADIUS server, Vlan-int3, Vlan-int2...)

  • Page 71: Troubleshooting Aaa

    # Configure bbb as the default ISP domain. Then, if a user enters a username without any ISP domain at login, the authentication and accounting methods of the default domain are used for the user.
    [SwitchA] domain default enable bbb
    Configure the RADIUS server
    # Create RADIUS user aaa and enter its view.

  • Page 72: Troubleshooting Hwtacacs

    Symptom 2
    RADIUS packets cannot reach the RADIUS server.
    Analysis
    • The communication link between the NAS and the RADIUS server is down (at the physical layer or data link layer).
    • The NAS is not configured with the IP address of the RADIUS server.
    • The UDP ports for authentication/authorization and accounting are not correct.

  • Page 73: X Fundamentals

    802.1X fundamentals 802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for securing wireless LANs (WLANs), and it has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports. 802.1X architecture 802.1X operates in the client/server model.

  • Page 74: X-related Protocols

    • Performs unidirectional traffic control to deny traffic from the client.
    NOTE: The HP switches support only unidirectional traffic control.
    802.1X-related protocols
    802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information between the client, the network access device, and the authentication server. EAP is an authentication framework that uses the client/server model.

  • Page 75

    • Protocol version: The EAPOL protocol version used by the EAPOL packet sender.
    • Type: Type of the EAPOL packet. Table 5 lists the types of EAPOL packets that the HP implementation of 802.1X supports.
    Table 5 Types of EAPOL packets...

  • Page 76: Eap Over Radius

    • Packet body: Content of the packet. When the EAPOL packet type is EAP-Packet, the Packet body field contains an EAP packet.
    EAP over RADIUS
    RADIUS adds two attributes, EAP-Message and Message-Authenticator, for supporting EAP authentication. For the RADIUS packet format, see the chapter "AAA configuration."
    EAP-Message
    RADIUS encapsulates EAP packets in the EAP-Message attribute, as shown in Figure...

  • Page 77: X Authentication Procedures

    • Multicast trigger mode—The access device multicasts EAP-Request/Identity packets periodically (every 30 seconds by default) to initiate 802.1X authentication.
    • Unicast trigger mode—Upon receiving a frame whose source MAC address is not in the MAC address table, the access device sends an EAP-Request/Identity packet out of the receiving port to the unknown MAC address.

  • Page 78: Eap Relay

    Packet exchange method: EAP termination
    Benefits: Works with any RADIUS server that supports PAP or CHAP authentication.
    Limitations:
    • Supports only MD5-Challenge EAP authentication and the "username + password" EAP authentication initiated by an iNode 802.1X client.
    • The processing is complex on the network access device.

  • Page 79: Eap Termination

    In response to the Identity EAP-Request packet, the client sends the username in an Identity EAP-Response packet to the network access device. The network access device relays the Identity EAP-Response packet in a RADIUS Access-Request packet to the authentication server. The authentication server uses the identity information in the RADIUS Access-Request to search its user database.

  • Page 80

    Figure 32 802.1X authentication procedure in EAP termination mode (Client, Device and Authentication server; EAPOL between client and device, RADIUS between device and server):
    (1) EAPOL-Start
    (2) EAP-Request/Identity
    (3) EAP-Response/Identity
    (4) EAP-Request/MD5 challenge
    (5) EAP-Response/MD5 challenge
    (6) RADIUS Access-Request (CHAP-Response/MD5 challenge)
    (7) RADIUS Access-Accept (CHAP-Success)
    (8) EAP-Success...
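The two packet exchange methods described above (EAP relay, page 76, and EAP termination, page 80), modelled end to end in Python as an added example. This is not code from the HP guide or from the switch software: it builds the RADIUS Access-Request that the access device would send in each mode and the check that the RADIUS server performs on it. Attribute numbers are the standard RADIUS ones (User-Name 1, CHAP-Password 3, CHAP-Challenge 60, EAP-Message 79, Message-Authenticator 80); the username, password, challenge and shared key are constructed test values.

```python
"""EAP relay versus EAP termination on the access device (added example, not HP code)."""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

# RADIUS code and attribute types (RFC 2865, RFC 2869)
ACCESS_REQUEST = 1
USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
# EAP code and type (RFC 3748)
EAP_RESPONSE, EAP_TYPE_MD5_CHALLENGE = 2, 4


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (value length + 2 header octets), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list that follows the 20-octet RADIUS header."""
    attrs, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def radius_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def eap_md5_response(eap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Client side, step (5) of the figure: EAP-Response/MD5-Challenge. The 16-octet
    value is MD5(identifier || password || challenge), which is exactly the CHAP formula."""
    digest = hashlib.md5(bytes([eap_id]) + password + challenge).digest()
    data = bytes([EAP_TYPE_MD5_CHALLENGE, len(digest)]) + digest
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(data)) + data


def relay_access_request(username: bytes, eap_packet: bytes, secret: bytes,
                         ident: int = 1, authenticator: Optional[bytes] = None) -> bytes:
    """EAP relay: the device forwards the EAP packet untouched inside EAP-Message and adds
    Message-Authenticator, an HMAC-MD5 keyed with the shared key over the whole request
    computed with the Message-Authenticator value set to 16 zero octets."""
    authenticator = authenticator or os.urandom(16)
    attrs = attr(USER_NAME, username)
    for i in range(0, len(eap_packet), 253):           # long EAP packets span several attributes
        attrs += attr(EAP_MESSAGE, eap_packet[i:i + 253])
    mac_offset = 20 + len(attrs) + 2                    # where the 16 HMAC octets will sit
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    unsigned = radius_packet(ACCESS_REQUEST, ident, authenticator, attrs)
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return unsigned[:mac_offset] + mac + unsigned[mac_offset + 16:]


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the HMAC over the packet with the attribute zeroed. A request
    carrying EAP-Message but no Message-Authenticator is rejected, because nothing else
    binds the EAP payload to the shared key."""
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            claimed = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, claimed)
        pos += alen
    return False


def terminate_to_chap(username: bytes, eap_packet: bytes, challenge: bytes,
                      ident: int = 2, authenticator: Optional[bytes] = None) -> bytes:
    """EAP termination, step (6) of the figure: the device ends EAP itself and re-encodes the
    MD5-Challenge response as CHAP-Password (ident || 16-octet response) plus CHAP-Challenge,
    which any RADIUS server that speaks CHAP can verify. The EAP identifier becomes the
    CHAP identifier so that the digests line up."""
    code, eap_id, _ = struct.unpack("!BBH", eap_packet[:4])
    if code != EAP_RESPONSE or eap_packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("termination handles only EAP-Response/MD5-Challenge")
    value_size = eap_packet[5]
    response = eap_packet[6:6 + value_size]
    attrs = (attr(USER_NAME, username)
             + attr(CHAP_PASSWORD, bytes([eap_id]) + response)
             + attr(CHAP_CHALLENGE, challenge))
    return radius_packet(ACCESS_REQUEST, ident, authenticator or os.urandom(16), attrs)


def server_check_chap(packet: bytes, password: bytes) -> bool:
    """Server side, step (7): look up the user's password and recompute
    MD5(ident || password || challenge); CHAP needs the password in recoverable form."""
    attrs = dict(parse_attrs(packet))
    ident, response = attrs[CHAP_PASSWORD][0], attrs[CHAP_PASSWORD][1:]
    challenge = attrs.get(CHAP_CHALLENGE, packet[4:20])  # absent: Request Authenticator is the challenge
    expected = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return hmac.compare_digest(expected, response)
```

In relay mode the device never sees the password: it copies EAP-Message and protects the request with Message-Authenticator, which is why EAP-TLS and PEAP work only in relay mode. In termination mode the device runs the MD5 challenge itself and hands the server a CHAP pair, which is why any PAP/CHAP-capable server works, at the cost of the MD5-only limitation listed in the comparison table. A server that accepted an EAP-Message request without checking Message-Authenticator would let an on-path party alter the EAP payload undetected.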

  • Page 81: X Configuration

    802.1X configuration This chapter describes how to configure 802.1X on an HP device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network, for example, that requires different authentication methods for different users on a port. Port security is beyond the scope of this chapter.

  • Page 82

    Access control / VLAN manipulation
    • If the port is a hybrid port with MAC-based VLAN enabled, maps the MAC address of each user to the VLAN assigned by the authentication server. The default VLAN of the port does not change. When a user logs off, the MAC-to-VLAN mapping for the user is removed.

  • Page 83

    Authentication status / VLAN manipulation
    • A user has not passed 802.1X authentication yet: Creates a mapping between the MAC address of the user and the 802.1X guest VLAN. The user can access resources in the guest VLAN.
    If an 802.1X Auth-Fail VLAN is available, re-maps the MAC address of the user to the Auth-Fail VLAN.

  • Page 84: Configuring 802.1x

    On a port that performs MAC-based access control
    Authentication status / VLAN manipulation
    • A user fails 802.1X authentication: Re-maps the MAC address of the user to the Auth-Fail VLAN. The user can access only resources in the Auth-Fail VLAN.
    • A user in the Auth-Fail VLAN: The user is still in the Auth-Fail VLAN.

  • Page 85: Enabling 802.1x

    Task / Remarks
    • Setting the port authorization state: Optional
    • Specifying an access control method: Optional
    • Setting the maximum number of concurrent 802.1X users on a port: Optional
    • Setting the maximum number of authentication request attempts: Optional
    • Setting the 802.1X authentication timeout timers: Optional
    • Configuring the online user handshake function: Optional...

  • Page 86: Setting The Port Authorization State

    use EAP-TLS, PEAP, or any other EAP authentication method, you must use EAP relay. When you make your decision, see "A comparison of EAP relay and EAP termination" for help. For more information about EAP relay and EAP termination, see "802.1X authentication procedures."
    Follow these steps to configure EAP relay or EAP termination:
    To do…...

  • Page 87: Specifying An Access Control Method

    To do… / Use the command… / Remarks
    Set the port authorization state (optional; by default, auto applies). Use either approach:
    • In system view: dot1x port-control { authorized-force | auto | unauthorized-force } [ interface interface-list ]
    • In Layer 2 Ethernet interface view: interface interface-type interface-number, then dot1x port-control { authorized-force | ...

  • Page 88: Setting The Maximum Number Of Authentication Request Attempts

    Setting the maximum number of authentication request attempts The network access device retransmits an authentication request if it receives no response to the request it has sent to the client within a period of time (specified by using the dot1x timer tx-period tx-period-value command or the dot1x timer supp-timeout supp-timeout-value command).

  • Page 89: Configuring The Authentication Trigger Function

    If not, the device tears down the connections with these online users for not receiving handshake responses.
    • HP recommends that you use the iNode client software and iMC server to ensure the normal operation of the online user handshake security function.
    Configuring the authentication trigger function
    About the authentication trigger function
    The authentication trigger function enables the network access device to initiate 802.1X authentication...

  • Page 90: Specifying A Mandatory Authentication Domain On A Port

    response within a period of time. This process continues until the maximum number of request attempts set with the dot1x retry command (see "Setting the maximum number of authentication request attempts") is reached. The identity request timeout timer sets both the identity request interval for the multicast trigger and the identity request timeout interval for the unicast trigger.

  • Page 91: Enabling The Quiet Timer

    Enabling the quiet timer The quiet timer enables the network access device to wait a period of time before it can process any authentication request from a client that has failed an 802.1X authentication. You can set the quiet timer to a high value in a vulnerable network or a low value for quicker authentication response.

  • Page 92: Configuring An 802.1x Guest Vlan

    Configuring an 802.1X guest VLAN
    Configuration guidelines
    Follow these guidelines when configuring an 802.1X guest VLAN:
    • You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different ports can be different.
    • Assign different IDs for the voice VLAN, the default VLAN, and the 802.1X guest VLAN on a port, so ...

  • Page 93: Configuring An Auth-fail Vlan

    To do… / Use the command… / Remarks
    • (interface view) dot1x guest-vlan guest-vlan-id
    Configuring an Auth-Fail VLAN
    Configuration guidelines
    Follow these guidelines when configuring an 802.1X Auth-Fail VLAN:
    • Assign different IDs for the voice VLAN, the default VLAN, and the 802.1X Auth-Fail VLAN on a port, so the port can correctly process VLAN-tagged incoming traffic.

  • Page 94: Displaying And Maintaining 802.1x

    Displaying and maintaining 802.1X
    To do… / Use the command… / Remarks
    • Display 802.1X session information, statistics, or configuration information of specified or all ports: display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] (available in any view)
    • Clear 802.1X statistics: reset dot1x statistics [ interface interface-...

  • Page 95

    Configure the 802.1X client. If iNode is used, do not select the Carry version info option in the client configuration. (Details not shown)
    Configure the RADIUS servers and add user accounts for the 802.1X users. (Details not shown)
    Configure user accounts for the 802.1X users on the access device.
    # Add a local user with the username localuser and the password localpass in plaintext.

  • Page 96: X With Guest Vlan And Vlan Assignment Configuration Example

    [Device-isp-aabbcc.net] access-limit enable 30
    # Configure the idle cut function to log off any online domain user that has been idle for 20 minutes.
    [Device-isp-aabbcc.net] idle-cut enable 20
    [Device-isp-aabbcc.net] quit
    # Specify aabbcc.net as the default ISP domain. If a user does not provide any ISP domain name, it is assigned to the default ISP domain.

  • Page 97

    Figure 34 Network diagram for 802.1X with guest VLAN and VLAN assignment configuration (Device with ports GE1/0/1 to GE1/0/4 connecting the Host, the Update server, the Authentication server and the Internet in VLANs 1, 2, 5 and 10; the host's port is added to the guest VLAN)

  • Page 98

    [Device-vlan5] quit
    Configure a RADIUS scheme.
    # Configure RADIUS scheme 2000 and enter its view.
    <Device> system-view
    [Device] radius scheme 2000
    # Specify primary and secondary authentication and accounting servers. Set the shared key to abc for authentication and accounting packets.
    [Device-radius-2000] primary authentication 10.11.1.1 1812
    [Device-radius-2000] primary accounting 10.11.1.1 1813
    [Device-radius-2000] key authentication abc...

  • Page 99: X With Acl Assignment Configuration Example

    802.1X with ACL assignment configuration example Network requirements As shown in Figure 35, the host at 192.168.1.10 connects to port GigabitEthernet 1/0/1 of the network access device. Perform 802.1X authentication on the port. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server and the RADIUS server at 10.1.1.2 as the accounting server.

  • Page 100

    [Device] domain 2000
    [Device-isp-2000] authentication default radius-scheme 2000
    [Device-isp-2000] authorization default radius-scheme 2000
    [Device-isp-2000] accounting default radius-scheme 2000
    [Device-isp-2000] quit
    # Configure ACL 3000 to deny packets destined for the FTP server at 10.0.0.1.
    [Device] acl number 3000
    [Device-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0
    # Enable 802.1X globally.

  • Page 101: Ead Fast Deployment Configuration

    EAD fast deployment configuration EAD fast deployment overview Endpoint Admission Defense (EAD) is an HP integrated endpoint access control solution, which enables the security client, security policy server, access device, and third-party server to work together to improve the threat defensive capability of a network. If a terminal device seeks to access a network that deploys EAD, it must have an EAD client, which performs 802.1X authentication.

  • Page 102: Displaying And Maintaining Ead Fast Deployment

    To do… / Use the command… / Remarks
    • Enter system view: system-view
    • Configure a free IP: dot1x free-ip ip-address { mask-address | mask-length } (required; by default, no free IP is configured)
    NOTE: When global MAC authentication, Layer-2 portal authentication, or port security is enabled, the free IP does not take effect.

  • Page 103: Ead Fast Deployment Configuration Example

    EAD fast deployment configuration example Network requirements As shown in Figure 36, the hosts at the intranet 192.168.1.0/24 are attached to port GigabitEthernet 1/0/1 of the network access device, and they use DHCP to obtain IP addresses. Deploy EAD solution for the intranet so that all hosts must pass 802.1X authentication to access the network.

  • Page 104

    [Device] dhcp enable
    # Configure a DHCP server for a DHCP server group.
    [Device] dhcp relay server-group 1 ip 192.168.2.2
    # Enable the relay agent on VLAN-interface 2.
    [Device] interface vlan-interface 2
    [Device-Vlan-interface2] dhcp select relay
    # Correlate VLAN-interface 2 with the DHCP server group.
    [Device-Vlan-interface2] dhcp relay server-select 1
    [Device-Vlan-interface2] quit
    Configure a RADIUS scheme and an ISP domain.

  • Page 105: Troubleshooting Ead Fast Deployment

    example, 3.3.3.3 or http://3.3.3.3. The external website address should not be on the freely accessible network segment. Troubleshooting EAD fast deployment Web browser users cannot be correctly redirected Symptom Unauthenticated users are not redirected to the specified redirect URL after they enter external website addresses in their web browsers.

  • Page 106: Mac Authentication Configuration

    MAC authentication configuration MAC authentication overview MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software. A user does not need to input a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port.

  • Page 107: Mac Authentication Timers

    For more information about configuring local authentication and RADIUS authentication, see the chapter "AAA configuration."
    MAC authentication timers
    MAC authentication uses the following timers:
    • Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards ...

  • Page 108: Mac Authentication Configuration Task List

    MAC authentication guest VLAN is configured, the user that fails MAC authentication cannot access any network resources. If a user in the guest VLAN passes MAC authentication, it is removed from the guest VLAN and can access all authorized network resources. If not, the user is still in the MAC authentication guest VLAN. NOTE: A hybrid port is always assigned to a guest VLAN as an untagged member.

  • Page 109: Specifying An Authentication Domain For Mac Authentication Users

    To do… / Use the command… / Remarks
    • Enable MAC authentication globally: mac-authentication (required; disabled by default)
    • Configure MAC authentication timers: mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-... (optional; by default, the offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server...

  • Page 110: Configuring A Mac Authentication Guest Vlan

    MAC authentication chooses an authentication domain for users on a port in this order: the port-specific domain, the global domain, and the default domain. For more information about authentication domains, see the chapter "AAA configuration."
    Follow these steps to specify an authentication domain for MAC authentication users:
    To do…...

  • Page 111: Displaying And Maintaining Mac Authentication

    Table 8 Relationships of the MAC authentication guest VLAN with other security features
    Feature / Relationship description / Reference
    • MAC authentication quiet function: The MAC authentication guest VLAN function has higher priority. A user can access any resources in the guest VLAN. (Reference: "MAC authentication timers")
    • The MAC authentication guest VLAN function has higher priority than the block ... (Reference: the chapter "Port security...
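The behaviour of a MAC-authentication-enabled port as described on pages 106 to 111 (authentication triggered by an unknown source MAC, the MAC address used as both username and password in the 00-e0-fc-12-34-56 form of the local-user example, the quiet and offline detect timers with their 60-second and 300-second defaults, and the guest VLAN taking priority over the quiet function), as an added Python model. It is not HP code and models local authentication only; the re-authentication interval for guest VLAN users is not given on this page, so re-authentication is left to the caller. Times are passed in explicitly so the timers can be exercised without waiting.

```python
"""Model of a MAC-authentication-enabled port (added example, not HP code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def mac_username(mac: bytes) -> str:
    """Username/password form used by the guide's local-user example: 00-e0-fc-12-34-56."""
    return "-".join(f"{b:02x}" for b in mac)


@dataclass
class OnlineUser:
    vlan: int
    last_seen: float


@dataclass
class MacAuthPort:
    local_users: Dict[str, str]              # username -> password (constructed test data)
    port_vlan: int = 1
    guest_vlan: Optional[int] = None
    offline_detect: float = 300.0            # default offline detect timer, seconds
    quiet: float = 60.0                      # default quiet timer, seconds
    online: Dict[bytes, OnlineUser] = field(default_factory=dict)
    quiet_until: Dict[bytes, float] = field(default_factory=dict)
    auth_attempts: int = 0                   # counts how often the user database was consulted

    def _authenticate(self, mac: bytes) -> bool:
        self.auth_attempts += 1
        name = mac_username(mac)
        return self.local_users.get(name) == name   # the password is the MAC address too

    def frame(self, src_mac: bytes, now: float) -> str:
        """Decision for one frame: 'forward' (port VLAN), 'guest' (guest VLAN) or 'drop'."""
        user = self.online.get(src_mac)
        if user is not None:
            user.last_seen = now                       # traffic from an online user restarts offline detection
            return "guest" if user.vlan == self.guest_vlan else "forward"
        # Unknown source MAC: either still in its quiet period or it triggers authentication
        if self.quiet_until.get(src_mac, 0.0) > now:
            return "drop"
        if self._authenticate(src_mac):
            self.online[src_mac] = OnlineUser(self.port_vlan, now)
            self.quiet_until.pop(src_mac, None)
            return "forward"
        if self.guest_vlan is not None:
            # The guest VLAN has priority over the quiet function: the failed user is
            # placed in the guest VLAN instead of being silenced.
            self.online[src_mac] = OnlineUser(self.guest_vlan, now)
            return "guest"
        self.quiet_until[src_mac] = now + self.quiet
        return "drop"

    def reauthenticate_guest(self, mac: bytes, now: float) -> str:
        """Re-run authentication for a guest VLAN user. Success moves the user out of the
        guest VLAN into the port VLAN; failure leaves the user in the guest VLAN."""
        user = self.online.get(mac)
        if user is None or user.vlan != self.guest_vlan:
            return "n/a"
        if self._authenticate(mac):
            user.vlan, user.last_seen = self.port_vlan, now
            return "forward"
        return "guest"

    def tick(self, now: float) -> List[bytes]:
        """Offline detect timer: log off users with no traffic for offline_detect seconds."""
        expired = [m for m, u in self.online.items() if now - u.last_seen >= self.offline_detect]
        for m in expired:
            del self.online[m]
        return expired
```

The quiet timer is what keeps a port from being hammered by a device that keeps sourcing an unknown MAC: after one failure the port stops consulting the user database for that MAC until the timer expires, which is the trade-off the page describes between a high value on a vulnerable network and a low value for quicker response.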

  • Page 112

    Configuration procedure
    Configure local MAC authentication.
    # Add a local user account, set both the username and password to 00-e0-fc-12-34-56, the MAC address of the user host, and enable LAN access service for the account.
    <Device> system-view
    [Device] local-user 00-e0-fc-12-34-56
    [Device-luser-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56
    [Device-luser-00-e0-fc-12-34-56] service-type lan-access
    [Device-luser-00-e0-fc-12-34-56] quit...

  • Page 113: Radius-based Mac Authentication Configuration Example

    Current online user number is 1
    MAC Addr Authenticate state Auth Index
    00e0-fc12-3456 MAC_AUTHENTICATOR_SUCCESS
    # After the user passes authentication, use the display connection command to display the online user information.
    <Device> display connection
    Index=29 ,Username=00-e0-fc-12-34-56@aabbcc.net
    MAC=00e0-fc12-3456
    IP=N/A
    IPv6=N/A
    Total 1 connection(s) matched.
    RADIUS-based MAC authentication configuration example
    Network requirements
    As shown in...

  • Page 114

    [Device-radius-2000] primary authentication 10.1.1.1 1812
    [Device-radius-2000] primary accounting 10.1.1.2 1813
    [Device-radius-2000] key authentication abc
    [Device-radius-2000] key accounting abc
    [Device-radius-2000] user-name-format without-domain
    [Device-radius-2000] quit
    # Apply the RADIUS scheme to ISP domain 2000 for authentication, authorization, and accounting.
    [Device] domain 2000
    [Device-isp-2000] authentication default radius-scheme 2000
    [Device-isp-2000] authorization default radius-scheme 2000
    [Device-isp-2000] accounting default radius-scheme 2000...

  • Page 115: Acl Assignment Configuration Example

    # After the user passes authentication, use the display connection command to display the online user information.
    <Device> display connection
    Index=29 ,Username=aaa@2000
    MAC=00e0-fc12-3456
    IP=N/A
    IPv6=N/A
    Total 1 connection(s) matched.
    ACL assignment configuration example
    Network requirements
    As shown in Figure 39, a host connects to the device's port GigabitEthernet 1/0/1, and the device uses RADIUS servers for authentication, authorization, and accounting.

  • Page 116

    [Sysname-radius-2000] primary authentication 10.1.1.1 1812
    [Sysname-radius-2000] primary accounting 10.1.1.2 1813
    [Sysname-radius-2000] key authentication abc
    [Sysname-radius-2000] key accounting abc
    [Sysname-radius-2000] user-name-format without-domain
    [Sysname-radius-2000] quit
    # Apply the RADIUS scheme to an ISP domain for authentication, authorization, and accounting.
    [Sysname] domain 2000
    [Sysname-isp-2000] authentication default radius-scheme 2000
    [Sysname-isp-2000] authorization default radius-scheme 2000
    [Sysname-isp-2000] accounting default radius-scheme 2000...

  • Page 117

    Request timed out.
    Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),...
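An added example, not from the HP guide, that evaluates advanced ACL rules written in the syntax of the example above (rule 0 deny ip destination 10.0.0.1 0) the way the device applies an assigned ACL to the host's traffic, so that the 100% packet loss toward 10.0.0.1 can be predicted before the ACL is pushed by the authorization server. Rules are tried in the order given; the assumption that traffic matching no rule is permitted is this model's own, chosen because the example blocks only the FTP server and leaves everything else open. The trailing 0 is a wildcard (inverse) mask: 0 bits must match and 1 bits are ignored, so 0 selects the single host.

```python
"""Evaluate Comware-style advanced ACL rules (added example, not HP code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Spec = Optional[Tuple[int, int]]   # (address, wildcard) as integers; None means any address


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _wildcard(text: str) -> int:
    """Wildcard mask: a 0 bit must match, a 1 bit is ignored. The guide's rule writes the
    host wildcard as a bare 0, which the CLI accepts as 0.0.0.0."""
    return 0 if text == "0" else _ip(text)


@dataclass
class Rule:
    number: int
    action: str                    # 'permit' or 'deny'
    src: Spec
    dst: Spec


def parse_rule(line: str) -> Rule:
    """Parse 'rule N permit|deny ip [source A W|any] [destination A W|any]'."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "rule" or tokens[2] not in ("permit", "deny") or tokens[3] != "ip":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    src: Spec = None
    dst: Spec = None
    i = 4
    while i < len(tokens):
        key = tokens[i]
        if key not in ("source", "destination"):
            raise ValueError(f"unsupported keyword {key!r}")
        if tokens[i + 1] == "any":
            spec, i = None, i + 2
        else:
            spec, i = (_ip(tokens[i + 1]), _wildcard(tokens[i + 2])), i + 3
        if key == "source":
            src = spec
        else:
            dst = spec
    return Rule(int(tokens[1]), tokens[2], src, dst)


def _matches(spec: Spec, ip: str) -> bool:
    if spec is None:
        return True
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF           # bits that must match
    return (_ip(ip) & care) == (addr & care)


class Acl:
    """Rules are tried in the order given (config order). A packet matching no rule gets
    the default action; 'permit' is this model's assumption (see the lead-in)."""

    def __init__(self, number: int, rule_lines: List[str], default: str = "permit"):
        self.number = number
        self.rules = [parse_rule(line) for line in rule_lines]
        self.default = default

    def decide(self, src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
        """Return (action, matching rule number or None) for a packet from src_ip to dst_ip."""
        for rule in self.rules:
            if _matches(rule.src, src_ip) and _matches(rule.dst, dst_ip):
                return rule.action, rule.number
        return self.default, None
```

Writing a subnet mask (255.255.255.0) where a wildcard belongs is the classic mistake: the rule then matches only destinations whose last octet is 0, so the intended block silently fails and the FTP server stays reachable. Acl.decide makes that visible before the ACL is assigned to real users.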

  • Page 118: Portal Configuration

    Portal configuration
    Portal overview
    Introduction to portal
    Portal authentication helps control access to the Internet. Portal authentication is also called "web authentication". A website implementing portal authentication is called a portal website. With portal authentication, an access device redirects all users to the portal authentication page. All users can access the free services provided on the portal website;...

  • Page 119

    Figure 40 Portal system components (authentication clients, access device, portal server, authentication/accounting server, security policy server)
    Authentication client
    An authentication client is an entity seeking access to network resources. It is typically an end-user terminal, such as a PC. The client can use a browser or portal client software for portal authentication. Client security checking is implemented through communication between the client and the security policy server.

  • Page 120: Portal System Using The Local Portal Server

    to the portal server’s web authentication homepage. For extended portal functions, authentication clients must run the portal client software. On the authentication homepage/authentication dialog box, the user enters and submits the authentication information, which the portal server then transfers to the access device. Upon receipt of the authentication information, the access device communicates with the authentication/accounting server for authentication and accounting.

  • Page 121: Portal Authentication Modes

    Authentication page customization support The local portal server function allows you to customize authentication pages. You can customize authentication pages by editing the corresponding HTML files and then compress and save the files to the storage medium of the device. A set of customized authentication pages consists of six authentication pages—the logon page, the logon success page, the online page, the logoff success page, the logon failure page, and the system busy page.

  • Page 122: Portal Configuration Task List

    The access device and the RADIUS server exchange RADIUS packets to authenticate the user. If the user passes RADIUS authentication, the local portal server pushes a logon success page to the authentication client. Authorized VLAN Layer 2 portal authentication supports VLAN assignment by the authentication server. After a user passes portal authentication, if the authentication server is configured with an authorized VLAN for the user, the authentication server assigns the authorized VLAN to the access device, which will then add the user to the authorized VLAN and generate a MAC VLAN entry.

  • Page 123: Configuration Prerequisites

    Task / Remarks
    Configuring the local portal server:
    • Specifying the local portal server for Layer 2 portal authentication (Required)
    • Customizing authentication pages (Optional)
    • Configuring the local portal server (Required)
    Controlling access of portal users (Optional):
    • Configuring a portal-free rule
    • Setting the maximum number of online portal users
    • Specifying an authentication domain for portal...

  • Page 124: Specifying The Local Portal Server For Layer 2 Portal Authentication

    IP address of the local portal server. HP strongly recommends that you use the IP address of a loopback interface rather than a physical Layer 3 interface, because: The status of a loopback interface is stable.

  • Page 125

    Table 9 Main authentication page file names
    • Logon page: logon.htm
    • Logon success page: logonSuccess.htm
    • Logon failure page: logonFail.htm
    • Online page: online.htm (pushed after the user gets online, for online notification)
    • System busy page: busy.htm (pushed when the system is busy or the user is in the logon process)
    • Logoff success page: logoffSuccess.htm
    NOTE:...

  • Page 126

    The following example shows part of the script in page online.htm.
    <form action=logon.cgi method=post>
    <p><input type=SUBMIT value="Logoff" name="PtButton" style="width:60px;">
    </form>
    Rules on page file compression and saving
    A set of authentication page files must be compressed into a standard zip file. The name of a zip ...

  • Page 127: Configuring The Local Portal Server

    </html>
    NOTE:
    • HP recommends that you use IE 6.0 or later on the authentication clients.
    • Ensure that the browser of an authentication client permits pop-ups, or at least pop-ups from the access device. Otherwise, the user cannot log off by closing the logon success or online page and can only click Cancel to return to the logon success or online page.

  • Page 128: Enabling Layer 2 Portal Authentication

    Not enabled by default.
    NOTE:
    • To ensure normal operation of portal authentication on a Layer 2 port, HP does not recommend enabling port security, the 802.1X guest VLAN, or 802.1X EAD fast deployment on the port.
    • ...

  • Page 129: Controlling Access Of Portal Users

    Controlling access of portal users Configuring a portal-free rule A portal-free rule allows specified users to access specified external websites without portal authentication. For Layer 2 portal authentication, you can configure only a portal-free rule that is from any source address to any or a specified destination address.

  • Page 130: Specifying An Authentication Domain For Portal Users

    Specifying an authentication domain for portal users After you specify an authentication domain for portal users on an interface, the device uses the authentication domain for authentication, authorization, and accounting (AAA) of all portal users on the interface, ignoring the domain names carried in the usernames. This allows you to specify different authentication domains for different interfaces as needed.

  • Page 131: Enabling Support For Portal User Moving

    NOTE:
    • If the port number of a web proxy server is 80, you do not need to configure the port number of the server on the device.
    • If a user's browser uses the Web Proxy Auto-Discovery (WPAD) protocol to discover web proxy servers, you need to add the port numbers of the web proxy servers on the device, and configure portal-free rules to allow user packets destined for the IP address of the WPAD server to pass without authentication.

  • Page 132: Specifying The Auth-fail Vlan For Portal Authentication

    Specifying the Auth-Fail VLAN for portal authentication NOTE: Only Layer 2 portal authentication supports this feature. You can specify the Auth-Fail VLAN to be assigned to users failing portal authentication. Before specifying the Auth-Fail VLAN, be sure to create the VLAN. Follow these steps to specify the Auth-Fail VLAN for portal authentication: To do…...

  • Page 133: Configuring Portal Detection Functions

    NOTE: The wait-time period keyword and argument combination is effective only for local portal authentication.
    Configuring portal detection functions
    After a Layer 2 portal user gets online, the device starts a detection timer for the user and, at each interval, checks whether the user's MAC address entry has been aged out or has been matched (a match means a packet has been received from the user).

  • Page 134: Portal Configuration Examples

    To do… / Use the command… / Remarks
    • Display TCP spoofing statistics: display portal tcp-cheat statistics [ | { begin | exclude | include } regular-expression ] (available in any view)
    • Display information about portal users on a specified interface or all interfaces: display portal user { all | interface interface-type interface-number } [ | { ... (available in any view)...

  • Page 135: Configuration Procedures

    Figure 43 Network diagram for Layer 2 portal authentication configuration (Switch acting as DHCP relay, with Vlan-int1 1.1.1.1 toward the DHCP server 1.1.1.3/24 and the RADIUS server 1.1.1.2/24, Vlan-int3 3.3.3.1 toward the IP network, Vlan-int8 192.168.1.1/24, and Vlan-int2 toward the Update server 2.2.2.2/24 on the 2.2.2.1/24 segment; Host on GE1/0/1)
    Configuration procedures
    NOTE:
    • Ensure that the host, switch, and servers can reach each other before portal authentication is enabled.
    • ...

  • Page 136

    # Configure the local portal server to support HTTPS and reference SSL server policy sslsvr.
    [Switch] portal local-server https server-policy sslsvr
    # Configure the IP address of loopback interface 12 as 4.4.4.4.
    [Switch] interface loopback 12
    [Switch-LoopBack12] ip address 4.4.4.4 32
    [Switch-LoopBack12] quit
    # Specify IP address 4.4.4.4 as the listening IP address of the local portal server for Layer 2 portal authentication.

  • Page 137

    # Enable DHCP. [Switch] dhcp enable # Create DHCP server group 1 and add DHCP server 1.1.1.3 into the group. [Switch] dhcp relay server-group 1 ip 1.1.1.3 # Enable the DHCP relay agent on VLAN-interface 8. [Switch] interface vlan-interface 8 [Switch-Vlan-interface8] dhcp select relay # Correlate DHCP server group 1 with VLAN-interface 8.

  • Page 138: Troubleshooting Portal

    Use the display mac-vlan all command to view the generated MAC-VLAN entries, which record the MAC addresses passing authentication and the corresponding VLANs. [Switch] display mac-vlan all The following MAC VLAN addresses exist: S:Static D:Dynamic MAC ADDR MASK VLAN ID PRIO STATE --------------------------------------------------------...

  • Page 139

    the portal server can receive the ACK_LOGOUT message correctly, no matter whether the listening port is configured on the access device. The user can log off the portal server. Solution Use the display portal server command to display the listening port of the portal server configured on the access device and use the portal server command in the system view to modify it to ensure that it is the actual listening port of the portal server.

  • Page 140: Triple Authentication Configuration

    Triple authentication configuration Triple authentication overview The terminals in a LAN may support different authentication methods. As shown in Figure 44, a printer supports only MAC authentication, a PC installed with the 802.1X client supports 802.1X authentication, and the other PC carries out portal authentication. To satisfy the different authentication requirements, the port of the access device which connects to the terminals needs to support all the three types of authentication and allow a terminal to access the network after the terminal passes one type of authentication.

  • Page 141: Using Triple Authentication With Other Features

    Upon receiving an HTTP packet from a terminal, the access port performs portal authentication on the terminal. If a terminal triggers different types of authentication, the authentications are processed at the same time. A failure of one type of authentication does not affect the others. When a terminal passes one type of authentication, the other types of authentication being performed are terminated.

  • Page 142: Triple Authentication Configuration Examples

    To do… / Use the command… / Remarks: Configure at least one type of authentication:
    - Configure MAC authentication (see the chapter "MAC authentication configuration").
    - Configure Layer-2 portal authentication (see the chapter "Portal configuration").
    NOTE: 802.1X authentication must use MAC-based access control. Triple authentication configuration examples Triple authentication basic function configuration example Network requirements As shown in...

  • Page 143

    NOTE:
    - Make sure that the terminals, the server, and the switch can reach each other.
    - The host of the web user must have a route to the listening IP address of the local portal server.
    - Complete the configuration on the RADIUS server and make sure the authentication, authorization, and accounting functions work normally.

  • Page 144

    [Switch-radius-rs1] server-type extended # Specify the primary authentication and accounting servers and keys. [Switch-radius-rs1] primary authentication 1.1.1.2 [Switch-radius-rs1] primary accounting 1.1.1.2 [Switch-radius-rs1] key authentication radius [Switch-radius-rs1] key accounting radius # Specify usernames sent to the RADIUS server to carry no domain names. [Switch-radius-rs1] user-name-format without-domain [Switch-radius-rs1] quit Configure an ISP domain.

  • Page 145: Triple Authentication Supporting Vlan Assignment And Auth-fail Vlan Configuration Example

    Triple authentication supporting VLAN assignment and Auth-Fail VLAN configuration example Network requirement As shown in Figure 46, the terminals are connected to a switch to access the IP network. It is required to configure triple authentication on the Layer-2 interface of the switch which connects to the terminals, so that a terminal passing one of the three authentication methods, 802.1X authentication, portal authentication, and MAC authentication, can access the IP network.

  • Page 146

    NOTE:
    - Make sure that the terminals, the servers, and the switch can reach each other.
    - When using an external DHCP server, ensure that the terminals can get IP addresses from the server before and after authentication.
    - Complete the configuration on the RADIUS server, and make sure the authentication, authorization, and accounting functions work normally.

  • Page 147

    [Switch-dhcp-pool-3] network 3.3.3.0 mask 255.255.255.0 [Switch-dhcp-pool-3] expired day 0 hour 0 minute 1 [Switch-dhcp-pool-3] gateway-list 3.3.3.1 [Switch-dhcp-pool-3] quit # Configure IP address pool 4, and bind the printer MAC address 0015-e9a6-7cfe to the IP address 3.3.3.111/24 in this address pool. [Switch] dhcp server ip-pool 4 [Switch-dhcp-pool-4] static-bind ip-address 3.3.3.111 mask 255.255.255.0 [Switch-dhcp-pool-4] static-bind mac-address 0015-e9a6-7cfe...

  • Page 148

    # Enable MAC authentication on GigabitEthernet 1/0/1, and specify VLAN 2 as the Auth-Fail VLAN [Switch] interface gigabitethernet 1/0/1 [Switch–GigabitEthernet1/0/1] mac-authentication [Switch–GigabitEthernet1/0/1] mac-authentication guest-vlan 2 [Switch–GigabitEthernet1/0/1] quit Configure a RADIUS scheme. # Create a RADIUS scheme named rs1. [Switch] radius scheme rs1 # Specify the server type for the RADIUS scheme, which must be extended when the iMC server is used.

  • Page 149

    IP=3.3.3.2 IPv6=N/A MAC=0002-0002-0001 Index=32 , Username=001588f80dd7@triple IP=N/A IPv6=N/A MAC=0015-88f8-0dd7 Total 3 connection(s) matched on slot 1. Total 3 connection(s) matched. Use the display mac-vlan all command to view the MAC-VLAN entries of online users. VLAN 3 is the authorized VLAN. [Switch] display mac-vlan all The following MAC VLAN addresses exist: S:Static...

  • Page 150: Port Security Configuration

    MAC authentication. They apply to scenarios that require both 802.1X authentication and MAC authentication. For scenarios that require only 802.1X authentication or MAC authentication, HP recommends you configure 802.1X authentication or MAC authentication rather than port security. For information about 802.1X and MAC authentication, see the chapters “802.1X configuration”...

  • Page 151

    - MAC learning control—Includes two modes, autoLearn and secure. MAC address learning is permitted on a port in autoLearn mode and disabled in secure mode.
    - Authentication—Security modes of this category use MAC authentication, 802.1X authentication, or their combinations to implement authentication.
    Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address.

  • Page 152

    A port in this mode can learn MAC addresses, and allows frames from learned or configured MAC addresses to pass. The automatically learned MAC addresses are secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command. A secure MAC address never ages out by default.

  • Page 153: Support For Guest Vlan And Auth-fail Vlan

    macAddressElseUserLoginSecure This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority as the Else keyword implies. For non-802.1X frames, a port in this mode performs only MAC authentication. For 802.1X frames, it performs MAC authentication and then, if the authentication fails, 802.1X authentication.

  • Page 154: Enabling Port Security

    Task / Remarks: Ignoring authorization information from the server (Optional). Enabling port security Configuration prerequisites Disable 802.1X and MAC authentication globally. Configuration procedure Follow these steps to enable port security:
    - Enter system view: system-view (—).
    - Enable port security: port-security enable (Required)...

  • Page 155: Setting The Port Security Mode

    - Control the number of secure MAC addresses that a port can learn for port security.
    - Control the maximum number of users who are allowed to access the network through the port.
    Follow these steps to set the maximum number of secure MAC addresses allowed on a port: To do…...

  • Page 156: Configuring Port Security Features

    To do… / Use the command… / Remarks:
    - Enter Layer 2 Ethernet interface view: interface interface-type interface-number (—).
    - Set the port security mode: port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | ... } (Required; by default, a port operates in noRestrictions mode).

  • Page 157: Configuring Intrusion Protection

    To do… / Use the command… / Remarks: Configure the NTK feature: port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly } (Required; by default, NTK is disabled on a port and all frames are allowed to be sent). NOTE: Support for the NTK feature depends on the port security mode. Configuring intrusion protection Intrusion protection enables a device to take one of the following actions in response to illegal frames: blockmac—Adds the source MAC addresses of illegal frames to the blocked MAC addresses list...
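    The interaction of the autoLearn and secure modes, secure MAC addresses, NTK and intrusion protection described on pages 151 to 157 is easier to follow as a small state machine. The following Python model is an added example written for this page; it is not HP or Comware code and does not run on the switch. The action keywords (blockmac, disableport, disableport-temporarily; ntkonly, ntk-withbroadcasts, ntk-withmulticasts) are the ones the page lists; the assumptions are that MAC addresses are written in the switch's hhhh-hhhh-hhhh form, that ntkonly forwards only unicast frames to secure MACs, that ntk-withbroadcasts also forwards broadcasts, and that ntk-withmulticasts also forwards multicasts and broadcasts.

```python
"""Model of a port-security port (autoLearn/secure modes, NTK, intrusion
protection). Added illustration for this page, not HP/Comware code."""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class SecurePort:
    max_secure: int                         # port-security max-mac-count
    intrusion_action: str = "blockmac"      # blockmac | disableport | disableport-temporarily
    disableport_timer: int = 30             # port-security timer disableport (seconds)
    ntk_mode: Optional[str] = None          # None = NTK disabled (the default)
    mode: str = "autolearn"                 # becomes "secure" once max_secure is reached
    secure_macs: Set[str] = field(default_factory=set)
    blocked_macs: Set[str] = field(default_factory=set)
    link_down: bool = False
    down_remaining: int = 0                 # seconds left while temporarily disabled

    def receive(self, src_mac: str) -> str:
        """Handle one inbound frame and report what the port did with it."""
        if self.link_down or src_mac in self.blocked_macs:
            return "dropped"
        if src_mac in self.secure_macs:
            return "forwarded"              # known secure MAC: passes
        if self.mode == "autolearn":
            self.secure_macs.add(src_mac)   # learned addresses become secure MACs
            if len(self.secure_macs) >= self.max_secure:
                self.mode = "secure"        # limit reached: learning stops
            return "learned"
        return self._intrusion(src_mac)     # secure mode: unknown source is illegal

    def _intrusion(self, src_mac: str) -> str:
        """Apply the configured intrusion-protection action to an illegal frame."""
        if self.intrusion_action == "blockmac":
            self.blocked_macs.add(src_mac)  # source MAC goes on the blocked list
            return "blocked"
        self.link_down = True               # disableport / disableport-temporarily
        if self.intrusion_action == "disableport-temporarily":
            self.down_remaining = self.disableport_timer
        return "port-disabled"

    def tick(self, seconds: int) -> None:
        """Advance time; a temporarily disabled port comes back when its timer expires."""
        if self.link_down and self.intrusion_action == "disableport-temporarily":
            self.down_remaining = max(0, self.down_remaining - seconds)
            if self.down_remaining == 0:
                self.link_down = False

    def may_send(self, dst_mac: str) -> bool:
        """NTK (need to know): decide whether an outbound frame may leave the port."""
        if self.link_down:
            return False
        if self.ntk_mode is None:
            return True                     # NTK disabled: every frame is sent
        if dst_mac in self.secure_macs:
            return True                     # unicast to a secure MAC always passes
        broadcast = dst_mac.lower() == "ffff-ffff-ffff"
        multicast = not broadcast and int(dst_mac[:2], 16) & 1 == 1
        if broadcast:
            return self.ntk_mode in ("ntk-withbroadcasts", "ntk-withmulticasts")
        if multicast:
            return self.ntk_mode == "ntk-withmulticasts"
        return False                        # unknown unicast never leaves under NTK


if __name__ == "__main__":
    # Constructed walk-through: two secure MACs allowed, then a third station appears.
    port = SecurePort(max_secure=2, intrusion_action="disableport-temporarily")
    for mac in ("0015-e9a6-7cfe", "0002-0002-0001", "00aa-bbbb-cccc"):
        print(mac, "->", port.receive(mac), "| mode:", port.mode, "| link down:", port.link_down)
```

    The model makes the page's configuration advice concrete: with disableport-temporarily the port recovers after the port-security timer disableport interval (30 seconds in the example on page 161), whereas with blockmac only the offending address is shut out and legitimate stations keep working.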

  • Page 158: Configuring Secure Mac Addresses

    - ralmlogfailure/ralmlogon/ralmlogoff—MAC authentication failure/MAC authentication user logon/MAC authentication user logoff.
    - intrusion—Detection of illegal frames.
    Follow these steps to enable port security traps: To do… / Use the command… / Remarks:
    - Enter system view: system-view (—).
    - Enable port security traps: port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | ... } (Required; by default, port security traps are...

  • Page 159: Ignoring Authorization Information From The Server

    To do… / Use the command… / Remarks:
    - Enter system view: system-view (—).
    - Set the sticky MAC aging timer: port-security timer autolearn aging time-value (Optional; by default, sticky MAC addresses do not age out, and you can remove them only by performing the undo port-security mac-address security...

  • Page 160: Port Security Configuration Examples

    To do… / Use the command… / Remarks:
    - Display information about secure MAC addresses: display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] [ | { begin | exclude | include } regular-expression ] (available in any view).
    - Display information about ...: display port-security mac-address block [ interface interface-type ...

  • Page 161

    [Switch-GigabitEthernet1/0/1] port-security port-mode autolearn # Configure the port to be silent for 30 seconds after the intrusion protection feature is triggered. [Switch-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily [Switch-GigabitEthernet1/0/1] quit [Switch] port-security timer disableport 30 Verify the configuration. After completing the configurations, use the following command to view the port security configuration information: <Switch>...

  • Page 162: Configuring The Userloginwithoui Mode

    Port: 9437185 MAC Addr: 00:02:00:00:00:32 VLAN ID: 1 IfAdminStatus: 1 In addition, you will see that the port security feature has disabled the port if you issue the following command: [Switch-GigabitEthernet1/0/1] display interface gigabitethernet 1/0/1 GigabitEthernet1/0/1 current state: Port Security Disabled IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-cb00-5558 Description: GigabitEthernet1/0/1 Interface ..

  • Page 163

    Figure 48 Network diagram for configuring the userLoginWithOUI mode (Host connected to GE1/0/1 of the switch, 192.168.1.1/24; authentication servers 192.168.1.2/24 and 192.168.1.3/24; the switch connects to the Internet)
    Configuration procedure
    NOTE:
    - The following configuration steps cover some AAA/RADIUS configuration commands. For details about the commands, see the chapter "AAA configuration commands."
    ...

  • Page 164

    # Enable port security. [Switch] port-security enable # Add five OUI values. [Switch] port-security oui 1234-0100-1111 index 1 [Switch] port-security oui 1234-0200-1111 index 2 [Switch] port-security oui 1234-0300-1111 index 3 [Switch] port-security oui 1234-0400-1111 index 4 [Switch] port-security oui 1234-0500-1111 index 5 [Switch] interface gigabitethernet 1/0/1 # Set the port security mode to userLoginWithOUI.

  • Page 165

    Accounting method : Required Default authentication scheme : radius:radsun Default authorization scheme : radius:radsun Default accounting scheme : radius:radsun Domain User Template: Idle-cut : Disabled Self-service : Disabled Authorization attributes: Use the following command to view the port security configuration information: <Switch>...

  • Page 166: Configuring The Macaddresselseuserloginsecure Mode

    Handshake is enabled Handshake secure is disabled 802.1X unicast-trigger is enabled Periodic reauthentication is disabled The port is an authenticator Authentication Mode is Auto Port Control Type is Mac-based 802.1X Multicast-trigger is enabled Mandatory authentication domain: NOT configured Guest VLAN: NOT configured Auth-Fail VLAN: NOT configured Max number of on-line users is 256 EAPOL Packet: Tx 16331, Rx 102...

  • Page 167

    Configuration procedure NOTE: Configurations on the host and RADIUS servers are not shown. Configure the RADIUS protocol. The required RADIUS authentication/accounting configurations and ISP domain configurations are the same as those in Configuring the userLoginWithOUI mode. Configure port security. # Enable port security. <Switch>...

  • Page 168

    Use the following command to view MAC authentication information: <Switch> display mac-authentication interface gigabitethernet 1/0/1 MAC address authentication is enabled. User name format is fixed account Fixed username:aaa Fixed password:123456 Offline detect period is 60s Quiet period is 5s Server response timeout value is 100s The max allowed user number is 1024 per slot Current user number amounts to 3 Current domain is mac...

  • Page 169: Troubleshooting Port Security

    802.1X unicast-trigger is enabled Periodic reauthentication is disabled The port is an authenticator Authentication Mode is Auto Port Control Type is Mac-based 802.1X Multicast-trigger is enabled Mandatory authentication domain: NOT configured Guest VLAN: NOT configured Auth-Fail VLAN: NOT configured Max number of on-line users is 256 EAPOL Packet: Tx 16331, Rx 102 Sent EAP Request/Identity Packets : 16316 EAP Request/Challenge Packets: 6...

  • Page 170: Cannot Configure Secure Mac Addresses

    Cannot configure secure MAC addresses Symptom Cannot configure secure MAC addresses. [Switch-GigabitEthernet1/0/1] port-security mac-address security 1-1-2 vlan 1 Error: Security MAC address configuration failed. Analysis No secure MAC address can be configured on a port operating in a port security mode other than autoLearn.

  • Page 171: User Profile Configuration

    User profile configuration User profile overview A user profile provides a configuration template to save predefined configurations, such as a Quality of Service (QoS) policy. Different user profiles are applicable to different application scenarios. The user profile supports working with 802.1X, MAC and portal authentications. It is capable of restricting authenticated users' behaviors.

  • Page 172: Configuring A User Profile

    To do… / Use the command… / Remarks:
    - Enter system view: system-view (—).
    - Create a user profile and enter its view: user-profile profile-name (Required; you can also use this command to enter the view of an existing user profile).
    Configuring a user profile After a user profile is created, apply a QoS policy in user profile view to implement restrictions on online users.

  • Page 173: Displaying And Maintaining User Profile

    NOTE:
    - You can only edit or remove the configurations in a disabled user profile.
    - Disabling a user profile logs out the users that are using the user profile.
    Displaying and maintaining user profile To do… / Use the command… / Remarks: display user-profile [ | { begin | Display information about all the...

  • Page 174: Password Control Configuration

    Password control configuration Password control overview Password control refers to a set of functions provided by the local authentication server to control user login passwords, super passwords, and user login status based on predefined policies. The rest of this section describes the password control functions in detail. Minimum password length By setting a minimum password length, you can require users to choose passwords long enough for system security.

  • Page 175

    You can allow a user to log in a certain number of times within a specified period of time after the password expires, so that the user does not need to change the password immediately. For example, if you set the maximum number of logins with an expired password to three and the time period to 15 days, a user can log in three times within 15 days after the password expires.

  • Page 176: Password Control Configuration Task List

    Password complexity checking A less complicated password such as a password containing the username or repeated characters is more likely to be cracked. For higher security, you can configure a password complexity checking policy to ensure that all user passwords are relatively complicated. With such a policy configured, when a user configures a password, the system checks the complexity of the password.

  • Page 177: Configuring Password Control

    Task / Remarks:
    - Setting user group password control parameters (Optional)
    - Setting local user password control parameters (Optional)
    - Setting super password control parameters (Optional)
    - Setting a local user password in interactive mode (Optional)
    Configuring password control Enabling password control To enable password control functions, you need to: Enable the password control feature in system view.

  • Page 178: Setting User Group Password Control Parameters

    To do… / Use the command… / Remarks:
    - Set the minimum password update interval: password-control password update interval interval (Optional; 24 hours by default).
    - Set the minimum password length: password-control length length (Optional; 10 characters by default).
    - Configure the password composition policy: password-control composition ... (Optional; by default, the minimum number of password composition types is...

  • Page 179: Setting Local User Password Control Parameters

    To do… / Use the command… / Remarks:
    - Enter system view: system-view (—).
    - Create a user group and enter user group view: user-group group-name (—).
    - Configure the password aging time for the user group: password-control aging aging-time (Optional; by default, the password aging time configured in system view is used).

  • Page 180: Setting Super Password Control Parameters

    Setting super password control parameters NOTE:
    - CLI commands fall into four levels: visit, monitor, system, and manage, in ascending order. Accordingly, login users fall into four levels, each corresponding to a command level. A user of a certain level can only use the commands at that level or lower levels.

  • Page 181: Password Control Configuration Example

    To do… / Use the command… / Remarks:
    - Display information about users blacklisted due to authentication failure: display password-control blacklist [ user-name name | ip ipv4-address | ipv6 ipv6-address ] [ | { begin | exclude | include } regular-expression ] (available in any view).
    - Delete users from the blacklist: reset password-control blacklist [ ...

  • Page 182

    [Sysname] password-control aging 30 # Set the minimum password update interval to 36 hours. [Sysname] password-control password update interval 36 # Specify that a user can log in five times within 60 days after the password expires. [Sysname] password-control expired-user-login delay 60 times 5 # Set the maximum account idle time to 30 days.

  • Page 183

    User authentication timeout: 60 seconds Maximum failed login attempts: 2 times Login attempt-failed action: Lock Minimum password update time: 36 hours User account idle-time: 30 days Login with aged password: 5 times in 60 day(s) Password complexity: Enabled (username checking) Enabled (repeated characters checking) # Display the password control configuration information for super passwords.
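    The rules described on pages 174 to 183 (minimum length, composition types, username and repeated-character checks, the minimum update interval, the grace logins after a password ages out, and locking after too many failed attempts) are shown below as working Python. This is an added example written for this page, not HP code; it does not run on the switch but models what the switch enforces. The policy values mirror the page's configuration example (aging 30 days, update interval 36 hours, 5 logins within 60 days after expiry, lock after 2 failed attempts). The exact form of the composition rule (each counted character type must contain at least type-length characters), the check of the reversed username, and the "three or more identical consecutive characters" rule are assumptions about the switch's checks.

```python
"""Model of password control checks; added example for this page, not HP
code. Policy values follow the page's example; the exact composition,
username and repeat rules are assumptions about the switch."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class PasswordPolicy:
    min_length: int = 10                 # password-control length (10 by default)
    min_types: int = 1                   # password-control composition type-number
    min_per_type: int = 1                # ... type-length (assumed: applies per counted type)
    check_username: bool = True          # Password complexity: username checking
    check_repeats: bool = True           # Password complexity: repeated characters checking
    aging_days: int = 30                 # password-control aging 30
    update_interval_hours: int = 36      # password-control password update interval 36
    expired_login_days: int = 60         # password-control expired-user-login delay 60 ...
    expired_login_times: int = 5         # ... times 5
    max_failed_attempts: int = 2         # Maximum failed login attempts: 2, action Lock


def composition_counts(password: str) -> Dict[str, int]:
    """Count the characters of each composition type: upper, lower, digit, other."""
    return {
        "upper": sum(c.isupper() for c in password),
        "lower": sum(c.islower() for c in password),
        "digit": sum(c.isdigit() for c in password),
        "other": sum(not c.isalnum() for c in password),
    }


def check_new_password(password: str, username: str, policy: PasswordPolicy) -> List[str]:
    """Return the policy violations for a candidate password; an empty list means accepted."""
    problems: List[str] = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    types_present = [t for t, n in composition_counts(password).items()
                     if n >= policy.min_per_type]
    if len(types_present) < policy.min_types:
        problems.append(f"needs {policy.min_types} character types with at least "
                        f"{policy.min_per_type} characters each")
    if policy.check_username and username:
        low, user = password.lower(), username.lower()
        if user in low or user[::-1] in low:          # assumed: the reverse is checked too
            problems.append("contains the username or its reverse")
    if policy.check_repeats and re.search(r"(.)\1\1", password):
        problems.append("a character is repeated three or more times consecutively")
    return problems


def may_change_password(last_changed: datetime, now: datetime, policy: PasswordPolicy) -> bool:
    """Minimum update interval: refuse a change made too soon after the previous one."""
    return now - last_changed >= timedelta(hours=policy.update_interval_hours)


def expired_login_allowed(last_changed: datetime, now: datetime,
                          logins_since_expiry: int, policy: PasswordPolicy) -> bool:
    """After the password ages out, allow a limited number of logins inside a grace window."""
    expired_at = last_changed + timedelta(days=policy.aging_days)
    if now < expired_at:
        return True                                   # password has not expired yet
    in_window = now - expired_at <= timedelta(days=policy.expired_login_days)
    return in_window and logins_since_expiry < policy.expired_login_times


def record_failed_login(failures: int, policy: PasswordPolicy) -> Tuple[int, bool]:
    """Count one more failed attempt and report whether the account is now locked."""
    failures += 1
    return failures, failures > policy.max_failed_attempts


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("Ab3$efghij", "admin2011!", "Abc111defG"):   # constructed inputs
        print(candidate, "->", check_new_password(candidate, "admin", policy) or "accepted")
```

    Running the block with the constructed candidates shows why the default length and composition settings alone are weak: a ten-character password built from the username passes the length check and fails only because username checking is enabled.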

  • Page 184: Habp Configuration

    HABP configuration HABP overview The HW Authentication Bypass Protocol (HABP) is intended to enable the downstream network devices of an access device to bypass 802.1X authentication and MAC authentication configured on the access device. As shown in Figure 49, 802.1X authenticator Switch A has two switches attached to it: Switch B and Switch C.

  • Page 185: Configuring Habp

    CAUTION:
    - In a cluster, if a member switch with 802.1X authentication or MAC authentication enabled is attached with some other member switches of the cluster, you also need to configure HABP server on this device. Otherwise, the cluster management device will not be able to manage the devices attached to this member switch.
    ...

  • Page 186: Displaying And Maintaining Habp

    To do… / Use the command… / Remarks:
    - Configure HABP to work in client mode: undo habp server (Optional; HABP works in client mode by default).
    - Specify the VLAN to which the HABP client belongs: habp client vlan vlan-id (Optional; by default, an HABP client belongs to VLAN 1).

  • Page 187: Configuration Procedure

    Figure 50 Network diagram for HABP configuration (Switch A, the HABP server, connects to the Internet and the authentication server; HABP clients Switch B and Switch C, both in VLAN 1, attach to Switch A on GE1/0/1 and GE1/0/2; Hosts A through D sit behind Switch B and Switch C)
    Configuration procedure Configure Switch A # Perform 802.1X related configurations on Switch A.

  • Page 188

    Configurations on Switch C are similar to those on Switch B. Verify your configuration # Display HABP configuration information. <SwitchA> display habp Global HABP information: HABP Mode: Server Sending HABP request packets every 50 seconds Bypass VLAN: 1 # Display HABP MAC address table entries. <SwitchA>...

  • Page 189: Public Key Configuration

    Public key configuration Asymmetric key algorithm overview Basic concepts
    - Algorithm: A set of transformation rules for encryption and decryption.
    - Plain text: Information that has not been encrypted.
    - Cipher text: Encrypted information.
    - Key: A string of characters that controls the transformation between plain text and cipher text. It is ...

  • Page 190: Configuring The Local Asymmetric Key Pair

    Digital signature—The sender signs the information to be sent with its own private key. A receiver verifies the signature with the sender's public key; a valid signature shows that the information came from the holder of the private key and was not altered in transit. The Rivest-Shamir-Adleman algorithm (RSA) and the Digital Signature Algorithm (DSA) are both asymmetric key algorithms.

  • Page 191: Destroying An Asymmetric Key Pair

    (PKCS) format. HP recommends that you follow this method to configure the peer public key.
    - Configure it manually—If the peer is an HP device, you can use the display public-key local public command to view and record its public key. On the local host, input or copy the key data in public key code view.

  • Page 192: Displaying And Maintaining Public Keys

    To do… / Use the command… / Remarks:
    - Import the peer host public key from the public key file: public-key peer keyname import sshkey filename (Required).
    Follow these steps to configure a peer public key manually: To do… / Use the command… / Remarks:
    - Enter system view: system-view (—)...

  • Page 193

    - Configure Device B to use the asymmetric key algorithm of RSA for identity authentication of Device
    - Manually configure the host public key of Device A on Device B.
    Figure 52 Network diagram for manually configuring a peer public key (Device A connected to Device B)
    Configuration procedure...

  • Page 194: Importing A Peer Public Key From A Public Key File

    Configure Device B. # Configure the host public key of Device A on Device B. In public key code view, input the host public key of Device A. The host public key is the content of HOST_KEY displayed on Device A using the display public-key local dsa public command.

  • Page 195

    # Create RSA key pairs on Device A. <DeviceA> system-view [DeviceA] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort.

  • Page 196

    [DeviceB-luser-ftp] authorization-attribute level 3 [DeviceB-luser-ftp] quit Upload the public key file of Device A to Device B. # FTP the public key file devicea.pub to Device B with the file transfer mode of binary. <DeviceA> ftp 10.1.1.2 Trying 10.1.1.2 ... Press CTRL+K to abort Connected to 10.1.1.2.

  • Page 197: Pki Configuration

    With digital certificates, the PKI system provides network communication and e-commerce with security services such as user authentication, data non-repudiation, data confidentiality, and data integrity. HP's PKI system provides certificate management for Secure Sockets Layer (SSL). PKI terms Digital certificate ...

  • Page 198: Pki Architecture

    statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, and email. As different CAs might use different methods to check the binding of a public key with an entity, make sure that you understand the CA policy before selecting a trusted CA for certificate request. PKI architecture A PKI system consists of entities, a CA, a registration authority (RA), and a PKI repository.

  • Page 199: How Does Pki Work

    - A virtual private network (VPN) is a private data communication network built on the public communication infrastructure. A VPN can leverage network layer security protocols, for example IPsec, in conjunction with PKI-based encryption and digital signature technologies for confidentiality.
    - Secure email Emails require confidentiality, integrity, authentication, and non-repudiation.

  • Page 200: Configuring An Entity Dn

    Task Remarks Configuring an access control policy Optional Configuring an entity DN A certificate is the binding of a public key and the identity information of an entity, where the identity information is identified by an entity distinguished name (DN). A CA identifies a certificate applicant uniquely by entity DN.

  • Page 201: Configuring A Pki Domain

    To do… / Use the command… / Remarks:
    - Configure the locality for the entity: locality locality-name (Optional; no locality is specified by default).
    - Configure the organization name for the entity: organization org-name (Optional; no organization is specified by default).
    - Configure the unit name for the entity: organization-unit org-unit-name (Optional; no unit is specified by default).

  • Page 202: Submitting A Pki Certificate Request

    Follow these steps to configure a PKI domain: To do… / Use the command… / Remarks:
    - Enter system view: system-view (—).
    - Create a PKI domain and enter its view: pki domain domain-name (Required; no PKI domain exists by default).
    - Specify the trusted CA: ca identifier name (Required; no trusted CA is specified by default).

  • Page 203: Submitting A Certificate Request In Auto Mode

    submitted to a CA in an online mode or an offline mode. In offline mode, a certificate request is submitted to a CA by an "out-of-band" means such as phone, disk, or email. An online certificate request can be submitted in manual mode or auto mode. Submitting a certificate request in auto mode In auto mode, an entity automatically requests a certificate from the CA server if it has no local certificate for an application working with PKI, and then retrieves the certificate and saves the certificate locally.

  • Page 204: Retrieving A Certificate Manually

    To do… / Use the command… / Remarks:
    - Generate a local RSA key pair: public-key local create rsa (Required; no local RSA key pair exists by default).
    - Submit a local certificate request manually: pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ] (Required).
    NOTE: ...

  • Page 205: Configuring Pki Certificate Verification

    CAUTION:
    - If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This restriction helps avoid inconsistency between the certificate and registration information resulting from configuration changes. To retrieve a new CA certificate, use the pki delete-certificate command to delete the existing CA certificate and the local certificate first.

  • Page 206: Destroying A Local Rsa Key Pair

    To do… / Use the command… / Remarks:
    - Enter PKI domain view: pki domain domain-name (—).
    - Disable CRL checking: crl check disable (Required; enabled by default).
    - Return to system view: quit (—).
    - Retrieve the CA certificate: see "Retrieving a certificate manually" (Required).
    - Verify the validity of the certificate: pki validate-certificate { ca | local } domain domain-name (Required)...

  • Page 207: Configuring An Access Control Policy

    Configuring an access control policy A certificate attribute-based access control policy can further control access to the server, providing additional security for the server. Follow these steps to configure a certificate attribute-based access control policy: To do… Use the command… Remarks Enter system view system-view...

  • Page 208: Pki Configuration Examples

    PKI configuration examples CAUTION:
    - When the CA uses Windows Server, the SCEP add-on is required, and you must use the certificate request from ra command to specify that the entity request a certificate from an RA.
    - When the CA uses RSA Keon, the SCEP add-on is not required, and you must use the certificate request from ca command to specify that the entity request a certificate from a CA.

  • Page 209

    Configure the switch
    Configure the entity DN
    # Configure the entity name as aaa and the common name as switch. <Switch> system-view [Switch] pki entity aaa [Switch-pki-entity-aaa] common-name switch [Switch-pki-entity-aaa] quit
    Configure the PKI domain
    # Create PKI domain torsa and enter its view. [Switch] pki domain torsa # Configure the name of the trusted CA as myca.

  • Page 210

    Is the finger print correct?(Y/N):y Saving CA/RA certificates chain, please wait a moment..CA certificates retrieval success. # Retrieve CRLs and save them locally. [Switch] pki retrieval-crl domain torsa Connecting to server for retrieving CRL. Please wait a while..CRL retrieval success! # Request a local certificate manually.

  • Page 211: Requesting A Certificate From A Ca Running Windows 2003 Server

    Exponent: 65537 (0x10001) X509v3 extensions: X509v3 CRL Distribution Points: URI:http://4.4.4.133:447/myca.crl Signature Algorithm: sha1WithRSAEncryption 836213A4 F2F74C1A 50F4100D B764D6CE B30C0133 C4363F2F 73454D51 E9F95962 EDE9E590 E7458FA6 765A0D3F C4047BC2 9C391FF0 7383C4DF 9A0CCFA9 231428AF 987B029C C857AD96 E4C92441 9382E798 8FCC1E4A 3E598D81 96476875 E2F86C33 75B51661 B6556C5E 8F546E97 5197734B C8C29AC7 E427C8E4 B9AAF5AA 80A75B3C You can also use some other display commands—display pki certificate ca domain and display pki crl domain commands—to view detailed information about the CA certificate and CRLs.

  • Page 212

    Modify the certificate service attributes From the start menu, select Control Panel > Administrative Tools > Certificate Authority. If the CA server and SCEP add-on have been installed successfully, there should be two certificates issued by the CA to the RA.

  • Page 213

    +++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++ (key generation progress output)
    Apply for certificates
    # Retrieve the CA certificate and save it locally. [Switch] pki retrieval-certificate ca domain torsa Retrieving CA/RA certificates. Please wait a while..The trusted CA's finger print is: fingerprint:766C D2C8 9E46 845B 4DCE 439C 1C1F 83AB SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4 Is the finger print correct?(Y/N):y Saving CA/RA certificates chain, please wait a moment..
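    Both retrieval examples on this page (pages 210 and 213) stop at the "Is the finger print correct?(Y/N)" prompt; answering y is the point at which the switch starts trusting the CA, so the fingerprint on screen has to be compared with one obtained from the CA by an out-of-band channel, not just accepted. The Python below is an added example written for this page, not HP code, showing how the prompt is parsed and how the comparison should be done. The fingerprint values in PAGE_PROMPT are copied from the page's output; the CA certificate bytes in SAMPLE_DER are a constructed stand-in rather than a real certificate, and the "expected" fingerprint passed to should_accept stands for the value the operator obtained from the CA beforehand.

```python
"""Verifying the CA fingerprint shown by 'pki retrieval-certificate'.
Added example for this page, not HP code; sample data is constructed."""
import hashlib
import hmac
import re
from typing import Dict


def fingerprint(der: bytes, algo: str) -> str:
    """Render a digest the way the switch prints it: upper-case hex in groups of four."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def render_prompt(der: bytes) -> str:
    """Simulated switch output for a certificate, in the layout the page shows."""
    return (
        "Retrieving CA/RA certificates. Please wait a while......\n"
        "The trusted CA's finger print is:\n"
        f"    MD5  fingerprint:{fingerprint(der, 'md5')}\n"
        f"    SHA1 fingerprint:{fingerprint(der, 'sha1')}\n"
        "Is the finger print correct?(Y/N):"
    )


def parse_prompt(output: str) -> Dict[str, str]:
    """Pull the fingerprints out of the prompt; 32 hex digits is MD5, 40 is SHA1."""
    found: Dict[str, str] = {}
    for m in re.finditer(r"fingerprint:\s*([0-9A-Fa-f]{4}(?: [0-9A-Fa-f]{4})+)", output):
        digits = m.group(1).replace(" ", "").upper()
        found[{32: "md5", 40: "sha1"}.get(len(digits), "unknown")] = digits
    return found


def fingerprint_matches(shown: str, expected: str) -> bool:
    """Compare two fingerprints regardless of spacing or case, in constant time."""
    def norm(s: str) -> str:
        return re.sub(r"[^0-9a-f]", "", s.lower())
    return hmac.compare_digest(norm(shown), norm(expected))


def should_accept(output: str, expected_sha1: str) -> bool:
    """Answer Y only when the SHA1 fingerprint on screen equals the CA's published one."""
    shown = parse_prompt(output).get("sha1")
    return shown is not None and fingerprint_matches(shown, expected_sha1)


# Prompt text as printed on the page (fingerprint values copied from the page's example).
PAGE_PROMPT = (
    "The trusted CA's finger print is:\n"
    "    fingerprint:766C D2C8 9E46 845B 4DCE 439C 1C1F 83AB\n"
    "    SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4\n"
    "Is the finger print correct?(Y/N):"
)

# Constructed stand-in for a DER-encoded CA certificate (not a real certificate).
SAMPLE_DER = bytes(range(256)) * 4

if __name__ == "__main__":
    print(render_prompt(SAMPLE_DER))
    published = fingerprint(SAMPLE_DER, "sha1")   # what the CA operator gave you out of band
    print("answer Y:", should_accept(render_prompt(SAMPLE_DER), published))
    print("answer Y:", should_accept(PAGE_PROMPT, published))   # different CA: False
```

    The SHA1 value is the one to compare; the MD5 line is printed for older tooling and should not be relied on alone. If the page's prompt is fed to should_accept with any fingerprint other than the page's SHA1 value, the function returns False, which is the case where the operator must answer n and investigate before retrieving the CA certificate again.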

  • Page 214: Configuring A Certificate Attribute-based Access Control Policy

    10242FDD D3947F5E 2DA70BD9 1FAF07E5 1D167CE1 FC20394F 476F5C08 C5067DF9
    CB4D05E6 55DC11B6 9F4C014D EA600306 81D403CF 2D93BC5A 8AF3224D 1125E439
    78ECEFE1 7FA9AE7B 877B50B8 3280509F
    Exponent: 65537 (0x10001)
    X509v3 extensions:
    X509v3 Subject Key Identifier:
    B68E4107 91D7C44C 7ABCE3BA 9BF385F8 A448F4E1
    X509v3 Authority Key Identifier:
    keyid:9D823258 EADFEFA2 4A663E75 F416B6F6 D41EE4FE
    X509v3 CRL Distribution Points:
    URI:http://l00192b/CertEnroll/CA%20server.crl
    URI:file://\\l00192b\CertEnroll\CA server.crl...

  • Page 215

    Configuration procedure
    NOTE:
    • For more information about SSL configuration, see the chapter "SSL configuration."
    • For more information about HTTPS configuration, see the Fundamentals Configuration Guide.
    • The PKI domain to be referenced by the SSL policy must be created in advance. For how to configure a PKI domain, see "Configure the PKI domain."...

  • Page 216: Troubleshooting Pki

    Troubleshooting PKI
    Failed to retrieve a CA certificate
    Symptom
    Failed to retrieve a CA certificate.
    Analysis
    Possible reasons include:
    • The network connection is not proper. For example, the network cable might be damaged or loose.
    • No trusted CA is specified.
    • ...

  • Page 217: Failed To Retrieve Crls

    • Use the ping command to check that the RA server is reachable.
    • Specify the authority for certificate request.
    • Configure the required entity DN parameters.
    Failed to retrieve CRLs
    Symptom
    Failed to retrieve CRLs.
    Analysis
    Possible reasons include:
    • The network connection is not proper.

  • Page 218: Ssh2.0 Configuration

    SSH2.0 configuration SSH2.0 overview Introduction to SSH2.0 Secure Shell (SSH) offers an approach to logging in to a remote device securely. Using encryption and strong authentication, SSH protects devices against attacks such as IP spoofing and plain text password interception. The device can not only work as an SSH server to support connections with SSH clients, but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server.

  • Page 219

    secondary protocol version numbers constitute the protocol version number. The software version number is used for debugging. Upon receiving the packet, the client resolves the packet and compares the server’s protocol version number with that of its own. If the server’s protocol version is lower and supportable, the client uses the protocol version of the server;...
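    The version negotiation described above, as an added example that is not part of the guide: a small Python model of the RFC 4253 identification-string exchange. Each side announces "SSH-protoversion-softwareversion"; the client keeps 2.0 when both sides support it, drops to the peer's 1.x version only when that is the only common version and SSH1 compatibility is allowed, and otherwise aborts. The allow_ssh1 flag is an assumption standing in for the switch's ssh server compatible-ssh1x enable setting, which the SSH management parameters table notes is on by default. SSH1 has known protocol weaknesses, so a practitioner would normally turn that setting off with the undo form of the command, and likewise prefer aes128 and sha1 over the des, 3des and md5 keywords offered by the ssh2 command's prefer-ctos-cipher and prefer-ctos-hmac options.

```python
"""Model of the SSH identification-string exchange (RFC 4253, section 4.2).

Added example; not code from the HP guide. A '1.99' protocol version means
"I speak 2.0 but also accept 1.x peers" (RFC 4253, section 5.1).
"""
import re

# RFC 4253 4.2: "SSH-" protoversion "-" softwareversion [SP comments] CR LF
ID_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<soft>[^ \r\n]+)(?: (?P<comment>.*))?$")


def parse_identification(line):
    """Return (protoversion, softwareversion, comment) or raise ValueError."""
    m = ID_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    return m.group("proto"), m.group("soft"), m.group("comment")


def read_identification(lines):
    """Pick the identification string out of what the server sends first.

    A server may send banner lines before it; a client must ignore any line
    that does not start with "SSH-" (RFC 4253 4.2).
    """
    for line in lines:
        if line.startswith("SSH-"):
            return line
    raise ValueError("no identification string received")


def supported_majors(proto):
    """'1.99' advertises both 1.x and 2.0; anything else is a single major version."""
    if proto == "1.99":
        return {1, 2}
    return {int(proto.split(".")[0])}


def _version_key(v):
    return tuple(int(x) for x in v.split("."))


def negotiate(client_id, server_id, allow_ssh1=False):
    """Return the protocol version the client will use, or None to abort.

    allow_ssh1 stands in for the switch's SSH1 compatibility setting
    (assumption: with it off, a 1.x-only peer is rejected outright).
    """
    c_proto = parse_identification(client_id)[0]
    s_proto = parse_identification(server_id)[0]
    common = supported_majors(c_proto) & supported_majors(s_proto)
    if 2 in common:
        return "2.0"
    if 1 in common and allow_ssh1:
        # "Lower and supportable": use the lower 1.x version of the two sides;
        # a '1.99' side speaks whatever 1.x version the other side names.
        candidates = [v for v in (c_proto, s_proto) if v != "1.99"]
        return min(candidates, key=_version_key)
    return None


if __name__ == "__main__":
    server_lines = ["Unauthorized access prohibited\r\n", "SSH-1.99-Comware-5.20\r\n"]
    print(negotiate("SSH-2.0-PuTTY_Release_0.60", read_identification(server_lines)))
```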

  • Page 220: Configuring The Device As An Ssh Server

    authentication result. The device supports using the publickey algorithms RSA and DSA for digital signature. The following gives the steps of the authentication stage: The client sends the server an authentication request that includes the username, authentication method (password authentication or publickey authentication), and information related to the authentication method (for example, the password in the case of password authentication).

  • Page 221: Generating A Dsa Or Rsa Key Pair

    Task | Remarks
    Generating a DSA or RSA key pair | Required
    Enabling the SSH server function | Required
    Configuring the user interfaces for SSH clients | Required
    Configuring a client public key | Required for publickey authentication users and optional for password authentication users
    Configuring an SSH user | Optional
    Setting the SSH management parameters...

  • Page 222: Configuring The User Interfaces For Ssh Clients

    To do… | Use the command… | Remarks
    Enable the SSH server function | ssh server enable | Required. Disabled by default.
    Configuring the user interfaces for SSH clients
    An SSH client accesses the device through a VTY user interface. You must configure the user interfaces for SSH clients to allow SSH login.

  • Page 223: Configuring An Ssh User

    TFTP.
    CAUTION:
    • HP recommends that you configure a client public key by importing it from a public key file.
    • You can configure up to 20 client public keys on an SSH server.
    Configuring a client public key manually
    Follow these steps to configure the client public key manually:
    To do…...

  • Page 224: Setting The Ssh Management Parameters

    Follow these steps to configure an SSH user and specify the service type and authentication mode:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Create an SSH user | For Stelnet users: ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign...

  • Page 225: Configuring The Device As An Ssh Client

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enable the SSH server to support SSH1 clients | ssh server compatible-ssh1x enable | Optional. By default, the SSH server supports SSH1 clients.
    Set the RSA server key pair update interval | ssh server rekey-interval hours | Optional. By default, the interval is 0, and the RSA server key pair is not...

  • Page 226: Configuring Whether First-time Authentication Is Supported

    To do… | Use the command… | Remarks
    Specify a source IPv6 address or interface for the SSH client | ssh client ipv6 source { ipv6 ipv6-address | interface interface-type interface-number } | By default, the client uses the IP address of the interface specified by the route of the device to access the SSH server.

  • Page 227: Establishing A Connection Between The Ssh Client And Server

    Establishing a connection between the SSH client and server
    Follow these steps to establish the connection between the SSH client and the server:
    To do... | Use the command… | Remarks
    Establish a connection between the... | ssh2 server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { ...

  • Page 228: Ssh Server Configuration Examples

    NOTE:
    For more information about the display public-key local and display public-key peer commands, see the Security Command Reference.
    SSH server configuration examples
    When switch acts as server for password authentication
    Network requirements
    As shown in Figure 58, an SSH connection is required between the host and the switch for secure data exchange.

  • Page 229

    # Enable the SSH server.
    [Switch] ssh server enable
    # Configure an IP address for VLAN-interface 1. This address will serve as the destination of the SSH connection.
    [Switch] interface vlan-interface 1
    [Switch-Vlan-interface1] ip address 192.168.1.40 255.255.255.0
    [Switch-Vlan-interface1] quit
    # Set the authentication mode for the user interfaces to AAA.
    [Switch] user-interface vty 0 4
    [Switch-ui-vty0-4] authentication-mode scheme
    # Enable the user interfaces to support SSH.

  • Page 230: When Switch Acts As Server For Publickey Authentication

    Figure 59 SSH client configuration interface Click Open to connect to the server. If the connection is normal, you will be prompted to enter the username and password. After entering the username client001 and password aabbcc, you can enter the configuration interface of the server.

  • Page 231

    Configure the SSH client
    # Generate the RSA key pairs.
    Run PuTTYGen.exe, select SSH-2 RSA and click Generate.
    Figure 61 Generate a key pair on the client (1)
    While the key pair is being generated, you must move the mouse continuously and keep the mouse off the green progress bar shown in Figure 62.

  • Page 232

    Figure 62 Generate a key pair on the client (2)
    After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key.
    Figure 63 Generate a key pair on the client (3)

  • Page 233

    Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save the private key without any protection. Click Yes and enter the name of the file for saving the key (private in this case). A private key saved this way is readable by anyone who can read the file; setting a key passphrase in PuTTYgen before saving protects it at rest and changes nothing on the switch side.
    Figure 64 Save a key pair on the client (4)
    Then, transmit the public key file to the server through FTP or TFTP.

  • Page 234

    [Switch-ui-vty0-4] authentication-mode scheme
    # Enable the user interfaces to support SSH.
    [Switch-ui-vty0-4] protocol inbound ssh
    # Set the user command privilege level to 3.
    [Switch-ui-vty0-4] user privilege level 3
    [Switch-ui-vty0-4] quit
    # Import the client's public key from file key.pub and name it Switch001.
    [Switch] public-key peer Switch001 import sshkey key.pub
    # Specify the authentication method for user client002 as publickey, and assign the public key Switch001 to the user.

  • Page 235: Ssh Client Configuration Examples

    Figure 66 SSH client configuration interface (2)
    Click Open to connect to the server. If the connection is normal, you will be prompted to enter the username. After entering the username client002, you can enter the configuration interface of the server.
    SSH client configuration examples
    When switch acts as client for password authentication
    Network requirements...

  • Page 236

    [SwitchB] public-key local create rsa
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is greater than 512,
    It will take a few minutes.
    Press CTRL+C to abort.
    Input the bits of the modulus[default = 1024]:
    Generating Keys...

  • Page 237

    <SwitchA> system-view
    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
    [SwitchA-Vlan-interface1] quit
    [SwitchA] quit
    • If the client supports first-time authentication, the client directly establishes a connection with the server.
    # Establish an SSH connection to server 10.165.87.136.
    <SwitchA> ssh2 10.165.87.136
    Username: client001
    Trying 10.165.87.136 ...

  • Page 238: When Switch Acts As Client For Publickey Authentication

    8716261214A5A3B493E866991113B2D
    [SwitchA-pkey-key-code]485348
    [SwitchA-pkey-key-code] public-key-code end
    [SwitchA-pkey-public-key] peer-public-key end
    # Specify the host public key for the SSH server (10.165.87.136) as key1.
    [SwitchA] ssh client authentication server 10.165.87.136 assign publickey key1
    [SwitchA] quit
    # Establish an SSH connection to server 10.165.87.136.
    <SwitchA> ssh2 10.165.87.136
    Username: client001
    Trying 10.165.87.136
    Press CTRL+K to abort...
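    Two steps of the examples above share one piece of machinery, so the following added example (not code from the guide or the switch) covers both. First, the key.pub file that PuTTYgen's Save public key writes and public-key peer ... import sshkey reads is RFC 4716 text wrapping a base64 ssh-rsa blob; since the file travels over FTP or TFTP, compute its fingerprint before transfer and compare it with what display public-key peer shows after import. Second, on the client side the ssh client authentication server ... assign publickey command pins a server's host key, whereas first-time authentication trusts whatever key the server presents on first contact, which is exactly the moment an on-path attacker can substitute its own; the policy function below models both settings. CONSTRUCTED_N is an arbitrary 2048-bit integer, not a real RSA modulus; 2048 is also the largest size public-key local create rsa accepts on this platform and the one to choose, since 512-bit RSA keys are factorable with modest effort.

```python
"""SSH public keys on the wire and in RFC 4716 files, plus host-key trust.

Added example; not the switch's code. The key material is CONSTRUCTED
(an arbitrary odd 2048-bit integer) and must not be used as a key.
"""
import base64
import hashlib
import hmac
import struct

CONSTRUCTED_E = 65537
CONSTRUCTED_N = (1 << 2047) | (0xC0FFEE << 100) | 0x10001   # constructed, not a real modulus


def ssh_string(b):
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n):
    # (bit_length + 8) // 8 bytes: a leading zero byte keeps the sign bit clear.
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def encode_rsa_blob(e, n):
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def decode_blob(blob):
    """Split a wire-format public key blob into (keytype, [field bytes, ...])."""
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack_from(">I", blob, off)
        off += 4
        if off + length > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[off:off + length])
        off += length
    if not fields:
        raise ValueError("empty key blob")
    return fields[0].decode("ascii"), fields[1:]


def rsa_params(blob):
    """Return (e, n) of an ssh-rsa blob; refuse other key types."""
    keytype, fields = decode_blob(blob)
    if keytype != "ssh-rsa" or len(fields) != 2:
        raise ValueError("not an ssh-rsa key: " + keytype)
    e, n = (int.from_bytes(f, "big") for f in fields)
    return e, n


def write_rfc4716(blob, comment):
    b64 = base64.b64encode(blob).decode("ascii")
    lines = ["---- BEGIN SSH2 PUBLIC KEY ----", 'Comment: "%s"' % comment]
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(lines) + "\n"


def parse_rfc4716(text):
    """Return (blob, headers). Header continuation lines (trailing backslash)
    are not handled; PuTTYgen writes a single Comment header."""
    lines = [ln.rstrip("\r") for ln in text.strip().split("\n")]
    if lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----" or lines[-1] != "---- END SSH2 PUBLIC KEY ----":
        raise ValueError("not an RFC 4716 public key file")
    headers, body = {}, []
    for line in lines[1:-1]:
        if ":" in line and not body:          # base64 never contains ':'
            key, value = line.split(":", 1)
            headers[key.strip()] = value.strip().strip('"')
        else:
            body.append(line.strip())
    return base64.b64decode("".join(body)), headers


def fingerprint_md5(blob):
    """Colon-hex MD5 fingerprint, the form older ssh tools and PuTTYgen print."""
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob):
    """OpenSSH-style SHA256 fingerprint."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")


def host_key_decision(server, presented_blob, pinned, first_time_auth):
    """Client policy for a server host key.

    pinned: {server: blob} assigned with 'ssh client authentication server
    <ip> assign publickey <name>'. A pinned server must present exactly that
    key. An unpinned server is accepted (and its key saved) only if first-time
    authentication is on; once every server's key is pinned, turn it off.
    """
    if server in pinned:
        return "accept" if hmac.compare_digest(pinned[server], presented_blob) else "reject"
    return "accept-and-pin" if first_time_auth else "reject"


if __name__ == "__main__":
    blob = encode_rsa_blob(CONSTRUCTED_E, CONSTRUCTED_N)
    parsed, headers = parse_rfc4716(write_rfc4716(blob, "rsa-key-20110530"))
    e, n = rsa_params(parsed)
    print(headers["Comment"], n.bit_length(), "bits", fingerprint_md5(parsed))
    print(host_key_decision("10.165.87.136", parsed, {"10.165.87.136": blob}, False))
```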

  • Page 239

    Press CTRL+C to abort.
    Input the bits of the modulus[default = 1024]:
    Generating Keys...
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    +++++++++++++++++++++++++++++++++++
    # Export the DSA public key to file key.pub.
    [SwitchA] public-key local export dsa ssh2 key.pub
    [SwitchA] quit
    Then, transmit the public key file to the server through FTP or TFTP.
    Configure the SSH server
    # Generate the RSA key pairs.

  • Page 240

    # Set the user command privilege level to 3.
    [SwitchB-ui-vty0-4] user privilege level 3
    [SwitchB-ui-vty0-4] quit
    # Import the peer public key from the file key.pub.
    [SwitchB] public-key peer Switch001 import sshkey key.pub
    # Specify the authentication method for user client002 as publickey, and assign the public key Switch001 to the user.

  • Page 241: Sftp Configuration

    SFTP configuration
    SFTP overview
    The Secure File Transfer Protocol (SFTP) is a new feature in SSH2.0. SFTP uses the SSH connection to provide secure data transfer. The device can serve as the SFTP server, allowing a remote user to log in to the SFTP server for secure file management and transfer. The device can also serve as an SFTP client, enabling a user to log in from the device to a remote device for secure file transfer.

  • Page 242: Configuring The Device As An Sftp Client

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Configure the SFTP connection idle timeout period | sftp server idle-timeout time-out-value | Optional. 10 minutes by default.
    Configuring the device as an SFTP client
    Specifying a source IP address or interface for the SFTP client
    You can configure a client to use only a specified source IP address or interface to access the SFTP server, enhancing the service manageability.

  • Page 243: Working With Sftp Directories

    To do… | Use the command… | Remarks
    Establish a connection to the remote IPv6 SFTP server... | sftp ipv6 server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-...

  • Page 244: Displaying Help Information

    • Displaying a list of the files
    • Deleting a file
    Follow these steps to work with SFTP files:
    To do… | Use the command… | Remarks
    Enter SFTP client view | Execute the command in user... | Required. For more information, see "Establishing a connection to the SFTP server."...

  • Page 245: Sftp Client Configuration Example

    To do… | Use the command… | Remarks
    ...user view | quit | These three commands function in the same way.
    SFTP client configuration example
    Network requirements
    As shown in Figure 69, an SSH connection is established between Switch A and Switch B. Switch A, an SFTP client, logs in to Switch B for file management and file transfer.

  • Page 246

    Then, transmit the public key file to the server through FTP or TFTP.
    Configure the SFTP server
    # Generate the RSA key pairs.
    <SwitchB> system-view
    [SwitchB] public-key local create rsa
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is greater than 512,
    It will take a few minutes.

  • Page 247

    # For user client001, set the service type as SFTP, authentication method as publickey, public key as Switch001, and working folder as flash:/.
    [SwitchB] ssh user client001 service-type sftp authentication-type publickey assign publickey Switch001 work-directory flash:/
    Establish a connection between the SFTP client and the SFTP server
    # Establish a connection to the remote SFTP server and enter SFTP client view.

  • Page 248: Sftp Server Configuration Example

    drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:30 new1
    # Rename directory new1 to new2 and check if the directory has been renamed successfully.
    sftp-client> rename new1 new2
    File successfully renamed
    sftp-client> dir
    -rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
    -rwxrwxrwx   1 noone    nogroup...

  • Page 249

    Figure 70 Network diagram for SFTP server configuration (Host as SFTP client, 192.168.1.56/24; Switch as SFTP server, Vlan-int1 192.168.1.45/24)
    Configuration procedure
    Configure the SFTP server
    # Generate the RSA key pairs.
    <Switch> system-view
    [Switch] public-key local create rsa
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is greater than 512,
    It will take a few minutes.

  • Page 250

    [Switch-ui-vty0-4] protocol inbound ssh
    [Switch-ui-vty0-4] quit
    # Configure a local user named client002 with the password being aabbcc and the service type being SSH.
    [Switch] local-user client002
    [Switch-luser-client002] password simple aabbcc
    [Switch-luser-client002] service-type ssh
    [Switch-luser-client002] quit
    Note that password simple stores the password in plaintext in the configuration file; password cipher stores it in encrypted form.
    # Configure the user authentication method as password and service type as SFTP.
    [Switch] ssh user client002 service-type sftp authentication-type password
    Establish a connection between the SFTP client and the SFTP server
    NOTE:...

  • Page 251: Ssl Configuration

    SSL configuration SSL overview Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols, such as HTTP. It is widely used in E-business and online banking to ensure secure data transmission over the Internet. SSL security mechanism Secure connections provided by SSL have these features: Confidentiality—SSL uses a symmetric encryption algorithm to encrypt data and uses the asymmetric...

  • Page 252: Ssl Protocol Stack

    SSL protocol stack The SSL protocol consists of two layers of protocols: the SSL record protocol at the lower layer and the SSL handshake protocol, change cipher spec protocol, and alert protocol at the upper layer. Figure 73 SSL protocol stack Application layer protocol (e.g.

  • Page 253

    Configuration procedure
    Follow these steps to configure an SSL server policy:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Create an SSL server policy and enter its view | ssl server-policy policy-name | Required
    Specify a PKI domain for the SSL server policy | pki-domain domain-name | Required. By default, no PKI domain is...

  • Page 254

    • Configure Device to work as the HTTPS server and request a certificate for Device.
    • Request a certificate for Host so that Device can authenticate the identity of Host.
    • Configure a CA server to issue certificates to Device and Host.
    • ...

  • Page 255: Configuring An Ssl Client Policy

    # Create an SSL server policy named myssl.
    [Device] ssl server-policy myssl
    # Specify the PKI domain for the SSL server policy as 1.
    [Device-ssl-server-policy-myssl] pki-domain 1
    # Enable client authentication.
    [Device-ssl-server-policy-myssl] client-verify enable
    [Device-ssl-server-policy-myssl] quit
    # Configure HTTPS service to use SSL server policy myssl.
    [Device] ip https ssl-server-policy myssl
    # Enable HTTPS service.

  • Page 256: Displaying And Maintaining Ssl

    To do… | Use the command… | Remarks
    Create an SSL client policy and enter its view | ssl client-policy policy-name | Required
    Specify a PKI domain for the SSL client policy | pki-domain domain-name | Optional. No PKI domain is configured by default.
    ... | prefer-cipher { rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | ... | Optional...

  • Page 257

    • The server and the client have no matching cipher suite.
    Solution
    Issue the debugging ssl command and view the debugging information to locate the problem:
    • If the SSL client is configured to authenticate the SSL server but the SSL server has no certificate, ...

  • Page 258: Tcp Attack Protection Configuration

    TCP attack protection configuration
    TCP attack protection overview
    An attacker can attack the switch during the process of establishing a TCP connection. To prevent such an attack, the switch provides the SYN Cookie feature.
    Enabling the SYN cookie feature
    As a general rule, establishing a TCP connection involves the following three-way handshake. The request originator sends a SYN message to the target server.
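    The attack the overview alludes to is a SYN flood: a server that allocates a half-open connection for every SYN runs out of that state long before it runs out of bandwidth. The following added example, which is not the switch's implementation (the guide does not describe its internals), shows the SYN cookie idea in Python: the server encodes a time counter, an MSS index and a keyed hash of the connection into the SYN-ACK's sequence number instead of storing anything, and creates state only when the final ACK carries a cookie it could itself have produced recently. Addresses, ports and SECRET are constructed for the example.

```python
"""SYN cookies: answer a SYN without keeping half-open state.

Added example, not the switch's code. Cookie layout (classic scheme):
top 5 bits = counter mod 32, next 3 bits = MSS index, low 24 bits = keyed
hash over the 4-tuple, the client's ISN and the counter.
"""
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"example-secret-regenerate-at-boot"   # constructed; real servers randomize it
MSS_TABLE = (536, 1300, 1440, 1460)            # index stored in the 3 MSS bits
COUNTER_BITS, MSS_BITS, HASH_BITS = 5, 3, 24
HASH_MASK = (1 << HASH_BITS) - 1
MAX_AGE = 4   # counter ticks a cookie stays valid


def _hash(flow, client_isn, counter):
    saddr, daddr, sport, dport = flow
    msg = struct.pack("!4s4sHHII", ipaddress.IPv4Address(saddr).packed,
                      ipaddress.IPv4Address(daddr).packed, sport, dport,
                      client_isn, counter)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def mss_index(mss):
    """Largest table entry not exceeding the client's MSS (floor to the first entry)."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if mss >= value:
            idx = i
    return idx


def make_cookie(flow, client_isn, mss, counter):
    return ((counter % (1 << COUNTER_BITS)) << (MSS_BITS + HASH_BITS)) \
        | (mss_index(mss) << HASH_BITS) | _hash(flow, client_isn, counter)


def check_cookie(flow, client_isn, cookie, now_counter):
    """Return the encoded MSS if the cookie is genuine and fresh, else None."""
    low_counter = cookie >> (MSS_BITS + HASH_BITS)
    idx = (cookie >> HASH_BITS) & ((1 << MSS_BITS) - 1)
    if idx >= len(MSS_TABLE):
        return None
    got = (cookie & HASH_MASK).to_bytes(3, "big")
    for age in range(MAX_AGE + 1):          # accept cookies from the last few ticks
        counter = now_counter - age
        if counter < 0:
            break
        if counter % (1 << COUNTER_BITS) != low_counter:
            continue
        want = _hash(flow, client_isn, counter).to_bytes(3, "big")
        if hmac.compare_digest(want, got):
            return MSS_TABLE[idx]
    return None


def server_on_syn(flow, client_isn, mss, counter):
    """SYN received: return (seq, ack) for the SYN-ACK; nothing is stored."""
    return make_cookie(flow, client_isn, mss, counter), (client_isn + 1) & 0xFFFFFFFF


def server_on_ack(flow, seq, ack, counter):
    """Final ACK received (seq = client_isn + 1, ack = cookie + 1).

    Returns the MSS for the new connection, or None to drop a forged/stale ACK.
    """
    client_isn = (seq - 1) & 0xFFFFFFFF
    cookie = (ack - 1) & 0xFFFFFFFF
    return check_cookie(flow, client_isn, cookie, counter)


if __name__ == "__main__":
    flow = ("192.168.1.56", "192.168.1.45", 40000, 22)
    seq, ack = server_on_syn(flow, 1000, 1460, counter=10)
    print("SYN-ACK seq=%d ack=%d" % (seq, ack))
    print("connection MSS:", server_on_ack(flow, 1001, seq + 1, counter=12))
```

    The price of the scheme is visible in the code: only the options that fit in the cookie (here, a coarse MSS) survive, and an ACK arriving after MAX_AGE ticks is treated as forged, which is why a switch normally enables the feature as a defence rather than as its default TCP behaviour.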

  • Page 259: Ip Source Guard Configuration

    IP source guard configuration IP source guard overview Introduction to IP source guard IP source guard is intended to work on a port connecting users. It filters received packets to block illegal access to network resources, improving network security. For example, it can prevent illegal hosts from using a legal IP address to access the network.

  • Page 260

    • A static IPv4 source guard binding entry filters IPv4 packets received by the port or checks the validity of users by cooperating with the ARP detection feature.
    • A static IPv6 source guard binding entry filters IPv6 packets received by the port or checks the...

  • Page 261: Configuring Ipv4 Source Guard Binding

    Figure 76 Network diagram for excluded port application in IP source guard global static binding (Device A: Vlan-int10 192.168.0.1/24, Vlan-int20 192.168.1.1/24; a sender with source MAC 0001-0202-0202 using source IP 192.168.0.2; global static binding entries on Device B: 0001-0203-0406 / 192.168.0.2 and 0001-0203-0407 / 192.168.1.2; port GE1/0/1; Device B)...

  • Page 262: Configuring A Static Ipv4 Source Guard Binding Entry

    Configuring a static IPv4 source guard binding entry
    Follow these steps to configure a global static IPv4 source guard entry:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Configure a global static IPv4 source guard binding entry | user-bind ip-address ip-address mac-address mac-address... | Required. No global static binding...

  • Page 263: Configuring Ipv6 Source Guard Binding

    • On a VLAN interface, IP source guard cooperates with DHCP relay, dynamically obtains the DHCP relay entries generated during dynamic IP address allocation across network segments, and generates IP source guard entries accordingly.
    Dynamic IPv4 source guard entries can contain such information as the MAC address, IP address, VLAN tag, ingress port information, and entry type (DHCP snooping or DHCP relay), where the MAC address, IP address, or VLAN tag information may not be included depending on your configuration.

  • Page 264: Configuring The Dynamic Ipv6 Source Guard Binding Function

    To do… | Use the command… | Remarks
    Specify the uplink port as an excluded port of the global static binding entry | user-bind uplink | Optional. By default, a port is not an excluded port. When you configure global static binding entries on a switch, specify the uplink port of the switch as an excluded...

  • Page 265: Displaying And Maintaining Ip Source Guard

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter interface view | interface interface-type interface-number | —
    Configure dynamic IPv6 source guard binding function | ip check source ipv6 { ip-address | ip-address mac-address | mac-address } | Required. Not configured by default.
    NOTE:
    • ...

  • Page 266: Ip Source Guard Configuration Examples

    IP source guard configuration examples Static IPv4 source guard binding entry configuration example Network requirements As shown in Figure 77, Host A and Host B are connected to ports GigabitEthernet 1/0/2 and GigabitEthernet 1/0/1 of Device B respectively, Host C is connected to port GigabitEthernet 1/0/2 of Device A, and Device B is connected to port GigabitEthernet 1/0/1 of Device A.

  • Page 267: Global Static Binding Excluded Port Configuration Example

    # Configure port GigabitEthernet 1/0/2 of Device B to allow only IP packets with the source MAC address of 0001-0203-0406 and the source IP address of 192.168.0.1 to pass.
    <DeviceB> system-view
    [DeviceB] interface gigabitethernet 1/0/2
    [DeviceB-GigabitEthernet1/0/2] user-bind ip-address 192.168.0.1 mac-address 0001-0203-0406
    [DeviceB-GigabitEthernet1/0/2] quit
    # Configure port GigabitEthernet 1/0/1 of Device B to allow only IP packets with the source MAC...

  • Page 268

    Figure 78 Network diagram for configuring global static binding excluded port (Device A: Vlan-int10 192.168.0.1/24, Vlan-int20 192.168.1.1/24; Device B: GE1/0/1, GE1/0/2, GE1/0/3, VLAN 10 and VLAN 20; Host A: IP 192.168.0.2/24, MAC 0001-0203-0406, gateway 192.168.0.1; Host B: IP 192.168.1.2/24, MAC 0001-0203-0407, gateway 192.168.1.1)...

  • Page 269: Dynamic Ipv4 Source Guard Binding By Dhcp Snooping Configuration Example

    [DeviceB] display user-bind
    Total entries found: 2
    MAC Address      IP Address       VLAN  Interface  Type
    0001-0203-0406   192.168.0.2                       Static
    0001-0203-0407   192.168.1.2                       Static
    Host A and Host B can ping each other.
    Dynamic IPv4 source guard binding by DHCP snooping configuration example
    Network requirements
    As shown in Figure 79, the device connects to the host (client) and the DHCP server through ports...

  • Page 270: Dynamic Ipv4 Source Guard Binding By Dhcp Relay Configuration Example

    [Device-GigabitEthernet1/0/1] quit
    Verification
    # Display the dynamic IPv4 source guard binding entries generated on port GigabitEthernet 1/0/1.
    [Device] display ip check source
    Total entries found: 1
    MAC Address      IP Address       VLAN  Interface  Type
    0001-0203-0406   192.168.0.1            GE1/0/1    DHCP-SNP
    # Display DHCP snooping entries to see whether they are consistent with the dynamic entries generated on GigabitEthernet 1/0/1.
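    The static and dynamic examples above exercise one filtering rule, so the following added example (not the switch's implementation) models it once in Python: static entries bound to a port, global static entries that apply on every port except those marked as excluded uplink ports, dynamic entries learned from DHCP snooping on ports configured with ip check source, and a per-packet decision that permits a frame only when its ingress port, source MAC and source IP match an entry that applies there. Ports, hosts and packets are constructed for the example, borrowing the chapter's host addresses; learn_from_dhcp_ack() stands in for the switch watching DHCP ACKs.

```python
"""IP source guard binding table and per-port filter.

Added example; not the switch's code. It shows why the uplink must be an
excluded port: without that, the gateway's own traffic arriving from the
uplink would be dropped for not matching any host binding.
"""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass(frozen=True)
class Binding:
    ip: Optional[str]
    mac: Optional[str]
    port: Optional[str] = None     # None: global static entry
    kind: str = "Static"           # "Static" or "DHCP-SNP"


@dataclass
class SourceGuard:
    entries: Set[Binding] = field(default_factory=set)
    excluded_ports: Set[str] = field(default_factory=set)
    checking_ports: Set[str] = field(default_factory=set)   # ports with a per-port check

    # --- configuration commands -------------------------------------------
    def user_bind(self, ip, mac, port=None):
        """user-bind ip-address <ip> mac-address <mac>; port=None means system view (global)."""
        self.entries.add(Binding(ip, mac, port))
        if port:
            self.checking_ports.add(port)

    def user_bind_uplink(self, port):
        """user-bind uplink: global entries are not enforced on this port."""
        self.excluded_ports.add(port)

    def ip_check_source(self, port):
        """ip check source ip-address mac-address on an access port (dynamic binding)."""
        self.checking_ports.add(port)

    # --- what the switch learns by itself ----------------------------------
    def learn_from_dhcp_ack(self, port, mac, ip):
        """Stand-in for DHCP snooping creating an entry when it sees a DHCP ACK."""
        if port in self.checking_ports:
            self.entries.add(Binding(ip, mac, port, "DHCP-SNP"))

    # --- forwarding decision -----------------------------------------------
    def _applies(self, b, port):
        if b.port is None:
            return port not in self.excluded_ports
        return b.port == port

    def _filtering(self, port):
        has_global = any(b.port is None for b in self.entries)
        return port in self.checking_ports or (has_global and port not in self.excluded_ports)

    def permit(self, port, src_mac, src_ip):
        """True if a packet with this source MAC/IP may enter on this port."""
        if not self._filtering(port):
            return True
        return any(self._applies(b, port)
                   and (b.ip is None or b.ip == src_ip)
                   and (b.mac is None or b.mac == src_mac)
                   for b in self.entries)

    def display_user_bind(self):
        """Rows in the shape of the 'display user-bind' output: (MAC, IP, interface, type)."""
        return sorted((b.mac or "", b.ip or "", b.port or "", b.kind) for b in self.entries)


if __name__ == "__main__":
    g = SourceGuard()
    g.user_bind("192.168.0.2", "0001-0203-0406")            # global static entry (Host A)
    g.user_bind("192.168.1.2", "0001-0203-0407")            # global static entry (Host B)
    g.user_bind_uplink("GigabitEthernet1/0/3")             # uplink to Device A is excluded
    g.ip_check_source("GigabitEthernet1/0/4")              # dynamic binding on a DHCP port
    g.learn_from_dhcp_ack("GigabitEthernet1/0/4", "0001-0203-0409", "192.168.0.9")
    for row in g.display_user_bind():
        print(row)
    # A host on GE1/0/1 spoofing Host A's IP with its own MAC is dropped:
    print(g.permit("GigabitEthernet1/0/1", "0001-0202-0202", "192.168.0.2"))
```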

  • Page 271: Static Ipv6 Source Guard Binding Entry Configuration Example

    [Switch-Vlan100] quit
    [Switch] interface vlan-interface 100
    [Switch-Vlan-interface100] ip check source ip-address mac-address
    [Switch-Vlan-interface100] quit
    Configure DHCP relay
    # Enable DHCP relay.
    [Switch] dhcp enable
    # Configure the IP address of the DHCP server.
    [Switch] dhcp relay server-group 1 ip 10.1.1.1
    # Configure VLAN-interface 100 to work in DHCP relay mode.

  • Page 272: Dynamic Ipv6 Source Guard Binding By Dhcpv6 Snooping Configuration Example

    Verification
    # On the device, display the information about static IPv6 source guard binding entries. The output shows that the binding entry is configured successfully.
    [Device] display user-bind ipv6
    Total entries found: 1
    MAC Address      IP Address   VLAN  Interface  Type
    0001-0202-0202   2001::1            GE1/0/1...

  • Page 273: Dynamic Ipv6 Source Guard Binding By Nd Snooping Configuration Example

    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] ip check source ipv6 ip-address mac-address
    [Device-GigabitEthernet1/0/1] quit
    Verification
    # Display the dynamic IPv6 source guard binding entries generated on port GigabitEthernet 1/0/1.
    [Device] display ip check source ipv6
    Total entries found: 1
    MAC Address      IP Address   VLAN  Interface...

  • Page 274: Troubleshooting Ip Source Guard

    # Configure dynamic IPv6 source guard binding of packet source IP address and MAC address on GigabitEthernet 1/0/1 to filter packets based on the dynamically generated ND snooping entries.
    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] ip check source ipv6 ip-address mac-address
    [Device-GigabitEthernet1/0/1] quit
    Verification
    # Display the dynamic IPv6 source guard binding entries generated on port GigabitEthernet 1/0/1.

  • Page 275: Arp Attack Protection Configuration

    ARP attack protection configuration
    ARP attack protection overview
    Although ARP is easy to implement, it provides no security mechanism and is prone to network attacks. An attacker may send the following:
    • ARP packets by acting as a trusted user or gateway so that the receiving devices obtain incorrect ARP entries.

  • Page 276: Configuring Arp Defense Against Ip Packet Attacks

    Task | Remarks
    Configuring ARP detection | Optional. Configure this function on access devices (recommended).
    Configuring ARP automatic scanning and fixed ARP | Optional. Configure this function on gateways (recommended).
    Configuring ARP gateway protection | Optional. Configure this function on access devices (recommended).
    Configuring ARP filtering | Optional. Configure this function on access devices (recommended).

  • Page 277: Enabling Arp Black Hole Routing

    To do… | Use the command… | Remarks
    Set the maximum number of packets with the same source IP address but unresolvable destination IP addresses that the switch can receive in five consecutive seconds | arp source-suppression limit limit-value | Optional. 10 by default.
    Enabling ARP black hole routing
    Follow these steps to configure ARP black hole routing:
    To do…...

  • Page 278: Configuring Source Mac Address Based Arp Attack Detection

    configuration of the information center, see the Network Management and Monitoring Configuration Guide.
    Follow these steps to configure ARP packet rate limit:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enable ARP packet rate limit trap | snmp-agent trap enable arp rate-limit | Optional. Enabled by default.

  • Page 279: Displaying And Maintaining Source Mac Address Based Arp Attack Detection

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enable source MAC address based ARP attack detection and specify the detection mode | arp anti-attack source-mac { filter | monitor } | Required. Disabled by default.
    Configure the threshold | arp anti-attack source-mac threshold threshold-value | Optional. 50 by default.
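    The detection the table configures is a rate test: ARP packets are counted per source MAC over 5 consecutive seconds, and a MAC that exceeds the threshold (50 by default) is treated as an attacker, with filter mode dropping its ARP packets and monitor mode only raising an alarm. The following added example (not the switch's code) runs that logic over a constructed packet stream so the difference between the two modes is visible. The aging time after which a flagged MAC is released and the list of MACs exempt from the check are assumptions about the feature's other options, not values taken from this page.

```python
"""Source MAC address based ARP attack detection.

Added example; not the switch's code. Sliding 5-second window per source
MAC; filter mode drops, monitor mode logs; exempt MACs are never flagged.
"""
from collections import defaultdict, deque


class SourceMacArpDetector:
    def __init__(self, mode="monitor", threshold=50, window=5.0, aging=300.0, exclude=()):
        if mode not in ("filter", "monitor"):
            raise ValueError("mode must be 'filter' or 'monitor'")
        self.mode, self.threshold, self.window, self.aging = mode, threshold, window, aging
        self.exclude = set(exclude)        # MACs never flagged (assumption: e.g. the gateway)
        self.recent = defaultdict(deque)   # mac -> timestamps inside the window
        self.flagged = {}                  # mac -> time at which the attack entry ages out
        self.alarms = []                   # (time, mac) alarm log

    def process(self, ts, src_mac):
        """Return 'forward' or 'drop' for an ARP packet from src_mac seen at time ts (seconds)."""
        if src_mac in self.exclude:
            return "forward"
        q = self.recent[src_mac]
        q.append(ts)
        while q and q[0] <= ts - self.window:     # keep only the last 5 seconds
            q.popleft()
        if len(q) > self.threshold:
            if src_mac not in self.flagged:
                self.alarms.append((ts, src_mac))  # one alarm per attack episode
            self.flagged[src_mac] = ts + self.aging   # (re)start the aging timer
        expires = self.flagged.get(src_mac)
        if expires is not None and ts >= expires:
            del self.flagged[src_mac]              # aged out: back to normal handling
            expires = None
        if expires is not None and self.mode == "filter":
            return "drop"
        return "forward"


def run(detector, packets):
    """Feed (ts, mac) pairs in time order and return the list of decisions."""
    return [detector.process(ts, mac) for ts, mac in packets]


if __name__ == "__main__":
    # Constructed stream: an ARP flood from one MAC (60 packets in 3 s) plus a normal host.
    flood = [(i * 0.05, "000f-e349-1233") for i in range(60)]
    normal = [(i * 1.0, "0001-0203-0406") for i in range(6)]
    d = SourceMacArpDetector(mode="filter")
    decisions = run(d, sorted(flood + normal))
    print(decisions.count("drop"), "dropped; alarms:", d.alarms)
```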

  • Page 280: Configuring Arp Active Acknowledgement

    To do… | Use the command… | Remarks
    Enable ARP packet source MAC address consistency check | arp anti-attack valid-check enable | Required. Disabled by default.
    Configuring ARP active acknowledgement
    Introduction
    The ARP active acknowledgement feature is configured on gateway devices to identify invalid ARP packets.

  • Page 281: Security Entries/oui Mac Addresses

    Enabling ARP detection based on static IP source guard binding Entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses With this feature enabled, the switch compares the sender IP and MAC addresses of an ARP packet received from the VLAN against the static IP source guard binding entries, DHCP snooping entries, 802.1X security entries, or OUI MAC addresses to prevent spoofing.

  • Page 282: Configuring Arp Detection Based On Specified Objects

    To do… | Use the command… | Remarks
    Configure the port as a trusted port on which ARP detection does not apply | arp detection trust | Optional. The port is an untrusted port by default.
    NOTE:
    • When configuring this feature, you need to configure ARP detection based on at least static IP source guard binding entries, DHCP snooping entries, or 802.1X security entries.

  • Page 283: Configuring Arp Restricted Forwarding

    Configuring ARP restricted forwarding
    ARP restricted forwarding controls the forwarding of ARP packets that are received on untrusted ports and have passed ARP detection in the following cases:
    • If the packets are ARP requests, they are forwarded through the trusted ports.
    • ...

  • Page 284

    Figure 84 Network diagram for ARP detection configuration (DHCP server; Switch A with Vlan-int10 10.1.1.1/24; VLAN 10; Switch B running DHCP snooping, ports GE1/0/1, GE1/0/2, GE1/0/3; DHCP clients Host A and Host B)
    Configuration procedure
    Add all the ports on Switch B to VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A.

  • Page 285: Arp Detection Configuration Example Ii

    [SwitchB-GigabitEthernet1/0/3] quit
    # Enable the checking of the MAC addresses and IP addresses of ARP packets.
    [SwitchB] arp detection validate dst-mac ip src-mac
    After the preceding configurations are complete, when ARP packets arrive at interfaces GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3, their MAC and IP addresses are checked, and then the packets are checked against the static IP source guard binding entries and finally DHCP snooping entries.

  • Page 286: Arp Restricted Forwarding Configuration Example

    [SwitchB] interface gigabitethernet 1/0/1
    [SwitchB-GigabitEthernet1/0/1] dot1x
    [SwitchB-GigabitEthernet1/0/1] quit
    [SwitchB] interface gigabitethernet 1/0/2
    [SwitchB-GigabitEthernet1/0/2] dot1x
    [SwitchB-GigabitEthernet1/0/2] quit
    # Add local access user test.
    [SwitchB] local-user test
    [SwitchB-luser-test] service-type lan-access
    [SwitchB-luser-test] password simple test
    [SwitchB-luser-test] quit
    # Enable ARP detection for VLAN 10.
    [SwitchB] vlan 10
    [SwitchB-vlan10] arp detection enable
    # Configure the upstream port as a trusted port and the downstream ports as untrusted ports (a port is an...

  • Page 287

    Figure 86 Network diagram for ARP restricted forwarding configuration (Gateway and DHCP server Switch A: GE1/0/3, Vlan-int10 10.1.1.1/24, VLAN 10; Switch B running DHCP snooping: GE1/0/3, GE1/0/1, GE1/0/2; Host A and Host B; 10.1.1.6, DHCP client, 0001-0203-0607)
    Configuration procedure
    Configure VLAN 10, add ports to VLAN 10, and configure the IP address of the VLAN-interface, as shown in Figure 86.

  • Page 288: Configuring Arp Automatic Scanning And Fixed Arp

    ARP automatic scanning) into static ARP entries. The fixed ARP feature effectively prevents ARP entries from being modified by attackers. NOTE: HP recommends that you use ARP automatic scanning and fixed ARP in a small-scale network such as a cybercafé. Configuration procedure Follow these steps to configure ARP automatic scanning and fixed ARP: To do…...

  • Page 289: Configuring Arp Gateway Protection

    To do… | Use the command… | Remarks
    Enable ARP automatic scanning | arp scan [ start-ip-address to end-ip-address ] | Required
    Return to system view | quit | —
    Enable fixed ARP | arp fixup | Required
    NOTE:
    • IP addresses already existing in ARP entries are not scanned.
    • ...

  • Page 290: Arp Gateway Protection Configuration Example

    NOTE:
    • You can enable ARP gateway protection for up to eight gateways on a port.
    • Commands arp filter source and arp filter binding cannot be both configured on a port.
    • If ARP gateway protection works with ARP detection, ARP gateway protection applies first.
    ARP gateway protection configuration example
    Network requirements
    As shown in...

  • Page 291

    The port checks the sender IP and MAC addresses in a received ARP packet against configured ARP filtering entries. If a match is found, the packet is handled normally. If not, the packet is discarded. Configuration procedure Follow these steps to configure ARP filtering: To do…...

  • Page 292

    <SwitchB> system-view
    [SwitchB] interface GigabitEthernet 1/0/1
    [SwitchB-GigabitEthernet1/0/1] arp filter binding 10.1.1.2 000f-e349-1233
    [SwitchB-GigabitEthernet1/0/1] quit
    [SwitchB] interface GigabitEthernet 1/0/2
    [SwitchB-GigabitEthernet1/0/2] arp filter binding 10.1.1.3 000f-e349-1234
    After the configuration is complete, GigabitEthernet 1/0/1 will permit incoming ARP packets with sender IP and MAC addresses as 10.1.1.2 and 000f-e349-1233, and discard other ARP packets. GigabitEthernet 1/0/2 will permit incoming ARP packets with sender IP and MAC addresses as 10.1.1.3 and 000f-e349-1234, and discard other ARP packets.

  • Page 293: Nd Attack Defense Configuration

    ND attack defense configuration
    Introduction to ND attack defense
    The IPv6 Neighbor Discovery (ND) protocol provides rich functions, such as address resolution, neighbor reachability detection, duplicate address detection, router/prefix discovery, address autoconfiguration, and redirection. However, it does not provide any security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets.

  • Page 294: Enabling Source Mac Consistency Check For Nd Packets

    The mapping between the source IPv6 address and the source MAC address in the Ethernet frame header is invalid.
    To identify forged ND packets, HP developed the source MAC consistency check and ND detection features.
    NOTE: Layer 3—IP Services...

  • Page 295: Configuring Nd Detection

    NOTE:  To create IPv6 static bindings with IP source guard, use the user-bind ipv6 command. For more information, see “ the chapter IP source guard configuration.”  The DHCPv6 snooping table is created automatically by the DHCPv6 snooping module. For more information, Layer 3—IP Services Configuration Guide see the ...

  • Page 296: Nd Detection Configuration Example

    ND detection configuration example
    Network requirements
    As shown in Figure 90, Host A and Host B connect to Switch A, the gateway, through Switch B. Host A has the IPv6 address 10::5 and MAC address 0001-0203-0405. Host B has the IPv6 address 10::6 and MAC address 0001-0203-0607.

  • Page 297

    [SwitchA-Vlan-interface10] quit
    Configuring Switch B
    # Enable IPv6 forwarding.
    <SwitchB> system-view
    [SwitchB] ipv6
    # Create VLAN 10.
    [SwitchB] vlan 10
    [SwitchB-vlan10] quit
    # Assign ports GigabitEthernet 1/0/1 to GigabitEthernet 1/0/3 to VLAN 10.
    [SwitchB] interface GigabitEthernet 1/0/1
    [SwitchB-GigabitEthernet1/0/1] port link-type trunk
    [SwitchB-GigabitEthernet1/0/1] port trunk permit vlan 10
    [SwitchB-GigabitEthernet1/0/1] quit
    [SwitchB] interface GigabitEthernet 1/0/2...

  • Page 298: Support And Other Resources

    Related information
    Documents
    To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals
    For related documentation, navigate to the Networking section, and select a networking category. ...

  • Page 299: Conventions

    Conventions
    This section describes the conventions used in this documentation set.
    Command conventions
    Convention | Description
    Boldface | Bold text represents commands and keywords that you enter literally as shown.
    Italic | Italic text represents arguments that you replace with actual values.
    Square brackets enclose syntax choices (keywords or arguments) that are optional.
    Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...

  • Page 300

    Network topology icons
    - Represents a generic network device, such as a router, switch, or firewall.
    - Represents a routing-capable device, such as a router or Layer 3 switch.
    - Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.

  • Page 301: Index

    Index
    A B C D E F G H I K L M N P R S T U V W
    A comparison of EAP relay and EAP termination,67
    AAA for 802.1X users by a RADIUS server,50
    Configuration prerequisites,161
    Configuration procedure,270
    Configuration procedure,91
    Configuration procedure,148...

  • Page 302

    Configuring ARP restricted forwarding,273
    Configuring ARP source suppression,266
    Configuring HWTACACS schemes,30
    Configuring intrusion protection,147
    Configuring ISP domain attributes,36
    Dynamic IPv4 source guard binding by DHCP relay configuration example,260
    Dynamic IPv4 source guard binding by DHCP snooping configuration example,259
    Dynamic IPv6 source guard binding by DHCPv6 snooping configuration...

  • Page 303

    Importing a peer public key from a public key file,184
    Inconsistent keys on the access device and the portal server,128
    Incorrect server port number on the access device,128
    Introduction,278...
    Portal system using the local portal server,110
    Protocols and standards,11
    RADIUS,2
    RADIUS attributes,11
    RADIUS authentication and authorization for Telnet ...

  • Page 304

    SSL protocol stack,242
    SSL security mechanism,241
    SSL server policy configuration example,243
    Static IPv4 source guard binding entry configuration example,256
    Static IPv6 source guard binding entry configuration example,261
    Submitting a certificate request in auto mode,193
    Submitting a certificate request in manual mode,193
    Support for guest VLAN and Auth-Fail VLAN,143...
