HP MSR Series Configuration Manual
HPE FlexNetwork MSR Router Series
Comware 7 Security Configuration Guide
Part number: 5998-6958
Software version: CMW710-R0403L02
Document version: 6PW200-20160226

Summary of Contents for HP MSR Series

  • Page 2 © Copyright 2016 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table of Contents

    Contents: Configuring AAA (1); Overview (1); RADIUS (2); HWTACACS (7); LDAP (9); AAA implementation on the device (12); AAA for MPLS L3VPNs (14); Protocols and standards (14) ...
  • Page 4: EAP relay (84); EAP termination (86); Configuring 802.1X (88); Access control methods (88); 802.1X VLAN manipulation (88); Authorization VLAN (88); Guest VLAN (90); Auth-Fail VLAN (91) ...
  • Page 5: VLAN assignment (121); ACL assignment (121); Periodic MAC reauthentication (121); Compatibility information (122); Feature and hardware compatibility (122); Command and hardware compatibility (122); Configuration prerequisites (122) ...
  • Page 6: Configuring direct portal authentication (157); Configuring re-DHCP portal authentication (167); Configuring cross-subnet portal authentication (170); Configuring extended direct portal authentication (173); Configuring extended re-DHCP portal authentication (176); Configuring extended cross-subnet portal authentication (180) ...
  • Page 7: FIPS compliance (228); Password control configuration task list (228); Enabling password control (228); Setting global password control parameters (229); Setting user group password control parameters (230); Setting local user password control parameters (231) ...
  • Page 8: IKE negotiation with RSA digital signature from a Windows Server 2003 CA server (271); Certificate-based access control policy configuration example (274); Certificate import and export configuration example (275); Troubleshooting PKI configuration (281) ...
  • Page 9: Configuring an IKE profile (334); Configuring an IKE proposal (336); Configuring an IKE keychain (337); Configuring the global identity information (338); Configuring the IKE keepalive function (339); Configuring the IKE NAT keepalive function (339) ...
  • Page 10: Configuring the device as an Stelnet client (400); Stelnet client configuration task list (400); Generating local DSA or RSA key pairs (400); Specifying the source IP address for SSH packets (400); Establishing a connection to an Stelnet server (401) ...
  • Page 11: Configuring APR (451); Overview (451); PBAR (451); Group-based application recognition (451); Command and hardware compatibility (452); Configuring PBAR (452); Configuring application groups (453); Enabling application statistics on an interface (453) ...
  • Page 12: Creating object policies (474); Creating an IPv4 object policy (474); Creating an IPv6 object policy (475); Configuring object policy rules (475); Configuring an IPv4 object policy rule (475); Configuring an IPv6 object policy rule (476) ...
  • Page 13: Configuring the IPv6SG feature (517); Enabling IPv6SG on an interface (517); Configuring a static IPv6SG binding (517); Displaying and maintaining IPSG (518); IPSG configuration examples (519); Static IPv4SG configuration example (519) ...
  • Page 14: Features (549); IPv6 uRPF operation (550); Network application (552); Command and hardware compatibility (552); Configuring IPv6 uRPF (552); Displaying and maintaining IPv6 uRPF (553); IPv6 uRPF configuration example (553); Configuring crypto engines ...
  • Page 15: Using a DPI application profile in an object policy rule (581); Using a DPI application profile in an IPv4 object policy rule (581); Using a DPI application profile in an IPv6 object policy rule (581) ...
  • Page 16: Configuring AAA

    Configuring AAA
    Overview: Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. This feature specifies the following security functions:
    • Authentication—Identifies users and verifies their validity.
    • Authorization—Grants different users different rights, and controls the users' access to resources and services.
  • Page 17: RADIUS

    RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. The protocol can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access.
  • Page 18 Basic RADIUS packet exchange process. Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server. Figure 3 Basic RADIUS packet exchange process. RADIUS uses the following workflow: The host sends a connection request that includes the user's username and password to the RADIUS client.
  • Page 19 Figure 4 RADIUS packet format. Descriptions of the fields are as follows: • The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main values and their meanings. Table 1 Main values of the Code field (columns: Code, Packet type, Description)...
  • Page 20 Type—Type of the attribute. Length—Length of the attribute in bytes, including the Type, Length, and Value subfields. Value—Value of the attribute. Its format and content depend on the Type subfield. Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868.
  • Page 21 Attribute table (attribute names): NAS-Identifier, EAP-Message, Proxy-State, Message-Authenticator, Login-LAT-Service, Tunnel-Private-Group-id, Login-LAT-Node, Tunnel-Assignment-id, Login-LAT-Group, Tunnel-Preference, Framed-AppleTalk-Link, ARAP-Challenge-Response, Framed-AppleTalk-Network, Acct-Interim-Interval, Framed-AppleTalk-Zone, Acct-Tunnel-Packets-Lost, Acct-Status-Type, NAS-Port-Id, Acct-Delay-Time, Framed-Pool, Acct-Input-Octets, (unassigned), Acct-Output-Octets, Tunnel-Client-Auth-id, Acct-Session-Id, Tunnel-Server-Auth-id.
    Extended RADIUS attributes: The RADIUS protocol features excellent extensibility. The Vendor-Specific attribute (attribute 26) allows a vendor to define extended attributes.
  • Page 22: HWTACACS

    HWTACACS HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical HWTACACS scenario, terminal users need to log in to the NAS.
  • Page 23 Figure 6 Basic HWTACACS packet exchange process for a Telnet user (Host, HWTACACS client, HWTACACS server):
    1) The user tries to log in.
    2) Start-authentication packet.
    3) Authentication response requesting the username.
    4) Request for username.
    5) The user enters the username.
    6) Continue-authentication packet with the username.
    7) Authentication response requesting the password.
    8) Request for password...
  • Page 24: LDAP

    10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password. 11. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication. 12.
  • Page 25 Uses the LDAP server administrator DN to bind with the LDAP server. After the binding is created, the client establishes a connection to the server and obtains the right to search. Constructs search conditions by using the username in the authentication information of a user. The specified root directory of the server is searched and a user DN list is generated.
  • Page 26 The LDAP server processes the request, and sends a response to notify the LDAP client of the bind operation result. If the bind operation fails, the LDAP client uses another obtained user DN as the parameter to send a user DN bind request to the LDAP server. This process continues until a DN is bound successfully or all DNs fail to be bound.
  • Page 27: AAA Implementation on the Device

    The LDAP client sends an authorization search request with the username of the Telnet user to the LDAP server. If the user uses the same LDAP server for authentication and authorization, the client sends the request with the saved user DN of the Telnet user to the LDAP server. After receiving the request, the LDAP server searches for the user information by the base DN, search scope, filtering conditions, and LDAP attributes.
  • Page 28 AAA methods AAA supports configuring different authentication, authorization, and accounting methods for different types of users in an ISP domain. The NAS determines the ISP domain and access type of a user. The NAS also uses the methods configured for the access type in the domain to control the user's access.
  • Page 29: AAA for MPLS L3VPNs

    • Command accounting—When command authorization is disabled, command accounting enables the accounting server to record all valid commands executed on the device. When command authorization is enabled, command accounting enables the accounting server to record all authorized commands. For more information about command accounting, see Fundamentals Configuration Guide.
  • Page 30: RADIUS Attributes

    RADIUS attributes. Commonly used standard RADIUS attributes (Attribute: Description): User-Name: Name of the user to be authenticated. User-Password: User password for PAP authentication, only present in Access-Request packets when PAP authentication is used. CHAP-Password: Digest of the user password for CHAP authentication, only present in Access-Request packets when CHAP authentication is used.
  • Page 31 Attribute: Acct-Status-Type. Description: Type of the Accounting-Request packet. Possible values include: • 1—Start. • 2—Stop. • 3—Interim-Update. • 4—Reset-Charge. • 7—Accounting-On. (Defined in the 3rd Generation Partnership Project.) • 8—Accounting-Off. (Defined in the 3rd Generation Partnership Project.) • 9 to 14—Reserved for tunnel accounting. •...
  • Page 32 Subattribute: Command. Description: Operation for the session, used for session control. Possible values include: • 1—Trigger-Request. • 2—Terminate-Request. • 3—SetPolicy. • 4—Result. • 5—PortalClear. Next subattribute: Identification for retransmitted packets. For retransmitted packets from the same session, this attribute must be the same value. For retransmitted packets from different sessions, this attribute does not have to be the same value.
  • Page 33: Command and Hardware Compatibility

    Subattribute: Description. Output-Interval-Gigaword: Amount of bytes output within an accounting interval, in units of 4G bytes. Backup-NAS-IP: Backup source IP address for sending RADIUS packets. Product_ID: Product name. Command and hardware compatibility: Commands and descriptions for centralized devices apply to the following routers: •...
  • Page 34: Configuring AAA Schemes

    Figure 11 AAA configuration procedure (flowchart; labels: Local AAA; Configure AAA methods for different types of users and/or the default methods for all types of users; Configure local users and related attributes; Authentication method none/local (the default)/scheme; Create an ISP domain and enter ISP domain view; No AAA)...
  • Page 35: Configuring Local Users

    Configuring local users To implement local authentication, authorization, and accounting, create local users and configure user attributes on the device. The local users and attributes are stored in the local user database on the device. A local user is uniquely identified by the combination of a username and a user type. Local users are classified into the following types: •...
  • Page 36 Local user configuration task list. Tasks at a glance: (Required.) Configuring local user attributes; (Optional.) Configuring user group attributes; (Optional.) Displaying and maintaining local users and local user groups. Configuring local user attributes: When you configure local user attributes, follow these guidelines: •...
  • Page 37 Step Command Remarks. Step: configure a password. Command, for a network access user: password { cipher | simple } password. Remarks: Network access user passwords are encrypted with the encryption algorithm and saved in ciphertext. Device management user passwords are encrypted with the hash algorithm and •...
  • Page 38 Step Command Remarks. Step: (Optional.) Configure ... Command: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | ip ipv4-address | ipv6 ipv6-address | ipv6-pool ipv6-pool-name | ipv6-prefix ipv6-prefix prefix-length | ... Remarks: The following default settings apply: FTP, SFTP, and SCP users have the root directory of the NAS set as the working directory.
  • Page 39 Step Command Remarks. Enter system view: system-view. Create a user group and enter user group view: user-group group-name; by default, there is a system-defined user group named system, which is the default user group. Next command: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | ipv6-pool ipv6-pool-name | ipv6-prefix ipv6-prefix prefix-length |...
  • Page 40: Configuring RADIUS Schemes

    Configuring RADIUS schemes A RADIUS scheme specifies the RADIUS servers that the device can work with and defines a set of parameters. The device uses the parameters to exchange information with the RADIUS servers, including the server IP addresses, UDP port numbers, shared keys, and server types. Configuration task list Tasks at a glance (Optional.)
  • Page 41 The device stops detecting the status of the RADIUS server when one of the following operations is performed: • The RADIUS server is removed from the RADIUS scheme. • The test profile configuration is removed for the RADIUS server in RADIUS scheme view. •...
  • Page 42 Step Command Remarks. Step: Specify the primary RADIUS authentication server. Command: primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | ... Remarks: By default, no authentication server is specified. To support server status detection, specify an existing test profile for the RADIUS authentication server.
  • Page 43 Step Command Remarks. Step: (Optional.) Set the maximum number of real-time accounting attempts. Command: retry realtime-accounting retry-times. Remarks: The default setting is 5. Specifying the shared keys for secure RADIUS communication: The RADIUS client and server use the MD5 algorithm and shared keys to generate the Authenticator value for packet authentication and user password encryption.
  • Page 44 Step Command Remarks. Enter system view: system-view. Enter RADIUS scheme view: radius scheme radius-scheme-name. Set the format for usernames sent to the RADIUS servers: user-name-format { keep-original | with-domain | without-domain }; by default, the ISP domain name is included in a username. (Optional.) Set the data flow ...: data-flow-format { data { byte |...
  • Page 45 • The search process continues until the device finds an available secondary server or has checked all secondary servers in active state. If no server is available, the device considers the authentication or accounting attempt a failure. • When the quiet timer of a server expires or you manually set the server to the active state, the status of the server changes back to active.
  • Page 46 receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS. • If it is the IP address of a managed NAS, the server processes the packet. •...
  • Page 47 • Real-time accounting timer (realtime-accounting)—Defines the interval at which the device sends real-time accounting packets to the RADIUS accounting server for online users. When you set RADIUS timers, follow these guidelines: • When you configure the maximum number of RADIUS packet transmission attempts and the RADIUS server response timeout timer, consider the number of secondary servers.
  • Page 48 Step Command Remarks. Step: Enable accounting-on. Command: accounting-on enable [ interval seconds | send send-times ] *. Remarks: By default, the accounting-on feature is disabled. Enabling the extended accounting-on feature: This feature enhances the accounting-on feature. It takes effect on a distributed device whose SPUs are rebooted without the reboot of the whole device.
  • Page 49 Step Command Remarks. Enter system view: system-view. Enter RADIUS scheme view: radius scheme radius-scheme-name. Interpret the RADIUS class attribute as CAR parameters: attribute 25 car; by default, the RADIUS class attribute is not interpreted. Configuring the Login-Service attribute check method for SSH, FTP, and terminal users: The device supports the following check methods for the Login-Service attribute (RADIUS attribute 15) of SSH, FTP, and terminal users: •...
  • Page 50 Specifying a HUAWEI attribute version for interpretation of HUAWEI RADIUS attributes 26-1 and 26-4 Configure the device to interpret HUAWEI RADIUS attributes 26-1 and 26-4 based on the following attribute versions: • Version 1.0—Interprets attribute 26-1 as the input peak rate in bps and attribute 26-4 as the output peak rate in bps.
  • Page 51: Configuring HWTACACS Schemes

    Task: Clear RADIUS statistics. Command: reset radius statistics. Configuring HWTACACS schemes. Configuration task list. Tasks at a glance: (Required.) Creating an HWTACACS scheme; (Required.) Specifying the HWTACACS authentication servers; (Optional.) Specifying the HWTACACS authorization servers; (Optional.) Specifying the HWTACACS accounting servers; (Required.) Specifying the shared keys for secure HWTACACS communication; (Optional.)
  • Page 52 Step Command Remarks. Step: Specify HWTACACS authentication servers. • Specify the primary HWTACACS authentication server: primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *. Remarks: By default, no authentication server is specified. Two HWTACACS authentication servers in a scheme, primary or...
  • Page 53 If redundancy is not required, specify only the primary server. An HWTACACS server can function as the primary accounting server of one scheme and as the secondary accounting server of another scheme at the same time. HWTACACS does not support accounting for FTP, SFTP, and SCP users. To specify HWTACACS accounting servers for an HWTACACS scheme: Step Command...
  • Page 54 Step Command Remarks. Enter system view: system-view. Enter HWTACACS scheme view: hwtacacs scheme hwtacacs-scheme-name. Specify a VPN for the HWTACACS scheme: vpn-instance vpn-instance-name; by default, an HWTACACS scheme belongs to the public network. Setting the username format and traffic statistics units: A username is typically in the userid@isp-name format, where the isp-name argument represents the user's ISP domain name.
  • Page 55 Before sending an HWTACACS packet, the NAS selects a source IP address in the following order: The source IP address specified for the HWTACACS scheme. The source IP address specified in system view for the VPN or public network, depending on where the HWTACACS server resides.
  • Page 56 Changes the server status to blocked. Starts a quiet timer for the server. Tries to communicate with the next secondary server in active state that has the highest priority. • The search process continues until the device finds an available secondary server or has checked all secondary servers in active state.
  • Page 57: Configuring LDAP Schemes

    Configuring LDAP schemes Configuration task list Tasks at a glance Configuring an LDAP server: • (Required.) Creating an LDAP server • (Required.) Configuring the IP address of the LDAP server • (Optional.) Specifying the LDAP version • (Optional.) Setting the LDAP server timeout period •...
  • Page 58 Step Command Remarks. Enter LDAP server view: ldap server server-name. Specify the LDAP version: protocol-version { v2 | v3 }; by default, LDAPv3 is used. A Microsoft LDAP server supports only LDAPv3. Setting the LDAP server timeout period: If the device sends a bind or search request to an LDAP server without receiving the server's response within the server timeout period, the authentication or authorization request times out.
  • Page 59 • Username format. • User object class. If the LDAP server contains many directory levels, a user DN search starting from the root directory can take a long time. To improve efficiency, you can change the start point by specifying the search base DN.
  • Page 60 Step Command Remarks. Configure a mapping entry: map ldap-attribute ldap-attribute-name [ prefix prefix-value delimiter delimiter-value ] aaa-attribute { user-group | user-profile }; by default, a new LDAP attribute map does not have a mapping entry. Repeat this command to configure multiple mapping entries. Creating an LDAP scheme: You can configure a maximum of 16 LDAP schemes.
  • Page 61: Configuring AAA Methods for ISP Domains

    Displaying and maintaining LDAP. Execute the display command in any view. Task: Display the configuration of LDAP schemes. Command: display ldap scheme [ scheme-name ]. Configuring AAA methods for ISP domains: You configure AAA methods for an ISP domain by specifying configured AAA schemes in ISP domain view.
  • Page 62: Configuring ISP Domain Attributes

    • An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command. • You can modify the settings of the system-defined ISP domain system, but you cannot delete the domain.
  • Page 63 Authorization session group profile—The device restricts authenticated users' behaviors based on the settings in the authorization session group profile. For portal users, the authorization session group profile can be configured in a preauthentication domain to restrict user behaviors before users pass authentication. Authorization IPv6 address prefix—The device authorizes the IPv6 address prefix to authenticated IPoE or PPP users in the domain.
  • Page 64: Configuring Authentication Methods for an ISP Domain

    Step Command Remarks. Step: Configure authorization attributes for authenticated... Command: authorization-attribute { acl acl-number | car inbound cir committed-information-rate [ pir peak-information-rate ] outbound cir committed-information-rate [ pir peak-information-rate ] | idle-cut minute [ flow ] | igmp max-access-number number | ip-pool pool-name | ipv6-pool ipv6-pool-name | ipv6-prefix ... Remarks: By default, the authorization ...
  • Page 65 ...the RADIUS server for role authentication. The variable n represents a user role level. For more information about user role authentication, see Fundamentals Configuration Guide. Configuration procedure. To configure authentication methods for an ISP domain: Step Command Remarks. Enter system view: system-view. Enter ISP domain view.
  • Page 66: Configuring Authorization Methods for an ISP Domain

    Step Command Remarks. Step 10: Specify the authentication method for SSL VPN users. Command: authentication sslvpn { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme ... Remarks: By default, the default authentication method is used for SSL VPN users.
  • Page 67: Configuring Accounting Methods for an ISP Domain

    Step Command Remarks. Step: Specify the command authorization method. Command: authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local [ none ] ] | local [ none ] | none }. Remarks: By default, the default authorization method is used for command authorization. The none keyword is not supported in FIPS mode.
  • Page 68 Configuration guidelines When configuring accounting methods, follow these guidelines: • FTP, SFTP, and SCP users do not support accounting. • Local accounting does not provide statistics for charging. It only counts and controls the number of concurrent users who use the same local user account. The threshold is configured by using the access-limit command.
  • Page 69: Enabling the Session-Control Feature

    Step Command Remarks. Step: Specify the accounting method for portal users. Command: accounting portal { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name ... Remarks: By default, the default accounting method is used for portal users. The none keyword is not supported in FIPS mode.
  • Page 70: Configuring the RADIUS DAE Server Feature

    Configuring the RADIUS DAE server feature Dynamic Authorization Extensions (DAE) to RADIUS, defined in RFC 5176, can log off online users or change their authorization information. DAE uses the client/server model. In a RADIUS network, the RADIUS server typically acts as the DAE client and the NAS acts as the DAE server.
  • Page 71: Setting The Maximum Number Of Concurrent Login Users

    Setting the maximum number of concurrent login users Perform this task to set the maximum number of concurrent users who can log on to the device through a specific protocol, regardless of their authentication methods. The authentication methods include no authentication, local authentication, and remote authentication. To set the maximum number of concurrent login users: Step Command...
  • Page 72: Configuring A Nas-Id Profile

    Step Command Remarks
    • Create an ITA policy and enter ITA policy view. Command: ita policy policy-name. Remarks: By default, no ITA policy exists.
    • Specify the accounting method in the ITA policy. Command: accounting-method { none | radius-scheme radius-scheme-name [ none ] }. Remarks: By default, the accounting method is none.
    • Specify a traffic level for ITA accounting. Command: accounting-level level { ipv4 |...
  • Page 73: Displaying And Maintaining Aaa

    • Common—The Acct-Session-Id is a string of 38 characters. The string contains the session-id-prefix, date and time, serial number, LIP address of the access node, device ID, and the process job ID. • Simplified—The Acct-Session-Id is a string of 16 characters. The string contains the session-id-prefix, month, serial number, LIP address of the access node, device ID, and the process job ID.
  • Page 74
    Figure 12 Network diagram
    Configuration procedure
    Configure the RADIUS server on IMC 5.0:
    NOTE: In this example, the RADIUS server runs on IMC PLAT 5.0 (E0101) and IMC UAM 5.0 (E0101).
    # Add the router to the IMC Platform as an access device.
    Log in to IMC, click the Service tab, and select User Access Manager >...
  • Page 75 Figure 13 Adding the router as an access device # Add an account for device management. Click the User tab, and select Access User View > Device Mgmt User from the navigation tree. Then, click Add to configure a device management account as follows: a.
  • Page 76
    Figure 14 Adding an account for device management
    Configure the router:
    # Configure the IP address of interface GigabitEthernet 2/0/1, through which the SSH user accesses the router.
    <Router> system-view
    [Router] interface gigabitethernet 2/0/1
    [Router-GigabitEthernet2/0/1] ip address 192.168.1.70 255.255.255.0
    [Router-GigabitEthernet2/0/1] quit
    # Configure the IP address of interface GigabitEthernet 2/0/2, through which the router communicates with the server.
  • Page 77: Local Authentication And Authorization For Ssh Users

    # Create a RADIUS scheme.
    [Router] radius scheme rad
    # Specify the primary authentication server.
    [Router-radius-rad] primary authentication 10.1.1.1 1812
    # Set the shared key for secure communication with the server to expert in plain text.
    [Router-radius-rad] key authentication simple expert
    # Include domain names in the usernames sent to the RADIUS server.
  • Page 78: Aaa For Ssh Users By An Hwtacacs Server

    # Enable the SSH service.
    [Router] ssh server enable
    # Enable scheme authentication for user lines VTY 0 through VTY 63.
    [Router] line vty 0 63
    [Router-line-vty0-63] authentication-mode scheme
    [Router-line-vty0-63] quit
    # Create a device management user.
    [Router] local-user ssh class manage
    # Assign the SSH service for the local user.
  • Page 79
    Figure 16 Network diagram
    Configuration procedure
    Configure the HWTACACS server:
    # Set the shared keys for secure communication with the router to expert. (Details not shown.)
    # Add an account for the SSH user and specify the password. (Details not shown.)
    Configure the router:
    # Create an HWTACACS scheme.
  • Page 80: Authentication For Ssh Users By An Ldap Server

    [Router] role default-role enable
    # Enable scheme authentication for user lines VTY 0 through VTY 63.
    [Router] line vty 0 63
    [Router-line-vty0-63] authentication-mode scheme
    [Router-line-vty0-63] quit
    # Configure the IP address of interface GigabitEthernet 2/0/1, through which the SSH user accesses the router.
  • Page 81 NOTE: In this example, the LDAP server runs Microsoft Windows 2003 Server Active Directory. # Add a user named aaa and set the password to ldap!123456. a. On the LDAP server, select Start > Control Panel > Administrative Tools. b. Double-click Active Directory Users and Computers. The Active Directory Users and Computers window is displayed.
  • Page 82 Figure 19 Setting the user's password g. Click OK. # Add user aaa to group Users. a. From the navigation tree, click Users under the ldap.com node. b. In the right pane, right-click the user aaa and select Properties. c. In the dialog box, click the Member Of tab and click Add.
  • Page 83 Figure 20 Modifying user properties d. In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK. User aaa is added to group Users. Figure 21 Adding user aaa to group Users # Set the administrator password to admin!123456.
  • Page 84
    # Configure the IP address of interface GigabitEthernet 2/0/1, through which the SSH user accesses the router.
    <Router> system-view
    [Router] interface gigabitethernet 2/0/1
    [Router-GigabitEthernet2/0/1] ip address 192.168.1.20 24
    [Router-GigabitEthernet2/0/1] quit
    # Configure the IP address of interface GigabitEthernet 2/0/2, through which the router communicates with the server.
  • Page 85: Authentication And Authorization For Ssl Vpn Users By An Ldap Server

    Verifying the configuration
    # Initiate an SSH connection to the router, and enter the username aaa@bbb and password ldap!123456. The user logs in to the router. (Details not shown.)
    # Verify that the user can use the commands permitted by the network-operator user role. (Details not shown.)
    Authentication and authorization for SSL VPN users by an LDAP server...
  • Page 86 Figure 23 Adding user aaa f. In the dialog box, enter the password ldap!123456, select options as needed, and click Next. Figure 24 Setting the user's password g. Click OK. # Add user aaa to group Users. a. From the navigation tree, click Users under the ldap.com node. b.
  • Page 87 Figure 25 Modifying user properties d. In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK. User aaa is added to group Users. Figure 26 Adding user aaa to group Users # Set the administrator password to admin!123456.
  • Page 88
    # Configure the IP address of interface GigabitEthernet 2/0/1, which is connected to the SSL VPN user.
    <Router> system-view
    [Router] interface gigabitethernet 2/0/1
    [Router-GigabitEthernet2/0/1] ip address 192.168.1.70 24
    [Router-GigabitEthernet2/0/1] quit
    # Configure the IP address of interface GigabitEthernet 2/0/2, which is connected to the LDAP server.
  • Page 89
    # Specify the administrator password.
    [Router-ldap-server-ldap1] login-password simple admin!123456
    # Configure the base DN for user search.
    [Router-ldap-server-ldap1] search-base-dn dc=ldap,dc=com
    [Router-ldap-server-ldap1] quit
    # Create LDAP attribute map test.
    [Router] ldap attribute-map test
    # Map a partial value string of the LDAP attribute named memberof to AAA attribute named user-group.
  • Page 90: Aaa For Ppp Users By An Hwtacacs Server

    AAA for PPP users by an HWTACACS server Network requirements As shown in Figure • Router A uses the HWTACACS server to perform PAP authentication for users from Router B. • The HWTACACS server is also the authorization server and accounting server of Router B. •...
  • Page 91: Troubleshooting Radius

    [RouterA-isp-bbb] accounting ppp hwtacacs-scheme hwtac
    [RouterA-isp-bbb] quit
    # Enable PPP encapsulation on Serial 2/2/0.
    [RouterA] interface serial 2/2/0
    [RouterA-Serial2/2/0] link-protocol ppp
    # Configure interface Serial 2/2/0 to authenticate the peer by using PAP in authentication domain bbb.
    [RouterA-Serial2/2/0] ppp authentication-mode pap domain bbb
    # Configure the IP address of interface Serial 2/2/0.
  • Page 92: Radius Packet Delivery Failure

    Solution
    To resolve the problem:
    Check the following items:
    • The NAS and the RADIUS server can ping each other.
    • The username is in the userid@isp-name format and the ISP domain is correctly configured on the NAS.
    • The user is configured on the RADIUS server.
    • The correct password is entered.
  • Page 93: Troubleshooting Hwtacacs

    Solution
    To resolve the problem:
    Check the following items:
    • The accounting port number is correctly configured.
    • The accounting server IP address is correctly configured on the NAS.
    If the problem persists, contact Hewlett Packard Enterprise Support.
    Troubleshooting HWTACACS
    Similar to RADIUS troubleshooting. See "Troubleshooting RADIUS."...
  • Page 94: 802.1X Overview

    802.1X overview 802.1X is a port-based network access control protocol initially proposed for securing WLANs. The protocol has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
  • Page 95: 802.1X-Related Protocols

    Figure 29 Authorization state of a controlled port 802.1X-related protocols 802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the access device, and the authentication server. EAP is an authentication framework that uses the client/server model. The framework supports a variety of authentication methods, including MD5-Challenge, EAP-Transport Layer Security (EAP-TLS), and Protected EAP (PEAP).
  • Page 96: Eap Over Radius

    • Data—Content of the EAP packet. This field appears only in a Request or Response EAP packet. The Data field contains the request type (or the response type) and the type data. Type 1 (Identity) and type 4 (MD5-challenge) are two examples for the type field. EAPOL packet format Figure 31 shows the EAPOL packet format.
  • Page 97: 802.1X Authentication Initiation

    Figure 32 EAP-Message attribute format Message-Authenticator As shown in Figure 33, RADIUS includes the Message-Authenticator attribute in all packets that have an EAP-Message attribute to check their integrity. The packet receiver drops the packet if the calculated packet integrity checksum is different from the Message-Authenticator attribute value. The Message-Authenticator prevents EAP authentication packets from being tampered with during EAP authentication.
  • Page 98: 802.1X Authentication Procedures

    • Multicast trigger mode—The access device multicasts Identity EAP-Request packets to initiate 802.1X authentication at the identity request interval. • Unicast trigger mode—Upon receiving a frame from an unknown MAC address, the access device sends an Identity EAP-Request packet out of the receiving port to the MAC address. The device retransmits the packet if no response has been received within the identity request timeout interval.
  • Page 99: Comparing Eap Relay And Eap Termination

    Comparing EAP relay and EAP termination
    Packet exchange method: EAP relay
    Benefits:
    • Supports various EAP authentication methods.
    • The configuration and processing are simple on the ...
    Limitations: The RADIUS server must support the EAP-Message and Message-Authenticator attributes, and the EAP authentication method used by the client.
  • Page 100
    Figure 36 802.1X authentication procedure in EAP relay mode (Client, Device, Authentication server; EAPOL between client and device, EAPOR between device and server): (1) EAPOL-Start, (2) EAP-Request/Identity, (3) EAP-Response/Identity, (4) RADIUS Access-Request (EAP-Response/Identity), (5) RADIUS Access-Challenge (EAP-Request/MD5 challenge), (6) EAP-Request/MD5 challenge, (7) EAP-Response/MD5 challenge, (8) RADIUS Access-Request (EAP-Response/MD5 challenge), (9) RADIUS Access-Accept (EAP-Success), (10) EAP-Success...
  • Page 101: Eap Termination

    10. Upon receiving the RADIUS Access-Accept packet, the access device performs the following operations: a. Sends an EAP-Success packet to the client. b. Sets the controlled port in authorized state. The client can access the network. 11. After the client comes online, the access device periodically sends handshake requests to check whether the client is still online.
  • Page 102 Figure 37 802.1X authentication procedure in EAP termination mode In EAP termination mode, the access device rather than the authentication server generates an MD5 challenge for password encryption. The access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.
  • Page 103: Configuring 802.1X

    Configuring 802.1X This chapter describes how to configure 802.1X on an HPE device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network (a WLAN, for example) that requires different authentication methods for different users on a port.
  • Page 104 NOTE: The access device converts VLAN names and VLAN group names into VLAN IDs before VLAN assignment. Unsupported VLAN types Do not specify the following types of VLANs for VLAN authorization. The access device does not assign these VLANs to 802.1X users. •...
  • Page 105: Guest Vlan

    Table 6 VLAN manipulation
    • Port access control method: Port-based. VLAN manipulation: The device assigns the first authenticated user's authorization VLAN to the port as the port VLAN (PVID). All subsequent 802.1X users can access the VLAN without authentication. When the first authenticated user logs off, the previous PVID is restored, and all other online users are logged off.
  • Page 106: Auth-Fail Vlan

    Auth-Fail VLAN The 802.1X Auth-Fail VLAN on a port accommodates users who have failed 802.1X authentication because of the failure to comply with the organization security strategy. For example, the VLAN accommodates users who have entered a wrong password. Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to download antivirus software and system patches.
  • Page 107: Using 802.1X Authentication With Other Features

    Authentication status / VLAN manipulation
    • A user in the 802.1X critical VLAN fails 802.1X authentication because all the RADIUS servers are unreachable: The critical VLAN is still the PVID of the port, and all 802.1X users on this port are in this VLAN.
    • A user in the 802.1X critical VLAN fails ...: If an 802.1X Auth-Fail VLAN has been configured, the PVID of the port changes to the Auth-Fail VLAN ID, and all 802.1X...
  • Page 108: Ead Assistant

    EAD assistant Endpoint Admission Defense (EAD) is a Hewlett Packard Enterprise integrated endpoint access control solution to improve the threat defensive capability of a network. The solution enables the security client, security policy server, access device, and third-party server to operate together. If a terminal device seeks to access an EAD network, it must have an EAD client, which performs 802.1X authentication.
  • Page 109: Compatibility Information

    Figure 38 802.1X authentication process with the SmartOn feature If the user attempts to use another 802.1X client for authentication, it will fail SmartOn authentication. The access device stops 802.1X authentication for the user. NOTE: After you install the SmartOn client software, add two values QX_ID and QX_PASSWORD to the Windows registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Soliton Systems K.K.\SmartOn Client\Clients\1XGate].
  • Page 110: Configuration Prerequisites

    Configuration prerequisites Before you configure 802.1X, complete the following tasks: • Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users. • If RADIUS authentication is used, create user accounts on the RADIUS server. • If local authentication is used, create local user accounts on the access device and set the service type to lan-access.
  • Page 111: Enabling Eap Relay Or Eap Termination

    Step Command Remarks
    • Enter system view. Command: system-view
    • Enable 802.1X globally. Command: dot1x. Remarks: By default, 802.1X is disabled globally.
    • Enter Layer 2 Ethernet interface view. Command: interface interface-type interface-number
    • Enable 802.1X on a port. Command: dot1x. Remarks: By default, 802.1X is disabled on a port.
    Enabling EAP relay or EAP termination
    When configuring EAP relay or EAP termination, consider the following factors:
    •...
  • Page 112: Specifying An Access Control Method

    • unauthorized-force—Places the port in the unauthorized state, denying any access requests from users on the port. • auto—Places the port initially in unauthorized state to allow only EAPOL packets to pass. After a user passes authentication, sets the port in the authorized state to allow access to the network.
  • Page 113: Setting The Maximum Number Of Concurrent 802.1X Users On A Port

    Setting the maximum number of concurrent 802.1X users on a port Perform this task to prevent the system resources from being overused. To set the maximum number of concurrent 802.1X users on a port: Step Command Remarks Enter system view. system-view Enter Layer 2 Ethernet interface interface-type...
  • Page 114: Configuring The Online User Handshake Feature

    Step Command Remarks
    • Enter system view. Command: system-view
    • Set the client timeout timer. Command: dot1x timer supp-timeout supp-timeout-value. Remarks: The default is 30 seconds.
    • Set the server timeout timer. Command: dot1x timer server-timeout server-timeout-value. Remarks: The default is 100 seconds.
    Configuring the online user handshake feature
    The online user handshake feature checks the connectivity status of online 802.1X users.
  • Page 115: Configuring The Authentication Trigger Feature

    Configuring the authentication trigger feature The authentication trigger feature enables the access device to initiate 802.1X authentication when 802.1X clients cannot initiate authentication. This feature provides the multicast trigger and unicast trigger (see 802.1X authentication initiation in "802.1X overview"). Configuration guidelines When you configure the authentication trigger feature, follow these guidelines: •...
  • Page 116: Setting The Quiet Timer

    Setting the quiet timer The quiet timer enables the access device to wait a period of time before it can process any authentication request from a client that has failed an 802.1X authentication. You can edit the quiet timer, depending on the network conditions. •...
  • Page 117: Configuring An 802.1X Guest Vlan

    Step Command Remarks
    • (Optional.) Enable the keep-online feature for 802.1X users. Command: dot1x re-authenticate server-unreachable keep-online. Remarks: By default, this feature is disabled. The device logs off online 802.1X users if no authentication server is reachable for 802.1X reauthentication.
    Configuring an 802.1X guest VLAN
    Configuration guidelines
    When you configure an 802.1X guest VLAN, follow these guidelines:
    •...
  • Page 118: Configuration Procedure

    Configuration procedure
    To configure an 802.1X Auth-Fail VLAN:
    Step Command Remarks
    • Enter system view. Command: system-view
    • Enter Layer 2 Ethernet interface view. Command: interface interface-type interface-number
    • Configure the 802.1X Auth-Fail VLAN on the port. Command: dot1x auth-fail vlan authfail-vlan-id. Remarks: By default, no 802.1X Auth-Fail VLAN is configured.
  • Page 119: Configuring The Ead Assistant Feature

    If a username string contains none of the delimiters, the access device authenticates the user in the mandatory or default ISP domain.
    To specify a set of domain name delimiters:
    Step Command Remarks
    • Enter system view. Command: system-view
    • Specify a set of domain name delimiters for 802.1X ... Command: dot1x domain-delimiter string... Remarks: By default, only the at sign (@) ...
  • Page 120: Configuring 802.1X Smarton

    Step Command Remarks
    • (Optional.) Configure the redirect URL. Command: dot1x ead-assistant url url-string. Remarks: By default, no redirect URL is configured. Configure the redirect URL if users will use Web browsers to access the network.
    • (Optional.) Set the EAD ... Command: dot1x timer ead-timeout ... Remarks: The default setting is 30 minutes.
  • Page 121: Displaying And Maintaining 802.1X

    Displaying and maintaining 802.1X
    Execute display commands in any view and reset commands in user view.
    Task Command
    • Display 802.1X session information, statistics, or configuration information of specified or all ports. Command: display dot1x [ sessions | statistics ] [ interface interface-type interface-number ]
    • Display online 802.1X user information (centralized devices in standalone... Command: display dot1x connection [ interface interface-type ...
  • Page 122
    Figure 39 Network diagram (Supplicant: Host 192.168.1.2/24, connected to GE2/0/1 of the Device, Vlan-int2 192.168.1.1/24; Authenticator: Device, GE2/0/2 10.1.1.10/24 toward the RADIUS server cluster, primary 10.1.1.1/24 and secondary 10.1.1.2/24, and the Internet)
    Configuration procedure
    Configure the 802.1X client. If HPE iNode is used, do not select the Carry version info option in the client configuration.
  • Page 123: Guest Vlan And Authorization Vlan Configuration Example

    NOTE: The access device must use the same username format as the RADIUS server. If the RADIUS server includes the ISP domain name in the username, so must the access device.
    Configure the ISP domain:
    # Create an ISP domain named bbb and enter its view.
    [Device] domain bbb
    # Apply the RADIUS scheme radius1 to the ISP domain, and specify local authentication as the secondary authentication method.
  • Page 124
    Figure 40 Network diagram (Device with ports GE2/0/1 through GE2/0/4; Host; Internet; update server in VLAN 10; authentication server in VLAN 2; VLAN 1; VLAN 5; panels: port assigned to guest VLAN, user comes...)
  • Page 125
    [Device-radius-2000] primary authentication 10.11.1.1 1812
    # Specify the server at 10.11.1.1 as the primary accounting server, and set the accounting port to 1813.
    [Device-radius-2000] primary accounting 10.11.1.1 1813
    # Set the shared key to abc in plain text for secure communication between the authentication server and the device.
  • Page 126: 802.1X With Acl Assignment Configuration Example

    802.1X with ACL assignment configuration example Network requirements As shown in Figure 41, the host that connects to GigabitEthernet 2/0/1 must pass 802.1X authentication to access the Internet. Perform 802.1X authentication on GigabitEthernet 2/0/1. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server, and the RADIUS server at 10.1.1.2 as the accounting server.
  • Page 127: With Ead Assistant Configuration Example (With Dhcp Relay Agent)

    [Device-radius-2000] user-name-format without-domain
    [Device-radius-2000] quit
    Configure an ISP domain:
    # Create ISP domain bbb and enter ISP domain view.
    [Device] domain bbb
    # Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and accounting.
    [Device-isp-bbb] authentication lan-access radius-scheme 2000
    [Device-isp-bbb] authorization lan-access radius-scheme 2000
    [Device-isp-bbb] accounting lan-access radius-scheme 2000
    [Device-isp-bbb] quit...
  • Page 128 • The intranet 192.168.1.0/24 is attached to GigabitEthernet 2/0/1 of the access device. • The hosts use DHCP to obtain IP addresses. • A DHCP server and a Web server are deployed on the 192.168.2.0/24 subnet for users to obtain IP addresses and download client software. Deploy an EAD solution for the intranet to meet the following requirements: •...
  • Page 129
    # Specify the server at 10.1.1.1 as the primary authentication server, and set the authentication port to 1812.
    [Device-radius-2000] primary authentication 10.1.1.1 1812
    # Specify the server at 10.1.1.2 as the primary accounting server, and set the accounting port to 1813.
  • Page 130: With Ead Assistant Configuration Example (With Dhcp Server)

    Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
    Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
    Ping statistics for 192.168.2.3:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms
    The output shows that you can access the free IP subnet before passing 802.1X authentication.
  • Page 131
    Configure an IP address for each interface. (Details not shown.)
    Configure the DHCP server:
    # Enable DHCP.
    <Device> system-view
    [Device] dhcp enable
    # Enable the DHCP server on VLAN-interface 2.
    [Device] interface vlan-interface 2
    [Device-Vlan-interface2] dhcp select server
    [Device-Vlan-interface2] quit
    # Create DHCP address pool 0.
  • Page 132: 802.1X Smarton Configuration Example

    [Device] dot1x ead-assistant url http://192.168.2.3
    # Enable the EAD assistant feature.
    [Device] dot1x ead-assistant enable
    # Enable 802.1X on GigabitEthernet 2/0/1.
    [Device] interface gigabitethernet 2/0/1
    [Device-GigabitEthernet2/0/1] dot1x
    [Device-GigabitEthernet2/0/1] quit
    # Enable 802.1X globally.
    [Device] dot1x
    Verifying the configuration
    # Verify the 802.1X configuration.
    [Device] display dot1x
    # Verify that you can ping an IP address on the free IP subnet from a host.
  • Page 133
    Figure 44 Network diagram
    Configuration procedure
    Configure a RADIUS scheme:
    # Create RADIUS scheme 2000 and enter RADIUS scheme view.
    <Device> system-view
    [Device] radius scheme 2000
    # Specify the server at 10.1.1.1 as the primary authentication server, and set the authentication port to 1812.
  • Page 134: Troubleshooting 802.1X

    [Device-GigabitEthernet2/0/1] quit
    # Set the SmartOn password to 1234 in plain text and the switch ID to XYZ.
    [Device] dot1x smarton password simple 1234
    [Device] dot1x smarton switchid XYZ
    # Set the SmartOn client timeout timer to 40 seconds.
    [Device] smarton timer supp-timeout 40
    # Enable 802.1X globally.
  • Page 135: Configuring Mac Authentication

    Configuring MAC authentication Overview MAC authentication controls network access by authenticating source MAC addresses on a port. The feature does not require client software, and users do not have to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication-enabled port.
  • Page 136: Vlan Assignment

    VLAN assignment You can specify the authorization VLAN for a MAC authentication user to control access to authorized network resources. • On a RADIUS server, the authorization VLAN can be specified in the form of VLAN ID or VLAN name. •...
  • Page 137: Compatibility Information

    The device reauthenticates an online MAC authentication user periodically only after it receives the termination action Radius-request from the authentication server for this user. The Session-Timeout attribute (session timeout period) assigned by the server is the reauthentication interval. To display the server-assigned Session-Timeout and Termination-Action attributes, use the display mac-authentication connection command.
  • Page 138: Configuration Task List

    Make sure the port security feature is disabled. For more information about port security, see "Configuring port security."
    Configuration task list
    Tasks at a glance
    (Required.) Enabling MAC authentication
    (Optional.) Specifying a MAC authentication domain
    (Optional.) Configuring the user account format
    (Optional.) Configuring MAC authentication timers
    (Optional.)
  • Page 139: Configuring The User Account Format

    MAC authentication chooses an authentication domain for users on a port in this order: the port-specific domain, the global domain, and the default domain. For more information about authentication domains, see "Configuring AAA." To specify an authentication domain for MAC authentication users: Step Command Remarks...
  • Page 140: Setting The Maximum Number Of Concurrent Mac Authentication Users On A Port

    Step Command Remarks
    • Enter system view. Command: system-view
    • Configure MAC authentication timers. Command: mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }. Remarks: By default, the offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100 seconds.
  • Page 141: Enabling Mac Authentication Multi-Vlan Mode On A Port

    Enabling MAC authentication multi-VLAN mode on a port The MAC authentication multi-VLAN mode protects an authenticated online user from service interruption caused by VLAN changes on a port. When the port receives a packet sourced from the user in a VLAN not matching the existing MAC-VLAN mapping, the device neither logs off the user nor reauthenticates the user.
  • Page 142: Displaying And Maintaining Mac Authentication

    Displaying and maintaining MAC authentication
    Execute display commands in any view and reset commands in user view.
    Task Command
    • Display MAC authentication information. Command: display mac-authentication [ interface interface-type interface-number ]
    • Display MAC authentication connections (centralized devices in standalone mode). Command: display mac-authentication connection [ interface interface-type interface-number | user-mac mac-addr | ...
  • Page 143
    [Device] local-user 00-e0-fc-12-34-56 class network
    [Device-luser-network-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56
    # Specify the LAN access service for the user.
    [Device-luser-network-00-e0-fc-12-34-56] service-type lan-access
    [Device-luser-network-00-e0-fc-12-34-56] quit
    # Configure ISP domain bbb to perform local authentication for LAN users.
    [Device] domain bbb
    [Device-isp-bbb] authentication lan-access local
    [Device-isp-bbb] quit
    # Enable MAC authentication on port GigabitEthernet 2/0/1.
  • Page 144: Radius-Based Mac Authentication Configuration Example

    Host mode : Single VLAN
    Max online users : 4096
    Authentication attempts : successful 1, failed 0
    Current online users
    MAC address Auth state
    00e0-fc12-3456 Authenticated
    The output shows that Host A has passed MAC authentication and has come online. Host B failed MAC authentication and its MAC address is marked as a silent MAC address.
  • Page 145
    [Device-radius-2000] user-name-format without-domain
    [Device-radius-2000] quit
    # Apply the RADIUS scheme to ISP domain bbb for authentication, authorization, and accounting.
    [Device] domain bbb
    [Device-isp-bbb] authentication default radius-scheme 2000
    [Device-isp-bbb] authorization default radius-scheme 2000
    [Device-isp-bbb] accounting default radius-scheme 2000
    [Device-isp-bbb] quit
    # Enable MAC authentication on port GigabitEthernet 2/0/1.
    [Device] interface gigabitethernet 2/0/1
    [Device-GigabitEthernet2/0/1] mac-authentication
    [Device-GigabitEthernet2/0/1] quit...
  • Page 146: Acl Assignment Configuration Example

    Authentication attempts : successful 1, failed 0
    Current online users
    MAC address Auth state
    00e0-fc12-3456 Authenticated
    ACL assignment configuration example
    Network requirements
    As shown in Figure 47, configure the device to meet the following requirements:
    • Use RADIUS servers to perform authentication, authorization, and accounting for users.
    •...
  • Page 147
    [Sysname-isp-bbb] authorization default radius-scheme 2000
    [Sysname-isp-bbb] accounting default radius-scheme 2000
    [Sysname-isp-bbb] quit
    # Specify the ISP domain for MAC authentication.
    [Sysname] mac-authentication domain bbb
    # Configure the device to use MAC-based user accounts. Each MAC address is in the hexadecimal notation with hyphens, and letters are in lower case.
    [Sysname] mac-authentication user-name-format mac-address with-hyphen lowercase
    # Enable MAC authentication on port GigabitEthernet 2/0/1.
  • Page 148
    # Verify that you cannot ping the FTP server from the host.
    C:\>ping 10.0.0.1
    Pinging 10.0.0.1 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Ping statistics for 10.0.0.1:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    The output shows that ACL 3000 has been assigned to port GigabitEthernet 2/0/1 to deny access to the FTP server.
  • Page 149: Configuring Portal Authentication

    Configuring portal authentication Overview Portal authentication controls user access to the Internet. Portal authenticates a user by the username and password the user enters on a portal authentication page. Therefore, portal authentication is also known as Web authentication. When portal authentication is deployed on a network, an access device redirects unauthenticated users to the website provided by a portal Web server.
  • Page 150 Figure 48 Portal system components (figure: authentication clients, access device, portal authentication server, portal Web server, AAA server, security policy server). An authentication client is a Web browser that runs HTTP/HTTPS or a user host that runs a portal client application.
  • Page 151: Interaction Between Portal System Components

    Interaction between portal system components The components of a portal system interact as follows: An unauthenticated user initiates authentication by accessing an Internet website through a Web browser. When receiving the HTTP request, the access device redirects it to the Web authentication page provided by the portal Web server.
  • Page 152: Portal Authentication Process

    Cross-subnet authentication Cross-subnet authentication is similar to direct authentication, except it allows Layer 3 forwarding devices to exist between the authentication client and the access device. In direct authentication, re-DHCP authentication, and cross-subnet authentication, a user's IP address uniquely identifies the user. After a user passes authentication, the access device generates an ACL for the user based on the user's IP address to control forwarding of the packets from the user.
  • Page 153 The access device sends an authentication reply packet to the portal authentication server to notify authentication success or failure. The portal authentication server sends an authentication success or failure packet to the client. If the authentication is successful, the portal authentication server sends an authentication reply acknowledgment packet to the access device.
  • Page 154: Command And Hardware Compatibility

    Step 13 and step 14 are for extended portal functions. 13. The client and the security policy server exchange security check information. The security policy server detects whether the user host has anti-virus software, virus definition files, unauthorized software, and operating system patches installed. 14.
  • Page 155: Configuration Prerequisites

    Tasks at a glance (Optional.) Logging out portal users (Optional.) Configuring Web redirect On Etherchannel interfaces, both Web redirect and portal authentication can be enabled at the same time. On other types of interfaces, Web redirect does not work when both Web redirect and portal authentication are enabled.
  • Page 156: Configuring A Portal Web Server

    Step / Command / Remarks. Step: Specify the IP address of an IPv4 portal authentication server, an IPv6 portal authentication server, or both. Command: • To specify an IPv4 portal server: ip ipv4-address [ vpn-instance vpn-instance-name ] [ key { cipher | simple } key-string ]
  • Page 157: Configuration Restrictions And Guidelines

    Configuration restrictions and guidelines When you enable portal authentication on an interface, follow these restrictions and guidelines: • Make sure the interface has a valid IP address before you enable re-DHCP portal authentication on the interface. • Do not add the Ethernet interface enabled with portal authentication to an aggregation group. Otherwise, portal authentication does not take effect.
  • Page 158: Controlling Portal User Access

    Step / Command / Remarks. Step: Reference a portal Web server for the interface. Command: • To reference an IPv4 portal Web server: portal apply web-server server-name [ fail-permit ] •... Remarks: Reference an IPv4 portal Web server, an IPv6 portal Web server, or both for the interface.
  • Page 159: Configuring An Authentication Source Subnet

    Step / Command / Remarks. Step: Configure a source-based portal-free rule. Command: portal free-rule rule-number source { interface interface-type interface-number | mac mac-address | vlan vlan-id } * Remarks: By default, no source-based portal-free rule exists. If you specify both a VLAN and an interface, the interface must belong to the VLAN.
  • Page 160: Configuring An Authentication Destination Subnet

    Step / Command / Remarks. Step 1: Enter system view. Command: system-view. Step 2: Enter interface view. Command: interface interface-type interface-number. Step 3: Configure an IPv6 portal authentication source subnet. Command: portal ipv6 layer3 source ipv6-network-address prefix-length. Remarks: By default, no IPv6 portal authentication source subnet is configured, and IPv6 users from any subnets must pass portal authentication.
  • Page 161: Specifying A Portal Authentication Domain

    If you set the maximum total number smaller than the number of current online portal users on the device, this configuration still takes effect. The online users are not affected but the system forbids new portal users to log in. If you set the maximum number of portal users on an interface smaller than the number of current online portal users on the interface, this configuration still takes effect.
  • Page 162: Specifying A Preauthentication Domain

    Step / Command / Remarks. Step: Specify an IPv4 portal authentication domain. Command: portal domain domain-name. Remarks: By default, no ISP domain is specified for IPv4 portal users on the interface. To specify an IPv6 portal authentication domain: Step / Command / Remarks. Step 1: Enter system view. Command: system-view. Step 2: Enter interface view. Command: interface interface-type
  • Page 163: Configuring A Preauthentication Ip Address Pool For Portal Users

    Configuring a preauthentication IP address pool for portal users Perform this task to specify a preauthentication IP address pool for portal users. You must specify a preauthentication IP address pool on a portal-enabled interface in the following situation: • Portal users access the network through a subinterface of the portal-enabled interface. •...
  • Page 164: Enabling Outgoing Packets Filtering On A Portal-Enabled Interface

    To enable strict-checking on portal authorization information: Step / Command / Remarks. Step 1: Enter system view. Command: system-view. Step 2: Enter interface view. Command: interface interface-type interface-number. Step 3: Enable strict checking mode on portal authorization. Command: portal authorization acl strict-checking. Remarks: By default, the strict checking mode is disabled. In this case, the portal users stay online even when the authorization...
  • Page 165: Configuring Portal Authentication Server Detection

    • ARP or ND detection—Sends ARP or ND requests to the user and detects the ARP or ND entry status of the user at configurable intervals. If the ARP or ND entry of the user is refreshed within the maximum number of detection attempts, the device considers that the user is online and stops detecting the user's ARP or ND entry.
  • Page 166: Configuring Portal Web Server Detection

    You can configure the device to take one or more of the following actions when the server reachability status changes: • Sending a trap message to the NMS. The trap message contains the name and current state of the portal authentication server. •...
  • Page 167: Configuring Portal User Synchronization

    Step / Command / Remarks. Step 1: Enter system view. Command: system-view. Step 2: Enter portal Web server view. Command: portal web-server server-name. Step 3: Configure portal Web server detection. Command: server-detect [ interval interval ] [ retry retries ] { log | trap } * Remarks: By default, portal Web server detection is disabled. This feature takes effect regardless
  • Page 168: Configuring The Portal Fail-Permit Feature

    Configuring the portal fail-permit feature Perform this task to configure the portal fail-permit feature on an interface. When the access device detects that the portal authentication server or portal Web server is unreachable, it allows users on the interface to have network access without portal authentication. If you enable fail-permit for both a portal authentication server and a portal Web server on an interface, the interface does the following: •...
  • Page 169: Enabling Portal Roaming

    Step / Command / Remarks. Step: Enter interface view. Command: interface interface-type interface-number. Step: Configure BAS-IP for IPv4 portal packets sent to the portal authentication server. Command: portal bas-ip ipv4-address. Remarks: By default, the BAS-IP attribute of an IPv4 portal response packet sent to the portal authentication server is the source IPv4 address of the packet, and that of
  • Page 170: Logging Out Portal Users

    Logging out portal users Logging out a user terminates the authentication process for the user or removes the user from the authenticated users list. To log out users: Step / Command. Step: Enter system view. Command: system-view. Step: Log out IPv4 portal users. Command: portal delete-user { ipv4-address | all | interface interface-type
  • Page 171: Applying A Nas-Id Profile To An Interface

    Step / Command / Remarks. Step 1: Enter system view. Command: system-view. Step 2: Enter interface view. Command: interface interface-type interface-number. Step 3: Configure Web redirect. Command: web-redirect [ ipv6 ] url url-string [ interval interval ]. Remarks: By default, Web redirect is disabled. Step 4: (Optional.) Configure Web ... Command: web-redirect track interface interface-type interface-number. Remarks: By default, Web redirect track is disabled.
  • Page 172: Portal Configuration Examples

    Task / Command. Task: Display portal rules on an interface (distributed devices in standalone mode). Command: display portal rule { all | dynamic | static } interface interface-type interface-number [ slot slot-id ]. Task: Display portal rules on an interface (distributed devices in IRF mode). Command: display portal rule { all | dynamic | static } interface interface-type interface-number [ chassis
  • Page 173 Figure 51 Network diagram Configuration prerequisites • Configure IP addresses for the host, router, and servers as shown in Figure 51 and make sure they can reach each other. • Configure the RADIUS server correctly to provide authentication and accounting functions. Configuring the portal authentication server on IMC PLAT 5.0 This example assumes that the portal server runs on IMC PLAT 5.0(E0101) and IMC UAM 5.0(E0101).
  • Page 174 Configure the IP address group: a. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. b. Click Add to enter the page shown in Figure c.
  • Page 175 Figure 54 Adding a portal device Associate the portal device with the IP address group: a. As shown in Figure 55, click the icon in the Port Group Information Management column of device NAS to enter the port group configuration page. b.
  • Page 176 Figure 56 Adding a port group Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configuring the portal server on IMC PLAT 7.1 In this example, the portal server runs on IMC PLAT 7.1 (E0303) and IMC EIA 7.1 (F0303). Configure the portal authentication server: a.
  • Page 177 Figure 57 Portal authentication server configuration Configure the IP address group: a. Select User Access Policy > Portal Service > IP Group from the navigation tree to enter the portal IP address group configuration page. b. Click Add to enter the page shown in Figure c.
  • Page 178 Figure 58 Adding an IP address group Add a portal device: a. Select User Access Policy > Portal Service > Device from the navigation tree to enter the portal device configuration page. b. Click Add to enter the page shown in Figure c.
  • Page 179 Associate the portal device with the IP address group: a. As shown in Figure 60, click the Port Group Information Management icon for device NAS to enter the port group configuration page. b. Click Add to enter the page shown in Figure c.
  • Page 180 # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers. [Router-radius-rs1] primary authentication 192.168.0.112 [Router-radius-rs1] primary accounting 192.168.0.112 [Router-radius-rs1] key authentication simple radius [Router-radius-rs1] key accounting simple radius # Exclude the ISP domain name from the username sent to the RADIUS server. [Router-radius-rs1] user-name-format without-domain [Router-radius-rs1] quit # Enable RADIUS session control.
  • Page 181 Authorization : Strict checking : Disabled IPv4: Portal status: Enabled Authentication type: Direct Portal Web server: newpt Authentication domain: Not configured Pre-auth IP pool: Not configured BAS-IP: 2.2.2.1 User Detection: Not configured Action for server detection: Server type Server name Action Layer3 source network: IP address...
  • Page 182: Configuring Re-Dhcp Portal Authentication

    DHCP IP pool: N/A Session group profile: N/A ACL: N/A CAR: N/A Configuring re-DHCP portal authentication Network requirements As shown in Figure 62, the host is directly connected to the router (the access device). The host obtains an IP address through the DHCP server. A portal server acts as both a portal authentication server and a portal Web server.
  • Page 183 Configuration procedure Perform the following tasks on the router. Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <Router> system-view [Router] radius scheme rs1 # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
  • Page 184 # Configure a portal Web server. [Router] portal web-server newpt [Router-portal-websvr-newpt] url http://192.168.0.111:8080/portal [Router-portal-websvr-newpt] quit # Enable re-DHCP portal authentication on GigabitEthernet 2/0/2. [Router] interface gigabitethernet 2/0/2 [Router-GigabitEthernet2/0/2] portal enable method redhcp # Reference the portal Web server newpt on GigabitEthernet 2/0/2. [Router-GigabitEthernet2/0/2] portal apply web-server newpt # Configure the BAS-IP as 20.20.20.1 for portal packets sent from GigabitEthernet 2/0/2 to the portal authentication server.
  • Page 185: Configuring Cross-Subnet Portal Authentication

    IP address Prefix length Destination authenticate subnet: IP address Prefix length A user can perform portal authentication by using the HPE iNode client or through a Web page. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
  • Page 186 Configuration prerequisites and guidelines • Configure IP addresses for the router and servers as shown in Figure 63 and make sure the host, router, and servers can reach each other. • Configure the RADIUS server correctly to provide authentication and accounting functions. •...
  • Page 187 [RouterA] interface gigabitethernet 2/0/2 [RouterA-GigabitEthernet2/0/2] portal enable method layer3 # Reference the portal Web server newpt on GigabitEthernet 2/0/2. [RouterA-GigabitEthernet2/0/2] portal apply web-server newpt # Configure the BAS-IP as 20.20.20.1 for portal packets sent from GigabitEthernet 2/0/2 to the portal authentication server. [RouterA-GigabitEthernet2/0/2] portal bas-ip 20.20.20.1 [RouterA-GigabitEthernet2/0/2] quit On Router B, configure a default route to subnet 192.168.0.0/24, specifying the next hop address as...
  • Page 188: Configuring Extended Direct Portal Authentication

    IP address Prefix length A user can perform portal authentication by using the HPE iNode client or through a Web page. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
  • Page 189 • Configure the RADIUS server correctly to provide authentication and accounting functions. Configuration procedure Perform the following tasks on the router. Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <Router> system-view [Router] radius scheme rs1 # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
  • Page 190 [Router-portal-server-newpt] port 50100 [Router-portal-server-newpt] quit # Configure a portal Web server. [Router] portal web-server newpt [Router-portal-websvr-newpt] url http://192.168.0.111:8080/portal [Router-portal-websvr-newpt] quit # Enable direct portal authentication on GigabitEthernet 2/0/2. [Router] interface gigabitethernet 2/0/2 [Router-GigabitEthernet2/0/2] portal enable method direct # Reference the portal Web server newpt on GigabitEthernet 2/0/2. [Router-GigabitEthernet2/0/2] portal apply web-server newpt # Configure the BAS-IP as 2.2.2.1 for portal packets sent from GigabitEthernet 2/0/2 to the portal authentication server.
  • Page 191: Configuring Extended Re-Dhcp Portal Authentication

    Layer3 source network: IP address Prefix length Destination authenticate subnet: IP address Prefix length Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
  • Page 192 Figure 65 Network diagram Configuration prerequisites and guidelines • Configure IP addresses for the router and servers as shown in Figure 65 and make sure the host, router, and servers can reach each other. • Configure the RADIUS server correctly to provide authentication and accounting functions. •...
  • Page 193 # Enable RADIUS session control. [Router-radius-rs1] radius session-control enable [Router-radius-rs1] quit # Enable RADIUS session control. [Router] radius session-control enable Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Router] domain dm1 # Configure AAA methods for the ISP domain. [Router-isp-dm1] authentication portal radius-scheme rs1 [Router-isp-dm1] authorization portal radius-scheme rs1 [Router-isp-dm1] accounting portal radius-scheme rs1...
  • Page 194 # Configure a portal Web server. [Router] portal web-server newpt [Router-portal-websvr-newpt] url http://192.168.0.111:8080/portal [Router-portal-websvr-newpt] quit # Enable re-DHCP portal authentication on GigabitEthernet 2/0/2. [Router] interface gigabitethernet 2/0/2 [Router-GigabitEthernet2/0/2] portal enable method redhcp # Reference the portal Web server newpt on GigabitEthernet 2/0/2. [Router-GigabitEthernet2/0/2] portal apply web-server newpt # Configure the BAS-IP as 20.20.20.1 for portal packets sent from GigabitEthernet 2/0/2 to the portal authentication server.
  • Page 195: Configuring Extended Cross-Subnet Portal Authentication

    IP address Prefix length Destination authenticate subnet: IP address Prefix length Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. •...
  • Page 196 Figure 66 Network diagram Configuration prerequisites and guidelines • Configure IP addresses for the router and servers as shown in Figure 66 and make sure the host, router, and servers can reach each other. • Configure the RADIUS server correctly to provide authentication and accounting functions. •...
  • Page 197 # Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user. [RouterA] domain default enable dm1 Configure ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.
  • Page 198 Portal Web server: newpt Authentication domain: Not configured Pre-auth IP pool: Not configured BAS-IP: 20.20.20.1 User Detection: Not configured Action for server detection: Server type Server name Action Layer3 source network: IP address Mask Destination authenticate subnet: IP address Mask IPv6: Portal status: Disabled Authentication type: Disabled...
  • Page 199: Configuring Portal Server Detection And Portal User Synchronization

    ACL: 3001 CAR: N/A Configuring portal server detection and portal user synchronization Network requirements As shown in Figure 67, the host is directly connected to the router (the access device). The host is assigned a public IP address either manually or through DHCP. A portal server acts as both a portal authentication server and a portal Web server.
  • Page 200 Configuring the portal authentication server on IMC PLAT 5.0 This example assumes that the portal server runs on IMC PLAT 5.0(E0101) and IMC UAM 5.0(E0101). Configure the portal authentication server: a. Log in to IMC and click the Service tab. b.
  • Page 201 Figure 69 Adding an IP address group Add a portal device: a. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. b. Click Add to enter the page shown in Figure c.
  • Page 202 b. Click Add to enter the page shown in Figure c. Enter the port group name. d. Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group.
  • Page 203 Figure 73 Portal authentication server configuration Configure the IP address group: a. Select User Access Policy > Portal Service > IP Group from the navigation tree to enter the portal IP address group configuration page. b. Click Add to enter the page shown in Figure c.
  • Page 204 Figure 74 Adding an IP address group Add a portal device: a. Select User Access Policy > Portal Service > Device from the navigation tree to enter the portal device configuration page. b. Click Add to enter the page shown in Figure c.
  • Page 205 Associate the portal device with the IP address group: a. As shown in Figure 76, click the Port Group Information Management icon for device NAS to enter the port group configuration page. b. Click Add to enter the page shown in Figure c.
  • Page 206 # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers. [Router-radius-rs1] primary authentication 192.168.0.112 [Router-radius-rs1] primary accounting 192.168.0.112 [Router-radius-rs1] key authentication simple radius [Router-radius-rs1] key accounting simple radius # Exclude the ISP domain name from the username sent to the RADIUS server. [Router-radius-rs1] user-name-format without-domain [Router-radius-rs1] quit # Enable RADIUS session control.
  • Page 207: Configuring Cross-Subnet Portal Authentication For Mpls L3Vpns

    [Router-GigabitEthernet2/0/2] portal enable method direct # Enable portal fail-permit for the portal authentication server newpt. [Router-GigabitEthernet2/0/2] portal fail-permit server newpt # Reference the portal Web server newpt on GigabitEthernet 2/0/2. [Router-GigabitEthernet2/0/2] portal apply web-server newpt # Configure the BAS-IP as 2.2.2.1 for portal packets sent from GigabitEthernet 2/0/2 to the portal authentication server.
  • Page 208 describes only the access authentication configuration on the user-side PE. For information about MPLS L3VPN configurations, see MPLS Configuration Guide. • Configure the RADIUS server correctly to provide authentication and accounting functions. Configuration procedure Perform the following tasks on Router A. Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view.
  • Page 209: Configuring Direct Portal Authentication With A Preauthentication Domain

    [RouterA-portal-server-newpt] quit # Configure a portal Web server. [RouterA] portal web-server newpt [RouterA-portal-websvr-newpt] url http://192.168.0.111:8080/portal [RouterA-portal-websvr-newpt] vpn-instance vpn3 [RouterA-portal-websvr-newpt] quit # Enable cross-subnet portal authentication on GigabitEthernet 2/0/1. [RouterA] interface gigabitethernet 2/0/1 [RouterA-GigabitEthernet2/0/1] portal enable method layer3 # Reference the portal Web server newpt on GigabitEthernet 2/0/1. [RouterA-GigabitEthernet2/0/1] portal apply web-server newpt # Configure the BAS-IP as 3.3.0.3 for portal packets sent from GigabitEthernet 2/0/1 to the portal authentication server.
  • Page 210 Figure 79 Network diagram Configuration prerequisites • Configure IP addresses for the host, router, and servers as shown in Figure 79 and make sure they can reach each other. • Configure the RADIUS server correctly to provide authentication and accounting functions. Configuration procedure Perform the following tasks on the router.
  • Page 211: Configuring Re-Dhcp Portal Authentication With A Preauthentication Domain

    [Router] portal server newpt [Router-portal-server-newpt] ip 192.168.0.111 key simple portal [Router-portal-server-newpt] port 50100 [Router-portal-server-newpt] quit # Configure a portal Web server. [Router] portal web-server newpt [Router-portal-websvr-newpt] url http://192.168.0.111:8080/portal [Router-portal-websvr-newpt] quit # Enable direct portal authentication on GigabitEthernet 2/0/2. [Router] interface gigabitethernet 2/0/2 [Router-GigabitEthernet2/0/2] portal enable method direct # Reference the portal Web server newpt on GigabitEthernet 2/0/2.
  • Page 212 Figure 80 Network diagram (figure; labels: Portal server 192.168.0.111/24; GE2/0/2 20.20.20.1/24; GE2/0/1 10.0.0.1/24, sub 192.168.0.100/24; DHCP server 192.168.0.112/24; Host, automatically obtains an IP address; Router; RADIUS server 192.168.0.113/24). Configuration prerequisites and guidelines • Configure IP addresses for the router and servers as shown in Figure 80 and make sure the host, router, and servers can reach each other.
  • Page 213 [Router-acl-ipv4-adv-3010] rule 1 permit ip destination 192.168.0.0 24 [Router-acl-ipv4-adv-3010] quit # Configure preauthentication domain abc on GigabitEthernet 2/0/2. [Router] interface gigabitethernet 2/0/2 [Router-GigabitEthernet2/0/2] portal pre-auth domain abc [Router-GigabitEthernet2/0/2] quit Configure DHCP relay and authorized ARP. # Configure DHCP relay. [Router] dhcp enable [Router] dhcp relay client-information record [Router] interface gigabitethernet 2/0/2 [Router-GigabitEthernet2/0/2] ip address 20.20.20.1 255.255.255.0...
  • Page 214: Troubleshooting Portal

    Session group profile: N/A ACL number: 3010 Inbound CAR: N/A Outbound CAR: N/A Troubleshooting portal No portal authentication page is pushed for users Symptom When a user is redirected to the IMC portal authentication server, no portal authentication page or error message is prompted for the user.
  • Page 215: Cannot Log Out Portal Users On The Radius Server

    Cannot log out portal users on the RADIUS server Symptom The access device uses the HPE IMC server as the RADIUS server to perform identity authentication for portal users. You cannot log out the portal users on the RADIUS server. Analysis The HPE IMC server uses session control packets to send disconnection requests to the access device.
  • Page 216 discards the portal notification packet. As a result, the portal authentication server considers that the user has failed the authentication. Solution Configure the BAS-IP or BAS-IPv6 attribute on the interface enabled with portal authentication. Make sure the attribute value is the same as the portal device IP address specified on the portal authentication server.
  • Page 217: Configuring Port Security

    Configuring port security Overview Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control. This feature applies to networks, such as a WLAN, that require different authentication methods for different users on a port. Port security provides the following functions: •...
  • Page 218 Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC address or performs authentication, depending on the security mode. If the frame is illegal, the port takes the predefined NTK or intrusion protection action.
  • Page 219 A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC addresses. Instead, these MAC addresses are added to the secure MAC address table as secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.
  • Page 220: Feature And Hardware Compatibility

    In this mode, the port performs 802.1X authentication first. If 802.1X authentication fails, MAC authentication is performed. • macAddressOrUserLoginSecureExt. This mode is similar to the macAddressOrUserLoginSecure mode, except that this mode supports multiple 802.1X and MAC authentication users. • macAddressElseUserLoginSecure. This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority as the Else keyword implies.
  • Page 221: Setting Port Security's Limit On The Number Of Secure Mac Addresses On A Port

    When port security is enabled, you cannot enable 802.1X or MAC authentication, or change the access control mode or port authorization state. Port security automatically modifies these settings in different security modes. To enable port security: Step / Command / Remarks. Step 1: Enter system view. Command: system-view. Step 2: Enable port security. Remarks: By default, port security is
  • Page 222 HMIM-8GSW. HMIM-24GSW. HMIM-24GSWP. SIC-4GSW. SIC-4GSWP. • Fixed Layer 2 Ethernet ports on the following routers: MSR954(JH296A/JH297A/JH299A). MSR1002-4/1003-8S. MSR2004-24/2004-48. Before you set a port security mode for a port, complete the following tasks: • Disable 802.1X and MAC authentication. • Verify that the port does not belong to any aggregation group or service loopback group. •...
  • Page 223: Configuring Port Security Features

    Configuring port security features Port security features are supported only on the following ports: • Layer 2 Ethernet ports on the following modules: HMIM-8GSW. HMIM-24GSW. HMIM-24GSWP. SIC-4GSW. SIC-4GSWP. • Fixed Layer 2 Ethernet ports on the following routers: MSR954(JH296A/JH297A/JH299A). MSR1002-4/1003-8S. MSR2004-24/2004-48.
  • Page 224: Configuring Secure Mac Addresses

    • disableport-temporarily—Disables the port for a period of time. The period can be configured with the port-security timer disableport command. To configure the intrusion protection feature: Step / Command / Remarks. Step 1: Enter system view. Command: system-view. Step 2: Enter Layer 2 Ethernet interface view. Command: interface interface-type interface-number. Step 3: Configure the intrusion... Command: port-security intrusion-mode
  • Page 225: Configuration Prerequisites

    Type / Address sources / Aging mechanism / Can be saved and survive a device reboot? Row: Sticky MAC addresses. Address sources: • Manually added (by using the port-security mac-address security command ... Aging mechanism: By default, sticky MAC addresses do not age out. However, you can configure an aging timer or use the aging timer together with the inactivity aging feature to remove old sticky MAC
  • Page 226: Ignoring Authorization Information From The Server

    Step / Command / Remarks. Step: Configure a secure MAC address. Command: • In system view: port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id • In Layer 2 Ethernet interface view: ... Remarks: By default, no secure MAC address exists. In a VLAN, a MAC address cannot
  • Page 227: Enabling The Authorization-Fail-Offline Feature

    Step / Command / Remarks. Step 1: Enter system view. Command: system-view. Step 2: Enable MAC move. Command: port-security mac-move permit. Remarks: By default, MAC move is disabled. Enabling the authorization-fail-offline feature The authorization-fail-offline feature logs off port security users who fail ACL authorization. A user fails ACL authorization in the following situations: •...
  • Page 228: Displaying And Maintaining Port Security

    Step / Command / Remarks. Step: Apply a NAS-ID profile. Command: • In system view: port-security nas-id-profile profile-name • In Layer 2 Ethernet interface view: a. interface interface-type interface-number b. port-security nas-id-profile profile-name. Remarks: By default, no NAS-ID profile is applied in system view or in interface view. Displaying and maintaining port security...
  • Page 229 Configuration procedure
    # Enable port security.
    <Device> system-view
    [Device] port-security enable
    # Set the secure MAC aging timer to 30 minutes.
    [Device] port-security timer autolearn aging 30
    # Set port security's limit on the number of secure MAC addresses to 64 on port GigabitEthernet 2/0/1.
  • Page 230: Userloginwithoui Configuration Example

    port-security mac-address security sticky 0002-0000-0015 vlan 1
    port-security mac-address security sticky 0002-0000-0014 vlan 1
    port-security mac-address security sticky 0002-0000-0013 vlan 1
    port-security mac-address security sticky 0002-0000-0012 vlan 1
    port-security mac-address security sticky 0002-0000-0011 vlan 1
    [Device-GigabitEthernet2/0/1] quit
    # Verify that the port security mode changes to secure after the number of MAC addresses learned by the port reaches 64.
  • Page 231 Configuration procedure
    The following configuration steps cover some AAA/RADIUS configuration commands. For more information about the commands, see Security Command Reference.
    Make sure the host and the RADIUS server can reach each other.
    Configure AAA:
    # Configure a RADIUS scheme named radsun.
    <Device> ...
  • Page 232 Verifying the configuration
    # Verify the RADIUS scheme configuration.
    [Device] display radius scheme radsun
    RADIUS scheme name : radsun
    Index : 0
    Primary authentication server:
      : 192.168.1.2   Port: 1812
      VPN : Not configured
      State: Active
      Test profile: Not configured
    Primary accounting server:
      : 192.168.1.3   Port: 1813
      VPN : Not configured ...
  • Page 233: Macaddresselseuserloginsecure Configuration Example

    OUI value list
      Index : Value : 123401
      Index : Value : 123402
      Index : Value : 123403
      Index : Value : 123404
      Index : Value : 123405
    GigabitEthernet2/0/1 is link-up
      Port mode : userLoginWithOUI
      NeedToKnow mode : Disabled
      Intrusion protection mode : NoAction
      Security MAC address attribute
        Learning mode ...
  • Page 234 Figure 83 Network diagram
    Configuration procedure
    Make sure the host and the RADIUS server can reach each other.
    Configure RADIUS authentication/accounting and ISP domain settings. (See "userLoginWithOUI configuration example.")
    Configure port security:
    # Enable port security.
    <Device> system-view
    [Device] port-security enable
    # Use MAC-based accounts for MAC authentication.
  • Page 235 OUI value list
    GigabitEthernet2/0/1 is link-up
      Port mode : macAddressElseUserLoginSecure
      NeedToKnow mode : NeedToKnowOnly
      Intrusion protection mode : NoAction
      Security MAC address attribute
        Learning mode : Sticky
        Aging type : Periodical
      Max secure MAC addresses : 64
      Current secure MAC addresses
      Authorization : Permitted
    # After users pass authentication, display MAC authentication information.
  • Page 236 CHAP authentication : Enabled
    Max-tx period : 30 s
    Handshake period : 15 s
    Quiet timer : Disabled
    Quiet period : 60 s
    Supp timeout : 30 s
    Server timeout : 100 s
    Reauth period : 3600 s
    Max auth requests
    SmartOn supp timeout : 30 s
    SmartOn retry counts ...
  • Page 237: Troubleshooting Port Security

    # Verify that frames with an unknown destination MAC address, multicast address, or broadcast address are discarded. (Details not shown.)
    Troubleshooting port security
    Cannot set the port security mode
    Symptom: Cannot set the port security mode for a port.
    Analysis: For a port operating in a port security mode other than noRestrictions, you cannot change the port security mode by using the port-security port-mode command.
  • Page 238: Configuring User Profiles

    Configuring user profiles Overview A user profile saves a set of predefined parameters, such as a CAR policy or a QoS policy. The user profile application allows flexible traffic policing on a per-user basis. Each time a user passes authentication, the device automatically applies the parameters in the user profile to this user.
  • Page 239: Configuration Restrictions And Guidelines

    Configuration restrictions and guidelines
    When you configure user profiles, follow these restrictions and guidelines:
    • Configure authentication parameters before you create a user profile. A user profile works only with PPPoE authentication.
    • Specify a user profile for each user account: in remote authentication, specify a user profile on the authentication server.
  • Page 240: Configuring Password Control

    Configuring password control
    Overview
    Password control allows you to implement the following features:
    • Manage login and super password setup, expirations, and updates for device management users.
    • Control user login status based on predefined policies.
    Local users are divided into two types: device management users and network access users. This feature applies only to device management users.
  • Page 241: Password Updating And Expiration

    When a user configures a password, the system checks the complexity of the password. If the password is complexity-incompliant, the configuration fails. You can apply the following password complexity requirements:
    • A password cannot contain the username or the reverse of the username. For example, if the username is abc, a password such as abc982 or 2cba is not complex enough.
  • Page 242: User Login Control

    Current login passwords of device management users are not stored in the password history, because a device management user password is saved in cipher text and cannot be recovered to a plaintext password.
    User login control
    First login
    With the global password control feature enabled, users must change the password at first login before they can access the system.
  • Page 243: Fips Compliance

    FIPS compliance
    The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
    Password control configuration task list
    The password control features can be configured in several different views, and different views support different features.
  • Page 244: Setting Global Password Control Parameters

    Enable the global password control feature: password-control enable
      In non-FIPS mode, the global password control feature is disabled by default.
      In FIPS mode, the global password control feature is enabled by default and cannot be disabled.
    (Optional.) Enable a specific ... : password-control { aging | ...
      By default, all four password ...
  • Page 245: Setting User Group Password Control Parameters

    Configure the login attempt limit: password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
      By default, the maximum number of login attempts is 3, and a user failing to log in after the specified number of attempts must wait for 1 minute before trying again.
  • Page 246: Setting Local User Password Control Parameters

    Setting local user password control parameters
    1. Enter system view: system-view
    2. Create a device management user and enter its view: local-user user-name class manage
       By default, no local user exists. Local user password control applies to device management users instead of network access users.
  • Page 247: Displaying And Maintaining Password Control

    1. Enter system view: system-view
    2. Set the password expiration time for super passwords: password-control super aging aging-time
       The default setting is 90 days.
    3. Configure the minimum super password length: password-control super length ...
       In non-FIPS mode, the default setting is 10 characters. ...
  • Page 248: Configuration Procedure

    • A password expires after 30 days.
    • The minimum password update interval is 36 hours.
    • The maximum account idle time is 30 days.
    • A password cannot contain the username or the reverse of the username.
    • No character appears consecutively three or more times in a password.
    Configure a super password control policy for user role network-operator to meet the following requirements: ...
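The complexity rules from "Password updating and expiration" and the policy in this configuration example (minimum length, composition type-number/type-length, no username or reversed username, no character three times in a row) are easy to state and easy to get subtly wrong in a checker. The block below is an added example for this page, not HPE or Comware code; the policy values (length 24, type-number 4, type-length 5) are taken from the example on this page, the four character classes and the case-insensitive username comparison are assumptions.

```python
"""Password complexity checker modelled on the password control rules above.
Added example for this page; it is not HPE/Comware code, and the policy values
are assumptions taken from the configuration example (type-number 4,
type-length 5, minimum length 24 for the super password)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 10         # password-control length (10 is the non-FIPS default)
    type_number: int = 2         # password-control composition type-number
    type_length: int = 1         # password-control composition type-length
    check_username: bool = True  # password may not contain the username or its reverse
    check_repeat: bool = True    # no character three or more times in a row


# The four character types a composition policy counts (assumed classification).
CHAR_TYPES = {
    "upper": str.isupper,
    "lower": str.islower,
    "digit": str.isdigit,
    "special": lambda c: not c.isalnum(),
}


def type_counts(password):
    """Count how many characters of each type the password contains."""
    counts = {name: 0 for name in CHAR_TYPES}
    for ch in password:
        for name, is_type in CHAR_TYPES.items():
            if is_type(ch):
                counts[name] += 1
                break
    return counts


def check_password(password, username, policy):
    """Return the list of violated rules; an empty list means the password is compliant."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    counts = type_counts(password)
    types_ok = [t for t, n in counts.items() if n >= policy.type_length]
    if len(types_ok) < policy.type_number:
        violations.append(
            f"needs {policy.type_number} character types with at least "
            f"{policy.type_length} characters each, has {len(types_ok)}")
    if policy.check_username and username:
        # Compared case-insensitively here; an assumption, not a documented detail.
        pw, user = password.lower(), username.lower()
        if user in pw or user[::-1] in pw:
            violations.append("contains the username or its reverse")
    if policy.check_repeat:
        for i in range(len(password) - 2):
            if password[i] == password[i + 1] == password[i + 2]:
                violations.append(f"character {password[i]!r} repeated three times in a row")
                break
    return violations


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=24, type_number=4, type_length=5)
    for pw in ("123456789ABGFTweuix@#$%!", "abc982", "Passsword1!"):
        print(pw, "->", check_password(pw, "abc", policy) or "compliant")
```

The super password from this example, 123456789ABGFTweuix@#$%!, passes a 24/4/5 policy because each of the four classes contributes exactly five characters; dropping one special character would fail the composition check even though the length check still passes.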
  • Page 249: Verifying The Configuration

    [Sysname] password-control super composition type-number 4 type-length 5
    # Configure a super password used for switching to user role network-operator as 123456789ABGFTweuix@#$%! in plain text.
    [Sysname] super password network-operator simple 123456789ABGFTweuix@#$%!
    # Create a device management user named test.
    [Sysname] local-user test class manage
    # Set the service type of the user to Telnet.
  • Page 250 <Sysname> display local-user user-name test class manage
    Total 1 local users matched.
    Device management user test:
      State: Active
      Service type: Telnet
      User group: system
      Bind attributes:
      Authorization attributes:
        Work directory: flash:
        User role list: network-operator
      Password control configurations:
        Password aging: Enabled (20 days)
        Password length: Enabled (24 characters)
  • Page 251: Managing Public Keys

    Managing public keys
    Overview
    This chapter describes public key management for the following asymmetric key algorithms:
    • Rivest-Shamir-Adleman Algorithm (RSA).
    • Digital Signature Algorithm (DSA).
    • Elliptic Curve Digital Signature Algorithm (ECDSA).
    Many security applications, including SSH, SSL, and PKI, use asymmetric key algorithms to secure communications between two parties, as shown in Figure 84.
  • Page 252: Distributing A Local Host Public Key

    • Enter an appropriate key modulus length at the prompt (see Table 11). The longer the key modulus length, the higher the security and the longer the key generation time.
    • If you do not assign the key pair a name, the system assigns the default name to the key pair and marks the key pair as default.
  • Page 253: Exporting A Host Public Key

    • Display a host public key. After the key is displayed, record the key, for example, copy it to an unformatted file. On the peer device, you must enter the key literally.
    Exporting a host public key
    When you export a host public key, follow these restrictions and guidelines: ...
  • Page 254: Configuring A Peer Host Public Key

    1. Enter system view: system-view
    2. Destroy a local key pair: public-key local destroy { dsa | ecdsa | rsa } [ name key-name ]
    Configuring a peer host public key
    To encrypt information sent to a peer device or authenticate the digital signature of the peer device, you must configure the peer device's public key on the local device.
  • Page 255: Displaying And Maintaining Public Keys

    Return to system view: peer-public-key end
      When you exit public key view, the system automatically saves the peer host public key.
    Displaying and maintaining public keys
    Execute display commands in any view.
    Display local public keys: display public-key local { dsa | ecdsa | rsa } public [ name ...
  • Page 256 # Display all local RSA public keys.
    [DeviceA] display public-key local rsa public
    =============================================
    Key name: hostkey (default)
    Key type: RSA
    Time when key pair created: 16:48:31 2011/05/12
    Key code:
    30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B
    8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E
    45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257
    6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788
    CB47440AF6BB25ACA50203010001
    =============================================
    Key name: serverkey (default)
    Key type: RSA
    Time when key pair created: 16:48:31 2011/05/12
    Key code: ...
  • Page 257: Example For Importing A Public Key From A Public Key File

    Key type: RSA
    Key modulus: 1024
    Key code:
    30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B
    8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E
    45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257
    6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788
    CB47440AF6BB25ACA50203010001
    Example for importing a public key from a public key file
    Network requirements
    As shown in Figure 86, Device B authenticates Device A through a digital signature. Before configuring authentication parameters on Device B, configure the public key of Device A on Device ...
  • Page 258 45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257
    6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788
    CB47440AF6BB25ACA50203010001
    =============================================
    Key name: serverkey (default)
    Key type: RSA
    Time when key pair created: 16:48:31 2011/05/12
    Key code:
    307C300D06092A864886F70D0101010500036B003068026100C9451A80F7F0A9BA1A90C7BC
    1C02522D194A2B19F19A75D9EF02219068BD7FD90FCC2AF3634EEB9FA060478DD0A1A49ACE
    E1362A4371549ECD85BA04DEE4D6BB8BE53B6AED7F1401EE88733CA3C4CED391BAE633028A
    AC41C80A15953FB22AA30203010001
    # Export the RSA host public key to the file devicea.pub.
    [DeviceA] public-key local export rsa ssh2 devicea.pub
    [DeviceA] quit
    # Enable the FTP server function, create an FTP user with the username ftp and password 123, and configure the FTP user role as network-admin.
  • Page 259 Verifying the configuration
    # Verify that the peer host public key configured on Device B is the same as the key displayed on Device A.
    [DeviceB] display public-key peer name devicea
    =============================================
    Key name: devicea
    Key type: RSA
    Key modulus: 1024
    Key code:
    30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B
    8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E ...
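The "Key code" that display public-key local rsa public and display public-key peer print is the DER encoding of an X.509 SubjectPublicKeyInfo, and the verification step on this page is a byte-for-byte comparison of that blob on both devices. The block below is an added example for this page, not HPE or Comware code: it decodes the 1024-bit host key code shown on the preceding pages into its modulus and exponent (so a pasted key can be sanity-checked for length and a sane exponent before it is trusted) and derives a SHA-256 fingerprint that two administrators can read to each other instead of comparing 324 hex characters by eye. KEY_CODE is copied from the page; the fingerprint format and the whitespace normalisation are assumptions of this example, not device output.

```python
"""Decode the 'Key code' hex of a Comware RSA host key (a DER
SubjectPublicKeyInfo) and fingerprint it for out-of-band comparison.
Added example, not HPE/Comware code. KEY_CODE is the 1024-bit host key
printed on this page; the SHA-256 fingerprint is this example's convention."""
import hashlib
import re

KEY_CODE = (
    "30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B"
    "8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E"
    "45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257"
    "6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788"
    "CB47440AF6BB25ACA50203010001"
)
RSA_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def normalize(text):
    """Strip whitespace and line breaks that a copy-paste adds; hex is case-insensitive."""
    return re.sub(r"\s+", "", text).upper()


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(hexcode):
    """Return (modulus, public_exponent) from a DER SubjectPublicKeyInfo carrying an RSA key."""
    der = bytes.fromhex(normalize(hexcode))
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("key code is not a single DER SEQUENCE")
    tag, algid, pos = _tlv(spki, 0)            # AlgorithmIdentifier
    oid_tag, oid, _ = _tlv(algid, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("key code is not an rsaEncryption key")
    tag, bitstr, _ = _tlv(spki, pos)           # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, rsakey, _ = _tlv(bitstr, 1)           # skip the unused-bits byte
    tag_n, n_bytes, pos = _tlv(rsakey, 0)
    tag_e, e_bytes, _ = _tlv(rsakey, pos)
    if tag != 0x30 or tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def fingerprint(hexcode):
    """SHA-256 over the DER bytes; the value to read out when confirming a peer key."""
    return hashlib.sha256(bytes.fromhex(normalize(hexcode))).hexdigest()


def keys_match(local_hex, peer_hex):
    """True only when the peer's configured key is byte-identical to the local host key."""
    return fingerprint(local_hex) == fingerprint(peer_hex)


if __name__ == "__main__":
    n, e = parse_rsa_spki(KEY_CODE)
    print("modulus bits:", n.bit_length(), "exponent:", e)
    print("sha256 fingerprint:", fingerprint(KEY_CODE))
```

Because the comparison runs over the normalised DER bytes, the peer copy may be pasted with the line breaks that the display output has; a single altered hex digit anywhere in the modulus changes the fingerprint, which is exactly the property the manual's "is the same as the key displayed on Device A" check relies on.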
  • Page 260: Configuring Pki

    Configuring PKI Overview Public Key Infrastructure (PKI) is an asymmetric key infrastructure to encrypt and decrypt data for securing network services. Data encrypted with the public key can be decrypted only with the private key. Likewise, data encrypted with the private key can be decrypted only with the public key. PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity.
  • Page 261: Pki Architecture

    • The association between the subject and CA is changed. For example, when an employee terminates employment with an organization. CA policy A CA policy is a set of criteria that a CA follows to process certificate requests, to issue and revoke certificates, and to publish CRLs.
  • Page 262: Pki Applications

    The RA verifies the identity of the entity and sends a digital signature containing the identity information and the public key to the CA. The CA verifies the digital signature, approves the request, and issues a certificate. After receiving the certificate from the CA, the RA sends the certificate to the certificate repositories and notifies the PKI entity that the certificate has been issued.
  • Page 263: Fips Compliance

    FIPS compliance
    The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
    PKI configuration task list
    Tasks at a glance:
    (Required.) Configuring a PKI entity
    (Required.) ...
  • Page 264: Configuring A Pki Domain

    1. Create a PKI entity and enter its view: pki entity entity-name
       By default, no PKI entities exist. To create multiple PKI entities, repeat this step.
    2. Set a common name for the entity: common-name ...
       By default, the common name is not set.
  • Page 265 (Optional.) Set the SCEP polling interval and maximum number of polling attempts: certificate request polling { count count | interval minutes }
      By default, the device polls the CA server for the certificate request status every 20 minutes. The maximum number of polling attempts ...
  • Page 266: Requesting A Certificate

    12. (Optional.) Specify a source address for PKI protocol packets:
        • Specify the source IPv4 address for the PKI protocol packets: source ip { ip-address | interface interface-type interface-number }
        ...
        This task is required if the CA policy requires that the CA server accept certificate requests from a specific IP address or subnet.
  • Page 267: Configuring Automatic Certificate Request

    Configuring automatic certificate request IMPORTANT: The device does not support automatic certificate rollover. To avoid service interruptions, you must manually submit a certificate renewal request before the current certificate expires. In auto request mode, a PKI entity with no local certificates automatically submits a certificate request to the CA when an application works with the PKI entity.
  • Page 268: Aborting A Certificate Request

    Submit a certificate request or generate a certificate request in ... : pki request-certificate domain domain-name [ password password ] [ pkcs10 [ filename filename ] ]
      This command is not saved in the configuration file. This command triggers the PKI entity to automatically generate a key pair if the key pair specified in the PKI domain ...
  • Page 269: Configuration Guidelines

    Configuration guidelines • To import a local certificate containing an encrypted key pair, you must provide the challenge password. Contact the CA administrator to obtain the password. • If a CA certificate already exists locally, you cannot obtain it again in online mode. If you want to obtain a new one, use the pki delete-certificate command to remove the existing CA certificate and local certificates first.
  • Page 270: Verifying Certificates Without Crl Checking

    If no CRL repository is found after the selection process, the device obtains the CRL through SCEP. In this scenario, the CA certificate and the local certificates must have been obtained. When verifying the CA certificate of a PKI domain, the system needs to verify all the certificates in the CA certificate chain of the domain.
  • Page 271: Specifying The Storage Path For The Certificates And Crls

    Specifying the storage path for the certificates and CRLs CAUTION: If you change the storage path, save the configuration before you reboot or shut down the device to avoid loss of the certificates or the CRLs. The device has a default storage path for certificates and CRLs. You can change the storage path and specify different paths for the certificates and CRLs.
  • Page 272: Removing A Certificate

    Export certificates:
    • Export certificates in DER format: pki export domain domain-name der { all | ca | local } filename filename
    • Export certificates in PKCS12 format: pki export domain domain-name p12 { all | local } passphrase p12passwordstring ...
    If you do not specify a file name when you export a ...
  • Page 273: Displaying And Maintaining Pki

    scenario, the match process stops, and the system performs the access control action defined in the access control rule. The following conditions describe how a certificate-based access control policy verifies the validity of a certificate: • If a certificate matches a permit statement, the certificate passes the verification. •...
  • Page 274: Pki Configuration Examples

    PKI configuration examples You can use different software applications, such as Windows server, RSA Keon, and OpenCA, to act as the CA server. If you use Windows server or OpenCA, you must install the SCEP add-on for Windows server or enable SCEP for OpenCA.
  • Page 275 # Specify the name of the trusted CA. The setting must be the same as the CA name configured on the CA server. This example uses myca.
    [Device-pki-domain-torsa] ca identifier myca
    # Configure the URL of the CA server. The URL format is http://host:port/Issuing Jurisdiction ID, where Issuing Jurisdiction ID is a hexadecimal string generated on the CA server.
  • Page 276: Requesting A Certificate From A Windows Server 2003 Ca Server

    Signature Algorithm: sha1WithRSAEncryption
    Issuer: CN=myca
    Validity
      Not Before: Jan 6 03:10:58 2013 GMT
      Not After : Jan 6 03:10:58 2014 GMT
    Subject: CN=Device
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (1024 bit)
        Modulus:
          00:ab:45:64:a8:6c:10:70:3b:b9:46:34:8d:eb:1a:
          a1:b3:64:b2:37:27:37:9d:15:bd:1a:69:1d:22:0f:
          3a:5a:64:0c:8f:93:e5:f0:70:67:dc:cd:c1:6f:7a:
          0c:b1:57:48:55:81:35:d7:36:d5:3c:37:1f:ce:16:
          7e:f8:18:30:f6:6b:00:d6:50:48:23:5c:8c:05:30:
          6f:35:04:37:1a:95:56:96:21:95:85:53:6f:f2:5a:
          dc:f8:ec:42:4a:6d:5c:c8:43:08:bb:f1:f7:46:d5:
          f1:9c:22:be:f3:1b:37:73:44:f5:2d:2c:5e:8f:40: ...
  • Page 277 Figure 90 Network diagram
    Configuring the Windows Server 2003 CA server
    Install the certificate service component:
    a. Select Control Panel > Add or Remove Programs from the start menu.
    b. Select Add/Remove Windows Components > Certificate Services.
    c. Click Next to begin the installation.
    d. ...
  • Page 278 # Configure the certificate request URL. The URL format is http://host:port/certsrv/mscep/mscep.dll, where host:port is the host IP address and port number of the CA server.
    [Device-pki-domain-winserver] certificate request url http://4.4.4.1:8080/certsrv/mscep/mscep.dll
    # Configure the device to send certificate requests to ra.
    [Device-pki-domain-winserver] certificate request from ra
    # Set the PKI entity name to aaa.
  • Page 279 Subject: CN=test
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (2048 bit)
        Modulus:
          00:c3:b5:23:a0:2d:46:0b:68:2f:71:d2:14:e1:5a:
          55:6e:c5:5e:26:86:c1:5a:d6:24:68:02:bf:29:ac:
          dc:31:41:3f:5d:5b:36:9e:53:dc:3a:bc:0d:11:fb:
          d6:7d:4f:94:3c:c1:90:4a:50:ce:db:54:e0:b3:27:
          a9:6a:8e:97:fb:20:c7:44:70:8f:f0:b9:ca:5b:94:
          f0:56:a5:2b:87:ac:80:c5:cc:04:07:65:02:39:fc:
          db:61:f7:07:c6:65:4c:e4:5c:57:30:35:b4:2e:ed:
          9c:ca:0b:c1:5e:8d:2e:91:89:2f:11:e3:1e:12:8a:
          f8:dd:f8:a7:2a:94:58:d9:c7:f8:1a:78:bd:f5:42:
          51:3b:31:5d:ac:3e:c3:af:fa:33:2c:fc:c2:ed:b9:
          ee:60:83:b3:d3:e5:8e:e5:02:cf:b0:c8:f0:3a:a4:
          b7:ac:a0:2c:4d:47:5f:39:4b:2c:87:f2:ee:ea:d0:
          c3:d0:8e:2c:80:83:6f:39:86:92:98:1f:d2:56:3b:
          d7:94:d2:22:f4:df:e3:f8:d1:b8:92:27:9c:50:57:
          f3:a1:18:8b:1c:41:ba:db:69:07:52:c1:9a:3d:b1:
          2d:78:ab:e3:97:47:e2:70:14:30:88:af:f8:8e:cb:
          68:f9:6f:07:6e:34:b6:38:6a:a2:a8:29:47:91:0e:
          25:39
        Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Key Usage:
        Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
      X509v3 Subject Key Identifier: ...
  • Page 280: Requesting A Certificate From An Openca Server

    CA Issuers - URI:file://\\gc\CertEnroll\gc_sec.crt
    1.3.6.1.4.1.311.20.2:
      .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e
    Signature Algorithm: sha1WithRSAEncryption
      76:f0:6c:2c:4d:bc:22:59:a7:39:88:0b:5c:50:2e:7a:5c:9d:
      6c:28:3c:c0:32:07:5a:9c:4c:b6:31:32:62:a9:45:51:d5:f5:
      36:8f:47:3d:47:ae:74:6c:54:92:f2:54:9f:1a:80:8a:3f:b2:
      14:47:fa:dc:1e:4d:03:d5:d3:f5:9d:ad:9b:8d:03:7f:be:1e:
      29:28:87:f7:ad:88:1c:8f:98:41:9a:db:59:ba:0a:eb:33:ec:
      cf:aa:9b:fc:0f:69:3a:70:f2:fa:73:ab:c1:3e:4d:12:fb:99:
      31:51:ab:c2:84:c0:2f:e5:f6:a7:c3:20:3c:9a:b0:ce:5a:bc:
      0f:d9:34:56:bc:1e:6f:ee:11:3f:7c:b2:52:f9:45:77:52:fb:
      46:8a:ca:b7:9d:02:0d:4e:c3:19:8f:81:46:4e:03:1f:58:03:
      bf:53:c6:c4:85:95:fb:32:70:e6:1b:f3:e4:10:ed:7f:93:27:
      90:6b:30:e7:81:36:bb:e2:ec:f2:dd:2b:bb:b9:03:1c:54:0a:
      00:3f:14:88:de:b8:92:63:1e:f5:b3:c2:cf:0a:d5:f4:80:47:
      6f:fa:7e:2d:e3:a7:38:46:f6:9e:c7:57:9d:7f:82:c7:46:06:
      7d:7c:39:c4:94:41:bd:9e:5c:97:86:c8:48:de:35:1e:80:14:
      02:09:ad:08
    To display detailed information about the CA certificate, use the display pki certificate domain command.
    Requesting a certificate from an OpenCA server
    Network requirements
    Configure the PKI entity (the device) to request a local certificate from the CA server.
  • Page 281 [Device-pki-entity-aaa] organization test
    [Device-pki-entity-aaa] organization-unit software
    [Device-pki-entity-aaa] quit
    Configure a PKI domain:
    # Create a PKI domain named openca and enter its view.
    [Device] pki domain openca
    # Specify the name of the trusted CA as myca.
    [Device-pki-domain-openca] ca identifier myca
    # Configure the certificate request URL.
  • Page 282 Version: 3 (0x2)
    Serial Number: 21:1d:b8:d2:e4:a9:21:28:e4:de
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=mysubUnit, CN=sub-ca, DC=pki-subdomain, DC=mydomain-sub, DC=com
    Validity
      Not Before: Jun 30 09:09:09 2011 GMT
      Not After : May 1 09:09:09 2012 GMT
    Subject: CN=rnd, O=test, OU=software, C=CN
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (1024 bit)
  • Page 283: Requesting A Certificate From An Rsa Keon Ca Server In A Nat-Pt Network

    X509v3 CRL Distribution Points:
      Full Name:
        URI:http://192.168.222.218/pki/pub/crl/cacrl.crl
    Signature Algorithm: sha256WithRSAEncryption
      5c:4c:ba:d0:a1:35:79:e6:e5:98:69:91:f6:66:2a:4f:7f:8b:
      0e:80:de:79:45:b9:d9:12:5e:13:28:17:36:42:d5:ae:fc:4e:
      ba:b9:61:f1:0a:76:42:e7:a6:34:43:3e:2d:02:5e:c7:32:f7:
      6b:64:bb:2d:f5:10:6c:68:4d:e7:69:f7:47:25:f5:dc:97:af:
      ae:33:40:44:f3:ab:e4:5a:a0:06:8f:af:22:a9:05:74:43:b6:
      e4:96:a5:d4:52:32:c2:a8:53:37:58:c7:2f:75:cf:3e:8e:ed:
      46:c9:5a:24:b1:f5:51:1d:0f:5a:07:e6:15:7a:02:31:05:8c:
      03:72:52:7c:ff:28:37:1e:7e:14:97:80:0b:4e:b9:51:2d:50:
      98:f2:e4:5a:60:be:25:06:f6:ea:7c:aa:df:7b:8d:59:79:57:
      8f:d4:3e:4f:51:c1:34:e6:c1:1e:71:b5:0d:85:86:a5:ed:63:
      1e:08:7f:d2:50:ac:a0:a3:9e:88:48:10:0b:4a:7d:ed:c1:03:
      9f:87:97:a3:5e:7d:75:1d:ac:7b:6f:bb:43:4d:12:17:9a:76:
      b0:bf:2f:6a:cc:4b:cd:3d:a1:dd:e0:dc:5a:f3:7c:fb:c3:29:
      b0:12:49:5c:12:4c:51:6e:62:43:8b:73:b9:26:2a:f9:3d:a4:
      81:99:31:89
    To display detailed information about the CA certificate, use the display pki certificate domain command.
    Requesting a certificate from an RSA Keon CA server in a NAT-PT network
    Network requirements ...
  • Page 284 Configuring the RSA Keon CA server
    In this example, an RSA Keon CA server acts as the CA server. For information about configuring an RSA Keon CA server, see "Requesting a certificate from an RSA Keon CA server."
    Enable local certificate publishing.
    Configure a static route to the subnet 192.168.18.0/24 (the following describes the configuration on the Windows XP operating system):
    a. ...
  • Page 285 # Configure the certificate request URL. The URL is in the format http://host:port/Issuing Jurisdiction ID, where Issuing Jurisdiction ID is a hexadecimal string generated on the CA server.
    [DeviceA-pki-domain-torsa] certificate request url http://[3001::5]:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337
    # Configure the device to send certificate requests to ca.
    [DeviceA-pki-domain-torsa] certificate request from ca
    # Set the PKI entity name to aaa.
  • Page 286: Ike Negotiation With Rsa Digital Signature From A Windows Server 2003 Ca Server

    Data:
      Version: 3 (0x2)
      Serial Number: 1a:6f:8e:6c:d6:36:b9:00:37:51:19:f5:ad:e7:30:e2
      Signature Algorithm: sha1WithRSAEncryption
      Issuer: CN=myca
      Validity
        Not Before: Jan 6 03:18:53 2013 GMT
        Not After : Jan 6 03:18:53 2014 GMT
      Subject: CN=test
      Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
          Public-Key: (1024 bit)
          Modulus:
            00:b8:65:45:a1:5e:21:e3:c0:c4:25:e5:26:97:25:
            f8:91:c5:3c:76:95:2c:34:66:1a:4c:af:bc:0a:92: ...
  • Page 287 Device A and Device B use IKE to set up SAs, and the IKE proposal uses RSA digital signature for identity authentication. Device A and Device B use the same CA.
    Figure 93 Network diagram
    Configuring the Windows Server 2003 CA server
    See "Requesting a certificate from a Windows Server 2003 CA server." ...
  • Page 288 [DeviceA] public-key local create rsa name abc
    The range of public key size is (512 ~ 2048).
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
    Input the modulus length [default = 1024]:
    Generating Keys...
  • Page 289: Certificate-Based Access Control Policy Configuration Example

    ........++++++
    Create the key pair successfully.
    # Obtain the CA certificate and save it locally.
    [DeviceB] pki retrieve-certificate ca domain 1
    # Submit a certificate request manually.
    [DeviceB] pki request-certificate domain 1
    # Create IKE proposal 1, and configure the authentication method as RSA digital signature.
    [DeviceB] ike proposal 1
    [DeviceB-ike-proposal-1] authentication-method rsa-signature
    [DeviceB-ike-proposal-1] quit ...
  • Page 290: Certificate Import And Export Configuration Example

    Configure certificate attribute groups:
    # Create a certificate attribute group named mygroup1 and add two attribute rules. The first rule defines that the subject DN contains the string aabbcc. The second rule defines that the IP address of the certificate issuer is 10.0.0.1.
    [Device] pki certificate attribute-group mygroup1
    [Device-pki-cert-attribute-group-mygroup1] attribute 1 subject-name dn ctn aabbcc
    [Device-pki-cert-attribute-group-mygroup1] attribute 2 issuer-name ip equ 10.0.0.1 ...
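The two attribute rules above only take effect once an access control policy binds mygroup1 to a permit or deny statement, and the outcome is decided by the matching rules described under "Displaying and maintaining PKI": the first statement whose group matches decides, and a permit match passes the certificate. The block below is an added example for this page, not HPE or Comware code. It evaluates a policy of that shape against certificates modelled as dicts of the attribute fields the rules can test; the operator semantics (ctn, nctn, equ, nequ), the requirement that every rule in a group match, default deny when no statement matches, and the hypothetical "blocked" group are assumptions made for this example.

```python
"""Evaluation of a certificate-based access control policy of the kind built
above with 'pki certificate attribute-group' and an access control policy.
Added example, not HPE/Comware code. A certificate is modelled as a dict
keyed by (field, kind); operator semantics, all-rules-must-match per group,
and default deny when nothing matches are assumptions of this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AttributeRule:
    field: str   # "subject-name", "issuer-name" or "alt-subject-name"
    kind: str    # "dn", "fqdn" or "ip"
    op: str      # "ctn" (contains), "nctn", "equ" (equals), "nequ"
    value: str


@dataclass(frozen=True)
class AccessRule:
    action: str  # "permit" or "deny"
    group: str   # certificate attribute group name


def _rule_matches(rule, cert):
    actual = cert.get((rule.field, rule.kind))
    if actual is None:
        return False  # assumption: a certificate without the field matches nothing
    value = rule.value
    if rule.kind == "dn":  # DN strings compared case-insensitively (assumption)
        actual, value = actual.lower(), value.lower()
    if rule.op == "ctn":
        return value in actual
    if rule.op == "nctn":
        return value not in actual
    if rule.op == "equ":
        return value == actual
    if rule.op == "nequ":
        return value != actual
    raise ValueError(f"unknown operator {rule.op!r}")


def group_matches(rules, cert):
    """A certificate matches a group only if every attribute rule in it matches."""
    return all(_rule_matches(r, cert) for r in rules)


def evaluate(policy, groups, cert):
    """Walk the access control statements in order; the first matching group decides.
    Returns 'permit' or 'deny'; a certificate matching no statement is denied."""
    for rule in policy:
        if group_matches(groups.get(rule.group, ()), cert):
            return rule.action
    return "deny"


# Constructed sample matching the configuration on this page, plus a
# hypothetical deny group placed first to show that the first match wins.
GROUPS = {
    "mygroup1": [
        AttributeRule("subject-name", "dn", "ctn", "aabbcc"),
        AttributeRule("issuer-name", "ip", "equ", "10.0.0.1"),
    ],
    "blocked": [AttributeRule("subject-name", "dn", "ctn", "CN=retired")],
}
POLICY = [AccessRule("deny", "blocked"), AccessRule("permit", "mygroup1")]

SAMPLE_CERTS = {
    "good": {("subject-name", "dn"): "CN=aabbcc-rnd,O=test",
             ("issuer-name", "ip"): "10.0.0.1"},
    "wrong_issuer": {("subject-name", "dn"): "CN=aabbcc-rnd,O=test",
                     ("issuer-name", "ip"): "10.0.0.2"},
    "retired": {("subject-name", "dn"): "CN=retired,OU=aabbcc",
                ("issuer-name", "ip"): "10.0.0.1"},
}

if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        print(name, "->", evaluate(POLICY, GROUPS, cert))
```

The "retired" certificate satisfies both rules of mygroup1, yet it is denied because the deny statement is evaluated first; reorder the two statements and it would be permitted, which is why statement order in such a policy deserves the same review as the rules themselves.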
  • Page 291 Import the certificate files to PKI domain importdomain on Device B.
    Figure 95 Network diagram
    Configuration procedure
    Export the certificates on Device A:
    # Export the CA certificate to a .pem file.
    <DeviceA> system-view
    [DeviceA] pki export domain exportdomain pem ca filename pkicachain.pem
    # Export the local certificate to a file named pkilocal.pem in PEM format, and use 3DES_CBC to encrypt the private key with the password 111111.
  • Page 292 # Display the local certificate file pkilocal.pem-encryption.
    <DeviceA> more pkicachain.pem-encr
    Bag Attributes
      friendlyName:
      localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8
    subject=/C=CN/O=OpenCA Labs/OU=Users/CN=subencr 11
    issuer=/C=CN/L=shangdi/ST=pukras/O=OpenCA Labs/OU=docm/CN=subca1
    -----BEGIN CERTIFICATE-----
    MIIEUDCCAzigAwIBAgIKCHxnAVyzWhIPLzANBgkqhkiG9w0BAQsFADBmMQswCQYD
    ...
  • Page 293 Serial Number: 98:2c:79:ba:5e:8d:97:39:53:00
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=docm, CN=subca1
    Validity
      Not Before: May 26 05:56:49 2011 GMT
      Not After : Nov 22 05:56:49 2012 GMT
    Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subsign 11
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (1024 bit)
        Modulus: ...
  • Page 294 X509v3 CRL Distribution Points:
      Full Name:
        URI:http://192.168.40.130/pki/pub/crl/cacrl.crl
    Signature Algorithm: sha256WithRSAEncryption
      18:e7:39:9a:ad:84:64:7b:a3:85:62:49:e5:c9:12:56:a6:d2:
      46:91:53:8e:84:ba:4a:0a:6f:28:b9:43:bc:e7:b0:ca:9e:d4:
      1f:d2:6f:48:c4:b9:ba:c5:69:4d:90:f3:15:c4:4e:4b:1e:ef:
      2b:1b:2d:cb:47:1e:60:a9:0f:81:dc:f2:65:6b:5f:7a:e2:36:
      29:5d:d4:52:32:ef:87:50:7c:9f:30:4a:83:de:98:8b:6a:c9:
      3e:9d:54:ee:61:a4:26:f3:9a:40:8f:a6:6b:2b:06:53:df:b6:
      5f:67:5e:34:c8:c3:b5:9b:30:ee:01:b5:a9:51:f9:b1:29:37:
      02:1a:05:02:e7:cc:1c:fe:73:d3:3e:fa:7e:91:63:da:1d:f1:
      db:28:6b:6c:94:84:ad:fc:63:1b:ba:53:af:b3:5d:eb:08:b3:
      5b:d7:22:3a:86:c3:97:ef:ac:25:eb:4a:60:f8:2b:a3:3b:da:
      5d:6f:a5:cf:cb:5a:0b:c5:2b:45:b7:3e:6e:39:e9:d9:66:6d:
      ef:d3:a0:f6:2a:2d:86:a3:01:c4:94:09:c0:99:ce:22:19:84:
      2b:f0:db:3e:1e:18:fb:df:56:cb:6f:a2:56:35:0d:39:94:34:
      6d:19:1d:46:d7:bf:1a:86:22:78:87:3e:67:fe:4b:ed:37:3d:
      d6:0a:1c:0b
    Certificate:
      Data:
        Version: 3 (0x2)
        Serial Number: 08:7c:67:01:5c:b3:5a:12:0f:2f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=docm, CN=subca1
        Validity
          Not Before: May 26 05:58:26 2011 GMT
          Not After : Nov 22 05:58:26 2012 GMT ...
  • Page 295 X509v3 Basic Constraints:
      CA:FALSE
    Netscape Cert Type:
      SSL Server
    X509v3 Key Usage:
      Key Encipherment, Data Encipherment
    Netscape Comment:
      VPN Server of OpenCA Labs
    X509v3 Subject Key Identifier:
      CC:96:03:2F:FC:74:74:45:61:38:1F:48:C0:E8:AA:18:24:F0:2B:AB
    X509v3 Authority Key Identifier:
      keyid:70:54:40:61:71:31:02:06:8C:62:11:0A:CC:A5:DB:0E:7E:74:DE:DD
    X509v3 Subject Alternative Name:
      email:subencr@docm.com
    X509v3 Issuer Alternative Name:
      DNS:subca1@docm.com, DNS:, IP Address:1.1.2.2, IP Address:2.2.1.1
    Authority Information Access:
      CA Issuers - URI:http://titan/pki/pub/cacert/cacert.crt ...
  • Page 296: Troubleshooting Pki Configuration

    Troubleshooting PKI configuration
    This section provides troubleshooting information for common problems with PKI.
    Failed to obtain the CA certificate
    Symptom: The CA certificate cannot be obtained.
    Analysis:
    • The network connection is down, for example, because the network cable is damaged or the connectors have bad contact. ...
  • Page 297: Failed To Request Local Certificates

    Obtain or import the CA certificate. Configure the correct LDAP server. Specify the key pair used for the certificate request in the PKI domain, or remove the existing key pair and submit a certificate request again. Check the registration policy on the CA or RA, and make sure the attributes of the PKI entity meet the policy requirements.
  • Page 298: Failed To Obtain CRLs

    Failed to obtain CRLs Symptom CRLs cannot be obtained. Analysis • The network connection is down, for example, because the network cable is damaged or the connectors have bad contact. • No CA certificate has been obtained before you try to obtain CRLs. •...
  • Page 299: Failed To Import A Local Certificate

    Make sure the format of the imported file is correct. If the problem persists, contact Hewlett Packard Enterprise Support. Failed to import a local certificate Symptom A local certificate cannot be imported. Analysis • The PKI domain has no CA certificate, and the certificate file to be imported does not contain the CA certificate chain.
  • Page 300: Failed To Set The Storage Path

    Configure the correct key pair in the PKI domain. Free up storage space on the device. If the problem persists, contact Hewlett Packard Enterprise Support. Failed to set the storage path Symptom The storage path for certificates or CRLs cannot be set. Analysis •...
  • Page 301: Configuring IPsec

    Configuring IPsec Overview IP Security (IPsec) is defined by the IETF to provide interoperable, high-quality, cryptography-based security for IP communications. It is a Layer 3 VPN technology that transmits data in a secure channel established between two endpoints (such as two security gateways). Such a secure channel is usually called an IPsec tunnel.
  • Page 302 algorithms such as DES, 3DES, and AES, and authentication algorithms HMAC-MD5 and HMAC-SHA1. Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger. In practice, you can choose either or both security protocols. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH.
  • Page 303: Security Association

    Security association A security association (SA) is an agreement negotiated between two communicating parties called IPsec peers. An SA comprises the following parameters for data protection: • Security protocols (AH, ESP, or both). • Encapsulation mode (transport mode or tunnel mode). •...
  • Page 304: IPsec Implementation

    • AES—Encrypts plaintext data with a 128-bit, 192-bit, or 256-bit key. AES provides the highest security strength and is slower than 3DES. Crypto engine The IPsec feature is resource intensive because of its complex encryption/decryption and authentication algorithms. To improve processing performance, you can use a crypto engine to offload IPsec tasks. The crypto engine processes all IPsec-protected packets and hands the processed packets back to the device for forwarding.
  • Page 305: IPsec RRI

    Application-based IPsec Application-based IPsec does not require an ACL. You can implement application-based IPsec by one of the following methods: • Bind an IPsec profile to an application protocol. All packets of the application protocol are encapsulated with IPsec. This method can be used to protect IPv6 routing protocols. The supported IPv6 routing protocols include OSPFv3, IPv6 BGP, and RIPng.
  • Page 306: Protocols And Standards

    You can advertise the static routes created by IPsec RRI in the internal network, and the internal network device can use them to forward traffic in the IPsec VPN. In an MPLS L3VPN network, IPsec RRI can add static routes to VPN instances' routing tables. IPsec RRI is applicable to gateways that must provide many IPsec tunnels (for example, a headquarters gateway).
  • Page 307: Implementing ACL-Based IPsec

    Implementing ACL-based IPsec Use the following procedure to implement ACL-based IPsec: Configure an ACL for identifying data flows to be protected. To use IPsec to protect VPN traffic, you do not need to specify the VPN parameters in the ACL rules. Configure IPsec transform sets to specify the security protocols, authentication and encryption algorithms, and the encapsulation mode.
  • Page 308 • In the outbound direction, if a permit statement is matched, IPsec considers that the packet requires protection and continues to process it. If a deny statement is matched or no match is found, IPsec considers that the packet does not require protection and delivers it to the next function module.
  • Page 309 ipsec policy testb 1 isakmp security acl 3001 ike-profile aa transform-set 1 On Router A, apply the IPsec policy testa to the outbound interface of Router A. The IPsec policy contains two policy entries, testa 1 and testa 2. The ACLs used by the two policy entries each contain a rule that matches traffic from 1.1.2.0/24 to 3.3.3.0/24.
  • Page 310: Configuring An IPsec Transform Set

    Figure 101 Non-mirror image ACLs Configuring an IPsec transform set An IPsec transform set, part of an IPsec policy, defines the security parameters for IPsec SA negotiation, including the security protocol, encryption algorithms, and authentication algorithms. Changes to an IPsec transform set affect only SAs negotiated after the changes. To apply the changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up by using the updated parameters.
  • Page 311 Step Command Remarks
    Command: • (Low encryption.) Specify the encryption algorithm for ESP: esp encryption-algorithm des-cbc • (High encryption in non-FIPS mode.) Specify the encryption algorithm for ESP: esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 |...
    Remarks: Configure at least one command. By default, no security algorithm is...
  • Page 312: Configuring A Manual IPsec Policy

    Step Command Remarks
    Step: Specify the mode in which the security protocol encapsulates IP packets.
    Command: encapsulation-mode { transport | tunnel }
    Remarks: By default, the security protocol encapsulates IP packets in tunnel mode. The transport mode applies only when the source and destination IP addresses of data flows match those of the IPsec tunnel.
  • Page 313 Configuration procedure. To configure a manual IPsec policy:
    Step: Enter system view. Command: system-view
    Step: Create a manual IPsec policy entry and enter its view. Command: ipsec { ipv6-policy | policy } policy-name seq-number manual. Remarks: By default, no IPsec policy exists.
    Step: (Optional.) Configure a description for the IPsec policy. Command: description text...
  • Page 314: Configuring An IKE-Based IPsec Policy

    Step Command Remarks
    Command: • Configure an authentication key in hexadecimal format for AH: sa hex-key authentication { inbound | outbound } ah { cipher | simple } key-value • Configure an authentication key in character format for...
    Remarks: By default, no keys are configured for the IPsec SA.
  • Page 315 • The remote IP address of the IPsec tunnel is required on an IKE negotiation initiator and is optional on the responder. The remote IP address specified on the local end must be the same as the local IP address specified on the remote end. •...
  • Page 316 Step Command Remarks: By default, the local IPv4 address of the IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied, and the local IPv6 address of the IPsec tunnel is the first IPv6 address of the interface to which the IPsec policy is applied.
  • Page 317 Step Command Remarks
    Step: Enter system view. Command: system-view
    Step: Create an IPsec policy template and enter its view. Command: ipsec { ipv6-policy-template | policy-template } template-name seq-number. Remarks: By default, no IPsec policy template exists.
    Step: (Optional.) Configure a description for the IPsec policy template. Command: description text. Remarks: By default, no description is configured.
  • Page 318: Applying An IPsec Policy To An Interface

    Step Command Remarks
    Step 10: Configure the IPsec SA lifetime. Command: sa duration { time-based seconds | traffic-based kilobytes }. Remarks: By default, the global SA lifetime settings are used.
    Step 11: (Optional.) Set the IPsec SA idle timeout. Command: sa idle-time seconds. Remarks: By default, the global SA idle...
  • Page 319: Enabling ACL Checking For De-Encapsulated Packets

    Step Command Remarks
    Step: Apply an IPsec policy to the interface. Command: ipsec apply { policy | ipv6-policy } policy-name
    Remarks: By default, no IPsec policy is applied to the interface. You can apply only one IPsec policy to an interface. An IKE-based IPsec policy can be applied to multiple interfaces, and a manual IPsec policy can be applied to only one interface.
  • Page 320: Configuring IPsec Anti-Replay

    Step Command Remarks
    Step: Enable ACL checking for de-encapsulated packets. Command: ipsec decrypt-check enable. Remarks: By default, this feature is enabled.
    Configuring IPsec anti-replay: IPsec anti-replay protects networks against replay attacks by using a sliding window mechanism called the anti-replay window. This feature checks the sequence number of each received IPsec packet against the current IPsec packet sequence number range of the sliding window.
  • Page 321: Binding A Source Interface To An IPsec Policy

    To configure IPsec anti-replay redundancy:
    Step: Enter system view. Command: system-view
    Step: Enable IPsec redundancy. Command: ipsec redundancy enable. Remarks: By default, IPsec redundancy is disabled.
    Step: Enter IPsec policy view or... Command: • Enter IPsec policy view: ipsec { policy | ipv6-policy } policy-name seq-number [ isakmp | manual ] •...
  • Page 322: Enabling QoS Pre-Classify

    Enabling QoS pre-classify CAUTION: If you configure both IPsec and QoS on an interface, make sure the IPsec traffic classification rules match the QoS traffic classification rules. If the rules do not match, QoS might classify the packets of one IPsec SA to different queues, causing packets to be sent out of order. When IPsec anti-replay is enabled, IPsec will drop the incoming packets that are out of the anti-replay window, resulting in packet loss.
  • Page 323: Configuring IPsec RRI

    • copy—Copies the DF bit in the original IP header to the new IP header. You can configure the DF bit in system view and interface view. The interface-view DF bit setting takes precedence over the system-view DF bit setting. If the interface-view DF bit setting is not configured, the interface uses the system-view DF bit setting.
  • Page 324: Configuring IPsec For IPv6 Routing Protocols

    Configuration procedure. To configure IPsec RRI:
    Step: Enter system view. Command: system-view
    Step: Enter IPsec policy view or IPsec policy template view. Command: • To enter IPsec policy view: ipsec { policy | ipv6-policy } policy-name seq-number isakmp • To enter IPsec policy template view: ipsec { policy-template | ipv6-policy-template }...
  • Page 325 • The IPsec transform set used by the IPsec profile at the two tunnel ends must have the same security protocol, encryption and authentication algorithms, and packet encapsulation mode. • The local inbound and outbound IPsec SAs must have the same SPI and key. •...
  • Page 326: Configuring IPsec For Tunnels

    Configuring IPsec for tunnels Configuration task list Complete the following tasks to configure IPsec for tunnels: Tasks at a glance (Required.) Configuring an IPsec transform set (Required.) Configuring an IKE-based IPsec profile (Required.) Applying an IKE-based IPsec profile to a tunnel interface (Optional.) Enabling logging of IPsec packets (Optional.)
  • Page 327: Applying An IKE-Based IPsec Profile To A Tunnel Interface

    Step Command Remarks
    Step: Specify IPsec transform sets. Command: transform-set transform-set-name&<1-6>. Remarks: By default, no IPsec transform set is specified for an IPsec profile. The specified IPsec transform sets must use the tunnel mode.
    Remarks (following step): By default, no IKE profile is specified for an IPsec profile, and the device selects an IKE profile configured in system view for negotiation.
  • Page 328: Displaying And Maintaining IPsec

    displays notifications. For more information about SNMP notifications, see Network Management and Monitoring Configuration Guide. To generate and output SNMP notifications for a specific IPsec failure or event type, perform the following tasks: Enable SNMP notifications for IPsec globally. Enable SNMP notifications for the failure or event type. To configure SNMP notifications for IPsec: Step Command...
  • Page 329: IPsec Configuration Examples

    IPsec configuration examples Configuring a manual mode IPsec tunnel for IPv4 packets Network requirements As shown in Figure 102, establish an IPsec tunnel between Router A and Router B to protect data flows between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. Configure the tunnel as follows: •...
  • Page 330 # Apply ACL 3101. [RouterA-ipsec-policy-manual-map1-10] security acl 3101 # Apply the IPsec transform set tran1. [RouterA-ipsec-policy-manual-map1-10] transform-set tran1 # Specify the remote IP address of the IPsec tunnel as 2.2.3.1. [RouterA-ipsec-policy-manual-map1-10] remote-address 2.2.3.1 # Configure inbound and outbound SPIs for ESP. [RouterA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345 [RouterA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321 # Configure the inbound and outbound SA keys for ESP.
  • Page 331 # Configure the inbound and outbound SPIs for ESP. [RouterB-ipsec-policy-manual-use1-10] sa spi outbound esp 54321 [RouterB-ipsec-policy-manual-use1-10] sa spi inbound esp 12345 # Configure the inbound and outbound SA keys for ESP. [RouterB-ipsec-policy-manual-use1-10] sa string-key outbound esp simple gfedcba [RouterB-ipsec-policy-manual-use1-10] sa string-key inbound esp simple abcdefg [RouterB-ipsec-policy-manual-use1-10] quit # Apply the IPsec policy use1 to interface GigabitEthernet 2/0/2.
  • Page 332: Configuring An IKE-Based IPsec Tunnel For IPv4 Packets

    Configuring an IKE-based IPsec tunnel for IPv4 packets Network requirements As shown in Figure 103, establish an IPsec tunnel between Router A and Router B to protect data flows between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. Configure the IPsec tunnel as follows: •...
  • Page 333 [RouterA-ike-keychain-keychain1] pre-shared-key address 2.2.3.1 255.255.255.0 key simple 123456TESTplat&! [RouterA-ike-keychain-keychain1] quit # Create and configure the IKE profile named profile1. [RouterA] ike profile profile1 [RouterA-ike-profile-profile1] keychain keychain1 [RouterA-ike-profile-profile1] match remote identity address 2.2.3.1 255.255.255.0 [RouterA-ike-profile-profile1] quit # Create an IKE-based IPsec policy entry with the name map1 and the sequence number 10. [RouterA] ipsec policy map1 10 isakmp # Apply ACL 3101.
  • Page 334 [RouterB] ike keychain keychain1 [RouterB-ike-keychain-keychain1] pre-shared-key address 2.2.2.1 255.255.255.0 key simple 123456TESTplat&! [RouterB-ike-keychain-keychain1] quit # Create and configure the IKE profile named profile1. [RouterB] ike profile profile1 [RouterB-ike-profile-profile1] keychain keychain1 [RouterB-ike-profile-profile1] match remote identity address 2.2.2.1 255.255.255.0 [RouterB-ike-profile-profile1] quit # Create an IKE-based IPsec policy entry with the name use1 and the sequence number 10. [RouterB] ipsec policy use1 10 isakmp # Apply ACL 3101.
  • Page 335: Configuring An IKE-Based IPsec Tunnel For IPv6 Packets

    remote address: 2.2.2.1 Flow: sour addr: 2.2.3.1/0.0.0.0 port: 0 protocol: ip dest addr: 2.2.2.1/0.0.0.0 port: 0 protocol: ip [Inbound ESP SAs] SPI: 3769702703 (0xe0b1192f) Connection ID: 1 Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 3000/28800 SA remaining duration (kilobytes/sec): 2300/797 Max received sequence-number: 1 Anti-replay check enable: N Anti-replay window size:...
  • Page 336 Configuration procedure Configure Router A: # Configure IPv6 addresses for interfaces. (Details not shown.) # Configure an ACL to identify data flows from subnet 333::/64 to subnet 555::/64. <RouterA> system-view [RouterA] acl ipv6 advanced 3101 [RouterA-acl-ipv6-adv-3101] rule permit ipv6 source 333::0 64 destination 555::0 64 [RouterA-acl-ipv6-adv-3101] quit # Configure a static route to Host B.
  • Page 337 [RouterA-GigabitEthernet2/0/2] quit Configure Router B: # Configure IPv6 addresses for interfaces. (Details not shown.) # Configure an ACL to identify data flows from subnet 555::/64 to subnet 333::/64. <RouterB> system-view [RouterB] acl ipv6 advanced 3101 [RouterB-acl-ipv6-adv-3101] rule permit ipv6 source 555::/64 destination 333::/64 [RouterB-acl-ipv6-adv-3101] quit # Configure a static route to Host A.
  • Page 338 [RouterB-GigabitEthernet2/0/2] quit Verifying the configuration # Initiate a connection from subnet 333::/64 to subnet 555::/64 to trigger IKE negotiation. After IPsec SAs are successfully negotiated by IKE, the traffic between the two subnets is IPsec protected. # Use the display ipsec sa command to display IPsec SAs on Router A and Router B. This example uses Router A to verify the configuration.
  • Page 339: Configuring IPsec For RIPng

    Configuring IPsec for RIPng Network requirements As shown in Figure 105, Router A, Router B, and Router C learn IPv6 routes through RIPng. Establish an IPsec tunnel between the routers to protect the RIPng packets transmitted in between. Specify the security protocol as ESP, the encryption algorithm as 128-bit AES, and the authentication algorithm as HMAC-SHA1 for the IPsec tunnel.
  • Page 340 [RouterA-ipsec-profile-profile001] sa string-key outbound esp simple abcdefg [RouterA-ipsec-profile-profile001] sa string-key inbound esp simple abcdefg [RouterA-ipsec-profile-profile001] quit # Apply the IPsec profile to RIPng process 1. [RouterA] ripng 1 [RouterA-ripng-1] enable ipsec-profile profile001 [RouterA-ripng-1] quit Configure Router B: # Configure IPv6 addresses for interfaces. (Details not shown.) # Configure basic RIPng.
  • Page 341 # Create and configure the IPsec transform set named tran1. [RouterC] ipsec transform-set tran1 [RouterC-ipsec-transform-set-tran1] encapsulation-mode transport [RouterC-ipsec-transform-set-tran1] protocol esp [RouterC-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128 [RouterC-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [RouterC-ipsec-transform-set-tran1] quit # Create and configure the IPsec profile named profile001. [RouterC] ipsec profile profile001 manual [RouterC-ipsec-profile-profile001] transform-set tran1 [RouterC-ipsec-profile-profile001] sa spi outbound esp 123456 [RouterC-ipsec-profile-profile001] sa spi inbound esp 123456...
  • Page 342: Configuring IPsec RRI

    [Inbound ESP SA] SPI: 123456 (0x3039) Connection ID: 1 Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 No duration limit for this SA [Outbound ESP SA] SPI: 123456 (0x3039) Connection ID: 2 Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 No duration limit for this SA Configuring IPsec RRI Network requirements As shown in Figure...
  • Page 343 [RouterA-ipsec-transform-set-tran1] protocol esp [RouterA-ipsec-transform-set-tran1] esp encryption-algorithm des [RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [RouterA-ipsec-transform-set-tran1] quit # Create an IPsec policy template named temp1, referencing the transform set tran1. [RouterA] ipsec policy-template temp1 1 [RouterA-ipsec-policy-template-temp1-1] transform-set tran1 # Enable IPsec RRI, set the preference to 100 and the tag to 1000 for the static routes created by IPsec RRI.
  • Page 344 [RouterB] ipsec policy map1 10 isakmp [RouterB-ipsec-policy-isakmp-map1-10] transform-set tran1 [RouterB-ipsec-policy-isakmp-map1-10] security acl 3000 [RouterB-ipsec-policy-isakmp-map1-10] remote-address 1.1.1.1 [RouterB-ipsec-policy-isakmp-map1-10] quit # Create an IKE proposal named 1, and specify 3DES as the encryption algorithm, HMAC-SHA1 as the authentication algorithm, and pre-share as the authentication method. [RouterB] ike proposal 1 [RouterB-ike-proposal-1] encryption-algorithm 3des-cbc [RouterB-ike-proposal-1] authentication-algorithm sha...
  • Page 345 dest addr: 5.5.5.0/255.255.255.0 port: 0 protocol: ip [Inbound ESP SAs] SPI: 1014286405 (0x3c74c845) Connection ID: 1 Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1 SA duration (kilobytes/sec): 1843200/3600 SA remaining duration (kilobytes/sec): 1843199/3590 Max received sequence-number: 4 Anti-replay check enable: Y Anti-replay window size: 64 UDP encapsulation used for nat traversal: N Status: Active [Outbound ESP SAs]...
  • Page 346: Configuring IKE

    Configuring IKE Unless otherwise specified, the term "IKE" in this chapter refers to IKEv1. Overview Built on a framework defined by ISAKMP, Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec. IKE provides the following benefits for IPsec: •...
  • Page 347: IKE Security Mechanism

    Figure 108 IKE exchange process in main mode As shown in Figure 108, the main mode of IKE negotiation in phase 1 involves three pairs of messages: • SA exchange—Used for negotiating the IKE security policy. • Key exchange—Used for exchanging the DH public value and other values, such as the random number.
  • Page 348: Protocols And Standards

    DH algorithm The DH algorithm is a public key algorithm. With this algorithm, two peers can exchange keying material and then use the material to calculate the shared keys. Because deriving the shared key from the exchanged values is computationally infeasible, a third party cannot recover the keys even after intercepting all of the keying material. The Perfect Forward Secrecy (PFS) feature is a security feature based on the DH algorithm.
  • Page 349: Configuring An IKE Profile

    Tasks at a glance Remarks (Optional.) Configuring the IKE keepalive function (Optional.) Configuring the IKE NAT keepalive function (Optional.) Configuring IKE DPD (Optional.) Enabling invalid SPI recovery (Optional.) Setting the maximum number of IKE SAs (Optional.) Configuring SNMP notifications for IKE Configuring an IKE profile An IKE profile is intended to provide a set of parameters for IKE negotiation.
  • Page 350 To configure an IKE profile:
    Step: Enter system view. Command: system-view
    Step: Create an IKE profile and enter its view. Command: ike profile profile-name. Remarks: By default, no IKE profile is configured.
    Command: match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address... Remarks: By default, an IKE profile has no peer ID.
  • Page 351: Configuring An IKE Proposal

    Step Command Remarks
    Step: (Optional.) Specify the local interface or IP address to which the IKE profile can be applied. Command: match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance... Remarks: By default, an IKE profile can be applied to any local interface or IP address.
  • Page 352: Configuring An IKE Keychain

    Step Command Remarks
    Step: Specify an encryption algorithm for the IKE proposal. Command: • In non-FIPS mode: encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | sm1-cbc-128 | sm1-cbc-192 | sm1-cbc-256 |... Remarks: By default: • In non-FIPS mode, an IKE proposal uses the 56-bit DES encryption algorithm in CBC mode.
  • Page 353: Configuring The Global Identity Information

    Step Command Remarks
    Step: Create an IKE keychain and enter its view. Command: ike keychain keychain-name [ vpn-instance vpn-name ]. Remarks: By default, no IKE keychain exists.
    Step: Configure a pre-shared key. Command: pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } |... Remarks: By default, no pre-shared key is configured. For security purposes, all...
  • Page 354: Configuring The IKE Keepalive Function

    Configuring the IKE keepalive function IKE sends keepalive packets to query the liveness of the peer. If the peer is configured with the keepalive timeout time, you must configure the keepalive interval on the local device. If the peer receives no keepalive packets during the timeout time, the IKE SA is deleted along with the IPsec SAs it negotiated.
  • Page 355: Enabling Invalid SPI Recovery

    The local device sends a DPD message to the peer, and waits for a response from the peer. If the peer does not respond within the retry interval specified by the retry seconds parameter, the local device resends the message. If still no response is received within the retry interval, the local end sends the DPD message again.
  • Page 356: Setting The Maximum Number Of IKE SAs

    Setting the maximum number of IKE SAs You can set the maximum number of half-open IKE SAs and the maximum number of established IKE SAs. • The supported maximum number of half-open IKE SAs depends on the device's processing capability. Adjust the maximum number of half-open IKE SAs to make full use of the device's processing capability without affecting the IKE SA negotiation efficiency.
  • Page 357: Displaying And Maintaining IKE

    Displaying and maintaining IKE. Execute display commands in any view and reset commands in user view.
    Task: Display configuration information about all IKE proposals. Command: display ike proposal
    Task: Display information about the current IKE SAs. Command: display ike sa [ verbose [ connection-id connection-id | remote-address [ ipv6 ] remote-address [ vpn-instance vpn-name ] ] ]
    Task: Delete IKE SAs.
  • Page 358 # Create an IPsec transform set named tran1. [DeviceA] ipsec transform-set tran1 # Set the packet encapsulation mode to tunnel. [DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel # Use the ESP protocol for the IPsec transform set. [DeviceA-ipsec-transform-set-tran1] protocol esp # Specify the encryption and authentication algorithms. [DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128 [DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [DeviceA-ipsec-transform-set-tran1] quit...
  • Page 359 [DeviceB-acl-ipv4-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 [DeviceB-acl-ipv4-adv-3101] quit # Create an IPsec transform set named tran1. [DeviceB] ipsec transform-set tran1 # Set the packet encapsulation mode to tunnel. [DeviceB-ipsec-transform-set-tran1] encapsulation-mode tunnel # Use the ESP protocol for the IPsec transform set. [DeviceB-ipsec-transform-set-tran1] protocol esp # Specify the encryption and authentication algorithms.
  • Page 360 Verifying the configuration # Initiate a connection from subnet 10.1.1.0/24 to subnet 10.1.2.0/24 to trigger IKE negotiation. After IPsec SAs are successfully negotiated by IKE, traffic between the two subnets is IPsec protected. # Display the IKE proposal configuration on Device A and Device B. Because no IKE proposal is configured, the command displays the default IKE proposal.
  • Page 361: Aggressive Mode With RSA Signature Authentication Configuration Example

    Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 1843200/3600 SA remaining duration (kilobytes/sec): 1843200/3484 Max received sequence-number: Anti-replay check enable: Y Anti-replay window size: 64 UDP encapsulation used for NAT traversal: N Status: Active [Outbound ESP SAs] SPI: 738451674 (0x2c03e0da) Connection ID: 2 Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 1843200/3600 SA remaining duration (kilobytes/sec): 1843200/3484...
  • Page 362 Configuration procedure Configure Device A: # Assign an IP address to each interface. (Details not shown.) # Configure ACL 3101 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24. <DeviceA> system-view [DeviceA] acl advanced 3101 [DeviceA-acl-ipv4-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [DeviceA-acl-ipv4-adv-3101] quit # Create an IPsec transform set named tran1.
  • Page 363 # Specify PKI domain domain1 for the IKE profile. [DeviceA-ike-profile-profile1] certificate domain domain1 # Specify that IKE negotiation operates in aggressive mode. [DeviceA-ike-profile-profile1] exchange-mode aggressive # Set the local identity to the FQDN name www.routera.com. [DeviceA-ike-profile-profile1] local-identity fqdn www.routera.com # Configure a peer ID with the identity type of FQDN name and the value of www.routerb.com. [DeviceA-ike-profile-profile1] match remote identity fqdn www.routerb.com [DeviceA-ike-profile-profile1] quit # Create an IKE proposal named 10.
  • Page 364 [DeviceB] pki entity entity2 # Set the common name as routerb for the PKI entity. [DeviceB-pki-entity-entity2] common-name routerb [DeviceB-pki-entity-entity2] quit # Create a PKI domain named domain2. [DeviceB] pki domain domain2 # Set the certificate request mode to auto and set the password to 123 for certificate revocation. [DeviceB-pki-domain-domain2] certificate request mode auto password simple 123 # Set an MD5 fingerprint for verifying the validity of the CA root certificate.
  • Page 365 # Apply IPsec policy use1 to interface GigabitEthernet 2/0/1. [DeviceB-GigabitEthernet2/0/1] ipsec apply policy use1 [DeviceB-GigabitEthernet2/0/1] quit # Configure a static route to the subnet where Host A resides. [DeviceB] ip route-static 10.1.1.0 255.255.255.0 1.1.1.1 Verifying the configuration # Initiate a connection from subnet 10.1.1.0/24 to subnet 10.1.2.0/24 to trigger IKE negotiation. After IPsec SAs are successfully negotiated by IKE, traffic between the two subnets is IPsec protected.
  • Page 366 [RSA public key modulus and certificate signature values omitted] Exponent: 65537 (0x10001) Signature Algorithm: sha1WithRSAEncryption # Display the local certificate on Device A. [DeviceA] display pki certificate domain domain1 local Certificate: Data: Version: 3 (0x2) Serial Number: a1:f4:d4:fd:cc:54:c3:07:c4:9e:15:2d:5f:64:57:77 Signature Algorithm: sha1WithRSAEncryption...
  • Page 367 Full Name: URI:http://xx.rsa.com:447/8088.crl Signature Algorithm: sha1WithRSAEncryption [signature value omitted] # Display the IPsec SA information on Device A. [DeviceA] display ipsec sa ------------------------------- Interface: GigabitEthernet2/0/1 ------------------------------- ----------------------------- IPsec policy: map1 Sequence number: 10 Mode: ISAKMP ----------------------------- Tunnel id: 0 Encapsulation mode: tunnel...
  • Page 368: Aggressive Mode With NAT Traversal Configuration Example

    Connection ID: 2 Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 1843200/3600 SA remaining duration (kilobytes/sec): 1843200/3484 Max received sequence-number: UDP encapsulation used for NAT traversal: N Status: Active # Display the information about the CA certificate, local certificate, IKE SA, and IPsec SA on Device B. [DeviceB] display ike sa [DeviceB] display pki certificate domain domain2 ca [DeviceB] display pki certificate domain domain2 local...
  • Page 369 [DeviceA-ipsec-transform-set-transform1] protocol esp # Specify the encryption and authentication algorithms. [DeviceA-ipsec-transform-set-transform1] esp encryption-algorithm 3des-cbc [DeviceA-ipsec-transform-set-transform1] esp authentication-algorithm md5 [DeviceA-ipsec-transform-set-transform1] quit # Create an IKE keychain named keychain1. [DeviceA] ike keychain keychain1 # Specify plaintext 12345zxcvb!@#$%ZXCVB as the pre-shared key to be used with the remote peer at 2.2.2.2.
  • Page 370 [DeviceB-ipsec-transform-set-transform1] esp encryption-algorithm 3des-cbc [DeviceB-ipsec-transform-set-transform1] esp authentication-algorithm md5 [DeviceB-ipsec-transform-set-transform1] quit # Create IKE keychain keychain1. [DeviceB] ike keychain keychain1 # Specify plaintext 12345zxcvb!@#$%ZXCVB as the pre-shared key to be used with the remote peer at 1.1.1.1. The source address of packets from 1.1.1.1 is translated into 3.3.3.1 by the NAT device, so specify the IP address of the remote peer as 3.3.3.1.
  • Page 371 [DeviceA] display ike sa verbose ----------------------------------------------- Connection ID: 13 Outside VPN: Inside VPN: Profile: profile1 Transmitting entity: Initiator ----------------------------------------------- Local IP: 1.1.1.1 Local ID type: FQDN Local ID: www.devicea.com Remote IP: 2.2.2.2 Remote ID type: IPV4_ADDR Remote ID: 2.2.2.2 Authentication-method: PRE-SHARED-KEY Authentication-algorithm: MD5 Encryption-algorithm: 3DES-CBC Life duration(sec): 86400...
  • Page 372: Troubleshooting Ike

    SPI: 830667426 (0x3182faa2) Connection ID: 1 Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5 SA duration (kilobytes/sec): 1843200/3600 SA remaining duration (kilobytes/sec): 1843200/2313 Max received sequence-number: Anti-replay check enable: Y Anti-replay window size: 64 UDP encapsulation used for nat traversal: Y Status: Active [Outbound ESP SAs] SPI: 3516214669 (0xd1952d8d) Connection ID: 2 Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5...
  • Page 373: Ike Negotiation Failed Because No Ike Proposals Or Ike Keychains Are Specified Correctly

    IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly Symptom The IKE SA is in Unknown state. <Sysname> display ike sa Connection-ID Remote Flag ------------------------------------------------------------------ 192.168.222.5 Unknown IPSEC Flags: RD--READY RL--REPLACED FD-FADING The following IKE event debugging or packet debugging message appeared: IKE event debugging message: Notification PAYLOAD_MALFORMED is received.
  • Page 374: Ipsec Sa Negotiation Failed Due To Invalid Identity Information

    Solution Examine the IPsec configuration to see whether the two ends have matching IPsec transform sets. Modify the IPsec configuration to make sure the two ends have matching IPsec transform sets. IPsec SA negotiation failed due to invalid identity information Symptom The display ike sa command shows that the IKE SA negotiation succeeded and the IKE SA is in RD state, but the display ipsec sa command shows that the expected IPsec SA has not...
  • Page 375 # Verify that the IPsec policy is referencing an IKE profile. [Sysname] display ipsec policy ------------------------------------------- IPsec Policy: policy1 Interface: GigabitEthernet2/0/1 ------------------------------------------- ----------------------------- Sequence number: 1 Mode: isakmp ----------------------------- Description: Security data flow: 3000 Selector mode: aggregation Local address: 192.168.222.5 Remote address: 192.168.222.71 Transform set: transform1...
  • Page 376 ----------------------------- Description: Security data flow: 3000 Selector mode: aggregation Local address: 192.168.222.5 Remote address: Transform set: transform1 IKE profile: profile1 SA duration(time based): SA duration(traffic based): SA idle time: Solution If the IPsec policy specifies an IKE profile but no matching IKE profiles were found in IKE negotiation, perform one of the following operations on the responder: Remove the specified IKE profile from the IPsec policy.
  • Page 377: Configuring Ikev2

    Configuring IKEv2 Overview Internet Key Exchange version 2 (IKEv2) is an enhanced version of IKEv1. Like IKEv1, IKEv2 has a set of self-protection mechanisms and can be used on insecure networks for reliable identity authentication, key distribution, and IPsec SA negotiation. IKEv2 provides stronger protection against attacks and higher key exchange capability, and needs fewer message exchanges than IKEv1.
  • Page 378: New Features In Ikev2

    New features in IKEv2 DH guessing In the IKE_SA_INIT exchange, the initiator guesses the DH group that the responder is most likely to use and sends it in an IKE_SA_INIT request message. If the initiator's guess is correct, the responder responds with an IKE_SA_INIT response message and the IKE_SA_INIT exchange is finished.
  • Page 379: Configuring An Ikev2 Profile

    • The strength of the algorithms for IKEv2 negotiation, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. Different algorithms provide different levels of protection. A stronger algorithm means better resistance to decryption of protected data but requires more resources. Typically, the longer the key, the stronger the algorithm.
  • Page 380 Specify a local interface or IP address for the IKEv2 profile so the profile can be applied only to the specified interface or IP address. For this task, specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command). If no local address is configured, specify the IP address of the interface that uses the IPsec policy.
  • Page 381 Step: Configure the local and remote identity authentication methods. Command: authentication-method { local | remote } { dsa-signature | ecdsa-signature | pre-share | rsa-signature } Remarks: By default, no local or remote identity authentication method is configured. By default, no keychain is specified for an IKEv2 profile.
  • Page 382: Configuring An Ikev2 Policy

    Step 14. (Optional.) Set the IKEv2 NAT keepalive interval. Command: nat-keepalive seconds Remarks: By default, the global IKEv2 NAT keepalive setting is used. Step 15. (Optional.) Enable the configuration exchange. Command: config-exchange { request | set { accept | send } } Remarks: By default, all configuration exchange options are disabled.
  • Page 383: Configuring An Ikev2 Proposal

    Configuring an IKEv2 proposal An IKEv2 proposal contains security parameters used in IKE_SA_INIT exchanges, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. An algorithm specified earlier has a higher priority. A complete IKEv2 proposal must have at least one set of security parameters, including one encryption algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group.
  • Page 384: Configuring An Ikev2 Keychain

    Step: Specify the integrity protection algorithms. Command: In non-FIPS mode: integrity { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } * In FIPS mode: integrity { sha1 | sha256 | sha384 | sha512 } * Remarks: By default, an IKEv2 proposal does not have any integrity protection algorithms. In non-FIPS mode:...
  • Page 385: Configure Global Ikev2 Parameters

    Step: Configure the information... Command: • To configure a host name for the peer: hostname host-name • To configure a host IP address or address range for the peer: address { ipv4-address [ mask | mask-length ] | ipv6 ... Remarks: By default, no hostname, host IP address, address range, or identity information is configured for an...
  • Page 386: Configuring The Ikev2 Nat Keepalive Feature

    Step: Enter system view. Command: system-view Step: Configure global IKEv2 DPD. Command: ikev2 dpd interval interval [ retry seconds ] { on-demand | periodic } Remarks: By default, global DPD is disabled. Configuring the IKEv2 NAT keepalive feature Configure this feature on the IKEv2 gateway behind the NAT device. The gateway then sends NAT keepalive packets regularly to its peer to keep the NAT session alive, so that the peer can access the device.
  • Page 387: Ikev2 Configuration Examples

    Task: Display the IKEv2 policy configuration. Command: display ikev2 policy [ policy-name | default ] Task: Display the IKEv2 profile configuration. Command: display ikev2 profile [ profile-name ] Task: Display the IKEv2 SA information. Command: display ikev2 sa [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance...
  • Page 388 [DeviceA] ipsec transform-set tran1 # Set the packet encapsulation mode to tunnel. [DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel # Use the ESP protocol for the IPsec transform set. [DeviceA-ipsec-transform-set-tran1] protocol esp # Specify the encryption and authentication algorithms. [DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc [DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [DeviceA-ipsec-transform-set-tran1] quit # Create an IKEv2 keychain named keychain1.
  • Page 389 [DeviceA-GigabitEthernet1/0/1] quit # Configure a static route to the subnet where Host B resides. [DeviceA] ip route-static 10.1.2.0 255.255.255.0 2.2.2.2 Configure Device B: # Assign an IP address to each interface. (Details not shown.) # Configure IPv4 advanced ACL 3101 to identify traffic from subnet 10.1.2.0/24 to subnet 10.1.1.0/24.
  • Page 390 # Specify the remote IP address 1.1.1.1 for the IPsec tunnel. [DeviceB-ipsec-policy-isakmp-use1-10] remote-address 1.1.1.1 # Specify ACL 3101 to identify the traffic to be protected. [DeviceB-ipsec-policy-isakmp-use1-10] security acl 3101 # Specify the IPsec transform set tran1 for the IPsec policy. [DeviceB-ipsec-policy-isakmp-use1-10] transform-set tran1 # Specify the IKEv2 profile profile1 for the IPsec policy.
  • Page 391: Ikev2 With Rsa Signature Authentication Configuration Example

    Tunnel id: 0 Encapsulation mode: tunnel Perfect forward secrecy: Path MTU: 1456 Tunnel: local address: 1.1.1.1 remote address: 2.2.2.2 Flow: sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: IP dest addr: 10.1.2.0/255.255.255.0 port: 0 protocol: IP [Inbound ESP SAs] SPI: 3264152513 (0xc28f03c1) Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1 SA duration (kilobytes/sec): 1843200/3600 SA remaining duration (kilobytes/sec): 1843200/3484...
  • Page 392 Figure 114 Network diagram Configuration procedure Configure Device A: # Assign an IP address to each interface. (Details not shown.) # Configure IPv4 advanced ACL 3101 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24. <DeviceA> system-view [DeviceA] acl advanced 3101 [DeviceA-acl-ipv4-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [DeviceA-acl-ipv4-adv-3101] quit...
  • Page 393 # Specify the trusted CA 8088. [DeviceA-pki-domain-domain1] ca identifier 8088 # Specify the URL of the registration server for certificate request through the SCEP protocol. This example uses the URL of http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7. [DeviceA-pki-domain-domain1] certificate request url http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7 # Specify the CA to accept certificate requests. [DeviceA-pki-domain-domain1] certificate request from ca # Specify the PKI entity for certificate request as entity1.
  • Page 394 [DeviceA-ipsec-policy-isakmp-map1-10] remote-address 2.2.2.2 # Specify the IPsec transform set tran1 for the IPsec policy. [DeviceA-ipsec-policy-isakmp-map1-10] transform-set tran1 # Specify ACL 3101 to identify the traffic to be protected. [DeviceA-ipsec-policy-isakmp-map1-10] security acl 3101 # Specify the IKEv2 profile profile1 for the IPsec policy. [DeviceA-ipsec-policy-isakmp-map1-10] ikev2-profile profile1 [DeviceA-ipsec-policy-isakmp-map1-10] quit # Apply the IPsec policy map1 to interface GigabitEthernet 1/0/1.
  • Page 395 # Specify the URL of the registration server for certificate request through the SCEP protocol. This example uses the URL of http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7. [DeviceB-pki-domain-domain2] certificate request url http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7 # Specify the CA to accept certificate requests. [DeviceB-pki-domain-domain2] certificate request from ca # Specify the PKI entity for certificate request as entity2.
  • Page 396 [DeviceB-ipsec-policy-template-template1-1] transform-set tran1 # Specify the IKEv2 profile profile2 for the IPsec policy template. [DeviceB-ipsec-policy-template-template1-1] ikev2-profile profile2 [DeviceB-ipsec-policy-template-template1-1] quit # Create an IKE-based IPsec policy entry with the name use1 and the sequence number 1 by using the IPsec policy template template1. [DeviceB] ipsec policy use1 1 isakmp template template1 # Apply IPsec policy use1 to interface GigabitEthernet 1/0/1.
  • Page 397 IN-NEGO: Negotiating, EST: Establish, DEL:Deleting # Display information about the CA certificate on Device A. [DeviceA] display pki certificate domain domain1 ca Certificate: Data: Version: 1 (0x0) Serial Number: b9:14:fb:25:c9:08:2c:9d:f6:94:20:30:37:4e:00:00 Signature Algorithm: sha1WithRSAEncryption Issuer: C=cn, O=rnd, OU=sec, CN=8088 Validity Not Before: Sep 6 01:53:58 2012 GMT Not After : Sep 8 01:50:58 2015 GMT...
  • Page 398 Not After : Sep 26 02:06:43 2013 GMT Subject: CN=devicea Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:b0:a1:cd:24:6e:1a:1d:51:79:f0:2a:3e:9f:e9: 84:07:16:78:49:1b:7d:0b:22:f0:0a:ed:75:91:a4: 17:fd:c7:ef:d0:66:5c:aa:e3:2a:d9:71:12:e4:c6: 25:77:f0:1d:97:bb:92:a8:bd:66:f8:f8:e8:d5:0d: d2:c8:01:dd:ea:e6:e0:80:ad:db:9d:c8:d9:5f:03: 2d:22:07:e3:ed:cc:88:1e:3f:0c:5e:b3:d8:0e:2d: ea:d6:c6:47:23:6a:11:ef:3c:0f:6b:61:f0:ca:a1: 79:a0:b1:02:1a:ae:8c:c9:44:e0:cf:d1:30:de:4c: f0:e5:62:e7:d0:81:5d:de:d3 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 CRL Distribution Points: Full Name: URI:http://xx.rsa.com:447/8088.crl Signature Algorithm: sha1WithRSAEncryption...
  • Page 399: Ikev2 With Nat Traversal Configuration Example

    remote address: 2.2.2.2 Flow: sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: ip dest addr: 10.1.2.0/255.255.255.0 port: 0 protocol: ip [Inbound ESP SAs] SPI: 3264152513 (0xc28f03c1) Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1 SA duration (kilobytes/sec): 1843200/3600 SA remaining duration (kilobytes/sec): 1843200/3484 Max received sequence-number: Anti-replay check enable: Y Anti-replay window size: 64 UDP encapsulation used for NAT traversal: N...
  • Page 400 Figure 115 Network diagram Configuration procedure Configure Device A: # Assign an IP address to each interface. (Details not shown.) # Configure IPv4 advanced ACL 3101 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24. <DeviceA> system-view [DeviceA] acl advanced 3101 [DeviceA-acl-ipv4-adv-3101] rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [DeviceA-acl-ipv4-adv-3101] quit...
  • Page 401 [DeviceA-ikev2-profile-profile1] identity local fqdn www.devicea.com # Specify the peer ID that the IKEv2 profile matches. The peer ID is the IP address 2.2.2.2/24. [DeviceA-ikev2-profile-profile1] match remote identity address 2.2.2.2 255.255.255.0 [DeviceA-ikev2-profile-profile1] quit # Create an IKE-based IPsec policy entry with the name policy1 and the sequence number 1. [DeviceA] ipsec policy policy1 1 isakmp # Specify the remote IP address 2.2.2.2 for the IPsec tunnel.
  • Page 402 # Specify the plaintext 123 as the pre-shared key to be used with the peer. [DeviceB-ikev2-keychain-keychain1-peer-peer1] pre-shared-key plaintext 123 [DeviceB-ikev2-keychain-keychain1-peer-peer1] quit [DeviceB-ikev2-keychain-keychain1] quit # Create an IKEv2 profile named profile1. [DeviceB] ikev2 profile profile1 # Specify the IKEv2 keychain keychain1. [DeviceB-ikev2-profile-profile1] keychain keychain1 # Specify the peer ID that the IKEv2 profile matches.
  • Page 403 Inside VPN: Profile: profile1 Transmitting entity: Initiator ----------------------------------------------- Local IP: 1.1.1.1 Local ID type: FQDN Local ID: www.devicea.com Remote IP: 2.2.2.2 Remote ID type: IPV4_ADDR Remote ID: 2.2.2.2 Authentication-method: PRE-SHARED-KEY Authentication-algorithm: MD5 Encryption-algorithm: 3DES-CBC Life duration(sec): 86400 Remaining key duration(sec): 84565 Exchange-mode: Aggressive Diffie-Hellman group: Group 1 NAT traversal: Detected...
  • Page 404: Troubleshooting Ikev2

    Max received sequence-number: Anti-replay check enable: Y Anti-replay window size: 64 UDP encapsulation used for nat traversal: Y Status: active [Outbound ESP SAs] SPI: 3516214669 (0xd1952d8d) Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5 SA duration (kilobytes/sec): 1843200/3600 SA remaining duration (kilobytes/sec): 1843200/2313 Max received sequence-number: Anti-replay check enable: Y Anti-replay window size: 64 UDP encapsulation used for nat traversal: Y...
  • Page 405: Ipsec Tunnel Establishment Failed

    Analysis Certain IPsec policy settings are incorrect. Solution Examine the IPsec configuration to see whether the two ends have matching IPsec transform sets. Modify the IPsec configuration to make sure the two ends have matching IPsec transform sets. IPsec tunnel establishment failed Symptom The ACLs and IKEv2 proposals are correctly configured on both ends.
  • Page 406: Configuring Ssh

    Configuring SSH Overview Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. SSH uses the typical client-server model to establish a channel for secure data transfer based on TCP.
  • Page 407: Ssh Authentication Methods

    Stage: Version negotiation. Description: The two parties determine a version to use. Stage: Algorithm negotiation. Description: SSH supports multiple algorithms. Based on the local algorithms, the two parties negotiate the following algorithms: • Key exchange algorithm for generating session keys. • Encryption algorithm for encrypting data. •...
  • Page 408: Fips Compliance

    NOTE: SSH1 clients do not support secondary password authentication that is initiated by the AAA server. Publickey authentication The server authenticates a client by verifying the digital signature of the client. The publickey authentication process is as follows: The client sends the server a publickey authentication request that includes the username, public key, and public key algorithm name.
  • Page 409: Generating Local Dsa Or Rsa Key Pairs

    Task: (Required.) Configuring the user lines for SSH login. Remarks: Required only for Stelnet and NETCONF-over-SSH servers. Task: (Required.) Configuring a client's host public key. Remarks: Required if the authentication method is publickey, password-publickey, or any. "Configuring PKI." Remarks: Required if the following conditions exist: The authentication method is publickey.
  • Page 410: Enabling The Stelnet Server

    Configuration procedure To generate local DSA or RSA key pairs on the SSH server: Step: Enter system view. Command: system-view Step: Generate local DSA or RSA key pairs. Command: public-key local create { dsa | rsa } Remarks: By default, no DSA or RSA key pairs exist on the server.
  • Page 411: Enabling Netconf Over Ssh

    Enabling NETCONF over SSH After you enable NETCONF over SSH on the device, a client can perform NETCONF operations on the device through a NETCONF-over-SSH connection. When acting as a server in the NETCONF-over-SSH connection, the device does not support connection requests initiated by SSH1 clients.
  • Page 412: Configuring An Ssh User

    You can enter the content of a client's host public key or import the client's host public key from the public key file. Hewlett Packard Enterprise recommends that you import the client's host public key. Entering a client's host public key Before you enter the client's host public key, you must use the display public-key local public command on the client to obtain the client's host public key.
  • Page 413 • If the authentication method is password-publickey or any, you must create an SSH user on the SSH server and perform one of the following tasks: For local authentication, configure a local user on the SSH server. For remote authentication, configure an SSH user on a remote authentication server, for example, a RADIUS server.
  • Page 414: Configuring The Ssh Management Parameters

    Configuring the SSH management parameters Step: Enter system view. Command: system-view Step: Enable the SSH server to support SSH1 clients. Command: ssh server compatible-ssh1x enable Remarks: By default, the SSH server does not support SSH1 clients. This command is not available in FIPS mode.
  • Page 415: Configuring The Device As An Stelnet Client

    Step: Specify the maximum number of concurrent online SSH users. Command: aaa session-limit ssh max-sessions Remarks: The default setting is 32. When the number of online SSH users reaches the upper limit, the system denies new SSH connection requests. Changing the upper limit does not affect online SSH users.
  • Page 416: Establishing A Connection To An Stelnet Server

    • Improving the manageability of Stelnet clients in authentication service. To specify the source IP address for SSH packets: Step: Enter system view. Command: system-view Step: • Specify the source IPv4 address for... Remarks: By default, the source IP address for SSH packets is not configured.
  • Page 417 Task Command Remarks • In non-FIPS mode: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer- compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } |...
  • Page 418: Configuring The Device As An Sftp Client

    Configuring the device as an SFTP client SFTP client configuration task list Task: (Required.) Generating local DSA or RSA key pairs. Remarks: Only required when the SFTP server uses the authentication method publickey, password-publickey, or any. Task: (Optional.) Specifying the source IP address for SFTP packets. Task: (Required.) Establishing a connection to an SFTP server...
  • Page 419: Establishing A Connection To An Sftp Server

    Step: Enter system view. Command: system-view Step: Specify the source IP address for SFTP packets: • Specify the source IPv4 address for SFTP packets: sftp client source { ip ip-address | interface interface-type ... Remarks: By default, the source IP address for SFTP packets is not configured. The IPv4 SFTP packets use the primary IP address of the output...
  • Page 420: Working With Sftp Directories

    Task Command Remarks • In non-FIPS mode: sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { dsa | rsa } | prefer- compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher...
  • Page 421: Displaying Help Information

    Task: Download a file from the SFTP server and save it locally. Command: get remote-file [ local-file ] Remarks: Available in SFTP client view. Task: Upload a local file to the SFTP server. Command: put local-file [ remote-file ] Remarks: Available in SFTP client view.
  • Page 422: Establishing A Connection To An Scp Server

    • SSH supports locally generated DSA and RSA key pairs only with default names. • The SCP client operating in FIPS mode supports only RSA key pairs. Do not generate local DSA key pairs when the device operates as an SCP client in FIPS mode. •...
  • Page 423: Displaying And Maintaining Ssh

    Task Command Remarks • In non-FIPS mode: scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange |...
  • Page 424: Password Authentication Enabled Stelnet Server Configuration Example

    • When the device acts as an Stelnet server, only RSA key pairs are supported. Do not generate a DSA key pair on the Stelnet server. Password authentication enabled Stelnet server configuration example Network requirements As shown in Figure 116: •...
  • Page 425 # Assign an IP address to GigabitEthernet 2/0/1. The Stelnet client uses this IP address as the destination for SSH connection. [Router] interface gigabitethernet 2/0/1 [Router-GigabitEthernet2/0/1] ip address 192.168.1.40 255.255.255.0 [Router-GigabitEthernet2/0/1] quit # Set the authentication mode to AAA for the user lines. [Router] line vty 0 15 [Router-line-vty0-15] authentication-mode scheme [Router-line-vty0-15] quit...
  • Page 426: Publickey Authentication Enabled Stelnet Server Configuration Example

    Figure 117 Specifying the host name (or IP address) c. Click Open to connect to the server. If the connection is successfully established, the system notifies you to enter the username and password. After entering the username (client001) and password (aabbcc), you can enter the CLI of the server.
  • Page 427 Configuration procedure In the server configuration, the client's host public key is required. Use the client software to generate RSA key pairs on the client before configuring the Stelnet server. There are different types of Stelnet client software, such as PuTTY and OpenSSH. This example uses an Stelnet client that runs PuTTY version 0.58.
  • Page 428 Figure 120 Generating process c. After the key pair is generated, click Save public key to save the public key. A file saving window appears. Figure 121 Saving a key pair on the client d. Enter a file name (key.pub in this example), and click Save.
  • Page 429 e. On the page as shown in Figure 121, click Save private key to save the private key. A confirmation dialog box appears. f. Click Yes. A file saving window appears. g. Enter a file name (private.ppk in this example), and click Save. h.
  • Page 430 # Create a local device management user client002. [Router] local-user client002 class manage # Authorize the local user client002 to use the SSH service. [Router-luser-manage-client002] service-type ssh # Assign the user role network-admin to the user client002. [Router-luser-manage-client002] authorization-attribute user-role network-admin [Router-luser-manage-client002] quit Specify the private key file and establish a connection to the Stelnet server: a.
  • Page 431 Figure 123 Specifying the preferred SSH version e. Select Connection > SSH > Auth from the navigation tree. The window shown in Figure 124 appears. f. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this example), and click OK.
  • Page 432: Password Authentication Enabled Stelnet Client Configuration Example

    g. Click Open to connect to the server. If the connection is successfully established, the system notifies you to enter the username. After entering the username (client002), you can enter the CLI of the server. Password authentication enabled Stelnet client configuration example Network requirements As shown in...
  • Page 433 [RouterB] ssh server enable # Assign an IP address to GigabitEthernet 2/0/1. The Stelnet client uses this address as the destination address for SSH connection. [RouterB] interface gigabitethernet 2/0/1 [RouterB-GigabitEthernet2/0/1] ip address 192.168.1.40 255.255.255.0 [RouterB-GigabitEthernet2/0/1] quit # Set the authentication mode to AAA for the user lines. [RouterB] line vty 0 15 [RouterB-line-vty0-15] authentication-mode scheme [RouterB-line-vty0-15] quit...
  • Page 434 68950387811C7DA33021500C773218C [RouterA-pkey-public-key-key1]737EC8EE993B4F2DED30F48EDACE915F0281810082269009 14EC474BAF2932E69D3B1F18517AD95 [RouterA-pkey-public-key-key1]94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D0 492B3959EC6499625BC4FA5082E22C5 [RouterA-pkey-public-key-key1]B374E16DD00132CE71B020217091AC717B612391C76C1FB2 88317C1BD8171D41ECB83E210C03CC9 [RouterA-pkey-public-key-key1]B32E810561C21621C73D6DAAC028F4B1585DA7F42519718C 9B09EEF0381840002818000AF995917 [RouterA-pkey-public-key-key1]E1E570A3F6B1C2411948B3B4FFA256699B3BF871221CC9C5 F257523777D033BEE77FC378145F2AD [RouterA-pkey-public-key-key1]D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F7 01F7C62621216D5A572C379A32AC290 [RouterA-pkey-public-key-key1]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465 8716261214A5A3B493E866991113B2D [RouterA-pkey-public-key-key1]485348 [RouterA-pkey-public-key-key1] peer-public-key end [RouterA] quit # Establish an SSH connection to the server, and specify the host public key of the server as key1. <RouterA>...
  • Page 435: Publickey Authentication Enabled Stelnet Client Configuration Example

    Do you want to save the server public key? [Y/N]:y client001@192.168.1.40's password: Enter a character ~ and a dot to abort. ****************************************************************************** * Copyright (c) 2010-2015 Hewlett Packard Enterprise Development LP. * Without the owner's prior written consent, * no decompiling or reverse-engineering shall be allowed. ****************************************************************************** <RouterB>...
  • Page 436 ...+....+..+...+ Create the key pair successfully. # Export the DSA host public key to the file key.pub. [RouterA] public-key local export dsa ssh2 key.pub [RouterA] quit # Transmit the public key file key.pub to the server through FTP or TFTP. (Details not shown.) Configure the Stelnet server: # Generate RSA key pairs.
  • Page 437: Sftp Configuration Examples

    # Create a local device management user client002. [RouterB] local-user client002 class manage # Authorize the local user client002 to use the SSH service. [RouterB-luser-manage-client002] service-type ssh # Assign the user role network-admin to the local user client002. [RouterB-luser-manage-client002] authorization-attribute user-role network-admin [RouterB-luser-manage-client002] quit Establish an SSH connection to the Stelnet server 192.168.1.40.
  • Page 438 Figure 127 Network diagram Configuration procedure Configure the SFTP server: # Generate RSA key pairs. <Router> system-view [Router] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 439: Publickey Authentication Enabled Sftp Client Configuration Example

    [Router-luser-manage-client002] authorization-attribute user-role network-admin work-directory flash:/ [Router-luser-manage-client002] quit # Create an SSH user client002. Specify the authentication method as password and service type as sftp for the user. [Router] ssh user client002 service-type sftp authentication-type password Establish a connection to the SFTP server: The device supports different types of SFTP client software.
  • Page 440 Figure 129 Network diagram Configuration procedure In the server configuration, the client's host public key is required. Generate RSA key pairs on the client before configuring the SFTP server. Configure the SFTP client: # Assign an IP address to GigabitEthernet 2/0/1. <RouterA>...
  • Page 441 The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys..++++++++++++++++++++++++++++++++++++++++++++++++++* ..+..+..+........+ ...+....+..+...+ Create the key pair successfully.
  • Page 442 sftp> delete z Removing /z sftp> dir -l -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup...
  • Page 443: Scp Configuration Example

    SCP configuration example Unless otherwise noted, devices in the configuration examples operate in non-FIPS mode. When you configure SCP on a device that operates in FIPS mode, follow these restrictions and guidelines: • The modulus length of the key pair must be 2048 bits. •...
  • Page 444: Netconf Over Ssh Configuration Example

    .++++++++++++++++++++++++++++++++++++++++++++++++++* ..+..+..+........+ ...+....+..+...+. Create the key pair successfully. # Enable the SCP server. [RouterB] scp server enable # Assign an IP address to GigabitEthernet 2/0/1. The client uses this address as the destination for SCP connection. [RouterB] interface gigabitethernet 2/0/1 [RouterB-GigabitEthernet2/0/1] ip address 192.168.0.1 255.255.255.0 [RouterB-GigabitEthernet2/0/1] quit # Create a local device management user client001.
  • Page 445: Network Requirements

    • When the device acts as a NETCONF-over-SSH server, only RSA key pairs are supported. Do not generate a DSA key pair on the NETCONF-over-SSH server. Network requirements As shown in Figure 131: • The router uses local password authentication. •...
  • Page 446: Verifying The Configuration

    [Router] interface gigabitethernet 2/0/1 [Router-GigabitEthernet2/0/1] ip address 192.168.1.40 255.255.255.0 [Router-GigabitEthernet2/0/1] quit # Set the authentication mode to AAA for the user lines. [Router] line vty 0 15 [Router-line-vty0-15] authentication-mode scheme [Router-line-vty0-15] quit # Create a local device management user client001. [Router] local-user client001 class manage # Set the password to aabbcc in plain text for the local user client001.
  • Page 447: Configuring Ssl

    Configuring SSL Overview Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security for TCP-based application layer protocols such as HTTP. SSL has been widely used in applications such as e-business and online banking to provide secure data transmission over the Internet. SSL security services SSL provides the following security services: •...
  • Page 448: Feature And Hardware Compatibility

    Figure 133 SSL protocol stack The following describes the major functions of SSL protocols: • SSL record protocol—Fragments data received from the upper layer, computes and adds MAC to the data, and encrypts the data. • SSL handshake protocol—Negotiates the cipher suite used for secure communication, authenticates the server and client, and securely exchanges the keys between the server and client.
  • Page 449: Configuring An Ssl Server Policy

    Configuring an SSL server policy An SSL server policy is a set of SSL parameters used by the SSL server. An SSL server policy takes effect only after it is associated with an application such as HTTPS. NOTE: SSL versions include SSL 2.0, SSL 3.0, and TLS 1.0 (also referred to as SSL 3.1). By default, the SSL server can communicate with clients running SSL 3.0 or TLS 1.0. SSL 3.0 has since been deprecated (RFC 7568) because of the POODLE padding-oracle attack; where the client population allows it, restrict the policy to TLS 1.0.
  • Page 450: Configuring An Ssl Client Policy

    Step / Command / Remarks:
    • (Optional.) Enable mandatory or optional SSL client authentication. Command: client-verify { enable | optional }. By default, SSL client authentication is disabled: the SSL server does not perform digital certificate-based authentication on SSL clients. When authenticating a client by using the digital certificate, ...
  • Page 451: Displaying And Maintaining Ssl

    Step / Command / Remarks:
    • Specify the SSL version for the SSL client policy. Command in non-FIPS mode: version { ssl3.0 | tls1.0 }; in FIPS mode: version tls1.0. By default, an SSL client policy uses TLS 1.0.
    • Enable the SSL client to authenticate servers. Command: server-verify enable. By default, SSL server...
  • Page 452 # Create a PKI entity named en. Set the common name to http-server1 and the FQDN to ssl.security.com for the entity. <Device> system-view [Device] pki entity en [Device-pki-entity-en] common-name http-server1 [Device-pki-entity-en] fqdn ssl.security.com [Device-pki-entity-en] quit # Create PKI domain 1 and specify the name of the trusted CA as CA server. Set the URL of the registration server to http://10.1.2.2/certsrv/mscep/mscep.dll, the authority for certificate request to RA, and the entity for certificate request to en.
  • Page 453 [Device-ssl-server-policy-myssl] quit # Configure the HTTPS service to use SSL server policy myssl. [Device] ip https ssl-server-policy myssl # Enable the HTTPS service. [Device] ip https enable # Create a local user named usera. Set the password to 123, service type to https, and user role to network-admin.
  • Page 454: Configuring Aspf

    Configuring ASPF Overview Advanced Stateful Packet Filter (ASPF) addresses the problems that a stateless packet-filter firewall cannot solve. An ASPF provides the following main functions: • Application layer protocol inspection—ASPF checks the application layer information of packets, such as the protocol type and port number, and inspects the application layer protocol status for each connection.
  • Page 455: Aspf Inspections

    • Destination zone—A security zone for which the first packet of a traffic flow is destined. For information about security zones, see Fundamentals Configuration Guide. ASPF inspections This section introduces the basic idea of ASPF inspection on application layer and transport layer protocols.
  • Page 456 Figure 136 FTP inspection As shown in Figure 136, FTP connections are established and removed as follows: The FTP client initiates an FTP control connection from port 1333 to port 21 of the FTP server. As a result of negotiation, the server initiates a data connection from port 20 to port 1600 of the client.
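As an added illustration of the inspection Figure 136 describes (example code written for this page, not Comware code and not from the HPE guide), the following Python models an ASPF that tracks sessions initiated from the internal network, parses the PORT command on a tracked FTP control channel, and opens a pinhole so that the server's data connection from port 20 to the advertised client port is admitted while any other unsolicited packet from outside is dropped. The optional TCP SYN check from the ASPF policy table is included. The internal prefix 192.168.1., the port numbers and the packets in the usage comments are constructed; refusing a PORT command that names a third host is an added hardening detail, not something the page states. Passive-mode data connections are client-initiated and therefore pass as ordinary outbound sessions under this model, so no PASV parsing is needed.

```python
"""ASPF-style stateful inspection of an FTP control connection (illustrative model)."""
import re
from dataclasses import dataclass

# Active-mode FTP: the client tells the server where to connect back to (RFC 959).
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""
    syn: bool = False


class AspfFtp:
    """Tracks sessions initiated from the internal network and lets only their return
    packets, plus FTP data connections negotiated on a tracked control channel, back in."""

    def __init__(self, internal_prefix="192.168.1.", syn_check=False):
        self.internal_prefix = internal_prefix   # constructed internal network
        self.syn_check = syn_check               # the page's optional "tcp syn-check"
        self.sessions = set()                    # 4-tuples as seen from the initiator
        self.pinholes = set()                    # expected server-initiated data connections

    def _internal(self, ip):
        return ip.startswith(self.internal_prefix)

    def handle(self, pkt):
        """Return "permit" or "drop" for one packet and update the session tables."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions or reverse in self.sessions:
            self._inspect_control(pkt)           # existing session: forward, keep watching commands
            return "permit"
        if self._internal(pkt.src):
            if self.syn_check and not pkt.syn:
                return "drop"                    # first packet of a TCP connection must be a SYN
            self.sessions.add(key)
            self._inspect_control(pkt)
            return "permit"
        if key in self.pinholes:                 # server opening the data connection it was told to
            self.pinholes.discard(key)
            self.sessions.add(key)
            return "permit"
        return "drop"                            # unsolicited packet from outside

    def _inspect_control(self, pkt):
        """On a PORT command to the control port, open a pinhole for the data connection."""
        if pkt.dport != 21:
            return
        m = PORT_RE.search(pkt.payload)
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        addr, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
        if addr != pkt.src:
            return   # added hardening: ignore a PORT that points at a third host (FTP bounce)
        # Active mode: the server connects from port 20 to the advertised client port.
        self.pinholes.add((pkt.dst, 20, addr, port))


if __name__ == "__main__":
    # Constructed replay of Figure 136: control 1333 -> 21, data 20 -> 1600.
    aspf = AspfFtp()
    client, server = "192.168.1.2", "10.0.0.5"
    print(aspf.handle(Packet(client, 1333, server, 21, syn=True)))                     # permit
    print(aspf.handle(Packet(client, 1333, server, 21, b"PORT 192,168,1,2,6,64\r\n")))  # permit
    print(aspf.handle(Packet(server, 20, client, 1600, syn=True)))                     # permit
    print(aspf.handle(Packet(server, 20, client, 1601, syn=True)))                     # drop
```

The pinhole is consumed by the first matching packet and turns into a normal session, so a second connection attempt to the same port would need a fresh PORT command; that is the behaviour that keeps the data channel from becoming a permanent hole.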
  • Page 457: Command And Hardware Compatibility

    Command and hardware compatibility Commands and descriptions for centralized devices apply to the following routers: • MSR1002-4/1003-8S. • MSR2003. • MSR2004-24/2004-48. • MSR3012/3024/3044/3064. • MSR954(JH296A/JH297A/JH299A) Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers. ASPF configuration task list Tasks at a glance Remarks (Required.)
  • Page 458: Applying An Aspf Policy To An Interface

    Step / Command / Remarks:
    • (Optional.) Enable TCP SYN check. Command: tcp syn-check. By default, TCP SYN check is disabled: ASPF does not drop a non-SYN packet when it is the first packet to establish a TCP connection.
    Applying an ASPF policy to an interface You can apply an ASPF policy to inspect incoming or outgoing traffic on an interface.
  • Page 459: Displaying And Maintaining Aspf

    • The packet filter allows only solicited access from the source zone to the network that the destination zone connects. • The ASPF policy compares the packets against session entries and allows matching packets from the source zone to the destination zone. The policy also allows return packets from the destination zone to the source zone.
  • Page 460: Aspf Configuration Examples

    ASPF configuration examples ASPF FTP application inspection configuration example Network requirements Configure an ASPF policy on Router A to inspect the FTP traffic flows passing through Router A. Only return packets for FTP connections initiated by users on the internal network are permitted to pass through Router A and get into the internal network.
  • Page 461: Aspf Tcp Application Inspection Configuration Example

    Protocol: TCP(6) Total sessions found: 1 # Verify that only the return packets of FTP connections can enter the internal network. (Details not shown.) ASPF TCP application inspection configuration example Network requirements Local users on the internal network need to access the external network. To protect the internal network against ICMP and SYN packet attacks from the external network, configure an ASPF policy on Router A.
  • Page 462: Aspf H.323 Application Inspection Configuration Example

    Verifying the configuration # Display the configuration of ASPF policy 1. <RouterA> display aspf policy 1 ASPF policy configuration: Policy number: 1 Enable ICMP error message check Enable TCP SYN packet check Detect these protocols: Router A can recognize faked ICMP error messages from external networks, and drop the non-SYN packets that are the first packets to establish TCP connections.
  • Page 463: Aspf Application To A Zone Pair Configuration Example

    # Apply ACL 3200 to filter incoming packets on interface GigabitEthernet 2/0/1. [RouterA] interface gigabitethernet 2/0/1 [RouterA-GigabitEthernet2/0/1] packet-filter 3200 inbound # Apply ASPF policy 1 to the inbound direction of interface GigabitEthernet 2/0/1. [RouterA-GigabitEthernet2/0/1] aspf apply policy 1 inbound [RouterA-GigabitEthernet2/0/1] quit Verifying the configuration # Verify that ASPF sessions have been created between Gateway B and Gatekeeper/Gateway A.
  • Page 464 Hardware Configuration example compatibility MSR954(JH296A/JH297A/JH299A) MSR1002-4/1003-8S MSR2003 MSR2004-24/2004-48 MSR3012/3024/3044/3064 MSR4060/4080 Network requirements Configure an ASPF policy on Router A to inspect FTP traffic that passes through Router A to implement the following filtering: • Permits only return packets for the FTP connections initiated by users on the internal network to pass through Router A.
  • Page 465 [Router-zone-pair-security-Trust-Untrust] packet-filter 3500 # Apply the ASPF policy to the zone pair. [Router-zone-pair-security-Trust-Untrust] aspf apply policy 1 [Router-zone-pair-security-Trust-Untrust] quit Verifying the configuration # Verify that an ASPF session has been established for the FTP connection between the host and the server. <Router>...
  • Page 466: Configuring Apr

    Configuring APR Overview The application recognition (APR) feature enables QoS and ASPF to recognize application protocols of packets sent on ports that are not well known. APR separately counts the number of packets or bytes that an interface has received or sent based on application protocols. It also calculates the transmission rates of the interface at the same time.
  • Page 467: Command And Hardware Compatibility

    The following types of application groups are available: • Predefined—The predefined application groups exist on the device by default, and you cannot modify or delete these application groups. To display the predefined application groups, use the display app-group pre-defined command. •...
  • Page 468: Configuring Application Groups

    Configuring application groups The device supports a maximum of 65536 application groups, and each application group contains a maximum of 65536 user-defined application protocols. To configure an application group (Step / Command / Remarks):
    • Enter system view. Command: system-view.
    • Create an application group. By default, predefined application groups exist on the device.
  • Page 469: Displaying And Maintaining Apr

    Step / Command / Remarks:
    • Enable application statistics on an interface. Command: application statistics enable [ inbound | outbound ]. By default, this feature is disabled. You can enable the application statistics feature on both the inbound and outbound directions of the interface.
    Displaying and maintaining APR Execute display commands in any view and reset commands in user view.
  • Page 470: Apr Configuration Example

    APR configuration example Network requirements As shown in Figure 141, configure APR on the router to recognize the HTTP packets sent by the host and destined for port 8080. The router drops the packets recognized by APR. Figure 141 Network diagram Configuration procedure # Create an application group named group1, and enter application group view.
  • Page 471: Managing Sessions

    Managing sessions Overview Session management is a common module, providing basic services for NAT, ASPF, and intrusion detection and protection to implement their session-based services. Session management can be applied for the following purposes: • Fast match between packets and sessions. •...
  • Page 472: Command And Hardware Compatibility

    • Sets aging time for sessions based on application layer protocols. • Supports ICMP/ICMPv6 error packet mapping, enabling the device to search for original sessions according to the payloads in the ICMP/ICMPv6 error packets. Because error packets are generated due to host errors, the mapping can help speed up the aging of the original sessions.
  • Page 473: Setting The Session Aging Time For Different Application Layer Protocols

    Step / Command / Remarks:
    • Set the session aging time for a protocol state. Command: session aging-time state { fin | icmp-reply | icmp-request | ... The default aging time for sessions in different protocol states is as follows: FIN_WAIT: 30 seconds. ICMP-REPLY: 30 seconds. ICMP-REQUEST: 60 seconds. RAWIP-OPEN: 30 seconds.
  • Page 474: Specifying Persistent Sessions

    Step Command Remarks • RTSP: 3600 seconds. • SCCP: 3600 seconds. • SIP: 300 seconds. • SQLNET: 600 seconds. • TFTP: 60 seconds. • XDMCP: 3600 seconds. Specifying persistent sessions This task is only for TCP sessions in ESTABLISHED state. You can specify TCP sessions that match the permit statements in the specified ACL as persistent sessions, and set longer lifetime or never-age-out persistent sessions.
  • Page 475: Displaying And Maintaining Session Management

    • Traffic-based logging—The device outputs a session log when the traffic amount of a session reaches a threshold. After outputting a session log, the device resets the traffic counter for the session. The traffic-based thresholds can be byte-based and packet-based. If you set both thresholds, the last configuration takes effect.
  • Page 476 Task / Command:
    • Display IPv4 session table entries (distributed devices in IRF mode): display session table ipv4 [ chassis chassis-number slot slot-number ] [ source-ip start-source-ip [ end-source-ip ] ] [ destination-ip start-destination-ip [ end-destination-ip ] ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ verbose ]
    • display session table ipv6 [ source-ip start-source-ip...
  • Page 477 Task / Command:
    • Clear IPv6 session table entries (centralized devices in standalone mode): reset session table ipv6 [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]
    • reset session table ipv6 [ slot slot-number ] [ source-ip...
  • Page 478: Configuring Connection Limits

    Configuring connection limits The connection limit feature enables the device to monitor and limit the number of established connections. As shown in Figure 142, the following problems might exist: • If Host B initiates a large number of connections in a short period of time, it might exhaust system resources and cause Host A to be unable to access the Internet.
  • Page 479: Creating A Connection Limit Policy

    Creating a connection limit policy A connection limit policy contains a set of connection limit rules, each of which defines a range of connections and the criteria for limiting the connections. To create a connection limit policy: Step Command Remarks Enter system view.
  • Page 480: Applying The Connection Limit Policy

    Step / Command / Remarks (continued): ... amount max-amount min-amount
    • IPv6 connection limit policy view: limit limit-id acl ipv6 { acl-number | name acl-name } [ per-destination | per-service | per-source ] * amount max-amount min-amount
    Applying the connection limit policy To make a connection limit policy take effect, apply it globally or to an interface. The connection limit policy applied to an interface takes effect only on the specified connections on the interface.
  • Page 481: Connection Limit Configuration Example

    Task / Command (continued): ...information.
    • Display the connection limit statistics globally or on an interface (centralized devices in standalone mode): display connection-limit statistics { global | interface interface-type interface-number }
    • Display the connection limit statistics globally or on an interface (distributed devices in standalone mode/centralized devices in IRF mode): display connection-limit statistics { global | interface interface-type interface-number } [ slot slot-number ]...
  • Page 482: Configuration Procedure

    • All hosts on segment 192.168.0.0/24 can establish a maximum of 100000 connections to the external network. • Each host on segment 192.168.0.0/24 can establish a maximum of 100 connections to the external network. • A maximum of 10000 query requests from DNS clients to the DNS server are allowed at the same time.
  • Page 483: Verifying The Configuration

    [Router] connection-limit policy 2 # Configure connection limit rule 1 to permit a maximum of 100 connections from each host matching ACL 3000. When the number of connections exceeds 100, new connections cannot be established until the number drops below 90. [Router-connection-limit-policy-2] limit 1 acl 3000 per-source amount 100 90 [Router-connection-limit-policy-2] quit # Apply connection limit policy 1 globally.
  • Page 484 [Router-acl-ipv4-basic-2001] quit [Router] acl basic 2002 [Router-acl-ipv4-basic-2002] rule permit source 192.168.0.100 0 [Router-acl-ipv4-basic-2002] quit [Router] connection-limit policy 1 [Router-connection-limit-policy-1] limit 1 acl 2001 per-destination amount 10 5 [Router-connection-limit-policy-1] limit 2 acl 2002 per-destination amount 100 10 As a result, the host at 192.168.0.100 can only initiate a maximum of 10 connections to the external network.
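The watermark behaviour the example spells out (new connections refused once max-amount is reached, admitted again only after the count drops below min-amount), as an added Python model written for this page; it is not code from the guide or from the router. The rules mirror the three requirements of the configuration example: one counter for the whole segment, one per source host, and one per destination and service for the DNS server. The networks, limits and addresses in the usage block are scaled-down constructed values, and reaching max-amount (rather than exceeding it) is taken as the point at which new connections are refused; that reading of the threshold is an assumption of the example.

```python
"""Connection limiting with high/low watermarks, modelled on the page's limit rules (illustrative)."""
from collections import Counter
from ipaddress import ip_address, ip_network


class ConnectionLimitRule:
    """One rule: which connections it covers, how they are grouped, and the two thresholds.
    Grouping mirrors the per-source / per-destination / per-service keywords; with none of
    them set, all matching connections share a single counter."""

    def __init__(self, src_nets, max_amount, min_amount, per_source=False,
                 per_destination=False, per_service=False, dst_nets=None):
        if not 0 <= min_amount <= max_amount:
            raise ValueError("min-amount must not exceed max-amount")
        self.src_nets = [ip_network(n) for n in src_nets]
        self.dst_nets = [ip_network(n) for n in (dst_nets or ["0.0.0.0/0"])]
        self.max_amount, self.min_amount = max_amount, min_amount
        self.per_source, self.per_destination, self.per_service = per_source, per_destination, per_service
        self.counts = Counter()   # group key -> established connections
        self.blocked = set()      # groups that reached max-amount and are not yet below min-amount

    def matches(self, src, dst):
        return (any(ip_address(src) in n for n in self.src_nets)
                and any(ip_address(dst) in n for n in self.dst_nets))

    def key(self, src, dst, proto, dport):
        return (src if self.per_source else None,
                dst if self.per_destination else None,
                (proto, dport) if self.per_service else None)


class ConnectionLimiter:
    def __init__(self, rules):
        self.rules = rules

    def open(self, src, dst, dport, proto="tcp"):
        """Admit a new connection only if no matching rule refuses it; returns True/False."""
        hits = [(r, r.key(src, dst, proto, dport)) for r in self.rules if r.matches(src, dst)]
        for rule, k in hits:
            if k in rule.blocked:
                return False
            if rule.counts[k] >= rule.max_amount:
                rule.blocked.add(k)   # upper watermark reached: refuse until below min-amount
                return False
        for rule, k in hits:          # every rule agreed: count the connection everywhere
            rule.counts[k] += 1
        return True

    def close(self, src, dst, dport, proto="tcp"):
        """Account for a torn-down connection; release the group once it is below min-amount."""
        for rule in self.rules:
            if not rule.matches(src, dst):
                continue
            k = rule.key(src, dst, proto, dport)
            if rule.counts[k] > 0:
                rule.counts[k] -= 1
            if k in rule.blocked and rule.counts[k] < rule.min_amount:
                rule.blocked.discard(k)


if __name__ == "__main__":
    # Constructed, scaled-down version of the page's three requirements.
    limiter = ConnectionLimiter([
        ConnectionLimitRule(["192.168.0.0/24"], 5, 4),                      # whole segment
        ConnectionLimitRule(["192.168.0.0/24"], 3, 2, per_source=True),     # each host
        ConnectionLimitRule(["0.0.0.0/0"], 2, 1, per_destination=True,      # DNS server
                            per_service=True, dst_nets=["192.168.0.100/32"]),
    ])
    for _ in range(4):
        print(limiter.open("192.168.0.10", "8.8.8.8", 80))   # True, True, True, False
```

Two details matter in practice: a refusing rule leaves the counters of the other rules untouched, so a per-host block does not inflate the segment-wide count, and a close never drives a counter below zero, so a stray teardown cannot unlock a group early.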
  • Page 485: Configuring Object Groups

    Configuring object groups Overview An object group is a group of objects that can be used by an object policy or object group to identify packets. Object groups are divided into the following types: • IPv4 address object group—A group of IPv4 address objects used to match the IPv4 address in a packet.
  • Page 486: Configuring An Ipv6 Address Object Group

    Configuring an IPv6 address object group (Step / Command / Remarks):
    • Enter system view. Command: system-view.
    • Configure an IPv6 address object group and enter its view. Command: object-group ipv6 address object-group-name. The system has one default IPv6 address object group.
    • (Optional.) Configure a description for the IPv6 address object group. Command: description text. By default, an object group does not have a description.
  • Page 487: Displaying And Maintaining Object Groups

    Displaying and maintaining object groups Execute display commands in any view. Task / Command:
    • Display information about object groups: display object-group [ { { ip | ipv6 } address | service | port } [ default ] [ name object-group-name ] | name object-group-name ]...
  • Page 488: Configuring Object Policies

    Configuring object policies Overview An object policy is a set of rules for security control over packets between a source and a destination security zone. These two zones define a zone pair. The object policy matches the first packet of a traffic flow against the rules.
  • Page 489: Rule Match Order

    system automatically assigns 60001. If the greatest ID is 65534, the system assigns the smallest unused rule ID to the rule. Rule match order The system matches packets against rules in the order the rules were configured. The match process stops when a match is found. You can use the display this command in zone pair view to check the rule configuration order.
  • Page 490: Creating An Ipv6 Object Policy

    Step / Command / Remarks:
    • (Optional.) Configure a description for the object policy. Command: description text. By default, an object policy does not have a description.
    Creating an IPv6 object policy (Step / Command / Remarks):
    • Enter system view. Command: system-view.
    • Create an IPv6 object policy. Command: object-policy ipv6 ... By default, no object policy exists.
  • Page 491: Configuring An Ipv6 Object Policy Rule

    Configuring an IPv6 object policy rule You can specify an existing object group in an IPv6 object policy rule for matching target IPv6 packets. If no object group is specified for a rule, the rule applies to all IPv6 packets. The following object groups can be referenced in a rule for packet matching: •...
  • Page 492: Changing The Rule Match Order

    Step / Command / Remarks:
    • Apply an object policy to the zone pair. To apply an IPv4 object policy to the zone pair: object-policy apply ip object-policy-name. To apply an IPv6 object policy to the zone pair: ... By default, no object policy is applied to a zone pair.
  • Page 493: Object Policy Configuration Example

    Task / Command:
    • Display acceleration information for object policies (distributed devices in standalone mode/centralized devices in IRF mode): display object-policy accelerate { summary { ip | ipv6 } | verbose { ip object-policy-name | ipv6 object-policy-name } slot slot-number }
    • Display acceleration information for object policies (distributed devices in ...): display object-policy accelerate { summary { ip | ipv6 } | verbose { ip object-policy-name | ipv6 object-policy-name }...
  • Page 494: Configuration Procedure

    Configuration procedure Create a time range named work to cover 8:00 to 18:00 on weekdays. <DeviceA> system-view [DeviceA] time-range work 08:00 to 18:00 working-day Create security zones: # Create a security zone named president, and add GigabitEthernet 2/0/2 to the zone. [DeviceA] security-zone name president [DeviceA-security-zone-president] import interface gigabitethernet 2/0/2 [DeviceA-security-zone-president] quit...
  • Page 495: Verifying The Configuration

    # Create an IPv4 object policy named president-database. Configure a rule that allows the president office to access the financial database server through HTTP at any time. [DeviceA] object-policy ip president-database [DeviceA-object-policy-ip-president-database] rule pass source-ip president destination-ip database service web [DeviceA-object-policy-ip-president-database] quit # Create an IPv4 object policy named finance-database.
  • Page 496: Configuring Attack Detection And Prevention

    Configuring attack detection and prevention Overview Attack detection and prevention enables a device to detect attacks by inspecting arriving packets, and to take prevention actions to protect a private network. Prevention actions include logging, packet dropping, blacklisting, and client verification. Command and hardware compatibility Commands and descriptions for centralized devices apply to the following routers: •...
  • Page 497 Single-packet attack / Description:
    • ICMP type: A receiver responds to an ICMP packet according to its type. An attacker sends forged ICMP packets of a specific type to affect the packet processing of the victim.
    • ICMPv6 type: A receiver responds to an ICMPv6 packet according to its type. An attacker sends forged ICMPv6 packets of specific types to affect the packet processing of the victim.
  • Page 498: Scanning Attacks

    Single-packet attack / Description:
    • Teardrop: An attacker sends a stream of overlapping fragments. The victim will crash when it tries to reassemble the overlapping fragments.
    • Ping of death: An attacker sends the victim an ICMP echo request larger than 65535 bytes, which violates the IP protocol (65535 bytes is the maximum length of an IP datagram). When the victim reassembles the packet, a buffer overflow can occur, which causes a system crash.
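An added detection example for the single-packet signatures in this table, written in Python for this page (it is not Comware code and the guide does not show the device's own logic): it runs land, smurf, fraggle, large-ICMP, ping-of-death and teardrop checks over constructed packets. The fragment checks work from the 8-byte fragment offset carried in the IP header: a fragment whose end would lie beyond 65535 bytes is ping of death, and one whose byte range overlaps a fragment already seen for the same datagram is teardrop. The broadcast address list and the 4000-byte large-ICMP threshold are assumptions of the example, and the model forgets a datagram once its last fragment has arrived instead of reassembling it.

```python
"""Single-packet attack signatures over constructed packets (illustrative, not Comware code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IP_MAX_LEN = 65535   # maximum IP datagram length, header included


@dataclass(frozen=True)
class IpPkt:
    src: str
    dst: str
    proto: str                        # "icmp", "tcp" or "udp"
    payload_len: int                  # bytes after the IP header in this fragment
    frag_id: int = 0
    frag_offset: int = 0              # in 8-byte units, as in the IP header
    more_frags: bool = False
    icmp_type: Optional[int] = None   # 8 = echo request; None for non-first fragments
    sport: int = 0
    dport: int = 0


class SinglePacketDetector:
    def __init__(self, broadcast_addrs, large_icmp_bytes=4000):
        self.broadcasts = set(broadcast_addrs)          # assumed directed-broadcast addresses
        self.large_icmp_bytes = large_icmp_bytes        # assumed threshold for large-icmp
        self.frags: Dict[Tuple[str, str, int], List[Tuple[int, int]]] = {}

    def inspect(self, p: IpPkt) -> List[str]:
        """Return the names of the signatures the packet matches (empty list when clean)."""
        hits = []
        if p.src == p.dst:
            hits.append("land")                  # source and destination are the victim itself
        if p.dst in self.broadcasts:
            if p.proto == "icmp" and p.icmp_type == 8:
                hits.append("smurf")             # echo request to a broadcast address
            if p.proto == "udp" and p.dport == 7:
                hits.append("fraggle")           # UDP echo to a broadcast address
        if p.proto == "icmp" and p.payload_len > self.large_icmp_bytes:
            hits.append("large-icmp")
        if p.frag_offset or p.more_frags:
            hits.extend(self._inspect_fragment(p))
        return hits

    def _inspect_fragment(self, p: IpPkt) -> List[str]:
        hits = []
        start = p.frag_offset * 8
        end = start + p.payload_len
        if end > IP_MAX_LEN:
            hits.append("ping-of-death")         # reassembled datagram would exceed 65535 bytes
        key = (p.src, p.dst, p.frag_id)
        seen = self.frags.setdefault(key, [])
        for s, e in seen:
            # an exact retransmission is tolerated; any other overlap is teardrop
            if (s, e) != (start, end) and start < e and s < end:
                hits.append("teardrop")
                break
        seen.append((start, end))
        if not p.more_frags:
            self.frags.pop(key, None)            # last fragment seen: forget the datagram
        return hits


if __name__ == "__main__":
    det = SinglePacketDetector({"10.0.0.255"})
    print(det.inspect(IpPkt("1.1.1.1", "10.0.0.255", "icmp", 64, icmp_type=8)))         # ['smurf']
    print(det.inspect(IpPkt("2.2.2.2", "10.0.0.9", "icmp", 100, frag_offset=8190)))     # ['ping-of-death']
```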
  • Page 499: Tcp Fragment Attacks

    An RST flood attacker sends a large number of forged RST packets to a server. The victim might shut down correct connections, or be unable to provide services because it is busy searching for matching connections. • DNS flood attack. The DNS server processes and replies to all DNS queries that it receives.
  • Page 500: Client Verification

    Hardware Blacklist compatibility MSR2004-24/2004-48 MSR3012/3024/3044/3064 MSR4060/4080 The blacklist feature is an attack prevention method that filters packets by source IP addresses in blacklist entries. Compared with ACL-based packet filter, blacklist filtering is simpler and provides effective screening at a faster speed. Client verification TCP client verification The TCP client verification feature protects TCP servers against the following flood attacks:...
  • Page 501 Figure 146 Safe reset/SYN cookie mode application TCP proxy in safe reset mode As shown in Figure 147, the safe reset mode functions as follows: After receiving a SYN packet destined for a protected server, the TCP proxy sends back a SYN ACK packet with an invalid sequence number.
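To make the two TCP client verification modes concrete, here is an added Python model of the verifier (example code written for this page; it is not Comware's implementation, which the guide does not show). In safe reset mode it answers a SYN with a SYN ACK whose ACK number does not acknowledge the client's SYN, and admits the client only when it answers with the RST that a real TCP stack sends; RFC 793 puts the unacceptable ACK number in the RST's sequence field, and that is what gets checked. In SYN cookie mode it answers with a SYN ACK whose sequence number is an HMAC-based cookie over the four-tuple and a time slot, so it keeps no per-SYN state, and admits the client when the final ACK echoes cookie+1 within a two-minute window. The secret key, the 300-second trust lifetime, the one-minute cookie slot and the addresses used are assumptions of the example; what the device does with the verified connection afterwards (splicing it to the server or letting the client retry) is outside this model.

```python
"""TCP client verification, safe reset and SYN cookie modes (illustrative model)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Seg:
    """Minimal TCP segment: 4-tuple, flag string ("S", "SA", "A" or "R"), seq and ack numbers."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: int = 0
    ack: int = 0


class TcpClientVerifier:
    """Sits in front of protected server addresses and admits a client only after it has
    proven it runs a real TCP stack (a SYN flood source that spoofs addresses never can)."""

    def __init__(self, mode, protected, secret=None, clock=None, trust_ttl=300):
        if mode not in ("safe-reset", "syn-cookie"):
            raise ValueError("mode must be safe-reset or syn-cookie")
        self.mode = mode
        self.protected = set(protected)
        self.secret = secret or secrets.token_bytes(16)   # assumed per-device secret
        self.clock = clock or (lambda: 0)                  # seconds; injectable for tests
        self.trust_ttl = trust_ttl                         # assumed trusted-list lifetime
        self.trusted = {}    # client IP -> time until which it is trusted
        self.pending = {}    # 4-tuple -> bogus ACK number we sent (safe reset mode only)

    def _mac(self, seg, slot):
        msg = f"{seg.src}:{seg.sport}:{seg.dst}:{seg.dport}:{slot}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    def _cookie(self, seg, slot):
        # top 8 bits: time slot; low 24 bits: keyed MAC of the 4-tuple and slot (stateless)
        return ((slot & 0xFF) << 24) | self._mac(seg, slot)

    def _cookie_valid(self, seg, cookie):
        now_slot = self.clock() // 60
        for s in (now_slot, now_slot - 1):      # accept the current and previous minute only
            if (s & 0xFF) == cookie >> 24 and (cookie & 0xFFFFFF) == self._mac(seg, s):
                return True
        return False

    def handle(self, seg):
        """Return (verdict, reply): forward / reply / trusted / drop, and the segment to send back."""
        now = self.clock()
        if seg.dst not in self.protected or self.trusted.get(seg.src, -1) > now:
            return "forward", None
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        back = dict(src=seg.dst, sport=seg.dport, dst=seg.src, dport=seg.sport)
        if seg.flags == "S":
            if self.mode == "safe-reset":
                bogus_ack = (seg.seq + 0x10000) & 0xFFFFFFFF      # anything but seq + 1
                self.pending[key] = bogus_ack
                return "reply", Seg(**back, flags="SA", seq=self._mac(seg, 0), ack=bogus_ack)
            cookie = self._cookie(seg, now // 60)
            return "reply", Seg(**back, flags="SA", seq=cookie, ack=(seg.seq + 1) & 0xFFFFFFFF)
        if self.mode == "safe-reset" and seg.flags == "R":
            # RFC 793: a client in SYN-SENT that gets an unacceptable ACK sends RST with SEQ=SEG.ACK
            if self.pending.pop(key, None) == seg.seq:
                self.trusted[seg.src] = now + self.trust_ttl
                return "trusted", None
            return "drop", None
        if self.mode == "syn-cookie" and seg.flags == "A":
            if self._cookie_valid(seg, (seg.ack - 1) & 0xFFFFFFFF):
                self.trusted[seg.src] = now + self.trust_ttl
                return "trusted", None
            return "drop", None
        return "drop", None     # anything else from an unverified client is not forwarded


if __name__ == "__main__":
    v = TcpClientVerifier("safe-reset", {"10.1.1.2"}, secret=b"demo-key")
    syn = Seg("1.2.3.4", 40000, "10.1.1.2", 80, "S", seq=5000)
    verdict, synack = v.handle(syn)
    print(verdict, synack.ack)                                                      # reply 70536
    print(v.handle(Seg("1.2.3.4", 40000, "10.1.1.2", 80, "R", seq=synack.ack))[0])  # trusted
    print(v.handle(syn)[0])                                                         # forward
```

The safe reset path keeps one pending entry per SYN, so it needs a bound on that table under flood; the SYN cookie path needs none, which is why it is the mode to prefer when the expected attack volume is high.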
  • Page 502: Dns Client Verification

    Figure 148 TCP proxy in SYN cookie mode DNS client verification The DNS client verification feature protects DNS servers against DNS flood attacks. It is configured on the device where packets from the DNS clients to the DNS servers pass through. The device with DNS client verification feature configured is called a DNS client authenticator.
  • Page 503: Http Client Verification

    HTTP client verification The HTTP client verification feature protects HTTP servers against HTTP flood attacks. It is configured on the device where packets from the HTTP clients to the HTTP servers pass through. A device with HTTP client verification feature configured is called an HTTP client authenticator. As shown in Figure 150, the HTTP client verification functions as follows:...
  • Page 504: Attack Detection And Prevention Configuration Task List

    Attack detection and prevention configuration task list Tasks at a glance (Required.) Configuring an attack defense policy: • (Required.) Creating an attack defense policy • (Required.) Perform at least one of the following tasks to configure attack detection: Configuring a single-packet attack defense policy Configuring a scanning attack defense policy Configuring a flood attack defense policy •...
  • Page 505 You can also configure the device to not take any actions. To configure a single-packet attack defense policy (Step / Command / Remarks):
    • Enter system view. Command: system-view.
    • Enter attack defense policy view. Command: attack-defense policy policy-name.
    • signature detect { fraggle | fragment | impossible | ip-option-abnormal | land | large-icmp | large-icmpv6 | ping-of-death | smurf | snork |...
  • Page 506: Configuring A Scanning Attack Defense Policy

    Step / Command / Remarks:
    • (Optional.) Specify the actions against single-packet attacks of a level. Command: signature level { high | info | low | medium } action { { drop | logging } * | none }. The default action is logging for single-packet attacks of the informational and low levels. The default actions are...
  • Page 507 You can configure flood attack detection and prevention for a specific IP address. For non-specific IP addresses, the device uses the global attack prevention settings. Configuring a SYN flood attack defense policy (Step / Command / Remarks):
    • Enter system view. Command: system-view.
    • Enter attack defense policy view. Command: attack-defense policy policy-name.
  • Page 508 Step / Command / Remarks:
    • Enter attack defense policy view. Command: attack-defense policy policy-name.
    • Enable SYN-ACK flood attack detection for non-specific IP addresses. Command: syn-ack-flood detect non-specific. By default, SYN-ACK flood attack detection is disabled for non-specific IP addresses.
    • Set the global trigger threshold for SYN-ACK flood attack prevention. Command: syn-ack-flood threshold threshold-value. By default, the global trigger threshold is 1000 for SYN-ACK...
  • Page 509 Step / Command / Remarks:
    • Set the global trigger threshold for RST flood attack prevention. Command: rst-flood threshold threshold-value. By default, the global trigger threshold is 1000 for RST flood attack prevention.
    • Specify global actions against RST flood attacks. Command: rst-flood action { client-verify | ... By default, no global action is...
  • Page 510 Step / Command / Remarks:
    • Configure IP-specific ICMPv6 flood attack detection. Command: icmpv6-flood detect ipv6 ipv6-address [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]. By default, ICMPv6 flood attack detection is not configured for any IPv6 address.
    Configuring a UDP flood attack defense policy Step Command...
  • Page 511: Configuring Attack Detection Exemption

    Step / Command / Remarks:
    • Configure IP-specific DNS flood attack detection. Command: dns-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-list ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]. By default, DNS flood attack detection is not configured for any IP address...
  • Page 512: Applying An Attack Defense Policy To An Interface

    • L3VPN instance. • fragment keyword for matching non-first fragments. To configure attack detection exemption (Step / Command / Remarks):
    • Enter system view. Command: system-view.
    • Enter attack defense policy view. Command: attack-defense policy policy-name.
    • Configure attack detection exemption. Command: exempt acl [ ipv6 ] { acl-number ... By default, the attack defense policy...
  • Page 513: Disabling Log Aggregation For Single-Packet Attack Events

    Disabling log aggregation for single-packet attack events Log aggregation aggregates all logs generated in a period and sends one log. The logs with the same attributes for the following items can be aggregated: • Interface where the attack is detected. •...
  • Page 514: Configuring Dns Client Verification

    IP addresses protected by TCP client verification can be manually added or automatically learned: • You can manually add protected IP addresses. The device performs client verification when it receives the first SYN packet destined for a protected IP address. •...
  • Page 515: Configuring Http Client Verification

    Step / Command / Remarks:
    • Enter interface view. Command: interface interface-type interface-number.
    • Enable DNS client verification on the interface. Command: client-verify dns enable. By default, DNS client verification is disabled on the interface. DNS client verification can be used alone or together with a DNS flood attack defense policy.
  • Page 516: Displaying And Maintaining Attack Detection And Prevention

    Hardware Blacklist compatibility MSR954(JH296A/JH297A/JH299A) MSR1002-4/1003-8S MSR2003 MSR2004-24/2004-48 MSR3012/3024/3044/3064 MSR4060/4080 The blacklist feature filters packets sourced from IP addresses in blacklist entries. Blacklist entries can be manually added or dynamically learned: • You can manually add a blacklist entry by using the blacklist ip or blacklist ipv6 command. These entries do not age out by default.
  • Page 517 Task / Command:
    • Display attack detection and prevention statistics on an interface (centralized devices in standalone mode): display attack-defense statistics interface interface-type interface-number
    • Display attack detection and prevention statistics on an interface (distributed devices in standalone mode/centralized devices in IRF mode): display attack-defense statistics interface interface-type interface-number [ slot slot-number ]
  • Page 518 Task / Command:
    • Display information about IPv6 scanning attack victims (distributed devices in standalone mode/centralized devices in IRF mode): display attack-defense scan victim ipv6 [ interface interface-type interface-number [ slot slot-number ] | local [ slot slot-number ] ] [ count ]
    • Display information about IPv6 scanning attack victims (...): display attack-defense scan victim ipv6 [ interface interface-type interface-number [ chassis...
  • Page 519 Task / Command:
    • Display information about IPv4 addresses protected by flood attack detection and prevention (distributed devices in IRF mode): display attack-defense policy policy-name { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } ip [ ip-address [ vpn vpn-instance-name ] ] [ chassis chassis-number slot slot-number ] [ count ]
    • display attack-defense policy policy-name { ack-flood...
  • Page 520 Task / Command:
    • Display protected IPv6 addresses for client verification (distributed devices in IRF mode): display client-verify { dns | http | tcp } protected ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ port port-number ] [ chassis chassis-number slot slot-number ] [ count ]
    • Display trusted IPv4 addresses for client verification: display client-verify { dns | http | tcp } trusted ip...
  • Page 521: Attack Detection And Prevention Configuration Examples

    Attack detection and prevention configuration examples
    Interface-based attack detection and prevention configuration example
    Network requirements
    As shown in Figure 151, Router is the gateway for the internal network. GigabitEthernet 2/0/2 connects to the external network, and GigabitEthernet 2/0/3 connects to an internal server. To protect the internal hosts and internal server against scanning attacks and smurf attacks, configure an attack defense policy to meet the following requirements:
    •...
  • Page 522
    [Router-attack-defense-policy-a1] scan detect level low action logging block-source timeout 10
    # Configure SYN flood attack detection for 10.1.1.2. Set the threshold for triggering attack prevention to 5000. Specify the prevention actions as logging and drop.
    [Router-attack-defense-policy-a1] syn-flood detect ip 10.1.1.2 threshold 5000 action logging drop
    [Router-attack-defense-policy-a1] quit
    # Apply attack defense policy a1 to interface GigabitEthernet 2/0/2.
  • Page 523
    IP option record route            Disabled   info
    IP option internet timestamp      Disabled   info
    IP option security                Disabled   info
    IP option loose source routing    Disabled   info
    IP option stream ID               Disabled   info
    IP option strict source routing   Disabled   info
    IP option route alert             Disabled   info
    ICMP echo request...
  • Page 524: Blacklist Configuration Example

    Flood attack defense for protected IP addresses:
    Address      VPN instance   Flood type   Thres(pps)   Actions   Ports
    10.1.1.2                    SYN-FLOOD    5000
    # Verify that the attack detection and prevention takes effect on GigabitEthernet 2/0/2.
    [Router] display attack-defense statistics interface gigabitethernet 2/0/2
    Attack policy name: a1
    Scan attack defense statistics:
    AttackType   AttackTimes   Dropped...
  • Page 525: Tcp Client Verification Configuration Example

    [Router] blacklist ip 192.168.1.4 timeout 50
    Verifying the configuration
    # Verify that the blacklist entries are successfully added.
    <Router> display blacklist ip
    IP address     VPN instance   DS-Lite tunnel peer   Type     TTL(sec)   Dropped
    5.5.5.5                                             Manual   Never
    192.168.1.4                                         Manual   2989
    # Verify that the router drops packets from Host D. (Details not shown.)
    # Execute the undo blacklist ip 5.5.5.5 command and verify that the router forwards packets from Host D.
  • Page 526: Dns Client Verification Configuration Example

    [Router-GigabitEthernet2/0/1] quit
    # Enable TCP client verification in SYN cookie mode on interface GigabitEthernet 2/0/1.
    [Router] interface gigabitethernet 2/0/1
    [Router-GigabitEthernet2/0/1] client-verify tcp enable mode syn-cookie
    [Router-GigabitEthernet2/0/1] quit
    Verifying the configuration
    # If a SYN flood attack occurs, verify that the victim's IP address is added to the protected IP list for TCP client verification.
  • Page 527: Http Client Verification Configuration Example

    # Enable DNS client verification on interface GigabitEthernet 2/0/1.
    [Router] interface gigabitethernet 2/0/1
    [Router-GigabitEthernet2/0/1] client-verify dns enable
    [Router-GigabitEthernet2/0/1] quit
    Verifying the configuration
    # If a DNS flood attack occurs, verify that the victim's IP address is added to the protected IP list for DNS client verification.
  • Page 528
    [Router] interface gigabitethernet 2/0/1
    [Router-GigabitEthernet2/0/1] client-verify http enable
    [Router-GigabitEthernet2/0/1] quit
    Verifying the configuration
    # If an HTTP flood attack occurs, verify that the victim's IP address is added to the protected IP list for HTTP client verification.
    [Router] display client-verify http protected ip
    IP address   VPN instance   Port...
  • Page 529: Configuring Ip Source Guard

    Configuring IP source guard Overview IP source guard (IPSG) prevents spoofing attacks by using an IPSG binding table to match legitimate packets. It drops packets that do not match the table. IPSG is a per-interface packet filter. Configuring the feature on one interface does not affect packet forwarding on another interface. The IPSG bindings are interface-specific.
  • Page 530: Dynamic Ipsg Bindings

    Dynamic IPSG bindings IPSG automatically obtains user information from other modules to generate dynamic bindings. The source modules include 802.1X, DHCP relay, DHCP snooping, DHCPv6 snooping, and DHCP server. DHCP-based IPSG bindings are suitable for scenarios where hosts on a LAN obtain IP addresses through DHCP.
  • Page 531: Ipsg Configuration Task List

    • MSR2004-24/2004-48.
    • MSR3012/3024/3044/3064.
    • MSR954(JH296A/JH297A/JH299A)
    Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers.
    IPSG configuration task list
    To configure IPv4SG, perform the following tasks:
    Tasks at a glance
    (Required.) Enabling IPv4SG on an interface
    (Optional.) Configuring a static IPv4SG binding
    To configure IPv6SG, perform the following tasks:
    Tasks at a glance...
  • Page 532: Configuring A Static Ipv4Sg Binding

    Configuring a static IPv4SG binding
    Step: Enter system view. Command: system-view
    Step: Enter interface view. Command: interface interface-type interface-number. Remarks: The following interface types are supported: Layer 2 Ethernet port; VLAN interface.
    Command: ip source binding { ip-address... Remarks: By default, no static IPv4SG binding is configured on an interface.
  • Page 533: Displaying And Maintaining Ipsg

    Step: Enter interface view. Command: interface interface-type interface-number. Remarks: The following interface types are supported: Layer 2 Ethernet port; VLAN interface.
    Step: Configure a static... Command: ipv6 source binding { ip-address ipv6-address | ip-address ipv6-address... Remarks: By default, no static IPv6SG binding is configured on an interface. The vlan vlan-id option is supported only in...
  • Page 534: Ipsg Configuration Examples

    IPSG configuration examples
    Static IPv4SG configuration example
    Network requirements
    As shown in Figure 157, all hosts use static IP addresses. Configure static IPv4SG bindings on Device A and Device B to meet the following requirements:
    • GigabitEthernet 2/0/2 of Device A allows only IP packets from Host C to pass.
    •...
  • Page 535: Dynamic Ipv4Sg Using Dhcp Snooping Configuration Example

    [DeviceB-GigabitEthernet2/0/2] ip verify source ip-address mac-address
    [DeviceB-GigabitEthernet2/0/2] quit
    # Enable IPv4SG on GigabitEthernet 2/0/1.
    [DeviceB] interface gigabitethernet 2/0/1
    [DeviceB-GigabitEthernet2/0/1] ip verify source ip-address mac-address
    # On GigabitEthernet 2/0/1, configure a static IPv4SG binding for Host B.
    [DeviceB-GigabitEthernet2/0/1] ip source binding mac-address 0001-0203-0407
    [DeviceB-GigabitEthernet2/0/1] quit
    Verifying the configuration
    # Verify that the static IPv4SG bindings are configured successfully on Device A.
  • Page 536: Dynamic Ipv4Sg Using Dhcp Relay Configuration Example

    [Device] dhcp snooping enable
    # Configure GigabitEthernet 2/0/2 as a trusted interface.
    [Device] interface gigabitethernet 2/0/2
    [Device-GigabitEthernet2/0/2] dhcp snooping trust
    [Device-GigabitEthernet2/0/2] quit
    # Enable IPv4SG on GigabitEthernet 2/0/1 and verify the source IP address and MAC address for dynamic IPSG.
    [Device] interface gigabitethernet 2/0/1
    [Device-GigabitEthernet2/0/1] ip verify source ip-address mac-address
    # Enable recording of client information in DHCP snooping entries on GigabitEthernet 2/0/1.
  • Page 537: Static Ipv6Sg Configuration Example

    [Router-GigabitEthernet2/0/1] quit
    # Enable IPv4SG on interface GigabitEthernet 2/0/1 and verify the source IP address and MAC address for dynamic IPSG.
    [Router] interface gigabitethernet 2/0/1
    [Router-GigabitEthernet2/0/1] ip verify source ip-address mac-address
    [Router-GigabitEthernet2/0/1] quit
    Verifying the configuration
    # Verify that a dynamic IPv4SG binding is generated based on a DHCP relay entry.
    [Router] display ip source binding dhcp-relay
    Total entries found: 1
    IP Address...
  • Page 538
    • Enable DHCPv6 snooping on the device to record the IPv6 address and the MAC address of the host in a DHCPv6 snooping entry.
    • Enable dynamic IPv6SG on GigabitEthernet 2/0/1 to filter received packets based on DHCPv6 snooping entries. Only packets from the client that obtains an IP address from the DHCPv6 server are allowed to pass.
  • Page 539: Configuring Arp Attack Protection

    Configuring ARP attack protection ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks. Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
  • Page 540: Configuring Unresolvable Ip Attack Protection

    Configuring unresolvable IP attack protection
    If a device receives a large number of unresolvable IP packets from a host, the following situations can occur:
    • The device sends a large number of ARP requests, overloading the target subnets.
    • The device keeps trying to resolve the destination IP addresses, overloading its CPU.
    To protect the device from such IP attacks, you can configure the following features:
    •...
  • Page 541: Configuration Example

    Configuration example Network requirements As shown in Figure 162, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20. Each area connects to the gateway (Device) through an access switch. A large number of ARP requests are detected in the office area and are considered an attack caused by unresolvable IP packets.
  • Page 542: Configuring Source Mac-Based Arp Attack Detection

    Configuring source MAC-based ARP attack detection This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within 5 seconds exceeds a threshold, the device adds the MAC address to an ARP attack entry.
  • Page 543: Configuration Example

    Task: Display ARP attack entries detected by source MAC-based ARP attack detection (distributed devices in IRF mode). Command: display arp source-mac { chassis chassis-number slot slot-number | interface interface-type interface-number }
    Configuration example
    Network requirements
    As shown in Figure 163, the hosts access the Internet through a gateway (Device). If malicious users send a large number of ARP requests to the gateway, the gateway might crash and be unable to process requests from the clients.
  • Page 544: Configuring Arp Packet Source Mac Consistency Check

    # Set the lifetime for ARP attack entries to 60 seconds.
    [Device] arp source-mac aging-time 60
    # Exclude MAC address 0012-3f86-e94c from this detection.
    [Device] arp source-mac exclude-mac 0012-3f86-e94c
    Configuring ARP packet source MAC consistency check
    This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body.
  • Page 545: Configuration Procedure

    With authorized ARP enabled, an interface is disabled from learning dynamic ARP entries. This feature prevents user spoofing and allows only authorized clients to access network resources.
    Configuration procedure
    To enable authorized ARP:
    Step: Enter system view. Command: system-view
    Remarks: The following interface types are supported: •...
  • Page 546: Configuration Example (On A Dhcp Relay Agent)

    Configure Device B:
    <DeviceB> system-view
    [DeviceB] interface gigabitethernet 2/0/1
    [DeviceB-GigabitEthernet2/0/1] ip address dhcp-alloc
    [DeviceB-GigabitEthernet2/0/1] quit
    Verifying the configuration
    # Display authorized ARP entry information on Device A.
    [DeviceA] display arp all
    Type: S-Static   D-Dynamic   O-Openflow   R-Rule   M-Multiport   I-Invalid
    IP Address   MAC Address   VLAN   Interface...
  • Page 547: Configuring Arp Detection

    Configure Device B:
    # Enable DHCP.
    <DeviceB> system-view
    [DeviceB] dhcp enable
    # Specify the IP addresses of GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2.
    [DeviceB] interface gigabitethernet 2/0/1
    [DeviceB-GigabitEthernet2/0/1] ip address 10.1.1.2 24
    [DeviceB-GigabitEthernet2/0/1] quit
    [DeviceB] interface gigabitethernet 2/0/2
    [DeviceB-GigabitEthernet2/0/2] ip address 10.10.1.1 24
    # Enable DHCP relay agent on GigabitEthernet 2/0/2.
  • Page 548: Configuring User Validity Check

    • MSR954(JH296A/JH297A/JH299A).
    • MSR1002-4/1003-8S.
    • MSR2004-24/2004-48.
    ARP detection enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks. ARP detection does not check ARP packets received from ARP trusted interfaces. ARP detection provides the user validity check, ARP packet validity check, and ARP restricted forwarding features.
  • Page 549: Configuring Arp Packet Validity Check

    Remarks: ...excluded from ARP detection.
    Configuring ARP packet validity check
    Enable validity check for ARP packets received on untrusted interfaces and specify the following objects to be checked:
    • src-mac—Checks whether the sender MAC address in the message body is identical to the source MAC address in the Ethernet header.
  • Page 550: Displaying And Maintaining Arp Detection

    Step: Enter system view. Command: system-view
    Step: Enter VLAN view. Command: vlan vlan-id
    Step: Enable ARP restricted forwarding. Command: arp restricted-forwarding enable. Remarks: By default, ARP restricted forwarding is disabled.
    Displaying and maintaining ARP detection
    Execute display commands in any view and reset commands in user view.
    Task: ... Command: display arp detection...
  • Page 551: Arp Restricted Forwarding Configuration Example

    <SwitchA> system-view
    [SwitchA] dhcp enable
    [SwitchA] dhcp server ip-pool 0
    [SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
    Configure Host A (DHCP client) and Host B. (Details not shown.)
    Configure Router B:
    # Enable DHCP snooping.
    <RouterB> system-view
    [RouterB] dhcp snooping enable
    [RouterB] interface gigabitethernet 2/0/3
    [RouterB-GigabitEthernet2/0/3] dhcp snooping trust
    [RouterB-GigabitEthernet2/0/3] quit
    # Enable recording of client information in DHCP snooping entries on GigabitEthernet 2/0/1.
  • Page 552
    Figure 167 Network diagram
    Configuration procedure
    Configure VLAN 10, add interfaces to VLAN 10, and specify the IP address of the VLAN interface. (Details not shown.)
    Configure the DHCP server on Switch A, and configure DHCP address pool 0.
    <SwitchA> system-view
    [SwitchA] dhcp enable
    [SwitchA] dhcp server ip-pool 0
    [SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0...
  • Page 553: Configuring Arp Scanning And Fixed Arp

    [RouterB] port-isolate group 1
    [RouterB] interface gigabitethernet 2/0/1
    [RouterB-GigabitEthernet2/0/1] port-isolate enable group 1
    [RouterB-GigabitEthernet2/0/1] quit
    [RouterB] interface gigabitethernet 2/0/2
    [RouterB-GigabitEthernet2/0/2] port-isolate enable group 1
    [RouterB-GigabitEthernet2/0/2] quit
    After the configurations are completed, Router B first checks the validity of ARP packets received on GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2.
  • Page 554: Configuring Arp Gateway Protection

    Step: Enter system view. Command: system-view
    Step: Enter interface view. Command: interface interface-type interface-number
    Step: Enable ARP scanning. Command: arp scan [ start-ip-address to end-ip-address ]
    Step: Return to system view. Command: quit
    Step: Enable fixed ARP. Command: arp fixup
    Configuring ARP gateway protection
    Configure this feature on interfaces not connected with a gateway to prevent gateway spoofing attacks.
  • Page 555: Configuring Arp Filtering

    Figure 168 Network diagram (labels: Gateway Router A 10.1.1.1/24, GE2/0/3, Router B, GE2/0/1, GE2/0/2, Host A, Host B)
    Configuration procedure
    # Configure ARP gateway protection on Router B.
    <RouterB> system-view
    [RouterB] interface gigabitethernet 2/0/1
    [RouterB-GigabitEthernet2/0/1] arp filter source 10.1.1.1
    [RouterB-GigabitEthernet2/0/1] quit
    [RouterB] interface gigabitethernet 2/0/2
    [RouterB-GigabitEthernet2/0/2] arp filter source 10.1.1.1
    Verifying the configuration...
  • Page 556: Configuration Example

    Step: Enter system view. Command: system-view
    Step: Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view. Command: interface interface-type interface-number
    Step: Enable ARP filtering and configure a permitted entry. Command: arp filter binding ip-address mac-address. Remarks: By default, ARP filtering is disabled.
    Configuration example
    Network requirements
    As shown in...
  • Page 557: Configuring Urpf

    Configuring uRPF Overview Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.
  • Page 558: Urpf Operation

    Link layer check—Strict uRPF check can further perform link layer check on a packet. It uses the next hop address in the matching FIB entry to look up the ARP table for a matching entry. If the source MAC address of the packet matches the MAC address in the matching ARP entry, the packet passes strict uRPF check.
  • Page 559 Figure 171 uRPF work flow...
  • Page 560
    uRPF checks address validity:
    uRPF permits a packet with a multicast destination address.
    For a packet with an all-zero source address, uRPF permits the packet if it has a broadcast destination address. (A packet with source address 0.0.0.0 and destination address 255.255.255.255 might be a DHCP or BOOTP packet and cannot be discarded.)
    uRPF proceeds to step 7 if the packet has a non-broadcast destination address.
  • Page 561: Network Application

    Network application
    Figure 172 Network diagram (ISP A, ISP B, ISP C, User; uRPF (loose) between the ISPs, uRPF (strict) toward the user)
    As shown in Figure 172, strict uRPF check is configured between an ISP network and a customer network. Loose uRPF check is configured between ISPs. For special packets or users, you can configure ACLs.
  • Page 562: Displaying And Maintaining Urpf

    • Do not configure the allow-default-route keyword for loose uRPF check. Otherwise, uRPF might fail to work.
    To enable uRPF on an interface:
    Step: Enter system view. Command: system-view
    Step: Enter interface view. Command: interface interface-type interface-number
    Step: Enable uRPF on the interface. Command: ip urpf { loose [ allow-default-route ] [ acl acl-number ] | strict...
  • Page 563
    # Specify the IP address of GigabitEthernet 2/0/1.
    [RouterB] interface gigabitethernet 2/0/1
    [RouterB-GigabitEthernet2/0/1] ip address 1.1.1.2 255.255.255.0
    # Configure strict uRPF check on GigabitEthernet 2/0/1.
    [RouterB-GigabitEthernet2/0/1] ip urpf strict acl 2010
    Configure Router A:
    # Specify the IP address of GigabitEthernet 2/0/1.
    <RouterA>...
  • Page 564: Configuring Ipv6 Urpf

    Configuring IPv6 uRPF Overview Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.
  • Page 565: Ipv6 Urpf Operation

    IPv6 ACLs—To identify specific packets as valid packets, you can use an IPv6 ACL to match these packets. Even if the packets do not pass IPv6 uRPF check, they are still forwarded. IPv6 uRPF operation IPv6 uRPF does not check multicast packets. Figure 175 shows how IPv6 uRPF works.
  • Page 566
    If no, IPv6 uRPF proceeds to step 2.
    IPv6 uRPF checks whether the source address matches a unicast route:
    If yes, IPv6 uRPF proceeds to step 3.
    If no, IPv6 uRPF proceeds to step 6. A non-unicast source address matches a non-unicast route.
  • Page 567: Network Application

    Network application
    Figure 176 Network diagram (ISP A, ISP B, ISP C, User; IPv6 uRPF (loose) between the ISPs, IPv6 uRPF (strict) toward the user)
    As shown in Figure 176, strict IPv6 uRPF check is configured between an ISP network and a customer network. Loose IPv6 uRPF check is configured between ISPs. For special packets or users, you can configure IPv6 ACLs.
  • Page 568: Displaying And Maintaining Ipv6 Urpf

    • Do not configure the allow-default-route keyword for loose IPv6 uRPF check. Otherwise, IPv6 uRPF might fail to work.
    To enable IPv6 uRPF on an interface:
    Step: Enter system view. Command: system-view
    Step: Enter interface view. Command: interface interface-type interface-number
    Step: Enable IPv6 uRPF on the interface. Command: ipv6 urpf { loose | strict } [ allow-default-route ] [ acl... Remarks: By default, uRPF is disabled.
  • Page 569
    # Specify the IPv6 address of GigabitEthernet 2/0/1.
    [RouterB] interface gigabitethernet 2/0/1
    [RouterB-GigabitEthernet2/0/1] ipv6 address 1000::2/64
    # Configure strict uRPF check on GigabitEthernet 2/0/1.
    [RouterB-GigabitEthernet2/0/1] ipv6 urpf strict acl 2010
    Configure Router A:
    # Specify the IPv6 address of GigabitEthernet 2/0/1.
    <RouterA>...
  • Page 570: Configuring Crypto Engines

    Configuring crypto engines Overview Crypto engines encrypt and decrypt data for service modules. Crypto engines include the following types: • Hardware crypto engines—A hardware crypto engine is a coprocessor integrated on a CPU or hardware crypto card. Hardware crypto engines can accelerate encryption/decryption speed, which improves device processing efficiency.
  • Page 571: Displaying And Maintaining Crypto Engines

    Step: Enter system view. Command: system-view
    Step: Disable or enable hardware crypto engines. Command: crypto-engine accelerator disable (to disable hardware crypto engines); undo crypto-engine accelerator disable (to enable hardware crypto engines).
    Displaying and maintaining crypto engines
    Execute display commands in any view and reset commands in user view.
    Task: Display crypto engine information.
  • Page 572: Configuring Fips

    Configuring FIPS The device that provides low encryption does not support FIPS. Overview Federal Information Processing Standards (FIPS) was developed by the National Institute of Standards and Technology (NIST) of the United States. FIPS specifies the requirements for cryptographic modules. FIPS 140-2 defines four levels of security, named Level 1 to Level 4, from low to high.
  • Page 573: Configuring Fips Mode

    b. Specify the current configuration file as the startup configuration file.
    c. Delete the startup configuration file in binary format.
    d. Reboot the device.
    Otherwise, the commands that are not supported by FIPS mode, if they are in the configuration file, might be restored.
  • Page 574: Configuration Changes In Fips Mode

    Configure a username and password to log in to the device in FIPS mode. The password must include at least 15 characters that contain uppercase and lowercase letters, digits, and special characters. The system automatically uses the startup configuration file to reboot the device and enter FIPS mode.
  • Page 575: Exiting Fips Mode

    When the device acts as a server to authenticate a client through the public key, the key pair for the client must also have a modulus length of 2048 bits.
    • SSH, SNMPv3, IPsec, and SSL do not support DES, 3DES, RC4, or MD5.
    •...
  • Page 576: Fips Self-Tests

    To disable FIPS mode:
    Step: Enter system view. Command: system-view
    Step: Disable FIPS mode. Command: undo fips mode enable. Remarks: By default, the FIPS mode is disabled.
    FIPS self-tests
    To ensure the correct operation of cryptography modules, FIPS provides self-test mechanisms, including power-up self-test and conditional self-test. You can also trigger a self-test. If the power-up self-test fails, the card where the self-test process exists reboots.
  • Page 577: Conditional Self-Tests

    Conditional self-tests
    A conditional self-test runs when an asymmetrical cryptographic module or a random number generator module is invoked. Conditional self-tests include the following types:
    • Pair-wise consistency test—This test is run when a DSA/RSA asymmetrical key-pair is generated. It uses the public key to encrypt a plain text, and uses the private key to decrypt the encrypted text.
  • Page 578: Entering Fips Mode Through Manual Reboot

    The system will create a new startup configuration file for FIPS mode. After you set the login username and password for FIPS mode, the device will reboot automatically.
    Enter username(1-55 characters):root
    Enter password(15-63 characters):
    Confirm password:
    Waiting for reboot... After reboot, the device will enter FIPS mode.
    Verifying the configuration
    After the device reboots, enter the username root and the password 12345zxcvb!@#$%ZXCVB.
  • Page 579
    <Sysname> system-view
    [Sysname] password-control enable
    # Set the number of character types a password must contain to 4, and set the minimum number of characters for each type to one character.
    [Sysname] password-control composition type-number 4 type-length 1
    # Set the minimum length of user passwords to 15 characters.
    [Sysname] password-control length 15
    # Add a local user account for device management, including a username of test, a password of 12345zxcvb!@#$%ZXCVB, a user role of network-admin, and a service type of terminal.
  • Page 580: Exiting Fips Mode Through Automatic Reboot

    new password:
    confirm:
    Updating user information. Please wait ...
    <Sysname>
    # Display the current FIPS mode state.
    <Sysname> display fips status
    FIPS mode is enabled.
    Exiting FIPS mode through automatic reboot
    Network requirements
    A user has logged in to the device in FIPS mode through a console/AUX/Async port. Use the automatic reboot method to exit FIPS mode.
  • Page 581
    # Save the current configuration to the root directory of the storage medium, and specify it as the startup configuration file.
    [Sysname] save
    The current configuration will be written to the device. Are you sure? [Y/N]:y
    Please input the file name(*.cfg)[flash:/startup.cfg]
    (To leave the existing filename unchanged, press the enter key):
    flash:/startup.cfg exists, overwrite? [Y/N]:y
    Validating file.
  • Page 582: Configuring Dpi Engine

    Configuring DPI engine
    Command and hardware compatibility
    Commands and descriptions for centralized devices apply to the following routers:
    • MSR1002-4/1003-8S.
    • MSR2003.
    • MSR2004-24/2004-48.
    • MSR3012/3024/3044/3064.
    • MSR954(JH296A/JH297A/JH299A)
    Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers.
    Overview
    DPI engine is an inspection module shared by DPI service modules, such as IPS, URL filtering, file filtering, data filtering, content filtering, and antivirus.
  • Page 583 If a matching rule is found and the rule action is inspect, the device forwards the packet to the DPI engine. If a matching rule is found and the rule action is drop or pass, the device processes the packet according to the action. If no matching rule is found, the device drops the packet.
  • Page 584: Dpi Engine Configuration Task List

    Figure 178 DPI engine mechanism (flowchart nodes: Start; Match an object policy rule?; Rule action is inspect?; Perform the rule action; Drop; DPI engine; Protocol parsing; Inspection rule with AC patterns?; Match AC pattern?; Match option?; DPI service modules; Permit)
    DPI engine configuration task list
    Task at a glance
    (Required.) Configure a DPI application profile...
  • Page 585: Configure A Dpi Application Profile

    Task at a glance
    (Optional.) Configuring action parameter profiles
    (Optional.) Optimizing the DPI engine
    (Optional.) Disabling inspection suspension upon excessive CPU usage
    Configure a DPI application profile
    The DPI application profile is a security service template that can include DPI service policies, such as IPS policy, content filtering policy, and URL filtering policy.
  • Page 586: Configuring Action Parameter Profiles

    Configuring action parameter profiles Configuring a block source parameter profile A block source parameter profile defines the block period for the block source action in DPI service modules. For the block period to take effect, make sure the blacklist feature is enabled. With the blacklist feature enabled, the device drops the packet that matches an inspection rule and adds the packet source IP address to the IP blacklist.
  • Page 587: Configuring A Logging Parameter Profile

    Step: Specify the URL to which cached captured packets are exported. Command: export url url-string. Remarks: By default, no URL is specified for exporting the cached captured packets.
    Configuring a logging parameter profile
    A logging parameter profile defines the log storage method for the logging action in DPI service modules.
  • Page 588: Optimizing The Dpi Engine

    Step: Create an email parameter profile and enter its view. Command: inspect email parameter-profile parameter-name. Remarks: By default, no email parameter profiles exist.
    Step: Specify the email server. Command: email-server addr-string. Remarks: By default, no email server is specified.
    Step: Specify the DNS server address. Command: dns-server ip-address. Remarks: By default, no DNS server...
  • Page 589: Disabling Inspection Suspension Upon Excessive Cpu Usage

    Disabling inspection suspension upon excessive CPU usage Packet inspection in the DPI engine is a complex and resource-consuming process. When the CPU usage is too high, the DPI engine by default suspends packet inspection to guarantee the device performance. You can also perform this task to configure the DPI engine to continue packet inspection even when the CPU usage is too high.
  • Page 590
    Task: Display the memory usage of MiniAC pattern inspection engines (distributed devices in IRF mode). Command: display inspect memory engine mn [ chassis chassis-number slot slot-number ]
    Task: Display the memory usage of DPI engine inspection rules (centralized devices in standalone mode). Command: display inspect memory rule
    Task: Display the memory usage of DPI engine inspection rules (distributed devices in standalone... Command: display inspect memory rule [ slot slot-number ]...
  • Page 591: Configuring Ips

    Configuring IPS IPS requires a license to run on the device. If the license expires, you can still use the IPS functions but you can no longer update the IPS signature library on the device. Overview Intrusion prevention systems (IPS) are network security appliances that enable devices to monitor network traffic for malicious activity and to proactively take prevention actions.
  • Page 592: Ips Mechanism

    blacklist feature, see Security Configuration Guide. For information about configuring the block period, see the DPI engine commands in the DPI Command Reference.
    • Drop—Drops matching packets.
    • Permit—Permits matching packets to pass.
    • Capture—Captures matching packets.
    • Logging—Logs matching packets.
    IPS mechanism
    As shown in Figure...
  • Page 593: Ips Signature Library Management

    Figure 179 IPS mechanism
    IPS signature library management
    The device uses IPS signatures to inspect application layer traffic for malicious threats and attacks. You can update the device IPS signature library to the latest version or roll back the library to the previous version.
  • Page 594: Ips Configuration Task List

    Use this method when the device cannot obtain the IPS signature file automatically. You must first download the most up-to-date IPS signature file manually. The device then obtains the downloaded file to update its local signature library.
    Rolling back the IPS signature library
    If filtering false alarms or filtering exceptions occur frequently, you can roll back the IPS signature library to the previous version.
  • Page 595: Specifying A Parameter Profile For An Ips Signature Action

    Specifying a parameter profile for an IPS signature action You can specify parameter profiles for IPS signature actions. A parameter profile is a set of parameters that determine how the action is executed. If you do not specify a parameter profile for an action, or if the specified profile does not exist, the default action parameter settings are used.
  • Page 596: Using A Dpi Application Profile In An Object Policy Rule

    Step: Import user-defined IPS signatures. Command: ips signature import snort file-path. Remarks: By default, no user-defined IPS signatures exist.
    Using a DPI application profile in an object policy rule
    Perform this task to use a DPI application profile in an IPv4 or IPv6 object policy rule. For information about object policy rules, see Security Configuration Guide.
  • Page 597: Managing The Ips Signature Library

    Step: Enter system view. Command: system-view
    Step: Configure the security zones. Command: security-zone name zone-name. Remarks: The default security zones Any, Local, Trust, DMZ, Management, and Untrust are automatically created when you create the first security zone on the device.
    Step: Create a zone pair and enter... Command: zone-pair security source source-zone-name destination... Remarks: By default, no zone pairs exist.
  • Page 598: Triggering An Immediate Ips Signature Update

    Triggering an immediate IPS signature update
    Whenever a new signature version is released on the TippingPoint website, you can trigger the device to immediately update the local signature library. For a successful automatic update, make sure the device can resolve the IP address of the TippingPoint website through DNS, and the device can connect to the TippingPoint website.
  • Page 599: Rolling Back The IPS Signature Library

    Rolling back the IPS signature library
    If an IPS signature library update causes exceptions or a high false alarm rate, you can roll back the IPS signature library. Before it rolls back, the device saves the current signature library as the previous version, so the version you are rolling back from remains available for a later rollback.
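    The signature library lifecycle described in the manual update, immediate update and rollback sections above, as one added example that is not configuration text from the guide. The file name flash:/ips-1.0.10.dat is an assumption (a file already copied to the device over a trusted channel), as is the reachability of the TippingPoint site; the command keywords follow the Comware 7 IPS syntax as understood here and should be checked against the command reference for your release:

```text
# Added example (not from the guide). Assumes the signature file was copied to
# flash:/ips-1.0.10.dat beforehand and that DNS and outbound access to the
# TippingPoint site work for the immediate update.
<Device> system-view
# Manual update from a file that is already on the device.
[Device] ips signature update flash:/ips-1.0.10.dat
# Or pull the latest release right now (needs DNS resolution and connectivity).
[Device] ips signature auto-update-now
# Check which library version is now current and which one was kept as previous.
[Device] display ips signature library
# If the new library causes a burst of false alarms, revert to the version that
# ran before the update; the version being replaced is kept as the new previous.
[Device] ips signature rollback last
[Device] display ips signature library
```

    Run the display command before and after each update so that the version you may have to roll back to is known; after a rollback the two versions swap roles, so a second ips signature rollback last restores the newer library once the false alarms have been addressed.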
  • Page 600: IPS Configuration Examples

    Task: Display IPS policy information. Command: display ips policy policy-name
    IPS configuration examples
    Default IPS policy application example
    Network requirements
    As shown in Figure 180, the device connects to the LAN and the Internet through security zones Trust and Untrust, respectively. Configure the device to use the default IPS policy for attack detection and prevention.
  • Page 601: User-Defined IPS Policy Application Example

    [Device-app-profile-sec] quit
    Configure an object policy:
    # Create the IPv4 object policy ipsfilter, and enter its view.
    [Device] object-policy ip ipsfilter
    # Configure an object policy rule that applies the DPI application profile sec to packets whose source address matches the IP address object group ipsfilter, regardless of destination.
    [Device-object-policy-ip-ipsfilter] rule inspect sec source-ip ipsfilter destination-ip any
    [Device-object-policy-ip-ipsfilter] quit...
  • Page 602 Configuration procedure
    Assign IP addresses to interfaces, as shown in Figure 181. (Details not shown.)
    Configure the security zones:
    # Assign GigabitEthernet 1/0/1 to security zone Trust.
    <Device> system-view
    [Device] security-zone name trust
    [Device-security-zone-Trust] import interface gigabitethernet 1/0/1
    [Device-security-zone-Trust] quit
    # Assign GigabitEthernet 1/0/2 to security zone Untrust.
  • Page 603: IPS Signature Library Manual Update Configuration Example

    Activate DPI services.
    [Device] inspect activate
    Verifying the configuration
    # Verify that the IPS policy ips1 is successfully configured.
    <Device> display ips policy ips1
    IPS signature library manual update configuration example
    Network requirements
    As shown in Figure 182, LAN users in the security zone trust can access the following resources: •...
  • Page 604 # Create a zone pair between the source zone Local and the destination zone DMZ, and apply ACL 2001 to the zone pair for packet filtering.
    [Device] zone-pair security source local destination dmz
    [Device-zone-pair-security-Local-DMZ] packet-filter 2001
    [Device-zone-pair-security-Local-DMZ] quit
    # Create a zone pair between the source zone DMZ and the destination zone Local, and apply ACL 2001 to the zone pair for packet filtering.
  • Page 605: IPS Signature Library Automatic Update Configuration Example

    Verifying the configuration
    # Verify that the device can use the default IPS policy to detect and prevent known network attacks. (Details not shown.) For example, when an incoming attack packet matches the predefined signature GNU_Bash_Local_Memory_Corruption_Vulnerability(CVE-2014-718), the device automatically executes the signature actions (reset and logging) on the packet.
    # Verify that the device IPS signature library is updated.
  • Page 606: Document Conventions And Icons

    Document conventions and icons
    Conventions
    This section describes the conventions used in the documentation.
    Port numbering in examples: The port numbers in this document are for illustration only and might be unavailable on your device.
    Command conventions: Boldface: Bold text represents commands and keywords that you enter literally as shown.
  • Page 607: Network Topology Icons

    Network topology icons
    • Represents a generic network device, such as a router, switch, or firewall.
    • Represents a routing-capable device, such as a router or Layer 3 switch.
    • Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 608: Support And Other Resources

    Hewlett Packard Enterprise Support Center More Information on Access to Support Materials page: www.hpe.com/support/AccessToSupportMaterials IMPORTANT: Access to some updates might require product entitlement when accessed through the Hewlett Packard Enterprise Support Center. You must have an HP Passport set up with relevant entitlements.
  • Page 609: Websites

    Websites
    Networking websites:
    • Hewlett Packard Enterprise Networking Information Library: www.hpe.com/networking/resourcefinder
    • Hewlett Packard Enterprise Networking website: www.hpe.com/info/networking
    • Hewlett Packard Enterprise Networking My Support: www.hpe.com/networking/support
    General websites:
    • Hewlett Packard Enterprise Information Library: www.hpe.com/info/enterprise/docs
    • Hewlett Packard Enterprise Support Center: www.hpe.com/support/hpesc
    • Contact Hewlett Packard Enterprise Worldwide: www.hpe.com/assistance
    • Subscription Service/Support Alerts: www.hpe.com/support/e-updates...
  • Page 610: Index

    Index (pages 610 through 677): the two-column index entries and their page references did not survive extraction and are not reproduced here.
  • Page 678 SSH SFTP server connection, IPsec tunnel for IPv6 packets (IKE-based), session management traffic-based session testing logging, AAA RADIUS server status detection test profile, transform set (IPsec), FIPS conditional self-test, Transmission Control Protocol. Use FIPS power-up self-test, transporting FIPS triggered self-test, IPsec encapsulation transport mode, TFTP trapping...
  • Page 679 AAA RADIUS request transmission attempts PKI certificate export failure, max, PKI configuration, AAA RADIUS session-control, PKI CRL obtain failure, attack D&P defense policy (UDP flood), PKI local certificate import failure, PKI local certificate obtain failure, uncontrolled port (802.1X), PKI local certificate request failure, unicast 802.1X unicast trigger mode, 82, PKI storage path set failure,...
  • Page 680 security portal authentication extended user account cross-subnet configuration, MAC authentication user account format, security portal authentication extended direct MAC authentication user account policies, configuration, user authentication security portal authentication extended password control configuration, 225, 228, re-DHCP, password control parameters (global), security portal authentication logout, password control parameters (local user), security portal authentication max number...
  • Page 681 IPS DPI application profile in IPv6 object IPv4 source guard (IPv4SG) static binding policy rule, configuration, IPv6 source guard (IPv6SG) dynamic binding+DHCPv6 snooping configuration, validity check IPv6 source guard (IPv6SG) static binding ARP detection packet, configuration, ARP detection user, MAC authentication VLAN assignment, ARP detection user+packet, port security secure MAC address, verifying...
  • Page 682 security portal authentication direct port security MAC address autoLearn, configuration with preauthentication working with domain, SSH SFTP directories, security portal authentication extended SSH SFTP files, cross-subnet configuration, security portal authentication extended direct configuration, X.500 AAA LDAP implementation, security portal authentication extended functions, security portal authentication extended zone...