H3C S9500E Series Security Configuration Manual

H3C S9500E Series Routing Switches
Security Configuration Guide
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com

Summary of Contents for H3C S9500E Series

  • Page 1 H3C S9500E Series Routing Switches Security Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com...
  • Page 2 SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V G, V G, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners.
  • Page 3: Preface

    The H3C S9500E documentation set includes 13 configuration guides, which describe the software features for the H3C S9500E Series 10G Core Routing Switches and guide you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply software features to different network scenarios.
  • Page 4 Convention Description: ... vertical bars, from which you may select multiple choices or none. &<1-n>: The argument or keyword-and-argument combination before the ampersand (&) sign can be entered 1 to n times. #: A line that starts with a pound (#) sign is a comment. GUI conventions Convention Description...
  • Page 5: About The H3C S9500E Documentation Set

    Installation guide: Provides a complete guide to hardware installation and hardware specifications. Card manuals: Provide the hardware specifications of cards. H3C N68 Cabinet Installation and Remodel Introduction: Guides you through installing and remodeling H3C N68 cabinets. Hardware specifications and installation...
  • Page 7: Obtaining Documentation

    Obtaining documentation You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top navigation bar to obtain different categories of product documentation: [Technical Support & Documents > Technical Documents] –...
  • Page 8: Table Of Contents

    Table of Contents: Preface 3; Audience 3; Conventions 3; About the H3C S9500E documentation set 5; AAA configuration 14; Introduction to AAA 14; Introduction to RADIUS 15; Client/Server model 15; Security and authentication mechanisms 16; Basic message exchange process of RADIUS...
  • Page 9 Setting the status of RADIUS servers 43; Configuring attributes related to data to be sent to the RADIUS server 44; Enabling the RADIUS trap function 45; Specifying the source IP address for RADIUS packets to be sent 45; Setting timers regarding RADIUS servers...
  • Page 10 Configuring the online user handshake function 78; Enabling the multicast trigger function 79; Specifying a mandatory authentication domain for a port 79; Enabling the quiet timer 80; Enabling the re-authentication function 80; Configuring a guest VLAN 80; Configuring an Auth-Fail VLAN...
  • Page 11 Troubleshooting the portal 108; Inconsistent keys on the access device and the portal server 108; Incorrect server port number on the access device 108; Public key configuration 110; Public key algorithm overview 110; Basic concepts 110; Key algorithm types...
  • Page 12 Enabling the SFTP server 143; Configuring the SFTP connection idle timeout period 143; Configuring an SFTP client 144; Specifying a source IP address or interface for the SFTP client 144; Establishing a connection to the SFTP server 144; Working with the SFTP directories...
  • Page 13 Access software downloads 176; Telephone technical support and repair 176; Contact us 176; Appendix A: RADIUS attributes 177; Commonly used standard RADIUS attributes 177; Proprietary RADIUS sub-attributes of H3C 178; Acronyms 180; Index 195...
  • Page 14: Aaa Configuration

    AAA configuration The switch operates in IRF mode or standalone mode (the default). For more information about the IRF mode, see IRF in the IRF Configuration Guide. Introduction to AAA Authentication, authorization, and accounting (AAA) provide a uniform framework for configuring these three security functions when implementing network security management.
  • Page 15: Introduction To Radius

    • Accounting: Records all network service usage information of users. This includes the service type, start and end time, and traffic. In this way, accounting can be used for charging and network security surveillance. You can use AAA to provide one or two security functions. For example, if your company only wants employees to be authenticated before they access specific resources, you only need to configure an authentication server.
  • Page 16: Security And Authentication Mechanisms

    Figure 2 RADIUS server components • Users: Stores user information such as the username, password, applied protocols, and IP address. • Clients: Stores information about RADIUS clients, such as the shared keys and IP addresses. • Dictionary: Stores information about the meanings of RADIUS protocol attributes and their values.
  • Page 17: Radius Packet Format

    Figure 3 Basic message exchange process of RADIUS RADIUS operates in the following way: The host initiates a connection request carrying the username and password to the RADIUS client. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted by using the Message-Digest 5 (MD5) algorithm and the shared key.
  • Page 18 mechanism, retransmission mechanism, and slave server mechanism. Figure 4 shows the RADIUS packet format. Figure 4 RADIUS packet format Descriptions of the fields are as follows: The Code field (1-byte long) indicates the type of the RADIUS packet. Table 1 shows potential values and their meanings.
  • Page 19 The Length field (2-byte long) indicates the length of the entire packet, including the Code, Identifier, Length, Authenticator, and Attribute fields. The value of the field ranges from 20 to 4096. Bytes beyond the length are considered padding and ignored. If the length of a received packet is less than that indicated by the Length field, the packet is dropped.
  • Page 20 Attribute Attribute Filter-ID Event-Timestamp Framed-MTU (unassigned) CHAP-Challenge Framed-Compression Login-IP-Host NAS-Port-Type Login-Service Port-Limit Login-TCP-Port Login-LAT-Port (unassigned) Tunnel-Type Reply-Message Tunnel-Medium-Type Callback-Number Tunnel-Client-Endpoint Callback-ID Tunnel-Server-Endpoint (unassigned) Acct-Tunnel-Connection Framed-Route Tunnel-Password Framed-IPX-Network ARAP-Password State ARAP-Features Class ARAP-Zone-Access Vendor-Specific ARAP-Security Session-Timeout ARAP-Security-Data...
  • Page 21 Attribute Attribute Idle-Timeout Password-Retry Termination-Action Prompt Called-Station-Id Connect-Info Calling-Station-Id Configuration-Token NAS-Identifier EAP-Message Proxy-State Message-Authenticator Login-LAT-Service Tunnel-Private-Group-id Login-LAT-Node Tunnel-Assignment-id Login-LAT-Group Tunnel-Preference ARAP-Challenge- Framed-AppleTalk-Link Response Framed-AppleTalk- Acct-Interim-Interval Network Framed-AppleTalk-Zone Acct-Tunnel-Packets-Lost Acct-Status-Type NAS-Port-Id Acct-Delay-Time Framed-Pool Acct-Input-Octets (unassigned) Acct-Output-Octets Tunnel-Client-Auth-id Acct-Session-Id Tunnel-Server-Auth-id The attribute types listed in Table 2 are defined by RFC 2865, RFC 2866, RFC 2867, and RFC 2568. •...
  • Page 22: Extended Radius Attributes

    Vendor-ID (four bytes): Indicates the ID of the vendor. Its most significant byte is 0 and the other three bytes contain a code complying with RFC 1700. The vendor ID of H3C is 2011. For details about the extended RADIUS attributes, see Proprietary RADIUS sub-attributes of H3C.
  • Page 23: Basic Message Exchange Process Of Hwtacacs

    Table 3 Primary differences between HWTACACS and RADIUS. HWTACACS: Uses TCP, providing more reliable network transmission. RADIUS: Uses UDP, providing higher transport efficiency. HWTACACS: Encrypts the entire packet except for the HWTACACS header. RADIUS: Encrypts only the user password field in an authentication packet.
  • Page 24 Figure 6 Basic message exchange process of HWTACACS for a Telnet user A Telnet user sends an access request to the NAS. Upon receiving the request, the HWTACACS client sends a start-authentication packet to the HWTACACS server. The HWTACACS server sends back an authentication response requesting the username. Upon receiving the response, the HWTACACS client asks the user for the username.
  • Page 25: Domain-Based User Management

    Upon receipt of the response, the HWTACACS client asks the user for the login password. The user inputs the password. After receiving the login password, the HWTACACS client sends to the HWTACACS server a continue-authentication packet carrying the login password. The HWTACACS server sends back an authentication response indicating that the user has passed authentication.
  • Page 26: Aaa-Across-Vpns

    • LAN users: Users on a LAN who access through 802.1X authentication or MAC address authentication, for example. • Login users: Users who log in using SSH, Telnet, FTP, or HyperTerminal, for example. • Portal users: Users who access through a portal. •...
  • Page 27: Aaa Configuration Task List

    • RFC 2865: Remote Authentication Dial In User Service (RADIUS) • RFC 2866: RADIUS Accounting • RFC 2867: RADIUS Accounting Modifications for Tunnel Protocol Support • RFC 2868: RADIUS Attributes for Tunnel Protocol Support • RFC 2869: RADIUS Extensions • RFC 1492: An Access Control Protocol, Sometimes Called TACACS AAA configuration task list The basic procedure to configure AAA is as follows:...
  • Page 28: Configuring Aaa

    Figure 9 AAA configuration procedure For login users, you must configure the authentication mode for logging into the user interface as scheme. For more information, see Logging In to the Device in the Fundamentals Configuration Guide. Configuring AAA By configuring AAA, you can provide network access service for legal users, protect the networking devices, and avoid unauthorized access.
  • Page 29: Configuring Isp Domain Attributes

    Follow these steps to create an ISP domain: To do… Use the command… Remarks. Enter system view: system-view (—). Create an ISP domain and enter ISP domain view: domain isp-name (Required). Return to system view: quit (—). Specify the default ISP domain: domain default enable isp-name (Optional; by default, the system has a default ISP...)
  • Page 30: Configuring Aaa Authentication Method For An Isp Domain

    Configuring AAA authentication method for an ISP domain In AAA, authentication, authorization, and accounting are separate processes. Authentication refers to the interactive authentication process of username/password/user information during an access or service request. The authentication process neither sends authorization information to a supplicant nor triggers any accounting.
  • Page 31: Configuring Aaa Authorization Methods For An Isp Domain

    To do… Use the command… Remarks authentication login { Optional hwtacacs-scheme hwtacacs- Specify the authentication scheme-name [ local ] | local | The default authentication • method for login users none | radius-scheme radius- method is used by default. scheme-name [ local ] } Optional authentication portal { local | Specify the authentication...
  • Page 32 users are console users who use the console, AUX, asynchronous serial port, Telnet, or SSH to connect to the switch.. The default setting for FTP users is to use the root directory of the switch. Before configuring authorization methods, complete these three tasks: For HWTACACS authorization, configure the HWTACACS scheme to be referenced first.
  • Page 33: Configuring Aaa Accounting Methods For An Isp Domain

    • With the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name [ local | none ] keyword and argument combination configured, local authorization (local) or no authentication (none) is the backup when the remote server is not available. • If the primary authorization method is local or none, the system performs local authorization or does...
  • Page 34: Configuring Local User Attributes

    To do… Use the command… Remarks Optional accounting lan-access { local Specify the accounting method | none | radius-scheme radius- The default accounting method is for LAN users scheme-name [ local ] } used by default. accounting login { hwtacacs- Optional scheme hwtacacs-scheme-name [ Specify the accounting method...
  • Page 35 Follow these steps to configure the attributes for a local user: To do… Use the command… Remarks Enter system view system-view — Optional auto by default, indicating that Set the password display mode local-user password-display- the password must be displayed for all local users mode { auto | cipher-force } in the mode specified during...
  • Page 36: Configuring User Group Attributes

    To do… Use the command… Remarks Optional By default, a local user account never expires. If some users need to access the Set the expiration time of the network temporarily, you can expiration-date time local user establish a guest account, and specify an expiration time for the account by using this command to control the availability of the...
  • Page 37: Disconnect User Connections

    To do… Use the command… Remarks Enter system view system-view — Create a user group and user-group group-name Required enter user group view authorization-attribute { acl acl-number | Optional callback-number By default, no Configure the authorization callback-number | idle-cut minute | level authorization attribute is attributes for the user group level | user-profile profile-name | vlan vlan-...
  • Page 38: Displaying And Maintaining Aaa

    Displaying and maintaining AAA To do… Use the command… Remarks Display the configuration information of a specified ISP display domain [ isp-name ] Available in any view domain or all ISP domains Display information about display connection [ domain isp-name | specified or all user ucibindex ucib-index | user-name user- Available in any view...
  • Page 39: Specifying The Vpn Instance

    To do… Use the command… Remarks Enter system view system-view — Required Create a RADIUS scheme and radius scheme radius-scheme- enter RADIUS scheme view name Not defined by default A RADIUS scheme can be referenced by more than one ISP domain at the same time. Specifying the VPN instance After specify...
  • Page 40: Specifying The Radius Accounting Servers And Relevant Parameters

    • HP recommends that you specify only the primary RADIUS authentication/authorization server if backup is not required. • If both the primary and secondary authentication/authorization servers are specified, the secondary one is used when the primary one is unreachable. • In practice, you may specify one RADIUS server as the primary authentication/authorization server and...
  • Page 41: Specifying The Shared Keys For Radius Packets

    • If both the primary and secondary accounting servers are specified, the secondary one is used when the primary one is not reachable. • In practice, you may specify one RADIUS server as the primary accounting server, and up to 16 RADIUS...
  • Page 42: Setting The Upper Limit Of Radius Request Retransmission Attempts

    Setting the upper limit of RADIUS request retransmission attempts Because RADIUS uses UDP packets to transfer data, the communication process is not reliable. If a NAS receives no response from the RADIUS server before the response timeout timer expires, it can retransmit the RADIUS request.
  • Page 43: Setting The Status Of Radius Servers

    Setting the status of RADIUS servers By setting the status of RADIUS servers to block or active, you can control which servers the switch will communicate with for authentication, authorization, and accounting or turn to when the current servers are not available any more. In practice, you can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary ones as the backup of the primary one.
  • Page 44: Configuring Attributes Related To Data To Be Sent To The Radius Server

    To do… Use the command… Remarks active for every Set the status of the primary RADIUS state primary accounting { active | server configured accounting server block } with IP address in the Set the status of the secondary state secondary authentication [ ip RADIUS scheme RADIUS authentication/authorization ip-address | ipv6 ipv6-address ] { active...
  • Page 45: Enabling The Radius Trap Function

    • The unit of data flows sent to the RADIUS server must be consistent with the traffic statistics unit of the RADIUS server. Otherwise, accounting cannot be performed correctly. Enabling the RADIUS trap function With the RADIUS trap function, a NAS sends a trap message in either of these situations: •...
  • Page 46: Setting Timers Regarding Radius Servers

    To do… Use the command… Remarks Required Specify the source IP radius nas-ip { ip-address [ address for RADIUS vpn-instance vpn-instance- By default, the IP address of the outbound packets to be sent name ] | ipv6 ipv6-address } interface is used as the source IP address. Follow these steps to specify a source IP address for a specific RADIUS scheme: To do…...
  • Page 47: Specifying Security Policy Servers

    To do… Use the command… Remarks. Set the real-time accounting timer: realtime-accounting interval minutes (Optional; 12 minutes by default). • The product of the maximum number of retransmission attempts of RADIUS packets and the RADIUS server response timeout period must be less than 75, and the upper limit of this product is determined by the upper limit of the timeout periods of the access modules.
  • Page 48: Enabling The Listening Port Of The Radius Client

    To do… Use the command… Remarks. Specify a security policy server: security-policy-server ip-address (Optional; not specified by default). • If more than one interface of the switch is configured with user access authentication functions, the interfaces may use different security policy servers. You can specify up to eight security policy servers for a RADIUS scheme.
  • Page 49: Displaying And Maintaining Radius

    Displaying and maintaining RADIUS To do… Use the command… Remarks Display the configuration information of a specified display radius scheme [ radius-scheme- Available in any view RADIUS scheme or all RADIUS name ] [ slot slot-number ] schemes (standalone mode) Display the configuration display radius scheme [ radius-scheme- information of a specified...
  • Page 50: Creating An Hwtacacs Scheme

    Creating an HWTACACS scheme The HWTACACS protocol is configured on a per scheme basis. Before performing other HWTACACS configurations, follow these steps to create an HWTACACS scheme and enter HWTACACS scheme view: To do… Use the command… Remarks Enter system view system-view —...
  • Page 51: Specifying The Hwtacacs Authorization Servers

    • It is recommended to specify only the primary HWTACACS authentication server if backup is not required. • If both the primary and secondary authentication servers are specified, the secondary one is used when the primary one is not reachable. • The IP addresses of the primary and secondary authentication servers cannot be the same.
  • Page 52: Setting The Shared Key For Hwtacacs Packets

    To do… Use the command… Remarks primary accounting ip-address Specify the primary [ port-number | vpn-instance Required HWTACACS accounting server vpn-instance-name ] * Configure at least one of the commands secondary accounting ip- Specify the secondary address [ port-number | vpn- No accounting server by default HWTACACS accounting server instance vpn-instance-name ] *...
  • Page 53: Configuring Attributes Related To The Data Sent To Hwtacacs Server

    Configuring attributes related to the data sent to HWTACACS server Follow these steps to configure the attributes related to the data sent to the HWTACACS server: To do… Use the command… Remarks Enter system view system-view — hwtacacs scheme hwtacacs- Enter HWTACACS scheme view —...
  • Page 54: Setting Timers Regarding Hwtacacs Servers

    To do… Use the command… Remarks Required Specify the source IP hwtacacs nas-ip ip-address address for HWTACACS [ vpn-instance vpn-instance- By default, the IP address of the outbound packets to be sent name ] interface is used as the source IP address. Follow these steps to specify a source IP address for a specific HWTACACS scheme: To do…...
  • Page 55: Displaying And Maintaining Hwtacacs

    Displaying and maintaining HWTACACS To do… Use the command… Remarks Display configuration information or statistics of the display hwtacacs [ hwtacacs-server-name [ Available in any view specified or all HWTACACS statistics ] ] [ slot slot-number ] schemes (standalone mode) Display configuration display hwtacacs [ hwtacacs-scheme-name [ information or statistics of the...
  • Page 56 • Configure the switch to use the HWTACACS server to provide authentication, authorization, and accounting services for Telnet users. The IP address of the server is 10.1.1.1/24. • Set the shared keys for authentication, authorization, and accounting packets exchanged with the HWTACACS server to expert.
  • Page 57: Aaa For Telnet Users By Separate Servers

    [Switch-hwtacacs-hwtac] user-name-format without-domain [Switch-hwtacacs-hwtac] quit Configure the AAA methods for the domain. [Switch] domain bbb [Switch-isp-bbb] authentication login hwtacacs-scheme hwtac [Switch-isp-bbb] authorization login hwtacacs-scheme hwtac [Switch-isp-bbb] accounting login hwtacacs-scheme hwtac [Switch-isp-bbb] quit You can achieve the same purpose by setting AAA methods for all types of users. [Switch] domain bbb [Switch-isp-bbb] authentication default hwtacacs-scheme hwtac [Switch-isp-bbb] authorization default hwtacacs-scheme hwtac...
  • Page 58 Figure 11 Configure AAA by separate servers for Telnet users Configuration procedure Configure the IP addresses of various interfaces (omitted). Enable the Telnet server on the switch. <Switch> system-view [Switch] telnet server enable Configure the switch to use AAA for Telnet users. [Switch] user-interface vty 0 4 [Switch-ui-vty0-4] authentication-mode scheme [Switch-ui-vty0-4] quit...
  • Page 59: Aaa For Ssh Users By A Radius Server

    [Switch-isp-bbb] accounting login radius-scheme rd [Switch-isp-bbb] quit Configure the default AAA methods for all types of users. [Switch] domain bbb [Switch-isp-bbb] authentication default local [Switch-isp-bbb] authorization default hwtacacs-scheme hwtac [Switch-isp-bbb] accounting default radius-scheme rd When Telnetting into the switch, a user enters the username telnet@bbb for authentication using domain bbb.
  • Page 60 Specify the ports for authentication and accounting as 1812 and 1813 respectively. Select Device Management Service as the service type. Select H3C as the access device type. Select the access device from the device list or manually add the device with the IP address of 10.1.1.2...
  • Page 61 Figure 14 Add an account for device management Configure the switch Configure the IP address of VLAN-interface 2, through which the SSH user accesses the switch. <Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 [Switch-Vlan-interface2] quit Configure the IP address of VLAN-interface 3, through which the switch accesses the server.
  • Page 62: Troubleshooting Aaa

    Configure the RADIUS scheme. Create RADIUS scheme rad. [Switch] radius scheme rad Specify the primary authentication server. [Switch-radius-rad] primary authentication 10.1.1.1 1812 Specify the primary accounting server. [Switch-radius-rad] primary accounting 10.1.1.1 1813 Set the shared key for authentication packets to expert. [Switch-radius-rad] key authentication expert Set the shared key for accounting packets to expert.
  • Page 63 The password of the user is incorrect. The RADIUS server and the NAS are configured with different shared keys. Solution: Check that: The NAS and the RADIUS server can ping each other. The username is in the userid@isp-name format and a default ISP domain is specified on the NAS.
  • Page 64: Troubleshooting Hwtacacs

    Troubleshooting HWTACACS Refer to Troubleshooting RADIUS if you encounter an HWTACACS fault.
  • Page 65: 802.1X Configuration

    802.1X configuration 802.1X overview The 802.1X protocol was proposed by the IEEE 802 LAN/WAN committee for the security of wireless LANs (WLANs). However, it has been widely used on Ethernet as a common port access control mechanism. As a port-based network access control protocol, 802.1X authenticates devices connected to the 802.1X-enabled LAN ports to control their access to the LAN.
  • Page 66: Basic Concepts Of 802.1X

    to the RADIUS packets either with the Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) attribute, and then transferred to the RADIUS server. Basic concepts of 802.1X These basic concepts are involved in 802.1X: controlled port/uncontrolled port, authorized state/unauthorized state, and control direction.
  • Page 67: Eap Over Lan

    • auto: Places the port in the unauthorized state initially to allow only EAPOL packets to pass, and turns the port into the authorized state to allow access to the network after the users pass authentication. This is the most common choice. Control direction In the unauthorized state, the controlled port can be set to deny traffic to and from the client or just the traffic from the client.
  • Page 68: Eap Over Radius

    • Length: Length of the data, that is, length of the Packet body field, in bytes. If the value of this field is 0, no subsequent data field is present. • Packet body: Content of the packet. The format of this field varies with the value of the Type field.
  • Page 69: 802.1X Authentication Triggering

    Message-Authenticator Figure 20 shows the encapsulation format of the Message-Authenticator attribute. The Message-Authenticator attribute is used to prevent access requests from being snooped during EAP authentication. It must be included in any packet with the EAP-Message attribute; otherwise, the packet will be considered invalid and get discarded.
  • Page 70 Figure 21 802.1X authentication procedure in EAP relay mode (client and device exchange EAPOL; device and server exchange EAPOR). Message sequence: EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity; RADIUS Access-Request (EAP-Response/Identity); RADIUS Access-Challenge (EAP-Request/MD5 challenge); EAP-Request/MD5 challenge; EAP-Response/MD5 challenge; RADIUS Access-Request (EAP-Response/MD5 challenge); RADIUS Access-Accept...
  • Page 71 When receiving the EAP-Request/MD5 Challenge packet, the client uses the offered challenge to encrypt the password part (this process is not reversible), creates an EAP-Response/MD5 Challenge packet, and then sends the packet to the switch. After receiving the EAP-Response/MD5 Challenge packet, the switch relays the packet in a RADIUS Access-Request packet to the authentication server.
  • Page 72: 802.1X Access Control Method

    RADIUS server for authentication. 802.1X access control method H3C switches not only implement the port-based access control method defined in the 802.1X protocol, but also extend and optimize the protocol by supporting the MAC-based access control method.
  • Page 73: 802.1X Timers

    • MAC-based access control: With this method configured on a port, all users of the port must be authenticated separately, and when a user logs off, no other users are affected. 802.1X timers This section describes the timers used on an 802.1X switch to guarantee that the client, the switch, and the RADIUS server can interact with each other in a reasonable manner.
  • Page 74 • If the port link type is Hybrid, the assigned VLAN is allowed to pass the current port without carrying the tag. The default VLAN ID of the port is that of the assigned VLAN. The assigned VLAN neither changes nor affects the configuration of a port. However, as the assigned VLAN has higher priority than the initial VLAN of the port, it is the assigned VLAN that takes effect after a user passes authentication.
  • Page 75: 802.1X Basic Configuration

    Auth-Fail VLAN The Auth-Fail VLAN feature allows users failing authentication to access a specified VLAN, which is called the Auth-Fail VLAN. Note that failing authentication means being denied by the authentication server due to reasons such as wrong password. Authentication failures caused by authentication timeout or network connection problems do not fall into this category.
  • Page 76: Configuring 802.1X Globally

    • For remote RADIUS authentication, the username and password information must be configured on the RADIUS server. • For local authentication, the username and password information must be configured on the switch and the service type must be set to lan-access. For configuration of the RADIUS client, see AAA in the Security Configuration Guide.
  • Page 77: Configuring 802.1X For A Port

    To do… Use the command… Remarks
    Set timers | dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | reauth-period reauth-period-value ... } | Optional. The defaults are as follows: 15 seconds for the handshake timer, 60 seconds for the quiet timer, 3600 seconds for the periodic re-authentication timer, ...
  • Page 78: Configuring The Online User Handshake Function

    To do… Use the command… Remarks
    ... view | dot1x
    Configuring 802.1X parameters for a port Follow these steps to configure 802.1X parameters for a port:
    To do… Use the command… Remarks
    Enter system view | system-view | —
    Enter Ethernet interface view | interface interface-type interface-number | —...
  • Page 79: Enabling The Multicast Trigger Function

    To do… Use the command… Remarks
    Enable the online handshake function | dot1x handshake | Optional. Enabled by default.
    Some 802.1X clients do not support exchanging handshake packets with the switch. In this case, you need to disable the online user handshake function on the switch; otherwise the switch will tear down the connections with such online users for not receiving handshake responses.
  • Page 80: Enabling The Quiet Timer

    Enabling the quiet timer After the quiet timer is enabled on the switch, when a client fails 802.1X authentication, the switch refuses further authentication requests from the client in a period of time, which is specified by the quiet timer (using the dot1x timer quiet-period command). Follow these steps to enable the quiet timer: To do…...
  • Page 81: Configuring An Auth-Fail Vlan

    • A super VLAN cannot be set as the guest VLAN. Similarly, a guest VLAN cannot be set as the super VLAN. For information about super VLAN, see VLAN in the Layer 2 – LAN Switching Configuration Guide. Configuration prerequisites •...
  • Page 82: Displaying And Maintaining 802.1X

    Configuration procedure Follow these steps to configure an Auth-Fail VLAN:
    To do… Use the command… Remarks
    Enter system view | system-view | —
    Enter Ethernet interface view | interface interface-type interface-number | —
    Configure the Auth-Fail VLAN for the port | dot1x auth-fail vlan authfail-vlan-id | Required. By default, a port is configured with no Auth-Fail VLAN.
  • Page 83 • Specify the switch to try up to five times at an interval of 5 seconds in transmitting a packet to the RADIUS server until it receives a response from the server, and to send real time accounting packets to the accounting server every 15 minutes. •...
  • Page 84 [Device-radius-radius1] secondary accounting 10.1.1.2 Specify the shared key for the switch to exchange packets with the authentication server. [Device-radius-radius1] key authentication name Specify the shared key for the switch to exchange packets with the accounting server. [Device-radius-radius1] key accounting money Set the interval for the switch to retransmit packets to the RADIUS server and the maximum number of transmission attempts.
  • Page 85: Guest Vlan And Vlan Assignment Configuration Example

    command to view the connection information of the user. If the user fails the RADIUS authentication, local authentication of the user will be performed. Guest VLAN and VLAN assignment configuration example Network requirements See Figure 24: • A host is connected to port GigabitEthernet 3/0/2 of the switch and must pass 802.1X authentication to access the Internet.
  • Page 86 Figure 25 Network diagram with the port in the guest VLAN. Figure 26 Network diagram after the client passes authentication (update server, authentication server, Internet and host attached to the device through GE3/0/1 to GE3/0/4; VLANs 2, 5 and 10). Configuration procedure The following configuration procedure covers most AAA/RADIUS configuration commands for the switch,...
  • Page 87 [Device-radius-2000] key accounting abc [Device-radius-2000] user-name-format without-domain [Device-radius-2000] quit Configure authentication domain system and specify to use RADIUS scheme 2000 for users of the domain. [Device] domain system [Device-isp-system] authentication default radius-scheme 2000 [Device-isp-system] authorization default radius-scheme 2000 [Device-isp-system] accounting default radius-scheme 2000 [Device-isp-system] quit Enable 802.1X globally.
  • Page 88: Mac Authentication Configuration

    MAC authentication configuration MAC authentication overview MAC authentication provides a way of authenticating users based on ports and MAC addresses. Once it detects a new MAC address, the switch initiates the authentication process. MAC authentication does not require client software to be installed on the hosts, nor any username or password to be entered by users during authentication.
  • Page 89: Related Concepts

    Related concepts MAC authentication timers The following timers function in the process of MAC authentication: • Offline detect timer: At this interval, the switch checks whether there is traffic from a user. If it detects no traffic from a user within two intervals, the switch logs the user out and sends a stop-accounting request to the RADIUS server.
  • Page 90: Displaying And Maintaining Mac Authentication

    To do… Use the command… Remarks
    Enable MAC authentication globally | mac-authentication | Required. Disabled by default.
    Enable MAC authentication for specified ports | mac-authentication interface interface-list; or: interface interface-type interface-number, mac-authentication, quit | Required. Use either approach. Disabled by default.
    Specify the ISP domain for MAC authentication | mac-authentication domain isp-... | Optional. The default ISP domain is used by MAC authentication...
  • Page 91: Mac Authentication Configuration Examples

    MAC authentication configuration examples By default, Ethernet, VLAN, and aggregate interfaces are down. To configure these interfaces, use the undo shutdown command to bring them up first. Local MAC authentication configuration Network requirements A supplicant is connected to the device through port GigabitEthernet 3/0/1. See Figure 27. •...
  • Page 92: Radius-Based Mac Authentication Configuration

    [Device] mac-authentication domain aabbcc.net Set the MAC authentication timers. [Device] mac-authentication timer offline-detect 180 [Device] mac-authentication timer quiet 180 Specify the MAC authentication username format as MAC address, that is, using the MAC address (with hyphens) of a user as the username and password for MAC authentication of the user. [Device] mac-authentication user-name-format mac-address with-hyphen Verify the configuration Display global MAC authentication information.
  • Page 93 • The username type of fixed username is used for authentication, with the username being aaa and password being 123456. Figure 28 Network diagram for MAC authentication using RADIUS Configuration procedure It is required that the RADIUS server and the device are reachable to each other and the username and password are configured on the server.
  • Page 94: Verify The Configuration

    [Device] mac-authentication timer quiet 180 Specify to use the username aaa and password 123456 for MAC authentication of all users. [Device] mac-authentication user-name-format fixed account aaa password simple 123456 Verify the configuration Display global MAC authentication information. <Device> display mac-authentication MAC address authentication is enabled.
  • Page 95: Portal Configuration

    Portal configuration Introduction to portal Portal authentication, as its name implies, helps control access to the Internet. Portal authentication is also called web authentication and a website implementing portal authentication is called a portal website. With portal authentication, an access device redirects all users to the portal authentication page. All users can access the free services provided on the portal website;...
  • Page 96 Figure 29 Portal system components Authentication client The client system of a user to be authenticated. It can be a browser using the Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS), or a host running the portal client software.
  • Page 97: Portal Authentication Mode

    • Currently, only a RADIUS server can serve as the remote authentication/accounting server in a portal system. • Currently, security checking requires the cooperation of the H3C iNode client. Portal authentication mode Currently, the switch supports Layer 3 portal authentication.
  • Page 98: Portal Authentication Process

    Portal authentication process Figure 30 Layer 3 portal authentication process The Layer 3 authentication process is as follows: A portal user initiates an authentication request through HTTP. When the HTTP packet arrives at the access device, the access device allows it to pass if it is destined for the portal server or a predefined free website, or redirects it to the portal server if it is destined for other websites.
  • Page 99: Basic Portal Configuration

    If HTTPS is used, after the portal user initiates an authentication request through HTTPS, the authentication client and the access device will first perform SSL negotiation to establish a secure path that encrypts packets to be transferred. Basic portal configuration Configuration prerequisites The portal feature provides a solution for user authentication and security checking.
  • Page 100: Configuring A Portal-Free Rule

    To do… Use the command… Remarks
    Enable portal authentication on the interface | portal server server-name method layer3 | Required. Disabled by default.
    • The destination port number that the switch uses for sending unsolicited packets to the portal server must be the same as the one that the remote portal server actually uses.
    • The portal server and its parameters can be deleted or modified only when the portal server is not...
  • Page 101: Configuring An Authentication Subnet

    Configuring an authentication subnet By configuring authentication subnets, you can allow portal authentication to be triggered only by packets from users on the authentication subnets. If a user does not initiate portal authentication before accessing the external network, and the user's packets neither match the portal-free rules nor come from an authentication subnet, the access device discards the user's packets.
  • Page 102: Specifying A Nas Id Profile For An Interface

    To do… Use the command… Remarks
    Specify an authentication domain for the interface | portal domain domain-name | Required. By default, no authentication domain is specified for an interface.
    The switch selects the authentication domain for a portal user on an interface in this order: the ISP domain specified for the interface, the ISP domain carried in the username, and the system default ISP domain.
  • Page 103: Setting The Maximum Number Of Online Portal Users

    To do… Use the command… Remarks
    Specify a NAS ID profile for the interface | portal nas-id-profile profile-name | Required. By default, an interface is specified with no NAS ID profile.
    Setting the maximum number of online portal users You can use this feature to control the total number of online portal users in the system. Follow these steps to set the maximum number of portal users allowed in the system: To do…...
  • Page 104: Portal Configuration Examples

    To do… Use the command… Remarks
    Display TCP spoofing statistics | display portal tcp-cheat statistics | Available in any view
    Display information about portal users on a specified interface or all interfaces | display portal user { all | interface interface-type interface-number } | Available in any view
    Clear portal connection statistics | reset portal connection statistics {all...
  • Page 105 • You need to configure IP addresses for the host, switches, and servers as shown in Figure 31, and ensure that they are reachable to each other. • Perform configurations on the RADIUS server to ensure that the user authentication and accounting...
  • Page 106: Configuring Layer 3 Portal Authentication With Extended Functions

    • URL: http://192.168.0.111/portal. [SwitchA] portal server newpt 192.168.0.111 portal port 50100 http://192.168.0.111/portal Enable portal authentication on the interface connecting Switch B. [SwitchA] interface vlan-interface 4 [SwitchA-Vlan-interface4] portal server newpt method layer3 [SwitchA-Vlan-interface4] quit Configuring Layer 3 portal authentication with extended functions Network requirements •...
  • Page 107 Create a RADIUS scheme named rs1 and enter its view. <SwitchA> system-view [SwitchA] radius scheme rs1 Set the server type for the RADIUS scheme. When using the CAMS or iMC server, you need to set the server type to extended. [SwitchA-radius-rs1] server-type extended Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
  • Page 108: Troubleshooting The Portal

    • Name: newpt • IP address: 192.168.0.111 • Key: portal • Port number: 50100 • URL: http://192.168.0.111/portal. [SwitchA] portal server newpt 192.168.0.111 portal port 50100 http://192.168.0.111/portal Enable portal authentication on the interface connecting Switch B. [SwitchA] interface vlan-interface 4 [SwitchA-Vlan-interface4] portal server newpt method layer3 [SwitchA-Vlan-interface4] quit Troubleshooting the portal...
  • Page 109 access device is not 50100, the destination port of the REQ_LOGOUT message is not the actual listening port on the server. Thus, the portal server cannot receive the REQ_LOGOUT message. As a result, you cannot force the user to log out the portal server. When the user uses the disconnect attribute on the client to log out, the portal server actively sends a REQ_LOGOUT message to the access device.
  • Page 110: Public Key Configuration

    Public key configuration Public key algorithm overview Basic concepts • Algorithm: A set of transformation rules for encryption and decryption. • Plain text: Information that has not been encrypted. • Cipher text: Encrypted information. • Key: A string of characters that controls the transformation between plain text and cipher text. It is used in both encryption and decryption.
  • Page 111: Asymmetric Key Algorithm Applications

    Asymmetric key algorithm applications Asymmetric key algorithms can be used for encryption and digital signature: • Encryption: The sender uses the public key of the intended receiver to encrypt the information to be sent. Only the intended receiver, the holder of the paired private key, can decrypt the information.
  • Page 112: Displaying Or Exporting The Local Rsa Or Dsa Host Public Key

    • The length of a DSA key modulus is in the range 512 to 2048 bits. After entering the public-key local create dsa command, you will be required to specify the modulus length. For security, a modulus of at least 768 bits is recommended. Displaying or exporting the local RSA or DSA host public key Display the local RSA or DSA host public key on the screen or export it to a specified file.
  • Page 113: Displaying And Maintaining Public Keys

    • Import it from the public key file: The system automatically converts the public key to a string coded using the PKCS (Public Key Cryptography Standards). Before importing the public key, you must upload the peer's public key file (in binary) to the local host through FTP or TFTP. HP recommends that you configure the public key of the peer by importing it from a public key file.
  • Page 114: Public Key Configuration Examples

    To do… Use the command… Remarks
    Display the public keys of the peers | display public-key peer [ brief | name publickey-name ] |
    Public key configuration examples By default, Ethernet, VLAN, and aggregate interfaces are in the state of DOWN. To configure such an interface, use the undo shutdown command to bring it up first.
  • Page 115 Display the public keys of the created RSA key pairs. [DeviceA] display public-key local rsa public ===================================================== Time of Key pair created: 09:50:0613:07:11 2007/08/0710/29 Key name: HOST_KEY Key type: RSA Encryption Key ===================================================== Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100B581FB3DCD8158A0F95E627B4 E79EE 127CD4479EA30EC87B4639DBF248CD4A29EA0490308B7383917729BF9C11FF3620CCCD39BD22EE903CA 6B7F3 1159C728E276A8A02522E329E7273C9583162BDD653DC21A4C0146E194CC8F1A5323E140A05E11EB29E E2E0D ECC63B38807B9EED783AE38920D963A385DC25263825EC67310203010001 =====================================================...
  • Page 116: Importing The Public Key Of A Peer From A Public Key File

    [DeviceB-pkey-key-code]5323E140A05E11EB29EE2E0DECC63B38807B9EED783AE38920D963A385DC25263 825EC6731020301 [DeviceB-pkey-key-code]0001 [DeviceB-pkey-key-code] public-key-code end [DeviceB-pkey-public-key] peer-public-key end Display the host public key of Device A saved on Device B. [DeviceB] display public-key peer name devicea ===================================== Key Name : devicea Key Type : RSA Key Module: 1024 ===================================== Key Code: 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F81...
  • Page 117 The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys... ++++++ ++++++ ++++++++ ++++++++...
  • Page 118 Enable the FTP server function, create an FTP user with the username ftp and password 123. <DeviceB> system-view [DeviceB] ftp server enable [DeviceB] local-user ftp [DeviceB-luser-ftp] password simple passwordtest [DeviceB-luser-ftp] service-type ftp [DeviceB-luser-ftp] authorization-attribute level 3 [DeviceB-luser-ftp] quit Upload the public key file of Device A to Device B. FTP the public key file devicea.pub to Device B with the file transfer mode of binary.
  • Page 120: Ssh2.0 Configuration

    SSH2.0 configuration SSH2.0 overview Introduction to SSH2.0 Secure Shell (SSH) offers an approach to securely logging into a remote device. Through encryption and strong authentication, it protects devices against attacks such as IP spoofing and plain text password interception. The switch can work not only as an SSH server to support connections with SSH clients, but also as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server.
  • Page 121 protocol version number>-<software version number>”. The primary and secondary protocol version numbers constitute the protocol version number, while the software version number is used for debugging. The client receives and resolves the packet. If the protocol version of the server is lower but supportable, the client uses the protocol version of the server;...
  • Page 122 • Publickey authentication: The server authenticates the client by the digital signature. During publickey authentication, the client sends to the server a publickey authentication request that contains its username, public key, and publickey algorithm information. The server checks whether the public key is valid. If the public key is invalid, the authentication fails; otherwise, the server authenticates the client by the digital signature.
  • Page 123: Configuring The Device As An Ssh Server

    • If the command text exceeds 2000 bytes, you can execute the commands by saving the text as a configuration file, uploading the configuration file to the server through SFTP, and then using the configuration file to restart the server. Configuring the device as an SSH server To ensure that all SSH clients can log into the SSH server successfully, it is recommended that you generate both DSA and RSA key pairs on the SSH server.
  • Page 124: Configuring A Client Public Key

    • If you configure a user interface to support SSH, be sure to configure the authentication method as AAA by using the authentication-mode scheme command. • For a user interface configured to support SSH, you cannot change the authentication mode. To change...
  • Page 125: Configuring An Ssh User

    When inputting or copying the content of the public key, be sure that the content is in H3C public key format, that is, you need to input or copy it exactly as it is displayed by the display public-key local command.
  • Page 126: Setting The Ssh Management Parameters

    • For successful login through SFTP, you must set the user service type to sftp or all. If SFTP service is not needed, set the user service type to stelnet or all. • As SSH1 does not support service type sftp, if the client uses SSH1 to log into the server, you must set...
  • Page 127: Configuring The Device As An Ssh Client

    To do… Use the command… Remarks
    Set the maximum number of SSH authentication attempts | ssh server authentication-retries times | Optional. 3 by default.
    Authentication will fail if the number of authentication attempts (including both publickey and password authentication) exceeds that specified in the ssh server authentication-retries command. Configuring the device as an SSH client Specifying a source IP address/interface for the SSH client This configuration task allows you to specify a source IP address or interface for the client to...
  • Page 128: Establishing A Connection Between The Ssh Client And The Server

    To do... Use the command… Remarks
    Enable the switch to support first-time authentication | ssh client first-time enable | Optional. By default, first-time authentication is supported on a client.
    Disable first-time authentication For successful authentication of an SSH client not supporting first-time authentication, the server host public key must be configured on the client and the public key name must be specified.
  • Page 129: Displaying And Maintaining Ssh

    To do... Use the command… Remarks
    ... encryption algorithms, preferred HMAC algorithms and preferred key ... | ssh2 ipv6 server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-... | For an ...
  • Page 130: When Switch Acts As Server For Password Authentication

    When switch acts as server for password authentication Network requirements • A local SSH connection is established between the host (the SSH client) and the switch (the SSH server) for secure data exchange. See Figure 37. • Password authentication is required. Figure 37 Switch acts as server for password authentication Configuration procedure...
  • Page 131: When Switch Acts As Server For Public Key Authentication

    There are many kinds of SSH client software, such as PuTTY and OpenSSH. The following is an example of configuring an SSH client using PuTTY version 0.58. Establish a connection with the SSH server Launch PuTTY.exe to enter the following interface. In the Host Name (or IP address) text box, enter the IP address of the server (192.168.1.40).
  • Page 132 Figure 39 Switch acts as server for publickey authentication (SSH client: Host, 192.168.1.56/24; SSH server: Switch, Vlan-int1 192.168.1.40/24). Configuration procedure Configure the SSH server Generate RSA and DSA key pairs and enable SSH server. <Switch> system-view [Switch] public-key local create rsa [Switch] public-key local create dsa [Switch] ssh server enable Configure an IP address for VLAN interface 1.
  • Page 133 Figure 40 Generate a client key pair 1) While generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar. See Figure 41. Otherwise, the progress bar stops moving and the key pair generation process will be stopped.
  • Page 134 Figure 41 Generate a client key pair 2) After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key.
  • Page 135 Figure 42 Generate a client key pair 3) Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save the private key without any protection. Click Yes and enter the name of the file for saving the key (private in this case).
  • Page 136 Figure 44 SSH client configuration interface 1) Select Connection/SSH/Auth from the navigation tree. The following window appears. Click Browse… to bring up the file selection window, navigate to the private key file and click OK.
  • Page 137: Ssh Client Configuration Examples

    Figure 45 SSH client configuration interface 2) Click Open. If the connection is normal, you will be prompted to enter the username. After entering the correct username (client002), you can enter the configuration interface. See Figure SSH client configuration examples By default, Ethernet interfaces, VLAN interfaces, and aggregate interfaces are in the state of DOWN.
  • Page 138 Figure 46 Switch acts as client for password authentication Configuration procedure Configure the SSH server Create RSA and DSA key pairs and enable the SSH server. <SwitchB> system-view [SwitchB] public-key local create rsa [SwitchB] public-key local create dsa [SwitchB] ssh server enable Create an IP address for VLAN interface 1, which the SSH client will use as the destination for SSH connection.
  • Page 139 Do you want to save the server public key? [Y/N]:n Enter password: ****************************************************************************** * Copyright (c) 2004-2008 Hangzhou H3C Tech. Co., Ltd. All rights reserved. * Without the owner's prior written consent, * no decompiling or reverse-engineering shall be allowed.
  • Page 140: When Switch Acts As Client For Public Key Authentication

    F257523777D033BEE77FC378145F2AD [SwitchA-pkey-key-code]D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F71 01F7C62621216D5A572C379A32AC290 [SwitchA-pkey-key-code]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465E 8716261214A5A3B493E866991113B2D [SwitchA-pkey-key-code]485348 [SwitchA-pkey-key-code] public-key-code end [SwitchA-pkey-public-key] peer-public-key end # Specify the host public key for the SSH server (10.165.87.136) as key1. [SwitchA] ssh client authentication server 10.165.87.136 assign publickey key1 [SwitchA] quit Establish an SSH connection to server 10.165.87.136. <SwitchA>...
  • Page 141 [SwitchB] ssh server enable Configure an IP address for VLAN interface 1, which the SSH client will use as the destination for SSH connection. [SwitchB] interface vlan-interface 1 [SwitchB-Vlan-interface1] ip address 10.165.87.136 255.255.255.0 [SwitchB-Vlan-interface1] quit Set the authentication mode for the user interfaces to AAA. [SwitchB] user-interface vty 0 4 [SwitchB-ui-vty0-4] authentication-mode scheme Enable the user interfaces to support SSH.
  • Page 142 Trying 10.165.87.136 ... Press CTRL+K to abort Connected to 10.165.87.136 ... The Server is not authenticated. Continue? [Y/N]:y Do you want to save the server public key? [Y/N]:n ****************************************************************************** * All rights reserved (2004-2006) * Without the owner's prior written consent, * no decompiling or reverse-engineering shall be allowed.
  • Page 143: Sftp Service

    SFTP service SFTP overview The secure file transfer protocol (SFTP) is a new feature in SSH2.0. SFTP uses the SSH connection to provide secure data transfer. The switch can serve as the SFTP server, allowing a remote user to log into the SFTP server for secure file management and transfer. The switch can also serve as an SFTP client, enabling a user to log in from the switch to a remote device for secure file transfer.
  • Page 144: Configuring An Sftp Client

    Follow these steps to configure the SFTP connection idle timeout period:
    To do… Use the command… Remarks
    Enter system view | system-view | —
    Configure the SFTP connection idle timeout period | sftp server idle-timeout time-out-value | Optional. 10 minutes by default.
    Configuring an SFTP client Specifying a source IP address or interface for the SFTP client You can configure a client to use only a specified source IP address or interface to access the SFTP...
  • Page 145: Working With The Sftp Directories

    To do… Use the command… Remarks
    Establish a connection to the remote IPv6 SFTP server and ... | sftp ipv6 server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 }...
  • Page 146: Working With Sftp Files

    To do… Use the command… Remarks
    Create a new directory on the remote SFTP server | mkdir remote-path | Optional
    Delete a directory from the SFTP server | rmdir remote-path&<1-10> | Optional
    Working with SFTP files SFTP file operations include: • Changing the name of a file •...
  • Page 147: Displaying Help Information

    Displaying help information This configuration task is to display a list of all commands or the help information of an SFTP client command, such as the command format and parameters. Follow these steps to display a list of all commands or the help information of an SFTP client command: To do…...
  • Page 148: Network Requirements

    By default, Ethernet interfaces, VLAN interfaces, and aggregate interfaces are in the state of DOWN. To configure such an interface, use the undo shutdown command to bring it up first. Network requirements An SSH connection is established between Switch A and Switch B. See Figure 48. Switch A, an SFTP client, logs in to Switch B for file management and file transfer.
  • Page 149 For user client001, set the service type as SFTP, authentication type as publickey, public key as Switch001, and working folder as cfa0:/
    [SwitchB] ssh user client001 service-type sftp authentication-type publickey assign publickey Switch001 work-directory cfa0:/
    Configure the SFTP client (Switch A)
    Configure an IP address for VLAN interface 1.
  • Page 150 File successfully Removed
    sftp-client> dir
    -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
    -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
    -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
    drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
    -rwxrwxrwx 1 noone nogroup...
  • Page 151: Sftp Server Configuration Example

    -rwxrwxrwx 1 noone nogroup 283 Sep 02 06:36 puk
    sftp-client>
    Terminate the connection to the remote SFTP server.
    sftp-client> quit
    Connection closed.
    <SwitchA>
    SFTP server configuration example
    By default, Ethernet interfaces, VLAN interfaces, and aggregate interfaces are in the state of DOWN. To configure such an interface, use the undo shutdown command to bring it up first.
  • Page 152 [Switch-ui-vty0-4] authentication-mode scheme
    Enable the user interfaces to support SSH.
    [Switch-ui-vty0-4] protocol inbound ssh
    [Switch-ui-vty0-4] quit
    Configure a local user named client002 with the password being aabbcc and the service type being SSH.
    [Switch] local-user client002
    [Switch-luser-client002] password simple aabbcc
    [Switch-luser-client002] service-type ssh
    [Switch-luser-client002] quit
    Note: password simple keeps aabbcc in clear text in the configuration file; password cipher stores it in encrypted form.
    Configure the user authentication type as password and service type as SFTP.
  • Page 153: Ip Source Guard Configuration

    IP source guard configuration The switch operates in IRF or standalone (the default) mode. For information about the IRF mode, see IRF in the IRF Configuration Guide. IP source guard overview IP source guard is intended to work on a port connecting users. It filters received packets to block illegal access to network resources, improving the network security.
  • Page 154: Configuring A Static Ip Source Guard Binding Entry

    • A dynamic binding is implemented in cooperation with DHCP snooping or DHCP Relay. It is suitable when there are many hosts in a LAN, and DHCP is used to allocate IP addresses to the hosts. Once DHCP allocates an IP address for a user, the IP source guard function will automatically add a binding entry based on the DHCP entry to allow the user to access the network.
  • Page 155: Configuring The Dynamic Ip Source Guard Binding Function

    Configuring the dynamic IP source guard binding function After the dynamic IP source guard binding function is enabled on a port, IP source guard will obtain binding entries dynamically through cooperation with DHCP protocols. • Cooperating with DHCP snooping, IP source guard will automatically obtain the DHCP snooping entries that are generated during dynamic IP address allocation on an Ethernet port.
  • Page 156: Ip Source Guard Configuration Examples

    IP source guard configuration examples By default, Ethernet, VLAN, and aggregate interfaces are in the state of DOWN. To configure such an interface, use the undo shutdown command to bring it up first. Static IP source guard binding entry configuration example Network requirements As shown in Figure 52, Host A and Host B are connected to ports GigabitEthernet 3/0/2 and GigabitEthernet 3/0/1 of Switch B respectively, Host C is connected to port GigabitEthernet...
  • Page 157: Dynamic Ip Source Guard Binding Function Configuration Example I

    Configure port GigabitEthernet 3/0/1 of Switch A to allow only IP packets with the source MAC address of 00-01-02-03-04-06 and the source IP address of 192.168.0.1 to pass.
    [SwitchA] interface gigabitethernet 3/0/1
    [SwitchA-GigabitEthernet3/0/1] user-bind ip-address 192.168.0.1 mac-address 0001-0203-0406
    Configure Switch B
    Configure the IP addresses of various interfaces (omitted).
  • Page 158 • On Switch A, create a DHCP snooping entry for Client A. • On port GigabitEthernet 3/0/1 of Switch A, enable dynamic binding function to prevent attackers from using forged IP addresses to attack the server. For detailed configuration of a DHCP server, see DHCP in the Layer 3 – IP Services Configuration Guide. Figure 53 Network diagram for configuring dynamic binding function Configuration procedure...
  • Page 159: Dynamic Ip Source Guard Binding Function Configuration Example Ii

    As you see, port GigabitEthernet 3/0/1 has obtained the dynamic entries generated by DHCP snooping after it is configured with dynamic binding function. Dynamic IP source guard binding function configuration example II Network requirements As shown in Figure 54, Switch A connects to Client A and the DHCP server through VLAN- interface 100 and VLAN-interface 200 respectively.
  • Page 160: Troubleshooting Ip Source Guard

    [SwitchA-Vlan-interface100] dhcp select relay
    Correlate VLAN-interface 100 with DHCP server group 1.
    [SwitchA-Vlan-interface100] dhcp relay server-select 1
    Verify the configuration
    Display the dynamic IP source guard binding entries.
    [SwitchA] display ip check source
    Total entries found: 1
    Vlan Port Status
    0001-0203-0406 192.168.0.1 Vlan-interface100...
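The static example (user-bind on GigabitEthernet 3/0/1) and the dynamic examples (entries taken from DHCP snooping) both come down to one per-port binding table that received IP packets are checked against. The following is an added example, not code from the H3C manual or from the switch: it models that table and the filter, with the manual's own IP, MAC and port values. The guard class, the packet records and the DHCP messages are constructed; VLAN matching and the DHCP relay variant are not modelled.

```python
"""Added example, not from the H3C manual: a model of the IP source guard
binding table.  Static entries stand in for `user-bind ip-address ...
mac-address ...` on a port; dynamic entries are created the way DHCP
snooping creates them, from a server ACK seen on the user port.  All
records below are constructed; IP/MAC/port values are the manual's."""

from dataclasses import dataclass


def norm_mac(mac: str) -> str:
    """Accept 00-01-02-03-04-06 or 0001-0203-0406 and return HHHH-HHHH-HHHH."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address {mac!r}")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    source: str          # "static" or "dhcp-snooping"


class IpSourceGuard:
    """Per-port table of (IP, MAC) bindings; an enabled port drops every
    packet that does not match one of its bindings."""

    def __init__(self):
        self.bindings: dict[str, set[Binding]] = {}
        self.enabled: set[str] = set()

    def enable(self, port: str) -> None:
        self.enabled.add(port)

    def add_static(self, port: str, ip: str, mac: str) -> None:
        """Equivalent of: user-bind ip-address <ip> mac-address <mac>."""
        self.bindings.setdefault(port, set()).add(Binding(ip, norm_mac(mac), "static"))

    def learn_from_dhcp(self, msg: dict) -> bool:
        """DHCP snooping: only a server ACK seen on a user port creates a
        binding (client hardware address + leased address).  OFFER, NAK and
        client messages create nothing.  Returns True when an entry was added."""
        if msg["type"] != "ACK":
            return False
        self.bindings.setdefault(msg["port"], set()).add(
            Binding(msg["yiaddr"], norm_mac(msg["chaddr"]), "dhcp-snooping"))
        return True

    def permit(self, pkt: dict) -> bool:
        """Filter an IP packet received on pkt['port']: forward only when the
        source IP *and* the source MAC both match one binding on that port."""
        if pkt["port"] not in self.enabled:
            return True                      # guard not enabled on this port
        key = (pkt["src_ip"], norm_mac(pkt["src_mac"]))
        return any((b.ip, b.mac) == key for b in self.bindings.get(pkt["port"], ()))

    def display(self) -> list:
        """Rows in the spirit of `display ip check source`: MAC, IP, port, source."""
        return sorted((b.mac, b.ip, port, b.source)
                      for port, entries in self.bindings.items() for b in entries)


def build_demo() -> IpSourceGuard:
    """Constructed scenario: static host on 3/0/1, DHCP client on 3/0/2."""
    g = IpSourceGuard()
    g.enable("GigabitEthernet3/0/1")
    g.add_static("GigabitEthernet3/0/1", "192.168.0.1", "00-01-02-03-04-06")
    g.enable("GigabitEthernet3/0/2")
    g.learn_from_dhcp({"type": "OFFER", "port": "GigabitEthernet3/0/2",
                       "yiaddr": "192.168.0.10", "chaddr": "00-aa-bb-cc-dd-ee"})
    g.learn_from_dhcp({"type": "ACK", "port": "GigabitEthernet3/0/2",
                       "yiaddr": "192.168.0.10", "chaddr": "00-aa-bb-cc-dd-ee"})
    return g


if __name__ == "__main__":
    g = build_demo()
    for row in g.display():
        print(*row)
    samples = [
        ("legit static host", {"port": "GigabitEthernet3/0/1", "src_ip": "192.168.0.1", "src_mac": "0001-0203-0406"}),
        ("spoofed MAC", {"port": "GigabitEthernet3/0/1", "src_ip": "192.168.0.1", "src_mac": "0001-0203-0407"}),
        ("spoofed IP", {"port": "GigabitEthernet3/0/1", "src_ip": "192.168.0.2", "src_mac": "0001-0203-0406"}),
        ("DHCP client", {"port": "GigabitEthernet3/0/2", "src_ip": "192.168.0.10", "src_mac": "00aa-bbcc-ddee"}),
        ("static IP on DHCP port", {"port": "GigabitEthernet3/0/2", "src_ip": "192.168.0.99", "src_mac": "00aa-bbcc-ddee"}),
    ]
    for name, pkt in samples:
        print(f"{name:24s} -> {'forward' if g.permit(pkt) else 'drop'}")
```

Two behaviours worth checking on the real switch after enabling the feature match this model: a port with the guard enabled and no binding forwards nothing, so a host that configured its address by hand on a DHCP-only port is cut off until it obtains a lease, and a port without the guard is not filtered at all.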
  • Page 169: Urpf Configuration

    URPF configuration
    URPF overview
    What is URPF
    Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks. Attackers launch attacks by creating a series of packets with forged source addresses. For applications using IP-address-based authentication, this type of attack allows unauthorized users to access the system in the name of authorized users, or even access the system as the administrator.
  • Page 170: Configuring Urpf

    If the packet has its source IP address found in the FIB table and passes the check, URPF starts the link layer check. • If the link-check keyword is not configured, the packet passes the check and is forwarded normally. •...
  • Page 171: Urpf Configuration Example

    URPF configuration example By default, Ethernet, VLAN, and aggregate interfaces are down. Use the undo shutdown command to bring them up before configuring them. Network requirements A client (Switch A) directly connects to the ISP switch (Switch B). Enable strict URPF check on VLAN-interface 10 of Switch B to allow packets whose source addresses match ACL 2010 to pass.
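The overview and the example above describe a FIB lookup on the packet's source address, a strict or loose comparison against the ingress interface, and an ACL (ACL 2010 here) whose matching packets are allowed through regardless. The following is an added example, not code from the H3C manual or from the switch: it models that decision with a constructed FIB for Switch B, constructed packets arriving on VLAN-interface 10 from the client side, and a constructed stand-in for ACL 2010. The link-check stage the manual mentions is not modelled.

```python
"""Added example, not from the H3C manual: a model of the URPF source
address check.  FIB, interface names, packets and the exempting ACL are
constructed to mirror the manual's scenario (ISP Switch B, strict check
on VLAN-interface 10 toward the client, ACL 2010 as the exemption).
Modelled: strict mode (the best route to the source must point back out
the ingress interface), loose mode (any route to the source suffices),
and the ACL exemption (a packet failing the check is still forwarded if
the ACL permits its source).  The link-check stage is not modelled."""

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str


class Fib:
    def __init__(self, routes):
        # Longest prefix first, so the first hit is the best match.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr: str) -> Optional[Route]:
        ip = ipaddress.IPv4Address(addr)
        return next((r for r in self.routes if ip in r.prefix), None)


def acl_permits(acl, src_ip: str) -> bool:
    """Basic ACL: ordered (action, network) rules, first match wins, default deny."""
    ip = ipaddress.IPv4Address(src_ip)
    for action, net in acl:
        if ip in ipaddress.IPv4Network(net):
            return action == "permit"
    return False


def urpf_check(fib: Fib, pkt: dict, mode: str = "strict", acl=None) -> tuple:
    """Return (forward, reason) for a packet received on pkt['in_iface']."""
    if mode not in ("strict", "loose"):
        raise ValueError(mode)
    route = fib.lookup(pkt["src_ip"])
    if route is None:
        ok, why = False, "no FIB route to source"
    elif mode == "loose":
        ok, why = True, "loose: route to source exists"
    elif route.out_iface == pkt["in_iface"]:
        ok, why = True, "strict: reverse path matches ingress interface"
    else:
        ok, why = False, f"strict: reverse path is {route.out_iface}"
    if not ok and acl is not None and acl_permits(acl, pkt["src_ip"]):
        return True, why + " (forwarded: matches exempting ACL)"
    return ok, why


# Constructed FIB of Switch B: client prefix behind VLAN-interface 10, a
# transit prefix behind VLAN-interface 20, deliberately no default route.
SWITCH_B_FIB = Fib([
    Route(ipaddress.IPv4Network("10.1.0.0/16"), "Vlan-interface10"),
    Route(ipaddress.IPv4Network("198.51.100.0/24"), "Vlan-interface20"),
])
# Constructed stand-in for ACL 2010: exempts one range the FIB does not know.
ACL_2010 = [("permit", "192.0.2.0/24")]

if __name__ == "__main__":
    samples = [
        ("client's own address", "10.1.2.3"),
        ("spoofed transit address", "198.51.100.7"),
        ("unrouted source, ACL-exempt", "192.0.2.9"),
        ("unrouted source", "203.0.113.5"),
    ]
    for name, src in samples:
        pkt = {"src_ip": src, "in_iface": "Vlan-interface10"}
        for mode in ("strict", "loose"):
            ok, why = urpf_check(SWITCH_B_FIB, pkt, mode, ACL_2010)
            print(f"{name:28s} {mode:6s} {'forward' if ok else 'drop':7s} {why}")
```

The second sample is the case strict mode exists for: the source belongs to a prefix reachable via VLAN-interface 20, so a packet carrying it on VLAN-interface 10 is spoofed, yet loose mode passes it because some route exists. Note also that the FIB here has no default route on purpose; with one installed, a loose check of this form passes every source, and whether the switch counts a default route as a valid reverse path is a platform detail the page does not state.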
  • Page 175: Obtaining Support For Your Product

    Contact your authorized reseller or 3Com for a complete list of the value-added services available in your area. Troubleshoot online You will find support tools posted on the web site at http://www.h3cnetworks.com/ under Support, Knowledgebase. The Knowledgebase helps you troubleshoot H3C products. This query-based interactive tool contains thousands of technical solutions.
  • Page 176: Access Software Downloads

    Access software downloads Software Updates are the bug fix / maintenance releases for the version of software initially purchased with the product. In order to access these Software Updates you must first register your product on the web site at http://www.h3cnetworks.com, go to Support, Product Registration.
  • Page 177: Appendix A : Radius Attributes

    Maximum idle time permitted for the user before termination of the session
    Calling-Station-Id: Identification of the user that the NAS sends to the server. With the LAN access service provided by an H3C device, this attribute carries the MAC address of the user in the format HHHH-HHHH-HHHH.
    NAS-Identifier...
  • Page 178: Proprietary Radius Sub-Attributes Of H3C

    …Authenticator (attribute name continued from the previous page): … Access-Requests. This attribute is used when RADIUS supports EAP authentication.
    NAS-Port-Id: String describing the port of the NAS that is authenticating the user
    Proprietary RADIUS sub-attributes of H3C
    Sub-attribute Description
    Input-Peak-Rate: Peak rate in the direction from the user to the NAS, in bps.
  • Page 179 Sub-attribute Description
    Remanent_Volume: Remaining, available total traffic of the connection, in different units for different server types.
    Command: Operation for the session, used for session control. It can be:
    • 1: Trigger-Request
    • 2: Terminate-Request
    • 3: SetPolicy
    • 4: Result
    • ...
  • Page 180: Acronyms

    Acronyms
    Acronym Full spelling 10GE Ten-GigabitEthernet Authentication, Authorization and Accounting Activity Based Costing Area Border Router Alternating Current Acknowledgement...
  • Page 181 Acronym Full spelling Asynchronous Transfer Mode Auxiliary (port) Active Virtual Forwarder Bearer Control Backup Designated Router Best Effort Bidirectional Forwarding Detection Border Gateway Protocol BIMS Branch Intelligent Management System BOOTP Bootstrap Protocol BPDU Bridge Protocol Data Unit Basic Rate Interface Bootstrap Router BitTorrent BSR State...
  • Page 182 Acronym Full spelling CHAP Challenge Handshake Authentication Protocol CIDR Classless Inter-Domain Routing Committed Information Rate CIST Common and Internal Spanning Tree Command Line Interface Code/Length/Value CLNP Connectionless Network Protocol Customer Premise Equipment CPOS Channelized POS Central Processing Unit Custom Queuing Carriage Return Cyclic Redundancy Check CR-LSP...
  • Page 183 Acronym Full spelling Downstream on Demand Denial of Service Designated Router DSCP Differentiated Services Code point Priority Digital Signal Processor Data Terminal Equipment Downstream Unsolicited DUID DHCP Unique Identifier DUID-LL DUID based Link Layer address Distance Vector Routing Algorithm DVMRP Distance Vector Multicast Routing Protocol DWDM Dense Wavelength Division Multiplexing...
  • Page 184 Acronym Full spelling FIFO First In First Out FQDN Full Qualified Domain Name Frame Relay Fast Reroute FRTT Fairness Round Trip Time Finite State Machine Functional Test File Transfer Protocol GARP Generic Attribute Registration Protocol Gigabit Ethernet Graceful Restart Generic Routing Encapsulation Generic Traffic Shaping GVRP...
  • Page 185 Acronym Full spelling ICMP Internet Control Message Protocol ICPIF Calculated Planning Impairment Factor ICMPv6 Internet Control Message Protocol for IPv6 Identification/Identity IEEE Institute of Electrical and Electronics Engineers IETF Internet Engineering Task Force IGMP Internet Group Management Protocol IGMP-Snooping Internet Group Management Protocol Snooping Interior Gateway Protocol Incoming Label Map Internet Locator Service...
  • Page 186 Acronym Full spelling Key-encrypting key L2TP Layer 2 Tunneling Protocol L2VPN Layer 2 Virtual Private Network L3VPN Layer 3 Virtual Private Network LACP Link Aggregation Control Protocol LACPDU Link Aggregation Control Protocol Data Unit Local Area Network Link Control Protocol LDAP Lightweight Directory Access Protocol Label Distribution Protocol...
  • Page 187 Acronym Full spelling Media Access Control Multi-Active Detection Metropolitan Area Network MaxBC Max Bandwidth Constraints MBGP Multicast Border Gateway Protocol Multi-VPN instance Customer Edge Multicast Domain Medium Dependent Interface Message-Digest Algorithm 5 Multicast Distribution Tree Multi-Exit Discriminator MAC Forced Forwarding Management Information Base Multicast Listener Discovery Protocol MLD-Snooping...
  • Page 188 Acronym Full spelling MTTR Mean Time To Repair Maximum Transmission Unit MVRF Multicast VPN Routing and Forwarding NAPT Network Address Port Translation NAPT-PT Network Address Port Translation – Protocol Translation Network Access Server Net Address Translation NBMA Non Broadcast Multi-Access NetBIOS over TCP/IP Network Control Protocol Neighborhood discovery...
  • Page 189 Acronym Full spelling Operation Administration and Maintenance OAMPDU OAM Protocol Data Units OC-3 OC-3 Object Identifier Optical Line Open Systems Interconnection Outbound Route Filter OSPF Open Shortest Path First Provider P2MP Point to MultiPoint Point To Point Password Authentication Protocol Policy-based Route Printed Circuit Board Pulse Code Modulation...
  • Page 190 Acronym Full spelling Priority Queuing Primary Reference Clock Primary Rate Interface Protection Switching Power Sourcing Equipment PSNP Partial SNP PTMP or P2MP Point-to-Multipoint PTP or P2P Point-to-Point Permanent Virtual Channel Pseudo wires Pre-boot Execution Environment QACL QoS/ACL QinQ 802.1Q in 802.1Q Quality of Service QQIC Querier's Query Interval Code...
  • Page 191 Acronym Full spelling Rendezvous Point Tree RRPP Rapid Ring Protection Protocol Router Solicitation Reservation State Block RSOH Regenerator Section Overhead RSTP Rapid Spanning Tree Protocol RSVP Resource Reservation Protocol RSVP-TE Resource Reservation Protocol – Traffic Engineering Route Target RTCP Real-time Transport Control Protocol Route Table Entry Real-time Transport Protocol Real-time Transport Protocol...
  • Page 192 Acronym Full spelling Section Overhead SONET Synchronous Optical Network Site-of-Origin Strict Priority Queuing Superstratum PE/Sevice Provider-end PE Shortest Path First Shortest Path Tree SRPT Sub-ring Packet Tunnel Secure Shell Synchronization Status Marker Source-Specific Multicast Shared Tree STM-1 SDH Transport Module -1 STM-16 SDH Transport Module -16 STM-16c...
  • Page 193 Acronym Full spelling TPID Tag Protocol Identifier TRIP Trigger RIP Traffic Shaping Time to Live True Type Terminal Universal/Local User Datagram Protocol Under-layer PE or User-end PE Uniform Resource Locators URPF Unicast Reverse Path Forwarding User-Based Security Model Variable Bit Rate Virtual Channel Identifier Virtual Ethernet...
  • Page 194 Acronym Full spelling Wide Area Network Weighted Fair Queuing WINS Windows Internet Naming Service WLAN wireless local area network WRED Weighted Random Early Detection Weighted Round Robin Wait-to-Restore World Wide Web Ten-GigabitEthernet Zone Border Router...
  • Page 195: Index

    Index 802.1X features working together ......73 access control method ........ 72 guest VLAN ..........74 architecture ..........65 maintaining ..........82 authentication mode ........65 mandatory authentication domain for specified port ............. 75 authentication process ........ 69 Message-Authenticator attribute ....69 Auth-Fail VLAN .........
  • Page 196 (SSH2.0) ..........137 Message-Authenticator (802.1X) ....69 configuring switch for public key authentication (SSH2.0) ..........140 proprietary sub-attributes of H3C (RADIUS) . 178 configuring user interface (SSH2.0) ... 123 RADIUS (AAA) ........177 establishing server connection (SSH2.0) ..128 RADIUS extended (AAA) ......22 specifying IP address/interface (SSH2.0) ...
  • Page 197 system (portal) ........... 95 local asymmetric pair (public key) ....111 concept local user attribute (AAA) ......34 802.1X ............. 66 MAC authentication ....... 88, 89, 91 MAC authentication ........89 NAS ID-VLAN binding (AAA) ..... 37 public key ..........110 online user handshake function (802.1X) ..
  • Page 198 HWTACACS scheme (AAA) ......50 EAP-Message attribute (802.1X) ....68 ISP domain (AAA) ........28 EAPOL (802.1X) ........67 ISP domain attribute (AAA) ......29 EAPOL packet format (802.1X) ....67 RADIUS scheme (AAA) ....... 38 Message-Authenticator attribute (802.1X) ..69 destroying over RADIUS (802.1X) .......
  • Page 199 extended (portal) ........95 specifying client (SFTP) ......144 RADIUS trap (AAA) ........45 specifying NAS ID profile (portal) ....102 help information (SFTP) ........ 147 specifying SSH client (SSH2.0) ....127 HW Terminal Access Controller Access Control IP address System ........
  • Page 200 displaying ..........90 802.1X configuration ......... 82 local ..........88, 91 asymmetric application (public key) .... 111 maintaining ..........90 asymmetric pair destruction (public key) ..112 quiet MAC address ........89 authentication subnet configuration (portal) .101 RADIUS-based ........88, 92 client configuration (SFTP) ......
  • Page 201 packet Layer 3 configuration ....... 104 EAP format (802.1X) ........68 Layer 3 configuration with extended functions ............106 EAP relay (802.1X) ........69 logging out user ........101 EAPOL format (802.1X) ......67 maintaining ..........103 RADIUS format (AAA) ........ 17 security policy server .........
  • Page 202 configuring Layer 3 portal authentication with creating RADIUS scheme (AAA) ....38 extended functions ....... 106 destroying local asymmetric pair (public key) ..112 configuring local asymmetric pair (public key) disabling first-time authentication (SSH2.0) . 128 ............111 disconnecting user (AAA) ......37 configuring local MAC authentication ..
  • Page 203 setting RADIUS server timer (AAA) ....46 HWTACACS message exchange ....23 setting supported RADIUS server type (AAA) . 42 RADIUS message exchange (AAA) ....16 specifying client interface (SFTP) ....144 protocol specifying client IP address (SFTP) ....144 AAA ............26 specifying HWTACACS accounting...
  • Page 204 Message-Authenticator attribute (802.1X) ..69 security packet format (AAA) ........17 asymmetric application (public key) .... 111 proprietary sub-attributes of H3C ....178 configuring local asymmetric pair (public key) ............111 security mechanisms (AAA) ......16 destroying asymmetric pair (public key) ..
  • Page 205 configuring switch for public key authentication enabling server ........143 (SSH2.0) ..........131 establishing server connection ....144 enabling (SFTP) ........143 specifying client interface ......144 enabling SSH (SSH2.0) ......123 specifying client IP address ....... 144 establishing client connection (SSH2.0) ..128 terminating remote server connection ..
  • Page 206 algorithm negotiation ....... 121 switching authentication ......... 121 configuring switch as client for password authentication (SSH2.0) ......137 client configuration ........137 configuring switch as client for public key configuration .......... 120 authentication (SSH2.0) ......140 configuring client public key ..... 124 configuring switch as server for password configuring device as SSH client ....
  • Page 207 Unicast Reverse Path Forwarding See URPF configuring attribute (AAA) ......36 URPF, URPF version negotiation (SSH2.0) ......120 URPF VLAN configuration ..169, 170, 171, 172, 173, 174 assignment (802.1X) ........73 defined ........... 169, 172 Auth-Fail (802.1X)........ 75, 81 how it works ........169, 172 guest (802.1X) ........
