HPE FlexNetwork 7500 Series Security Configuration Manual


HPE FlexNetwork 7500 Switch Series
Security Configuration Guide
Part number: 5200-1952
Software version: 7500-CMW710-R7524
Document version: 6W100-20161230

Summary of Contents for HPE FlexNetwork 7500 Series

  • Page 2 © Copyright 2016 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table Of Contents

    Contents: Configuring AAA (p. 1); Overview (p. 1); RADIUS (p. 2); HWTACACS (p. 6); LDAP (p. 9); AAA implementation on the device (p. 12); AAA for MPLS L3VPNs (p. 14); RADIUS server feature of the device (p. 14); Protocols and standards (p. 15); RADIUS attributes ...
  • Page 4 802.1X-related protocols (p. 84); Packet formats (p. 84); EAP over RADIUS (p. 85); 802.1X authentication initiation (p. 86); 802.1X client as the initiator (p. 86); Access device as the initiator (p. 86); 802.1X authentication procedures (p. 87); Comparing EAP relay and EAP termination (p. 87); EAP relay ...
  • Page 5 Configuration prerequisites (p. 112); Configuration procedure (p. 112); Specifying supported domain name delimiters (p. 112); Enabling 802.1X user IP freezing (p. 113); Sending 802.1X protocol packets out of a port without VLAN tags (p. 113); Setting the maximum number of 802.1X authentication attempts for MAC authenticated users (p. 114); Configuring the EAD assistant feature ...
  • Page 6 Portal system components (p. 151); Portal system using the local portal Web server (p. 153); Interaction between portal system components (p. 153); Portal authentication modes (p. 154); Portal support for EAP (p. 154); Portal authentication process (p. 155); Portal filtering rules (p. 157); MAC-based quick portal authentication ...
  • Page 7 No portal authentication page is pushed for users (p. 221); Cannot log out portal users on the access device (p. 222); Cannot log out portal users on the RADIUS server (p. 222); Users logged out by the access device still exist on the portal authentication server (p. 222); Re-DHCP portal authenticated users cannot log in successfully ...
  • Page 8 Managing public keys (p. 263); Overview (p. 263); FIPS compliance (p. 263); Creating a local key pair (p. 263); Distributing a local host public key (p. 265); Exporting a host public key (p. 265); Displaying a host public key (p. 265); Destroying a local key pair ...
  • Page 9 Configuring SSH (p. 307); Overview (p. 307); How SSH works (p. 307); SSH authentication methods (p. 308); SSH support for Suite B (p. 309); FIPS compliance (p. 309); Configuring the device as an SSH server (p. 310); SSH server configuration task list (p. 310); Generating local key pairs ...
  • Page 10 Configuration procedure (p. 367); Verifying the configuration (p. 368); Configuring SSL (p. 369); Overview (p. 369); SSL security services (p. 369); SSL protocol stack (p. 369); FIPS compliance (p. 370); SSL configuration task list (p. 370); Configuring an SSL server policy (p. 370); Configuring an SSL client policy ...
  • Page 11 Enabling IPv6SG on an interface (p. 406); Configuring a static IPv6SG binding (p. 407); Displaying and maintaining IPSG (p. 407); IPSG configuration examples (p. 408); Static IPv4SG configuration example (p. 408); Dynamic IPv4SG using DHCP snooping configuration example (p. 410); Dynamic IPv4SG using DHCP relay agent configuration example ...
  • Page 12 Configuring RA guard (p. 440); About RA guard (p. 440); Specifying the role of the attached device (p. 440); Configuring an RA guard policy (p. 441); Enabling the RA guard logging feature (p. 441); Displaying and maintaining RA guard (p. 442); RA guard configuration example ...
  • Page 13 Exiting FIPS mode through manual reboot (p. 474); Configuring MACsec (p. 476); Overview (p. 476); Basic concepts (p. 476); MACsec services (p. 476); MACsec applications (p. 477); MACsec operating mechanism (p. 477); Protocols and standards (p. 479); Feature and hardware compatibility (p. 479); General restrictions and guidelines ...
  • Page 14 Troubleshooting Web authentication (p. 511); Failure to come online (Web authentication configuration correct) (p. 511); Failure to come online (local authentication interface using the default ISP domain) (p. 511); Failure to come online (VLAN configured on interface) (p. 512); Configuring triple authentication (p. 513); Overview ...
  • Page 15: Configuring AAA

    Configuring AAA. Overview: Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. This feature specifies the following security functions:
    • Authentication—Identifies users and verifies their validity.
    • Authorization—Grants different users different rights, and controls the users' access to resources and services.
  • Page 16: RADIUS

    RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. The protocol can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access.
  • Page 17 Basic RADIUS packet exchange process: Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server. Figure 3 Basic RADIUS packet exchange process (host, RADIUS client, RADIUS server): 1) Username and password. 2) Access-Request. 3) Access-Accept/Reject. 4) Accounting-Request (start). 5) Accounting-Response. 6) The host accesses the resources...
  • Page 18 Figure 4 RADIUS packet format (fields, in order: Code, Identifier, Length, Authenticator (16 bytes), Attributes). Descriptions of the fields are as follows: • The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main values and their meanings. Table 1 Main values of the Code field (columns: Code, Packet type)...
  • Page 19 Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868. For more information, see "Commonly used standard RADIUS attributes." Table 2 Commonly used RADIUS attributes: User-Name, Acct-Authentic, User-Password, Acct-Session-Time, CHAP-Password, Acct-Input-Packets, NAS-IP-Address, Acct-Output-Packets, NAS-Port, Acct-Terminate-Cause...
  • Page 20: HWTACACS

    Table 2 (continued): Login-LAT-Node, Tunnel-Assignment-id, Login-LAT-Group, Tunnel-Preference, Framed-AppleTalk-Link, ARAP-Challenge-Response, Framed-AppleTalk-Network, Acct-Interim-Interval, Framed-AppleTalk-Zone, Acct-Tunnel-Packets-Lost, Acct-Status-Type, NAS-Port-Id, Acct-Delay-Time, Framed-Pool, Acct-Input-Octets, (unassigned), Acct-Output-Octets, Tunnel-Client-Auth-id, Acct-Session-Id, Tunnel-Server-Auth-id. Extended RADIUS attributes: The RADIUS protocol features excellent extensibility. The Vendor-Specific attribute (attribute 26) allows a vendor to define extended attributes. The extended attributes can implement functions that the standard RADIUS protocol does not provide.
  • Page 21 passing authentication and obtaining authorized rights, a user logs in to the device and performs operations. The HWTACACS server records the operations that each user performs. Differences between HWTACACS and RADIUS HWTACACS and RADIUS have many features in common, such as using a client/server model, using shared keys for data encryption, and providing flexibility and scalability.
  • Page 22 Figure 6 Basic HWTACACS packet exchange process for a Telnet user (host, HWTACACS client, HWTACACS server): 1) The user tries to log in. 2) Start-authentication packet. 3) Authentication response requesting the username. 4) Request for username. 5) The user enters the username. 6) Continue-authentication packet with the username. 7) Authentication response requesting the password. 8) Request for password...
  • Page 23: LDAP

    10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password.
    11. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication.
    12.
  • Page 24 Uses the LDAP server administrator DN to bind with the LDAP server. After the binding is created, the client establishes a connection to the server and obtains the right to search. Constructs search conditions by using the username in the authentication information of a user. The specified root directory of the server is searched and a user DN list is generated.
  • Page 25 The LDAP server processes the request, and sends a response to notify the LDAP client of the bind operation result. If the bind operation fails, the LDAP client uses another obtained user DN as the parameter to send a user DN bind request to the LDAP server. This process continues until a DN is bound successfully or all DNs fail to be bound.
  • Page 26: AAA implementation on the device

    The LDAP client sends an authorization search request with the username of the Telnet user to the LDAP server. If the user uses the same LDAP server for authentication and authorization, the client sends the request with the saved user DN of the Telnet user to the LDAP server. After receiving the request, the LDAP server searches for the user information by the base DN, search scope, filtering conditions, and LDAP attributes.
  • Page 27
    • No authentication—This method trusts all users and does not perform authentication. For security purposes, do not use this method.
    • Local authentication—The NAS authenticates users by itself, based on the locally configured user information including the usernames, passwords, and attributes. Local authentication allows high speed and low cost, but the amount of information that can be stored is limited by the size of the storage space.
  • Page 28: AAA for MPLS L3VPNs

    AAA for MPLS L3VPNs You can deploy AAA across VPNs in an MPLS L3VPN scenario where clients in different VPNs are centrally authenticated. The deployment enables forwarding of RADIUS and HWTACACS packets across MPLS VPNs. For example, as shown in Figure 10, you can deploy AAA across the VPNs.
  • Page 29: Protocols and standards

    The RADIUS server feature supports the following operations: • Manages RADIUS user data, which is generated from local user information and includes user name, password, description, authorization ACL, authorization VLAN, and expiration time. • Allows you to add, modify, and delete RADIUS clients. A RADIUS client is identified by the IP address and includes attribute information such as the shared key.
  • Page 30 Calling-Station-Id: User identification that the NAS sends to the server. For the LAN access service provided by an HPE device, this attribute includes the MAC address of the user in the format HHHH-HHHH-HHHH. NAS-Identifier: Identification that the NAS uses to identify itself to the RADIUS server.
  • Page 31 Attribute values (continued): • 17—Cable. (With cable for cable TV.) • 19—WLAN-IEEE 802.11. • 201—VLAN. • 202—ATM. If the port is an ATM or Ethernet one and VLANs are implemented on it, the value of this attribute is 201. Tunnel-Type: Tunneling protocols used. The value 13 represents VLAN. Transport medium type to use for creating a tunnel.
  • Page 32 Subattribute descriptions (continued): When the RADIUS client acts as the FTP, SFTP, or SCP server, this subattribute is used to set the working directory for an FTP, SFTP, or SCP user on the RADIUS client. Exec_Privilege: EXEC user priority. NAS_Startup_Timestamp: Startup time of the NAS in seconds, represented by the time elapsed after 00:00:00 on Jan.
  • Page 33: FIPS compliance

    Subattribute descriptions (continued): ... device-traffic-class=voice. • Server-assigned user role in the format of shell:role=xxx. • Server-assigned ACL in the format of url-redirect-acl=xxx. • Server-assigned Web redirect URL in the format of url-redirect=xxx. Nas-Port: Interface through which the user is connected to the NAS. Accounting details.
  • Page 34 Configure AAA methods for the users' ISP domains. Remote AAA methods need to use the configured RADIUS, HWTACACS, and LDAP schemes. Figure 12 AAA configuration procedure (flowchart; the Local AAA branch: configure local users and related attributes, and configure AAA methods for different types of users and/or the default methods for all types of users)...
  • Page 35: Configuring AAA schemes

    Configuring AAA schemes This section includes information on configuring local users, RADIUS schemes, HWTACACS schemes, and LDAP schemes. Configuring local users To implement local authentication, authorization, and accounting, create local users and configure user attributes on the device. The local users and attributes are stored in the local user database on the device.
  • Page 36 information about password management and global password configuration, see "Configuring password control." • Validity period—Time period in which a network access user is considered valid for authentication. Local user configuration task list Tasks at a glance (Required.) Configure local user attributes based on the user type: •...
  • Page 37 Step: Assign services to the local user. Command, for a network access user: service-type { lan-access | portal }. Command, for a device management user in non-FIPS mode: service-type { ftp | { http | https | ssh | telnet | terminal } * }... Remarks: By default, no services are authorized to a local user.
  • Page 38 Command: password-control complexity { same-character | user-name } check. • Configure the maximum login attempts and the action to take if there is a login failure: password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ].
  • Page 39 Step: ... address for the local guest. Remarks: By default, no address is specified for a local guest. The device sends email notifications to this address to inform the sponsor of the guest information. Command: validity-datetime { from start-date start-time to ... Remarks: By default, a local guest does not expire.
  • Page 40 Command: ... { same-character | user-name } check. • Configure the maximum login attempts and the action to take for login failures: password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]. Managing local guests: The local guest management features are for maintenance and access control of local guests.
  • Page 41: Configuring RADIUS schemes

    Command (continued): ... start-time to expiration-date expiration-time. (Optional.) Export local guest account information to a .csv file in the specified path: local-user-export class network guest url url-string. Return to user view: quit. (Optional.) Send email notifications to the local guest: local-guest send-email user-name user-name to { ... Remarks: The email contents include the guest user name, password, and validity...
  • Page 42 Tasks at a glance: (Optional.) Configuring a test profile for RADIUS server status detection. (Required.) Creating a RADIUS scheme. (Required.) Specifying the RADIUS authentication servers. (Optional.) Specifying the RADIUS accounting servers and the relevant parameters. (Optional.) Specifying the shared keys for secure RADIUS communication. (Optional.) Specifying an MPLS L3VPN instance for the scheme. (Optional.)
  • Page 43 Step: Enter system view. Command: system-view. Step: Configure a test profile for detecting the status of RADIUS authentication servers. Command: radius-server test-profile profile-name username name [ interval interval ]. Remarks: By default, no test profiles exist. You can configure multiple test profiles in the system.
  • Page 44 Command (continued): ... ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | vpn-instance vpn-instance-name | weight weight-value ] *. Remarks: The weight keyword takes effect only when the RADIUS server load sharing feature is enabled for the RADIUS scheme. Specifying the RADIUS accounting servers and the relevant parameters: You can specify one primary accounting server and a maximum of 16 secondary accounting servers...
  • Page 45 Step (continued): ... number of real-time accounting attempts. (Optional.) Enable buffering of RADIUS stop-accounting requests to which no responses have been received. Command: stop-accounting-buffer enable. Remarks: By default, the buffering feature is enabled. (Optional.) Set the maximum number of transmission attempts for individual stop-accounting requests. Command: retry stop-accounting retries. Remarks: The default setting is 500.
  • Page 46 RADIUS servers might not recognize usernames that contain the ISP domain names. In this case, you can configure the device to remove the domain name of each username to be sent. If two or more ISP domains use the same RADIUS scheme, configure the RADIUS scheme to keep the ISP domain name in usernames for domain identification.
  • Page 47
    • If the primary server fails, the device performs the following operations:
      - Changes the server status to blocked.
      - Starts a quiet timer for the server.
      - Tries to communicate with a secondary server in active state that has the highest priority.
      ...
  • Page 48 Command: state primary accounting { active | block }. Remarks (continued): ... can only be viewed by using the display radius scheme command. After the device restarts, all servers are restored to the active state. • Set the status of a secondary RADIUS authentication server: state secondary authentication [ { ipv4-address | ipv6...
  • Page 49 the source IP address. For example, when VRRP is configured for stateful failover, configure the virtual IP of the uplink VRRP group as the source address. You can specify a source IP address for outgoing RADIUS packets in RADIUS scheme view or in system view.
  • Page 50 RADIUS scheme includes many secondary servers, the retransmission process might be too long and the client connection in the access module, such as Telnet, can time out. • When the client connections have a short timeout period, a large number of secondary servers can cause the initial authentication or accounting attempt to fail.
  • Page 51 Step: Enable accounting-on. Command: accounting-on enable [ interval interval | send send-times ] *. Remarks: By default, the accounting-on feature is disabled. (Optional.) Enable extended accounting-on. Command: accounting-on extended. Remarks: By default, extended accounting-on is disabled. Interpreting the RADIUS class attribute as CAR parameters: A RADIUS server may deliver CAR parameters for user-based traffic monitoring and control by using the RADIUS class attribute (attribute 25) in RADIUS packets.
  • Page 52 Step: Enter system view. Command: system-view. Step: Enter RADIUS scheme view. Command: radius scheme radius-scheme-name. Step: Configure the MAC address format for RADIUS attribute 31. Command: attribute 31 mac-format section { six | three } separator separator-character { lowercase | ... Remarks: By default, a MAC address is in the format of HH-HH-HH-HH-HH-HH. The MAC address is separated by...
  • Page 53: Configuring HWTACACS schemes

    Command (continued): ... authentication-server-up ] *. Displaying and maintaining RADIUS: Execute display commands in any view and reset commands in user view. Task: Display the RADIUS scheme configuration. Command: display radius scheme [ radius-scheme-name ]. Task: Display RADIUS packet statistics. Command: display radius statistics. Task: Display information about buffered RADIUS stop-accounting requests to... Command: display stop-accounting-buffer { radius-scheme ...
  • Page 54 Specifying the HWTACACS authentication servers You can specify one primary authentication server and a maximum of 16 secondary authentication servers for an HWTACACS scheme. When the primary server is not available, the device searches for the secondary servers in the order they are configured. The first secondary server in active state is used for communication.
  • Page 55 • Specify a secondary HWTACACS authorization server: secondary authorization { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *. Specifying the HWTACACS accounting servers: You can specify one primary accounting server and a maximum of 16 secondary accounting servers for an HWTACACS scheme.
  • Page 56 Step (continued): ... stop-accounting requests to which no responses have been received. (Optional.) Set the maximum number of transmission attempts for individual HWTACACS stop-accounting requests. Command: retry stop-accounting retries. Remarks: The default setting is 100. Specifying the shared keys for secure HWTACACS communication: The HWTACACS client and server use the MD5 algorithm and shared keys to generate the Authenticator value for packet authentication and user password encryption.
  • Page 57 HWTACACS servers do not recognize usernames that contain ISP domain names, you can configure the device to send usernames without domain names to the servers. If two or more ISP domains use the same HWTACACS scheme, configure the HWTACACS scheme to keep the ISP domain name in usernames for domain identification.
  • Page 58 Command (continued): ... packets. [ vpn-instance vpn-instance-name ]. Remarks (continued): ... outbound interface is used as the source IP address. To specify a source IP address for an HWTACACS scheme: Step: Enter system view. Command: system-view. Step: Enter HWTACACS scheme view. Command: hwtacacs scheme hwtacacs-scheme-name. Remarks: By default, the source IP address specified by the hwtacacs nas-ip...
  • Page 59: Configuring LDAP schemes

    • When you remove a server in use, communication with the server times out. The device looks for a server in active state by first checking the primary server, and then checking secondary servers in the order they are configured. •...
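The primary-then-secondaries selection rule described above, as an added Python example. This is not code from the HPE guide: the server state names ("active"/"blocked"), the quiet-timer length after which a blocked server is retried, and the scheme contents are assumptions of this example.

```python
"""Added example: AAA server selection for a scheme with one primary and ordered
secondaries. Not from the HPE guide; state names ("active"/"blocked") and the
quiet-timer length are assumptions of this example."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Server:
    address: str
    port: int
    state: str = "active"       # "active" or "blocked" (assumed state names)
    blocked_at: float = 0.0     # time at which the server was blocked


@dataclass
class Scheme:
    name: str
    primary: Optional[Server] = None
    secondaries: List[Server] = field(default_factory=list)  # configured order
    quiet_seconds: float = 300.0  # assumed: how long a blocked server stays blocked


def select_server(scheme: Scheme, now: float) -> Optional[Server]:
    """Return the server to use: the primary if it is active, otherwise the first
    active secondary in configured order, otherwise None.

    A blocked server whose quiet period has elapsed is returned to the active
    state before the check, so a recovered server is picked up automatically."""
    candidates = ([scheme.primary] if scheme.primary else []) + scheme.secondaries
    for srv in candidates:
        if srv.state == "blocked" and now - srv.blocked_at >= scheme.quiet_seconds:
            srv.state = "active"
        if srv.state == "active":
            return srv
    return None


def mark_unreachable(srv: Server, now: float) -> None:
    """Called when a request to srv times out: block it and start its quiet timer."""
    srv.state = "blocked"
    srv.blocked_at = now


def remove_server(scheme: Scheme, srv: Server) -> None:
    """Remove a server from the scheme; it simply drops out of the candidate list.
    (The guide notes that communication with a removed in-use server times out.)"""
    if scheme.primary is srv:
        scheme.primary = None
    else:
        scheme.secondaries = [s for s in scheme.secondaries if s is not srv]


def demo_scheme() -> Scheme:
    """Constructed scheme: one primary and two secondaries (addresses are made up)."""
    return Scheme(
        name="hwtac",
        primary=Server("10.1.1.1", 49),
        secondaries=[Server("10.1.1.2", 49), Server("10.1.1.3", 49)],
    )


if __name__ == "__main__":
    scheme = demo_scheme()
    print(select_server(scheme, now=0.0).address)      # primary
    mark_unreachable(scheme.primary, now=0.0)
    print(select_server(scheme, now=1.0).address)      # first secondary
    print(select_server(scheme, now=301.0).address)    # primary again after the quiet period
```

The practical point is the last call: a blocked primary is retried only after its quiet period, so a flapping primary does not pull users back and forth on every request, and a scheme whose servers are all blocked yields no server at all, which is when the ISP domain's backup method (if any) takes over.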
  • Page 60 Tasks at a glance • (Required.) Creating an LDAP server • (Required.) Configuring the IP address of the LDAP server • (Optional.) Specifying the LDAP version • (Optional.) Setting the LDAP server timeout period • (Required.) Configuring administrator attributes • (Required.) Configuring LDAP user attributes (Optional.)
  • Page 61 Setting the LDAP server timeout period If the device sends a bind or search request to an LDAP server without receiving the server's response within the server timeout period, the authentication or authorization request times out. Then, the device tries the backup authentication or authorization method. If no backup method is configured in the ISP domain, the device considers the authentication or authorization attempt a failure.
  • Page 62 To configure LDAP user attributes:
    1. Enter system view: system-view
    2. Enter LDAP server view: ldap server server-name
    3. Specify the user search base DN: search-base-dn base-dn. By default, no user search base DN is specified.
    4. (Optional.) Specify the user search scope: search-scope { all-level | ... By default, the user search scope...
  • Page 63: Configuring Aaa Methods For Isp Domains

    1. Enter system view: system-view
    2. Create an LDAP scheme and enter LDAP scheme view: ldap scheme ldap-scheme-name. By default, no LDAP schemes exist.
    Specifying the LDAP authentication server:
    1. Enter system view: system-view
    2. Enter LDAP scheme view: ldap scheme ldap-scheme-name
    3. Specify the LDAP authentication server: authentication-server...
  • Page 64: Configuration Prerequisites

    AAA is available to login users after you enable scheme authentication for the users. For more information about the login authentication modes, see Fundamentals Configuration Guide. Configuration prerequisites To use local authentication for users in an ISP domain, configure local user accounts on the device first.
  • Page 65: Configuring Isp Domain Attributes

    (Optional.) Specify the ISP domain to accommodate users who are assigned to nonexistent domains: domain if-unknown isp-domain-name. By default, no ISP domain is specified to accommodate users who are assigned to nonexistent domains.
    Configuring ISP domain attributes. In an ISP domain, you can configure the following attributes: •...
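How a NAS turns a login name into an ISP domain and a username for the server, as an added Python example covering the rules spelled out on these pages: the domain delimiter, the default domain for names without a domain, the if-unknown domain for nonexistent domains, and the with-domain/without-domain username format. This is not code from the HPE guide; the domain table, scheme names, and the rule that with-domain appends the resolved domain name are assumptions of this example.

```python
"""Added example: ISP-domain selection and username formatting on a NAS.
Not code from the HPE guide; the domain table, the scheme names and the
"with-domain appends the resolved domain" rule are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class IspDomain:
    name: str
    scheme: str          # AAA scheme the domain uses (a RADIUS or HWTACACS scheme name)
    with_domain: bool    # True: user-name-format with-domain; False: without-domain


class Nas:
    def __init__(self, domains: Dict[str, IspDomain], default_domain: Optional[str],
                 if_unknown: Optional[str] = None, delimiter: str = "@"):
        self.domains = domains
        self.default_domain = default_domain   # used when the name carries no domain
        self.if_unknown = if_unknown           # "domain if-unknown": for nonexistent domains
        self.delimiter = delimiter             # must be a delimiter the server also recognizes

    def resolve(self, login_name: str) -> Tuple[IspDomain, str]:
        """Return (selected domain, username forwarded to the server) or raise PermissionError."""
        if self.delimiter in login_name:
            user, _, dom = login_name.rpartition(self.delimiter)
            domain = self.domains.get(dom)
            if domain is None:
                if self.if_unknown is None:
                    raise PermissionError(f"domain {dom!r} does not exist and no if-unknown domain is set")
                domain = self.domains[self.if_unknown]
        else:
            user = login_name
            if self.default_domain is None:
                raise PermissionError("username carries no domain and no default domain is set")
            domain = self.domains[self.default_domain]
        if not user:
            raise PermissionError("empty user part")
        # Assumption of this example: with-domain forwards user@<resolved domain>.
        sent = f"{user}{self.delimiter}{domain.name}" if domain.with_domain else user
        return domain, sent

    def stripped_domain_collisions(self) -> Dict[str, list]:
        """Schemes shared by several domains that strip the domain name. The server then
        sees identical usernames from different domains, the pitfall the guide warns about."""
        by_scheme: Dict[str, list] = {}
        for d in self.domains.values():
            if not d.with_domain:
                by_scheme.setdefault(d.scheme, []).append(d.name)
        return {s: names for s, names in by_scheme.items() if len(names) > 1}


def demo_nas() -> Nas:
    """Constructed configuration: domains aaa and bbb both use scheme 'hwtac' without-domain."""
    return Nas(
        domains={
            "aaa": IspDomain("aaa", scheme="hwtac", with_domain=False),
            "bbb": IspDomain("bbb", scheme="hwtac", with_domain=False),
            "ccc": IspDomain("ccc", scheme="rad", with_domain=True),
        },
        default_domain="ccc",
        if_unknown="ccc",
    )


if __name__ == "__main__":
    nas = demo_nas()
    print(nas.resolve("alice@aaa"), nas.resolve("alice@bbb"))   # both forward plain "alice"
    print(nas.stripped_domain_collisions())                      # {'hwtac': ['aaa', 'bbb']}
```

Run `stripped_domain_collisions()` against your own domain table before choosing without-domain: in the constructed configuration, alice@aaa and alice@bbb are indistinguishable to the HWTACACS server, which is exactly the case where the guide tells you to keep the domain name in the username.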
  • Page 66: Configuring Authentication Methods For An Isp Domain

    ... { both | inbound | outbound } ] | ip-pool pool-name | ipv6-pool ipv6-pool-name | user-group user-group-name }
    Specify the user address type in the ISP domain: user-address-type { ds-lite | ipv6 | nat64 | private-ds | ... By default, no user address type is specified.
  • Page 67: Configuring Authorization Methods For An Isp Domain

    Specify authentication methods for login users: authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] ... By default, the default authentication method is used for login users. The none keyword is not supported in FIPS mode.
  • Page 68: Configuring Accounting Methods For An Isp Domain

    ... [ none ] }
    Specify command authorization methods: authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] | local [ none ] | none }. By default, the default authorization method is used for command authorization. The none keyword is not supported in FIPS mode. A trailing local or none method is a backup that takes effect only when the HWTACACS server does not respond; none skips command authorization entirely, leaving the user constrained only by the user role.
  • Page 69: Configuring The Radius Session-Control Feature

    ... [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] } The none keyword is not supported in FIPS mode.
    Specify command accounting methods: accounting command ... By default, the default...
  • Page 70: Configuring The Radius Das Feature

    You can specify multiple session-control clients on the device. The device matches a session-control packet to a session-control client based on IP and VPN instance settings, and then uses the shared key of the matched client to validate the packet. The device searches the session-control client settings prior to searching all RADIUS settings for finding a server whose IP and VPN instance settings match the session-control packet.
  • Page 71: Changing The Dscp Priority For Radius Packets

    ... RADIUS DAS view. By default, the feature is disabled.
    Specify a RADIUS DAC: client { ip ipv4-address | ipv6 ipv6-address } [ key { cipher | simple } string | vpn-instance vpn-instance-name ] *. By default, no RADIUS DACs are specified.
    Specify the RADIUS DAS port: port port-number. By default, the RADIUS DAS port is...
  • Page 72 1. Enter system view: system-view
    2. (Optional.) Define an extended RADIUS attribute: radius attribute extended attribute-name [ vendor vendor-id ] code attribute-code type { binary | date | integer | interface-id | ip | ipv6 | ipv6-prefix | octets | string } ... By default, no user-defined extended RADIUS attributes exist. Repeat this command to define multiple extended RADIUS attributes.
  • Page 73: Setting The Maximum Number Of Concurrent Login Users

    Setting the maximum number of concurrent login users Perform this task to set the maximum number of concurrent users who can log on to the device through a specific protocol, regardless of their authentication methods. The authentication methods include no authentication, local authentication, and remote authentication. To set the maximum number of concurrent login users: Step Command...
  • Page 74: Configuring The Radius Server Feature

    1. Enter system view: system-view
    2. Configure the device ID: aaa device-id device-id. By default, the device ID is 0.
    Configuring the RADIUS server feature. Restrictions and guidelines: When you configure the RADIUS server feature, follow these restrictions and guidelines: •...
  • Page 75: Activating The Radius Server Configuration

    Specify a RADIUS client: radius-server client ip ipv4-address key { cipher | simple } string. By default, no RADIUS clients are specified.
    Activating the RADIUS server configuration. At the device startup, the RADIUS server configuration is automatically activated, including RADIUS users and RADIUS clients.
  • Page 76 • Use expert as the shared keys for secure HWTACACS communication.
    Figure 13 Network diagram: HWTACACS server 10.1.1.1/24; Switch with Vlan-int3 10.1.1.2/24 toward the server and Vlan-int2 192.168.1.70/24 toward the Internet; SSH user reaching the switch over the Internet.
    Configuration procedure. Configure the HWTACACS server:
    # Set the shared keys to expert for secure communication with the switch. (Details not shown.)
    # Add an account for the SSH user and specify the password.
  • Page 77: Local Authentication, Hwtacacs Authorization, And Radius Accounting For Ssh Users

    # Enable scheme authentication for user lines VTY 0 through VTY 63.
    [Switch] line vty 0 63
    [Switch-line-vty0-63] authentication-mode scheme
    [Switch-line-vty0-63] quit
    # Enable the default user role feature to assign authenticated SSH users the default user role network-operator.
    [Switch] role default-role enable
    Verifying the configuration
    # Initiate an SSH connection to the switch, and enter the correct username and password.
  • Page 78 [Switch] public-key local create dsa
    # Enable the SSH service.
    [Switch] ssh server enable
    # Enable scheme authentication for user lines VTY 0 through VTY 63.
    [Switch] line vty 0 63
    [Switch-line-vty0-63] authentication-mode scheme
    [Switch-line-vty0-63] quit
    # Configure an HWTACACS scheme.
    [Switch] hwtacacs scheme hwtac
    [Switch-hwtacacs-hwtac] primary authorization 10.1.1.2 49
    [Switch-hwtacacs-hwtac] key authorization simple expert...
  • Page 79: Authentication And Authorization For Ssh Users By A Radius Server

    Authentication and authorization for SSH users by a RADIUS server Network requirements As shown in Figure 15, configure the switch to meet the following requirements: • Use the RADIUS server for SSH user authentication and authorization. • Include domain names in the usernames sent to the RADIUS server. •...
  • Page 80 IP address of the outbound interface (the default). Figure 16 Adding the switch as an access device. # Add an account for device management. Click the User tab, and select Access User View > Device Mgmt User from the navigation tree.
  • Page 81 Figure 17 Adding an account for device management
    Configure the switch:
    # Configure IP addresses for interfaces. (Details not shown.)
    # Create local RSA and DSA key pairs.
    <Switch> system-view
    [Switch] public-key local create rsa
    [Switch] public-key local create dsa
    # Enable the SSH service.
  • Page 82: Authentication For Ssh Users By An Ldap Server

    # Create an ISP domain named bbb and configure authentication, authorization, and accounting methods for login users.
    [Switch] domain bbb
    [Switch-isp-bbb] authentication login radius-scheme rad
    [Switch-isp-bbb] authorization login radius-scheme rad
    [Switch-isp-bbb] accounting login none
    [Switch-isp-bbb] quit
    Verifying the configuration
    # Initiate an SSH connection to the switch, and enter username hello@bbb and the correct password.
  • Page 83 e. Enter logon name aaa and click Next. Figure 19 Adding user aaa f. In the dialog box, enter password ldap!123456, select options as needed, and click Next. Figure 20 Setting the user's password g. Click OK. # Add user aaa to group Users. h.
  • Page 84 Figure 21 Modifying user properties d. In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK. User aaa is added to group Users. Figure 22 Adding user aaa to group Users # Set the administrator password to admin!123456.
  • Page 85: Aaa For 802.1X Users By A Radius Server

    # Create local RSA and DSA key pairs.
    <Switch> system-view
    [Switch] public-key local create rsa
    [Switch] public-key local create dsa
    # Enable the SSH service.
    [Switch] ssh server enable
    # Enable scheme authentication for user lines VTY 0 through VTY 63.
    [Switch] line vty 0 63
    [Switch-line-vty0-63] authentication-mode scheme
    [Switch-line-vty0-63] quit...
  • Page 86 • Use MAC-based access control on GigabitEthernet 1/0/1 to authenticate all 802.1X users on the port separately. • Include domain names in the usernames sent to the RADIUS server. On the RADIUS server, perform the following tasks: • Add a service that assigns authenticated users to VLAN 4. •...
  • Page 87 Figure 24 Adding the switch as an access device # Add a service. Click the Service tab, and select User Access Manager > Service Configuration from the navigation tree. Then, click Add to configure a service as follows: a. Add a service named Dot1x auth, and set the service suffix to bbb, the authentication domain for the 802.1X user.
  • Page 88 # Add a user. Click the User tab, and select Access User View > All Access Users from the navigation tree to enter the All Access Users page. Then, click Add to configure a user as follows: a. Select the user or add a user named hello. b.
  • Page 89: Local Guest Configuration And Management Example

    [Switch-isp-bbb] quit
    c. Configure 802.1X authentication:
    # Enable 802.1X globally.
    [Switch] dot1x
    # Enable 802.1X for GigabitEthernet 1/0/1.
    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] dot1x
    [Switch-GigabitEthernet1/0/1] quit
    # Configure the access control method. By default, an 802.1X-enabled port uses MAC-based access control.
    [Switch] dot1x port-method macbased interface gigabitethernet 1/0/1
    Verifying the configuration
    On the host, use account dot1x@bbb to pass 802.1X authentication:...
  • Page 90 Figure 27 Network diagram Internet Guest Switch Configuration procedure Configure 802.1X settings. Make sure the guest can pass 802.1X authentication to access the network. (Details not shown.) Manage local guests: # Enable the local user auto-delete feature for expired local guests. <Switch>...
  • Page 91: Authentication And Authorization Of 802.1X Users By The Device As A Radius Server

    [Switch-luser-network(guest)-user1] validity-datetime from 2015/4/1 08:00:00 to 2015/4/3 18:00:00
    # Specify the guest sponsor name as Sam.
    [Switch-luser-network(guest)-user1] sponsor-full-name Sam
    # Configure the email address of the guest sponsor.
    [Switch-luser-network(guest)-user1] sponsor-email Sam@aa.com
    # Configure the department of the guest sponsor as security.
    [Switch-luser-network(guest)-user1] sponsor-department security
    [Switch-luser-network(guest)-user1] quit
    [Switch] quit...
  • Page 92 • The shared key is expert and the authentication port is 1812. • Exclude domain names from the usernames sent to the RADIUS server. • The user name for 802.1X authentication is dot1x. • After the user passes authentication, the RADIUS server authorizes VLAN 4 to the NAS port that the user is connecting to.
  • Page 93 # Enable 802.1X globally.
    [SwitchA] dot1x
    Configure the RADIUS server:
    # Create a network access user named dot1x.
    <SwitchB> system-view
    [SwitchB] local-user dot1x class network
    # Configure the password as 123456 in plaintext form.
    [SwitchB-luser-network-dot1x] password simple 123456
    # Configure VLAN 4 as the authorization VLAN.
    [SwitchB-luser-network-dot1x] authorization-attribute vlan 4
    [SwitchB-luser-network-dot1x] quit
    # Configure the IP address of the RADIUS client as 10.1.1.2 and the shared key as expert in...
  • Page 94: Troubleshooting Radius

    Troubleshooting RADIUS RADIUS authentication failure Symptom User authentication always fails. Analysis Possible reasons include: • A communication failure exists between the NAS and the RADIUS server. • The username is not in the userid@isp-name format, or the ISP domain is not correctly configured on the NAS.
  • Page 95: Radius Accounting Error

    The authentication and accounting UDP port numbers configured on the NAS are the same as those of the RADIUS server. The RADIUS server's authentication and accounting port numbers are available. If the problem persists, contact Hewlett Packard Enterprise Support.
    RADIUS accounting error. Symptom: A user is authenticated and authorized, but accounting for the user is not normal.
  • Page 96 Solution. To resolve the problem, verify the following items: The NAS and the LDAP server can ping each other. The IP address and port number of the LDAP server configured on the NAS match those of the server. The username is in the correct format and the ISP domain for the user authentication is...
  • Page 97: 802.1X Overview

    The port controls traffic by using one of the following methods: − Performs bidirectional traffic control to deny traffic to and from the client. − Performs unidirectional traffic control to deny traffic from the client. The HPE devices support only unidirectional traffic control.
  • Page 98: 802.1X-Related Protocols

    Figure 30 Authorization state of a controlled port (authenticator system 1 with its controlled port authorized and authenticator system 2 with its controlled port unauthorized; each system also has an uncontrolled port).
    802.1X-related protocols. 802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the access device, and the authentication server.
  • Page 99: Eap Over Radius

    • Data—Content of the EAP packet. This field appears only in a Request or Response EAP packet. The Data field contains the request type (or the response type) and the type data. Type 1 (Identity) and type 4 (MD5-Challenge) are two examples of the Type field. EAPOL packet format: Figure 32 shows the EAPOL packet format.
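The EAP and EAPOL layouts described above, as an added Python parser and builder (not code from the HPE guide). It uses the field sizes from IEEE 802.1X and RFC 3748: an EAPOL header of Version, Packet Type and Packet Body Length; an EAP header of Code, Identifier and Length; Request and Response packets carrying a Type byte and type data, with MD5-Challenge type data laid out as Value-Size, Value and Name. The sample frames are constructed here, not captured.

```python
"""Added example: parse and build EAPOL frames and the EAP packets they carry
(IEEE 802.1X / RFC 3748 layouts). Not code from the HPE guide; the sample
frames are constructed here."""
import struct
from dataclasses import dataclass
from typing import Optional

EAPOL_VERSION = 2                       # 802.1X-2004; version 1 is also seen on the wire
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


@dataclass
class EapPacket:
    code: int
    identifier: int
    type: Optional[int]      # None for Success/Failure, which carry no Data field
    type_data: bytes


def build_eap(code: int, identifier: int, eap_type: Optional[int] = None,
              type_data: bytes = b"") -> bytes:
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if eap_type is None:
            raise ValueError("Request/Response must carry a Type")
        data = bytes([eap_type]) + type_data
    else:
        data = b""               # Success/Failure: Code, Identifier, Length only
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def parse_eap(buf: bytes) -> EapPacket:
    if len(buf) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", buf[:4])
    if length < 4 or length > len(buf):
        raise ValueError("EAP Length field inconsistent with buffer")
    data = buf[4:length]         # bytes beyond Length are padding and are ignored
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not data:
            raise ValueError("Request/Response without Type")
        return EapPacket(code, identifier, data[0], data[1:])
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return EapPacket(code, identifier, None, b"")
    raise ValueError(f"unknown EAP code {code}")


def parse_md5_challenge(type_data: bytes):
    """MD5-Challenge type data: Value-Size (1), Value, Name. Returns (value, name)."""
    if not type_data:
        raise ValueError("empty MD5-Challenge")
    size = type_data[0]
    if 1 + size > len(type_data):
        raise ValueError("Value-Size exceeds Type-Data")
    return type_data[1:1 + size], type_data[1 + size:]


def build_eapol(packet_type: int, body: bytes = b"", version: int = EAPOL_VERSION) -> bytes:
    return struct.pack("!BBH", version, packet_type, len(body)) + body


def parse_eapol(frame: bytes):
    """Return (version, packet_type, EapPacket or None); rejects length mismatches."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, packet_type, body_len = struct.unpack("!BBH", frame[:4])
    if 4 + body_len > len(frame):
        raise ValueError("EAPOL Packet Body Length exceeds frame")
    body = frame[4:4 + body_len]
    eap = parse_eap(body) if packet_type == EAPOL_EAP_PACKET else None
    return version, packet_type, eap


# Constructed samples (not captured traffic): an EAP-Response/Identity for
# user hello@bbb and an EAP-Request/MD5-Challenge with a 16-byte challenge.
SAMPLE_IDENTITY = build_eapol(
    EAPOL_EAP_PACKET, build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"hello@bbb"))
SAMPLE_CHALLENGE = build_eapol(
    EAPOL_EAP_PACKET,
    build_eap(EAP_REQUEST, 2, EAP_TYPE_MD5_CHALLENGE, bytes([16]) + bytes(range(16)) + b"switch"))

if __name__ == "__main__":
    print(parse_eapol(SAMPLE_IDENTITY))
    print(parse_md5_challenge(parse_eapol(SAMPLE_CHALLENGE)[2].type_data))
```

Both length fields are checked against the buffer before any slice is taken; a frame whose EAPOL or EAP Length points past the end is rejected rather than silently parsed, which is the first thing an authenticator handling frames from an unauthenticated port should do.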
  • Page 100: 802.1X Authentication Initiation

    Figure 33 EAP-Message attribute format (Type=79, Length, Value carrying EAP packets).
    Message-Authenticator. As shown in Figure 34, RADIUS includes the Message-Authenticator attribute in all packets that have an EAP-Message attribute to check their integrity. The value is an HMAC-MD5 over the packet keyed with the shared key; the packet receiver drops the packet if the value it calculates is different from the Message-Authenticator attribute value.
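The EAP-Message and Message-Authenticator handling described above, as an added Python example (not code from the HPE guide). It builds a RADIUS Access-Request that carries an EAP packet in EAP-Message (type 79) attributes and a Message-Authenticator (type 80), computed as in RFC 3579 section 3.2: HMAC-MD5 over the whole packet, keyed with the shared secret, with the Message-Authenticator value set to 16 zero bytes; the receiver recomputes it and drops the packet on mismatch. The shared key, user name and EAP payload are constructed for the example.

```python
"""Added example: RADIUS Access-Request with EAP-Message (79) and
Message-Authenticator (80), and receiver-side verification (RFC 3579 sec. 3.2).
Not code from the HPE guide; shared key and packet contents are constructed."""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
HEADER_LEN = 20          # Code, Identifier, Length, 16-byte Authenticator
MAX_ATTR_VALUE = 253     # attribute Length is one byte and includes the 2-byte header


def attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def eap_message_attrs(eap_packet: bytes) -> bytes:
    """Split an EAP packet across as many EAP-Message attributes as needed."""
    return b"".join(attr(ATTR_EAP_MESSAGE, eap_packet[i:i + MAX_ATTR_VALUE])
                    for i in range(0, len(eap_packet), MAX_ATTR_VALUE))


def parse_attrs(packet: bytes) -> List[Tuple[int, int, bytes]]:
    """Return (type, offset of value, value) per attribute; reject bad lengths."""
    out, off = [], HEADER_LEN
    total = struct.unpack("!H", packet[2:4])[0]
    while off < total:
        t, l = packet[off], packet[off + 1]
        if l < 2 or off + l > total:
            raise ValueError("bad attribute length")
        out.append((t, off + 2, packet[off + 2:off + l]))
        off += l
    return out


def build_access_request(identifier: int, secret: bytes, attributes: bytes,
                         request_authenticator: Optional[bytes] = None) -> bytes:
    ra = request_authenticator or os.urandom(16)
    attrs = attributes + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zero placeholder
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs)) + ra + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    ma_off = HEADER_LEN + len(attributes) + 2
    return pkt[:ma_off] + mac + pkt[ma_off + 16:]


def verify_message_authenticator(packet: bytes, secret: bytes,
                                 request_authenticator: Optional[bytes] = None) -> bool:
    """True only if the packet is well formed, carries exactly one 16-byte
    Message-Authenticator, and it matches. For Access-Accept/Reject/Challenge pass
    the Request Authenticator of the matching request: the HMAC is computed with it
    in place of the header authenticator."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        attrs = parse_attrs(packet)
    except (ValueError, IndexError):
        return False
    mas = [(off, val) for t, off, val in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0][1]) != 16:
        return False      # absent (e.g. EAP-Message without it) or duplicated: drop
    off, received = mas[0]
    zeroed = bytearray(packet)
    zeroed[off:off + 16] = bytes(16)
    if request_authenticator is not None:
        zeroed[4:20] = request_authenticator
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def sample_request(secret: bytes = b"expert",
                   request_authenticator: bytes = bytes(range(16))) -> bytes:
    """Constructed Access-Request: User-Name plus an EAP-Response/Identity for hello@bbb."""
    eap = struct.pack("!BBH", 2, 1, 4 + 1 + 9) + bytes([1]) + b"hello@bbb"
    attrs = attr(ATTR_USER_NAME, b"hello@bbb") + eap_message_attrs(eap)
    return build_access_request(7, secret, attrs, request_authenticator)


if __name__ == "__main__":
    pkt = sample_request()
    print(verify_message_authenticator(pkt, b"expert"), verify_message_authenticator(pkt, b"wrong"))
```

The verifier insists on exactly one Message-Authenticator and uses a constant-time comparison; a packet that carries EAP-Message but no Message-Authenticator fails the check, which is the behaviour the guide describes for the receiving side.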
  • Page 101: 802.1X Authentication Procedures

    802.1X authentication procedures. 802.1X authentication has two methods: EAP relay and EAP termination. You choose either mode depending on support of the RADIUS server for EAP packets and EAP authentication methods. • EAP relay mode. EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAPOR packets to send authentication information to the RADIUS server, as shown in Figure 35. Figure 35 EAP relay...
  • Page 102: Eap Relay

    (Table continued: packet exchange method, benefits, limitations.) • The processing is complex on the access device.
    EAP relay. Figure 37 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that EAP-MD5 is used. Figure 37 802.1X authentication procedure in EAP relay mode (client, device, authentication server)...
  • Page 103: Eap Termination

  • Page 103 challenge (EAP-Request/MD5-Challenge) with which the password in the entry is hashed. Then, the server sends the challenge in a RADIUS Access-Challenge packet to the access device. The access device transmits the EAP-Request/MD5-Challenge packet to the client. The client computes an MD5 hash over the EAP identifier, its password, and the received challenge (the password itself is never sent), and returns the hash in an EAP-Response/MD5-Challenge packet to the access device.
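The MD5-Challenge computation behind both procedures (EAP relay with EAP-MD5, and EAP termination where the device repackages the answer as CHAP for the RADIUS server), as an added Python example that is not code from the HPE guide. The hash is the one defined for CHAP and EAP-MD5 in RFC 1994 and RFC 3748 section 5.4: MD5 over the one-byte identifier, the password and the challenge. Passwords, identifiers and challenges are constructed; the assumption that an EAP termination device reuses the EAP identifier as the CHAP identifier is this example's, not a statement from the guide.

```python
"""Added example: EAP-MD5 / CHAP challenge-response, server-side check, and the
EAP-termination repackaging into RADIUS CHAP attributes. Not code from the HPE
guide; passwords, identifiers and challenges are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE = 3, 60   # RADIUS attribute types (RFC 2865)


def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Response = MD5(Identifier || password || challenge). This is a hash, not
    encryption: the password is not recoverable from it, but it can be guessed offline."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def new_challenge(size: int = 16) -> bytes:
    """Fresh random challenge; reuse would let a captured response be replayed."""
    return os.urandom(size)


def server_check(identifier: int, stored_password: bytes, challenge: bytes,
                 response: bytes) -> bool:
    expected = md5_challenge_response(identifier, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def eap_termination_to_chap(eap_identifier: int, challenge: bytes,
                            response: bytes) -> Dict[int, bytes]:
    """EAP termination: the device generated the challenge itself, so it can forward
    the EAP-Response/MD5-Challenge as CHAP. CHAP-Password = CHAP Ident (1 byte) +
    16-byte hash. Assumption of this example: the EAP Identifier is reused as the
    CHAP Ident, which keeps the hash verifiable by a plain RADIUS/CHAP server."""
    if len(response) != 16:
        raise ValueError("MD5 response must be 16 bytes")
    return {ATTR_CHAP_PASSWORD: bytes([eap_identifier]) + response,
            ATTR_CHAP_CHALLENGE: challenge}


def radius_chap_check(attrs: Dict[int, bytes], stored_password: bytes) -> bool:
    """What a RADIUS server does with CHAP-Password and CHAP-Challenge."""
    pw = attrs[ATTR_CHAP_PASSWORD]
    return server_check(pw[0], stored_password, attrs[ATTR_CHAP_CHALLENGE], pw[1:])


def offline_guess(identifier: int, challenge: bytes, response: bytes,
                  candidates: Iterable[bytes]) -> Optional[bytes]:
    """Why MD5-Challenge needs a protected link: one observed challenge/response
    pair is enough to test password guesses offline, with no further interaction."""
    for pw in candidates:
        if md5_challenge_response(identifier, pw, challenge) == response:
            return pw
    return None


if __name__ == "__main__":
    ident, password, chal = 5, b"s3cret", new_challenge()
    resp = md5_challenge_response(ident, password, chal)          # what the client sends
    print(server_check(ident, password, chal, resp))             # True
    print(radius_chap_check(eap_termination_to_chap(ident, chal, resp), password))  # True
    print(offline_guess(ident, chal, resp, [b"123456", b"password", b"s3cret"]))   # b's3cret'
```

The last function is the caveat to the guide's wording: what travels over the link is a hash keyed only by a public challenge, so EAP-MD5 and CHAP protect the password against a passive observer only as far as the password resists a dictionary attack, and they authenticate nothing about the server.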
  • Page 104 Figure 38 802.1X authentication procedure in EAP termination mode (client and device exchange EAPOL; device and authentication server exchange RADIUS):
    (1) EAPOL-Start
    (2) EAP-Request/Identity
    (3) EAP-Response/Identity
    (4) EAP-Request/MD5-Challenge
    (5) EAP-Response/MD5-Challenge
    (6) RADIUS Access-Request (CHAP-Response/MD5-Challenge)
    (7) RADIUS Access-Accept (CHAP-Success)
    (8) EAP-Success; port authorized
    (9) EAP-Request/Identity
    (10) EAP-Response/Identity
    (11) EAPOL-Logoff; port unauthorized
    (12) EAP-Failure...
  • Page 105: Configuring 802.1X

    Configuring 802.1X This chapter describes how to configure 802.1X on an HPE device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network, a WLAN, for example, that requires different authentication methods for different users on a port.
  • Page 106 VLAN ID with suffix. The suffix can be t or u, which indicates whether the ports assigned to the VLAN are tagged members or not. For example, 2u indicates that the ports assigned to VLAN 2 are untagged members. NOTE: The access device converts VLAN names and VLAN group names into VLAN IDs before VLAN assignment.
  • Page 107: Guest Vlan

    Table 7 VLAN manipulation (port access control method / VLAN manipulation). Port-based: The device assigns the port to the first authenticated user's authorization VLAN. All subsequent 802.1X users can access the VLAN without authentication. If the port is assigned to the authorization VLAN as an untagged member, the authorization VLAN becomes the PVID.
  • Page 108: Auth-Fail Vlan

    (Authentication status / VLAN manipulation, continued.) ... 802.1X authentication: 802.1X users on this port can access only resources in the guest VLAN. If no 802.1X guest VLAN is configured, the access device does not perform any VLAN operation. If an 802.1X Auth-Fail VLAN (see "Auth-Fail VLAN") is available, the device assigns the Auth-Fail VLAN to the port as the PVID.
  • Page 109: Critical Vlan

    The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control method.
    • On a port that performs port-based access control (authentication status / VLAN manipulation): A user fails 802.1X authentication: The device assigns the Auth-Fail VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the Auth-Fail...
  • Page 110 not assigned to the critical VLAN. For more information about the authentication methods, see "Configuring AAA." The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control method. • On a port that performs port-based access control: Authentication status VLAN manipulation A user that has not been assigned to any...
  • Page 111: Critical Voice Vlan

    (Authentication status / VLAN manipulation, continued.) ... the device remaps the MAC address of the user to the initial PVID. A user in the 802.1X critical VLAN passes 802.1X authentication: The device remaps the MAC address of the user to the authorization VLAN. If the authentication server (either the local access...
  • Page 112: Using 802.1X Authentication With Other Features

    Using 802.1X authentication with other features ACL assignment You can specify an ACL for an 802.1X user to control the user's access to network resources. After the user passes 802.1X authentication, the authentication server assigns the ACL to the access port to filter traffic from this user.
  • Page 113: Smarton

    EAD rules are implemented by using ACL resources. When the EAD rule timer expires or the user passes authentication, the rule is removed. If users fail to download EAD client or fail to pass authentication before the timer expires, they must reconnect to the network to access the free IP. SmartOn The SmartOn feature was developed to support the NEC 802.1X client.
  • Page 114: 802.1X Configuration Task List

    • If local authentication is used, create local user accounts on the access device and set the service type to lan-access. 802.1X configuration task list Tasks at a glance (Required.) Enabling 802.1X (Required.) Enabling EAP relay or EAP termination (Optional.) Setting the port authorization state (Optional.) Specifying an access control method...
  • Page 115: Enabling Eap Relay Or Eap Termination

    1. Enable 802.1X globally: dot1x. By default, 802.1X is disabled globally.
    2. Enter Ethernet interface view: interface interface-type interface-number
    3. Enable 802.1X on a port: dot1x. By default, 802.1X is disabled on a port.
    Enabling EAP relay or EAP termination. When configuring EAP relay or EAP termination, consider the following factors: •...
  • Page 116: Specifying An Access Control Method

    • authorized-force—Places the port in the authorized state, enabling users on the port to access the network without authentication. • unauthorized-force—Places the port in the unauthorized state, denying any access requests from users on the port. • auto—Places the port initially in unauthorized state to allow only EAPOL packets to pass. After a user passes authentication, sets the port in the authorized state to allow access to the network.
  • Page 117: Setting The Maximum Number Of Authentication Request Attempts

    Setting the maximum number of authentication request attempts The access device retransmits an authentication request if it does not receive any responses to the request from the client within a period of time. To set the time, use the dot1x timer tx-period tx-period-value command or the dot1x timer supp-timeout supp-timeout-value command.
  • Page 118: Configuration Restrictions And Guidelines

    Typically, the device does not reply to 802.1X clients' EAP-Response/Identity packets with EAP-Success packets. Some 802.1X clients will go offline if they do not receive the EAP-Success packets for handshake. To avoid this problem, enable the online user handshake reply feature. If iNode clients are deployed, you can also enable the online user handshake security feature to check authentication information in the handshake packets from clients.
  • Page 119: Configuration Restrictions And Guidelines

    This feature provides the multicast trigger and unicast trigger (see 802.1X authentication initiation in "802.1X overview"). Configuration restrictions and guidelines When you configure the authentication trigger feature, follow these restrictions and guidelines: • Enable the multicast trigger on a port when the clients attached to the port cannot send EAPOL-Start packets to initiate 802.1X authentication.
  • Page 120: Setting The Quiet Timer

    Setting the quiet timer The quiet timer enables the access device to wait a period of time before it can process any authentication request from a client that has failed an 802.1X authentication. You can edit the quiet timer, depending on the network conditions. •...
  • Page 121: Configuring 802.1X Periodic Reauthentication

    • You can set the periodic reauthentication timer either in system view or in interface view by using the dot1x timer reauth-period command. A change to the periodic reauthentication timer applies to online users only after the old timer expires. The device selects a periodic reauthentication timer for 802.1X reauthentication in the following order: a.
  • Page 122: Configuring An 802.1X Guest Vlan

    ... Enable the keep-online feature for 802.1X users: ... server-unreachable keep-online. By default, the device logs off online 802.1X users if no authentication server is reachable for 802.1X reauthentication, either manually or periodically. Use the keep-online feature according to the actual network condition. In a fast-recovery network, you can use the keep-online feature to prevent 802.1X users from coming online and going offline...
  • Page 123: Configuration Procedure

    Configure the port as a hybrid port. Enable MAC-based VLAN on the port. For more information about MAC-based VLANs, see Layer 2—LAN Switching Configuration Guide. Assign the port to the 802.1X guest VLAN as an untagged member.
    Configuration procedure. To configure an 802.1X guest VLAN: Step...
  • Page 124: Configuration Prerequisites

    • Assign different IDs to the voice VLAN, the port VLAN, and the 802.1X Auth-Fail VLAN on a port. The assignment makes sure the port can correctly process VLAN-tagged incoming traffic. • You can configure only one 802.1X Auth-Fail VLAN on a port. The 802.1X Auth-Fail VLANs on different ports can be different.
  • Page 125: Configuration Restrictions And Guidelines

    cannot respond to the EAP-Request/Identity packets of the device if they have received an EAP-Failure packet. As a result, reauthentication fails for these clients when an authentication server is reachable. To solve this problem, configure the device to send EAP-Success packets instead of EAP-Failure packets for 802.1X user assignment to the 802.1X critical VLAN.
  • Page 126: Enabling The 802.1X Critical Voice Vlan

    Enabling the 802.1X critical voice VLAN Configuration restrictions and guidelines The feature does not take effect if the voice user has been in the 802.1X Auth-Fail VLAN. Configuration prerequisites Before you enable the 802.1X critical voice VLAN on a port, complete the following tasks: •...
  • Page 127: Enabling 802.1X User Ip Freezing

    NOTE: If you configure the access device to send usernames with domain names to the RADIUS server, make sure the domain delimiter can be recognized by the RADIUS server. For username format configuration, see the user-name-format command in Security Command Reference. Enabling 802.1X user IP freezing This feature works with the IP source guard feature.
  • Page 128: Setting The Maximum Number Of 802.1X Authentication Attempts For Mac Authenticated Users

    Setting the maximum number of 802.1X authentication attempts for MAC authenticated users When a port uses both 802.1X authentication and MAC authentication, the device accepts 802.1X authentication requests from MAC authenticated users. If a MAC authenticated user passes 802.1X authentication, the user will come online as an 802.1X user. If the user fails 802.1X authentication, the user continues to make 802.1X authentication attempts depending on client configuration.
  • Page 129: Configuring 802.1X Smarton

    ... ip-address { mask-length | mask-address }
    (Optional.) Configure the redirect URL: dot1x ead-assistant url url-string. By default, no redirect URL exists. Configure the redirect URL if users will use Web browsers to access the network.
    (Optional.) Set the EAD rule timer: dot1x timer ead-timeout ... The default setting is 30 minutes.
  • Page 130: Displaying And Maintaining 802.1X

    Displaying and maintaining 802.1X. Execute display commands in any view and reset commands in user view.
    • Display 802.1X session information, statistics, or configuration information of specified or all ports: display dot1x [ sessions | statistics ] [ interface interface-type interface-number ]
    • (In standalone mode.) Display online ...: display dot1x connection [ interface interface-type interface-number | slot slot-number | user-mac mac-address |...
  • Page 131 Configuration procedure Configure the 802.1X client. If an iNode client is used, do not select the Carry version info option in the client configuration. (Details not shown.) Configure the RADIUS servers and add user accounts for the 802.1X users. (Details not shown.) For information about the RADIUS commands used on the access device in this example, see Security Command Reference.
  • Page 132: Guest Vlan And Authorization Vlan Configuration Example

    Configure 802.1X:
    # Enable 802.1X on GigabitEthernet 1/0/1.
    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] dot1x
    # Enable MAC-based access control on the port. By default, the port uses MAC-based access control.
    [Device-GigabitEthernet1/0/1] dot1x port-method macbased
    # Specify ISP domain bbb as the mandatory domain.
    [Device-GigabitEthernet1/0/1] dot1x mandatory-domain bbb
    [Device-GigabitEthernet1/0/1] quit
    # Enable 802.1X globally.
  • Page 133 Figure 41 Network diagram: Device with ports GE1/0/1 through GE1/0/4 connecting a Host, an Update server (VLAN 10), an Authentication server (VLAN 2), and the Internet (VLAN 5); the host port starts in VLAN 1. The panels show the port before authentication, the port assigned to the guest VLAN, and...
  • Page 134 [Device-radius-2000] primary authentication 10.11.1.1 1812
    # Specify the server at 10.11.1.1 as the primary accounting server, and set the accounting port to 1813.
    [Device-radius-2000] primary accounting 10.11.1.1 1813
    # Set the shared key to abc in plain text for secure communication between the authentication server and the device.
  • Page 135: 802.1X With Acl Assignment Configuration Example

    802.1X with ACL assignment configuration example Network requirements As shown in Figure 42, the host that connects to GigabitEthernet 1/0/1 must pass 802.1X authentication to access the Internet. Perform 802.1X authentication on GigabitEthernet 1/0/1. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server, and the RADIUS server at 10.1.1.2 as the accounting server.
  • Page 136: With Ead Assistant Configuration Example (With Dhcp Relay Agent)

    [Device-radius-2000] user-name-format without-domain
    [Device-radius-2000] quit
    Configure an ISP domain:
    # Create ISP domain bbb and enter ISP domain view.
    [Device] domain bbb
    # Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and accounting.
    [Device-isp-bbb] authentication lan-access radius-scheme 2000
    [Device-isp-bbb] authorization lan-access radius-scheme 2000
    [Device-isp-bbb] accounting lan-access radius-scheme 2000
    [Device-isp-bbb] quit...
  • Page 137 • The intranet 192.168.1.0/24 is attached to GigabitEthernet 1/0/1 of the access device. • The hosts use DHCP to obtain IP addresses. • A DHCP server and a Web server are deployed on the 192.168.2.0/24 subnet for users to obtain IP addresses and download client software. Deploy an EAD solution for the intranet to meet the following requirements: •...
  • Page 138 # Specify the server at 10.1.1.1 as the primary authentication server, and set the authentication port to 1812.
    [Device-radius-2000] primary authentication 10.1.1.1 1812
    # Specify the server at 10.1.1.2 as the primary accounting server, and set the accounting port to 1813.
  • Page 139: With Ead Assistant Configuration Example (With Dhcp Server)

    Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
    Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
    Ping statistics for 192.168.2.3:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms
    The output shows that you can access the free IP subnet before passing 802.1X authentication.
  • Page 140 Configure an IP address for each interface. (Details not shown.) Configure the DHCP server: # Enable DHCP. <Device> system-view [Device] dhcp enable # Enable the DHCP server on VLAN-interface 2. [Device] interface vlan-interface 2 [Device-Vlan-interface2] dhcp select server [Device-Vlan-interface2] quit # Create DHCP address pool 0.
  • Page 141: 802.1X Smarton Configuration Example

    [Device] dot1x ead-assistant url http://192.168.2.3 # Enable the EAD assistant feature. [Device] dot1x ead-assistant enable # Enable 802.1X on GigabitEthernet 1/0/1. [Device] interface gigabitethernet 1/0/1 [Device-GigabitEthernet1/0/1] dot1x [Device-GigabitEthernet1/0/1] quit # Enable 802.1X globally. [Device] dot1x Verifying the configuration # Verify the 802.1X configuration. [Device] display dot1x # Verify that you can ping an IP address on the free IP subnet from a host.
  • Page 142 Figure 45 Network diagram RADIUS server Auth: 10.1.1.1 Acct: 10.1.1.2 GE1/0/2 GE1/0/3 GE1/0/1 Internet Vlan-int2 192.168.1.1/24 Device Host 192.168.1.10/24 Configuration procedure Configure a RADIUS scheme: # Create RADIUS scheme 2000 and enter RADIUS scheme view. <Device> system-view [Device] radius scheme 2000 # Specify the server at 10.1.1.1 as the primary authentication server, and set the authentication port to 1812.
  • Page 143: Troubleshooting 802.1X

    [Device-GigabitEthernet1/0/1] quit # Set the SmartOn password to 1234 in plain text and the switch ID to XYZ. [Device] dot1x smarton password simple 1234 [Device] dot1x smarton switchid XYZ # Set the SmartOn client timeout timer to 40 seconds. [Device] smarton timer supp-timeout 40 # Enable 802.1X globally.
  • Page 144: Configuring Mac Authentication

    Configuring MAC authentication Overview MAC authentication controls network access by authenticating source MAC addresses on a port. The feature does not require client software, and users do not have to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication-enabled port.
  • Page 145: Vlan Assignment

    VLAN assignment Authorization VLAN The device uses the authorization VLAN to control the access of a MAC authentication user to authorized network resources. The device supports the following VLAN authorization methods: • Remote VLAN authorization—The authorization VLAN information of a MAC authentication user is assigned by a remote server.
  • Page 146: Acl Assignment

    Table 11 shows the way that the network access device handles guest VLANs for MAC authentication users. Table 11 VLAN manipulation. Authentication status: A user in the MAC authentication guest VLAN fails MAC authentication for any reason other than server unreachable. VLAN manipulation: The user is still in the MAC authentication guest VLAN.
  • Page 147: Redirect Url Assignment

    The ACL will filter traffic for this user. You must configure ACL rules for the authorization ACL on the access device for the ACL assignment feature. To ensure a successful ACL assignment, make sure the ACL does not contain rules that match source MAC addresses.
  • Page 148: Enabling Mac Authentication

    Tasks at a glance (Optional.) Configuring MAC authentication timers (Optional.) Setting the maximum number of concurrent MAC authentication users on a port (Optional.) Enabling MAC authentication multi-VLAN mode on a port (Optional.) Configuring MAC authentication delay (Optional.) Enabling parallel processing of MAC authentication and 802.1X authentication (Optional.) Configuring a MAC authentication guest VLAN (Optional.) Configuring a MAC authentication critical VLAN...
  • Page 149: Configuring The User Account Format

    Step Command Remarks. Step: Specify an authentication domain for MAC authentication users. Command: In system view: mac-authentication domain domain-name. In interface view: a. interface interface-type interface-number; b. mac-authentication domain domain-name. Remarks: By default, the system default domain is used for MAC authentication users. Configuring the user account format Step...
  • Page 150: Setting The Maximum Number Of Concurrent Mac Authentication Users On A Port

    Setting the maximum number of concurrent MAC authentication users on a port Perform this task to prevent the system resources from being overused. To set the maximum number of concurrent MAC authentication users on a port: Step Command Remarks 1. Enter system view. Command: system-view. 2. Enter interface view. Command: interface interface-type...
  • Page 151: Enabling Parallel Processing Of Mac Authentication And 802.1X Authentication

    port security mode mac-else-userlogin-secure or mac-else-userlogin-secure-ext when you use MAC authentication delay. The delay does not take effect on a port in either of the two modes. For more information about port security modes, see "Configuring port security." To configure MAC authentication delay: Step Command Remarks...
  • Page 152: Configuration Procedure

    For information about port security mode configuration, see "Configuring port security." Configuration procedure To enable parallel processing of MAC authentication and 802.1X authentication on a port: Step Command Remarks 1. Enter system view. Command: system-view. 2. Enter Ethernet interface view. Command: interface interface-type interface-number. 3. Enable parallel processing of MAC... Command: mac-authentication...
  • Page 153: Configuration Procedure

    Configuration procedure To configure the MAC authentication guest VLAN on a port: Step Command Remarks 1. Enter system view. Command: system-view. 2. Enter Ethernet interface view. Command: interface interface-type interface-number. 3. Specify the MAC authentication guest VLAN on the port. Command: mac-authentication guest-vlan guest-vlan-id. Remarks: By default, no MAC authentication guest VLAN exists. You can configure only one MAC...
  • Page 154: Enabling The Mac Authentication Critical Voice Vlan

    Step Command Remarks 1. Enter system view. Command: system-view. 2. Enter Ethernet interface view. Command: interface interface-type interface-number. 3. Specify the MAC authentication critical VLAN on the port. Command: mac-authentication critical vlan critical-vlan-id. Remarks: By default, no MAC authentication critical VLAN exists. You can configure only one MAC authentication critical VLAN on a port.
  • Page 155: Configuration Restrictions And Guidelines

    status of online users and updates the authorization attributes assigned by the server. The attributes include the ACL and VLAN. By default, the device logs off online MAC authentication users if no server is reachable for MAC reauthentication. The keep-online feature keeps authenticated MAC authentication users online when no server is reachable for MAC reauthentication.
  • Page 156: Including User Ip Addresses In Mac Authentication Requests

    Step Command Remarks (Optional.) Set the periodic reauthentication timer on the port. Command: mac-authentication timer reauth-period reauth-period-value. Remarks: By default, no periodic reauthentication timer is set on a port. The port uses the global periodic MAC reauthentication timer. (Optional.) Enable the keep-online feature for authenticated MAC... Command: mac-authentication... Remarks: By default, the keep-online...
  • Page 157: Displaying And Maintaining Mac Authentication

    time. For more information about the offline detect timer, see "Configuring MAC authentication timers." Disabling this feature prevents the device from inspecting the online user status. To enable MAC authentication offline detection: Step Command Remarks 1. Enter system view. Command: system-view. 2. Enter Ethernet interface view. Command: interface interface-type...
  • Page 158 • Deny a user for 180 seconds if the user fails MAC authentication. • Authenticate all users in ISP domain bbb. • Use the MAC address of each user as the username and password for authentication. A MAC address is in the hexadecimal notation with hyphens, and letters are in lower case. Figure 46 Network diagram Host A GE1/0/1...
  • Page 159: Radius-Based Mac Authentication Configuration Example

    Username : mac Password : Not configured Offline detect period : 180 s Quiet period : 180 s Server timeout : 100 s Reauth period : 3600 s Authentication domain : bbb Online MAC-auth users Silent MAC users: MAC address VLAN ID From port Port index...
  • Page 160 Figure 47 Network diagram RADIUS servers Auth:10.1.1.1 Acct:10.1.1.2 GE1/0/1 IP network Host Device Configuration procedure Make sure the RADIUS server and the access device can reach each other. (Details not shown.) Configure the RADIUS servers: # Create a shared account for MAC authentication users. (Details not shown.) # Set username aaa and password 123456 for the account.
  • Page 161: Acl Assignment Configuration Example

    [Device] mac-authentication Verifying the configuration # Verify the MAC authentication configuration. [Device] display mac-authentication Global MAC authentication parameters: MAC authentication : Enabled Username format : Fixed account Username : aaa Password : ****** Offline detect period : 180 s Quiet period : 180 s Server timeout : 100 s...
  • Page 162 • Use MAC-based user accounts for MAC authentication users. Each MAC address is in the hexadecimal notation with hyphens, and letters are in lower case. • Use an ACL to deny authenticated users access to the FTP server at 10.0.0.1. Figure 48 Network diagram RADIUS servers Auth:10.1.1.1...
  • Page 163 [Device-GigabitEthernet1/0/1] quit # Enable MAC authentication globally. [Device] mac-authentication Configure the RADIUS servers: # Add a user account with 00-e0-fc-12-34-56 as both the username and password on each RADIUS server. (Details not shown.) # Specify ACL 3000 as the authorization ACL for the user account. (Details not shown.) Verifying the configuration # Verify the MAC authentication configuration.
  • Page 164 Pinging 10.0.0.1 with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out. Ping statistics for 10.0.0.1: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), The output shows that ACL 3000 has been assigned to GigabitEthernet 1/0/1 to deny access to the FTP server.
  • Page 165: Configuring Portal Authentication

    Users can access more network resources after passing the security check. Security check must cooperate with the HPE IMC security policy server and the iNode client. Portal system components A typical portal system consists of these basic components: authentication client, access device,...
  • Page 166 Figure 49 Portal system components Portal authentication server Authentication client Portal Web server Authentication client Access device AAA server Authentication client Security policy server Authentication client An authentication client is a Web browser that runs HTTP/HTTPS or a user host that runs a portal client application.
  • Page 167: Portal System Using The Local Portal Web Server

    Web browser. When receiving the HTTP or HTTPS request, the access device redirects it to the Web authentication page provided by the portal Web server. The user can also visit the authentication website to log in. The user must log in through the HPE iNode client for extended portal functions.
  • Page 168: Portal Authentication Modes

    Re-DHCP authentication saves public IP addresses. For example, an ISP can allocate public IP addresses to broadband users only when they access networks beyond the residential community network. Only the HPE iNode client supports re-DHCP authentication. IPv6 portal authentication does not support the re-DHCP authentication mode. Cross-subnet authentication Cross-subnet authentication is similar to direct authentication, except it allows Layer 3 forwarding devices to exist between the authentication client and the access device.
  • Page 169: Portal Authentication Process

    EAP authentication. NOTE: • To use portal authentication that supports EAP, the portal authentication server and client must be the HPE IMC portal server and the HPE iNode portal client. • Local portal authentication does not support EAP authentication.
  • Page 170 The portal Web server submits the user authentication information to the portal authentication server. The portal authentication server and the access device exchange CHAP messages. This step is skipped for PAP authentication. The portal authentication server decides the method (CHAP or PAP) to use.
  • Page 171: Portal Filtering Rules

    After receiving the authentication success packet, the client obtains a public IP address through DHCP. The client then notifies the portal authentication server that it has a public IP address. The portal authentication server notifies the access device that the client has obtained a public IP address.
  • Page 172: Portal Configuration Task List

    The access device sends a MAC binding query to the MAC binding server. The MAC binding server checks whether the MAC address of the user is bound with a portal user account. If yes, the MAC binding server sends the user authentication information to the access ...
  • Page 173: Configuration Prerequisites

    Tasks at a glance Web redirect does not work when both Web redirect and portal authentication are enabled. (Optional.) Applying a NAS-ID profile to an interface (Optional.) Configuring the local portal Web server feature (Optional.) Enabling ARP or ND entry conversion for portal clients (Optional.) Configuring HTTPS redirect (Optional.)
  • Page 174: Configuring A Portal Web Server

    Do not delete a portal authentication server in use. Otherwise, users authenticated by that server cannot log out normally. To configure a portal authentication server: Step Command Remarks 1. Enter system view. Command: system-view. 2. Create a portal authentication server, and... Command: portal server server-name. Remarks: By default, no portal authentication servers exist.
  • Page 175: Enabling Portal Authentication

    To configure a portal Web server: Step Command Remarks 1. Enter system view. Command: system-view. 2. Create a portal Web server and enter its view. Command: portal web-server server-name. Remarks: By default, no portal Web servers exist. 3. Specify the VPN instance to which the portal Web server belongs. Command: vpn-instance vpn-instance-name. Remarks: By default, the portal Web server belongs to the public network.
  • Page 176: Configuration Procedure

    • Cross-subnet authentication mode (layer3) does not require Layer 3 forwarding devices between the access device and the portal authentication clients. However, if a Layer 3 forwarding device exists between the authentication client and the access device, you must use the cross-subnet portal authentication mode.
  • Page 177: Controlling Portal User Access

    Controlling portal user access Configuring a portal-free rule A portal-free rule allows specified users to access specified external websites without portal authentication. The matching items for a portal-free rule include the host name, source/destination IP address, TCP/UDP port number, source MAC address, access interface, and VLAN. Packets matching a portal-free rule will not trigger portal authentication, so users sending the packets can directly access the specified external websites.
  • Page 178: Configuring An Authentication Source Subnet

    To configure a destination-based portal-free rule: Step Command Remarks 1. Enter system view. Command: system-view. 2. Configure a destination-based portal-free rule. Command: portal free-rule rule-number destination host-name. Remarks: By default, no destination-based portal-free rule exists. Configuring an authentication source subnet By configuring authentication source subnets, you specify that only HTTP packets from users on the authentication source subnets can trigger portal authentication.
  • Page 179: Configuring An Authentication Destination Subnet

    Step Command Remarks ...subnet. ...prefix-length ...configured, and IPv6 users from any subnets must pass portal authentication. Configuring an authentication destination subnet By configuring authentication destination subnets, you specify that users trigger portal authentication only when they access the specified subnets (excluding the destination IP addresses and subnets specified in portal-free rules).
  • Page 180: Specifying A Portal Authentication Domain

    Make sure the maximum combined number of IPv4 and IPv6 portal users specified on all interfaces does not exceed the system-allowed maximum number. Otherwise, the portal users beyond that maximum will not be able to log in to the device. To set the maximum number of total portal users allowed in the system: Step Command...
  • Page 181: Specifying A Preauthentication Domain

    Step Command Remarks 1. Enter system view. Command: system-view. 2. Enter interface view. Command: interface interface-type interface-number. 3. Specify an IPv6 portal authentication domain. Command: portal ipv6 domain domain-name. Remarks: By default, no ISP domain is specified for IPv6 portal users on the interface. Specifying a preauthentication domain The preauthentication domain takes effect only on portal users with IP addresses obtained through DHCP or DHCPv6.
  • Page 182: Enabling Strict-Checking On Portal Authorization Information

    • Portal users access the network through a subinterface of the portal-enabled interface. • The subinterface does not have an IP address. • Portal users need to obtain IP addresses through DHCP. After a user connects to a portal-enabled interface, the user uses an IP address for portal authentication according to the following rules: •...
  • Page 183: Enabling Portal Authentication Only For Dhcp Users

    Step Command Remarks 1. Enter system view. Command: system-view. 2. Enter interface view. Command: interface interface-type interface-number. 3. Enable strict checking mode on portal... Command: portal authorization { acl | ... Remarks: By default, the strict checking mode is disabled. In this case, the portal users stay online even when the authorized ACLs do not exist or fail to be deployed.
  • Page 184: Configuring Portal Detection Features

    Step Command Remarks Enable outgoing packets filtering. Command: portal [ ipv6 ] outbound-filter enable. Remarks: By default, outgoing packets filtering is disabled. The interface can send any packets. Configuring portal detection features Configuring online detection of portal users Configure online detection to quickly detect abnormal logouts of portal users. •...
  • Page 185: Configuring Portal Authentication Server Detection

    Step Command Remarks Configure online detection of IPv6 portal users. Command: portal ipv6 user-detect type { icmpv6 | nd } [ retry retries ] [ interval interval ] [ idle time ]. Remarks: By default, this feature is disabled on the interface. Configuring portal authentication server detection During portal authentication, if the communication between the access device and portal authentication server is broken, both of the following occur:...
  • Page 186: Configuring Portal Web Server Detection

    Configuring portal Web server detection A portal authentication process cannot complete if the communication between the access device and the portal Web server is broken. To address this problem, you can enable portal Web server detection on the access device. With the portal Web server detection feature, the access device simulates a Web access process to initiate a TCP connection to the portal Web server.
  • Page 187: Configuring The Portal Fail-Permit Feature

    If a user contained in the packet does not exist on the access device, the access device informs the portal authentication server to delete the user. The access device starts the synchronization detection timer (timeout timeout) immediately when a user logs in. If the user does not appear in any synchronization packet within a synchronization detection...
  • Page 188: Configuring Bas-Ip For Unsolicited Portal Packets Sent To The Portal Authentication Server

    Configuring BAS-IP for unsolicited portal packets sent to the portal authentication server If the device runs Portal 2.0, the unsolicited packets sent to the portal authentication server must carry the BAS-IP attribute. If the device runs Portal 3.0, the unsolicited packets sent to the portal authentication server must carry the BAS-IP or BAS-IPv6 attribute.
  • Page 189: Specifying A Format For The Nas-Port-Id Attribute

    If portal roaming is disabled, to access external network resources from a Layer 2 port different from the current access port in the VLAN, the user must do the following: • First log out from the current port. • Then re-authenticate on the new Layer 2 port. To enable portal roaming: Step Command...
  • Page 190: Configuring Web Redirect

    Step Command 1. Enter system view. Command: system-view. 2. Log out IPv4 online portal users. Command: portal delete-user { ipv4-address | all | interface interface-type interface-number }. 3. Log out IPv6 online portal users. Command: portal delete-user { all | interface interface-type interface-number | ipv6 ipv6-address }. Configuring Web redirect Web redirect is a simplified portal feature.
  • Page 191: Configuring The Local Portal Web Server Feature

    You can apply a NAS-ID profile to a portal-enabled interface. If no NAS-ID profile is specified on the interface or no matching NAS-ID is found in the specified profile, the device uses the device name as the interface NAS-ID. To apply a NAS-ID profile to an interface: Step Command Remarks...
  • Page 192 File name rules The names of the main authentication page files are fixed (see Table 14). You can define the names of the files other than the main authentication page files. File names and directory names are case insensitive. Table 14 Main authentication page file names Main authentication page File name Logon page...
  • Page 193: Configuring A Local Portal Web Server

    <p><input type=SUBMIT value="Logoff" name="PtButton" style="width:60px;"> </form> Page file compression and saving rules You must compress the authentication pages and their page elements into a standard zip file. • The name of a zip file can contain only letters, numbers, and underscores. •...
  • Page 194: Enabling Arp Or Nd Entry Conversion For Portal Clients

    Step Command Remarks Create a local portal Web server and enter its view. Command: portal local-web-server { http | https ssl-server-policy policy-name }. Remarks: By default, no local portal Web servers exist. Specify the default authentication page file for... Command: default-logon-page filename. Remarks: By default, no default authentication page file is specified for the local portal Web...
  • Page 195: Configuring Mac-Based Quick Portal Authentication

    Step Command Remarks 1. Enter system view. Command: system-view. 2. Create an SSL server policy and enter its view. Command: ssl server-policy policy-name. Remarks: By default, no SSL server policies exist on the device. The name of the SSL server policy for HTTPS redirect must be https_redirect.
  • Page 196: Specifying A Mac Binding Server On An Interface

    Step Command Remarks (Optional.) Specify the version of the portal protocol. Command: version version-number. Remarks: By default, the version of the portal protocol is 1. (Optional.) Specify the timeout the device waits for portal authentication to complete after receiving the... Command: authentication-timeout minutes. Remarks: By default, the portal authentication timeout time is 3 minutes.
  • Page 197: Portal Configuration Examples

    Task Command. Task: Display portal filtering rules (in standalone mode). Command: display portal rule { all | dynamic | static } interface interface-type interface-number [ slot slot-number ]. Task: Display portal filtering rules (in IRF mode). Command: display portal rule { all | dynamic | static } interface interface-type interface-number [ chassis chassis-number slot slot-number ]. Display portal configuration and portal running state...
  • Page 198 Figure 54 Network diagram Portal server Vlan-int100 Vlan-int2 192.168.0.111/24 2.2.2.1/24 192.168.0.100/24 Host Switch 2.2.2.2/24 Gateway: 2.2.2.1/24 RADIUS server 192.168.0.112/24 Configuration prerequisites • Configure IP addresses for the host, switch, and servers as shown in Figure 54 and make sure they can reach each other. •...
  • Page 199 a. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to open the portal IP address group configuration page. b. Click Add to open the page as shown in Figure c. Enter the IP group name. d.
  • Page 200 Figure 57 Adding a portal device Associate the portal device with the IP address group: a. As shown in Figure 58, click the icon in the Port Group Information Management column of device NAS to open the port group configuration page. b.
  • Page 201 Figure 59 Adding a port group Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configuring the switch Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <Switch>...
  • Page 202 # Configure a portal authentication server. [Switch] portal server newpt [Switch-portal-server-newpt] ip 192.168.0.111 key simple portal [Switch-portal-server-newpt] port 50100 [Switch-portal-server-newpt] quit # Configure a portal Web server. [Switch] portal web-server newpt [Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal [Switch-portal-websvr-newpt] quit # Enable direct portal authentication on VLAN-interface 100. [Switch] interface vlan-interface 100 [Switch-Vlan-interface100] portal enable method direct # Reference the portal Web server newpt on VLAN-interface 100.
  • Page 203: Configuring Re-Dhcp Portal Authentication

    IP address Prefix length A user can perform portal authentication by using the HPE iNode client or through a Web browser. Before passing the authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
  • Page 204 Figure 60 Network diagram Portal Server 192.168.0.111/24 Vlan-int100 20.20.20.1/24 Vlan-int2 10.0.0.1/24 sub 192.168.0.100/24 DHCP server Host Switch 192.168.0.112/24 automatically obtains an IP address RADIUS server 192.168.0.113/24 Configuration prerequisites and guidelines • Configure IP addresses for the switch and servers as shown in Figure 60 and make sure the host, switch, and servers can reach each other.
  • Page 205 [Switch] radius session-control enable Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Switch] domain dm1 # Configure AAA methods for the ISP domain. [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1 [Switch-isp-dm1] quit # Configure domain dm1 as the default ISP domain.
  • Page 206 IP address Prefix length Before passing the authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. After passing the authentication, the user can access other...
  • Page 207: Configuring Cross-Subnet Portal Authentication

    # After the user passes authentication, use the following command to display information about the portal user. [Switch] display portal user interface vlan-interface 100 Total portal users: 1 Username: abc Portal server: newpt State: Online VPN instance: N/A VLAN Interface 0015-e9a6-7cfe 20.20.20.2 Vlan-interface100...
  • Page 208 <SwitchA> system-view [SwitchA] radius scheme rs1 # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers. [SwitchA-radius-rs1] primary authentication 192.168.0.112 [SwitchA-radius-rs1] primary accounting 192.168.0.112 [SwitchA-radius-rs1] key authentication simple radius [SwitchA-radius-rs1] key accounting simple radius # Exclude the ISP domain name from the username sent to the RADIUS server.
  • Page 209 Verifying the configuration # Verify that the portal configuration has taken effect. [SwitchA] display portal interface vlan-interface 4 Portal information of Vlan-interface4 NAS-ID profile: Not configured VSRP instance : Not configured VSRP state : N/A Authorization : Strict checking : Disabled User profile : Disabled IPv4:...
  • Page 210: Configuring Extended Direct Portal Authentication

    A user can perform portal authentication by using the HPE iNode client or through a Web browser. Before passing the authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
  • Page 211 Configuration procedure Perform the following tasks on the switch. Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <Switch> system-view [Switch] radius scheme rs1 # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
  • Page 212 [Switch-portal-server-newpt] ip 192.168.0.111 key simple portal [Switch-portal-server-newpt] port 50100 [Switch-portal-server-newpt] quit # Configure a portal Web server. [Switch] portal web-server newpt [Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal [Switch-portal-websvr-newpt] quit # Enable direct portal authentication on VLAN-interface 100. [Switch] interface vlan-interface 100 [Switch-Vlan-interface100] portal enable method direct # Reference the portal Web server newpt on VLAN-interface 100.
  • Page 213: Configuring Extended Re-Dhcp Portal Authentication

    Destination authenticate subnet: IP address Prefix length Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. •...
  • Page 214 Figure 63 Network diagram Portal server 192.168.0.111/24 Vlan-int100 20.20.20.1/24 Vlan-int2 DHCP server 10.0.0.1/24 sub 192.168.0.100/24 192.168.0.112/24 Host Switch automatically obtains an IP address RADIUS server 192.168.0.113/24 Security policy server 192.168.0.114/24 Configuration prerequisites and guidelines • Configure IP addresses for the switch and servers as shown in Figure 63 and make sure the host, switch, and servers can reach each other.
  • Page 215 [Switch-radius-rs1] security-policy-server 192.168.0.114 [Switch-radius-rs1] quit # Enable RADIUS session control. [Switch] radius session-control enable Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Switch] domain dm1 # Configure AAA methods for the ISP domain. [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1...
  • Page 216 [Switch-portal-server-newpt] quit # Configure a portal Web server. [Switch] portal web-server newpt [Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal [Switch-portal-websvr-newpt] quit # Enable re-DHCP portal authentication on VLAN-interface 100. [Switch] interface vlan-interface 100 [Switch-Vlan-interface100] portal enable method redhcp # Reference the portal Web server newpt on VLAN-interface 100. [Switch-Vlan-interface100] portal apply web-server newpt # Configure the BAS-IP as 20.20.20.1 for portal packets sent from VLAN-interface 100 to the portal authentication server.
  • Page 217: Configuring Extended Cross-Subnet Portal Authentication

    Destination authenticate subnet: IP address Prefix length Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. •...
  • Page 218 Figure 64 Network diagram Switch A Vlan-int2 Portal server 192.168.0.100/24 192.168.0.111/24 Vlan-int4 20.20.20.1/24 Vlan-int4 RADIUS server 20.20.20.2/24 Vlan-int2 192.168.0.112/24 8.8.8.1/24 Switch B Host 8.8.8.2/24 Security policy server 192.168.0.113/24 Configuration prerequisites and guidelines • Configure IP addresses for the switch and servers as shown in Figure 64 and make sure the host, switch, and servers can reach each other.
  • Page 219 [SwitchA-isp-dm1] quit # Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user. [SwitchA] domain default enable dm1 Configure ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.
  • Page 220 Destination authenticate subnet: IP address Prefix length Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. •...
  • Page 221: Configuring Portal Server Detection And Portal User Synchronization

    # After the user passes identity authentication and security check, use the following command to display information about the portal user. [SwitchA] display portal user interface vlan-interface 4 Total portal users: 1 Username: abc Portal server: newpt State: Online VPN instance: N/A VLAN Interface 0000-0000-0000...
  • Page 222 • Configure the switch (access device) as follows: Configure direct portal authentication on VLAN-interface 100, the interface to which the host is connected. Configure portal authentication server detection, so that the switch can detect the reachability of the portal authentication server by cooperating with the portal server heartbeat function.
  • Page 223 f. Select the action Normal. g. Click OK. Figure 67 Adding an IP address group Add a portal device: a. Select User Access Manager > Portal Service Management > Device from the navigation tree to open the portal device configuration page. b.
  • Page 224 a. As shown in Figure 69, click the icon in the Port Group Information Management column of device NAS to open the port group configuration page. b. Click Add to open the page as shown in Figure c. Enter the port group name. d.
  • Page 225 [Switch-radius-rs1] user-name-format without-domain [Switch-radius-rs1] quit # Enable RADIUS session control. [Switch] radius session-control enable Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Switch] domain dm1 # Configure AAA methods for the ISP domain. [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1...
  • Page 226: Configuring Cross-Subnet Portal Authentication For Mpls L3Vpns

    [Switch-Vlan-interface100] portal bas-ip 2.2.2.1 [Switch-Vlan-interface100] quit Verifying the configuration # Use the following command to display information about the portal authentication server. [Switch] display portal server newpt Portal server: newpt : 192.168.0.111 VPN instance : Not configured Port : 50100 Server Detection : Timeout 40s Action: log...
  • Page 227 <SwitchA> system-view [SwitchA] radius scheme rs1 # For the RADIUS scheme, specify the VPN instance that is bound to the interface connected to the portal/RADIUS server. This example uses VPN instance vpn3. (For information about the VPN instance, see the MPLS L3VPN configuration on Switch A.) [SwitchA-radius-rs1] vpn-instance vpn3 # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
  • Page 228: Configuring Direct Portal Authentication With A Preauthentication Domain

    [SwitchA-Vlan-interface3] portal apply web-server newpt # Configure the BAS-IP as 3.3.0.3 for portal packets sent from VLAN-interface 3 to the portal authentication server. [SwitchA-Vlan-interface3] portal bas-ip 3.3.0.3 [SwitchA-Vlan-interface3] quit Verifying the configuration # Verify the portal configuration by executing the display portal interface command. (Details not shown.) # After the user passes authentication, execute the display portal user command to display the portal user information.
  • Page 229 • Configure the RADIUS server correctly to provide authentication and accounting functions. Configuration procedure Perform the following tasks on the switch. Configure a preauthentication IP address pool: # Configure DHCP address pool pre to assign IP addresses and other configuration parameters to clients on subnet 2.2.2.0/24.
  • Page 230: Configuring Re-Dhcp Portal Authentication With A Preauthentication Domain

    [Switch-Vlan-interface100] quit Verifying the configuration # Verify the portal configuration by executing the display portal interface command. (Details not shown.) # Display information about preauthentication portal users. [Switch] display portal user pre-authenticate interface vlan-interface 100 VLAN Interface 0015-e9a6-7cfe 10.10.10.4 Vlan-interface100 State: Online VPN instance: -- Authorization information:...
  • Page 231 • For re-DHCP portal authentication, configure a public address pool (20.20.20.0/24) and a private address pool (10.0.0.0/24) on the DHCP server. (Details not shown.) • For re-DHCP portal authentication: The switch must be configured as a DHCP relay agent. The portal-enabled interface must be configured with a primary IP address (a public IP ...
  • Page 232: Configuring Direct Portal Authentication Using Local Portal Web Server

    [Switch] portal server newpt [Switch-portal-server-newpt] ip 192.168.0.111 key simple portal [Switch-portal-server-newpt] port 50100 [Switch-portal-server-newpt] quit # Configure a portal Web server. [Switch] portal web-server newpt [Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal [Switch-portal-websvr-newpt] quit # Enable re-DHCP portal authentication on VLAN-interface 100. [Switch] interface vlan-interface 100 [Switch-Vlan-interface100] portal enable method redhcp # Reference the portal Web server newpt on VLAN-interface 100.
  • Page 233 Figure 74 Network diagram (Switch Vlan-int100 2.2.2.1/24, Vlan-int2 192.168.0.100/24; Host 2.2.2.2/24, gateway 2.2.2.1; RADIUS server 192.168.0.112/24) Configuration prerequisites and guidelines • Configure IP addresses for the host, switch, and server as shown in Figure 74 and make sure they can reach each other. •...
  • Page 234 [Switch-portal-local-websvr-http] default-logon-page abc.zip # Set the HTTP service listening port number to 2331 for the local portal Web server. [Switch-portal-local-websvr-http] tcp-port 2331 [Switch-portal-local-websvr-http] quit # Configure the portal Web server name as newpt and URL as the IP address of the portal authentication-enabled interface or a loopback interface (except 127.0.0.1).
  • Page 235: Troubleshooting Portal

    Pre-auth domain: Not configured User-dhcp-only: Disabled Pre-auth IP pool: Not configured Max Portal users: Not configured Bas-ipv6: Not configured User detection: Not configured Action for server detection: Server type Server name Action Layer3 source network: IP address Prefix length Destination authenticate subnet: IP address Prefix length A user can perform portal authentication through a Web page.
  • Page 236: Cannot Log Out Portal Users On The Access Device

    Cannot log out portal users on the RADIUS server Symptom The access device uses the HPE IMC server as the RADIUS server to perform identity authentication for portal users. You cannot log out the portal users on the RADIUS server.
  • Page 237: Re-Dhcp Portal Authenticated Users Cannot Log In Successfully

    Analysis When you execute the portal delete-user command on the access device to log out a user, the access device sends an unsolicited logout notification to the portal authentication server. If the BAS-IP or BAS-IPv6 address carried in the logout notification is different from the portal device IP address specified on the portal authentication server, the portal authentication server discards the logout notification.
  • Page 238: Configuring Port Security

    Configuring port security Overview Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control. This feature applies to networks, such as a WLAN, that require different authentication methods for different users on a port. Port security provides the following functions: •...
  • Page 239 Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC address or performs authentication, depending on the security mode. If the frame is illegal, the port takes the predefined NTK or intrusion protection action, or sends SNMP notifications.
  • Page 240 A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC address. Instead, these MAC addresses are added to the secure MAC address table as secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.
  • Page 241: Configuration Task List

    In this mode, the port performs 802.1X authentication first. By default, if 802.1X authentication fails, MAC authentication is performed. However, the port in this mode processes authentication differently when the following conditions exist: The port is enabled with parallel processing of MAC authentication and 802.1X ...
  • Page 242: Enabling Port Security

    Enabling port security Before you enable port security, disable 802.1X and MAC authentication globally. When port security is enabled, you cannot enable 802.1X or MAC authentication, or change the access control mode or port authorization state. Port security automatically modifies these settings in different security modes.
  • Page 243: Setting The Port Security Mode

    Step Command Remarks allowed on a port. max-count [ vlan [ vlan-id-list ] ] addresses on a port. Setting the port security mode Before you set a port security mode for a port, complete the following tasks: • Disable 802.1X and MAC authentication. •...
  • Page 244: Configuring Port Security Features

    Step Command Remarks • To specify the userLoginWithOUI mode, you must enter Layer 2 Ethernet interface view. Command: port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | ... By default, a port operates in noRestrictions mode. After enabling port security, you can change the port security mode of a port only when the port...
  • Page 245: Configuring Secure Mac Addresses

    dropped. A blocked MAC address is restored to normal state after being blocked for 3 minutes. The interval is fixed and cannot be changed. • disableport—Disables the port until you bring it up manually. • disableport-temporarily—Disables the port for a period of time. The period can be configured with the port-security timer disableport command.
  • Page 246: Configuration Prerequisites

    Can be saved and Type Address sources Aging mechanism survive a device reboot? dynamic secure MAC configured, the aging timer counts addresses. up regardless of whether traffic • data has been sent from the sticky Automatically learned MAC addresses. when the dynamic •...
  • Page 247: Ignoring Authorization Information From The Server

    Step Command Remarks vlan vlan-id c. quit Enter interface view: interface interface-type interface-number. (Optional.) Enable inactivity aging: port-security mac-address aging-type inactivity. By default, the inactivity aging feature is disabled. (Optional.) Enable the dynamic secure MAC feature: port-security mac-address dynamic. By default, the dynamic secure MAC feature is disabled. Sticky MAC addresses can be saved to...
  • Page 248: Applying A Nas-Id Profile To Port Security

    A user fails ACL authorization in the following situations: • The device fails to authorize the specified ACL to the user. • The server assigns a nonexistent ACL to the user. This feature does not apply to users who fail VLAN authorization. The device logs off these users directly.
  • Page 249: Enabling Snmp Notifications For Port Security

    Enabling SNMP notifications for port security Use this feature to report critical port security events to an NMS. For port security event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see the network management and monitoring configuration guide for the device.
  • Page 250 Figure 75 Network diagram (Host, GE1/0/1 on Device, Internet) Configuration procedure # Enable port security. <Device> system-view [Device] port-security enable # Set the secure MAC aging timer to 30 minutes. [Device] port-security timer autolearn aging 30 # Set port security's limit on the number of secure MAC addresses to 64 on GigabitEthernet 1/0/1. [Device] interface gigabitethernet 1/0/1 [Device-GigabitEthernet1/0/1] port-security max-mac-count 64 # Set the port security mode to autoLearn.
  • Page 251: Userloginwithoui Configuration Example

    NeedToKnow mode : Disabled Intrusion protection mode : DisablePortTemporarily Security MAC address attribute Learning mode : Sticky Aging type : Periodical Max secure MAC addresses : 64 Current secure MAC addresses Authorization : Permitted NAS-ID profile : Not configured The port allows for MAC address learning, and you can view the number of learned MAC addresses in the Current secure MAC addresses field.
  • Page 252 • The RADIUS server response timeout time is 5 seconds. The maximum number of RADIUS packet retransmission attempts is 5. The device sends real-time accounting packets to the RADIUS server at 15-minute intervals, and sends usernames without domain names to the RADIUS server.
  • Page 253 [Device] interface gigabitethernet 1/0/1 [Device-GigabitEthernet1/0/1] dot1x mandatory-domain sun [Device-GigabitEthernet1/0/1] quit Configure port security: # Enable port security. [Device] port-security enable # Add five OUI values. (You can add up to 16 OUI values. The port permits only one user matching one of the OUIs to pass authentication.) [Device] port-security oui index 1 mac-address 1234-0100-1111 [Device] port-security oui index 2 mac-address 1234-0200-1111 [Device] port-security oui index 3 mac-address 1234-0300-1111...
  • Page 254: Macaddresselseuserloginsecure Configuration Example

    Aging type : Periodical Max secure MAC addresses : Not configured Current secure MAC addresses Authorization : Permitted NAS-ID profile : Not configured # Display information about the online 802.1X user to verify 802.1X configuration. [Device] display dot1x # Verify that the port also allows one user whose MAC address has an OUI among the specified OUIs to pass authentication.
  • Page 255 # Use MAC-based accounts for MAC authentication. Each MAC address must be in the hexadecimal notation with hyphens, and letters are in upper case. [Device] mac-authentication user-name-format mac-address with-hyphen uppercase # Specify the MAC authentication domain. [Device] mac-authentication domain sun # Set the 802.1X authentication method to CHAP.
  • Page 256 NAS-ID profile : Not configured # After users pass authentication, display MAC authentication information. Verify that GigabitEthernet 1/0/1 allows multiple MAC authentication users to be authenticated. [Device] display mac-authentication interface gigabitethernet 1/0/1 Global MAC authentication parameters: MAC authentication : Enabled User name format : MAC address in uppercase(XX-XX-XX-XX-XX-XX) Username...
  • Page 257 Handshake period : 15 s Quiet timer : Disabled Quiet period : 60 s Supp timeout : 30 s Server timeout : 100 s Reauth period : 3600 s Max auth requests SmartOn supp timeout : 30 s SmartOn retry counts EAD assistant function : Disabled EAD timeout : 30 min...
  • Page 258: Troubleshooting Port Security

    Troubleshooting port security Cannot set the port security mode Symptom Cannot set the port security mode for a port. Analysis For a port operating in a port security mode other than noRestrictions, you cannot change the port security mode by using the port-security port-mode command. Solution To resolve the problem: Set the port security mode to noRestrictions.
  • Page 259: Configuring Password Control

    Configuring password control Overview Password control allows you to implement the following features: • Manage login and super password setup, expirations, and updates for device management users. • Control user login status based on predefined policies. Local users are divided into two types: device management users and network access users. This feature applies only to device management users.
  • Page 260: Password Updating And Expiration

    Character name / Symbol table (continued): Slash, Tilde, Underscore, Vertical bar. Depending on the system's security requirements, you can set the minimum number of character types a password must contain and the minimum number of characters for each type, as shown in Table 18. Table 18 Password composition policy Password combination...
  • Page 261: User Login Control

    Telnet users, SSH users, and console users can change their own passwords. The administrator must change passwords for FTP users. Early notice on pending password expiration When a user logs in, the system checks whether the password will expire in a time equal to or less than the specified notification period.
  • Page 262: Password Not Displayed In Any Form

    • Disables the user account for a period of time. The user can use the account to log in when either of the following conditions exists: The locking timer expires. The account is manually removed from the password control blacklist before the locking ...
  • Page 263: Enabling Password Control

    Tasks at a glance (Optional.) Setting local user password control parameters (Optional.) Setting super password control parameters Enabling password control To successfully enable the global password control feature and allow device management users to log in to the device, the device must have sufficient storage space. Enabling the global password control feature is the prerequisite for all password control configurations to take effect.
  • Page 264: Setting User Group Password Control Parameters

    Step Command Remarks Enter system view: system-view. Set the password expiration time: password-control aging aging-time. The default setting is 90 days. Set the minimum password update interval: password-control update interval interval. The default setting is 24 hours. Set the minimum password length: in non-FIPS mode, the default setting is 10 characters.
  • Page 265: Setting Local User Password Control Parameters

    Step Command Remarks configure a user group, see "Configuring AAA." Configure the password expiration time for the user group: password-control aging aging-time. By default, the password expiration time of the user group equals the global password expiration time. Configure the minimum password length for the user group: by default, the minimum password length of the user group...
  • Page 266: Setting Super Password Control Parameters

    Step Command Remarks global settings apply to the local user. Configure the password complexity checking policy for the local user: password-control complexity { same-character | user-name }. By default, the settings equal those for the user group to which the local user belongs. If no...
  • Page 267: Password Control Configuration Example

    Task Command Display information about users in the password control blacklist: display password-control blacklist [ user-name user-name | ip ipv4-address | ipv6 ipv6-address ]. Delete users from the password control blacklist: reset password-control blacklist [ user-name user-name ]. Clear history password records: reset password-control history-record [ user-name...
  • Page 268 # Disable a user account permanently if a user fails two consecutive login attempts on the user account. [Sysname] password-control login-attempt 2 exceed lock # Set all passwords to expire after 30 days. [Sysname] password-control aging 30 # Globally set the minimum password length to 16 characters. [Sysname] password-control length 16 # Set the minimum password update interval to 36 hours.
  • Page 269: Verifying The Configuration

    Verifying the configuration # Display the global password control configuration. <Sysname> display password-control Global password control configurations: Password control: Enabled Password aging: Enabled (30 days) Password length: Enabled (16 characters) Password composition: Enabled (4 types, 4 characters per type) Password history: Enabled (max history record:4) Early notice on password expiration: 7 days...
  • Page 270: Configuring Keychains

    Configuring keychains Overview A keychain, a sequence of keys, provides dynamic authentication to ensure secure communication by periodically changing the key and authentication algorithm without service interruption. Each key in a keychain has a key string, authentication algorithm, sending lifetime, and receiving lifetime.
  • Page 271: Displaying And Maintaining Keychain

    Step Command Remarks (Optional.) Set an algorithm ID for a TCP authentication algorithm: tcp-algorithm-id { hmac-md5 | md5 } algorithm-id. By default, the algorithm ID is 3 for the MD5 authentication algorithm, and is 5 for the HMAC-MD5 authentication algorithm. When the local device uses TCP to communicate with a peer device from another vendor,...
  • Page 272: Configuration Procedure

    Figure 78 Network diagram (Switch A Vlan-int100 192.1.1.1/24; Switch B Vlan-int100 192.1.1.2/24) Configuration procedure Configuring Switch A # Configure IP addresses for interfaces. (Details not shown.) # Configure OSPF. <SwitchA> system-view [SwitchA] ospf 1 router-id 1.1.1.1 [SwitchA-ospf-1] area 0 [SwitchA-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255 [SwitchA-ospf-1-area-0.0.0.0] quit [SwitchA-ospf-1] quit # Create a keychain named abc, and specify the absolute time mode for it.
  • Page 273: Verifying The Configuration

    [SwitchB-ospf-1] area 0 [SwitchB-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255 [SwitchB-ospf-1-area-0.0.0.0] quit [SwitchB-ospf-1] quit # Create a keychain named abc, and specify the absolute time mode for it. [SwitchB] keychain abc mode absolute # Create key 1 for keychain abc, specify an authentication algorithm, and configure a key string and the sending and receiving lifetimes for the key.
  • Page 274 Key ID Key string : $c$3$dYTC8QeOKJkwFwP2k/rWL+1p6uMTw3MqNg== Algorithm : md5 Send lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06 Send status : Active Accept lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06 Accept status : Active Key ID Key string : $c$3$7TSPbUxoP1ytOqkdcJ3K3x0BnXEWl4mOEw== Algorithm : hmac-md5 Send lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06...
  • Page 275 [SwitchA] display keychain Keychain name : abc Mode : absolute Accept tolerance TCP kind value : 254 TCP algorithm value HMAC-MD5 Default send key ID : None Active send key ID Active accept key IDs: 2 Key ID Key string : $c$3$dYTC8QeOKJkwFwP2k/rWL+1p6uMTw3MqNg== Algorithm : md5 Send lifetime...
  • Page 276 Accept status : Inactive Key ID Key string : $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw== Algorithm : hmac-md5 Send lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06 Send status : Active Accept lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06 Accept status : Active...
  • Page 277: Managing Public Keys

    Managing public keys Overview This chapter describes public key management for the following asymmetric key algorithms: • Rivest-Shamir-Adleman Algorithm (RSA). • Digital Signature Algorithm (DSA). • Elliptic Curve Digital Signature Algorithm (ECDSA). Many security applications, including SSH, SSL, and PKI, use asymmetric key algorithms to secure communications between two parties, as shown in Figure 79.
  • Page 278 • When you create an RSA or DSA key pair, enter an appropriate key modulus length at the prompt. The longer the key modulus length, the higher the security, but the longer the key generation time. When you create an ECDSA key pair, choose the appropriate elliptic curve. The elliptic curve determines the ECDSA key length.
  • Page 279: Distributing A Local Host Public Key

    Distributing a local host public key You must distribute a local host public key to a peer device so the peer device can perform the following operations: • Use the public key to encrypt information sent to the local device. •...
  • Page 280: Destroying A Local Key Pair

    Task Command Display local DSA public keys: display public-key local dsa public [ name key-name ]. NOTE: Do not distribute the RSA server public key serverkey (default) to a peer device. Destroying a local key pair To avoid key compromise, destroy the local key pair and generate a new pair after any of the following conditions occurs: •...
  • Page 281: Entering A Peer Host Public Key

    Entering a peer host public key Before you perform this task, make sure you have displayed the key on the peer device and recorded the key. For information about displaying a host public key, see "Displaying a host public key." Use the display public-key local public command to display the public key on the peer device.
  • Page 282 Figure 80 Network diagram Device A Device B Configuration procedure Configure Device A: # Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits. <DeviceA> system-view [DeviceA] public-key local create rsa The range of public key modulus is (512 ~ 2048).
  • Page 283: Example For Importing A Public Key From A Public Key File

    [DeviceB-pkey-public-key-devicea]30819F300D06092A864886F70D010101050003818D003081 2818100DA3B90F59237347B [DeviceB-pkey-public-key-devicea]8D41B58F8143512880139EC9111BFD31EB84B6B7C7A14700 C8F04A827B30C2CAF79242E [DeviceB-pkey-public-key-devicea]45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A744 88EC54A5D31EFAE4F681257 [DeviceB-pkey-public-key-devicea]6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F B1F2D561BF66EA27DFD4788 [DeviceB-pkey-public-key-devicea]CB47440AF6BB25ACA50203010001 # Save the public key and return to system view. [DeviceB-pkey-public-key-devicea] peer-public-key end Verifying the configuration # Verify that the peer host public key configured on Device B is the same as the key displayed on Device A.
  • Page 284 # Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits. <DeviceA> system-view [DeviceA] public-key local create rsa The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 285 Connected to 10.1.1.1 (10.1.1.1). 220 FTP service ready. User(10.1.1.1:(none)):ftp 331 Password required for ftp. Password: 230 User logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> binary 200 TYPE is now 8-bit binary ftp> get devicea.pub 227 Entering Passive Mode (10,1,1,1,118,252) 150 Accepted data connection 226 File successfully transferred...
  • Page 286: Configuring Pki

    Configuring PKI Overview Public Key Infrastructure (PKI) is an asymmetric key infrastructure to encrypt and decrypt data for securing network services. Data encrypted with the public key can be decrypted only with the private key. Likewise, data encrypted with the private key can be decrypted only with the public key. PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity.
  • Page 287: Pki Architecture

    • The association between the subject and CA is changed. For example, when an employee terminates employment with an organization. CA policy A CA policy is a set of criteria that a CA follows to process certificate requests, to issue and revoke certificates, and to publish CRLs.
  • Page 288: Pki Applications

    The RA verifies the identity of the entity and sends a digital signature containing the identity information and the public key to the CA. The CA verifies the digital signature, approves the request, and issues a certificate. After receiving the certificate from the CA, the RA sends the certificate to the certificate repositories and notifies the PKI entity that the certificate has been issued.
  • Page 289: Fips Compliance

    FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. PKI configuration task list Tasks at a glance (Required.) Configuring a PKI entity (Required.)
  • Page 290: Configuring A Pki Domain

    Step Command Remarks Create a PKI entity and enter its view: pki entity entity-name. By default, no PKI entities exist. To create multiple PKI entities, repeat this step. Set a common name for the entity: common-name. By default, the common name is not...
  • Page 291 Step Command Remarks Specify the trusted CA name: ca identifier name. By default, no trusted CA is specified. To obtain a CA certificate, the trusted CA name must be provided. The trusted CA name uniquely identifies the CA to be used if multiple CAs exist on the same CA server.
  • Page 292: Requesting A Certificate

    Step Command Remarks 11. (Optional.) Specify the intended use for the certificate: usage { ssl-client | ssl-server } *. By default, the certificate can be used by all supported applications, including SSL client and SSL server. The extension options contained in an issued certificate depend on the CA policy, and they might be different from those specified in the PKI domain.
  • Page 293: Configuring Automatic Certificate Request

    Do not use the public-key local create command to create a key pair with the same name as the name of the key pair contained in the certificate. Do not use the public-key local destroy command to destroy the key pair contained in the ...
  • Page 294: Aborting A Certificate Request

    Step Command Remarks Return to system view: quit. Obtain a CA certificate: see "Obtaining certificates." Submit a certificate request or generate a certificate request in...: pki request-certificate domain domain-name [ password password ]. This command is not saved in the configuration file. This command triggers the PKI entity to automatically generate a key pair if the key pair...
  • Page 295: Configuration Guidelines

    Configuration guidelines • To import a local certificate containing an encrypted key pair, you must provide the challenge password. Contact the CA administrator to obtain the password. • If a CA certificate already exists locally, you cannot obtain it again in online mode. If you want to obtain a new one, use the pki delete-certificate command to remove the existing CA certificate and local certificates first.
  • Page 296: Verifying Certificates With Crl Checking

    Repeats the previous steps for upper-level certificates in the CA certificate chain until the root CA certificate is reached. Verifies that each CA certificate in the certificate chain is issued by the named parent CA, starting from the root CA. Verifying certificates with CRL checking CRL checking checks whether a certificate is in the CRL.
  • Page 297: Specifying The Storage Path For The Certificates And Crls

    Step Command Remarks Disable CRL checking: undo crl check enable. By default, CRL checking is enabled. Return to system view: quit. Obtain the CA certificate: see "Obtaining certificates." Manually verify the validity of the certificates: pki validate-certificate domain ... This command is not saved in the...
  • Page 298: Removing A Certificate

    Step Command Remarks • Export certificates in DER format: pki export domain domain-name der { all | ca | local } filename filename. If you do not specify a file name when you export a certificate in PEM format, this command displays the certificate content on the terminal.
  • Page 299: Displaying And Maintaining Pki

    attribute rules, each defining a matching criterion for an attribute in the certificate issuer name, subject name, or alternative subject name field. If a certificate matches all attribute rules in a certificate attribute group associated with an access control rule, the system determines that the certificate matches the access control rule. In this scenario, the match process stops, and the system performs the access control action defined in the access control rule.
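The match process described above, as an added Python model that is not part of the HPE guide and not device code: attribute rules are grouped into certificate attribute groups, each access control rule is bound to a group, and the first rule whose group the certificate fully matches decides the action. The operator set (ctn / nctn / equ / nequ), the catch-all behaviour of an empty group, the skipping of a rule that references a missing group and the deny when no rule matches are assumptions made for this illustration; the policy, group names and certificates are constructed.

```python
"""Certificate-based access control as the guide describes it: attribute rules
grouped into certificate attribute groups, access control rules bound to groups,
first full match wins.  Added example, not device code.  Assumptions made here
and not taken from the guide: the operator set (ctn / nctn / equ / nequ), that a
rule whose group has no attribute rules matches every certificate (a catch-all),
that a rule referencing a missing group is skipped, and that a certificate
matching no rule is denied."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FIELDS = ("issuer-name", "subject-name", "alt-subject-name")


@dataclass(frozen=True)
class AttributeRule:
    attr: str    # one of FIELDS
    op: str      # ctn = contains, nctn = does not contain, equ = equals, nequ = not equal
    value: str

    def matches(self, cert: Dict[str, List[str]]) -> bool:
        if self.attr not in FIELDS:
            raise ValueError(f"unknown certificate field {self.attr!r}")
        values = cert.get(self.attr, [])    # alt-subject-name may carry several values
        if self.op in ("ctn", "nctn"):
            hit = any(self.value in v for v in values)
        elif self.op in ("equ", "nequ"):
            hit = any(self.value == v for v in values)
        else:
            raise ValueError(f"unknown operator {self.op!r}")
        return not hit if self.op.startswith("n") else hit


@dataclass
class AttributeGroup:
    name: str
    rules: List[AttributeRule] = field(default_factory=list)

    def matches(self, cert: Dict[str, List[str]]) -> bool:
        # The certificate matches the group only if it matches every rule in it
        # (an empty group therefore matches every certificate).
        return all(r.matches(cert) for r in self.rules)


@dataclass(frozen=True)
class AccessRule:
    number: int   # rules are tried in ascending number order
    action: str   # "permit" or "deny"
    group: str    # name of the attribute group to test


@dataclass
class AccessControlPolicy:
    name: str
    groups: Dict[str, AttributeGroup] = field(default_factory=dict)
    rules: List[AccessRule] = field(default_factory=list)

    def evaluate(self, cert: Dict[str, List[str]]) -> Tuple[str, Optional[int]]:
        """Return (action, rule number) of the first rule whose group the
        certificate matches; the match process stops there."""
        for rule in sorted(self.rules, key=lambda r: r.number):
            group = self.groups.get(rule.group)
            if group is not None and group.matches(cert):
                return rule.action, rule.number
        return "deny", None   # nothing matched: fail closed (assumption)


# Constructed policy: reject contractor certificates first, then permit anything
# the enterprise CA issued that is not a partner identity.  Rule order matters:
# with the numbers swapped a contractor certificate would be permitted by rule 1.
POLICY = AccessControlPolicy(
    name="mypolicy",
    groups={
        "mygroup1": AttributeGroup("mygroup1", [
            AttributeRule("subject-name", "ctn", "OU=contractors"),
            AttributeRule("issuer-name", "ctn", "CN=myca"),
        ]),
        "mygroup2": AttributeGroup("mygroup2", [
            AttributeRule("issuer-name", "equ", "CN=myca"),
            AttributeRule("alt-subject-name", "nctn", "@partner.example"),
        ]),
    },
    rules=[AccessRule(1, "deny", "mygroup1"), AccessRule(2, "permit", "mygroup2")],
)

# Constructed client certificates, reduced to the three fields a rule can test.
CERT_CONTRACTOR = {"issuer-name": ["CN=myca"], "subject-name": ["CN=bob,OU=contractors,O=test"],
                   "alt-subject-name": ["bob@test.example"]}
CERT_EMPLOYEE = {"issuer-name": ["CN=myca"], "subject-name": ["CN=alice,OU=software,O=test"],
                 "alt-subject-name": ["alice@test.example"]}
CERT_PARTNER = {"issuer-name": ["CN=myca"], "subject-name": ["CN=carol,O=partner"],
                "alt-subject-name": ["carol@partner.example", "DNS:carol.partner.example"]}
CERT_FOREIGN_CA = {"issuer-name": ["CN=someotherca"], "subject-name": ["CN=alice,OU=software,O=test"]}

if __name__ == "__main__":
    for label, cert in [("contractor", CERT_CONTRACTOR), ("employee", CERT_EMPLOYEE),
                        ("partner", CERT_PARTNER), ("foreign CA", CERT_FOREIGN_CA)]:
        print(label, POLICY.evaluate(cert))
```

The partner certificate is denied although it was issued by the trusted CA: it fails the nctn rule in mygroup2, no later rule exists, and the policy falls through to the deny. Because evaluation stops at the first matching group, put deny rules for specific populations before broad permit rules, and give every rule a group that actually exists.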
  • Page 300: Pki Configuration Examples

    Task Command
    - Display certificate attribute group information: display pki certificate attribute-group [ group-name ]
    - Display certificate-based access control policy information: display pki certificate access-control-policy [ policy-name ]
    PKI configuration examples You can use different software applications, such as Windows Server, RSA Keon, and OpenCA, to act as the CA server.
  • Page 301 <Device> system-view [Device] pki entity aaa [Device-pki-entity-aaa] common-name Device [Device-pki-entity-aaa] quit Configure a PKI domain: # Create a PKI domain named torsa and enter its view. [Device] pki domain torsa # Specify the name of the trusted CA. The setting must be the same as CA name configured on the CA server.
  • Page 302 Verifying the configuration # Display information about the local certificate in PKI domain torsa. [Device] display pki certificate domain torsa local Certificate: Data: Version: 3 (0x2) Serial Number: 15:79:75:ec:d2:33:af:5e:46:35:83:bc:bd:6e:e3:b8 Signature Algorithm: sha1WithRSAEncryption Issuer: CN=myca Validity Not Before: Jan 6 03:10:58 2013 GMT Not After : Jan 6 03:10:58 2014 GMT Subject: CN=Device...
  • Page 303: Requesting A Certificate From A Windows Server 2003 Ca Server

    Requesting a certificate from a Windows Server 2003 CA server Network requirements Configure the PKI entity (the device) to request a local certificate from a Windows Server 2003 CA server. Figure 85 Network diagram PKI entity Internet Host Device CA server Configuring the Windows Server 2003 CA server Install the certificate service component: a.
  • Page 304 [Device-pki-entity-aaa] quit Configure a PKI domain: # Create a PKI domain named winserver and enter its view. [Device] pki domain winserver # Set the name of the trusted CA to myca. [Device-pki-domain-winserver] ca identifier myca # Configure the certificate request URL. The URL format is http://host:port/certsrv/mscep/mscep.dll, where host:port is the host IP address and port number of the CA server.
  • Page 305 Serial Number: (Negative)01:03:99:ff:ff:ff:ff:fd:11 Signature Algorithm: sha1WithRSAEncryption Issuer: CN=sec Validity Not Before: Dec 24 07:09:42 2012 GMT Not After : Dec 24 07:19:42 2013 GMT Subject: CN=test Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:c3:b5:23:a0:2d:46:0b:68:2f:71:d2:14:e1:5a: 55:6e:c5:5e:26:86:c1:5a:d6:24:68:02:bf:29:ac: dc:31:41:3f:5d:5b:36:9e:53:dc:3a:bc:0d:11:fb: d6:7d:4f:94:3c:c1:90:4a:50:ce:db:54:e0:b3:27: a9:6a:8e:97:fb:20:c7:44:70:8f:f0:b9:ca:5b:94:...
  • Page 306: Requesting A Certificate From An Openca Server

    CA Issuers - URI:file://\\gc\CertEnroll\gc_sec.crt 1.3.6.1.4.1.311.20.2: .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e Signature Algorithm: sha1WithRSAEncryption 76:f0:6c:2c:4d:bc:22:59:a7:39:88:0b:5c:50:2e:7a:5c:9d: 6c:28:3c:c0:32:07:5a:9c:4c:b6:31:32:62:a9:45:51:d5:f5: 36:8f:47:3d:47:ae:74:6c:54:92:f2:54:9f:1a:80:8a:3f:b2: 14:47:fa:dc:1e:4d:03:d5:d3:f5:9d:ad:9b:8d:03:7f:be:1e: 29:28:87:f7:ad:88:1c:8f:98:41:9a:db:59:ba:0a:eb:33:ec: cf:aa:9b:fc:0f:69:3a:70:f2:fa:73:ab:c1:3e:4d:12:fb:99: 31:51:ab:c2:84:c0:2f:e5:f6:a7:c3:20:3c:9a:b0:ce:5a:bc: 0f:d9:34:56:bc:1e:6f:ee:11:3f:7c:b2:52:f9:45:77:52:fb: 46:8a:ca:b7:9d:02:0d:4e:c3:19:8f:81:46:4e:03:1f:58:03: bf:53:c6:c4:85:95:fb:32:70:e6:1b:f3:e4:10:ed:7f:93:27: 90:6b:30:e7:81:36:bb:e2:ec:f2:dd:2b:bb:b9:03:1c:54:0a: 00:3f:14:88:de:b8:92:63:1e:f5:b3:c2:cf:0a:d5:f4:80:47: 6f:fa:7e:2d:e3:a7:38:46:f6:9e:c7:57:9d:7f:82:c7:46:06: 7d:7c:39:c4:94:41:bd:9e:5c:97:86:c8:48:de:35:1e:80:14: 02:09:ad:08 To display detailed information about the CA certificate, use the display pki certificate domain command. Requesting a certificate from an OpenCA server Network requirements Configure the PKI entity (the device) to request a local certificate from the CA server.
  • Page 307 [Device-pki-entity-aaa] organization test [Device-pki-entity-aaa] organization-unit software [Device-pki-entity-aaa] quit Configure a PKI domain: # Create a PKI domain named openca and enter its view. [Device] pki domain openca # Set the name of the trusted CA to myca. [Device-pki-domain-openca] ca identifier myca # Configure the certificate request URL.
  • Page 308 Version: 3 (0x2) Serial Number: 21:1d:b8:d2:e4:a9:21:28:e4:de Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=mysubUnit, CN=sub-ca, DC=pki-subdomain, DC=mydomain-sub, DC=com Validity Not Before: Jun 30 09:09:09 2011 GMT Not After : May 1 09:09:09 2012 GMT Subject: CN=rnd, O=test, OU=software, C=CN Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit)
  • Page 309: Certificate-Based Access Control Policy Configuration Example

    X509v3 CRL Distribution Points: Full Name: URI:http://192.168.222.218/pki/pub/crl/cacrl.crl Signature Algorithm: sha256WithRSAEncryption 5c:4c:ba:d0:a1:35:79:e6:e5:98:69:91:f6:66:2a:4f:7f:8b: 0e:80:de:79:45:b9:d9:12:5e:13:28:17:36:42:d5:ae:fc:4e: ba:b9:61:f1:0a:76:42:e7:a6:34:43:3e:2d:02:5e:c7:32:f7: 6b:64:bb:2d:f5:10:6c:68:4d:e7:69:f7:47:25:f5:dc:97:af: ae:33:40:44:f3:ab:e4:5a:a0:06:8f:af:22:a9:05:74:43:b6: e4:96:a5:d4:52:32:c2:a8:53:37:58:c7:2f:75:cf:3e:8e:ed: 46:c9:5a:24:b1:f5:51:1d:0f:5a:07:e6:15:7a:02:31:05:8c: 03:72:52:7c:ff:28:37:1e:7e:14:97:80:0b:4e:b9:51:2d:50: 98:f2:e4:5a:60:be:25:06:f6:ea:7c:aa:df:7b:8d:59:79:57: 8f:d4:3e:4f:51:c1:34:e6:c1:1e:71:b5:0d:85:86:a5:ed:63: 1e:08:7f:d2:50:ac:a0:a3:9e:88:48:10:0b:4a:7d:ed:c1:03: 9f:87:97:a3:5e:7d:75:1d:ac:7b:6f:bb:43:4d:12:17:9a:76: b0:bf:2f:6a:cc:4b:cd:3d:a1:dd:e0:dc:5a:f3:7c:fb:c3:29: b0:12:49:5c:12:4c:51:6e:62:43:8b:73:b9:26:2a:f9:3d:a4: 81:99:31:89 To display detailed information about the CA certificate, use the display pki certificate domain command. Certificate-based access control policy configuration example Network requirements...
  • Page 310 <Device> system-view [Device] ssl server-policy abc [Device-ssl-server-policy-abc] pki-domain domain1 [Device-ssl-server-policy-abc] client-verify enable [Device-ssl-server-policy-abc] quit # Apply SSL server policy abc to the HTTPS server. [Device] ip https ssl-server-policy abc # Enable the HTTPS server (the device is still in system view, so no second system-view is needed). [Device] ip https enable Configure certificate attribute groups: # Create a certificate attribute group named mygroup1 and add two attribute rules.
  • Page 311: Certificate Import And Export Configuration Example

    Certificate import and export configuration example Network requirements As shown in Figure 88, Device B will replace Device A in the network. PKI domain exportdomain on Device A has two local certificates containing the private key and one CA certificate. To make sure the certificates are still valid after Device B replaces Device A, copy the certificates on Device A to Device B as follows: Export the certificates in PKI domain exportdomain on Device A to .pem certificate files.
  • Page 312 MIIEgjCCA2qgAwIBAgILAJgsebpejZc5UwAwDQYJKoZIhvcNAQELBQAwZjELMAkG … -----END CERTIFICATE----- Bag Attributes friendlyName: localKeyID: 90 C6 DC 1D 20 49 4F 24 70 F5 17 17 20 2B 9E AC 20 F3 99 89 Key Attributes: <No Attributes> -----BEGIN ENCRYPTED PRIVATE KEY----- MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIZtjSjfslJCoCAggA … -----END ENCRYPTED PRIVATE KEY----- # Display the local certificate file pkilocal.pem-encryption.
  • Page 313 [DeviceB] pki import domain importdomain pem local filename pkilocal.pem-signature Please input the password:****** # Import the local certificate file pkilocal.pem-encryption in PEM format to the PKI domain. The certificate file contains a key pair. [DeviceB] pki import domain importdomain pem local filename pkilocal.pem-encryption Please input the password:****** # Display the imported local certificate information on Device B.
  • Page 314 X509v3 Subject Alternative Name: email:subsign@docm.com X509v3 Issuer Alternative Name: DNS:subca1@docm.com, DNS:, IP Address:1.1.2.2, IP Address:2.2.1.1 Authority Information Access: CA Issuers - URI:http://titan/pki/pub/cacert/cacert.crt OCSP - URI:http://titan:2560/ 1.3.6.1.5.5.7.48.12 - URI:http://titan:830/ X509v3 CRL Distribution Points: Full Name: URI:http://192.168.40.130/pki/pub/crl/cacrl.crl Signature Algorithm: sha256WithRSAEncryption 18:e7:39:9a:ad:84:64:7b:a3:85:62:49:e5:c9:12:56:a6:d2: 46:91:53:8e:84:ba:4a:0a:6f:28:b9:43:bc:e7:b0:ca:9e:d4: 1f:d2:6f:48:c4:b9:ba:c5:69:4d:90:f3:15:c4:4e:4b:1e:ef: 2b:1b:2d:cb:47:1e:60:a9:0f:81:dc:f2:65:6b:5f:7a:e2:36: 29:5d:d4:52:32:ef:87:50:7c:9f:30:4a:83:de:98:8b:6a:c9:...
  • Page 315 48:50:4e:0f:7d:54:76:ed:50:28:c6:71:d4:48:ae: 4d:e7:3d:23:78:70:63:18:33:f6:94:98:aa:fa:f6: 62:ed:8a:50:c6:fd:2e:f4:20:0c:14:f7:54:88:36: 2f:e6:e2:88:3f:c2:88:1d:bf:8d:9f:45:6c:5a:f5: 94:71:f3:10:e9:ec:81:00:28:60:a9:02:bb:35:8b: bf:85:75:6f:24:ab:26:de:47:6c:ba:1d:ee:0d:35: 75:58:10:e5:e8:55:d1:43:ae:85:f8:ff:75:81:03: 8c:2e:00:d1:e9:a4:5b:18:39 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Server X509v3 Key Usage: Key Encipherment, Data Encipherment Netscape Comment: VPN Server of OpenCA Labs X509v3 Subject Key Identifier: CC:96:03:2F:FC:74:74:45:61:38:1F:48:C0:E8:AA:18:24:F0:2B:AB X509v3 Authority Key Identifier: keyid:70:54:40:61:71:31:02:06:8C:62:11:0A:CC:A5:DB:0E:7E:74:DE:DD...
  • Page 316: Troubleshooting Pki Configuration

    86:d2:4f:61:4c:20:38:1c:f4:a1:0b:ea:65:87:7d:1c:22:be: b6:17:17:8a:5a:0f:35:4c:b8:b3:73:03:03:63:b1:fc:c4:f5: e9:6e:7c:11:e8:17:5a:fb:39:e7:33:93:5b:2b:54:72:57:72: 5e:78:d6:97:ef:b8:d8:6d:0c:05:28:ea:81:3a:06:a0:2e:c3: 79:05:cd:c3 To display detailed information about the CA certificate, use the display pki certificate domain command. Troubleshooting PKI configuration This section provides troubleshooting information for common problems with PKI. Failed to obtain the CA certificate Symptom The CA certificate cannot be obtained.
  • Page 317: Failed To Request Local Certificates

    • The PKI domain does not reference the PKI entity configuration, or the PKI entity configuration is incorrect. • CRL checking is enabled, but CRLs do not exist locally or CRLs cannot be obtained. • The CA server does not accept the source IP address specified in the PKI domain, or the source IP address is incorrect.
  • Page 318: Failed To Obtain Crls

    Specify the key pair used for certificate request in the PKI domain, or remove the key pair specified in the PKI domain and submit a certificate request again. Use pki abort-certificate-request domain to abort the certificate request. Specify the correct source IP address that the CA server can accept. For the correct settings, contact the CA administrator.
  • Page 319: Failed To Import The Ca Certificate

    Failed to import the CA certificate Symptom The CA certificate cannot be imported. Analysis • CRL checking is enabled, but the device does not have a locally stored CRL and cannot obtain one. • The specified format does not match the actual format of the file to be imported. Solution Use undo crl check enable to disable CRL checking.
  • Page 320: Failed To Set The Storage Path

    Analysis • The PKI domain does not have local certificates when you export all certificates in PKCS12 format. • The specified export path does not exist. • The specified export path is illegal. • The public key of the local certificate to be exported does not match the public key in the key pair of the PKI domain.
  • Page 321: Configuring Ssh

    Configuring SSH Overview Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. SSH uses the typical client-server model to establish a channel for secure data transfer based on TCP.
  • Page 322: Ssh Authentication Methods

    Stages Description
    The two parties negotiate the following algorithms:
    • Key exchange algorithm for generating session keys.
    • Encryption algorithm for encrypting data.
    • Public key algorithm for the digital signature and authentication.
    • HMAC algorithm for protecting data integrity.
    The two parties use the DH exchange algorithm to dynamically generate the session keys and session ID.
  • Page 323: Ssh Support For Suite B

    Publickey authentication The server authenticates a client by verifying the digital signature of the client. The publickey authentication process is as follows: The client sends the server a publickey authentication request that includes the username, public key, and public key algorithm name. If the digital certificate of the client is required in authentication, the client also encapsulates the digital certificate in the authentication request.
  • Page 324: Configuring The Device As An Ssh Server

    Configuring the device as an SSH server
    SSH server configuration task list
    Tasks at a glance Remarks
    - (Required.) Generating local key pairs
    - (Required.) Enabling the Stelnet server: Required only for Stelnet servers.
    - (Required.) Enabling the SFTP server: Required only for SFTP servers.
    - (Required.) Enabling the SCP server: Required only for SCP servers.
  • Page 325: Enabling The Stelnet Server

    • To support SSH clients that use different types of key pairs, generate DSA, ECDSA, and RSA key pairs on the SSH server. • The SSH server operating in FIPS mode supports only ECDSA and RSA key pairs. Do not generate a DSA key pair on the SSH server.
  • Page 326: Enabling The Scp Server

    Enabling the SCP server After you enable the SCP server on the device, a client can log in to the device through SCP. When acting as an SCP server, the device does not support SCP connections initiated by SSH1 clients. To enable the SCP server: Step Command...
  • Page 327: Configuring A Client's Host Public Key

    Configuring a client's host public key In publickey authentication, the server compares the SSH username and the client's host public key received from the client with the locally saved SSH username and the client's host public key. If they are the same, the server checks the digital signature that the client sends. The client generates the digital signature by using the private key that is paired with the client's host public key.
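The client's host public key that the server compares against is a file in SSH2 (RFC 4716) or OpenSSH one-line format (the key.pub that public-key local export ... ssh2 writes, or that PuTTYgen saves). The parser below is an added Python example, not part of the HPE guide and not device code: it decodes either file format, recovers the key type and parameters, computes the OpenSSH-style SHA256 fingerprint to compare with what the client shows before the key is imported, and flags a DSA key or an RSA key shorter than 2048 bits (the key-generation dialogs on this page default to a 1024-bit modulus). The key material is constructed so the code runs offline; the "modulus" is just an odd 2048-bit integer, not a real RSA key.

```python
"""Parse an SSH2 (RFC 4716) or OpenSSH one-line public key file, recover the key
parameters and compute the fingerprint to compare before importing the key.
Added example, not device code.  The key material below is constructed (the
"modulus" is just an odd 2048-bit integer) so that the code runs offline."""
import base64
import hashlib
import struct
import textwrap

# Fields carried in a key blob after the key-type string, by key type.
_BLOB_FIELDS = {"ssh-rsa": ("e", "n"), "ssh-dss": ("p", "q", "g", "y"),
                "ecdsa-sha2-nistp256": ("curve", "point"),
                "ecdsa-sha2-nistp384": ("curve", "point")}


def _put_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _put_mpint(i: int) -> bytes:
    # SSH mpint is big-endian two's complement: a leading 0x00 keeps the value positive.
    return _put_string(b"" if i == 0 else i.to_bytes((i.bit_length() + 8) // 8, "big"))


def _read_string(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + n], off + n


def parse_blob(blob: bytes) -> dict:
    """Decode the binary blob into named fields; reject unknown types and trailing bytes."""
    raw, off = _read_string(blob, 0)
    ktype = raw.decode("ascii")
    if ktype not in _BLOB_FIELDS:
        raise ValueError(f"unsupported key type {ktype!r}")
    fields = {}
    for name in _BLOB_FIELDS[ktype]:
        raw, off = _read_string(blob, off)
        fields[name] = (raw.decode("ascii") if name == "curve" else
                        raw if name == "point" else int.from_bytes(raw, "big"))
    if off != len(blob):
        raise ValueError("trailing data after key blob")
    if ktype == "ssh-rsa":
        bits = fields["n"].bit_length()
    elif ktype == "ssh-dss":
        bits = fields["p"].bit_length()
    else:
        bits = int(fields["curve"][-3:])
    return {"type": ktype, "fields": fields, "bits": bits, "blob": blob}


def parse_public_key_file(text: str) -> dict:
    """Accept the RFC 4716 block format or the OpenSSH one-line format."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    comment, declared, body = "", None, []
    if lines[0] == "---- BEGIN SSH2 PUBLIC KEY ----":
        in_header = False
        for ln in lines[1:]:
            if ln == "---- END SSH2 PUBLIC KEY ----":
                break
            # Header lines precede the base64 body; a trailing backslash continues one.
            if in_header or (not body and ":" in ln):
                if ln.startswith("Comment:"):
                    comment = ln[len("Comment:"):].strip().strip('"')
                in_header = ln.endswith("\\")
                continue
            body.append(ln)
        b64 = "".join(body)
    else:
        parts = lines[0].split(None, 2)
        if len(parts) < 2:
            raise ValueError("not an OpenSSH public key line")
        declared, b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) > 2 else ""
    info = parse_blob(base64.b64decode(b64, validate=True))
    if declared is not None and declared != info["type"]:
        raise ValueError("key type on the line does not match the blob")
    info["comment"] = comment
    return info


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH style: SHA256:<base64 digest without padding>."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def check_key(info: dict, min_rsa_bits: int = 2048) -> list:
    """Checks worth running before 'public-key peer ... import sshkey'."""
    problems = []
    if info["type"] == "ssh-dss":
        problems.append("DSA key: not supported by the server in FIPS mode")
    if info["type"] == "ssh-rsa" and info["bits"] < min_rsa_bits:
        problems.append(f"RSA modulus is {info['bits']} bits, below {min_rsa_bits}")
    return problems


# Constructed key (NOT a real RSA modulus) rendered in both file formats.
E = 65537
N = (1 << 2047) | 0x5A5A5A5A5A5A5A5B
BLOB = _put_string(b"ssh-rsa") + _put_mpint(E) + _put_mpint(N)
_B64 = base64.b64encode(BLOB).decode("ascii")
OPENSSH_LINE = f"ssh-rsa {_B64} client002@host\n"
RFC4716_FILE = ("---- BEGIN SSH2 PUBLIC KEY ----\n" + 'Comment: "client002 constructed key"\n'
                + "\n".join(textwrap.wrap(_B64, 70)) + "\n---- END SSH2 PUBLIC KEY ----\n")
WEAK_BLOB = _put_string(b"ssh-rsa") + _put_mpint(E) + _put_mpint((1 << 1023) | 1)
```

Both renderings decode to the same blob and therefore the same fingerprint; that fingerprint is what to read back to the client owner before running public-key peer ... import sshkey, because the import only checks that the file parses, not who the key belongs to.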
  • Page 328: Configuring An Ssh User

    Configuring an SSH user Configure an SSH user and a local user depending on the authentication method. • If the authentication method is publickey, you must create an SSH user and a local user on the SSH server. The two users must have the same username, so that the SSH user can be assigned the correct working directory and user role.
  • Page 329: Configuring The Ssh Management Parameters

    Configuration procedure
    To configure an SSH user, and specify the service type and authentication method:
    Step Command
    - Enter system view: system-view
    - Create an SSH user, and specify the service type and authentication method. In non-FIPS mode: ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | { any | password-publickey | publickey } [ assign { pki-domain domain-name | publickey keyname } ] }...
  • Page 330: Specifying A Pki Domain For The Ssh Server

    Step Command Remarks
    - Set the DSCP value in the packets that the SSH server sends to the SSH clients:
      • Set the DSCP value in IPv4 packets: ssh server dscp dscp-value
      • Set the DSCP value in IPv6 ...
      The default setting is 48. The DSCP value of a packet defines the priority of the packet and affects the transmission...
  • Page 331: Configuring The Device As An Stelnet Client

    Configuring the device as an Stelnet client
    Stelnet client configuration task list
    Tasks at a glance Remarks
    - (Required.) Generating local key pairs: Only required when the Stelnet server uses the authentication method publickey, password-publickey, or any.
    - (Optional.) Specifying the source IP address for SSH packets
    - (Required.) Establishing a connection to an Stelnet server
    - (Optional.)...
  • Page 332: Establishing A Connection To An Stelnet Server

    Step Command Remarks
    - Specify the source IPv4 address for SSH packets: ssh client source { interface interface-type interface-number | ip ip-address }
      By default, the source IP address for SSH packets is not configured. For IPv4 SSH packets, the device uses the primary IPv4 address of the output interface specified in...
  • Page 333 Task Command Remarks | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { aes128-cbc | aes128-ctr |...
  • Page 334: Establishing A Connection To An Stelnet Server Based On Suite B

  • Page 335: Configuring The Device As An Sftp Client

    Configuring the device as an SFTP client
    SFTP client configuration task list
    Tasks at a glance Remarks
    - (Required.) Generating local key pairs: Only required when the SFTP server uses the authentication method publickey, password-publickey, or any.
    - (Optional.) Specifying the source IP address for SFTP packets
    - (Required.) Establishing a connection to an SFTP server
    - (Optional.)...
  • Page 336: Establishing A Connection To An Sftp Server

    Step Command Remarks
    - Enter system view: system-view
    - Specify the source IPv4 address for SFTP packets: sftp client source { ip ip-address | interface interface-type ...
      By default, the source IP address for SFTP packets is not configured. For IPv4 SFTP packets, the device uses the primary IPv4 address of the...
  • Page 337 Task Command Remarks sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 |...
  • Page 338: Establishing A Connection To An Sftp Server Based On Suite B

    Task Command Remarks aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ipv6 ipv6-address } ] * Establishing a connection to an SFTP server based on Suite B After the connection is established, you are in SFTP client view of the server and can perform file or...
  • Page 339: Working With Sftp Files

    Task Command Remarks
    ... from the SFTP server.
    Working with SFTP files
    Task Command Remarks
    - Change the name of a file on the SFTP server: rename old-name new-name. Available in SFTP client view.
    - Download a file from the SFTP server: get remote-file [ local-file ]. Available in SFTP client view.
  • Page 340: Generating Local Key Pairs

    Tasks at a glance Remarks (Required.) Establishing a connection to an SCP server Generating local key pairs Generate local key pairs on the SCP client when the SCP server uses the authentication method publickey, password-publickey, or any. Configuration restrictions and guidelines When you generate local key pairs on an SCP client, follow these restrictions and guidelines: •...
  • Page 341 Task Command Remarks sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ { public-key keyname | server-pki-domain...
  • Page 342: Establishing A Connection To An Scp Server Based On Suite B

    Task Command Remarks domain-name } | source { interface interface-type interface-number | ipv6 ipv6-address } ] * • In FIPS mode: scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp384 |...
  • Page 343: Specifying Key Exchange Algorithms For Ssh2

    • Key exchange algorithms. • Public key algorithms. • Encryption algorithms. • MAC algorithms. If you specify algorithms, SSH2 uses only the specified algorithms for algorithm negotiation. The client uses the specified algorithms to initiate the negotiation, and the server uses the matching algorithms to negotiate with the client.
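How the negotiation described above resolves, as an added Python model that is not part of the HPE guide and not device code: the client sends its lists in preference order, and for each category the server takes the first algorithm in the client's list that the server also supports (the rule in RFC 4253 section 7.1). The algorithm keywords are the ones accepted by the ssh2 algorithm and prefer-* commands on this page; the "client" lists and the WEAK set are constructed for illustration, and SERVER_ALL is simply every keyword the commands accept, not the device's real default. The example shows why restricting the server-side lists is the server's only lever: with everything enabled, a client that lists its weakest algorithms first gets them.

```python
"""SSH2 algorithm negotiation as the guide describes it: the client proposes
algorithms in preference order and the server selects, per category, the first
client-preferred algorithm it also supports (RFC 4253 section 7.1).
Added example, not device code.  The name lists use the keywords from the
guide's ssh2 algorithm / prefer-* commands, but SERVER_ALL, WEAK and the two
client profiles are constructed for illustration, not device defaults."""
from typing import Dict, List

Lists = Dict[str, List[str]]


class NegotiationError(Exception):
    """Raised when a category has no algorithm common to both sides."""


def choose(client_prefs: List[str], server_supported: List[str]) -> str:
    for name in client_prefs:           # the client's order decides the outcome
        if name in server_supported:    # the server's order does not matter
            return name
    raise NegotiationError(f"no common algorithm: client={client_prefs} server={server_supported}")


def negotiate(client: Lists, server: Lists) -> Dict[str, str]:
    """Negotiate kex, cipher and mac independently, as the SSH transport does.
    With an AEAD cipher (aes*-gcm) the transport uses the cipher's own tag and
    ignores the negotiated MAC (RFC 5647); the MAC choice still appears here."""
    return {cat: choose(client[cat], server[cat]) for cat in ("kex", "cipher", "mac")}


# Every keyword the guide's non-FIPS commands accept, i.e. a server that restricts nothing.
SERVER_ALL: Lists = {
    "kex": ["dh-group-exchange-sha1", "dh-group1-sha1", "dh-group14-sha1",
            "ecdh-sha2-nistp256", "ecdh-sha2-nistp384"],
    "cipher": ["3des-cbc", "aes128-cbc", "aes128-ctr", "aes128-gcm", "aes192-ctr",
               "aes256-cbc", "aes256-ctr", "aes256-gcm", "des-cbc"],
    "mac": ["md5", "md5-96", "sha1", "sha1-96", "sha2-256", "sha2-512"],
}

# What a practitioner would remove with 'ssh2 algorithm ...' (an opinion, not from the guide):
# the 1024-bit group1 and group-exchange with SHA-1, DES/3DES and CBC modes, MD5 and truncated MACs.
WEAK = {
    "kex": {"dh-group1-sha1", "dh-group-exchange-sha1"},
    "cipher": {"des-cbc", "3des-cbc", "aes128-cbc", "aes256-cbc"},
    "mac": {"md5", "md5-96", "sha1-96"},
}


def hardened(server: Lists) -> Lists:
    """The server lists after the weak entries are dropped."""
    return {cat: [a for a in algs if a not in WEAK[cat]] for cat, algs in server.items()}


# A constructed legacy client that lists its weakest algorithms first.
CLIENT_LEGACY: Lists = {
    "kex": ["dh-group1-sha1", "dh-group14-sha1", "ecdh-sha2-nistp256"],
    "cipher": ["aes128-cbc", "3des-cbc", "aes128-ctr"],
    "mac": ["md5", "sha1", "sha2-256"],
}
# A constructed client that only speaks the deprecated set.
CLIENT_ANCIENT: Lists = {"kex": ["dh-group1-sha1"], "cipher": ["3des-cbc", "des-cbc"], "mac": ["md5", "sha1"]}


def demo() -> dict:
    results = {"default": negotiate(CLIENT_LEGACY, SERVER_ALL),
               "hardened": negotiate(CLIENT_LEGACY, hardened(SERVER_ALL))}
    try:
        negotiate(CLIENT_ANCIENT, hardened(SERVER_ALL))
        results["ancient"] = "connected"
    except NegotiationError as exc:
        results["ancient"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

Against the unrestricted server the legacy client lands on dh-group1-sha1, aes128-cbc and md5; against the hardened lists the same client negotiates dh-group14-sha1, aes128-ctr and sha1 without any change on the client, and the client that can only speak the deprecated set is refused at key exchange, which is the expected and visible failure mode after tightening.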
  • Page 344: Specifying Encryption Algorithms For Ssh2

    Step Command Remarks
    ... ecdsa-sha2-nistp384, and rsa in descending order of priority for algorithm negotiation.
    Specifying encryption algorithms for SSH2
    Step Command Remarks
    - Enter system view: system-view
    - In non-FIPS mode: ssh2 algorithm cipher ... By default, in non-FIPS mode SSH2 uses the encryption algorithms aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm,...
  • Page 345: Stelnet Configuration Examples

    Task Command
    - Display the source IP address configured for the SFTP client: display sftp client source
    - Display the source IP address configured for the Stelnet client: display ssh client source
    - Display SSH server status or sessions: display ssh server { session | status }
    - Display SSH user information on the SSH server: display ssh user-information [ username ]
  • Page 346 Generating Keys......++++++ ....++++++ ..++++++++ ....++++++++ Create the key pair successfully. # Generate a DSA key pair. [Switch] public-key local create dsa The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 347: Publickey Authentication Enabled Stelnet Server Configuration Example

    To establish a connection to the Stelnet server: a. Launch PuTTY.exe to enter the interface shown in Figure b. In the Host Name (or IP address) field, enter the IP address 192.168.1.40 of the Stelnet server. Figure 90 Specifying the host name (or IP address) c.
  • Page 348 Figure 91 Network diagram Stelnet client Stelnet server Vlan-int2 192.168.1.56/24 192.168.1.40/24 Host Switch Configuration procedure In the server configuration, the client's host public key is required. Use the client software to generate RSA key pairs on the client before configuring the Stelnet server. There are different types of Stelnet client software, such as PuTTY and OpenSSH.
  • Page 349 Figure 93 Generating process a. After the key pair is generated, click Save public key to save the public key. A file saving window appears. Figure 94 Saving a key pair on the client d. Enter a file name (key.pub in this example), and click Save.
  • Page 350 e. On the page shown in Figure 94, click Save private key to save the private key. A confirmation dialog box appears. f. Click Yes. A file saving window appears. g. Enter a file name (private.ppk in this example), and click Save. h.
  • Page 351 # Import the client's public key from the public key file key.pub and name it switchkey. [Switch] public-key peer switchkey import sshkey key.pub # Create an SSH user named client002. Specify the authentication method as publickey for the user, and assign the public key switchkey to the user. [Switch] ssh user client002 service-type stelnet authentication-type publickey assign publickey switchkey # Create a local device management user named client002.
  • Page 352 Figure 96 Specifying the preferred SSH version e. Select Connection > SSH > Auth from the navigation tree. The window shown in Figure 97 appears. f. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this example), and click OK.
  • Page 353: Password Authentication Enabled Stelnet Client Configuration Example

    g. Click Open to connect to the server. If the connection is successfully established, the system notifies you to enter the username. After entering the username (client002), you can enter the CLI of the server. Password authentication enabled Stelnet client configuration example Network requirements As shown in...
  • Page 354 # Generate an ECDSA key pair. [SwitchB] public-key local create ecdsa secp256r1 Generating Keys... Create the key pair successfully. # Enable the Stelnet server. [SwitchB] ssh server enable # Assign an IP address to VLAN-interface 2. The Stelnet client uses this address as the destination address of the SSH connection.
  • Page 355 65BE6C265854889DC1EDBD13EC8B274 [SwitchA-pkey-public-key-key1]DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B 6FD60FE01941DDD77FE6B12893DA76E [SwitchA-pkey-public-key-key1]EBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B 68950387811C7DA33021500C773218C [SwitchA-pkey-public-key-key1]737EC8EE993B4F2DED30F48EDACE915F0281810082269009 14EC474BAF2932E69D3B1F18517AD95 [SwitchA-pkey-public-key-key1]94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D0 492B3959EC6499625BC4FA5082E22C5 [SwitchA-pkey-public-key-key1]B374E16DD00132CE71B020217091AC717B612391C76C1FB2 88317C1BD8171D41ECB83E210C03CC9 [SwitchA-pkey-public-key-key1]B32E810561C21621C73D6DAAC028F4B1585DA7F42519718C 9B09EEF0381840002818000AF995917 [SwitchA-pkey-public-key-key1]E1E570A3F6B1C2411948B3B4FFA256699B3BF871221CC9C5 F257523777D033BEE77FC378145F2AD [SwitchA-pkey-public-key-key1]D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F7 01F7C62621216D5A572C379A32AC290 [SwitchA-pkey-public-key-key1]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465 8716261214A5A3B493E866991113B2D [SwitchA-pkey-public-key-key1]485348 [SwitchA-pkey-public-key-key1] peer-public-key end [SwitchA] quit # Establish an SSH connection to the server, and specify the host public key of the server. <SwitchA>...
  • Page 356: Publickey Authentication Enabled Stelnet Client Configuration Example

    <SwitchA> ssh2 192.168.1.40 Username: client001 Press CTRL+C to abort. Connecting to 192.168.1.40 port 22. The server is not authenticated. Continue? [Y/N]:y Do you want to save the server public key? [Y/N]:y client001@192.168.1.40's password: Enter a character ~ and a dot to abort. ****************************************************************************** * Copyright (c) 2010-2015 Hewlett Packard Enterprise Development LP * Without the owner's prior written consent,...
  • Page 357 Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys..++++++++++++++++++++++++++++++++++++++++++++++++++* ..+..+..+........+ ...+....+..+...+ Create the key pair successfully. # Export the DSA host public key to a public key file named key.pub. [SwitchA] public-key local export dsa ssh2 key.pub [SwitchA] quit # Transmit the public key file key.pub to the server through FTP or TFTP.
  • Page 358: Stelnet Configuration Example Based On 128-Bit Suite B Algorithms

    # Set the authentication mode to AAA for user lines. [SwitchB] line vty 0 63 [SwitchB-line-vty0-63] authentication-mode scheme [SwitchB-line-vty0-63] quit # Import the peer public key from the public key file key.pub, and name it switchkey. [SwitchB] public-key peer switchkey import sshkey key.pub # Create an SSH user named client002.
  • Page 359 NOTE: You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as an Stelnet Suite B client. # Upload the server's certificate file ssh-server-ecdsa256.p12 and the client's certificate file ssh-client-ecdsa256.p12 to the Stelnet client through FTP or TFTP.
  • Page 360 04:a2:b4:b4:66:1e:3b:d5:50:50:0e:55:19:8d:52: 6d:47:8c:3d:3d:96:75:88:2f:9a:ba:a2:a7:f9:ef: 0a:a9:20:b7:b6:6a:90:0e:f8:c6:de:15:a2:23:81: 3c:9e:a2:b7:83:87:b9:ad:28:c8:2a:5e:58:11:8e: c7:61:4a:52:51 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 08:C1:F1:AA:97:45:19:6A:DA:4A:F2:87:A1:1A:E8:30:BD:31:30:D7 X509v3 Authority Key Identifier: keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22 Signature Algorithm: ecdsa-with-SHA256 30:65:02:31:00:a9:16:e9:c1:76:f0:32:fc:4b:f9:8f:b6:7f: 31:a0:9f:de:a7:cc:33:29:27:2c:71:2e:f9:0d:74:cb:25:c9: 00:d2:52:18:7f:58:3f:cc:7e:8b:d3:42:65:00:cb:63:f8:02: 30:01:a2:f6:a1:51:04:1c:61:78:f6:6b:7e:f9:f9:42:8d:7c: a7:bb:47:7c:2a:85:67:0d:81:12:0b:02:98:bc:06:1f:c1:3c: 9b:c2:1b:4c:44:38:5a:14:b2:48:63:02:2b # Create a PKI domain named client256 for the client's certificate and enter its view.
  • Page 361 Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:da:e2:26:45:87:7a:63:20:e7:ca:7f:82:19:f5: 96:88:3e:25:46:f8:2f:9a:4c:70:61:35:db:e4:39: b8:38:c4:60:4a:65:28:49:14:32:3c:cc:6d:cd:34: 29:83:84:74:a7:2d:0e:75:1c:c2:52:58:1e:22:16: 12:d0:b4:8a:92 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 1A:61:60:4D:76:40:B8:BA:5D:A1:3C:60:BC:57:98:35:20:79:80:FC X509v3 Authority Key Identifier: keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22 Signature Algorithm: ecdsa-with-SHA256 30:66:02:31:00:9a:6d:fd:7d:ab:ae:54:9a:81:71:e6:bb:ad: 5a:2e:dc:1d:b3:8a:bf:ce:ee:71:4e:8f:d9:93:7f:a3:48:a1:...
  • Page 362: Sftp Configuration Examples

    [SwitchB] ssh server enable # Assign an IP address to VLAN-interface 2. [SwitchB] interface vlan-interface 2 [SwitchB-Vlan-interface2] ip address 192.168.1.40 255.255.255.0 [SwitchB-Vlan-interface2] quit # Set the authentication mode to AAA for user lines. [SwitchB] line vty 0 15 [SwitchB-line-vty0-15] authentication-mode scheme [SwitchB-line-vty0-15] quit # Create a local device management user named client001.
  • Page 363 • The switch acts as the SFTP server and uses password authentication. • The username and password of the client are saved on the switch. Establish an SFTP connection between the host and the switch, so that you can log in to the switch to manage and transfer files.
  • Page 364 [Switch-Vlan-interface2] quit # Create a local device management user named client002. [Switch] local-user client002 class manage # Set the password to aabbcc in plain text for local user client002. [Switch-luser-manage-client002] password simple aabbcc # Authorize local user client002 to use the SSH service. [Switch-luser-manage-client002] service-type ssh # Assign the network-admin user role and working directory flash:/ to local user client002.
  • Page 365: Publickey Authentication Enabled Sftp Client Configuration Example

    Publickey authentication enabled SFTP client configuration example Network requirements As shown in Figure 103, Switch B acts as the SFTP server, and it uses publickey authentication and the RSA public key algorithm. Establish an SFTP connection between Switch A and Switch B, so that you can log in to Switch B to manage and transfer files.
  • Page 366 Input the modulus length [default = 1024]: Generating Keys......++++++ ....++++++ ..++++++++ ....++++++++ Create the key pair successfully. # Generate a DSA key pair. [SwitchB] public-key local create dsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 367 Press CTRL+C to abort. Connecting to 192.168.0.1 port 22. The server is not authenticated. Continue? [Y/N]:y Do you want to save the server public key? [Y/N]:n sftp> # Display files under the current directory of the server, delete file z, and verify the result. sftp>...
  • Page 368: Sftp Configuration Example Based On 192-Bit Suite B Algorithms

    NOTE: You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as an SFTP client. # Upload the server's certificate file ssh-server-ecdsa384.p12 and the client's certificate file ssh-client-ecdsa384.p12 to the SFTP client through FTP or TFTP. (Details not shown.) # Create a PKI domain named server384 for verifying the server's certificate and enter its view.
  • Page 369 The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A to Z, 0 to 9, and hyphens (-). Please enter the key pair name[default name: server384]: # Display information about local certificates in PKI domain server384.
  • Page 370 # Disable CRL checking. [SwitchA-pki-domain-client384] undo crl check enable [SwitchA-pki-domain-client384] quit # Import local certificate file ssh-client-ecdsa384.p12 to PKI domain client384. [SwitchA] pki import domain client384 p12 local filename ssh-client-ecdsa384.p12 The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters.
  • Page 371 33:71:75:5e:11:c9:a6:51:4b:3e:7c:eb:2a:4d:87:2b:71:7c: 30:64:fe:14:ce:06:d5:0a:e2:cf:9a:69:19:ff # Assign an IP address to VLAN-interface 2. [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 192.168.0.2 255.255.255.0 [SwitchA-Vlan-interface2] quit [SwitchA] quit Configure the SFTP server: # Upload the server's certificate file ssh-server-ecdsa384.p12 and the client's certificate file ssh-client-ecdsa384.p12 to the SFTP server through FTP or TFTP. (Details not shown.) # Create a PKI domain named client384 for verifying the client's certificate and import the file of the client's certificate to this domain.
  • Page 372: Scp Configuration Examples

    Connecting to 192.168.0.1 port 22. sftp> SCP configuration examples Unless otherwise noted, devices in the configuration examples operate in non-FIPS mode. When the device acts as an SCP server and is operating in FIPS mode, only ECDSA and RSA key pairs are supported.
  • Page 373 ..+..+..+........+ ...+....+..+...+. Create the key pair successfully. # Generate an ECDSA key pair. [SwitchB] public-key local create ecdsa secp256r1 Generating Keys... Create the key pair successfully. # Enable the SCP server. [SwitchB] scp server enable # Configure an IP address for VLAN-interface 2. The client uses this address as the destination for SCP connection.
  • Page 374: Scp Configuration Example Based On Suite B Algorithms

    NOTE: You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as an SCP client. # Upload the server's certificate files (ssh-server-ecdsa256.p12 and ssh-server-ecdsa384.p12) and the client's certificate files (ssh-client-ecdsa256.p12 and ssh-client-ecdsa384.p12) to the SCP client through FTP or TFTP.
  • Page 375 Signature Algorithm: ecdsa-with-SHA256 Issuer: C=CN, ST=Abc, L=Abc, O=abc, OU=Software, CN=SuiteB CA Validity Not Before: Aug 21 08:39:51 2015 GMT Not After : Aug 20 08:39:51 2016 GMT Subject: C=CN, ST=Abc, O=abc, OU=Software, CN=SSH Server secp256 Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:a2:b4:b4:66:1e:3b:d5:50:50:0e:55:19:8d:52:...
  • Page 376 Certificate: Data: Version: 3 (0x2) Serial Number: 4 (0x4) Signature Algorithm: ecdsa-with-SHA256 Issuer: C=CN, ST=Abc, L=Abc, O=abc, OU=Software, CN=SuiteB CA Validity Not Before: Aug 21 08:41:09 2015 GMT Not After : Aug 20 08:41:09 2016 GMT Subject: C=CN, ST=Abc, O=abc, OU=Software, CN=SSH Client secp256 Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit)
  • Page 377 Please enter the key pair name[default name: server384]: # Display information about local certificates in PKI domain server384. [SwitchA] display pki certificate domain server384 local Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: ecdsa-with-SHA384 Issuer: C=CN, ST=Abc, L=Abc, O=abc, OU=Software, CN=SuiteB CA Validity Not Before: Aug 20 10:08:41 2015 GMT Not After : Aug 19 10:08:41 2016 GMT...
  • Page 378 [SwitchA-pki-domain-client384] quit # Import local certificate file ssh-client-ecdsa384.p12 to PKI domain client384. [SwitchA] pki import domain client384 p12 local filename ssh-client-ecdsa384.p12 The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A to Z, 0 to 9, and hyphens (-).
  • Page 379 # Assign an IP address to VLAN-interface 2. [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 192.168.0.2 255.255.255.0 [SwitchA-Vlan-interface2] quit Configure the SCP server: # Upload the server's certificate files (ssh-server-ecdsa256.p12 and ssh-server-ecdsa384.p12) and the client's certificate files (ssh-client-ecdsa256.p12 and ssh-client-ecdsa384.p12) to the SCP server through FTP or TFTP. (Details not shown.) # Create a PKI domain named client256 for verifying the client's certificate ecdsa256 and import the file of this certificate to this domain.
  • Page 380: Netconf Over Ssh Configuration Example With Password Authentication

    # Create an SSH user client001. Specify the publickey authentication method for the user and specify client256 as the PKI domain for verifying the client's certificate. [Switch] ssh user client001 service-type scp authentication-type publickey assign pki-domain client256 # Establish an SCP connection to the SCP server at 192.168.0.1 based on the 128-bit Suite B algorithms.
  • Page 381: Configuration Procedure

    Figure 107 Network diagram: NETCONF-over-SSH client (Host, 192.168.1.56/24) and NETCONF-over-SSH server (Switch, Vlan-int2 192.168.1.40/24). Configuration procedure # Generate RSA key pairs. <Switch> system-view [Switch] public-key local create rsa The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 382: Verifying The Configuration

    [Switch-line-vty0-63] authentication-mode scheme [Switch-line-vty0-63] quit # Create a local device management user named client001. [Switch] local-user client001 class manage # Set the password to aabbcc in plain text for local user client001. [Switch-luser-manage-client001] password simple aabbcc # Authorize local user client001 to use the SSH service. [Switch-luser-manage-client001] service-type ssh # Assign the network-admin user role to local user client001.
  • Page 383: Configuring Ssl

    Configuring SSL Overview Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security for TCP-based application layer protocols such as HTTP. SSL has been widely used in applications such as e-business and online banking to provide secure data transmission over the Internet. SSL security services SSL provides the following security services: •...
  • Page 384: Fips Compliance

    Figure 109 SSL protocol stack: the application layer protocol (e.g. HTTP), the SSL handshake protocol, the SSL change cipher spec protocol and the SSL alert protocol all run over the SSL record protocol. The following describes the major functions of SSL protocols: • SSL record protocol—Fragments data received from the upper layer, computes and adds a MAC to the data, and encrypts the data.
  • Page 385 (Optional.) Disable the SSL server from using specific SSL protocol versions. In non-FIPS mode: ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable. By default, in non-FIPS mode the SSL server supports SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2. SSL 3.0 is not considered secure; disable it, and TLS 1.0, unless a legacy client requires them.
  • Page 386 In non-FIPS mode: ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_128_cbc_sha256 | dhe_rsa_aes_256_cbc_sha | dhe_rsa_aes_256_cbc_sha256 | ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_256_gcm_sha384 | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 |...
  • Page 387: Configuring An Ssl Client Policy

    (Optional.) Enable mandatory or optional SSL client authentication: client-verify { enable | optional }. By default, SSL client authentication is disabled, and the SSL server does not perform digital certificate-based authentication on SSL clients. When authenticating a client by using the digital...
  • Page 388 In non-FIPS mode: prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_128_cbc_sha256 | dhe_rsa_aes_256_cbc_sha | dhe_rsa_aes_256_cbc_sha256 | ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_256_gcm_sha384 | •...
  • Page 389: Displaying And Maintaining Ssl

    Specify the SSL protocol version for the SSL client policy. In non-FIPS mode: version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 }. By default, an SSL client policy uses TLS 1.0. To ensure security, do not •...
  • Page 390 Configuration procedure Make sure the device, the host, and the CA server can reach each other. (Details not shown.) Configure the HTTPS server on the device: # Create a PKI entity named en. Set the common name and FQDN for the entity. <Device>...
  • Page 391 [Device-ssl-server-policy-myssl] pki-domain 1 # Enable client authentication. [Device-ssl-server-policy-myssl] client-verify enable [Device-ssl-server-policy-myssl] quit # Configure the HTTPS service to use SSL server policy myssl. [Device] ip https ssl-server-policy myssl # Enable the HTTPS service. [Device] ip https enable # Create a local user named usera. Set the password to 123, service type to https, and user role to network-admin.
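The SSL configuration steps on pages 385 to 389 leave the weak defaults (SSL 3.0 enabled on the server, TLS 1.0 for a client policy, export-grade and CBC/SHA-1 cipher suites selectable) to the administrator. The following Python script is an added example, not HPE code or output from this guide: it parses a running configuration in display current-configuration style and flags those settings using the command keywords shown on these pages. The sample configuration, the severity ratings and the policy names are this example's assumptions.

```python
"""Offline audit of Comware SSL server/client policy settings (added example, not HPE code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Versions the SSL server supports in non-FIPS mode unless removed with
# "ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable" in system view.
SERVER_DEFAULT_VERSIONS = frozenset({"ssl3.0", "tls1.0", "tls1.1", "tls1.2"})
WEAK_VERSIONS = {"ssl3.0": "high", "tls1.0": "medium", "tls1.1": "medium"}  # example's own ratings
CLIENT_DEFAULT_VERSION = "tls1.0"   # documented default for an SSL client policy


@dataclass
class Policy:
    kind: str                 # "server-policy" or "client-policy"
    name: str
    settings: dict[str, list[str]] = field(default_factory=dict)


def parse_config(text: str) -> tuple[set[str], list[Policy]]:
    """Return (SSL server versions still enabled, SSL policies found)."""
    enabled = set(SERVER_DEFAULT_VERSIONS)
    policies: list[Policy] = []
    current: Policy | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":       # "#" separates Comware config sections
            current = None
            continue
        m = re.fullmatch(r"ssl (server-policy|client-policy) (\S+)", line)
        if m and current is None:
            current = Policy(m.group(1), m.group(2))
            policies.append(current)
            continue
        if current is None:               # system-view command
            m = re.fullmatch(r"ssl version ((?:\S+ )+)disable", line)
            if m:
                enabled -= set(m.group(1).split())
            continue
        tokens = line.split()             # policy-view command: keyword + arguments
        current.settings[tokens[0]] = tokens[1:]
    return enabled, policies


def cipher_issue(name: str) -> tuple[str, str] | None:
    """Classify one keyword from a ciphersuite / prefer-cipher list."""
    if name.startswith("exp_"):
        return "high", f"export-grade cipher suite {name}"
    if name.endswith("_md5"):
        return "high", f"MD5-based cipher suite {name}"
    if name.endswith("_cbc_sha"):
        return "medium", f"CBC mode with SHA-1 cipher suite {name}"
    return None


def audit(text: str) -> list[tuple[str, str, str]]:
    """Return (severity, scope, message) findings for one configuration."""
    findings: list[tuple[str, str, str]] = []
    enabled, policies = parse_config(text)
    for version, severity in WEAK_VERSIONS.items():
        if version in enabled:
            findings.append((severity, "ssl-server",
                             f"{version} still enabled; add 'ssl version {version} disable'"))
    for p in policies:
        scope = f"{p.kind} {p.name}"
        if p.kind == "server-policy":
            for suite in p.settings.get("ciphersuite", []):
                if (issue := cipher_issue(suite)):
                    findings.append((issue[0], scope, issue[1]))
            if (p.settings.get("client-verify") or [""])[0] != "enable":
                findings.append(("info", scope, "client certificate authentication is not mandatory"))
        else:
            version = p.settings.get("version", [CLIENT_DEFAULT_VERSION])[0]
            if version in WEAK_VERSIONS:
                findings.append((WEAK_VERSIONS[version], scope,
                                 f"client policy negotiates {version}; set 'version tls1.2'"))
            for suite in p.settings.get("prefer-cipher", []):
                if (issue := cipher_issue(suite)):
                    findings.append((issue[0], scope, issue[1]))
    return findings


# Constructed sample in display current-configuration style (not from a real device).
SAMPLE_CONFIG = """\
#
 ssl version ssl3.0 disable
#
ssl server-policy myssl
 pki-domain 1
 ciphersuite ecdhe_ecdsa_aes_256_gcm_sha384 dhe_rsa_aes_128_cbc_sha exp_rsa_des_cbc_sha
 client-verify enable
#
ssl client-policy mycli
 pki-domain 1
 prefer-cipher ecdhe_rsa_aes_128_gcm_sha256
#
"""

if __name__ == "__main__":
    for severity, scope, message in audit(SAMPLE_CONFIG):
        print(f"[{severity:6}] {scope}: {message}")
```

Run against the sample, the script reports that TLS 1.0 and TLS 1.1 are still accepted by the server, that policy myssl offers one CBC/SHA-1 and one export suite next to its GCM suite, and that client policy mycli falls back to the documented TLS 1.0 default because no version command was entered.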
  • Page 392: Configuring Attack Detection And Prevention

    Configuring attack detection and prevention Overview Attack detection and prevention enables a device to detect attacks by inspecting arriving packets, and to take prevention actions to protect a private network. Prevention actions include logging, packet dropping, and blacklisting. Attacks that the device can prevent This section describes the attacks that the device can detect and prevent.
  • Page 393: Scanning Attacks

    Single-packet attacks: • IP options—An attacker sends IP datagrams in which the IP options are abnormal. This attack intends to probe the network topology. The target system will break down if it is incapable of processing error packets. • IP fragment—An attacker sends the victim an IP datagram with an offset smaller than 5, which causes the victim to malfunction or crash.
  • Page 394: Flood Attacks

    Flood attacks An attacker launches a flood attack by sending a large number of forged requests to the victim in a short period of time. The victim is too busy responding to these forged requests to provide services for legal users, and a DoS attack occurs. The device can detect and prevent the following types of flood attacks: •...
  • Page 395: Tcp Fragment Attack

    An ICMPv6 flood attacker sends ICMPv6 request packets, such as ping packets, to a host at a fast rate. Because the target host is busy replying to these requests, it is unable to provide services. • UDP flood attack. A UDP flood attacker sends UDP packets to a host at a fast rate. These packets consume a large amount of the target host's bandwidth, so the host cannot provide other services.
  • Page 396: User Blacklist

    User blacklist The user blacklist feature is an attack prevention method that filters packets by source users in blacklist entries. Compared with IP blacklist filtering, user blacklist filtering performs access control on the user level and improves the filtering usability. The user blacklist feature must be used together with the user identification feature.
  • Page 397: Configuring A Single-Packet Attack Defense Policy

    Configuring a single-packet attack defense policy Apply the single-packet attack defense policy to the interface that is connected to the external network. Single-packet attack detection inspects incoming packets based on the packet signature. If an attack packet is detected, the device can take the following actions: •...
  • Page 398: Configuring A Scanning Attack Defense Policy

    • signature detect ipv6-ext-header ext-header-value [ action { { drop | logging } * | none } ] (Optional.) Set the maximum length of safe ICMP or ICMPv6 packets: signature { large-icmp | large-icmpv6 } max-length length. By default, the maximum length of safe ICMP or ICMPv6 packets is 4000 bytes. A large ICMP or ICMPv6...
  • Page 399: Configuring A Flood Attack Defense Policy

    Configuring a flood attack defense policy Apply a flood attack defense policy to the interface that is connected to the external network to protect internal servers. Flood attack detection monitors the rate at which connections are initiated to the internal servers. With flood attack detection enabled, the device is in attack detection state.
  • Page 400 ... vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]. By default, this detection is not configured. Configuring a SYN-ACK flood attack defense policy: Enter system view (system-view). Enter attack defense policy view (attack-defense policy policy-name).
  • Page 401 Enter attack defense policy view (attack-defense policy policy-name). Enable global RST flood attack detection (rst-flood detect non-specific); by default, global RST flood attack detection is disabled. Set the global trigger threshold for RST flood attack prevention (rst-flood threshold threshold-value); the default setting is 1000.
  • Page 402 Configure IP address-specific ICMPv6 flood attack detection: icmpv6-flood detect ipv6 ipv6-address [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]. By default, IP address-specific ICMPv6 flood attack detection is not configured. Configuring a UDP flood attack defense policy Step Command...
  • Page 403: Configuring Attack Detection Exemption

    Configuring an HTTP flood attack defense policy: Enter system view (system-view). Enter attack defense policy view (attack-defense policy policy-name). Enable global HTTP flood attack detection (http-flood detect non-specific); by default, global HTTP flood attack detection is disabled. Set the global trigger threshold for HTTP flood...
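The flood defense policies on pages 399 to 403 describe one mechanism for every flood type: a per-second rate is compared with a trigger threshold (default 1000), the device moves from the attack detection state to the attack prevention state, and the configured action (drop, logging) applies. The Python model below is an added example, not HPE code: it replays a constructed packet trace through a policy with one non-specific rule and one IP-specific rule and shows where the state changes and how many packets a drop action would discard. The one-second window, the trace and the rule that returns to the detection state as soon as the rate falls under the threshold are this example's simplifications; the device uses its own timers, which this page does not detail.

```python
"""Flood attack detection state machine over a constructed packet trace (added example, not HPE code)."""
from __future__ import annotations

from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 1.0          # thresholds are expressed in packets per second


@dataclass
class FloodPolicy:
    """Mirrors an attack-defense policy: non-specific and IP-specific rules."""
    # flood type -> (threshold, actions), e.g. "udp-flood detect non-specific"
    non_specific: dict[str, tuple[int, frozenset[str]]] = field(default_factory=dict)
    # (protected IP, flood type) -> (threshold, actions), e.g.
    # "syn-flood detect ip 10.1.1.2 threshold 1000 action drop logging"
    per_ip: dict[tuple[str, str], tuple[int, frozenset[str]]] = field(default_factory=dict)

    def rule(self, dst: str, kind: str):
        # An IP-specific entry takes precedence over the non-specific one.
        return self.per_ip.get((dst, kind)) or self.non_specific.get(kind)


def run_detector(policy: FloodPolicy, packets):
    """packets: iterable of (timestamp_s, dst_ip, flood_type) sorted by time.

    Returns (events, dropped): events lists state changes as
    (ts, dst, kind, rate, new_state); dropped counts packets discarded per
    (dst, kind) while the drop action is active in the prevention state.
    """
    windows: dict[tuple[str, str], deque] = defaultdict(deque)
    state: dict[tuple[str, str], str] = {}
    dropped: Counter = Counter()
    events: list[tuple[float, str, str, int, str]] = []
    for ts, dst, kind in packets:
        rule = policy.rule(dst, kind)
        if rule is None:
            continue                          # flood type not monitored by the policy
        threshold, actions = rule
        key = (dst, kind)
        window = windows[key]
        window.append(ts)
        while window and window[0] <= ts - WINDOW_SECONDS:
            window.popleft()                  # keep only the last second
        rate = len(window)
        if rate > threshold:
            if state.get(key) != "prevention":
                state[key] = "prevention"     # detection -> prevention
                events.append((ts, dst, kind, rate, "prevention"))
            if "drop" in actions:
                dropped[key] += 1
        elif state.get(key) == "prevention":
            state[key] = "detection"          # simplification: no silence timer
            events.append((ts, dst, kind, rate, "detection"))
    return events, dropped


def sample_trace():
    """Constructed trace: background SYNs, a 1500 pps SYN burst, modest UDP."""
    pkts = [(i * 0.2, "10.1.1.2", "syn-flood") for i in range(5)]
    pkts += [(2.0 + i * 0.0005, "10.1.1.2", "syn-flood") for i in range(1500)]
    pkts += [(2.0 + i * 0.02, "10.1.1.3", "udp-flood") for i in range(50)]
    return sorted(pkts)


SAMPLE_POLICY = FloodPolicy(
    non_specific={"udp-flood": (1000, frozenset({"logging"}))},
    per_ip={("10.1.1.2", "syn-flood"): (1000, frozenset({"drop", "logging"}))},
)

if __name__ == "__main__":
    events, dropped = run_detector(SAMPLE_POLICY, sample_trace())
    for ts, dst, kind, rate, new_state in events:
        print(f"t={ts:.3f}s {kind} to {dst}: {rate} pps -> {new_state}")
    print("dropped:", dict(dropped))
```

With the sample policy the SYN burst crosses the threshold at the 1001st packet within a second, the detector switches to the prevention state once, and the remaining 500 packets of the burst are counted as dropped; the UDP traffic to 10.1.1.3 stays far below its non-specific threshold and produces no event.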
  • Page 404: Applying An Attack Defense Policy To An Interface

    Step Command Remarks | name acl-name } exemption is not configured. Applying an attack defense policy to an interface An attack defense policy does not take effect unless you apply it to an interface. If you apply an attack defense policy to a global interface, specify a traffic processing slot for the interface.
  • Page 405: Enabling Log Non-Aggregation For Single-Packet Attack Events

    Enabling log non-aggregation for single-packet attack events Log aggregation aggregates multiple logs generated during a period of time and sends one log. Logs that are aggregated must have the following attributes in common: • Attacks are detected on the same interface or destined for the device. •...
  • Page 406: Configuring The User Blacklist Feature

    To configure the IP blacklist feature: Enter system view (system-view). (Optional.) Enable the global blacklist feature (blacklist global enable). By default, the global blacklist feature is disabled. If the global blacklist feature is enabled, the blacklist feature is enabled on all interfaces.
  • Page 407: Enabling The Login Delay

    Enter system view (system-view). Enable login attack prevention (attack-defense login enable); by default, login attack prevention is disabled. Set the maximum number of successive login failures (attack-defense login max-attempt max-attempt); the default value is three. Set the block period during which a login ... (attack-defense login ...); the default value is 60 minutes.
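To see how the three settings above interact (successive failures, a successful login resetting the count, and the block period), the following Python state machine replays a constructed log of login results. It is an added example, not HPE code; the source addresses and timestamps are invented, and the default values (three attempts, 60 minutes) are those stated on this page.

```python
"""Login attack prevention state machine (added example, not HPE code)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class LoginGuard:
    enabled: bool = True            # attack-defense login enable
    max_attempt: int = 3            # attack-defense login max-attempt (default 3)
    block_minutes: int = 60         # block period (default 60 minutes)
    failures: dict[str, int] = field(default_factory=dict)
    blocked_until: dict[str, float] = field(default_factory=dict)

    def check(self, ts: float, src_ip: str) -> bool:
        """Return True if a login attempt from src_ip may proceed at time ts."""
        if not self.enabled:
            return True
        until = self.blocked_until.get(src_ip)
        if until is not None:
            if ts < until:
                return False                  # still inside the block period
            del self.blocked_until[src_ip]    # block expired: start clean
            self.failures.pop(src_ip, None)
        return True

    def record(self, ts: float, src_ip: str, success: bool) -> None:
        """Update the counters after an authentication result."""
        if not self.enabled:
            return
        if success:
            self.failures.pop(src_ip, None)   # a success ends the run of failures
            return
        n = self.failures.get(src_ip, 0) + 1
        self.failures[src_ip] = n
        if n >= self.max_attempt:             # too many successive failures: block
            self.blocked_until[src_ip] = ts + self.block_minutes * 60
            del self.failures[src_ip]


def replay(guard: LoginGuard, events):
    """events: (ts_seconds, src_ip, success). Returns (ts, ip, decision) tuples."""
    decisions = []
    for ts, ip, ok in events:
        if not guard.check(ts, ip):
            decisions.append((ts, ip, "blocked"))
            continue
        guard.record(ts, ip, ok)
        decisions.append((ts, ip, "accepted" if ok else "failed"))
    return decisions


# Constructed event log: 192.0.2.50 brute-forces, 192.0.2.10 mistypes once.
SAMPLE_EVENTS = [
    (0.0, "192.0.2.50", False),
    (5.0, "192.0.2.10", False),
    (8.0, "192.0.2.10", True),     # success resets the counter for .10
    (10.0, "192.0.2.50", False),
    (20.0, "192.0.2.50", False),   # third successive failure: blocked for 60 min
    (30.0, "192.0.2.50", True),    # correct password, but refused while blocked
    (3599.0, "192.0.2.50", True),  # one second before the block expires
    (3620.0, "192.0.2.50", True),  # block period over
]

if __name__ == "__main__":
    for decision in replay(LoginGuard(), SAMPLE_EVENTS):
        print(decision)
```

The replay shows the point a practitioner should note: once the block is in place, even a correct password from the blocked address is refused until the block period ends, while the legitimate user who failed once and then succeeded is never counted towards a block.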
  • Page 408 (In standalone mode.) Display information about IPv4 scanning attackers: display attack-defense scan attacker ip [ interface interface-type interface-number [ slot slot-number ] | local [ slot slot-number ] ] [ count ]. (In IRF mode.) Display information about IPv4 scanning attackers: display attack-defense scan attacker ip [ interface interface-type interface-number [ chassis...
  • Page 409: Attack Detection And Prevention Configuration Examples

    (In standalone mode.) Display information about IPv4 addresses protected by flood attack detection and prevention: display attack-defense policy policy-name { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } ip.
  • Page 410 • Provide low-level scanning attack detection for internal hosts and servers. If a scanning attack is detected, log the attack and keep the attacker on the blacklist for 10 minutes. • Protect internal hosts and servers against smurf attacks. If a smurf attack is detected, log the attack.
  • Page 411 Policy name : a1. Applied list : GE1/0/2. Exempt IPv4 ACL : Not configured. Exempt IPv6 ACL : Not configured. Actions: BS-Block source, L-Logging, D-Drop, N-None. Signature attack defense configuration (Signature name, Defense, Level, Actions): Fragment Disabled; Impossible Disabled medium...
  • Page 412 (Signature name, Defense, Level, continued:) ICMP timestamp reply Disabled info; ICMP information request Disabled info; ICMP information reply Disabled info; ICMP address mask request Disabled info; ICMP address mask reply Disabled info; ICMPv6 echo request Disabled info; ICMPv6 echo reply Disabled info; ICMPv6 group membership query Disabled info; ICMPv6 group membership report...
  • Page 413: Ip Blacklist Configuration Example

    AttackType AttackTimes Dropped: Smurf ... # Verify that the IPv4 blacklist feature collaborates with the scanning attack detection. [Device] display blacklist ip: IP address 5.5.5.5, Type Dynamic, TTL(sec) 600, Dropped 353452 (the VPN instance and DS-Lite tunnel peer columns are empty). IP blacklist configuration example Network requirements As shown in Figure 112, configure the IP blacklist feature on the device to block packets from the...
  • Page 414: User Blacklist Configuration Example

    User blacklist configuration example Network requirements As shown in Figure 113, configure the user blacklist feature on the device to block packets from User C for 50 minutes. The IP address of User C is 1.2.3.4 and the MAC address of User C is 0001-0001-0001.
  • Page 415: Configuring Tcp Attack Prevention

    Configuring TCP attack prevention Overview TCP attack prevention can detect and prevent attacks that exploit the TCP connection establishment process. Configuring Naptha attack prevention Naptha is a DDoS attack that targets operating systems. It exploits resource-consumption weaknesses in the TCP/IP stack and in network application processes. The attacker establishes a large number of TCP connections in a short period of time and leaves them in certain states without requesting any data.
  • Page 416: Configuring Ip Source Guard

    Configuring IP source guard Overview IP source guard (IPSG) prevents spoofing attacks by using an IPSG binding table to match legitimate packets. It drops packets that do not match the table. IPSG is a per-interface packet filter. Configuring the feature on one interface does not affect packet forwarding on another interface. The IPSG binding table can include global and interface-specific bindings.
  • Page 417: Dynamic Ipsg Bindings

    For information about ARP attack detection, see "Configuring ARP attack protection." For information about ND attack detection, see "Configuring ND attack defense." Static IPSG bindings can be global or interface-specific. • Global static binding—Binds the IP address and MAC address in system view. The binding takes effect on all interfaces to filter packets for user spoofing attack prevention.
  • Page 418: Configuration Restrictions And Guidelines

    Configuration restrictions and guidelines Layer 3 Ethernet subinterfaces do not support enabling the IPSG feature or configuring static IPSG bindings. IPSG configuration task list To configure IPv4SG, perform the following tasks: Tasks at a glance (Required.) Enabling IPv4SG on an interface (Optional.) Configuring a static IPv4SG binding (Optional.)
  • Page 419: Configuring A Static Ipv4Sg Binding

    Enable the IPv4SG feature: ip verify source { ip-address | ip-address mac-address | mac-address }. By default, the IPv4SG feature is disabled on an interface. If you configure this command on an interface multiple times, the most recent configuration takes effect.
  • Page 420: Excluding Ipv4 Packets From Ipsg Filtering

    Excluding IPv4 packets from IPSG filtering Typically, IPv4SG processes all incoming IPv4 packets and discards the packets that do not match IPSG bindings on an interface. This task excludes IPv4 packets with specific source items from IPSG filtering. You can specify source VLANs for IPSG filtering exemption in the current software version. All IPv4 packets from the specified VLANs are forwarded without being processed by IPSG.
  • Page 421: Configuring A Static Ipv6Sg Binding

    Configuring a static IPv6SG binding You can configure global static and interface-specific static IPv6SG bindings. Global static bindings take effect on all interfaces. Interface-specific static bindings take priority over global static bindings. An interface first uses the static bindings on the interface to match packets. If no match is found, the interface uses the global bindings.
  • Page 422: Ipsg Configuration Examples

    (In standalone mode.) Display source items that have been configured to be excluded from IPSG filtering: display ip verify source excluded [ vlan start-vlan-id [ to end-vlan-id ] ] [ slot slot-number ]. (In IRF mode.) Display source items that have been configured to be excluded from IPSG filtering: display ip verify source excluded [ vlan start-vlan-id [ to end-vlan-id ] ] [ chassis chassis-number slot slot-number ]...
  • Page 423 <DeviceA> system-view [DeviceA] interface gigabitethernet 1/0/2 [DeviceA-GigabitEthernet1/0/2] ip verify source ip-address mac-address # On GigabitEthernet 1/0/2, configure a static IPv4SG binding for Host C. [DeviceA-GigabitEthernet1/0/2] ip source binding ip-address 192.168.0.3 mac-address 0001-0203-0405 [DeviceA-GigabitEthernet1/0/2] quit # Enable IPv4SG on GigabitEthernet 1/0/1. [DeviceA] interface gigabitethernet 1/0/1 [DeviceA-GigabitEthernet1/0/1] ip verify source ip-address mac-address # On GigabitEthernet 1/0/1, configure a static IPv4SG binding for Host A.
  • Page 424: Dynamic Ipv4Sg Using Dhcp Snooping Configuration Example

    Dynamic IPv4SG using DHCP snooping configuration example Network requirements As shown in Figure 116, the host (the DHCP client) obtains an IP address from the DHCP server. Perform the following tasks: • Enable DHCP snooping on the device to make sure the DHCP client obtains an IP address from the authorized DHCP server.
  • Page 425: Dynamic Ipv4Sg Using Dhcp Relay Agent Configuration Example

    Dynamic IPv4SG using DHCP relay agent configuration example Network requirements As shown in Figure 117, DHCP relay agent is enabled on the switch. The host obtains an IP address from the DHCP server through the DHCP relay agent. Enable dynamic IPv4SG on VLAN-interface 100 to filter incoming packets by using the IPv4SG bindings generated based on DHCP relay entries.
  • Page 426: Static Ipv6Sg Configuration Example

    Static IPv6SG configuration example Network requirements As shown in Figure 118, configure a static IPv6SG binding on GigabitEthernet 1/0/1 of the device to allow only IPv6 packets from the host to pass. Figure 118 Network diagram: Host (IP 2001::1, MAC 0001-0202-0202) connects to GE1/0/1 of Device, which connects to the Internet. Configuration procedure...
  • Page 427: Dynamic Ipv6Sg Using Dhcpv6 Relay Agent Configuration Example

    Configuration procedure Configure DHCPv6 snooping: # Enable DHCPv6 snooping globally. <Device> system-view [Device] ipv6 dhcp snooping enable # Configure GigabitEthernet 1/0/2 as a trusted interface. [Device] interface gigabitethernet 1/0/2 [Device-GigabitEthernet1/0/2] ipv6 dhcp snooping trust [Device-GigabitEthernet1/0/2] quit Enable IPv6SG: # Enable IPv6SG on GigabitEthernet 1/0/1 and verify the source IP address and MAC address for dynamic IPv6SG.
  • Page 428 Configuration procedure Configure the DHCPv6 relay agent: # Create VLAN 2 and VLAN 3, assign interfaces to the VLANs, and specify IP addresses for VLAN-interface 2 and VLAN-interface 3. (Details not shown.) # Enable the DHCPv6 relay agent on VLAN-interface 3. [Switch] interface vlan-interface 3 [Switch-Vlan-interface3] ipv6 dhcp select relay # Enable recording of DHCPv6 relay entries on the interface.
  • Page 429: Configuring Arp Attack Protection

    Configuring ARP attack protection ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks. Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
  • Page 430: Configuring Arp Source Suppression

    After a blackhole route is created for an unresolved IP address, the device immediately starts the first ARP blackhole route probe by sending an ARP request. If the resolution fails, the device continues probing according to the probe settings. If the IP address resolution succeeds in a probe, the device converts the blackhole route to a normal route.
  • Page 431: Configuring Arp Packet Rate Limit

    A large number of ARP requests are detected in the office area and are considered an attack caused by unresolvable IP packets. To prevent the attack, configure ARP source suppression or ARP blackhole routing. Figure 121 Network diagram: IP network, Gateway (Device) with ARP attack protection...
  • Page 432: Configuration Procedure

    Configuration procedure This task sets a rate limit for ARP packets received on an interface. When the receiving rate of ARP packets on the interface exceeds the rate limit, those packets are discarded. You can enable sending notifications to the SNMP module or enable logging for ARP packet rate limit.
  • Page 433: Configuration Procedure

    entry for the MAC address. Before the entry ages out, the device handles the attack by using either of the following methods: • Monitor—Only generates log messages. • Filter—Generates log messages and filters out subsequent ARP packets from the MAC address.
  • Page 434: Configuration Example

    (In IRF mode.) Display ARP attack entries detected by source MAC-based ARP attack detection: display arp source-mac { chassis chassis-number slot slot-number | interface interface-type interface-number }. Configuration example Network requirements As shown in Figure 122, the hosts access the Internet through a gateway (Device). If malicious users send a large number of ARP requests to the gateway, the gateway might crash and be unable to process requests from the clients.
  • Page 435: Configuring Arp Packet Source Mac Consistency Check

    # Set the lifetime for ARP attack entries to 60 seconds. [Device] arp source-mac aging-time 60 # Exclude MAC address 0012-3f86-e94c from this detection. [Device] arp source-mac exclude-mac 0012-3f86-e94c Configuring ARP packet source MAC consistency check This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body.
  • Page 436: Configuring Authorized Arp

    Configuring authorized ARP Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP server or dynamic client entries on the DHCP relay agent. For more information about DHCP server and DHCP relay agent, see Layer 3—IP Services Configuration Guide. With authorized ARP enabled, an interface is disabled from learning dynamic ARP entries.
  • Page 437: Configuration Example (On A Dhcp Relay Agent)

    # Enter Layer 3 Ethernet interface view. [DeviceA] interface gigabitethernet 1/0/1 # Enable authorized ARP. [DeviceA-GigabitEthernet1/0/1] port link-mode route [DeviceA-GigabitEthernet1/0/1] arp authorized enable [DeviceA-GigabitEthernet1/0/1] quit Configure Device B: <DeviceB> system-view [DeviceB] interface gigabitethernet 1/0/1 [DeviceB-GigabitEthernet1/0/1] ip address dhcp-alloc [DeviceB-GigabitEthernet1/0/1] quit Verifying the configuration # Display authorized ARP entry information on Device A.
  • Page 438: Configuring Arp Attack Detection

    [DeviceA] dhcp enable [DeviceA] dhcp server ip-pool 1 [DeviceA-dhcp-pool-1] network 10.10.1.0 mask 255.255.255.0 [DeviceA-dhcp-pool-1] gateway-list 10.10.1.1 [DeviceA-dhcp-pool-1] quit [DeviceA] ip route-static 10.10.1.0 24 10.1.1.2 Configure Device B: # Enable DHCP. <DeviceB> system-view [DeviceB] dhcp enable # Specify the IP addresses of GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. [DeviceB] interface gigabitethernet 1/0/1 [DeviceB-GigabitEthernet1/0/1] ip address 10.1.1.2 24 [DeviceB-GigabitEthernet1/0/1] quit...
  • Page 439: Configuring User Validity Check

    ARP attack detection provides the following features: • User validity check. • ARP packet validity check. • ARP restricted forwarding. • ARP attack detection logging. If both ARP packet validity check and user validity check are enabled, the former one applies first, and then the latter applies.
  • Page 440: Configuring Arp Packet Validity Check

    ... any } [ vlan vlan-id ]. Enter VLAN view (vlan vlan-id). Enable ARP attack detection (arp detection enable); by default, ARP attack detection is disabled. Return to system view (quit). Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view (interface interface-type interface-number).
  • Page 441: Configuring Arp Restricted Forwarding

    Configuring ARP restricted forwarding NOTE: ARP restricted forwarding does not apply to ARP packets with multiport MAC as their destination MAC addresses. ARP restricted forwarding controls the forwarding of ARP packets that are received on untrusted interfaces and have passed user validity check as follows: •...
  • Page 442: User Validity Check And Arp Packet Validity Check Configuration Example

    Task Command statistics. interface-number ] User validity check and ARP packet validity check configuration example Network requirements As shown in Figure 125, configure Device B to perform ARP packet validity check and user validity check based on static IP source guard bindings and DHCP snooping entries for connected hosts. Figure 125 Network diagram Gateway DHCP server...
  • Page 443: Arp Restricted Forwarding Configuration Example

    # Enable ARP attack detection for VLAN 10. [DeviceB] vlan 10 [DeviceB-vlan10] arp detection enable # Configure the upstream interface as a trusted interface. By default, an interface is an untrusted interface. [DeviceB-vlan10] interface gigabitethernet 1/0/3 [DeviceB-GigabitEthernet1/0/3] arp detection trust [DeviceB-GigabitEthernet1/0/3] quit # Configure a static IP source guard binding entry on interface GigabitEthernet 1/0/2 for user validity check.
  • Page 444 Configure the DHCP server on Device A, and configure DHCP address pool 0.
    <DeviceA> system-view
    [DeviceA] dhcp enable
    [DeviceA] dhcp server ip-pool 0
    [DeviceA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
    Configure Host A (DHCP client) and Host B. (Details not shown.)
    Configure Device B:
    # Enable DHCP snooping, and configure GigabitEthernet 1/0/3 as a DHCP trusted interface.
  • Page 445: Configuring Arp Scanning And Fixed Arp

    Configuring ARP scanning and fixed ARP ARP scanning is typically used together with the fixed ARP feature in small-scale networks. ARP scanning automatically creates ARP entries for devices in an address range. The device performs ARP scanning in the following steps: Sends ARP requests for each IP address in the address range.
  • Page 446: Configuration Guidelines

    Configuration guidelines
    Follow these guidelines when you configure ARP gateway protection:
    • You can enable ARP gateway protection for a maximum of eight gateways on an interface.
    • Do not configure both the arp filter source and arp filter binding commands on an interface.
    •...
  • Page 447: Configuring Arp Filtering

    [DeviceB-GigabitEthernet1/0/1] arp filter source 10.1.1.1
    [DeviceB-GigabitEthernet1/0/1] quit
    [DeviceB] interface gigabitethernet 1/0/2
    [DeviceB-GigabitEthernet1/0/2] arp filter source 10.1.1.1
    Verifying the configuration
    # Verify that GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 discard the incoming ARP packets whose sender IP address is the IP address of the gateway.
    Configuring ARP filtering
    The ARP filtering feature can prevent gateway spoofing and user spoofing attacks.
  • Page 448: Configuring Arp Sender Ip Address Checking

    Figure 128 Network diagram (Device A, Device B, Host A, Host B; ports GE1/0/3, GE1/0/1, GE1/0/2)
    Configuration procedure
    # Configure ARP filtering on Device B.
    <DeviceB> system-view
    [DeviceB] interface gigabitethernet 1/0/1
    [DeviceB-GigabitEthernet1/0/1] arp filter binding 10.1.1.2 000f-e349-1233
    [DeviceB-GigabitEthernet1/0/1] quit
    [DeviceB] interface gigabitethernet 1/0/2
    [DeviceB-GigabitEthernet1/0/2] arp filter binding 10.1.1.3 000f-e349-1234
    Verifying the configuration
    # Verify that GigabitEthernet 1/0/1 permits ARP packets from Host A and discards other ARP...
  • Page 449 Step Command Remarks
    • Enter VLAN view. Command: vlan vlan-id
    • Enable the ARP sender IP address checking feature and specify the IP address range. Command: arp sender-ip-range start-ip-address end-ip-address. Remarks: By default, the ARP sender IP address checking feature is disabled.
  • Page 450: Configuring Nd Attack Defense

    Configuring ND attack defense Overview IPv6 Neighbor Discovery (ND) attack defense is able to identify forged ND messages to prevent ND attacks. The IPv6 ND protocol does not provide any security mechanisms and is vulnerable to network attacks. An attacker can send the following forged ICMPv6 messages to perform ND attacks: •...
  • Page 451: Configuring Nd Attack Detection

    The ND logging feature logs source MAC inconsistency events, and it sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see Network Management and Monitoring Configuration Guide.
  • Page 452: Configuration Procedure

    To make the bindings effective for ND attack detection, you must specify the vlan vlan-id option in the ipv6 source binding command, and enable ND attack detection for the same VLAN.
    • DHCPv6 snooping.
    • ND snooping.
    Configuration procedure
    To configure ND attack detection:
    Step Command Remarks...
  • Page 453 Figure 129 Network diagram (Internet; Gateway Device A with GE1/0/3 and Vlan-int10 10::1/64; VLAN 10 with ND snooping; Device B with GE1/0/3, GE1/0/1, GE1/0/2; Host A 10::5/64, MAC 0001-0203-0405; Host B 10::6/64, MAC 0001-0203-0607)
    Configuration procedure
    Configure Device A:
    # Create VLAN 10.
    <DeviceA> system-view
    [DeviceA] vlan 10
    [DeviceA-vlan10] quit
    # Configure GigabitEthernet 1/0/3 to trunk VLAN 10.
  • Page 454: Configuring Ra Guard

    [DeviceB] interface gigabitethernet 1/0/2
    [DeviceB-GigabitEthernet1/0/2] port link-type access
    [DeviceB-GigabitEthernet1/0/2] port access vlan 10
    [DeviceB-GigabitEthernet1/0/2] quit
    [DeviceB] interface gigabitethernet 1/0/3
    [DeviceB-GigabitEthernet1/0/3] port link-type trunk
    [DeviceB-GigabitEthernet1/0/3] port trunk permit vlan 10
    [DeviceB-GigabitEthernet1/0/3] quit
    # Enable ND attack detection for VLAN 10.
    [DeviceB] vlan 10
    [DeviceB-vlan10] ipv6 nd detection enable
    # Enable ND snooping for IPv6 global unicast addresses and ND snooping for IPv6 link-local addresses in VLAN 10.
  • Page 455: Configuring An Ra Guard Policy

    Step Command Remarks
    Make sure your setting is consistent with the device type.
    Configuring an RA guard policy
    Configure an RA guard policy if you do not specify a role for the attached device or if you want to filter the RA messages sent by a router.
  • Page 456: Displaying And Maintaining Ra Guard

    more information about the information center, see Network Management and Monitoring Configuration Guide.
    To enable the RA guard logging feature:
    Step Command Remarks
    • Enter system view. Command: system-view
    • Enable the RA guard logging feature. Command: ipv6 nd raguard log enable. Remarks: By default, the RA guard logging...
  • Page 457 Configuration procedure
    # Create an RA guard policy named policy1.
    <DeviceB> system-view
    [DeviceB] ipv6 nd raguard policy policy1
    # Set the maximum router preference to high for the RA guard policy.
    [DeviceB-raguard-policy-policy1] if-match router-preference maximum high
    # Specify on as the M flag match criterion for the RA guard policy.
    [DeviceB-raguard-policy-policy1] if-match autoconfig managed-address-flag on
    # Specify on as the O flag match criterion for the RA guard policy.
  • Page 458 # Verify that the device forwards RA messages received on GigabitEthernet 1/0/3 to other ports in VLAN 10. (Details not shown.)
  • Page 459: Configuring Urpf

    Configuring uRPF Overview Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.
  • Page 460: Urpf Operation

    uRPF operation
    Figure 132 shows how uRPF works.
    Figure 132 uRPF work flow (flowchart: checks the received packet; multicast destination address?; broadcast destination address?; all-zero source address?; uses source address to look up the FIB table; matching FIB entry found?; InLoop interface found?; InLoop receiving interface?)
  • Page 461: Network Application

    255.255.255.255 might be a DHCP or BOOTP packet and cannot be discarded.) The packet is discarded if it has a non-broadcast destination address. uRPF proceeds to step 2 for other packets.
    uRPF checks whether the source address matches a unicast route: If yes, uRPF proceeds to step 3.
  • Page 462: Enabling Urpf

    Enabling uRPF uRPF checks only incoming packets on interfaces. You can enable uRPF globally. Global uRPF takes effect on all interfaces of the device. Follow these guidelines when you enable uRPF: • uRPF does not check tunneled packets. For more information about tunneling, see Layer 3—IP Services Configuration Guide.
  • Page 463 Configure strict uRPF check on Switch A and allow using the default route for uRPF check.
    <SwitchA> system-view
    [SwitchA] ip urpf strict allow-default-route...
  • Page 464: Configuring Ipv6 Urpf

    Configuring IPv6 uRPF Overview Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.
  • Page 465: Ipv6 Urpf Operation

    IPv6 uRPF operation
    Figure 136 shows how IPv6 uRPF works.
    Figure 136 IPv6 uRPF work flow (flowchart: checks the received packet; multicast destination address?; uses source address to look up the IPv6 FIB table; matching IPv6 FIB entry found?; InLoop interface found?; InLoop receiving interface?)
  • Page 466: Network Application

    If no, IPv6 uRPF discards the packet. A non-unicast source address matches a non-unicast route.
    IPv6 uRPF checks whether the matching route is to the host itself: If yes, the output interface of the matching route is an InLoop interface. IPv6 uRPF checks ...
  • Page 467: Enabling Ipv6 Urpf

    Enabling IPv6 uRPF IPv6 uRPF checks only incoming packets on interfaces. You can enable IPv6 uRPF globally. Global IPv6 uRPF takes effect on all interfaces of the device. Follow these guidelines when you enable IPv6 uRPF: • IPv6 uRPF does not check packets received on the SA interface modules if the source IPv6 addresses of the packets have a prefix length longer than 64.
  • Page 468 [SwitchB] ipv6 urpf strict
    Configure strict uRPF check on Switch A and allow using the default route for IPv6 uRPF check.
    <SwitchA> system-view
    [SwitchA] ipv6 urpf strict allow-default-route...
  • Page 469: Configuring Mff

    Configuring MFF Overview MAC-forced forwarding (MFF) implements Layer 2 isolation and Layer 3 communication between hosts in the same broadcast domain. An MFF-enabled device intercepts ARP requests and returns the MAC address of a gateway (or server) to the senders. In this way, the senders are forced to send packets to the gateway for traffic monitoring and attack prevention.
  • Page 470: Basic Concepts

    Basic concepts An MFF-enabled device has two types of ports: user port and network port. User port An MFF user port is directly connected to a host and processes the following packets differently: • Allows DHCP packets and multicast packets to pass. •...
  • Page 471: Mff Working Mechanism

    Automatic mode The automatic mode applies to networks that allocate IP addresses to hosts through DHCP. In automatic mode, the device configured with DHCP snooping resolves Option 3 (Router IP option) in the received DHCP ACK message to obtain a gateway for the DHCP snooping entry. If the DHCP ACK message contains multiple gateway addresses, only the first one is recorded for the entry.
  • Page 472: Configuring A Network Port

    Step Command Remarks
    mac-forced-forwarding auto
    • Enable manual mode: mac-forced-forwarding default-gateway gateway-ip
    Configuring a network port
    Step Command Remarks
    • Enter system view. Command: system-view
    • Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view. Command: • Enter Layer 2 Ethernet interface view: interface interface-type interface-number • Enter Layer 2 aggregate...
  • Page 473: Displaying And Maintaining Mff

    As a result, packets from a host to a server are forwarded by the gateway. However, packets from a server to a host are not forwarded by the gateway. MFF does not check whether the IP address of a server is on the same network segment as that of a gateway.
  • Page 474 Figure 140 Network diagram (Switch A, Switch B, Switch C; Gateway 10.1.1.100/24; DHCP server 10.1.1.50/24; Host A, Host B, Host C; switch ports GE1/0/1, GE1/0/2, GE1/0/3)
    Configuration procedure
    Configure the IP addresses of the gateway and the DHCP server, as shown in Figure 140.
  • Page 475: Auto-Mode Mff Configuration Example In A Ring Network

    Auto-mode MFF configuration example in a ring network Network requirements As shown in Figure 141, all the devices are in VLAN 100, and the switches form a ring. Hosts A, B, and C obtain IP addresses from the DHCP server. Configure MFF to isolate the hosts at Layer 2 and allow them to communicate with each other through the gateway at Layer 3.
  • Page 476: Manual-Mode Mff Configuration Example In A Tree Network

    Configure Switch B:
    # Enable DHCP snooping.
    <SwitchB> system-view
    [SwitchB] dhcp-snooping
    # Enable STP globally to make sure STP is enabled on interfaces.
    [SwitchB] stp global enable
    # Enable MFF in automatic mode on VLAN 100.
    [SwitchB] vlan 100
    [SwitchB-vlan100] mac-forced-forwarding auto
    [SwitchB-vlan100] quit
    # Configure IP address 10.1.1.50 for the DHCP server.
  • Page 477: Manual-Mode Mff Configuration Example In A Ring Network

    Figure 142 Network diagram (Switch A, Switch B, Switch C; Gateway 10.1.1.100/24; Host A 10.1.1.1/24; Host B 10.1.1.2/24; Host C 10.1.1.3/24; Server 10.1.1.200/24; switch ports GE1/0/1, GE1/0/2, GE1/0/3)
    Configuration procedure
    Configure the IP addresses of the hosts and the gateway, as shown in Figure 142.
  • Page 478 Configure MFF to isolate the hosts at Layer 2 and allow them to communicate with each other through the gateway at Layer 3.
    Figure 143 Network diagram (Switch A, Switch C; Gateway 10.1.1.100/24; Host A 10.1.1.1/24; switch ports GE1/0/1, GE1/0/2, GE1/0/3...)
  • Page 479 [SwitchB-vlan100] quit
    # Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/3 as network ports.
    [SwitchB] interface gigabitethernet 1/0/1
    [SwitchB-GigabitEthernet1/0/1] mac-forced-forwarding network-port
    [SwitchB-GigabitEthernet1/0/1] quit
    [SwitchB] interface gigabitethernet 1/0/3
    [SwitchB-GigabitEthernet1/0/3] mac-forced-forwarding network-port
    Enable STP on Switch C globally to make sure STP is enabled on interfaces.
    <SwitchC>...
  • Page 480: Configuring Fips

    Configuring FIPS Overview Federal Information Processing Standards (FIPS) was developed by the National Institute of Standards and Technology (NIST) of the United States. FIPS specifies the requirements for cryptographic modules. FIPS 140-2 defines four levels of security, named Level 1 to Level 4, from low to high.
  • Page 481: Configuring Fips Mode

    e. Delete the local user and configure a new local user. Local user attributes include password, user role, and service type. f. Save the current configuration file. g. Specify the current configuration file as the startup configuration file. h. Reboot the device. The new configuration takes effect after the reboot. During this process, do not exit the system or perform other operations.
  • Page 482: Configuration Changes In Fips Mode

    • A username.
    • A password that complies with the password control policies as described in step 2 and step
    • A user role of network-admin or mdc-admin.
    • A service type of terminal.
    Delete the FIPS-incompliant local user service types Telnet, HTTP, and FTP.
    Enable FIPS mode.
  • Page 483: Exiting Fips Mode

    The password for a device management local user and password for switching user roles depend on password control policies. By default, the passwords must contain at least 15 characters and 4 character types of uppercase and lowercase letters, digits, and special characters.
  • Page 484: Power-Up Self-Tests

    NOTE: If a self-test fails, contact Hewlett Packard Enterprise Support. Power-up self-tests The power-up self-test examines the availability of FIPS-allowed cryptographic algorithms. The device supports the following types of power-up self-tests: • Known-answer test (KAT) A cryptographic algorithm is run on data for which the correct output is already known. The calculated output is compared with the known answer.
  • Page 485: Triggering Self-Tests

    • Continuous random number generator test—This test is run when a random number is generated. Each subsequent generation of a random number will be compared with the previously generated number. The test fails if any two compared numbers are the same. This test can also be run when a DSA/RSA asymmetrical key-pair is generated.
  • Page 486: Entering Fips Mode Through Manual Reboot

    Verifying the configuration After the device reboots, enter a username of root and a password of 12345zxcvb!@#$%ZXCVB. The system prompts you to configure a new password. After you configure the new password, the device enters FIPS mode. The new password must be different from the previous password. It must include at least 15 characters, and contain uppercase and lowercase letters, digits, and special characters.
  • Page 487 # Set the minimum length of user passwords to 15 characters.
    [Sysname] password-control length 15
    # Add a local user account for device management, including a username of test, a password of 12345zxcvb!@#$%ZXCVB, a user role of network-admin, and a service type of terminal.
    [Sysname] local-user test class manage
    [Sysname-luser-manage-test] password simple 12345zxcvb!@#$%ZXCVB
    [Sysname-luser-manage-test] authorization-attribute user-role network-admin...
  • Page 488: Exiting Fips Mode Through Automatic Reboot

    Updating user information. Please wait...
    <Sysname>
    # Display the FIPS mode state.
    <Sysname> display fips status
    FIPS mode is enabled.
    Exiting FIPS mode through automatic reboot
    Network requirements
    A user has logged in to the device in FIPS mode through a console port. Use the automatic reboot method to exit FIPS mode.
  • Page 489 [Sysname] save
    The current configuration will be written to the device. Are you sure? [Y/N]:y
    Please input the file name(*.cfg)[flash:/startup.cfg]
    (To leave the existing filename unchanged, press the enter key):
    flash:/startup.cfg exists, overwrite? [Y/N]:y
    Validating file. Please wait...
    Saved the current configuration to mainboard device successfully.
    Slot 1:
    Save next configuration file successfully.
  • Page 490: Configuring Macsec

    Configuring MACsec Overview Media Access Control Security (MACsec) secures data communication on IEEE 802 LANs. MACsec provides services such as data encryption, frame integrity check, and data origin validation for frames on the MAC sublayer of the Data Link Layer. Basic concepts Connectivity association (CA) is a group of participants that use the same key and key algorithm.
  • Page 491: Macsec Applications

    MACsec applications MACsec supports the following application modes: • Client-oriented mode—Secures data transmission between the client and the access device. The client can be a user terminal seeking access to the LAN or a device that supports the 802.1X client feature. In this mode, the authentication server generates and distributes the CAK to the client and the access device.
  • Page 492 Figure 146 MACsec interactive process in client-oriented mode (sequence between Client, Device, and Authentication server; EAPOL between client and device, RADIUS between device and server). Identity authentication: EAPOL-Start, EAP-Request / Identity, EAP-Response / Identity, RADIUS Access-Request, RADIUS Access-Accept, EAP-Success. Session negotiation: EAPOL-MKA: key server, EAPOL-MKA: MACsec capable, EAPOL-MKA: key name, SAK, EAPOL-MKA: SAK installed. Secured frames. Secure...
  • Page 493: Protocols And Standards

    Operating mechanism for device-oriented mode As shown in Figure 147, the devices use the configured preshared keys to start the session negotiation. In this mode, the session negotiation, secure communication, and session termination processes are the same as the processes in client-oriented mode. However, MACsec performs a key server selection in this mode.
  • Page 494: Macsec Configuration Task List

    MACsec configuration task list In device-oriented mode, the MACsec configuration takes effect on Layer 2 and Layer 3 Ethernet ports. In client-oriented mode, the MACsec configuration takes effect only on 802.1X-enabled ports. To configure MACsec, perform the following tasks: Tasks at a glance Remarks (Required.) Enabling MKA...
  • Page 495: Configuring A Preshared Key

    • A minimum of one participant is enabled with MACsec desire.
    To enable MACsec desire:
    Step Command Remarks
    • Enter system view. Command: system-view
    • Enter interface view. Command: interface interface-type interface-number
    • Enable MACsec desire. Command: macsec desire. Remarks: By default, the port does not expect MACsec protection for outbound frames.
  • Page 496: Configuring Macsec Protection Parameters In Interface View

    In device-oriented mode, the port that has higher priority becomes the key server. If a port and its peers have the same priority, MACsec compares the secure channel identifier (SCI) values on the ports. The port with the lowest SCI value (a combination of MAC address and port ID) becomes the key server.
  • Page 497: Configuring The Macsec Validation Mode

    To configure MACsec replay protection:
    Step Command Remarks
    • Enter system view. Command: system-view
    • Enter interface view. Command: interface interface-type interface-number
    • Enable MACsec replay protection. Command: macsec replay-protection enable. Remarks: By default, MACsec replay protection is enabled on the port.
    • Set the MACsec replay... Command: macsec replay-protection... Remarks: The default setting is 0, and frames are accepted only in the...
  • Page 498: Applying An Mka Policy

    Step Command Remarks
    You cannot delete or modify the default MKA policy. You can create multiple MKA policies.
    • (Optional.) Set the MACsec confidentiality offset. Command: macsec confidentiality-offset offset-value. Remarks: The default setting is 0. MACsec uses the confidentiality offset propagated by the key server.
  • Page 499: Macsec Configuration Examples

    Task Command
    interface-number | local-sci sci-id ] [ verbose ]
    • Display MKA policy information. Command: display mka { default-policy | policy [ name policy-name ] }
    • Display MKA statistics on ports. Command: display mka statistics [ interface interface-type interface-number ]
    • Reset MKA sessions on ports. Command: reset mka session [ interface interface-type...
  • Page 500 # Configure RADIUS scheme radius1.
    [Device] radius scheme radius1
    [Device-radius-radius1] primary authentication 10.1.1.1
    [Device-radius-radius1] primary accounting 10.1.1.1
    [Device-radius-radius1] key authentication simple name
    [Device-radius-radius1] key accounting simple money
    [Device-radius-radius1] user-name-format without-domain
    [Device-radius-radius1] quit
    # Configure authentication domain bbb for 802.1X users.
    [Device] domain bbb
    [Device-isp-bbb] authentication lan-access radius-scheme radius1
    [Device-isp-bbb] authorization lan-access radius-scheme radius1...
  • Page 501 Verifying the configuration
    # Display MACsec information on GigabitEthernet 1/0/1.
    [Device] display macsec interface gigabitethernet 1/0/1 verbose
    Interface GigabitEthernet1/0/1
    Protect frames : Yes
    Active MKA policy : pls
    Replay protection : Enabled
    Replay window size : 100 frames
    Confidentiality offset : 30 bytes
    Validation mode : Strict
    Included SCI...
  • Page 502: Client-Oriented Macsec Configuration Example (Device As Client)

    Client-oriented MACsec configuration example (device as client) Network requirements As shown in Figure 149: • The switch connects to the device through trunk ports GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3. • The device acts as an access device. You cannot configure a preshared key on the device for MKA negotiation and packet encryption.
  • Page 503 [Switch-GigabitEthernet1/0/2] port link-type trunk
    [Switch-GigabitEthernet1/0/2] port trunk permit vlan 2
    # Configure the 802.1X client username as aaaa, and set the password to 123456 in plaintext form on GigabitEthernet 1/0/2.
    [Switch-GigabitEthernet1/0/2] dot1x supplicant username aaaa
    [Switch-GigabitEthernet1/0/2] dot1x supplicant password simple 123456
    # Specify TTLS-GTC as the 802.1X client EAP authentication method on GigabitEthernet 1/0/2.
  • Page 504 SCI conflict : No
    Cipher suite : GCM-AES-128
    Transmit secure channel:
    : 00E00100000A0006
    Elapsed time: 00h:02m:07s
    Current SA : AN 0 PN 1
    Receive secure channels:
    : 00E0020000000106
    Elapsed time: 00h:02m:03s
    Current SA : AN 0 LPN 1
    Previous SA : AN N/A LPN N/A
    # Display MACsec information on GigabitEthernet 1/0/3.
  • Page 505: Device-Oriented Macsec Configuration Example

    Current SAK KI (KN) : A1E0D2897596817209CD230700000002 (2)
    Previous SAK status : N/A
    Previous SAK AN : N/A
    Previous SAK KI (KN) : N/A
    Live peer list:
    Priority Capability Rx-SCI
    B2CAF896C9BFE2ABFB135E63 2512 00E0020000000106
    # Display MKA session information on GigabitEthernet 1/0/3 after 802.1X client user bbbb comes online.
  • Page 506 Configuration procedure
    Configure Device A:
    # Enter system view.
    <DeviceA> system-view
    # Enter GigabitEthernet 1/0/1 interface view.
    [DeviceA] interface gigabitethernet 1/0/1
    # Enable MACsec desire on GigabitEthernet 1/0/1.
    [DeviceA-GigabitEthernet1/0/1] macsec desire
    # Set the MKA key server priority to 5.
    [DeviceA-GigabitEthernet1/0/1] mka priority 5
    # Configure the CKN as E9AC and the CAK as 09DB3EF1 in plain text.
  • Page 507 Verifying the configuration
    # Display MACsec information on GigabitEthernet 1/0/1 of Device A.
    [DeviceA] display macsec interface gigabitethernet 1/0/1 verbose
    Interface GigabitEthernet1/0/1
    Protect frames : Yes
    Replay protection : Enabled
    Replay window size : 100 frames
    Confidentiality offset : 30 bytes
    Validation mode : Strict
    Included SCI...
  • Page 508: Troubleshooting Macsec

    Replay protection : Enabled
    Replay window size : 100 frames
    Confidentiality offset : 30 bytes
    Validation mode : Strict
    Included SCI : No
    SCI conflict : No
    Cipher suite : GCM-AES-128
    Transmit secure channel:
    : 00E0020000000106
    Elapsed time: 00h:05m:36s
    Current SA : AN 0 PN 1
    Receive secure channels:...
  • Page 509 • The ports at the ends of the link are MACsec capable.
    Analysis
    The symptom might occur for the following reasons:
    • The ports at the ends of the link are not enabled with MKA.
    • A port at one end of the link is not configured with a preshared key, or is configured with a preshared key that differs from the peer's.
  • Page 510: Configuring 802.1X Client

    Configuring 802.1X client
    As shown in Figure 151, the 802.1X client feature allows the access device to act as the supplicant in the 802.1X architecture. For information about the 802.1X architecture, see "802.1X overview."
    Figure 151 802.1X client network diagram (Authentication server, Supplicant, Authenticator...)
  • Page 511: Configuring An 802.1X Client Username And Password

    Configuring an 802.1X client username and password
    An 802.1X client-enabled device uses the configured username and password for 802.1X authentication. Make sure the username and password configured on the device are consistent with the username and password configured on the authentication server. If they are inconsistent, the device cannot pass 802.1X authentication to access the network.
  • Page 512: Specifying An 802.1X Client Eap Authentication Method

    Specifying an 802.1X client EAP authentication method
    An 802.1X client-enabled device supports the following EAP authentication methods:
    • MD5-Challenge.
    • PEAP-MSCHAPv2.
    • PEAP-GTC.
    • TTLS-MSCHAPv2.
    • TTLS-GTC.
    An 802.1X authenticator supports both the EAP relay and EAP termination modes. Support of the EAP authentication methods for the two modes varies.
  • Page 513: Specifying An Ssl Client Policy

    Do not configure the 802.1X client anonymous identifier if the vendor-specific authentication server cannot identify anonymous identifiers.
    To configure an 802.1X client anonymous identifier on an interface:
    Step Command Remarks
    • Enter system view. Command: system-view
    • Enter Ethernet interface view. Command: interface interface-type interface-number
    • Configure an 802.1X... Command: dot1x supplicant anonymous...
  • Page 514: Configuring Web Authentication

    Configuring Web authentication Overview Web authentication is deployed on Layer 2 Ethernet interfaces of the access device to control user access to networks. The access device redirects unauthenticated users to the website provided by the local portal Web server. The users can access the resources on the website without authentication.
  • Page 515: Web Authentication Process

    Local portal Web server The access device acts as the local portal Web server. The local portal Web server pushes the Web authentication page to authentication clients and forwards user authentication information (username and password) to the AAA module of the access device. For more information about AAA, see "Configuring AAA."...
  • Page 516: Web Authentication Task List

    and anti-virus software server to the users. The users can use these resources to upgrade their client software or other programs. Web authentication supports Auth-Fail VLAN on an interface that performs MAC-based access control. If a user on the interface fails authentication, the access device creates a MAC VLAN entry based on the MAC address of the user and adds the user to the Auth-Fail VLAN.
  • Page 517: Configuring The Web Authentication Server

    • The RADIUS server has been installed and configured properly. • The authentication client, access device, and RADIUS server can reach each other. • The local portal Web server has been configured and can provide Web authentication pages. For more information about the local portal Web server configuration, see "Configuring portal authentication".
  • Page 518: Specifying A Web Authentication Domain

    Step Command Remarks
    • Enter system view. Command: system-view
    • Enter interface view. Command: interface interface-type interface-number
    • Enable Web authentication and specify the Web authentication server. Command: web-auth enable apply server server-name. Remarks: By default, Web authentication is disabled.
    Specifying a Web authentication domain
    This feature allows you to specify different authentication domains for Web authentication users on different interfaces.
  • Page 519: Configuring A Web Authentication-Free Subnet

    Configuring a Web authentication-free subnet
    You can configure a Web authentication-free subnet so that users can freely access the network resources in the subnet without being authenticated.
    To configure a Web authentication-free subnet:
    Step Command Remarks
    • Enter system view. Command: system-view
    • Configure a Web... Command: web-auth free-ip ip-address... Remarks: By default, no Web...
  • Page 520: Configuring An Auth-Fail Vlan

    Step Command Remarks
    interface-number
    • Enable online Web authentication user detection. Command: web-auth offline-detect interval interval. Remarks: By default, online Web authentication user detection is disabled.
    Configuring an Auth-Fail VLAN
    Perform this task to allow Web authentication users who have failed authentication to access resources in the Auth-Fail VLAN.
  • Page 521: Displaying And Maintaining Web Authentication

    To configure Web authentication to support a Web proxy:
    Step Command Remarks
    • Enter system view. Command: system-view
    • Add a Web proxy server port number. Command: web-auth proxy port port-number. Remarks: By default, no Web proxy server port number is configured and proxied HTTP requests cannot trigger Web authentication.
  • Page 522 Configuration prerequisites • Assign IP addresses to the host and the device as shown in Figure 154, and make sure the host and the device can reach each other. • Customize the authentication pages, compress them to a file, and upload the file to the root directory of the storage medium of the switch.
  • Page 523: Web Authentication Using The Radius Authentication Server

    # Specify ISP domain local as the Web authentication domain.
    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] web-auth domain local
    # Enable Web authentication by using Web authentication server user.
    [Device-GigabitEthernet1/0/1] web-auth enable apply server user
    [Device-GigabitEthernet1/0/1] quit
    Verifying the configuration
    # Display online Web authentication user information after user localuser passes Web authentication.
  • Page 524 • Configure the RADIUS server properly to provide authentication and accounting functions for users. In this example, the username is configured as user1 on the RADIUS server. • Customize the authentication pages, compress them to a file, and upload the file to the root directory of the storage medium of the switch.
  • Page 525: Troubleshooting Web Authentication

    # Specify domain dm1 as the Web authentication domain.
    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] web-auth domain dm1
    # Enable Web authentication by using Web authentication server user.
    [Device-GigabitEthernet1/0/1] web-auth enable apply server user
    [Device-GigabitEthernet1/0/1] quit
    Verifying the configuration
    # Display Web authentication user information after user user1 passes Web authentication.
    <Device>...
  • Page 526: Failure To Come Online (Vlan Configured On Interface)

    Analysis
    If no Web authentication domain is specified, the system default ISP domain (domain system) is used for Web authentication. The system default domain uses the local authentication method by default. With these default domain settings, local authentication should have worked correctly. Local authentication might fail because the authentication method of the system default domain has been changed, or because the system default domain itself has been changed.
  • Page 527: Configuring Triple Authentication

    Configuring triple authentication Overview Triple authentication enables an access port to perform Web, MAC, and 802.1X authentication. A terminal can access the network if it passes one type of authentication. Triple authentication is suitable for a LAN that comprises terminals that require different authentication services, as shown in Figure 156.
  • Page 528: Extended Triple Authentication Features

    terminal. If the terminal fails 802.1X authentication, the user stays online as a MAC authentication user, and only 802.1X authentication can be triggered again. • If the terminal first passes 802.1X or Web authentication, the other types of authentication are terminated immediately and cannot be triggered again.
  • Page 529: Configuration Restrictions And Guidelines

    Authorization ACL After a user passes authentication, the authentication server assigns an authorization ACL to the access port for the user. The access port uses the ACL to filter traffic for the user. To use ACL assignment, you must specify authorization ACLs on the authentication server and configure the ACLs on the access device.
  • Page 530
    • Use the remote RADIUS server to perform authentication, authorization, and accounting. Configure the device to send usernames carrying no ISP domain names to the RADIUS server.
    • Configure the local Web authentication server on the device to use listening IP address 4.4.4.4. Configure the device to send a default authentication page to the Web user and forward authentication data by using HTTP.
  • Page 531
    # Configure the redirection URL for the Web authentication server as http://4.4.4.4/portal/.
    [Device-web-auth-server-webserver] url http://4.4.4.4/portal/
    # Set the IP address and port number of the Web authentication server to 4.4.4.4 and 80.
    [Device-web-auth-server-webserver] ip 4.4.4.4 port 80
    [Device-web-auth-server-webserver] quit
    # Enable Web authentication on GigabitEthernet 1/0/1, and specify the Web authentication server webserver for the port.
  • Page 532
    # Configure domain triple as the default domain. If a username entered by a user includes no ISP domain name, the AAA method of the default domain is used.
    [Device] domain default enable triple
    Verifying the configuration
    Verify that the Web user can pass Web authentication.
    # On the Web user terminal, use a Web browser to access an external network and then enter the correct username and password on the authentication page http://4.4.4.4/portal/logon.html.
  • Page 533: Triple Authentication Supporting Authorization Vlan And Authentication Failure Vlan Configuration

    Authentication domain: triple
    Authentication method: CHAP
    Initial VLAN: 14
    Authorization untagged VLAN: 14
    Authorization tagged VLAN list: N/A
    Authorization ACL ID: N/A
    Authorization user profile: N/A
    Authorization URL: N/A
    Termination action: N/A
    Session timeout period: N/A
    Online from: 2015/01/04 18:13:01
    Online duration: 0h 0m 14s
    Total 1 connection(s) matched.
  • Page 534
    Figure 158 Network diagram (diagram not reproduced; it shows the Device with Loop0 4.4.4.4/32, GE1/0/1, and interfaces Vlan-int1, Vlan-int2, Vlan-int3, and Vlan-int8 (addresses 1.1.1.1/24, 2.2.2.1/24, 3.3.3.1/24, and 192.168.1.1/24); the 802.1X client, Web user, and printer; the RADIUS server 1.1.1.2/24; the update server 2.2.2.2/24; and the IP network)
    Configuration prerequisites and guidelines
    • Make sure the terminals, the servers, and the device can reach each other.
    • ...
  • Page 535
    [Device-dhcp-pool-1] quit
    # Configure DHCP address pool 2 to assign IP addresses and other configuration parameters to clients on subnet 2.2.2.0.
    [Device] dhcp server ip-pool 2
    [Device-dhcp-pool-2] network 2.2.2.0 mask 255.255.255.0
    [Device-dhcp-pool-2] expired day 0 hour 0 minute 1
    [Device-dhcp-pool-2] gateway-list 2.2.2.1
    [Device-dhcp-pool-2] quit
    # Configure DHCP address pool 3 to assign IP addresses and other configuration parameters to clients on subnet 3.3.3.0.
  • Page 536
    [Device-GigabitEthernet1/0/1] quit
    Configure 802.1X authentication:
    # Enable 802.1X authentication globally.
    [Device] dot1x
    # Enable 802.1X authentication (MAC-based access control required) on GigabitEthernet 1/0/1, and specify VLAN 2 as the Auth-Fail VLAN.
    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] dot1x port-method macbased
    [Device-GigabitEthernet1/0/1] dot1x
    [Device-GigabitEthernet1/0/1] dot1x auth-fail vlan 2
    [Device-GigabitEthernet1/0/1] quit
    Configure MAC authentication:...
  • Page 537
    # Use the display web-auth user command to display information about online users.
    [Device] display web-auth user
    User Name: userpt
    MAC address: 6805-ca17-4a0b
    Access interface: GigabitEthernet1/0/1
    Initial VLAN: 14
    Authorization VLAN: 3
    Authorization ACL ID: N/A
    Authorization user profile: N/A
    Total 1 users matched.
  • Page 538
    Authorization URL: N/A
    Termination action: N/A
    Session timeout period: N/A
    Online from: 2015/01/04 18:13:01
    Online duration: 0h 0m 14s
    Total 1 connection(s) matched.
    Verify that users that pass authentication have been assigned authorization VLANs.
    # Display MAC-VLAN entries of online users.
    [Device] display mac-vlan all
    The following MAC VLAN addresses exist:
    S:Static...
  • Page 539: Document Conventions And Icons

    Document conventions and icons
    Conventions
    This section describes the conventions used in the documentation.
    Port numbering in examples
    The port numbers in this document are for illustration only and might be unavailable on your device.
    Command conventions
    Convention: Boldface. Description: Bold text represents commands and keywords that you enter literally as shown.
  • Page 540: Network Topology Icons

    Network topology icons (icons not reproduced; descriptions only)
    Represents a generic network device, such as a router, switch, or firewall.
    Represents a routing-capable device, such as a router or Layer 3 switch.
    Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 541: Support And Other Resources

    Support and other resources
    Accessing Hewlett Packard Enterprise Support
    • For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance
    • To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc
    Information to collect
    • ...
  • Page 542: Websites

    For more information and device support details, go to the following website: www.hpe.com/info/insightremotesupport/docs
    Documentation feedback
    Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title,...
  • Page 543 part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
  • Page 544: Index
