H3C S5830V2 Security Configuration Manual

H3C S5830V2 & S5820V2 Switch Series
Security Configuration Guide
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Software version: Release 22xx
Document version: 6W100-20131105

Summary of Contents for H3C S5830V2

  • Page 2 SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V G, V G, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners. Notice: The information in this document is subject to change without notice.
  • Page 3 The H3C S5830V2 & S5820V2 documentation set includes 14 configuration guides, which describe the software features for the H3C S5830V2 & S5820V2 Switch Series and guide you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply software features to different network scenarios.
  • Page 4 Configuration guide Added and modified features Added features: • Configuring a local user to use the LAN access service. • Configuring AAA methods for LAN users. • Setting the traffic statistics unit for a RADIUS or HWTACACS server. • Configuring the IPv6 address and port number of an LDAP server. •...
  • Page 5: Command Conventions

    Conventions. This section describes the conventions used in this documentation set.
    Command conventions (Convention / Description):
    • Boldface: Bold text represents commands and keywords that you enter literally as shown.
    • Italic: Italic text represents arguments that you replace with actual values.
    • Square brackets enclose syntax choices (keywords or arguments) that are optional.
    • Braces enclose a set of required syntax choices separated by vertical bars (for example, { x | y | ...), from which ...
  • Page 6: Documentation Set

    Command references commands. Obtaining documentation You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top navigation bar to obtain different categories of product documentation: [Technical Support & Documents > Technical Documents] –...
  • Page 7: Technical Support

    Technical support: service@h3c.com, http://www.h3c.com. Documentation feedback: You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments.
  • Page 8: Table Of Contents

    Contents: Configuring AAA (1); Overview (1); RADIUS (2); HWTACACS (7); LDAP (9); AAA implementation on the device (11); AAA for MPLS L3VPNs (13); Protocols and standards (13); ...
  • Page 9 EAP termination (66); Configuring 802.1X (68); H3C implementation of 802.1X (68); Configuration prerequisites (68); 802.1X configuration task list (68); Enabling 802.1X (69); Enabling EAP relay or EAP termination (69); ...
  • Page 10 Ignoring authorization information from the server (94); Displaying and maintaining port security (94); Port security configuration examples (95); autoLearn configuration example (95); userLoginWithOUI configuration example (96); macAddressElseUserLoginSecure configuration example (99); ...
  • Page 11 FIPS compliance (128); PKI configuration task list (128); Configuring a PKI entity (128); Configuring a PKI domain (129); Requesting a certificate (131); Configuring automatic certificate request (132); Manually requesting a certificate (133); ...
  • Page 12 Specifying a source IP address or source interface for the SFTP client (171); Establishing a connection to an SFTP server (171); Working with SFTP directories (173); Working with SFTP files (173); Displaying help information (173); ...
  • Page 13 Configuration guidelines (215); Configuration procedure (215); Configuring source MAC-based ARP attack detection (215); Configuration procedure (215); Displaying and maintaining source MAC-based ARP attack detection (216); Configuration example (216); Configuring ARP packet source MAC consistency check ...
  • Page 14 IPsec implementation (243); Protocols and standards (244); FIPS compliance (244); IPsec tunnel establishment (244); Implementing ACL-based IPsec (244); Feature restrictions and guidelines (244); ACL-based IPsec configuration task list (245); ...
  • Page 15: Configuring Aaa

    Configuring AAA. Overview: Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It specifies the following security functions:
    • Authentication—Identifies users and verifies their validity.
    • Authorization—Grants different users different rights and controls their access to resources and ...
  • Page 16: Radius

    The device performs dynamic password authentication. RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access. The RADIUS authorization process is combined with the RADIUS authentication process, and user authorization information is piggybacked in authentication responses.
  • Page 17 Basic RADIUS packet exchange process Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server. Figure 3 Basic RADIUS packet exchange process RADIUS operates in the following manner: The host sends a connection request that includes the user's username and password to the RADIUS client.
  • Page 18 RADIUS packet format RADIUS uses UDP to transmit packets. To ensure smooth packet exchange between the RADIUS server and the client, RADIUS uses a series of mechanisms, including the timer mechanism, the retransmission mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet format.
  • Page 19
    • The Authenticator field (16 bytes long) is used to authenticate responses from the RADIUS server and to encrypt user passwords. There are two types of authenticators: request authenticator and response authenticator.
    • The Attributes field (variable in length) includes specific authentication, authorization, and accounting information.
  • Page 20
    • Vendor-ID—ID of the vendor. Its most significant byte is 0; the other three bytes contain a code compliant with RFC 1700.
    • Vendor-Type—Type of the sub-attribute.
    • Vendor-Length—Length of the sub-attribute.
    • Vendor-Data—Contents of the sub-attribute.
    For more information about the proprietary RADIUS sub-attributes of H3C, see "H3C proprietary sub-attributes." RADIUS...
  • Page 21: Hwtacacs

    Figure 5 Format of attribute 26 HWTACACS HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for PPP, VPDN, and terminal users.
  • Page 22 Figure 6 Basic HWTACACS packet exchange process for a Telnet user (host, HWTACACS client, HWTACACS server):
    1) The user tries to log in.
    2) Start-authentication packet.
    3) Authentication response requesting the username.
    4) Request for username.
    5) The user enters the username.
    6) Continue-authentication packet with the username.
    7) Authentication response requesting the password.
    8) Request for password...
  • Page 23: Ldap

    The user enters the password. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication. The HWTACACS client sends a user authorization request packet to the HWTACACS server.
  • Page 24 An LDAP client uses the LDAP server administrator DN to bind with the LDAP server, establishes a connection to the server, and obtains the right to search. The LDAP client uses the username in the authentication information of a user to construct search conditions, searches for the user in the specified root directory of the server, and obtains a user DN list.
  • Page 25: Aaa Implementation On The Device

    The LDAP server processes the request. If the bind operation is successful, the LDAP server sends an acknowledgement to the LDAP client. The LDAP client sends a user DN search request with the username of the Telnet user to the LDAP server.
  • Page 26 NOTE: The device also provides authentication modules (such as 802.1X) for implementation of user authentication management policies. If you configure these authentication modules, the ISP domains for users of the access types depend on the configuration of the authentication modules. AAA methods AAA supports configuring different authentication, authorization, and accounting methods for different types of users in an ISP domain.
  • Page 27: Aaa For Mpls L3Vpns

    ... authorized commands. For more information about command authorization, see Fundamentals Configuration Guide.
    • Command accounting—When command authorization is disabled, command accounting enables the accounting server to record all valid commands executed on the device. When command authorization is enabled, command accounting enables the accounting server to record all authorized commands.
  • Page 28: Radius Attributes

    Maximum idle time permitted for the user before termination of the session.
    Calling-Station-Id: User identification that the NAS sends to the server. For the LAN access service provided by an H3C device, this attribute includes the MAC address of the user in the format HHHH-HHHH-HHHH.
    NAS-Identifier ...
  • Page 29 ... Access-Requests. This attribute is present when EAP authentication is used.
    NAS-Port-Id: String for describing the port of the NAS that is authenticating the user.
    H3C proprietary RADIUS sub-attributes (Sub-attribute / Description):
    Input-Peak-Rate: Peak rate in the direction from the user to the NAS, in bps.
  • Page 30 (Sub-attribute / Description)
    Command: Operation for the session, used for session control. Possible values include:
    • 1—Trigger-Request.
    • 2—Terminate-Request.
    • 3—SetPolicy.
    • 4—Result.
    • 5—PortalClear.
    Identification for retransmitted packets. For retransmitted packets of the same session, this attribute must take the same value. For retransmitted packets of different sessions, this attribute can take the same value.
  • Page 31: Fips Compliance

    (Sub-attribute / Description)
    Output-Interval-Gigawords: Amount of bytes output within an accounting interval, in units of 4G bytes.
    Backup-NAS-IP: Backup source IP address for sending RADIUS packets.
    Product_ID: Product name.
    FIPS compliance: The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
  • Page 32: Configuring Aaa Schemes

    Tasks at a glance:
    (Required.) Perform at least one of the following tasks to configure local users or AAA schemes:
    • Configuring local users
    • Configuring RADIUS schemes
    • Configuring HWTACACS schemes
    • Configuring LDAP schemes
    (Required.) Configure AAA methods for ISP domains:
    (Required.) Creating an ISP domain
    (Optional.) ...
  • Page 33
    • Authorization attributes—Authorization attributes indicate the rights that a user has after passing local authentication. Authorization attributes include the ACL, idle cut function, user role, VLAN, and FTP/SFTP work directory. For support information about authorization attributes, see "Configuring local user attributes."...
  • Page 34 (Step / Command / Remarks)
    Step: (Optional.) Configure a password.
    Command:
    • For a network access user: password { cipher | simple } password
    • For a device management user: ...
    Remarks: Network access user passwords are encrypted with the encryption algorithm and saved in ciphertext. Device management user passwords are encrypted with the hash algorithm and saved in ciphertext.
  • Page 35 (Step / Command / Remarks)
    Step: (Optional.) Configure password control attributes.
    Command:
    • Set the password aging time: password-control aging aging-time
    • Set the minimum password length: password-control length length
    Remarks: Optional. By default, the local user uses the password control attributes of the user group to which the local user belongs.
  • Page 36: Configuring Radius Schemes

    Displaying and maintaining local users and local user groups. Execute display commands in any view.
    Task: Display the local user configuration and online user statistics.
    Command: display local-user [ class { manage | network } | idle-cut { disable | enable } | service-type { ftp | lan-access | ssh | telnet | terminal } | state { active | ...
  • Page 37 Specifying the RADIUS authentication servers A RADIUS authentication server completes authentication and authorization together, because authorization information is piggybacked in authentication responses sent to RADIUS clients. You can specify one primary authentication server and up to 16 secondary authentication servers for a RADIUS scheme.
  • Page 38 (Step / Command / Remarks)
    Step: Specify RADIUS accounting servers.
    Command:
    • Specify the primary RADIUS accounting server: primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *
    Remarks: Configure at least one command. By default, no accounting server is specified. Two accounting servers in a...
  • Page 39 (Step / Command / Remarks)
    Step: Specify a VPN for the RADIUS scheme.
    Command: vpn-instance vpn-instance-name
    Remarks: By default, a RADIUS scheme belongs to the public network.
    Setting the username format and traffic statistics units: A username is typically in the format userid@isp-name, where isp-name represents the user's ISP domain name.
  • Page 40 Setting the status of RADIUS servers By setting the status of RADIUS servers to blocked or active, you can control the RADIUS servers with which the device communicates when the current servers are no longer available. In practice, you can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers functioning as the backup of the primary servers.
  • Page 41 (Step / Command / Remarks)
    Command:
    • Set the status of the primary RADIUS authentication server: state primary authentication { active | block }
    • Set the status of the primary RADIUS accounting server: state primary accounting { active | block }
    Remarks: Configure at least one command. By default, every server specified in a RADIUS scheme ...
  • Page 42 (Step / Command / Remarks)
    Enter system view: system-view
    Enter RADIUS scheme view: radius scheme radius-scheme-name
    Specify a source IP address ...: nas-ip { ipv4-address | ipv6 ... By default, the source IP address specified by the radius nas-ip command in the system view is used.
  • Page 43 NAS. The security policy server is the management and control center of the H3C EAD solution. To implement all EAD functions, configure both the IP address of the security policy server and that of the IMC Platform on the NAS.
  • Page 44: Configuring Hwtacacs Schemes

    (Step / Command / Remarks)
    Step: Specify a security policy server.
    Command: security-policy-server { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
    Remarks: By default, no security policy server is specified for a scheme. You can specify up to eight security policy servers for a RADIUS scheme.
    Displaying and maintaining RADIUS: Execute display commands in any view and reset commands in user view.
  • Page 45 Specifying the HWTACACS authentication servers You can specify one primary authentication server and up to 16 secondary authentication servers for an HWTACACS scheme. When the primary server is not available, the device tries to communicate with the secondary servers in the order they are configured, and communicates with the first secondary server in active state.
  • Page 46 (Step / Command / Remarks)
    Command:
    • Specify the primary HWTACACS authorization server: primary authorization { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance ...
    Remarks: Configure at least one command. By default, no authorization server is specified.
  • Page 47 (Step / Command / Remarks)
    Enter system view: system-view
    Enter HWTACACS scheme view: hwtacacs scheme hwtacacs-scheme-name
    Specify a shared key for secure HWTACACS authentication, authorization, ...: key { accounting | authentication | authorization } { cipher | simple } ...
    Remarks: By default, no shared key is specified. The shared key configured on the device must be the same as that...
  • Page 48 (Step / Command / Remarks)
    Step: (Optional.) Set the data flow and packet measurement units for traffic statistics.
    Command: data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet ...
    Remarks: By default, traffic is counted in bytes and packets. The command does not apply to 802.1X and MAC users, for...
  • Page 49 (Step / Command / Remarks)
    Step: Specify a source IP address for outgoing HWTACACS packets.
    Command: nas-ip { ipv4-address | ipv6 ipv6-address }
    Remarks: By default, the device uses the IP address specified by the hwtacacs nas-ip command in system view as the source IP address. If no IP address is specified, the ...
  • Page 50: Configuring Ldap Schemes

    • If the status of an HWTACACS server changes automatically, the device changes the status of this server accordingly in all HWTACACS schemes in which this server is specified.
    To set HWTACACS timers (Step / Command / Remarks):
    Enter system view: system-view
    Enter HWTACACS scheme view: hwtacacs scheme ...
  • Page 51 Tasks at a glance:
    (Required.) Specifying the LDAP authentication server
    (Optional.) Displaying and maintaining LDAP
    Creating an LDAP server (Step / Command / Remarks):
    Enter system view: system-view
    Create an LDAP server and enter its view: ldap server server-name. By default, no LDAP server exists.
  • Page 52 (Step / Command / Remarks)
    Enter system view: system-view
    Enter LDAP server view: ldap server server-name
    Set the LDAP server timeout period: server-timeout time-interval. By default, the LDAP server timeout period is 10 seconds.
    Configuring administrator attributes: To configure the administrator DN and password for binding with the LDAP server during LDAP authentication (Step / Command / ...):
  • Page 53: Configuring Aaa Methods For Isp Domains

    (Step / Command / Remarks)
    (Optional.) Specify the user search scope: search-scope { all-level | single-level }. By default, the user search scope is all-level.
    (Optional.) Specify the username attribute: user-parameters user-name-attribute { name-attribute | cn | uid }. By default, the username attribute is cn.
    (Optional.) Specify the ...: user-parameters ... By default, the username format is...
  • Page 54: Configuration Prerequisites

    Configuration prerequisites: To use local authentication for users in an ISP domain, configure local user accounts on the device first. See "Configuring local user attributes." To use remote authentication, authorization, and accounting, create the required RADIUS, HWTACACS, and LDAP schemes as described in "Configuring RADIUS schemes,"...
  • Page 55: Configuring Authentication Methods For An Isp Domain

    Configuring authentication methods for an ISP domain Configuration prerequisites Before configuring authentication methods, complete the following tasks: Determine the access type or service type to be configured. With AAA, you can configure an authentication method for each access type and service type. Determine whether to configure the default authentication method for all access types or service types.
  • Page 56: Configuring Authorization Methods For An Isp Domain

    (Step / Command / Remarks)
    Specify the authentication method for obtaining a temporary user role: authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } *. By default, the default authentication method is used for obtaining a temporary user role.
    Configuring authorization methods for an ISP domain. Configuration prerequisites: Before configuring authorization methods, complete the following tasks: Determine the access type or service type to be configured.
  • Page 57: Configuring Accounting Methods For An Isp Domain

    (Step / Command / Remarks)
    Specify the authorization method for login users: authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme ... By default, the default authorization method is used for login users. The none keyword is not supported in FIPS mode.
  • Page 58: Enabling The Session-Control Feature

    (Step / Command / Remarks)
    Specify the accounting method for login users: accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme ... By default, the default accounting method is used for login users. The none keyword is not supported in FIPS mode.
  • Page 59 Figure 11 Network diagram Configuration procedure Configure the HWTACACS server: # On the HWTACACS server, set the shared keys for secure communication with the switch to expert, add an account for the SSH user, and specify the password. (Details not shown.) Configure the switch: # Assign IP addresses to the interfaces.
  • Page 60: Local Authentication, Hwtacacs Authorization, And Radius Accounting For Ssh Users

    [Switch] user-interface vty 0 15
    [Switch-ui-vty0-15] authentication-mode scheme
    [Switch-ui-vty0-15] quit
    # Enable the default-user-role authorization function, so that an SSH user gets the default user role network-operator after passing authentication.
    [Switch] role default-role enable
    Verifying the configuration: When the user initiates an SSH connection to the switch and enters the correct username and password, the user successfully logs in and can use the commands for the network-operator user role.
  • Page 61: Authentication And Authorization For Ssh Users By A Radius Server

    # Enable scheme authentication for user interfaces VTY 0 through VTY 15.
    [Switch] user-interface vty 0 15
    [Switch-ui-vty0-15] authentication-mode scheme
    [Switch-ui-vty0-15] quit
    # Configure an HWTACACS scheme.
    [Switch] hwtacacs scheme hwtac
    [Switch-hwtacacs-hwtac] primary authorization 10.1.1.2 49
    [Switch-hwtacacs-hwtac] key authorization simple expert
    [Switch-hwtacacs-hwtac] user-name-format without-domain
    [Switch-hwtacacs-hwtac] quit
    # Configure a RADIUS scheme.
  • Page 62 Set the ports for authentication and accounting to 1812 and 1813, respectively. Select the service type Device Management Service. Select the access device type H3C. Select the access device from the device list or manually add the access device (with the IP address 10.1.1.2).
  • Page 63 Figure 14 Adding the switch as an access device # Add an account for device management. Click the User tab, and select Access User View > Device Mgmt User from the navigation tree. Then, click Add to configure a device management account as follows: Enter the account name hello@bbb and specify the password.
  • Page 64 Figure 15 Adding an account for device management. Configure the switch:
    # Assign an IP address to VLAN-interface 2, the SSH user access interface.
    <Switch> system-view
    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
    [Switch-Vlan-interface2] quit
    # Assign an IP address to VLAN-interface 3, through which the switch communicates with the server.
  • Page 65: Authentication For Ssh Users By An Ldap Server

    # Create a RADIUS scheme.
    [Switch] radius scheme rad
    # Specify the primary authentication server.
    [Switch-radius-rad] primary authentication 10.1.1.1 1812
    # Set the shared key for secure communication with the server to expert in plain text.
    [Switch-radius-rad] key authentication simple expert
    # Include the domain names in usernames sent to the RADIUS server.
  • Page 66 NOTE: In this example, the LDAP server runs Microsoft Windows 2003 Server Active Directory. # Add a user named aaa and set the password to ldap!123456. On the LDAP server, select Start > Control Panel > Administrative Tools, and double-click Active Directory Users and Computers to display the Active Directory Users and Computers window.
  • Page 67 Figure 18 Setting the user's password Click OK. # Add user aaa to group Users. From the navigation tree, click Users under the ldap.com node. On the right pane, right-click aaa and select Properties. In the dialog box, click the Member Of tab and click Add.
  • Page 68 Figure 19 Modifying user properties In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK. User aaa is added to group Users. Figure 20 Adding user aaa to group Users # Set the administrator password to admin!123456.
  • Page 69
    # Assign an IP address to VLAN-interface 2, the SSH user access interface.
    <Switch> system-view
    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ip address 192.168.1.70 24
    [Switch-Vlan-interface2] quit
    # Assign an IP address to VLAN-interface 3, through which the switch communicates with the server.
  • Page 70: Troubleshooting Radius

    Verifying the configuration: When the user initiates an SSH connection to the switch and enters the username aaa@bbb and password ldap!123456, the user successfully logs in and can use the commands for the network-operator user role.
    Troubleshooting RADIUS. RADIUS authentication failure. Symptom: User authentication always fails.
  • Page 71: Radius Accounting Error

    Solution Check that: • The link between the NAS and the RADIUS server work well at both the physical and data link layers. The IP address of the RADIUS server is correctly configured on the NAS. • The authentication and accounting UDP port numbers configured on the NAS are the same as those •...
  • Page 72 The administrator DN or password is not configured. • • Some user attributes (for example, the username attribute) configured on the NAS are not consistent with those configured on the server. No user search base DN is specified for the LDAP scheme. •...
  • Page 73: 802.1X Overview

    802.1X overview 802.1X is a port-based network access control protocol initially proposed for securing WLANs, and it has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports. 802.1X architecture 802.1X operates in the client/server model.
  • Page 74: 802.1X-Related Protocols

    • Performs unidirectional traffic control to deny traffic from the client. • The H3C devices support only unidirectional traffic control. 802.1X-related protocols 802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the network access device, and the authentication server. EAP is an authentication framework that uses the client/server model.
  • Page 75: Packet Formats

    • Protocol version—The EAPOL protocol version used by the EAPOL packet sender. • Type—Type of the EAPOL packet. Table 4 lists the types of EAPOL packets supported by the H3C implementation of 802.1X. Table 4 Types of EAPOL packets Value...
  • Page 76: Eap Over Radius

    Value Type Description 0x02 EAPOL-Logoff The client sends an EAPOL-Logoff message to tell the network access device that it is logging off. • Length—Data length in bytes, or length of the Packet body. If packet type is EAPOL-Start or EAPOL-Logoff, this field is set to 0, and no Packet body field follows. • Packet body—Content of the packet.
  • Page 77: Access Device As The Initiator

    802.1X client (for example, the H3C iNode 802.1X client) that can send broadcast EAPOL-Start packets. Access device as the initiator The access device initiates authentication if a client cannot send EAPOL-Start packets. One example is the 802.1X client available with Windows XP.
  • Page 78: Comparing Eap Relay And Eap Termination

    EAP termination: • Supports only MD5-Challenge EAP authentication and the "username + password" EAP authentication initiated by an H3C iNode 802.1X client. • Works with any RADIUS server that supports PAP or CHAP authentication. • The processing is complex on the network access device.
  • Page 79 Figure 29 802.1X authentication procedure in EAP relay mode Client Device Authentication server EAPOR EAPOL (1) EAPOL-Start (2) EAP-Request/Identity (3) EAP-Response/Identity (4) RADIUS Access-Request (EAP-Response/Identity) (5) RADIUS Access-Challenge (EAP-Request/MD5 challenge) (6) EAP-Request/MD5 challenge (7) EAP-Response/MD5 challenge (8) RADIUS Access-Request (EAP-Response/MD5 challenge) (9) RADIUS Access-Accept (EAP-Success) (10) EAP-Success...
  • Page 80: Eap Termination

    The authentication server compares the received encrypted password with the one it generated at step 5. If the two are identical, the authentication server considers the client valid and sends a RADIUS Access-Accept packet to the network access device. Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP-Success packet to the client, and sets the controlled port in the authorized state so the client can access the network.
  • Page 81 Figure 30 802.1X authentication procedure in EAP termination mode In EAP termination mode, the network access device rather than the authentication server generates an MD5 challenge for password encryption. The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.
  • Page 82: Configuring 802.1X

    Configuring 802.1X This chapter describes how to configure 802.1X on an H3C device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network, such as a WLAN, that requires different authentication methods for different users on a port.
  • Page 83: Enabling 802.1X

    If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an H3C iNode 802.1X client, you can use both EAP termination and EAP relay. To use EAP-TLS, PEAP, or any other EAP authentication methods, you must use EAP relay. When you make your decision, see "Comparing EAP relay and EAP...
  • Page 84: Setting The Port Authorization State

    NOTE: If EAP relay mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. The access device sends the authentication data from the client to the server without any modification. Setting the port authorization state The port authorization state determines whether the client is granted access to the network.
  • Page 85: Setting The Maximum Number Of Authentication Request Attempts

    Step Command Remarks Enter system view. system-view Enter Ethernet interface view. interface interface-type interface-number Set the maximum number of concurrent 802.1X users on a port. dot1x max-user user-number [ interface interface-list ] The default maximum number of concurrent 802.1X users on...
  • Page 86: Configuring The Online User Handshake Function

    Step Command Remarks Set the server timeout timer. dot1x timer server-timeout server-timeout-value The default is 100 seconds. Configuring the online user handshake function The online user handshake function checks the connectivity status of online 802.1X users. The network access device sends handshake messages to online users at the interval specified by the dot1x timer handshake-period command.
  • Page 87: Configuration Guidelines

    Configuration guidelines Follow these guidelines when you configure the authentication trigger function: • Enable the multicast trigger on a port when the clients attached to the port cannot send EAPOL-Start packets to initiate 802.1X authentication. • Enable the unicast trigger on a port if only a few 802.1X clients are attached to the port and these...
  • Page 88: Configuring The Quiet Timer

    Configuring the quiet timer The quiet timer enables the network access device to wait a period of time before it can process any authentication request from a client that has failed an 802.1X authentication. You can set the quiet timer to a high value in a vulnerable network or a low value for quicker authentication response.
  • Page 89: 802.1X Authentication Configuration Example

    192.168.1.2/24 Configuration procedure Configure the 802.1X client. If H3C iNode is used, do not select the Carry version info option in the client configuration. (Details not shown.) Configure the RADIUS servers and add user accounts for the 802.1X users. (Details not shown.) For information about the RADIUS commands used on the access device in this example, see Security Command Reference.
  • Page 90 Configure user accounts for the 802.1X users on the access device: # Add a local network access user with the username localuser, and password localpass in plaintext. (Make sure the username and password are the same as those configured on the RADIUS server.) <Device>...
  • Page 91: Verifying The Configuration

    [Device] dot1x # Enable 802.1X on port Ten-GigabitEthernet 1/0/1. [Device] interface ten-gigabitethernet 1/0/1 [Device-Ten-GigabitEthernet1/0/1] dot1x [Device-Ten-GigabitEthernet1/0/1] quit # Enable MAC-based access control on the port. (Optional. MAC-based access control is the default setting.) [Device] interface ten-gigabitethernet 1/0/1 [Device-Ten-GigabitEthernet1/0/1] dot1x port-method macbased # Specify aabbcc.net as the mandatory domain.
  • Page 92: Configuring Mac Authentication

    Configuring MAC authentication Overview MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software, and users do not have to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port.
  • Page 93: Configuration Prerequisites

    For more information about configuring local authentication and RADIUS authentication, see "Configuring AAA." Configuration prerequisites Before you configure MAC authentication, complete the following tasks: Configure an ISP domain and specify an AAA method. For more information, see "Configuring AAA." For local authentication, you must also create local user accounts (including usernames and passwords), and specify the lan-access service for local users.
  • Page 94: Specifying A Mac Authentication Domain

    Step Command Remarks Enable MAC authentication on the port. mac-authentication By default, MAC authentication is disabled on a port. Specifying a MAC authentication domain By default, MAC authentication users are in the system default authentication domain. To implement different access policies for users, you can specify authentication domains for MAC authentication users in the following ways: Specify a global authentication domain in system view.
  • Page 95: Configuring Mac Authentication Timers

    Step Command Remarks Configure the MAC authentication user name format. Use either method. • Use one MAC-based user account for each user: mac-authentication user-name-format mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ] By default, the device uses the MAC address of a user as the username and password for...
  • Page 96: Displaying And Maintaining Mac Authentication

    Step Command Remarks Enter system view. system-view Enter interface view. interface interface-type interface-number Set the maximum number of concurrent MAC authentication users on the port. mac-authentication max-user user-number By default, the maximum number of concurrent MAC authentication users is 256. Displaying and maintaining MAC authentication Execute display commands in any view and reset commands in user view.
  • Page 97 [Device] local-user 00-e0-fc-12-34-56 class network [Device-luser-network-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56 [Device-luser-network-00-e0-fc-12-34-56] service-type lan-access [Device-luser-network-00-e0-fc-12-34-56] quit # Configure ISP domain aabbcc to perform local authentication for LAN users. [Device] domain aabbcc [Device-isp-aabbcc] authentication lan-access local [Device-isp-aabbcc] quit # Enable MAC authentication globally. [Device] mac-authentication # Enable MAC authentication on port Ten-GigabitEthernet 1/0/1.
  • Page 98: Radius-Based Mac Authentication Configuration Example

    MAC Addr Auth state 00e0-fc12-3456 authenticated RADIUS-based MAC authentication configuration example Network requirements As shown in Figure 33, a host is connected to port Ten-GigabitEthernet 1/0/1 of the device. The device uses RADIUS servers for authentication, authorization, and accounting. To control user access to the Internet, configure MAC authentication on port Ten-GigabitEthernet 1/0/1, as follows: Configure the device to detect whether a user has gone offline every 180 seconds, and if a user fails •...
  • Page 99 [Device-isp-2000] accounting default radius-scheme 2000 [Device-isp-2000] quit # Enable MAC authentication globally. [Device] mac-authentication # Enable MAC authentication on port Ten-GigabitEthernet 1/0/1. [Device] interface ten-gigabitethernet 1/0/1 [Device-Ten-GigabitEthernet1/0/1] mac-authentication [Device-Ten-GigabitEthernet1/0/1] quit # Specify the MAC authentication domain as the ISP domain 2000. [Device] mac-authentication domain 2000 # Set MAC authentication timers.
  • Page 100: Configuring Port Security

    This automatic mechanism enhances network security, and reduces human intervention. NOTE: For scenarios that require only 802.1X authentication or MAC authentication, H3C recommends you use the 802.1X authentication or MAC authentication feature rather than port security. For more information about 802.1X and MAC authentication, see "Configuring...
  • Page 101 • Authentication—Security modes in this category implement MAC authentication, 802.1X authentication, or a combination of these two authentication methods. Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC address or performs authentication, depending on the security mode.
  • Page 102 TIP: • userLogin specifies 802.1X authentication and port-based access control. • userLogin with Secure specifies 802.1X authentication and MAC-based access control. • Ext indicates allowing multiple 802.1X users to be authenticated and serviced at the same time. A security mode without Ext allows only one user to pass 802.1X authentication.
  • Page 103: Configuration Task List

    For wired users, the port performs 802.1X authentication upon receiving 802.1X frames, and performs OUI check upon receiving non-802.1X frames. NOTE: An OUI is a 24-bit number that uniquely identifies a vendor, manufacturer, or organization. In MAC addresses, the first three octets are the OUI. Performing MAC authentication macAddressWithRadius: A port in this mode performs MAC authentication, and services multiple users.
  • Page 104: Setting Port Security's Limit On The Number Of Secure Mac Addresses On A Port

    When port security is enabled, you cannot enable 802.1X or MAC authentication, or change the access control mode or port authorization state. The port security automatically modifies these settings in different security modes. To enable port security: Step Command Remarks Enter system view.
  • Page 105: Setting The Port Security Mode

    Setting the port security mode Before you set a port security mode for a port, complete the following tasks: • Disable 802.1X and MAC authentication. • Verify that the port does not belong to any aggregation group or service loopback group. •...
  • Page 106: Configuring Port Security Features

    Configuring port security features Configuring NTK The NTK feature checks the destination MAC addresses in outbound frames to make sure frames are forwarded only to authenticated devices. The NTK feature supports the following modes: • ntkonly—Forwards only unicast frames with authenticated destination MAC addresses. •...
  • Page 107: Configuring Secure Mac Addresses

    Step Command Remarks Configure the intrusion protection feature. port-security intrusion-mode { blockmac | disableport | disableport-temporarily } By default, intrusion protection is disabled. Return to system view. quit (Optional.) Set the silence timeout period during which a ... port-security timer disableport time-value By default, the port silence timeout is 20 seconds.
  • Page 108: Configuration Procedure

    • Configure the port to permit packets of the specified VLAN to pass or add the port to the VLAN. • Make sure the VLAN already exists. Configuration procedure To configure a secure MAC address: Step Command Remarks Enter system view. system-view (Optional.) Set the port-security timer autolearn aging...
  • Page 109: Port Security Configuration Examples

    Task Command Display information about secure MAC addresses. display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] Display information about blocked MAC addresses. display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] Port security configuration examples autoLearn configuration example Network requirements...
  • Page 110: Userloginwithoui Configuration Example

    Verifying the configuration # Display the port security configuration. [Device] display port-security interface ten-gigabitethernet 1/0/1 Port security is enabled globally AutoLearn aging time is 30 minutes Disableport Timeout: 30s OUI value: Ten-GigabitEthernet1/0/1 is link-up Port mode: autoLearn NeedToKnow mode: Disabled Intrusion protection mode: DisablePortTemporarily Max number of secure MAC addresses: 64 Current number of secure MAC addresses: 5...
  • Page 111 • The RADIUS server at 192.168.1.2 functions as the primary authentication server and the secondary accounting server, and the RADIUS server at 192.168.1.3 functions as the secondary authentication server and the primary accounting server. • The shared key for authentication is name, and that for accounting is money.
  • Page 112 Configure 802.1X: # Set the 802.1X authentication method to CHAP. (This step is optional. By default, the authentication method is CHAP for 802.1X.) [Device] dot1x authentication-method chap Configure port security: # Enable port security. [Device] port-security enable # Add five OUI values. (You can add up to 16 OUI values. The port permits only one user matching one of the OUIs to pass authentication.) [Device] port-security oui index 1 mac-address 1234-0100-1111 [Device] port-security oui index 2 mac-address 1234-0200-1111...
  • Page 113: Macaddresselseuserloginsecure Configuration Example

    # Display the configuration of the ISP domain sun. [Device] display domain sun Domain:sun State: Active Access-limit: Disabled Access-Count: 0 lan-access Authentication Scheme: radius: radsun lan-access Authorization Scheme: radius: radsun lan-access Accounting Scheme: radius: radsun default Authentication Scheme: local default Authorization Scheme: local default Accounting...
  • Page 114 Restrict port Ten-GigabitEthernet 1/0/1 of the device as follows: • Allow more than one MAC authenticated user to log on. • For 802.1X users, perform MAC authentication first and then, if MAC authentication fails, 802.1X authentication. • Allow only one 802.1X user to log on. • Use a fixed username and password for MAC authentication of all users.
  • Page 115 Port security is enabled globally AutoLearn aging time is 0 minutes Disableport Timeout: 20s OUI value: Ten-GigabitEthernet1/0/1 is link-up Port mode: macAddressElseUserLoginSecure NeedToKnow mode: NeedToKnowOnly Intrusion protection mode: NoAction Max number of secure MAC addresses: 64 Current number of secure MAC addresses: 0 Authorization is permitted After users pass authentication, you can use the following commands to display the user authentication information on the port:...
  • Page 116: Troubleshooting Port Security

    Reauth Period 3600 s Max attempts for sending an auth request Max number of 802.1X users is 1024 per slot Current number of online 802.1X users is 1 Ten-GigabitEthernet1/0/1 is link-up 802.1X protocol is enabled Handshake is enabled 802.1X unicast-trigger is disabled Periodic reauthentication is disabled The port is an authenticator Authentication mode is Auto...
  • Page 117: Cannot Configure Secure Mac Addresses

    Cannot configure secure MAC addresses Symptom Cannot configure secure MAC addresses. Analysis No secure MAC address can be configured on a port operating in a port security mode other than autoLearn. Solution Set the port security mode to autoLearn. [Device-Ten-GigabitEthernet1/0/1] undo port-security port-mode [Device-Ten-GigabitEthernet1/0/1] port-security max-mac-count 64 [Device-Ten-GigabitEthernet1/0/1] port-security port-mode autolearn [Device-Ten-GigabitEthernet1/0/1] port-security mac-address security 1-1-2 vlan 1...
  • Page 118: Configuring Password Control

    Configuring password control Overview Password control refers to a set of functions provided by the device to manage login and super password setup, expirations, and updates for device management users, and to control user login status based on predefined policies. Local users are divided into two types: device management users and network access users.
  • Page 119: Password Updating And Expiration

    Password complexity checking policy A less complicated password such as a password containing the username or repeated characters is more likely to be cracked. For higher security, you can configure a password complexity checking policy to make sure all user passwords are relatively complicated. With such a policy configured, when a user configures a password, the system checks the complexity of the password.
  • Page 120: User Login Control

    Password history With this feature enabled, the system stores passwords that a user has used. When a user changes the password, the system checks the new password against the current password and those stored in the password history records. The new password must be different from the current one and those stored in the history records by at least four characters and the four characters must be different from one another.
  • Page 121: Logging

    Logging The system logs all successful password changing events and user adding events to the password control blacklist. FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
  • Page 122: Setting Global Password Control Parameters

    To enable password control: Step Command Remarks Enter system view. system-view Enable the global password control feature. password-control enable By default, the global password control feature is disabled. (Optional.) Enable a specific password control function. password-control { aging | composition | history | length } By default, all four password...
  • Page 123: Setting User Group Password Control Parameters

    Step Command Remarks Specify the maximum number of login attempts and the action to be taken when a user fails to log in after the specified number of attempts. password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ] By default, the maximum number of login attempts is 3 and a user failing to log in after the specified number of attempts must wait for 1...
  • Page 124: Setting Super Password Control Parameters

    Step Command Remarks Create a device management user and enter local user view. local-user user-name class manage By default, no local user exists. Local user password control applies to device management users instead of network access users. For information about how to configure a local user, see "Configuring AAA."...
  • Page 125: Displaying And Maintaining Password Control

    Step Command Remarks Configure the password composition policy for super passwords. password-control super composition type-number type-number [ type-length ... • In non-FIPS mode, a default super password must contain at least one character type and at least one character for each type.
  • Page 126: Configuration Procedure

    • No character appears consecutively three or more times in a password. • A password must contain at least four character types and at least four characters for each type. Configure a super password control policy for user role network-operator to meet the following requirements: A super password must contain at least 24 characters.
  • Page 127: Verifying The Configuration

    # Configure a super password as 123456789ABGFTweuix@#$%! in plain text, which is used for changing the user role to network-operator. [Sysname] super password network-operator simple 123456789ABGFTweuix@#$%! Updating user information. Please wait ... # Create a device management user named test. [Sysname] local-user test class manage # Set the service type of the user to Telnet.
  • Page 128 # Display the password control configuration for local user test. <Sysname> system-view [Sysname] local-user test class manage [Sysname-luser-manage-test] display this local-user test class manage service-type telnet authorization-attribute user-role network-operator password-control aging 20 password-control length 24 password-control composition type-number 4 type-length 5 return...
  • Page 129: Managing Public Keys

    Managing public keys Overview This chapter describes public key management for the asymmetric key algorithms including the Rivest-Shamir-Adleman Algorithm (RSA), the Digital Signature Algorithm (DSA), and the Elliptic Curve Digital Signature Algorithm (ECDSA). Many security applications, including SSH, SSL, and PKI, use asymmetric key algorithms to secure communications between two parties, as shown in Figure 37.
  • Page 130: Creating A Local Key Pair

    Creating a local key pair Configuration guidelines When you create a local key pair, follow these guidelines: • The key algorithm must be the same as required by the security application. • The key modulus length must be appropriate (see Table 8).
  • Page 131: Distributing A Local Host Public Key

    Step Command Remarks Create local key pairs. public-key local create { dsa | ecdsa | rsa } [ name key-name ] By default, no local key pair exists. Distributing a local host public key You must distribute a local host public key to a peer device so the peer device can use the public key to encrypt information sent to the local device or authenticate the digital signature signed by the local device.
  • Page 132: Displaying A Host Public Key In A Specific Format And Saving It To A File

    Displaying a host public key in a specific format and saving it to a file After you display a host public key in a specific format, save the key to a file and transfer the file to the peer device. To display a local host public key in a specific format: Step Command...
  • Page 133: Configuring A Peer Public Key

    For information about displaying or exporting host public keys, see "Distributing a local host public key." H3C recommends that you configure no more than 20 peer public keys on the device. Importing a peer host public key from a public key file Step...
  • Page 134: Displaying And Maintaining Public Keys

    Step Command Remarks Return to system view. peer-public-key end When you exit public key view, the system automatically saves the public key. Displaying and maintaining public keys Execute display commands in any view. Task Command Display local public keys. display public-key local { dsa | ecdsa | rsa } public [ name...
  • Page 135 ....++++++ ........++++++ ..++++++++ ....++++++++ Create the key pair successfully. # Display all local RSA public keys. [DeviceA] display public-key local rsa public ============================================= Key name: hostkey (default) Key type: RSA Time when key pair created: 16:48:31 2012/06/12 Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B 8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E 45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257 6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788...
  • Page 136: Example For Importing A Public Key From A Public Key File

    Verifying the configuration # Verify that the key is the same as on Device A. [DeviceB] display public-key peer name devicea ============================================= Key name: devicea Key type: RSA Key modulus: 1024 Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B 8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E 45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257 6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788 CB47440AF6BB25ACA50203010001 Example for importing a public key from a public key file Unless otherwise noted, devices in the configuration example are operating in non-FIPS mode.
  • Page 137 [DeviceA] display public-key local rsa public ============================================= Key name: hostkey (default) Key type: RSA Time when key pair created: 16:48:31 2012/06/12 Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B 8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E 45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257 6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788 CB47440AF6BB25ACA50203010001 ============================================= Key name: serverkey (default) Key type: RSA Time when key pair created: 16:48:31 2012/06/12 Key code: 307C300D06092A864886F70D0101010500036B003068026100C9451A80F7F0A9BA1A90C7BC 1C02522D194A2B19F19A75D9EF02219068BD7FD90FCC2AF3634EEB9FA060478DD0A1A49ACE...
  • Page 138 301 bytes received in 0.003 seconds (98.0 kbyte/s) ftp> quit 221-Goodbye. You uploaded 0 and downloaded 1 kbytes. 221 Logout. # Import the host public key from the key file devicea.pub. <DeviceB> system-view [DeviceB] public-key peer devicea import sshkey devicea.pub Verifying the configuration # Verify that the host public key is the same as it is on Device A.
  • Page 139: Configuring Pki

    PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity. H3C's PKI system provides certificate management for IPsec and SSL. PKI terminology Digital certificate A digital certificate is a document signed by a certificate authority (CA).
  • Page 140: Pki Architecture

    CA policy A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revoking certificates, and publishing CRLs. Usually, a CA advertises its policy in a certification practice statement (CPS). You can obtain a CA policy through out-of-band means such as phone, disk, and email. Make sure you understand the CA policy before you select a trusted CA for certificate request because different CAs might use different policies.
  • Page 141: Pki Operation

    PKI operation The following describes how a PKI entity requests a local certificate from a CA, and how an RA is involved in entity enrollment: A PKI entity submits a certificate request to the RA. The RA verifies the identity of the entity and sends a digital signature containing the identity information and the public key to the CA.
  • Page 142: Fips Compliance

    Figure 41 PKI across VPNs FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. PKI configuration task list Tasks at a glance (Required.) Configuring a PKI entity...
  • Page 143: Configuring A Pki Domain

    • Distinguished name (DN) of the entity, which further includes the common name, country code, locality, organization, unit in the organization, and state. If you configure the DN for an entity, a common name is required. • FQDN of the entity. • IP address of the entity.
  • Page 144 After receiving a CA root certificate that does not exist locally, the PKI entity verifies the fingerprint of the root certificate in the following cases: • For an obtained or imported CA root certificate, if its fingerprint does not match the one configured...
  • Page 145: Requesting A Certificate

    Step Command Remarks Specify the fingerprint for root certificate verification. • In non-FIPS mode: root-certificate fingerprint { md5 | sha1 } string Optional if you manually request local certificates. If you want to verify the fingerprint manually, do not configure this...
  • Page 146: Configuring Automatic Certificate Request

    Use pki request-certificate domain pkcs10 to print the request information on the terminal or use pki request-certificate domain pkcs10 filename to save the request information to a local file. Send the printed information or the saved file to the CA by an out-of-band means to submit the request.
  • Page 147: Manually Requesting A Certificate

    Manually requesting a certificate IMPORTANT: Before you manually request a certificate, make sure the system time of the device is synchronized with the CA server. Otherwise, the device might fail to request the certificate because it regards the certificate as out of the validity period.
  • Page 148: Aborting A Certificate Request

    Step: Submit a certificate request or generate a certificate request in... Command: pki request-certificate domain domain-name [ password password ] [ pkcs10 [ filename filename ] ]. Remarks: This command is not saved in the configuration file. Executing the command triggers the PKI entity to automatically generate a key pair according to the key name, algorithm and...
  • Page 149: Configuration Guidelines

    • To import a local certificate containing an encrypted key pair, you must provide the challenge password. Contact the CA server administrator, if necessary. Configuration guidelines • If a CA certificate already exists locally, you cannot obtain it again in online mode. To obtain a new...
  • Page 150: Verifying Certificates Without Crl Checking

    To use SCEP to obtain the CRL, the CA certificate and the local certificates must be present. To verify certificates with CRL checking: Step: Enter system view. Command: system-view. Step: Enter PKI domain view. Command: pki domain domain-name. Step: (Optional.) Specify the URL of the CRL repository. Command: crl url url-string [ vpn-instance... Remarks: By default, the URL of the CRL...
  • Page 151: Exporting Certificates

    CAUTION: If you change the storage path, save the configuration before you reboot or shut down the device to avoid loss of the certificates or the CRLs. The device has a default storage path for the obtained local certificates and CRLs. You can change the storage path and specify different paths for the certificates and CRLs.
  • Page 152: Removing A Certificate

    Removing a certificate CAUTION: When you remove the CA certificate in a domain, the system also removes the local certificates, peer certificates, and CRLs in the same PKI domain. Each certificate issued by a CA has a validity period. If the certificate is about to expire or your private key is compromised, do the following tasks: Remove the local certificate.
  • Page 153: Displaying And Maintaining Pki

    Step: Enter system view. Command: system-view. Step: Create a certificate attribute group and enter its view. Command: pki certificate attribute-group group-name. Remarks: By default, no certificate attribute group exists. Step: (Optional.) Configure an attribute rule for issuer name, ... Command: attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } }... Remarks: By default, no attribute rule is...
  • Page 154: Certificate Request From An Rsa Keon Ca Server

    If you use RSA Keon, the SCEP add-on is not required. When you configure a PKI domain, you must use the certificate request from ca command to specify the CA to accept certificate requests for PKI entity enrollment to a CA. Unless otherwise noted, devices in the configuration examples are operating in non-FIPS mode.
  • Page 155 # Configure the URL of the registration server in the form of http://host:port/Issuing Jurisdiction ID, where Issuing Jurisdiction ID is a hexadecimal string generated on the CA server. [Device-pki-domain-torsa] certificate request url http://1.1.2.22:446/80f6214aa8865301d07929ae481c7ceed99f95bd # Specify the CA for accepting certificate requests. [Device-pki-domain-torsa] certificate request from ca # Specify the PKI entity name as aaa.
  • Page 156: Certificate Request From A Windows 2003 Ca Server

    Issuer: CN=myca Validity Not Before: Jan 6 03:10:58 2013 GMT Not After : Jan 6 03:10:58 2014 GMT Subject: CN=Device Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:ab:45:64:a8:6c:10:70:3b:b9:46:34:8d:eb:1a: a1:b3:64:b2:37:27:37:9d:15:bd:1a:69:1d:22:0f: 3a:5a:64:0c:8f:93:e5:f0:70:67:dc:cd:c1:6f:7a: 0c:b1:57:48:55:81:35:d7:36:d5:3c:37:1f:ce:16: 7e:f8:18:30:f6:6b:00:d6:50:48:23:5c:8c:05:30: 6f:35:04:37:1a:95:56:96:21:95:85:53:6f:f2:5a: dc:f8:ec:42:4a:6d:5c:c8:43:08:bb:f1:f7:46:d5: f1:9c:22:be:f3:1b:37:73:44:f5:2d:2c:5e:8f:40: 3e:36:36:0d:c8:33:90:f3:9b Exponent: 65537 (0x10001) X509v3 extensions:...
  • Page 157 Figure 43 Network diagram Configuring the CA server Install the certificate service component: Select Control Panel > Add or Remove Programs from the start menu. Select Add/Remove Windows Components > Certificate Services. Click Next to begin the installation. Set the CA name. In this example, set the CA name to myca. Install the SCEP add-on: The Windows 2003 server does not support SCEP by default.
  • Page 158 [Device] pki domain winserver # Specify the name of the trusted CA as myca. [Device-pki-domain-winserver] ca identifier myca # Configure the URL of the registration server in the form of http://host:port/certsrv/mscep/mscep.dll, where host:port is the host IP address and port number of the CA server.
  • Page 159 Signature Algorithm: sha1WithRSAEncryption Issuer: CN=h3c Validity Not Before: Dec 24 07:09:42 2012 GMT Not After : Dec 24 07:19:42 2013 GMT Subject: CN=test Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:c3:b5:23:a0:2d:46:0b:68:2f:71:d2:14:e1:5a: 55:6e:c5:5e:26:86:c1:5a:d6:24:68:02:bf:29:ac: dc:31:41:3f:5d:5b:36:9e:53:dc:3a:bc:0d:11:fb: d6:7d:4f:94:3c:c1:90:4a:50:ce:db:54:e0:b3:27: a9:6a:8e:97:fb:20:c7:44:70:8f:f0:b9:ca:5b:94:...
  • Page 160: Certificate Request From An Openca Server

    1.3.6.1.4.1.311.20.2: .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e Signature Algorithm: sha1WithRSAEncryption 76:f0:6c:2c:4d:bc:22:59:a7:39:88:0b:5c:50:2e:7a:5c:9d: 6c:28:3c:c0:32:07:5a:9c:4c:b6:31:32:62:a9:45:51:d5:f5: 36:8f:47:3d:47:ae:74:6c:54:92:f2:54:9f:1a:80:8a:3f:b2: 14:47:fa:dc:1e:4d:03:d5:d3:f5:9d:ad:9b:8d:03:7f:be:1e: 29:28:87:f7:ad:88:1c:8f:98:41:9a:db:59:ba:0a:eb:33:ec: cf:aa:9b:fc:0f:69:3a:70:f2:fa:73:ab:c1:3e:4d:12:fb:99: 31:51:ab:c2:84:c0:2f:e5:f6:a7:c3:20:3c:9a:b0:ce:5a:bc: 0f:d9:34:56:bc:1e:6f:ee:11:3f:7c:b2:52:f9:45:77:52:fb: 46:8a:ca:b7:9d:02:0d:4e:c3:19:8f:81:46:4e:03:1f:58:03: bf:53:c6:c4:85:95:fb:32:70:e6:1b:f3:e4:10:ed:7f:93:27: 90:6b:30:e7:81:36:bb:e2:ec:f2:dd:2b:bb:b9:03:1c:54:0a: 00:3f:14:88:de:b8:92:63:1e:f5:b3:c2:cf:0a:d5:f4:80:47: 6f:fa:7e:2d:e3:a7:38:46:f6:9e:c7:57:9d:7f:82:c7:46:06: 7d:7c:39:c4:94:41:bd:9e:5c:97:86:c8:48:de:35:1e:80:14: 02:09:ad:08 To display detailed information about the CA certificate, use the display pki certificate domain command. Certificate request from an OpenCA server Network requirements Configure the PKI entity (the device) to request a local certificate from the CA server.
  • Page 161 [Device-pki-entity-aaa] country CN [Device-pki-entity-aaa] organization test [Device-pki-entity-aaa] organization-unit software [Device-pki-entity-aaa] quit Configure a PKI domain: # Create a PKI domain named openca and enter its view. [Device] pki domain openca # Specify the name of the trusted CA as myca. [Device-pki-domain-openca] ca identifier myca # Configure the URL of the registration server in the form of http://host/cgi-bin/pki/scep, where host is the host IP address of the OpenCA server.
  • Page 162 [Device] display pki certificate domain openca local Certificate: Data: Version: 3 (0x2) Serial Number: 21:1d:b8:d2:e4:a9:21:28:e4:de Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, L=shanghai , ST=beijing, O=OpenCA Labs, OU=mysubUnit, CN=sub-ca, DC=pki-subdomain, DC=mydomain-sub, DC=com Validity Not Before: Jun 30 09:09:09 2011 GMT Not After : May 1 09:09:09 2012 GMT Subject: CN=rnd, O=test, OU=software, C=CN Subject Public Key Info:...
  • Page 163: Certificate Import And Export Configuration Example

    OCSP - URI:http://192.168.222.218:2560/ 1.3.6.1.5.5.7.48.12 - URI:http://192.168.222.218:830/ X509v3 CRL Distribution Points: Full Name: URI:http://192.168.222.218/pki/pub/crl/cacrl.crl Signature Algorithm: sha256WithRSAEncryption 5c:4c:ba:d0:a1:35:79:e6:e5:98:69:91:f6:66:2a:4f:7f:8b: 0e:80:de:79:45:b9:d9:12:5e:13:28:17:36:42:d5:ae:fc:4e: ba:b9:61:f1:0a:76:42:e7:a6:34:43:3e:2d:02:5e:c7:32:f7: 6b:64:bb:2d:f5:10:6c:68:4d:e7:69:f7:47:25:f5:dc:97:af: ae:33:40:44:f3:ab:e4:5a:a0:06:8f:af:22:a9:05:74:43:b6: e4:96:a5:d4:52:32:c2:a8:53:37:58:c7:2f:75:cf:3e:8e:ed: 46:c9:5a:24:b1:f5:51:1d:0f:5a:07:e6:15:7a:02:31:05:8c: 03:72:52:7c:ff:28:37:1e:7e:14:97:80:0b:4e:b9:51:2d:50: 98:f2:e4:5a:60:be:25:06:f6:ea:7c:aa:df:7b:8d:59:79:57: 8f:d4:3e:4f:51:c1:34:e6:c1:1e:71:b5:0d:85:86:a5:ed:63: 1e:08:7f:d2:50:ac:a0:a3:9e:88:48:10:0b:4a:7d:ed:c1:03: 9f:87:97:a3:5e:7d:75:1d:ac:7b:6f:bb:43:4d:12:17:9a:76: b0:bf:2f:6a:cc:4b:cd:3d:a1:dd:e0:dc:5a:f3:7c:fb:c3:29: b0:12:49:5c:12:4c:51:6e:62:43:8b:73:b9:26:2a:f9:3d:a4: 81:99:31:89 To display detailed information about the CA certificate, use the display pki certificate domain command.
  • Page 164 Figure 45 Network diagram Configuration procedure Export the certificate on Device A to specified files: # Export the CA certificate to a file named pkicachain.pem in PEM format. <DeviceA> system-view [DeviceA] pki export domain exportdomain pem ca filename pkicachain.pem # Export the local certificate to a file named pkilocal.pem in PEM format, and use 3DES_CBC to encrypt the private key with the password 111111.
  • Page 165 Bag Attributes friendlyName: localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8 subject=/C=CN/O=OpenCA Labs/OU=Users/CN=subencr 11 issuer=/C=CN/L=shangdi/ST=beijing/O=OpenCA Labs/OU=docm/CN=subca1 -----BEGIN CERTIFICATE----- MIIEUDCCAzigAwIBAgIKCHxnAVyzWhIPLzANBgkqhkiG9w0BAQsFADBmMQswCQYD … -----END CERTIFICATE----- Bag Attributes friendlyName: localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8 Key Attributes: <No Attributes>...
  • Page 166 Serial Number: 98:2c:79:ba:5e:8d:97:39:53:00 Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, L=shangdi, ST=beijing, O=OpenCA Labs, OU=docm, CN=subca1 Validity Not Before: May 26 05:56:49 2011 GMT Not After : Nov 22 05:56:49 2012 GMT Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subsign 11 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus:...
  • Page 167 Full Name: URI:http://192.168.40.130/pki/pub/crl/cacrl.crl Signature Algorithm: sha256WithRSAEncryption 18:e7:39:9a:ad:84:64:7b:a3:85:62:49:e5:c9:12:56:a6:d2: 46:91:53:8e:84:ba:4a:0a:6f:28:b9:43:bc:e7:b0:ca:9e:d4: 1f:d2:6f:48:c4:b9:ba:c5:69:4d:90:f3:15:c4:4e:4b:1e:ef: 2b:1b:2d:cb:47:1e:60:a9:0f:81:dc:f2:65:6b:5f:7a:e2:36: 29:5d:d4:52:32:ef:87:50:7c:9f:30:4a:83:de:98:8b:6a:c9: 3e:9d:54:ee:61:a4:26:f3:9a:40:8f:a6:6b:2b:06:53:df:b6: 5f:67:5e:34:c8:c3:b5:9b:30:ee:01:b5:a9:51:f9:b1:29:37: 02:1a:05:02:e7:cc:1c:fe:73:d3:3e:fa:7e:91:63:da:1d:f1: db:28:6b:6c:94:84:ad:fc:63:1b:ba:53:af:b3:5d:eb:08:b3: 5b:d7:22:3a:86:c3:97:ef:ac:25:eb:4a:60:f8:2b:a3:3b:da: 5d:6f:a5:cf:cb:5a:0b:c5:2b:45:b7:3e:6e:39:e9:d9:66:6d: ef:d3:a0:f6:2a:2d:86:a3:01:c4:94:09:c0:99:ce:22:19:84: 2b:f0:db:3e:1e:18:fb:df:56:cb:6f:a2:56:35:0d:39:94:34: 6d:19:1d:46:d7:bf:1a:86:22:78:87:3e:67:fe:4b:ed:37:3d: d6:0a:1c:0b Certificate: Data: Version: 3 (0x2) Serial Number: 08:7c:67:01:5c:b3:5a:12:0f:2f Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, L=shangdi, ST=beijing, O=OpenCA Labs, OU=docm, CN=subca1 Validity Not Before: May 26 05:58:26 2011 GMT Not After : Nov 22 05:58:26 2012 GMT...
  • Page 168 CA:FALSE Netscape Cert Type: SSL Server X509v3 Key Usage: Key Encipherment, Data Encipherment Netscape Comment: VPN Server of OpenCA Labs X509v3 Subject Key Identifier: CC:96:03:2F:FC:74:74:45:61:38:1F:48:C0:E8:AA:18:24:F0:2B:AB X509v3 Authority Key Identifier: keyid:70:54:40:61:71:31:02:06:8C:62:11:0A:CC:A5:DB:0E:7E:74:DE:DD X509v3 Subject Alternative Name: email:subencr@docm.com X509v3 Issuer Alternative Name: DNS:subca1@docm.com, DNS:, IP Address:1.1.2.2, IP Address:2.2.1.1 Authority Information Access: CA Issuers - URI:http://titan/pki/pub/cacert/cacert.crt OCSP - URI:http://titan:2560/...
  • Page 169: Troubleshooting Pki Configuration

    Troubleshooting PKI configuration This section describes common PKI problems and how to troubleshoot them. Failed to obtain the CA certificate Symptom The CA certificate cannot be obtained. Analysis • The network connection is down because, for example, the network cable is damaged or the...
  • Page 170: Failed To Request Local Certificates

    Solution Make sure the network connection is physically proper. Obtain or import the CA certificate. Configure the correct LDAP server. Specify the key pair used for certificate request in the PKI domain, generate the proper key pair, and make sure it matches the local certificates to be obtained. Reference the proper PKI entity in the PKI domain, and correctly configure the PKI entity.
  • Page 171: Failed To Obtain Crls

    Synchronize the system time of the device with the CA server. Failed to obtain CRLs Symptom CRLs cannot be obtained. Analysis • The network connection is down because, for example, the network cable is damaged or the connectors have bad contact. •...
  • Page 172: Failed To Import A Local Certificate

    Solution Use undo crl check enable to disable CRL checking. Make sure the format of the imported file is proper. Failed to import a local certificate Symptom A local certificate cannot be imported. Analysis • The PKI domain has no CA certificate, and the certificate file to be imported does not contain the...
  • Page 173: Failed To Set The Storage Path

    Use mkdir to create the required path. Specify a correct export path. Configure the proper key pair in the PKI domain. Clear up the disk space of the device. Failed to set the storage path Symptom The storage path for certificates or CRLs cannot be set. Analysis The specified storage path does not exist.
  • Page 174: Configuring Ssh

    Configuring SSH Overview Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. Adopting the typical client/server model, SSH can establish a channel to protect data transfer based on TCP. SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible.
  • Page 175: Ssh Authentication Methods

    Interaction: In this stage, you can paste commands in text format and execute them at the CLI. The text pasted at one time must be no more than 2000 bytes. H3C recommends that you paste commands in the same view. Otherwise, the server might not be able to correctly execute the commands.
  • Page 176: Fips Compliance

    • Password-publickey authentication—The server requires SSH2 clients to pass both password authentication and publickey authentication. However, an SSH1 client only needs to pass either authentication, regardless of the requirement of the server. • Any authentication—The server requires clients to pass either password authentication or publickey authentication.
  • Page 177: Enabling The Ssh Server Function

    The DSA or RSA key pairs are required for generating the session key and session ID in the key exchange stage, and can also be used by a client to authenticate the server. When a client tries to authenticate the server, it compares the public key that it receives from the server with the server public key that it saved locally.
  • Page 178: Enabling The Sftp Server Function

    Enabling the SFTP server function The SFTP server function enables clients to log in to the device through SFTP. To enable the SFTP server function: Step: Enter system view. Command: system-view. Step: Enable the SFTP server function. Command: sftp server enable. Remarks: By default, the SFTP server function...
  • Page 179: Configuring An Ssh User

    PKCS format. H3C recommends that you configure no more than 20 SSH client host public keys on an SSH server. To manually configure a client's host public key:...
  • Page 180 If the authentication method is password, you do not need to perform the procedure in this section to configure them unless you want to use the display ssh user-information command to display all SSH users, including the password-only SSH users, for centralized management. If such an SSH user has been created, make sure you have specified the correct service type and authentication method.
  • Page 181: Setting The Ssh Management Parameters

    Setting the SSH management parameters Setting the SSH management parameters can improve the security of SSH connections. The SSH management parameters include: • Whether the SSH server is compatible with SSH1 clients. • RSA server key pair update interval, applicable to users using SSH1 clients. •...
  • Page 182: Configuring The Device As An Stelnet Client

    Stelnet clients in the authentication service, H3C recommends that you specify a loopback interface as the source interface. To specify a source IP address or source interface for the Stelnet client:...
  • Page 183 When an Stelnet client accesses an Stelnet server, it uses the locally saved host public key of the server to authenticate the server. When acting as an Stelnet client, the device supports the first authentication by default. When the device accesses an Stelnet server for the first time but it is not configured with the host public key of the SSH server, it can access the server and locally save the server's host public key for future use.
  • Page 184 Task Command Remarks • Establish a connection to an IPv4 Stelnet server: In non-FIPS mode: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer- compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des |...
  • Page 185: Configuring The Device As An Sftp Client

    SFTP clients in the authentication service, H3C recommends that you specify a loopback interface as the source interface. To specify a source IP address or source interface for the SFTP client:...
  • Page 186 When an SFTP client accesses an SFTP server, it uses the locally saved host public key of the server to authenticate the server. When acting as an SFTP client, the device supports the first authentication by default. When the device accesses an SFTP server for the first time but it is not configured with the host public key of the SFTP server, it can access the server and locally save the server's host public key for future use.
  • Page 187: Working With Sftp Directories

    Working with SFTP directories Task: Change the working directory on the SFTP server. Command: cd [ remote-path ]. Remarks: Available in SFTP client view. Task: Return to the upper-level directory. Command: cdup. Remarks: Available in SFTP client view. Task: Display the current working directory on the SFTP server. Remarks: Available in SFTP client view.
  • Page 188: Terminating The Connection With The Sftp Server

    Task: Display the help information of an SFTP client command. Command: • help • ... Remarks: Use either command. Available in SFTP client view. These two commands function in the same way. Terminating the connection with the SFTP server Task Command Remarks Use one of the commands.
  • Page 189 Task Command Remarks • Connect to the IPv4 SCP server, and transfer files with this server: In non-FIPS mode: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex...
  • Page 190: Displaying And Maintaining Ssh

    Displaying and maintaining SSH Execute display commands in any view. Task: Display the source IP address or source interface information configured for the SFTP client. Command: display sftp client source. Task: Display the source IP address or source interface information configured for the Stelnet client. Command: display ssh client source.
  • Page 191 The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys......++++++ ....++++++ ..++++++++ ....++++++++ Create the key pair successfully.
  • Page 192 Launch PuTTY.exe to enter the interface shown in Figure In the Host Name (or IP address) field, enter the IP address 192.168.1.40 of the Stelnet server. Figure 47 Specifying the host name (or IP address) Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username and password.
  • Page 193: Publickey Authentication Enabled Stelnet Server Configuration Example

    Publickey authentication enabled Stelnet server configuration example Network requirements As shown in Figure 48, you can log in to the switch through the Stelnet client (SSH2) that runs on the host and be assigned the user role network-admin for configuration management. The switch acts as the Stelnet server and uses publickey authentication and the RSA public key algorithm.
  • Page 194 Continuously move the mouse and do not place the mouse over the green progress bar shown in Figure 50. Otherwise, the progress bar stops moving and the key pair generating progress stops. Figure 50 Generating process After the key pair is generated, click Save public key, enter a file name (key.pub in this example), and click Save.
  • Page 195 Figure 51 Saving a key pair on the client Click Save private key to save the private key. A confirmation dialog box appears. Click Yes, enter a file name (private.ppk in this example), and click Save. Transmit the public key file to the server through FTP or TFTP. (Details not shown.) Configure the Stelnet server: # Generate the RSA key pairs.
  • Page 196 Generating Keys..++++++++++++++++++++++++++++++++++++++++++++++++++* ..+..+..+........+ ...+....+..+...+ Create the key pair successfully. # Enable the SSH server function. [Switch] ssh server enable # Assign an IP address to VLAN-interface 2. The Stelnet client will use this address as the destination for SSH connection. [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.40 255.255.255.0 [Switch-Vlan-interface2] quit...
  • Page 197 Figure 52 Specifying the host name (or IP address) Select Connection > SSH from the navigation tree. The window shown in Figure 53 appears. Select 2 for the Preferred SSH protocol version. Figure 53 Specifying SSH version...
  • Page 198: Password Authentication Enabled Stelnet Client Configuration Example

    Select Connection > SSH > Auth from the navigation tree. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this example) and click OK. The window shown in Figure 54 appears. Figure 54 Specifying the private key file Click Open to connect to the server.
  • Page 199 Configuration procedure Configure the Stelnet server: # Generate the RSA key pairs. <SwitchB> system-view [SwitchB] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 200 [SwitchB] ssh user client001 service-type stelnet authentication-type password Establish a connection to the Stelnet server: # Assign an IP address to VLAN-interface 2. <SwitchA> system-view [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 192.168.1.56 255.255.255.0 [SwitchA-Vlan-interface2] quit [SwitchA] quit You can determine whether to configure the host public key of the server on the client before establishing a connection to the server: If you do not configure the host public key of the server on the client, select Yes to access the server without authenticating the server, and locally save the host public key of the server.
  • Page 201: Publickey Authentication Enabled Stelnet Client Configuration Example

    [SwitchA-pkey-public-key-key1]B32E810561C21621C73D6DAAC028F4B1585DA7F42519718C 9B09EEF0381840002818000AF995917 [SwitchA-pkey-public-key-key1]E1E570A3F6B1C2411948B3B4FFA256699B3BF871221CC9C5 F257523777D033BEE77FC378145F2AD [SwitchA-pkey-public-key-key1]D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F7 01F7C62621216D5A572C379A32AC290 [SwitchA-pkey-public-key-key1]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465 8716261214A5A3B493E866991113B2D [SwitchA-pkey-public-key-key1]485348 [SwitchA-pkey-public-key-key1] peer-public-key end [SwitchA] quit # Establish an SSH connection to the server 192.168.1.40 and specify the host public key of the server. <SwitchA> ssh2 192.168.1.40 publickey key1 Username: client001 client001@192.168.1.40's password: After you enter the correct password, you successfully log in to Switch B.
  • Page 202 [SwitchA] public-key local create dsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys...
  • Page 203: Sftp Configuration Examples

    [SwitchB] user-interface vty 0 15 [SwitchB-ui-vty0-15] authentication-mode scheme [SwitchB-ui-vty0-15] quit # Import the peer public key from the file key.pub, and name it switchkey. [SwitchB] public-key peer switchkey import sshkey key.pub # Create an SSH user client002 with the authentication method publickey, and assign the public key switchkey to the user.
  • Page 204 # Generate the RSA key pairs. <Switch> system-view [Switch] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys...
  • Page 205: Publickey Authentication Enabled Sftp Client Configuration Example

    NOTE: PSFTP supports only password authentication. To establish a connection to the SFTP server: Run the psftp.exe to launch the client interface shown in Figure 58, and enter the following command: open 192.168.1.45 Enter username client002 and password aabbcc as prompted to log in to the SFTP server. Figure 58 SFTP client interface Publickey authentication enabled SFTP client configuration example...
  • Page 206 Configure the SFTP client: # Assign an IP address to VLAN-interface 2. <SwitchA> system-view [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 192.168.0.2 255.255.255.0 [SwitchA-Vlan-interface2] quit # Generate the RSA key pairs. [SwitchA] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes.
  • Page 207 # Enable the SSH server function. [SwitchB] ssh server enable # Enable the SFTP server function. [SwitchB] sftp server enable # Assign an IP address to VLAN-interface 2. The SSH client will use this address as the destination for SSH connection. [SwitchB] interface vlan-interface 2 [SwitchB-Vlan-interface2] ip address 192.168.0.1 255.255.255.0 [SwitchB-Vlan-interface2] quit...
  • Page 208: Scp File Transfer With Password Authentication

    # Add a directory named new1 and verify that it has been successfully created. sftp> mkdir new1 sftp> dir -l -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey drwxrwxrwx...
  • Page 209: Configuration Procedure

    uses the password authentication method and the client's username and password are saved on Switch B. Figure 60 Network diagram Configuration procedure Configure the SCP server: # Generate the RSA key pairs. <SwitchB> system-view [SwitchB] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes.
  • Page 210 [SwitchB-luser-manage-client001] service-type ssh [SwitchB-luser-manage-client001] authorization-attribute user-role network-admin [SwitchB-luser-manage-client001] quit # Create an SSH user client001 with service type scp and authentication method password. (Optional. If an SSH user is not created, password authentication is used by default.) [SwitchB] ssh user client001 service-type scp authentication-type password Configure an IP address for VLAN-interface 2 on the SCP client.
  • Page 211: Configuring Ssl

    Configuring SSL Overview Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security for TCP-based application layer protocols such as HTTP. SSL has been widely used in applications such as e-business and online banking to provide secure data transmission over the Internet. SSL security mechanism SSL provides the following security services: • Privacy—SSL uses a symmetric encryption algorithm to encrypt data and uses an asymmetric key...
  • Page 212: Fips Compliance

    Figure 62 SSL protocol stack The following describes the major functions of SSL protocols: • SSL record protocol—Fragments data received from the upper layer, computes and adds MAC to the data, and encrypts the data. • SSL handshake protocol—Negotiates the cipher suite used for secure communication (including the symmetric encryption algorithm, key exchange algorithm, and MAC algorithm), authenticates the server and client, and securely exchanges the key between the server and client.
  • Page 213: Configuring An Ssl Client Policy

    To configure an SSL server policy: Step: Enter system view. Command: system-view. Step: Create an SSL server policy and enter its view. Command: ssl server-policy policy-name. Remarks: By default, no SSL server policy exists on the device. Remarks (next step): By default, no PKI domain is specified for an SSL server policy.
  • Page 214: Displaying And Maintaining Ssl

    To configure an SSL client policy: Step: Enter system view. Command: system-view. Step: Create an SSL client policy and enter its view. Command: ssl client-policy policy-name. Remarks: By default, no SSL client policy exists on the device. Remarks (next step): By default, no PKI domain is specified for an SSL client policy.
  • Page 215 Task Command Display SSL server policy information. display ssl server-policy [ policy-name ] Display SSL client policy information. display ssl client-policy [ policy-name ]...
  • Page 216: Configuring Ip Source Guard

    Configuring IP source guard Overview IP source guard is a security feature. It is usually configured on a user access interface to help prevent spoofing attacks, in which an attacker uses, for example, the IP address of a valid host, to access the network.
  • Page 217: Dynamic Ipv4 Source Binding Entries

    For information about ARP detection, see "Configuring ARP attack protection." Dynamic IPv4 source binding entries IP source guard can automatically obtain user information from other modules to generate IPv4 binding entries. On interfaces configured with the dynamic IPv4 source guard function, IP source guard cooperates with different modules to generate IPv4 binding entries dynamically: On an Ethernet port, IP source guard can cooperate with DHCP snooping, obtain the DHCP •...
  • Page 218: Configuring A Static Ipv4 Source Guard Binding Entry On An Interface

    All the fields in a static IPv4 binding entry are used by IP source guard to filter packets. For information about how to configure a static IPv4 binding entry, see "Configuring a static IPv4 source guard binding entry on an interface."...
  • Page 219: Configuring The Ipv6 Source Guard Function

    NOTE: • You cannot configure the same static binding entry on one interface, but you can configure the same static binding entry on different interfaces. • For packet filtering on an interface, IP source guard ignores the VLAN information (if specified) in static...
  • Page 220: Displaying And Maintaining Ip Source Guard

    Step: Configure a static IPv6 binding entry. Command: ipv6 source binding ip-address ipv6-address [ mac-address... Remarks: By default, no static IPv6 binding entry is configured on an interface. IP source guard does not use the VLAN information (if specified) in static IPv6 source guard binding entries to filter packets.
  • Page 221 1/0/2 of Switch A. Switch B is connected to port Ten-GigabitEthernet 1/0/1 of Switch A. All hosts use static IP addresses. Configure static IPv4 source guard binding entries on Switch A and Switch B to meet the following requirements: • On port Ten-GigabitEthernet 1/0/2 of Switch A, only IP packets from Host C can pass. •...
  • Page 222: Dynamic Ipv4 Source Guard Using Dhcp Snooping Configuration Example

    <SwitchB> system-view
    [SwitchB] interface ten-gigabitEthernet 1/0/2
    [SwitchB-Ten-GigabitEthernet1/0/2] ip verify source ip-address mac-address
    # On Ten-GigabitEthernet 1/0/2, configure a static IPv4 source guard binding entry to allow only IP packets with the source MAC address of 0001-0203-0406 and the source IP address of 192.168.0.1 to pass.
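    The filtering behaviour described in the IP source guard sections above (static bindings held per interface, the two "ip verify source" filter modes, VLAN information ignored when filtering, and the duplicate-entry rule from the NOTE) can be seen in the following model. It is an added example, not H3C code; the class and method names, and the assumption that an IP-only entry cannot match in "ip-address mac-address" mode, are this example's own.

```python
# Added example, not H3C code: a small model of IP source guard static IPv4
# bindings and the per-interface "ip verify source" filter described above.
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: Optional[str] = None   # None = IP-only entry
    vlan: Optional[int] = None  # stored, but ignored when filtering (see NOTE above)


class IpSourceGuard:
    def __init__(self) -> None:
        self.mode: Dict[str, str] = {}   # interface -> "ip-address" | "ip-address mac-address"
        self.bindings: Dict[str, Set[Binding]] = {}

    def ip_verify_source(self, iface: str, mode: str) -> None:
        """Enable IP source guard on an interface in one of the two filter modes."""
        if mode not in ("ip-address", "ip-address mac-address"):
            raise ValueError("unknown filter mode: " + mode)
        self.mode[iface] = mode
        self.bindings.setdefault(iface, set())

    def ip_source_binding(self, iface: str, ip: str, mac: Optional[str] = None,
                          vlan: Optional[int] = None) -> bool:
        """Add a static binding. Returns False if the identical entry already exists
        on this interface; the same entry on another interface is accepted."""
        entry = Binding(ip, mac, vlan)
        table = self.bindings.setdefault(iface, set())
        if entry in table:
            return False
        table.add(entry)
        return True

    def permits(self, iface: str, src_ip: str, src_mac: str) -> bool:
        """Decide whether an IP packet received on iface passes the filter.
        Assumption of this example: in "ip-address mac-address" mode an entry
        without a MAC address cannot match, because both fields are checked."""
        mode = self.mode.get(iface)
        if mode is None:
            return True  # IP source guard not enabled here: nothing is filtered
        for entry in self.bindings[iface]:
            if entry.ip != src_ip:
                continue
            if mode == "ip-address":
                return True
            if entry.mac == src_mac:
                return True
        return False


def demo() -> dict:
    """Reproduces the Switch B configuration above with constructed packets."""
    sg = IpSourceGuard()
    port = "Ten-GigabitEthernet1/0/2"
    sg.ip_verify_source(port, "ip-address mac-address")
    added = sg.ip_source_binding(port, "192.168.0.1", "0001-0203-0406")
    duplicate = sg.ip_source_binding(port, "192.168.0.1", "0001-0203-0406")
    # the same entry on a different interface is accepted
    other = sg.ip_source_binding("Ten-GigabitEthernet1/0/3", "192.168.0.1", "0001-0203-0406")
    return {
        "added": added,
        "duplicate_rejected": not duplicate,
        "other_iface_ok": other,
        "valid_host": sg.permits(port, "192.168.0.1", "0001-0203-0406"),
        "spoofed_ip": sg.permits(port, "192.168.0.99", "0001-0203-0406"),
        "spoofed_mac": sg.permits(port, "192.168.0.1", "aaaa-bbbb-cccc"),
        "unguarded_port": sg.permits("Ten-GigabitEthernet1/0/4", "10.0.0.1", "aaaa-bbbb-cccc"),
    }
```

    The last entry in the result is the point to remember when auditing a switch: a port without "ip verify source" filters nothing, however many bindings exist elsewhere.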
  • Page 223 Enable dynamic IPv4 source guard on port Ten-GigabitEthernet 1/0/1 to filter received packets based on DHCP snooping entries, allowing only packets from a client that obtains an IP address from the DHCP server to pass. Figure 65 Network diagram Configuration procedure Configure the DHCP server: For information about DHCP server configuration, see Layer 3—IP Services Configuration Guide.
  • Page 224: Dynamic Ipv4 Source Guard Using Dhcp Relay Configuration Example

    Dynamic IPv4 source guard using DHCP relay configuration example Network requirements As shown in Figure 66, the host and the DHCP server are connected to the switch through interfaces VLAN-interface 100 and VLAN-interface 200 respectively. DHCP relay is enabled on the switch. The host obtains an IP address from the DHCP server through the DHCP relay agent.
  • Page 225: Static Ipv6 Source Guard Configuration Example

    Static IPv6 source guard configuration example Network requirements As shown in Figure 67, the host is connected to port Ten-GigabitEthernet 1/0/1 of the switch. Configure a static IPv6 source guard binding entry for Ten-GigabitEthernet 1/0/1 of the switch to allow only IPv6 packets from the host to pass.
  • Page 226: Configuring Arp Attack Protection

    Configuring ARP attack protection ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks. Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
  • Page 227: Configuring Arp Source Suppression

    • ARP source suppression—If the attack packets have the same source address, you can enable the ARP source suppression function, and set the maximum number of unresolvable IP packets that the device can receive from a host within 5 seconds. If the threshold is reached, the device stops resolving packets from the host until the 5 seconds elapse.
  • Page 228: Configuring Arp Packet Rate Limit

    Figure 68 Network diagram (IP network; gateway device with ARP attack protection; VLAN 10 and VLAN 20; Host A, Host B, Host C and Host D in the R&D office)
    Configuration considerations
    If the attack packets have the same source address, configure the ARP source suppression function as follows: Enable ARP source suppression.
  • Page 229: Configuration Guidelines

    Configuration guidelines
    Configure this feature when ARP detection or ARP snooping is enabled, or when ARP flood attacks are detected.
    Configuration procedure
    This task sets a rate limit for ARP packets received on an interface. Log messages are sent to the information center of the device. You can set output rules for log messages on the information center.
  • Page 230: Displaying And Maintaining Source Mac-Based Arp Attack Detection

    Step / Command / Remarks:
    • Enable source MAC-based ARP attack detection and specify the handling method. Command: arp source-mac { filter | monitor }. Remarks: By default, this feature is disabled.
    • Configure the threshold. Command: arp source-mac threshold threshold-value. Remarks: By default, the threshold is 30.
    • Configure the aging timer for ... Command: arp source-mac aging-time time ... Remarks: By default, the lifetime is 300 ...
  • Page 231

    Figure 69 Network diagram (IP network; gateway device with ARP attack protection; server 0012-3f86-e94c; Host A, Host B, Host C, Host D)
    Configuration considerations
    An attacker may forge a large number of ARP packets by using the MAC address of a valid host as the source MAC address.
  • Page 232: Configuring Arp Packet Source Mac Consistency Check

    Configuring ARP packet source MAC consistency check This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body, so that the gateway can learn correct ARP entries.
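    The two checks described in the previous pages, source MAC-based ARP attack detection (threshold, aging timer, filter or monitor handling) and the source MAC consistency check just described, are shown together below on raw ARP frames. This is an added example, not H3C code: the frame builder, the 5-second counting window and the class names are this example's assumptions, constructed so that the difference between the Ethernet source MAC and the ARP sender MAC is visible in the bytes.

```python
# Added example, not H3C code: parses raw ARP frames to show the two MAC addresses
# the consistency check compares, and models source MAC-based ARP attack detection
# (threshold 30, aging time 300 s, filter or monitor handling, as in the table
# above). Assumption of this example: packets are counted in a 5-second window.
import ipaddress
import struct
from collections import defaultdict, deque
from typing import Deque, Dict, Optional

ETH_HDR = struct.Struct("!6s6sH")
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806


def mac_str(raw: bytes) -> str:
    h = raw.hex()
    return "-".join((h[0:4], h[4:8], h[8:12]))  # H3C notation, e.g. 0012-3f86-e94c


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace("-", ""))


def build_arp_request(eth_src: str, sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Constructed test frame: broadcast Ethernet header + ARP request body."""
    eth = ETH_HDR.pack(b"\xff" * 6, mac_bytes(eth_src), ETHERTYPE_ARP)
    body = ARP_BODY.pack(1, 0x0800, 6, 4, 1, mac_bytes(sender_mac),
                         ipaddress.IPv4Address(sender_ip).packed,
                         b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed)
    return eth + body


def parse_arp(frame: bytes) -> Optional[dict]:
    dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    return {"eth_src": mac_str(src), "eth_dst": mac_str(dst), "op": op,
            "sender_mac": mac_str(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}


def source_mac_consistent(pkt: dict) -> bool:
    """Source MAC consistency check: Ethernet source MAC must equal the ARP sender MAC."""
    return pkt["eth_src"] == pkt["sender_mac"]


class SourceMacDetector:
    def __init__(self, mode: str = "filter", threshold: int = 30,
                 aging_time: float = 300.0, window: float = 5.0) -> None:
        self.mode, self.threshold = mode, threshold
        self.aging_time, self.window = aging_time, window
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)
        self.attack_entries: Dict[str, float] = {}  # source MAC -> entry expiry time

    def observe(self, src_mac: str, now: float) -> str:
        """Returns "forward", "drop" (filter mode) or "log" (monitor mode)."""
        expiry = self.attack_entries.get(src_mac)
        if expiry is not None:
            if now < expiry:
                return "drop" if self.mode == "filter" else "log"
            del self.attack_entries[src_mac]  # attack entry aged out
        stamps = self.recent[src_mac]
        stamps.append(now)
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()
        if len(stamps) > self.threshold:
            self.attack_entries[src_mac] = now + self.aging_time
            stamps.clear()
            return "drop" if self.mode == "filter" else "log"
        return "forward"


def demo() -> dict:
    honest = parse_arp(build_arp_request("000f-e349-1234", "000f-e349-1234", "10.1.1.3", "10.1.1.1"))
    forged = parse_arp(build_arp_request("aaaa-bbbb-cccc", "000f-e349-1234", "10.1.1.3", "10.1.1.1"))
    det = SourceMacDetector(mode="filter")
    flood = [det.observe("0012-3f86-e94c", 0.01 * i) for i in range(31)]
    mon = SourceMacDetector(mode="monitor", threshold=2)
    mon_results = [mon.observe("0012-3f86-e94c", 0.0) for _ in range(3)]
    return {
        "honest_consistent": source_mac_consistent(honest),
        "forged_consistent": source_mac_consistent(forged),
        "first_30_forwarded": flood[:30].count("forward") == 30,
        "31st_dropped": flood[30],
        "still_dropped_at_100s": det.observe("0012-3f86-e94c", 100.0),
        "forwarded_after_aging": det.observe("0012-3f86-e94c", 400.0),
        "monitor_only_logs": mon_results[-1],
    }
```

    Monitor mode is useful while tuning the threshold on a busy segment, since a threshold that is too low in filter mode silently drops ARP from a legitimately chatty host for the whole aging time.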
  • Page 233: Configuring Arp Packet Validity Check

    Static IP source guard binding entries are created by using the ip source binding command. For more information, see "Configuring IP source guard." DHCP snooping entries are automatically generated by DHCP snooping. For more information, see Layer 3—IP Services Configuration Guide. Configuration guidelines Make sure at least one among static IP source guard binding entries and DHCP snooping entries is •...
  • Page 234: Configuring Arp Restricted Forwarding

    Step / Command / Remarks:
    • Enable ARP detection. Command: arp detection enable. Remarks: By default, ARP detection is disabled.
    • Return to system view. Command: quit.
    • Enable ARP packet validity check and specify the objects to be checked. Command: arp detection validate { dst-mac | ip | src-mac }. Remarks: By default, ARP packet validity check is disabled.
  • Page 235: User Validity Check And Arp Packet Validity Check Configuration Example

    User validity check and ARP packet validity check configuration example Network requirements As shown in Figure 70, configure Switch B to perform ARP packet validity check and user validity check based on static IP source guard binding entries and DHCP snooping entries for connected hosts. Figure 70 Network diagram Gateway DHCP server...
  • Page 236: Configuring Arp Automatic Scanning And Fixed Arp

    [SwitchB-vlan10] arp detection enable
    # Configure the upstream interface as a trusted interface (an interface is an untrusted interface by default).
    [SwitchB-vlan10] interface ten-gigabitethernet 1/0/3
    [SwitchB-Ten-GigabitEthernet1/0/3] arp detection trust
    [SwitchB-Ten-GigabitEthernet1/0/3] quit
    # Configure a static IP source guard binding entry on interface Ten-GigabitEthernet 1/0/2 for user validity check.
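    The following model shows what the configuration above makes Switch B do with each ARP packet: trusted interfaces are not checked, untrusted interfaces get the packet validity checks selected with arp detection validate, and then the user validity check against the interface's binding entries (static IP source guard entries and DHCP snooping entries). It is an added example, not H3C code. The precise meaning of the dst-mac, ip and src-mac checks and the order of the two checks follow the keyword names and are this example's assumptions; the addresses are constructed.

```python
# Added example, not H3C code: ARP detection on an access switch as described
# above. Trusted interfaces pass; untrusted interfaces get the selected packet
# validity checks and then the user validity check against binding entries.
# The exact semantics of dst-mac / ip / src-mac and the check order are this
# example's assumptions based on the keyword names.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    eth_src: str
    eth_dst: str
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass
class ArpDetection:
    trusted: Set[str] = field(default_factory=set)
    # interface -> {(ip, mac)}: static IP source guard entries plus DHCP snooping entries
    bindings: Dict[str, Set[Tuple[str, str]]] = field(default_factory=dict)
    validate: Set[str] = field(default_factory=set)  # subset of {"dst-mac", "ip", "src-mac"}

    @staticmethod
    def _bogus_ip(ip: str) -> bool:
        a = ipaddress.IPv4Address(ip)
        return (a == ipaddress.IPv4Address("0.0.0.0")
                or a == ipaddress.IPv4Address("255.255.255.255")
                or a.is_multicast)

    def check(self, iface: str, pkt: ArpPacket) -> Tuple[bool, str]:
        if iface in self.trusted:
            return True, "trusted interface, not checked"
        # ARP packet validity check
        if "src-mac" in self.validate and pkt.eth_src != pkt.sender_mac:
            return False, "src-mac: Ethernet source differs from ARP sender MAC"
        if "dst-mac" in self.validate and pkt.op == ARP_REPLY and pkt.eth_dst != pkt.target_mac:
            return False, "dst-mac: Ethernet destination differs from ARP target MAC"
        if "ip" in self.validate:
            if self._bogus_ip(pkt.sender_ip) or (pkt.op == ARP_REPLY and self._bogus_ip(pkt.target_ip)):
                return False, "ip: all-zero, all-one or multicast address"
        # User validity check: sender IP/MAC must match a binding entry on this interface
        if (pkt.sender_ip, pkt.sender_mac) in self.bindings.get(iface, set()):
            return True, "sender matches a binding entry"
        return False, "sender does not match any binding entry"


def demo() -> dict:
    access, uplink = "Ten-GigabitEthernet1/0/2", "Ten-GigabitEthernet1/0/3"
    det = ArpDetection(trusted={uplink},
                       bindings={access: {("10.1.1.3", "000f-e349-1234")}},
                       validate={"dst-mac", "ip", "src-mac"})
    host_b = ArpPacket("000f-e349-1234", "ffff-ffff-ffff", ARP_REQUEST,
                       "000f-e349-1234", "10.1.1.3", "0000-0000-0000", "10.1.1.1")
    # Host B claiming the gateway's address: no binding for 10.1.1.3's MAC with 10.1.1.1
    spoof_gw = ArpPacket("000f-e349-1234", "ffff-ffff-ffff", ARP_REQUEST,
                         "000f-e349-1234", "10.1.1.1", "0000-0000-0000", "10.1.1.3")
    # reply whose Ethernet destination does not match the ARP target MAC
    bad_reply = ArpPacket("000f-e349-1234", "0001-0203-0406", ARP_REPLY,
                          "000f-e349-1234", "10.1.1.3", "aaaa-bbbb-cccc", "10.1.1.10")
    mcast = ArpPacket("000f-e349-1234", "ffff-ffff-ffff", ARP_REQUEST,
                      "000f-e349-1234", "224.0.0.1", "0000-0000-0000", "10.1.1.1")
    return {
        "host_b": det.check(access, host_b)[0],
        "gateway_spoof": det.check(access, spoof_gw)[0],
        "bad_reply": det.check(access, bad_reply)[0],
        "multicast_sender": det.check(access, mcast)[0],
        "uplink_unchecked": det.check(uplink, spoof_gw)[0],
    }
```

    The last result is the reason the trusted-interface decision matters: anything marked trusted, including a mis-cabled access port, bypasses every check.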
  • Page 237: Configuration Procedure

    Configuration procedure
    To configure ARP automatic scanning and fixed ARP:
    • Enter system view. Command: system-view.
    • Enter VLAN interface view. Command: interface interface-type interface-number.
    • Enable ARP automatic scanning. Command: arp scan [ start-ip-address to end-ip-address ].
    • Return to system view. Command: quit.
    • Enable fixed ARP. Command: arp fixup.
    Configuring ARP gateway protection
    Configure this feature on interfaces not connected with a gateway to prevent gateway spoofing attacks.
  • Page 238: Configuration Example

    Configuration example Network requirements As shown in Figure 71, Host B launches gateway spoofing attacks to Switch B. As a result, traffic that Switch B intends to send to Switch A is sent to Host B. Configure Switch B to block such attacks. Figure 71 Network diagram Configuration procedure # Configure ARP gateway protection on Switch B.
  • Page 239: Configuration Procedure

    • Do not configure both the arp filter source and arp filter binding commands on an interface.
    • If ARP filtering works with ARP detection and ARP snooping, ARP filtering applies first.
    Configuration procedure
    To configure ARP filtering:
    Step / Command / Remarks:
    • Enter system view. Command: system-view.
  • Page 240

    [SwitchB-Ten-GigabitEthernet1/0/2] arp filter binding 10.1.1.3 000f-e349-1234
    After the configuration is complete, Ten-GigabitEthernet 1/0/1 permits ARP packets from Host A, and discards other ARP packets. Ten-GigabitEthernet 1/0/2 permits ARP packets from Host B and discards other ARP packets.
  • Page 241: Configuring Urpf

    Configuring uRPF Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.
  • Page 242

    Figure 74 uRPF work flow
    uRPF works in the following steps:
    1. uRPF checks source address validity:
    • Discards packets with a source broadcast address.
    • Discards packets with an all-zero source address but a non-broadcast destination address. (A packet with source address 0.0.0.0 and destination address 255.255.255.255 might be a DHCP or BOOTP packet and cannot be discarded.)
  • Page 243

    • Proceeds to step 2 for other packets.
    2. uRPF checks whether the source address matches a FIB entry:
    • If yes, proceeds to step 3.
    • If not, proceeds to step 6.
    3. uRPF checks whether the check mode is loose:
    • If yes, proceeds to step 8.
    • If not, uRPF checks whether the matching route is a direct route: if yes, proceeds to step 5. ...
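    The decision the work flow above describes, reduced to code over a constructed FIB, as an added example that is not H3C code. It models the source validity checks, the FIB match, and the loose versus strict decision (strict requires that the route back to the source leaves through the receiving interface). The default route is deliberately skipped in the lookup: the device's handling of default routes is a separate step in the work flow that this example does not model, and the FIB contents, interface names and function names are assumptions.

```python
# Added example, not H3C code: the uRPF decision from the work flow above,
# run over a constructed FIB. Default routes are ignored here; their handling is
# a separate step of the device's work flow that this example does not model.
import ipaddress
from typing import List, Optional, Tuple

Fib = List[Tuple[str, str]]  # (prefix, outgoing interface), constructed for the example

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
UNSPECIFIED = ipaddress.IPv4Address("0.0.0.0")


def fib_lookup(fib: Fib, addr: ipaddress.IPv4Address) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match, skipping the default route (see note above)."""
    best = None
    for prefix, oif in fib:
        net = ipaddress.IPv4Network(prefix)
        if net.prefixlen == 0 or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, oif)
    return best


def urpf_check(fib: Fib, src: str, dst: str, in_iface: str, mode: str = "strict") -> bool:
    """Return True if the packet passes uRPF, False if it is discarded."""
    src_a, dst_a = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    # Step 1: source address validity
    if src_a == LIMITED_BROADCAST:
        return False
    if src_a == UNSPECIFIED:
        # 0.0.0.0 -> 255.255.255.255 may be DHCP/BOOTP and must not be discarded;
        # an all-zero source with any other destination is dropped.
        return dst_a == LIMITED_BROADCAST
    # Step 2: does the source address match a FIB entry?
    match = fib_lookup(fib, src_a)
    if match is None:
        return False
    net, oif = match
    # a source equal to the matched subnet's directed broadcast address is also bogus
    if net.prefixlen < 31 and src_a == net.broadcast_address:
        return False
    # Step 3: loose mode only requires that some route to the source exists
    if mode == "loose":
        return True
    # Strict mode: the route back to the source must leave via the receiving interface
    return oif == in_iface


def demo() -> dict:
    fib: Fib = [
        ("10.1.1.0/24", "XGE1/0/1"),    # customer network behind XGE1/0/1
        ("172.16.0.0/16", "XGE1/0/2"),  # reachable through the ISP uplink
        ("0.0.0.0/0", "XGE1/0/2"),      # default route, ignored by fib_lookup
    ]
    return {
        "customer_ok": urpf_check(fib, "10.1.1.10", "172.16.5.5", "XGE1/0/1"),
        "spoofed_on_uplink": urpf_check(fib, "10.1.1.10", "172.16.5.5", "XGE1/0/2"),
        "spoofed_loose_passes": urpf_check(fib, "10.1.1.10", "172.16.5.5", "XGE1/0/2", "loose"),
        "unrouted_source": urpf_check(fib, "203.0.113.7", "10.1.1.10", "XGE1/0/2", "loose"),
        "dhcp_discover": urpf_check(fib, "0.0.0.0", "255.255.255.255", "XGE1/0/1"),
        "zero_source_unicast_dst": urpf_check(fib, "0.0.0.0", "10.1.1.1", "XGE1/0/1"),
        "subnet_broadcast_source": urpf_check(fib, "10.1.1.255", "172.16.5.5", "XGE1/0/1"),
    }
```

    The "spoofed_loose_passes" case is why the network application below places strict mode on the customer-facing edge and loose mode only between ISPs, where asymmetric routing would otherwise make strict mode drop legitimate traffic.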
  • Page 244: Network Application

    Network application
    Figure 75 Network diagram (ISP A, ISP B and ISP C interconnected with uRPF (loose); user network attached to an ISP with uRPF (strict))
    Configure strict uRPF check between an ISP network and a customer network, and loose uRPF check between ISPs.
    Configuration procedure
    When you configure uRPF, follow these guidelines: uRPF checks only incoming packets on an interface.
  • Page 245: Displaying And Maintaining Urpf

    Displaying and maintaining uRPF
    Execute display commands in any view.
    • Display uRPF configuration. Command: display ip urpf [ slot slot-number ].
    Configuration example
    Network requirements
    As shown in Figure 76, a client (Switch A) directly connects to an ISP switch (Switch B). Enable strict uRPF check on Switch A and Switch B to prevent source address spoofing attacks.
  • Page 246: Configuring Fips

    Configuring FIPS
    Overview
    Federal Information Processing Standards (FIPS) are developed by the National Institute of Standards and Technology (NIST) of the United States. FIPS 140-2 specifies the security requirements for cryptographic modules. It defines four levels of security, named "Level 1" to "Level 4", from low to high. The switch supports Level 2.
  • Page 247: Configuring Fips Mode

    save. Other commands used for configuration preparation to enter FIPS mode.
    • To switch to non-FIPS mode, execute the undo fips mode enable command in system view, save the configuration, and reboot the device.
    • Configuration rollback is supported in FIPS mode and also during a switch between FIPS mode and ...
  • Page 248: Configuration Changes In Fips Mode

    The system automatically uses the startup configuration file to reboot the device and enter FIPS mode. You can only use the configured username and password to log in to the FIPS device. After login, you are assigned a user role of crypto officer. Manual reboot To use manual reboot to enter FIPS mode: Enable the password control function globally.
  • Page 249: Fips Self-Tests

    If the conditional self-test fails, the system outputs self-test failure information. NOTE: If a self-test fails, contact H3C Support. Power-up self-tests The power-up self-test, also called "known-answer test", examines the availability of FIPS-allowed cryptographic algorithms.
  • Page 250: Triggering Self-Tests

    • Pair-wise consistency test—This test is run when a DSA/RSA asymmetric key pair is generated. For an RSA key pair it uses the public key to encrypt a plaintext and the private key to decrypt the ciphertext; if the decryption recovers the plaintext, the test succeeds. Otherwise, the test fails. (A DSA key pair cannot encrypt; for signature-only key pairs the pair-wise test signs with the private key and verifies the signature with the public key.)
    • ...
  • Page 251: Entering Fips Mode Through Manual Reboot

    Enter password(15~63 characters):
    Confirm:
    Waiting for reboot ... After reboot, the device will enter FIPS mode.
    Verifying the configuration
    After the device reboots, enter the username root and the password 12345zxcvb!@#$%ZXCVB. The system prompts you to configure a new password. After you configure the new password, the device enters FIPS mode.
  • Page 252: Configuration File

    # Set the number of character types a password must contain to 4, and set the minimum number of characters for each type to one character.
    [Sysname] password-control composition type-number 4 type-length 1
    # Set the minimum length of user passwords to 15 characters.
    [Sysname] password-control length 15
    # Add a local user account for device management, including a username of test, a password of 12345zxcvb!@#$%ZXCVB, a user role of network-admin, and a service type of Terminal.
  • Page 253

    confirm: Updating user information. Please wait ...
    <Sysname>
    # Display the current FIPS mode state.
    <Sysname> display fips status
    FIPS mode is enabled.
  • Page 254: Configuring Ipsec

    Configuring IPsec CAUTION: If you configure both IPsec and QoS on an interface, make sure the IPsec traffic classification rules match the QoS traffic classification rules. If the rules do not match, QoS might classify the packets of one IPsec SA to different queues, causing packets to be sent out of order.
  • Page 255: Security Protocols And Encapsulation Modes

    Security protocols and encapsulation modes
    Security protocols
    IPsec comes with two security protocols, AH and ESP. They define how to encapsulate IP packets and the security services that they can provide.
    • AH (protocol 51) defines the encapsulation of the AH header in an IP packet, as shown in Figure ...
  • Page 256: Security Association

    • IKE negotiation mode—The peers negotiate and maintain the SA through IKE. This configuration mode is simple and scales well. In medium- and large-scale dynamic networks, H3C recommends setting up SAs through IKE negotiations.
    A manually configured SA never ages out. An IKE-created SA has a lifetime, which comes in two types:
    Time-based lifetime—Defines how long the SA can be valid after it is created.
  • Page 257: Authentication And Encryption

    Authentication and encryption
    Authentication algorithms
    IPsec uses keyed hash algorithms (HMAC) to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message; with HMAC the digest also depends on a key shared by the peers, so a third party without the key cannot produce a valid digest. IPsec peers respectively calculate message digests for each packet. The receiver compares the local digest with that received from the sender. If the digests are identical, the receiver considers the packet intact and the sender's identity valid.
  • Page 258: Protocols And Standards

    The device supports the following data flow protection modes:
    • Standard mode—One IPsec tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one IPsec tunnel that is established solely for it.
    • Aggregation mode—One IPsec tunnel protects all data flows permitted by all the rules of an ACL.
    • ...
  • Page 259: Acl-Based Ipsec Configuration Task List

    Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and 50, respectively. Make sure flows of these protocols are not denied on the interfaces with IKE or IPsec configured. ACL-based IPsec configuration task list The generic configuration procedure for implementing ACL-based IPsec is as follows: Configure an ACL for identifying data flows to be protected.
  • Page 260: Configuring An Ipsec Transform Set

    • Each ACL rule matches both the outbound traffic and the returned inbound traffic.
    • In the outbound direction, if a permit statement is matched, IPsec considers that the packet requires protection and continues to process it. If a deny statement is matched or no match is found, IPsec considers that the packet does not require protection and delivers it to the next function module.
  • Page 261

    Step / Command / Remarks:
    • Enter system view. Command: system-view.
    • Create an IPsec transform set and enter its view. Command: ipsec transform-set transform-set-name. Remarks: By default, no IPsec transform set exists.
    • (Optional.) Specify the security protocol for the IPsec transform set. Command: protocol { ah | ah-esp | esp }. Remarks: By default, the IPsec transform set ...
  • Page 262: Configuring A Manual Ipsec Policy

    Step / Command / Remarks:
    • (Optional.) Enable the Perfect Forward Secrecy (PFS) feature ... Command (in non-FIPS mode): pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | ... Remarks: By default, the PFS feature is not used for SA negotiation. For more information about PFS, see "Configuring IKE." The security level of the local Diffie-Hellman group must be ...
  • Page 263

    Step / Command / Remarks:
    • Specify an ACL for the IPsec policy. Command: security acl [ ipv6 ] { acl-number | name acl-name }. Remarks: By default, an IPsec policy references no ACL. An IPsec policy can reference only one ACL.
    • Specify an IPsec transform set ... Remarks: By default, an IPsec policy references no IPsec transform set.
  • Page 264: Configuring An Ike-Based Ipsec Policy

    Configuring an IKE-based IPsec policy In an IKE-based IPsec policy, the parameters are automatically negotiated through IKE. To configure an IKE-based IPsec policy, use one of the following methods: Directly configure it by configuring the parameters in IPsec policy view. •...
  • Page 265

    Step / Command / Remarks:
    • Specify IPsec transform sets for the IPsec policy. Command: transform-set transform-set-name&<1-6>. Remarks: By default, the IPsec policy references no IPsec transform set.
    • Specify an IKE profile for the IPsec policy. Command: ike-profile profile-name. Remarks: By default, the IPsec policy references no IKE profile, and it uses the IKE parameters configured in system view for negotiation. An IPsec policy can reference only ...
  • Page 266 A device referencing an IPsec policy that is configured by using an IPsec policy template cannot initiate an SA negotiation, but it can respond to a negotiation request. The parameters not defined in the template are determined by the initiator. For example, in an IPsec policy template, the ACL is optional. If you do not specify an ACL, the IPsec protection range has no limit.
  • Page 267: Applying An Ipsec Policy To An Interface

    Step / Command / Remarks:
    • Configure the IPsec SA lifetime. Command: sa duration { time-based seconds | traffic-based kilobytes }. Remarks: By default, the global SA lifetime settings are used.
    • (Optional.) Set the IPsec SA idle timeout. Command: sa idle-time seconds. Remarks: By default, the global SA idle ...
  • Page 268: Enabling Acl Checking For De-Encapsulated Packets

    Step / Command / Remarks:
    • Apply an IPsec policy to the interface. Command: ipsec { policy | ipv6-policy } policy-name. Remarks: By default, no IPsec policy is applied to the interface. An interface can reference only one IPsec policy. An IKE-mode IPsec policy can be applied to multiple interfaces, and a manual IPsec policy can be applied to only one interface.
  • Page 269: Binding A Source Interface To An Ipsec Policy

    IMPORTANT:
    • IPsec anti-replay is enabled by default. Failure to detect anti-replay attacks might result in denial of services. Use caution when you disable IPsec anti-replay.
    • Specify an anti-replay window size that is as small as possible to reduce the impact on system ...
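    The window-size trade-off in the IMPORTANT note above is easier to judge with the check itself in front of you. The following is an added example, not H3C code: a sliding-window replay check over ESP/AH sequence numbers of the kind IPsec implementations use, with constructed sequence numbers and window sizes. The class name and the choice of a 64-bit window for the first case are assumptions.

```python
# Added example, not H3C code: sliding-window anti-replay check on IPsec
# sequence numbers, to show what a given window size accepts and rejects.
class AntiReplayWindow:
    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set = sequence number (top - i) already received

    def accept(self, seq: int) -> bool:
        """Check seq against the window and record it. False = replayed or too old."""
        if seq <= 0:
            return False  # sequence numbers start at 1
        if seq > self.top:
            # advance the window; slide the history bits along with it
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False  # older than the window: cannot tell, so drop
        if (self.bitmap >> offset) & 1:
            return False  # already seen: replay
        self.bitmap |= 1 << offset
        return True


def demo() -> dict:
    w = AntiReplayWindow(size=64)
    in_order = all(w.accept(s) for s in (1, 2, 3, 4, 5))
    replay = w.accept(3)                          # seen before: rejected
    late_but_new = w.accept(70) and w.accept(7)   # 7 is 63 behind 70, still inside a 64-wide window
    too_old = w.accept(6)                         # 64 behind: outside the window
    small = AntiReplayWindow(size=32)
    small.accept(100)
    reordered_dropped = not small.accept(60)      # legitimate packet delayed by 40 is lost with a 32-wide window
    return {
        "in_order": in_order,
        "replay_rejected": not replay,
        "late_but_new": late_but_new,
        "too_old_rejected": not too_old,
        "small_window_drops_reordered": reordered_dropped,
    }
```

    The last case is the cost side of "as small as possible": when QoS or multiple paths reorder packets by more than the window, the receiver discards them as if they were replays, which is also why the CAUTION at the start of this chapter asks for IPsec and QoS classification rules to match.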
  • Page 270: Enabling Qos Pre-Classify

    Step / Command / Remarks:
    • Bind a source interface to an IPsec policy. Command: ipsec { ipv6-policy | policy } policy-name local-address interface-type interface-number. Remarks: By default, no source interface is bound to an IPsec policy.
    Enabling QoS pre-classify
    If you apply both an IPsec policy and a QoS policy to an interface, QoS classifies packets by using the new headers added by IPsec.
  • Page 271: Displaying And Maintaining Ipsec

    • clear—Clears the DF bit in the new header.
    • set—Sets the DF bit in the new header.
    • copy—Copies the DF bit in the original IP header to the new IP header.
    You can configure the DF bit in system view and interface view. The interface-view DF bit setting takes precedence over the system-view DF bit setting.
  • Page 272: Ipsec Configuration Examples

    Task / Command:
    • Display IPsec SA information. Command: display ipsec sa [ brief | count | interface interface-type interface-number | { ipv6-policy | policy } policy-name [ seq-number ] | profile policy-name | remote [ ipv6 ] ip-address ].
    • Display IPsec statistics. Command: display ipsec statistics [ tunnel-id tunnel-id ].
    • Display IPsec tunnel information. ...
  • Page 273

    # Specify the encapsulation mode as tunnel.
    [SwitchA-ipsec-transform-set-tran1] encapsulation-mode tunnel
    # Specify the security protocol as ESP.
    [SwitchA-ipsec-transform-set-tran1] protocol esp
    # Specify the ESP encryption and authentication algorithms.
    [SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-192
    [SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
    [SwitchA-ipsec-transform-set-tran1] quit
    # Create a manual IPsec policy entry, with the policy name map1 and sequence number 10.
    [SwitchA] ipsec policy map1 10 manual
    # Apply ACL 3101.
  • Page 274

    [SwitchB-ipsec-transform-set-tran1] quit
    # Create a manual IPsec policy entry, with the policy name use1 and sequence number 10.
    [SwitchB] ipsec policy use1 10 manual
    # Apply ACL 3101.
    [SwitchB-ipsec-policy-manual-use1-10] security acl 3101
    # Apply IPsec transform set tran1.
    [SwitchB-ipsec-policy-manual-use1-10] transform-set tran1
    # Specify the remote IP address of the IPsec tunnel as 2.2.2.1.
  • Page 275: Configuring An Ike-Based Ipsec Tunnel For Ipv4 Packets

    [Outbound ESP SA]
    SPI: 12345 (0x00003039)
    Transform set: ESP-ENCRYPT-AES-CBC-192 ESP-AUTH-SHA1
    No duration limit for this SA
    Configuring an IKE-based IPsec tunnel for IPv4 packets
    Network requirements
    As shown in Figure 81, establish an IPsec tunnel between Switch A and Switch B to protect data flows between the switches.
  • Page 276

    [SwitchA-ike-keychain-keychain1] pre-shared-key address 2.2.3.1 255.255.255.0 key simple 12345zxcvb!@#$%ZXCVB
    [SwitchA-ike-keychain-keychain1] quit
    # Create the IKE profile named profile1.
    [SwitchA] ike profile profile1
    # Reference the keychain keychain1.
    [SwitchA-ike-profile-profile1] keychain keychain1
    [SwitchA-ike-profile-profile1] match remote identity address 2.2.3.1 255.255.255.0
    [SwitchA-ike-profile-profile1] quit
    # Create an IKE-based IPsec policy entry, with the policy name map1 and sequence number 10.
    [SwitchA] ipsec policy map1 10 isakmp
    # Apply ACL 3101.
  • Page 277

    [SwitchB] ike keychain keychain1
    # Configure the pre-shared key used with the peer 2.2.2.1 as the plaintext string 12345zxcvb!@#$%ZXCVB.
    [SwitchB-ike-keychain-keychain1] pre-shared-key address 2.2.2.1 255.255.255.0 key simple 12345zxcvb!@#$%ZXCVB
    [SwitchB-ike-keychain-keychain1] quit
    # Create the IKE profile named profile1.
    [SwitchB] ike profile profile1
    # Reference the keychain keychain1.
  • Page 278: Configuring Ike

    Configuring IKE Unless otherwise specified, the term "IKE" in this chapter refers to IKEv1. Overview Built on a framework defined by ISAKMP, Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec, dramatically simplifying the configuration and maintenance of IPsec.
  • Page 279: Ike Security Mechanism

    Figure 83 IKE exchange process in main mode
    As shown in Figure 83, the main mode of IKE negotiation in phase 1 involves three pairs of messages:
    • SA exchange—Used for negotiating the security policy.
    • Key exchange—Used for exchanging the DH public value and other values like the random number.
    • ...
  • Page 280: Protocols And Standards

    the pre-shared key authentication method, you must configure a pre-shared key for each branch on the Headquarters node.
    DH algorithm
    The DH algorithm is a public key algorithm. With this algorithm, two peers can exchange keying material and then use the material to calculate the shared keys. Because deriving the shared key from the exchanged public values requires solving the discrete logarithm problem, a third party cannot recover the keys even after intercepting all of the exchanged keying material.
  • Page 281: Configuring An Ike Profile

    Tasks at a glance / Remarks:
    • (Optional.) Configuring an IKE proposal. Remarks: Required when the IKE profile needs to reference IKE proposals.
    • (Optional.) Configuring an IKE keychain. Remarks: Required when pre-shared key authentication is used in IKE negotiation phase 1.
    • (Optional.) Configuring the global identity information
    • (Optional.) Configuring the IKE keepalive function
    • (Optional.) ...
  • Page 282 First, the device examines the existence of the match local address command. An IKE profile with the match local address command configured has a higher priority. If a tie exists, the device compares the priority numbers. An IKE profile with a smaller priority number has a higher priority.
  • Page 283: Configuring An Ike Proposal

    Step / Command / Remarks:
    • (Optional.) Configure IKE DPD. Command: dpd interval interval-seconds [ retry ... Remarks: By default, the IKE DPD function is not configured for an IKE profile, and an IKE profile uses the DPD settings configured in system view. If the IKE DPD ...
  • Page 284: Configuring An Ike Keychain

    Step / Command / Remarks:
    • Enter system view. Command: system-view.
    • Create an IKE proposal and enter its view. Command: ike proposal proposal-number. Remarks: By default, there is an IKE proposal that is used as the default IKE proposal.
    • Specify an encryption algorithm ... Command: encryption-algorithm { 3des-cbc | ... Remarks: By default, an IKE proposal uses the 56-bit DES encryption algorithm in CBC mode in ... (56-bit DES is no longer considered secure; specify a stronger algorithm explicitly rather than relying on this default.)
  • Page 285: Configuring The Global Identity Information

    Step / Command / Remarks:
    • Enter system view. Command: system-view.
    • Create an IKE keychain and enter its view. Command: ike keychain keychain-name [ vpn-instance vpn-name ]. Remarks: By default, no IKE keychain exists.
    • Configure a pre-shared key. Command: pre-shared-key { address { ipv4-address [ mask | mask-length ] | ... Remarks: By default, no pre-shared key is configured. For security purposes, all ...
  • Page 286: Configuring The Ike Keepalive Function

    Step / Command / Remarks:
    • (Optional.) Configure the local device to always obtain the identity information from ... Command: ike signature-identity ... Remarks: By default, the local end uses the identity information specified by local-identity or ike identity for signature authentication. Configure this command on the local device when the following conditions exist: ...
  • Page 287: Configuring Ike Dpd

    To configure the IKE NAT keepalive function:
    • Enter system view. Command: system-view.
    • Set the IKE NAT keepalive interval. Command: ike nat-keepalive seconds. Remarks: The default interval is 20 seconds.
    Configuring IKE DPD
    DPD detects dead peers. It can operate in periodic mode or on-demand mode.
    Periodic DPD—Sends a DPD message at regular intervals.
  • Page 288: Setting The Maximum Number Of Ike Sas

    which it cannot find an SA, an invalid SPI is encountered. The peer drops the data packet and tries to send an SPI invalid notification to the data originator. This notification is sent by using the IKE SA. Because no IKE SA is available, the notification is not sent. The originating peer continues sending the data by using the IPsec SA that has the invalid SPI, and the receiving peer keeps dropping the traffic.
  • Page 289: Main Mode Ike With Pre-Shared Key Authentication Configuration Example

    Task / Command:
    • Delete IKE SAs. Command: reset ike sa [ connection-id connection-id ].
    Main mode IKE with pre-shared key authentication configuration example
    Network requirements
    As shown in Figure 84, configure an IPsec tunnel that uses IKE negotiation between Switch A and Switch B to secure the communication.
  • Page 290

    # Create IKE keychain keychain1.
    [SwitchA] ike keychain keychain1
    # Specify 12345zxcvb!@#$%ZXCVB as the plaintext pre-shared key.
    [SwitchA-ike-keychain-keychain1] pre-shared-key address 2.2.2.2 255.255.255.0 key simple 12345zxcvb!@#$%ZXCVB
    [SwitchA-ike-keychain-keychain1] quit
    # Create IKE profile profile1.
    [SwitchA] ike profile profile1
    # Specify IKE keychain keychain1.
    [SwitchA-ike-profile-profile1] keychain keychain1
    # Configure a peer ID with the identity type of IP address and the value of 2.2.2.2.
  • Page 291: Verifying The Configuration

    [SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-192
    [SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
    [SwitchB-ipsec-transform-set-tran1] quit
    # Create IKE keychain keychain1.
    [SwitchB] ike keychain keychain1
    # Specify the plaintext 12345zxcvb!@#$%ZXCVB as the pre-shared key to be used with the remote peer at 1.1.1.1 (it must match the key configured on Switch A).
    [SwitchB-ike-keychain-keychain1] pre-shared-key address 1.1.1.1 255.255.255.0 key simple 12345zxcvb!@#$%ZXCVB
    [SwitchB-ike-keychain-keychain1] quit
    # Create IKE profile profile1.
  • Page 292: Troubleshooting Ike

    Troubleshooting IKE
    IKE negotiation failed because no matching IKE proposals were found
    Symptom
    The IKE SA is in Unknown state.
    <Sysname> display ike sa
    Connection-ID   Remote            Flag
    ------------------------------------------------------------------
                    192.168.222.5     Unknown     IPSEC
    Flags: RD--READY RL--REPLACED FD-FADING
    When IKE event debugging and packet debugging are enabled, the following messages appear:
    IKE event debugging message: The attributes are unacceptable.
  • Page 293: Ipsec Sa Negotiation Failed Because No Matching Ipsec Transform Sets Were Found

    Analysis
    • If the following debugging information appeared, the matched IKE profile is not referencing the matched IKE proposal: Failed to find proposal 1 in profile profile1.
    • If the following debugging information appeared, the matched IKE profile is not referencing the ...
  • Page 294 Analysis Certain IPsec policy settings of the responder are incorrect. Verify the settings as follows: Use the display ike sa verbose command to verify that matching IKE profiles were found in IKE negotiation phase 1. If no matching IKE profiles were found and the IPsec policy is referencing an IKE profile, the IPsec SA negotiation fails.
  • Page 295

    Transform set: transform1
    IKE profile: profile1
    SA duration(time based):
    SA duration(traffic based):
    SA idle time:
    Verify that the ACL referenced by the IPsec policy is correctly configured. If the flow range defined by the responder's ACL is smaller than that defined by the initiator's ACL, IPsec proposal matching will fail.
  • Page 296

    If the flow range defined by the responder's ACL is smaller than that defined by the initiator's ACL, modify the responder's ACL so that it defines a flow range equal to or greater than that of the initiator's ACL. For example:
    [Sysname] display acl 3000
    Advanced ACL 3000, named -none-, 2 rules, ...
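    The ACL behaviour behind this troubleshooting step, and behind the earlier rule that each ACL rule matches both the outbound flow and the returned inbound flow, is modelled below. This is an added example, not H3C code: it represents an advanced ACL rule as protocol plus source and destination prefixes, applies the first-match permit/deny decision to outbound and (mirrored) inbound packets, and checks whether a responder's permit rule covers the initiator's flow range. Rule contents, addresses and function names are constructed for the example.

```python
# Added example, not H3C code: models how an ACL rule identifies an IPsec data
# flow (a permit rule matches the outbound flow and the mirrored inbound flow)
# and checks the troubleshooting condition that the responder's flow range must
# cover the initiator's. Rules and addresses are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    proto: str   # "ip" (any protocol) or a specific one such as "tcp", "udp", "icmp"
    src: str     # source prefix
    dst: str     # destination prefix

    def mirrored(self) -> "Rule":
        """The same flow seen from the other direction (inbound return traffic)."""
        return Rule(self.action, self.proto, self.dst, self.src)

    def matches(self, proto: str, src_ip: str, dst_ip: str) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))

    def covers(self, other: "Rule") -> bool:
        """True if every flow matched by `other` is also matched by this rule."""
        return ((self.proto == "ip" or self.proto == other.proto)
                and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst)))


def ipsec_decision(acl: List[Rule], proto: str, src_ip: str, dst_ip: str, outbound: bool) -> str:
    """First matching rule wins: permit -> "protect"; deny or no match -> "bypass".
    Inbound packets are matched against the mirrored rules."""
    for rule in acl:
        r = rule if outbound else rule.mirrored()
        if r.matches(proto, src_ip, dst_ip):
            return "protect" if r.action == "permit" else "bypass"
    return "bypass"


def responder_covers_initiator(responder_acl: List[Rule], initiator_rule: Rule) -> bool:
    """The responder sees the initiator's flow from the opposite direction, so the
    initiator's rule is mirrored before checking that a responder permit covers it."""
    wanted = initiator_rule.mirrored()
    return any(r.action == "permit" and r.covers(wanted) for r in responder_acl)


def demo() -> dict:
    switch_a = [Rule("permit", "ip", "10.1.1.0/24", "10.1.2.0/24")]
    switch_b_narrow = [Rule("permit", "ip", "10.1.2.0/24", "10.1.1.0/25")]  # too small: negotiation fails
    switch_b_fixed = [Rule("permit", "ip", "10.1.2.0/24", "10.1.1.0/24")]   # widened to cover the initiator
    return {
        "outbound_protected": ipsec_decision(switch_a, "tcp", "10.1.1.7", "10.1.2.9", outbound=True),
        "return_traffic_protected": ipsec_decision(switch_a, "tcp", "10.1.2.9", "10.1.1.7", outbound=False),
        "unrelated_bypassed": ipsec_decision(switch_a, "tcp", "10.1.1.7", "192.0.2.1", outbound=True),
        "narrow_responder_fails": responder_covers_initiator(switch_b_narrow, switch_a[0]),
        "widened_responder_ok": responder_covers_initiator(switch_b_fixed, switch_a[0]),
    }
```

    When comparing two switches' ACLs by hand, remember the mirroring: the responder's source prefix has to contain the initiator's destination prefix, not its source.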
  • Page 308 AAA RADIUS session-control feature, implementing security 802.1X H3C MAC-based access identity control, security IPsec IKE global identity information security 802.1X H3C port-based access control, configuration, security AAA for MPLS L3VPNs, ignoring security AAA HWTACACS, port security server authorization security AAA LDAP,...
  • Page 309 security ARP unresolvable IP attack protection FIPS compliance, (displaying), IKE configuration, 264, security ARP unresolvable IP attack protection IKE configuration (main mode/pre-shared key (source suppression), authentication), security uRPF configuration, 227, 230, IKE DPD configuration, IP addressing IKE global identity information configuration, security AAA HWTACACS outgoing packet IKE identity authentication, source IP address,...
  • Page 310 tunnel for IPv4 packets configuration, IPv4 keepalive security IPsec IKE-based tunnel for IPv4 packets security IPsec IKE function configuration, configuration, security IPsec IKE NAT function configuration, security IPsec tunnel for IPv4 packets configuration, security IPsec IKE pre-shared key source guard. See IPv4 source guard authentication, IPv4 source guard...
  • Page 311 troubleshooting, authentication. See MAC authentication user attribute configuration, security SSL services, version specification, MAC address Lightweight Directory Access Protocol. Use LDAP MAC local authentication configuration, limiting MAC RADIUS-based authentication configuration, port security secure MAC addresses, security 802.1X authentication (access device security ARP packet rate limit configuration, initiated), local...
  • Page 312 port security MAC/802.1X authentication, port security macAddressWithRadius authentication, port security mode, port security secure MAC learning control mode, port security NTK configuration, security 802.1X EAP relay/termination RADIUS-based, 78, comparison, timer configuration, security 802.1X multicast trigger mode, user account format, security 802.1X unicast trigger mode, user account policies, security IPsec ACL-based implementation MAC learning...
  • Page 313 need to know. Use security AAA ISP domain status configuration, negotiating security AAA LDAP implementation, security IPsec IKE negotiation, security AAA LDAP scheme configuration, security IPsec IKE negotiation mode, security AAA local user configuration, network security AAA MPLS L3VPN implementation, IPv4 source guard dynamic binding entries, security AAA network access user configuration, port security feature configuration,...
  • Page 314 security IPsec source interface policy bind, security SSH server function enable, security IPsec transform set configuration, security SSH SFTP client device configuration, security IPsec tunnel establishment, security SSH SFTP client source IP address/interface, security IPv4 source guard configuration, security SSH SFTP directories, security IPv4 source guard on interface, security SSH SFTP files, security IPv6 source guard configuration,...
  • Page 315 security AAA SSH user local security SSH Stelnet client publickey authentication+HWTACACS authentication, authorization+RADIUS accounting, security SSH Stelnet configuration, security ARP attack protection security SSH Stelnet server password configuration, authentication, security FIPS configuration, 232, security SSH Stelnet server publickey security FIPS mode entry (automatic authentication, reboot), security SSL configuration, 197,...
  • Page 316 security ARP active acknowledgement, security SSH SCP file transfer with password authentication, security ARP attack protection (unresolvable IP attack), security SSH SFTP server password authentication, security ARP filtering, 224, security SSH Stelnet client password security ARP packet rate limit configuration, authentication, security ARP packet source MAC consistency security SSH Stelnet server password...
  • Page 317 applications, Windows 2003 CA server certificate request configuration, architecture, policy CA digital certificate, security AAA RADIUS security policy server IP CA policy, address configuration, CA storage path specification, security IPsec application to interface, certificate access control policy, security IPsec configuration (IKE-based/direct), certificate export, security IPsec configuration certificate import/export,...
  • Page 318 configuration, 86, 89, configuring secure PKI certificate import/export, displaying, configuring security 802.1X, enabling, configuring security 802.1X authentication, feature configuration, configuring security 802.1X online user handshake features, function, intrusion protection configuration, configuring security 802.1X quiet timer, intrusion protection feature, configuring security AAA, MAC address autoLearn mode configuring security AAA authentication methods configuration,...
  • Page 319 configuring security ARP packet rate limit, configuring security IPsec policy (IKE-based), configuring security ARP packet source MAC configuring security IPsec policy consistency check, (IKE-based/direct), configuring security ARP packet validity configuring security IPsec policy check, (IKE-based/template), configuring security ARP restricted configuring security IPsec policy (manual), forwarding, configuring security IPsec transform set, configuring security ARP source MAC-based...
  • Page 320 configuring security SSH device as Stelnet displaying security ARP source MAC-based attack client, detection, configuring security SSH SCP client device, displaying security ARP unresolvable IP attack protection, configuring security SSH SCP file transfer with password authentication, displaying security FIPS, configuring security SSH SFTP, displaying security host public key, 118 configuring security SSH SFTP client publickey...
  • Page 321 establishing security SSH SFTP server setting security AAA RADIUS max request connection, transmission attempts, establishing security SSH Stelnet server setting security AAA RADIUS server status, connection, setting security AAA RADIUS timer, exporting security host public key to file, 117 setting security AAA RADIUS traffic statistics exporting security PKI certificate, unit,...
  • Page 322 specifying security SSH SFTP client source IP proposal address/interface, security IPsec IKE configuration, specifying security SSH Stelnet client source IP protocols and standards address or interface, IPsec IKE, terminating security SSH SFTP server IPsec security protocol 50 (ESP), connection, IPsec security protocol 51 (AH), troubleshooting port security, security 802.1X overview, troubleshooting port security mode cannot be...
  • Page 323 ARP packet rate limit configuration, common standard attributes, real-time displaying, security AAA HWTACACS real-time accounting extended attributes, timer, H3C proprietary attributes, security AAA RADIUS real-time accounting timer, HWTACACS/RADIUS differences, record protocol (SSL), information exchange security mechanism, recovering maintaining,...
  • Page 324 FIPS configuration restrictions, Secure Sockets Layer. Use IPsec policy configuration (IKE-based), security security IPsec configuration restrictions, 802.1X access control method, routing 802.1X authentication configuration, security 802.1X authentication configuration, 802.1X authentication request max number attempts, security 802.1X configuration, 68, 802.1X authentication server timeout timer, security SSH configuration, 802.1X authentication trigger function, security SSH server configuration,...
  • Page 325 AAA scheme configuration, host public key export to file, 117 AAA SSH user local host public key save to file, 118 authentication+HWTACACS IP, 240, See also IPsec authorization+RADIUS accounting, IP source guard configuration, 202, 203, ARP active acknowledgement, IP source guard static binding entry, ARP attack protection (unresolvable IP IPsec ACL de-encapsulated packet check,...
  • Page 326 IPv4 source guard dynamic binding entries, PKI CA certificate import failure, IPv4 source guard dynamic configuration with PKI CA policy, DHCP relay, PKI CA storage path specification, IPv4 source guard dynamic configuration with PKI certificate access control policy, DHCP snooping, PKI certificate export, IPv4 source guard static configuration, PKI certificate export failure,...
  • Page 327 SSH configuration, server SSH local DSA key pair generation, port security authorization information, SSH local RSA key pair generation, security 802.1X authentication configuration, SSH management parameters, security 802.1X authentication server timeout timer, SSH SCP client device configuration, security 802.1X configuration, 68, SSH SCP file transfer with password authentication, security AAA HWTACACS quiet timer,...
  • Page 328 security password control user group security AAA RADIUS outgoing packet source IP parameters, address, security SSH management parameters, security AAA RADIUS scheme VPN, security super password control parameters, 110 security AAA RADIUS shared keys, SFTP security MAC authentication domain, client device configuration, security PKI CA storage path, client publickey authentication,...
  • Page 329 SFTP directories, Stelnet SFTP files, client device configuration, SFTP help information, client password authentication, SFTP server connection establishment, client publickey authentication, SFTP server connection termination, client source IP address/interface, Stelnet, configuration, Stelnet client device configuration, security SSH application, Stelnet client password authentication, server connection establishment, Stelnet client publickey authentication, server password authentication,...
  • Page 330 TFTP security AAA LDAP, security local host public key distribution, 117 security AAA RADIUS, time security AAA RADIUS accounting error, security IPsec IKE negotiation (time-based security AAA RADIUS authentication failure, lifetime), security AAA RADIUS packet delivery failure, timer security IPsec IKE, security 802.1X authentication timeout security IPsec IKE negotiation failure (no proposal timers,...
  • Page 331 configuration, 227, 230, security password max user account idle time, displaying, security password not displayed, network application, security password setting, operation, security password updating, 105, user security password user first login, security 802.1X periodic online user security password user login attempt limit, re-authentication, security password user login control, security 802.1X port max number users,...
  • Page 332 security IPsec IKE-based tunnel for IPv4 packets configuration, security IPsec tunnel for IPv4 packets configuration, security PKI application, WAPI security PKI configuration, 125, 128, security PKI, Windows 2000 security PKI CA server SCEP add-on, security PKI entity configuration, Windows 2003 security PKI CA server certificate request, WLAN port security client...