HPE FlexNetwork MSR Router Series
Comware 5 Security Configuration Guide
 
Part number: 5200-2323
Software version: CMW710-R2516
Document version: 6W107-20160831

Summary of Contents for HPE FlexNetwork MSR Series

  • Page 2 © Copyright 2016 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table Of Contents

    Contents: Security overview (p. 1): Network security threats (1), Network security services (1), Network security technologies (1), Identity authentication (1), Access security (2), Data security (2), Firewall and connection control ...
  • Page 4: 802.1X client as the initiator (81), Access device as the initiator (81), 802.1X authentication procedures (81), Comparing EAP relay and EAP termination (82), EAP relay (82), EAP termination (84). Configuring 802.1X ...
  • Page 5: Hardware compatibility with EAD fast deployment (108), Configuration prerequisites (109), Configuring a free IP (109), Configuring the redirect URL (109), Setting the EAD rule timer (109), Displaying and maintaining EAD fast deployment (110) ...
  • Page 6: Troubleshooting port security (147): Cannot set the port security mode (147), Cannot configure secure MAC addresses (147), Cannot change port security mode when a user is online (148). Configuring IPsec (149) ...
  • Page 7: Configuring a DPD detector (208), Disabling next payload field checking (208), Displaying and maintaining IKE (209), IKE configuration examples (209): Configuring main mode IKE with pre-shared key authentication (209), Configuring aggressive mode IKE with NAT traversal ...
  • Page 8: Failed to request local certificates (262), Failed to retrieve CRLs (263). Managing public keys (264): FIPS compliance (264), Configuration task list (265), Creating a local asymmetric key pair (265) ...
  • Page 9: Configuring portal detection functions (306): Configuring online Layer 2 portal user detection (306), Configuring online Layer 3 portal user detection (307), Configuring the portal server detection function (307), Configuring portal user information synchronization (308) ...
  • Page 10: Stelnet client configuration task list (356), Specifying a source IP address or source interface for the Stelnet client (356), Enabling and disabling first-time authentication (357), Establishing a connection to a Stelnet server (358) ...
  • Page 11: Displaying and maintaining source MAC-based ARP attack detection (402), Source MAC-based ARP attack detection configuration example (402), Configuring ARP packet source MAC consistency check (403), Configuring ARP active acknowledgement (403), Configuring ARP automatic scanning and fixed ARP (403) ...
  • Page 12: Configuring password control (433): Overview (433), FIPS compliance (435), Password control configuration task list (436), Enabling password control (436), Setting global password control parameters (437), Setting user group password control parameters (438) ...
  • Page 13: Configuring FIPS (482): Overview (482), Hardware compatibility with FIPS mode (482), FIPS self-tests (482), Power-up self-tests (482), Conditional self-tests (483), Triggering self-tests (483), Configuring FIPS mode (484) ...
  • Page 14: Security Overview

    Security overview. Network security threats are actual or potential threats to the confidentiality, integrity, or availability of data, or to the authorized use of a resource, in a network system. Network security services provide solutions that eliminate or reduce those threats to different extents. Network security threats •...
  • Page 15: Access Security

    • Authorization—Grants user rights and controls user access to resources and services. For example, a user who has successfully logged in to the device can be granted read and print permissions to the files on the device. • Accounting—Records all network service usage information, including the service type, start time, and traffic.
  • Page 16: Firewall And Connection Control

    IPsec and IKE. IPsec is a security framework for securing IP communications. It is a Layer 3 VPN technology used mainly for data encryption and data origin authentication. IKE provides automatic negotiation of security parameters for IPsec, simplifying the configuration and maintenance of IPsec. Security parameters negotiated by IKE include authentication and encryption algorithms, authentication and encryption keys, IP packet encapsulation modes (tunnel mode and transport mode), and key lifetime.
  • Page 17: Attack Detection And Protection

    Connection limits To protect internal network resources (hosts or servers) and correctly allocate system resources on the device, you can configure connection limit policies to collect statistics and limit the number of connections, connection establishment rate, and connection bandwidth. Attack detection and protection ARP attack protection Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
  • Page 18 include minimum password length, minimum password update interval, password aging, and early notice on pending password expiration. RSH allows users to execute OS commands on a remote host that runs the RSH daemon. The RSH daemon supports authentication of the privileged port on a trusted host. The device works as an RSH client, and you can use the rsh command on the device to execute an OS command on a remote host.
  • Page 19: Configuring Aaa

    Configuring AAA The HPE MSR series routers support EXEC user access. The HPE MSR series routers do not support the attribute access-limit command. The idle-cut enable command, which is used in ISP domain view to configure the idle cut function, takes effect only on LAN users.
  • Page 20: Radius

    AAA can be implemented through multiple protocols. The device supports RADIUS and HWTACACS, of which RADIUS is most often used. RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access.
  • Page 21 Figure 3 Basic RADIUS message exchange process. RADIUS operates in the following manner: The host initiates a connection request that carries the user's username and password to the RADIUS client. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password obscured using the MD5 algorithm and the shared key. This is the RFC 2865 User-Password hiding scheme, not strong encryption: the shared key is the only thing protecting the password on the wire, so choose a long key and keep the RADIUS path off untrusted networks.
  • Page 22 Figure 4 RADIUS packet format: Code, Identifier, Length, Authenticator, Attributes. Descriptions of the fields are as follows: • The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 Main values of the Code field (Packet type / Description): ... From the client to the server.
  • Page 23 The table "Commonly used standard RADIUS attributes" shows a list of the attributes; see that table for more information. Length—(1 byte long) Length of the attribute in bytes, including the Type, Length, and Value sub-fields. Value—(Up to 253 bytes) Value of the attribute. Its format and content depend on the Type and Length sub-fields.
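The Access-Request construction of Figure 3 and the Code / Identifier / Length / Authenticator / Attributes layout of Figure 4 and the attribute TLV fields, as an added Python example that is not part of the HPE guide. It builds an Access-Request with the RFC 2865 User-Password hiding (MD5 over the shared key and the Request Authenticator), adds and verifies a Message-Authenticator (HMAC-MD5 per RFC 3579, the attribute the guide says is present for EAP), and parses the attribute TLVs back out with the length checks a receiver needs. The username, password, NAS-Identifier and the shared key "expert" are constructed sample data.

```python
"""RADIUS Access-Request: build, hide the password, authenticate, parse (RFC 2865 / RFC 3579)."""
import hashlib
import hmac
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code (1) + Identifier (1) + Length (2) + Authenticator (16)

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to a multiple of 16, XOR each block with
    MD5(secret + previous ciphertext block), the Request Authenticator seeding the first block."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; the NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")

def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Type (1 byte) + Length (1 byte, counts itself and Type) + Value (up to 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(identifier, username, password, secret, nas_id, authenticator=None):
    """Client side: User-Name, hidden User-Password, NAS-Identifier, then a Message-Authenticator
    computed as HMAC-MD5(secret) over the whole packet with that attribute zeroed (RFC 3579 3.2)."""
    authenticator = authenticator or os.urandom(16)     # Request Authenticator: 16 random bytes
    attrs = (encode_attribute(ATTR_USER_NAME, username)
             + encode_attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + encode_attribute(ATTR_NAS_IDENTIFIER, nas_id))
    ma_offset = HEADER_LEN + len(attrs) + 2              # offset of the 16 MAC bytes
    attrs += encode_attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    pkt = bytearray(header + authenticator + attrs)
    pkt[ma_offset:ma_offset + 16] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

def parse_packet(pkt: bytes):
    """Split header and attribute TLVs, rejecting the length games a hostile sender can play:
    Length beyond the datagram, attribute Length below 2, or an attribute running past the end."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than the 20-byte header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if not HEADER_LEN <= length <= len(pkt):
        raise ValueError("Length field inconsistent with datagram size")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!BB", pkt[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute Length")
        attrs.append((pos, attr_type, pkt[pos + 2:pos + attr_len]))  # offset kept for the MAC check
        pos += attr_len
    return code, identifier, pkt[4:HEADER_LEN], attrs

def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Recompute the HMAC-MD5 with the Message-Authenticator value zeroed; constant-time compare."""
    for pos, attr_type, value in parse_packet(pkt)[3]:
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = bytearray(pkt)
            zeroed[pos + 2:pos + 18] = b"\x00" * 16
            return hmac.compare_digest(hmac.new(secret, bytes(zeroed), hashlib.md5).digest(), value)
    return False  # attribute absent: treat the request as unauthenticated

def server_decode(pkt: bytes, secret: bytes):
    """What the server recovers: (User-Name, cleartext password), or None when the
    Message-Authenticator fails under the shared key (wrong key or a modified packet)."""
    if not verify_message_authenticator(pkt, secret):
        return None
    _, _, authenticator, attrs = parse_packet(pkt)
    by_type = {t: v for _, t, v in attrs}
    return by_type[ATTR_USER_NAME], unhide_password(by_type[ATTR_USER_PASSWORD], secret, authenticator)

if __name__ == "__main__":
    # Constructed sample data: shared key "expert" as in the guide's IMC example, user alice@bbb.
    packet = build_access_request(7, b"alice@bbb", b"S3cret!pw", b"expert", b"Router")
    print(server_decode(packet, b"expert"))  # (b'alice@bbb', b'S3cret!pw')
    print(server_decode(packet, b"wrong"))   # None
```

Two things the block makes concrete: without the Message-Authenticator a forged or altered Access-Request is only detectable when the hidden password fails to decode, which is why the guide lists the attribute as the anti-spoofing control; and every length field in the packet is attacker-controlled, so a parser must check the outer Length against the datagram and each attribute Length against what remains before indexing.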
  • Page 24: Hwtacacs

    Attributes (continued), attributes 32 to 44: NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Link, Framed-AppleTalk-Network, Framed-AppleTalk-Zone, Acct-Status-Type, Acct-Delay-Time, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id. Attributes 79 to 91: EAP-Message, Message-Authenticator, Tunnel-Private-Group-id, Tunnel-Assignment-id, Tunnel-Preference, ARAP-Challenge-Response, Acct-Interim-Interval, Acct-Tunnel-Packets-Lost, NAS-Port-Id, Framed-Pool, (unassigned), Tunnel-Client-Auth-id, Tunnel-Server-Auth-id. Extended RADIUS attributes: Attribute 26 (Vendor-Specific), an attribute defined in RFC 2865, allows a vendor to define extended attributes to implement functions that the standard RADIUS protocol does not provide.
  • Page 25 HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical HWTACACS scenario, some terminal users need to log in to the NAS for operations. Working as the HWTACACS client, the NAS sends users' usernames and passwords to the HWTACACS server for authentication.
  • Page 26 Figure 6 Basic HWTACACS message exchange process for a Telnet user HWTACACS operates in the following manner: A Telnet user sends an access request to the HWTACACS client. Upon receiving the request, the HWTACACS client sends a start-authentication packet to the HWTACACS server.
  • Page 27: Domain-Based User Management

    The user enters the password. 10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that carries the login password. 11. The HWTACACS server sends back an authentication response to indicate that the user has passed authentication.
  • Page 28: Radius Server Feature Of The Router

    After passing level switching authentication, users can switch their user privilege levels without logging out and disconnecting current connections. For more information about user privilege level switching, see HPE FlexNetwork MSR Router Series Comware 5 Fundamentals Configuration Guide.
  • Page 29: Aaa For Mpls L3Vpns

    A RADIUS server running the standard RADIUS protocol listens on UDP port 1812 for authentication requests, but an HPE device listens on UDP port 1645 instead when acting as the RADIUS server. Be sure to specify 1645 as the authentication port number on the RADIUS client when you use an HPE device as the RADIUS server.
  • Page 30: Protocols And Standards

    Figure 9 Network diagram This feature can help a multi-VPN-instance CE to implement portal authentication for VPNs. For more information about multi-VPN-instance CEs, see HPE FlexNetwork MSR Router Series Comware 5 MPLS Configuration Guide. For more information about portal authentication, see "Configuring portal authentication."...
  • Page 31 (continued) Maximum idle time permitted for the user before termination of the session. Calling-Station-Id: User identification that the NAS sends to the server. For the LAN access service provided by an HPE device, this attribute carries the MAC address of the user in the format HHHH-HHHH-HHHH. NAS-Identifier: Identification that the NAS uses to identify itself to the RADIUS server.
  • Page 32 Attribute / Description: Message-Authenticator: Used for authentication and verification of authentication packets to prevent spoofed Access-Requests. This attribute is present when EAP authentication is used. NAS-Port-Id: String for describing the port of the NAS that is authenticating the user. Proprietary RADIUS sub-attributes (vendor ID 25506), Sub-attribute / Description: Input-Peak-Rate...
  • Page 33: Fips Compliance

    Sub-attribute / Description: User_HeartBeat: Hash value assigned after an 802.1X user passes authentication, which is a 32-byte string. This attribute is stored in the user list on the NAS and is used for verifying the handshake messages from the 802.1X user. This attribute only exists in Access-Accept and Accounting-Request packets.
  • Page 34 Local authentication—Configure local users and the related attributes, including the usernames and passwords for the users to be authenticated. Remote authentication—Configure the required RADIUS and HWTACACS schemes. You must configure user attributes on the servers accordingly. Configure AAA methods for the ISP domain. Authentication method—No authentication (none), local authentication (local), or remote authentication (scheme) Authorization method—No authorization (none), local authorization (local), or remote...
  • Page 35: Configuring Aaa Schemes

    NOTE: To use AAA methods to control access of login users, you must configure the user interfaces to use AAA by using the authentication-mode command. For more information, see HPE FlexNetwork MSR Router Series Comware 5 Fundamentals Configuration Guide. Configuring AAA schemes Configuring local users To implement local AAA, you must create local users and configure user attributes on the device.
  • Page 36 For more information about user interface authentication mode and user interface command level, see HPE FlexNetwork MSR Router Series Comware 5 Fundamentals Configuration Guide. • You can configure the user profile authorization attribute in local user view, user group view, and ISP domain view.
  • Page 37 Step / Command / Remarks: Configure a password for the local user. In non-FIPS mode: password [ [ hash ] { cipher | simple } password ]. Optional. A local user with no password configured directly passes authentication after providing the valid local username and attributes. To enhance security, configure a password for each local user. If you do not specify any parameter,...
  • Page 38 Step / Command / Remarks: Configure binding attributes for the local user: bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location port slot-number subslot-number port-number | mac mac-address | vlan vlan-id } *. Optional. By default, no binding attribute is configured for a local user. Optional.
  • Page 39: Configuring Radius Schemes

    ... type-number [ type-length type-length ]. In FIPS mode, the value for the type-number argument must be 4. For more information about the password control attribute commands, see HPE FlexNetwork MSR Router Series Comware 5 Security Command Reference. authorization-attribute { acl acl-number | callback-number ... Optional.
  • Page 40 RADIUS scheme configuration task list Task Remarks Creating a RADIUS scheme Required. Specifying the RADIUS authentication/authorization servers Required. Specifying the RADIUS accounting servers and the relevant parameters Optional. Specifying the shared keys for secure RADIUS communication Optional. Specifying a VPN for the RADIUS scheme Optional.
  • Page 41 You can enable the server status detection feature. With the feature, the device periodically sends an authentication request to check whether or not the target RADIUS authentication/authorization server is reachable. If the server can be reached, the device sets the status of the server to active. If the server cannot be reached, the device sets the status of the server to block.
  • Page 42 If you delete an accounting server that is serving users, the device no longer sends real-time accounting requests or stop-accounting requests for the users to that server, or buffers the stop-accounting requests. RADIUS does not support accounting for FTP users. To specify RADIUS accounting servers and set relevant parameters for a scheme: Step Command...
  • Page 43 Step / Command / Remarks: Enter RADIUS scheme view: radius scheme radius-scheme-name. Specify a shared key for secure RADIUS authentication/authorization or accounting communication: key { accounting | authentication } ... By default, no shared key is specified. In FIPS mode, the shared key must be at least eight characters that contain digits, uppercase letters, lowercase letters, and...
  • Page 44 Do not apply the RADIUS scheme to more than one ISP domain if you have configured the user-name-format without-domain command for that RADIUS scheme. Otherwise, users in different ISP domains are considered the same user if they use the same username. For level switching authentication, the user-name-format keep-original and user-name-format without-domain commands produce the same result: both make sure that usernames sent to the RADIUS server carry no ISP domain name.
  • Page 45 Step / Command / Remarks: Set the maximum number of RADIUS request transmission retry attempts: retry retry-times. Optional. The default setting is 3. Setting the status of RADIUS servers: By setting the status of RADIUS servers to blocked or active, you can control the AAA servers with which the device communicates when the current servers are no longer available.
  • Page 46 Step / Command / Remarks: Enter system view: system-view. Enter RADIUS scheme view: radius scheme radius-scheme-name. Set the status of the primary RADIUS authentication/authorization server: state primary authentication { active | block }. Set the status of the primary RADIUS accounting server: state primary accounting { active | block }...
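The server status handling described on Pages 41, 45 and 46 (status detection marking a server active or block, the retry count, and the state primary/secondary commands), as an added Python simulation that is not HPE code. The retry default of 3 is the guide's; the 3-second response timeout, the 5-minute quiet timer after which a server the device blocked on timeout returns to active, the rule that a manually blocked server stays blocked until set active again, and treating the retry count as the number of transmissions are assumptions made for the model, not values read from this page. The server addresses and reachability flags are constructed.

```python
"""Added model of RADIUS server status handling: active/block, retry, quiet timer (not HPE code)."""


class RadiusServer:
    def __init__(self, ip, reachable=True):
        self.ip = ip
        self.reachable = reachable   # constructed stand-in for the network: does a reply come back
        self.state = "active"        # "active" or "block"
        self.blocked_at = None       # time the device blocked it on timeout; None when set by hand


class RadiusScheme:
    """retry default 3 per the guide; response_timeout (seconds) and quiet (minutes)
    are assumed defaults for the simulation."""

    def __init__(self, name, primary, secondary=None, retry=3, response_timeout=3, quiet=5):
        self.name = name
        self.primary, self.secondary = primary, secondary
        self.retry, self.response_timeout, self.quiet = retry, response_timeout, quiet
        self.events = []   # what the device would log or trap (server down / server back)

    def set_state(self, role, state):
        """state { primary | secondary } authentication { active | block }: a manual setting.
        Assumption: a manually blocked server stays blocked until set active again."""
        server = self.primary if role == "primary" else self.secondary
        server.state, server.blocked_at = state, None

    def _usable_servers(self, now):
        servers = [s for s in (self.primary, self.secondary) if s is not None]
        for s in servers:
            # quiet timer: a server the device blocked on timeout returns to active after `quiet` minutes
            if s.state == "block" and s.blocked_at is not None and now - s.blocked_at >= self.quiet * 60:
                s.state, s.blocked_at = "active", None
                self.events.append(f"{s.ip} active (quiet timer expired)")
        return [s for s in servers if s.state == "active"]

    def authenticate(self, username, now):
        """Return (ip of the server that answered or None, transmissions sent, simulated seconds waited).
        Servers are tried in primary, secondary order; only active ones are tried at all."""
        sent = waited = 0
        for s in self._usable_servers(now):
            for _ in range(self.retry):     # each transmission waits response_timeout for a reply
                sent += 1
                if s.reachable:
                    return s.ip, sent, waited
                waited += self.response_timeout
            s.state, s.blocked_at = "block", now   # no reply after all retries: block the server
            self.events.append(f"{s.ip} block (no response while authenticating {username})")
        return None, sent, waited


if __name__ == "__main__":
    primary = RadiusServer("10.1.1.1", reachable=False)   # constructed: primary is down
    scheme = RadiusScheme("rad", primary, RadiusServer("10.1.1.2"))
    print(scheme.authenticate("alice", now=0))    # ('10.1.1.2', 4, 9): 3 timeouts, then the secondary
    print(scheme.authenticate("bob", now=60))     # ('10.1.1.2', 1, 0): primary still blocked, no wait
    print(scheme.events)
```

The point the simulation makes for an operator: once the primary is blocked, every login goes straight to the secondary with no retry delay, so a blocked primary is invisible to users but shows up only in the device's events; and a server blocked by the state command never recovers on its own, which is the behaviour to remember after maintenance.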
  • Page 47 Step / Command / Remarks: Specify a source IP address for outgoing RADIUS packets: radius nas-ip { ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]. By default, the IP address of the outbound interface is used as the source IP address. To specify a source IP address for a specific RADIUS scheme: Step / Command...
  • Page 48 Configuring the IP address of the security policy server The core of the HPE EAD solution is integration and cooperation. The security policy server is the management and control center for EAD. Using a collection of software, the security policy server provides functions such as user management, security policy management, security status assessment, security cooperation control, and security event audit.
  • Page 49 To configure the IP address of the security policy server for a scheme: Step / Command / Remarks: Enter system view: system-view. Enter RADIUS scheme view: radius scheme radius-scheme-name. Specify a security policy server: security-policy-server ip-address. No security policy server is specified by default. You can specify up to eight security...
  • Page 50: Configuring Hwtacacs Schemes

    Step / Command / Remarks: Enable the trap function for RADIUS: radius trap { accounting-server-down | authentication-error-threshold | authentication-server-down }. Disabled by default. Enabling the RADIUS client service: To receive and send RADIUS packets, enable the RADIUS client service on the device. If RADIUS is not required, disable the RADIUS client service to avoid attacks that exploit RADIUS packets.
  • Page 51 Task Remarks Specifying the shared keys for secure HWTACACS communication Required. Specifying a VPN for the HWTACACS scheme Optional. Setting the username format and traffic statistics units Optional. Specifying the source IP address for outgoing HWTACACS packets Optional. Setting HWTACACS timers Optional.
  • Page 52 You can remove an authentication server only when no active TCP connection for sending authentication packets is using it. Specifying the HWTACACS authorization servers You can specify one primary authorization server and one secondary authorization server for an HWTACACS scheme. When the primary server is not available, the secondary server is used. In a scenario where redundancy is not required, specify only the primary server.
  • Page 53 Step / Command / Remarks: Enter system view: system-view. Enter HWTACACS scheme view: hwtacacs scheme hwtacacs-scheme-name. Specify the primary HWTACACS accounting server: primary accounting ip-address [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *. Configure at least one command.
  • Page 54 To specify a VPN for an HWTACACS scheme: Step Command Enter system view. system-view Enter HWTACACS scheme view. hwtacacs scheme hwtacacs-scheme-name Specify a VPN for the HWTACACS scheme. vpn-instance vpn-instance-name Setting the username format and traffic statistics units A username is usually in the format userid@isp-name, where isp-name represents the user's ISP domain name.
  • Page 55 You can specify the source IP address for outgoing HWTACACS packets in HWTACACS scheme view for a specific HWTACACS scheme, or in system view for all HWTACACS schemes whose servers are in a VPN or the public network. Before sending an HWTACACS packet, the NAS selects a source IP address in the following order: The source IP address specified for the HWTACACS scheme.
  • Page 56: Configuring Aaa Methods For Isp Domains

    Step / Command / Remarks: Set the HWTACACS server response timeout timer: timer response-timeout seconds. Optional. The default HWTACACS server response timeout timer is 5 seconds. Set the quiet timer for the primary server: timer quiet minutes. Optional. The default quiet timer for the primary server...
  • Page 57: Configuring Isp Domain Attributes

    • The ISP domain in the username • The default ISP domain of the device • The ISP domain specified for users with unknown domain names If all the domains are unavailable, user authentication will fail. NOTE: Support for the authentication domain configuration depends on the access module. You can specify an authentication domain for 802.1X, portal, or MAC address authentication.
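The domain lookup order above, together with the userid@isp-name username format (Page 54) and the user-name-format warning on Page 44, as an added Python model that is not HPE code. It assumes a device default domain and a domain for unknown domain names exist (both named here only for the model), takes the text after the first '@' as the domain name, assumes with-domain is the default format and that with-domain appends the name of the domain actually selected, and reports which RADIUS schemes are referenced by several ISP domains while set to without-domain, the case the guide warns about because different users then look identical to the server. All domain and scheme names are constructed.

```python
"""Added model of ISP domain selection and user-name-format on a Comware 5 style device (not HPE code)."""
from dataclasses import dataclass, field


@dataclass
class IspDomain:
    name: str
    scheme: str               # RADIUS scheme the domain's authentication method references
    state: str = "active"     # state { active | block }


@dataclass
class Device:
    domains: dict                      # ISP domain name -> IspDomain
    default_domain: str = None         # assumption: the device default ISP domain, None if unset
    unknown_domain: str = None         # assumption: domain for users whose domain name is not configured
    username_format: dict = field(default_factory=dict)   # scheme name -> user-name-format keyword

    @staticmethod
    def split_username(username):
        """userid@isp-name; the text after the first '@' is taken as the domain name (simplification)."""
        userid, sep, isp = username.partition("@")
        return userid, (isp if sep else None)

    def select_domain(self, username):
        """Lookup order as the guide lists it: the domain in the username; the device default
        domain when the username carries none; the domain for unknown domain names when the
        username carries a name that is not configured. None means authentication fails."""
        _, isp = self.split_username(username)
        candidates = [isp, self.unknown_domain] if isp is not None else [self.default_domain]
        for name in candidates:
            dom = self.domains.get(name) if name else None
            if dom is not None:
                return dom if dom.state == "active" else None   # blocked domain: no service
        return None

    def server_username(self, username, dom):
        """User-Name as sent to the RADIUS server referenced by dom.scheme."""
        fmt = self.username_format.get(dom.scheme, "with-domain")   # assumption: with-domain default
        userid, _ = self.split_username(username)
        if fmt == "keep-original":
            return username
        if fmt == "without-domain":
            return userid
        return f"{userid}@{dom.name}"   # modeled: the selected domain's name is appended

    def without_domain_collisions(self):
        """Schemes set to without-domain but referenced by several ISP domains: users in those
        domains with the same userid become one identity at the server (the Page 44 warning)."""
        by_scheme = {}
        for dom in self.domains.values():
            by_scheme.setdefault(dom.scheme, []).append(dom.name)
        return {s: sorted(d) for s, d in by_scheme.items()
                if len(d) > 1 and self.username_format.get(s) == "without-domain"}


if __name__ == "__main__":
    # Constructed configuration: two domains share scheme "rad" with without-domain.
    dev = Device(domains={"aaa": IspDomain("aaa", "rad"), "bbb": IspDomain("bbb", "rad"),
                          "system": IspDomain("system", "rad2")},
                 default_domain="system", unknown_domain="system",
                 username_format={"rad": "without-domain"})
    for login in ("alice@aaa", "alice@bbb", "alice"):
        dom = dev.select_domain(login)
        print(login, "->", dom.name, "as", dev.server_username(login, dom))
    print(dev.without_domain_collisions())   # {'rad': ['aaa', 'bbb']}
```

Running the check in without_domain_collisions against a device's configuration before adding a second domain to a scheme is the practical use: two domains on one without-domain scheme means the server cannot tell alice@aaa from alice@bbb, so authorization attributes returned for one apply to both.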
  • Page 58: Configuring Authentication Methods For An Isp Domain

    Step / Command / Remarks: Enter system view: system-view. Enter ISP domain view: domain isp-name. Place the ISP domain in the active or blocked state: state { active | block }. Optional. By default, an ISP domain is in active state, and users in the domain can request network services.
  • Page 59 You can configure AAA authentication to work alone without authorization and accounting. By default, an ISP domain uses the local authentication method. Configuration prerequisites Before configuring authentication methods, complete the following tasks: • For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme to be referenced first.
  • Page 60 Step / Command / Remarks: Specify the authentication method for DVPN users. In non-FIPS mode: authentication dvpn { local | none | radius-scheme radius-scheme-name [ local ] }. In FIPS mode: authentication dvpn { local | radius-scheme radius-scheme-name [ local ] }. Optional. The default authentication method is used by default...
  • Page 61: Configuring Authorization Methods For An Isp Domain

    Step / Command / Remarks: 11. Specify the authentication method for VoIP users: authentication voip radius-scheme radius-scheme-name. Optional. The default authentication method is used by default. Configuring authorization methods for an ISP domain: In AAA, authorization is a separate process at the same level as authentication and accounting. Its responsibility is to send authorization requests to the specified authorization servers and to send authorization information to users after successful authorization.
  • Page 62 Configuration procedure. To configure authorization methods for an ISP domain: Step / Command / Remarks: Enter system view: system-view. Enter ISP domain view: domain isp-name. In non-FIPS mode: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme ... Optional.
  • Page 63: Configuring Accounting Methods For An Isp Domain

    Step / Command / Remarks: Specify the authorization method for portal users. In non-FIPS mode: authorization portal { local | none | radius-scheme radius-scheme-name [ local ] }. In FIPS mode: authorization portal { local | radius-scheme radius-scheme-name [ local ] }. Optional. The default authorization method is used by default.
  • Page 64 Configuration guidelines When configuring accounting methods, follow these guidelines: • You can configure a default accounting method for an ISP domain. This method will be used for all users who support the accounting method and have no specific accounting method configured.
  • Page 65: Tearing Down User Connections

    Step / Command / Remarks: Specify the accounting method for LAN users. In non-FIPS mode: accounting lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }. In FIPS mode: accounting lan-access { local | radius-scheme radius-scheme-name [ local ] }. Optional. The default accounting method is used by default.
  • Page 66: Configuring A Nas Id-Vlan Binding

    Step / Command / Remarks: Tear down AAA user connections: cut connection { access-type { dot1x | mac-authentication | portal } | all | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | ... The command applies to LAN, portal, and PPP user connections.
  • Page 67: Configuring A Radius User

    Configuring a RADIUS user This task is to create a RADIUS user and configure a set of attributes for the user on a network device serving as the RADIUS server. User attributes include the password, authorization attribute, expiration time, and user description. After configuration, the specified RADIUS user can use the username and password for RADIUS authentication on the device.
  • Page 68: Displaying And Maintaining Aaa

    Displaying and maintaining AAA
    Task: Display the configuration of ISP domains. Command: display domain [ isp-name ] [ | { begin | exclude | include } regular-expression ] Remarks: Available in any view.
    Task: Display information about ... Command: display connection [ access-type { dot1x | mac-authentication | portal } | domain isp-name | interface interface-type interface-number | ip ip-address |...
  • Page 69 − Set the shared key for secure authentication and accounting communication to expert. − Select the service type Device Management Service. − Set the ports for authentication and accounting to 1812 and 1813, respectively. − Select the protocol type Extensible Protocol. −...
  • Page 70 Configuring the RADIUS server on IMC PLAT 3.20 In this section, the RADIUS server runs on IMC PLAT 3.20-R2606 and IMC UAM 3.60-E6206. Add the router to the IMC Platform as an access device: a. Click the Service tab. b. From the navigation tree, select Access Service > Access Device. c.
  • Page 71 Figure 15 Adding a user account for device management Configuring the RADIUS server on IMC PLAT 5.0 In this section, the RADIUS server runs on IMC PLAT 5.0 (E0101H03) and IMC UAM 5.0 SP1 (E0101P03). Add the router to the IMC Platform as an access device: a.
  • Page 72 Figure 16 Adding the router as an access device Add a user account for device management: a. Click the User tab. b. From the navigation tree, select Access User View > Device Mgmt User. c. Click Add to configure a device management account as follows: −...
  • Page 73 Figure 17 Adding an account for device management Configuring the router # Assign an IP address to interface Ethernet 1/1, the Telnet user access interface. <Router> system-view [Router] interface ethernet 1/1 [Router-Ethernet1/1] ip address 192.168.1.70 255.255.255.0 [Router-Ethernet1/1] quit # Configure the IP address of interface Ethernet 1/2, through which the router communicates with the server.
  • Page 74: Local Authentication/Authorization For Telnet/Ftp Users

    [Router-radius-rad] key authentication expert # Specify the service type for the RADIUS server, which must be extended when the server runs on CAMS or IMC. [Router-radius-rad] server-type extended # Include the domain names in usernames sent to the RADIUS server. [Router-radius-rad] user-name-format with-domain [Router-radius-rad] quit # Configure the AAA methods for domain bbb.
  • Page 75: Aaa For Ppp Users By An Hwtacacs Server

    [Router] user-interface vty 0 4 [Router-ui-vty0-4] authentication-mode scheme [Router-ui-vty0-4] quit # Create local user named telnet. [Router] local-user telnet [Router-luser-telnet] service-type telnet [Router-luser-telnet] password simple aabbcc [Router-luser-telnet] quit # Configure the AAA methods for the ISP domain as local authentication and authorization. [Router] domain system [Router-isp-system] authentication login local [Router-isp-system] authorization login local...
  • Page 76: Level Switching Authentication For Telnet Users By A Radius Server

    On the HWTACACS server, set the shared keys for secure communication with the router to expert, add an account for the PPP user, and specify the password. (Details not shown.) Configure the router: # Create HWTACACS scheme hwtac. <Router> system-view [Router] hwtacacs scheme hwtac # Specify the primary authentication server.
  • Page 77 • Use local authentication for the Telnet user and assign the privilege level of 0 to the user when the user passes authentication. • Use the RADIUS server for level switching authentication of the Telnet user. If the RADIUS server is not available, use local authentication. Figure 20 Network diagram Configuration considerations Configure the router to use AAA, particularly, local authentication for Telnet users:...
  • Page 78 [Router-ui-vty0-4] authentication-mode scheme [Router-ui-vty0-4] quit # Use RADIUS authentication for user privilege level switching authentication and, if RADIUS authentication is not available, use local authentication. [Router] super authentication-mode scheme local # Create RADIUS scheme rad. [Router] radius scheme rad # Specify the IP address of the primary authentication server as 10.1.1.1, and the port for authentication as 1812.
  • Page 79 A username configured on the RADIUS server is in the format $enablevel$, where level specifies the privilege level to which the user wants to switch. Figure 21 Configuring a username for privilege level switching (take $enab1$ for example) Figure 22 List of the usernames for privilege level switching Verifying the configuration After the configuration is complete, the user can Telnet to the router and use username test@bbb and password aabbcc to enter the user interface of the router, and access all level 0 commands.
  • Page 80: Aaa For Portal Users By A Radius Server

    * Copyright (c) 2010-2016 Hewlett Packard Enterprise Development LP * Without the owner's prior written consent, * no decompiling or reverse-engineering shall be allowed. ****************************************************************************** Login authentication Username:test@bbb Password: <Router> ? User view commands: cluster Run cluster command display Display current system information ping Ping function quit...
  • Page 81 On the RADIUS server, add a service that charges 120 dollars for up to 120 hours per month, and configure a user and register the service for the user. Set the shared keys for secure RADIUS communication to expert. Set the ports for authentication/authorization and accounting to 1812 and 1813, respectively.
  • Page 82 Figure 24 Adding the router as an access device Add a service: a. Click the Service tab. b. From the navigation tree, select User Access Manager > Service Configuration. c. Click Add to configure a service as follows: − Enter Portal auth/acct as the service name. −...
  • Page 83 Figure 26 Adding an access user account Configuring the portal server In this section, the RADIUS server runs on IMC PLAT 5.0 (E0101H03) and IMC UAM 5.0 SP1 (E0101P03). Configure the portal server: a. Click the Service tab. b. From the navigation tree, select User Access Manager > Portal Service Management > Server.
  • Page 84 − Set the start IP address to 192.168.1.1 and the end IP address to 192.168.1.255. Make sure the IP address group contains the IP address of the host. − Select the action Normal. c. Click OK. Figure 28 Adding an IP address group Configure the router as a portal device: a.
  • Page 85 − Enter the port group name. − Select an IP address group you just configured from the IP Group list. c. Leave the default settings for other parameters and click OK. Figure 30 Device list Figure 31 Associating the portal device with IP address group From the navigation tree, select User Access Manager >...
  • Page 86 [Router-Ethernet1/1] quit Verifying the configuration The user can initiate portal authentication by using the HPE iNode client or by accessing a Web page. All the initiated Web requests will be redirected to the portal authentication page at http://10.1.1.1:8080/portal. Before passing portal authentication, the user can access only the authentication page.
  • Page 87: Radius Authentication And Authorization For Telnet Users By A Network Device

    RADIUS authentication and authorization for Telnet users by a network device The following matrix shows the feature and hardware compatibility: Hardware Feature compatibility MSR900 MSR93X MSR20-1X MSR20 MSR30 MSR50 MSR1000 Network requirements As shown in Figure 32, configure Router B as the RADIUS server to provide user authentication and authorization on port 1645.
  • Page 88: Troubleshooting Aaa

    # Set the source IP address for outgoing RADIUS packets as 10.1.1.1. [RouterA-radius-rad] nas-ip 10.1.1.1 # Configure the RADIUS server type as standard. When a network device is configured to be a RADIUS server, the server type must be set to standard. [RouterA-radius-rad] server-type standard [RouterA-radius-rad] quit # Create ISP domain bbb.
  • Page 89 Analysis Possible reasons include: • A communication failure exists between the NAS and the RADIUS server. • The username is not in the format userid@isp-name or the ISP domain is not correctly configured on the NAS. • The user is not configured on the RADIUS server. •...
  • Page 90: Troubleshooting Hwtacacs

    Solution Check that: • The accounting port number is correctly configured. • The accounting server IP address is correctly configured on the NAS. Troubleshooting HWTACACS Similar to RADIUS troubleshooting. See "Troubleshooting RADIUS."...
  • Page 91: 802.1X Overview

    802.1X overview 802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for securing wireless LANs (WLANs), and it has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
  • Page 92: 802.1X-Related Protocols

    Performs bidirectional traffic control to deny traffic to and from the client. • Performs unidirectional traffic control to deny traffic from the client. The HPE devices support only unidirectional traffic control. 802.1X-related protocols 802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the network access device, and the authentication server.
  • Page 93: Eap Over Radius

    • Code—Type of the EAP packet. Options include Request (1), Response (2), Success (3), or Failure (4). • Identifier—Used for matching Responses with Requests. • Length—Length (in bytes) of the EAP packet. The length is the sum of the Code, Identifier, Length, and Data fields.
  • Page 94: Initiating 802.1X Authentication

    01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client and the authentication server does not support the multicast address, use an 802.1X client, the HPE iNode 802.1X client for example, that can send broadcast EAPOL-Start packets.
  • Page 95: Comparing Eap Relay And Eap Termination

    EAP authentication and the "username + password" EAP authentication initiated by an HPE iNode 802.1X client. EAP termination: Works with any RADIUS server that supports PAP or CHAP authentication. • The processing is complex on the network access device. EAP relay Figure 41 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that...
  • Page 96 Figure 41 802.1X authentication procedure in EAP relay mode Client Device Authentication server EAPOR EAPOL (1) EAPOL-Start (2) EAP-Request/Identity (3) EAP-Response/Identity (4) RADIUS Access-Request (EAP-Response/Identity) (5) RADIUS Access-Challenge (EAP-Request/MD5 challenge) (6) EAP-Request/MD5 challenge (7) EAP-Response/MD5 challenge (8) RADIUS Access-Request (EAP-Response/MD5 challenge) (9) RADIUS Access-Accept (EAP-Success) (10) EAP-Success...
  • Page 97: Eap Termination

    10. Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP-Success packet to the client, and sets the controlled port in the authorized state so the client can access the network. 11. After the client comes online, the network access device periodically sends handshake requests to check whether the client is still online.
  • Page 98 MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.
  • Page 99: Configuring 802.1X

    Configuring 802.1X This chapter describes how to configure 802.1X on an HPE device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network, a WLAN, for example, that requires different authentication methods for different users on a port.
  • Page 100 VLAN remains unchanged. The network device assigns a hybrid port to an 802.1X guest VLAN as an untagged member. For more information about VLAN configuration, see HPE FlexNetwork MSR Router Series Comware 5 Layer 2—LAN Switching Configuration Guide. Auth-Fail VLAN Auth-Fail VLAN is not supported on ports that perform MAC-based access control.
  • Page 101 For more information about VLAN configuration, see HPE FlexNetwork MSR Router Series Comware 5 Layer 2—LAN Switching Configuration Guide. Critical VLAN Critical VLAN is not supported on ports that perform MAC-based access control. Configure an 802.1X critical VLAN on a port to accommodate 802.1X users that fail authentication because none of the RADIUS authentication servers in their ISP domain is reachable (active).
  • Page 102: Configuration Prerequisites

    • If MAC-based access control is used, the port sends a unicast Identity EAP/Request to the 802.1X user to trigger authentication. • If port-based access control is used, the port sends a multicast Identity EAP/Request to the 802.1X users to trigger authentication. ACL assignment The following matrix shows the feature and hardware compatibility: Hardware...
  • Page 103: Enabling 802.1X

    • If the PVID of a port is a voice VLAN, the 802.1X function cannot take effect on the port. For more information about voice VLANs, see HPE FlexNetwork MSR Router Series Comware 5 Layer 2—LAN Switching Configuration Guide. •...
  • Page 104: Setting The Port Authorization State

    • The client is an HPE iNode 802.1X client and initiates only the username and password EAP authentication. If EAP termination is used, you can enable either PAP or CHAP authentication on the access device. However, if the password is required to be transmitted in cipher text, you must use CHAP authentication on the access device.
  • Page 105: Specifying An Access Control Method

    Step: Set the port authorization state in system view or Ethernet interface view.
    Command: • In system view: dot1x port-control { authorized-force | auto | unauthorized-force } [ interface interface-list ] • In Ethernet interface view: a. interface interface-type interface-number ...
    Remarks: By default, auto applies.
  • Page 106: Setting The Maximum Number Of Authentication Request Attempts

    Setting the maximum number of authentication request attempts The network access device retransmits an authentication request if it receives no response to the request it has sent to the client within a period of time (specified by using the dot1x timer tx-period tx-period-value command or the dot1x timer supp-timeout supp-timeout-value command).
  • Page 107: Configuration Guidelines

    Before you enable the proxy detection function, complete the following tasks: • Enable the online user handshake function (see "Configuring the online user handshake function"). • Deploy HPE iNode client software in your network. To configure the proxy detection function: Step Command Remarks Enter system view.
  • Page 108: Configuring The Authentication Trigger Function

    Step: Enable the proxy detection function on one or more ports in system view or Ethernet interface view.
    Command: • In system view: dot1x supp-proxy-check { logoff | trap } interface interface-list • In Ethernet interface view: a. interface interface-type ...
    Remarks: By default, the function is disabled.
  • Page 109: Specifying A Mandatory Authentication Domain On A Port

    Step: Enter Ethernet interface view. Command: interface interface-type interface-number
    Step: Enable an authentication trigger. Command: dot1x { multicast-trigger | unicast-trigger } Remarks: Required if you want to enable the unicast trigger. By default, the multicast trigger is enabled, and the unicast trigger is disabled.
    Specifying a mandatory authentication domain on a port You can place all 802.1X users in a mandatory authentication domain for authentication,...
  • Page 110: Enabling The Periodic Online User Re-Authentication Function

    VLAN tagged traffic. • You cannot specify a VLAN as both a super VLAN and an 802.1X guest VLAN. For more information about super VLAN, see HPE FlexNetwork MSR Router Series Comware 5 Layer 2—LAN Switching Configuration Guide.
  • Page 111: Configuration Prerequisites

    • You cannot specify a VLAN as both a super VLAN and an 802.1X Auth-Fail VLAN. For more information about super VLAN, see HPE FlexNetwork MSR Router Series Comware 5 Layer 2—LAN Switching Configuration Guide. Configuration prerequisites •...
  • Page 112: Configuring An 802.1X Critical Vlan

    • You cannot specify a VLAN as both a super VLAN and an 802.1X critical VLAN. For information about super VLANs, see HPE FlexNetwork MSR Router Series Comware 5 Layer 2—LAN Switching Configuration Guide. Configuration prerequisites •...
  • Page 113: Specifying Supported Domain Name Delimiters

    Specifying supported domain name delimiters By default, the access device supports the at sign (@) as the delimiter. You can also configure the access device to accommodate 802.1X users that use other domain name delimiters. The configurable delimiters include the at sign (@), backslash (\), and forward slash (/). If an 802.1X username string contains multiple configured delimiters, the leftmost delimiter is the domain name delimiter.
  • Page 114: Displaying And Maintaining 802.1X

    Step: Enter system view. Command: system-view
    Step: Enter Layer 2 Ethernet interface view. Command: interface interface-type interface-number
    Step: Enable the 802.1X MAC address binding feature. Command: dot1x binding-mac enable Remarks: By default, the 802.1X MAC address binding feature is disabled.
    Step: Manually configure 802.1X MAC ... Command: dot1x binding-mac mac-address ... Remarks: Optional. By default, no 802.1X MAC address binding...
  • Page 115: Configuration Procedure

    Figure 43 Network diagram Configuration procedure Configure the 802.1X client. If HPE iNode is used, do not select the Carry version info option in the client configuration. (Details not shown.) Configure the RADIUS servers and add user accounts for the 802.1X users. (Details not shown.)
  • Page 116: Verifying The Configuration

    [Device-radius-radius1] quit NOTE: The access device must use the same username format as the RADIUS server. If the RADIUS server includes the ISP domain name in the username, so must the access device. Configure the ISP domain: # Create the ISP domain aabbcc.net and enter its view. [Device] domain aabbcc.net # Apply the RADIUS scheme radius1 to the ISP domain, and specify local authentication as the secondary authentication method.
  • Page 117: Configuration Procedure

    The following configuration procedure covers most AAA/RADIUS configuration commands on the device. The configuration on the 802.1X client and RADIUS server is not shown. For more information about AAA/RADIUS configuration commands, see HPE FlexNetwork MSR Router Series Comware 5 Security Command Reference.
  • Page 118 [Device] vlan 1 [Device-vlan1] port ethernet 1/2 [Device-vlan1] quit [Device] vlan 10 [Device-vlan10] port ethernet 1/1 [Device-vlan10] quit [Device] vlan 2 [Device-vlan2] port ethernet 1/4 [Device-vlan2] quit [Device] vlan 5 [Device-vlan5] port ethernet 1/3 [Device-vlan5] quit Configure a RADIUS scheme: # Configure RADIUS scheme 2000 and enter its view.
  • Page 119: Verifying The Configuration

    For information about AAA and RADIUS configuration commands, see HPE FlexNetwork MSR Router Series Comware 5 Security Command Reference. Configure the 802.1X client. Make sure the client is able to update its IP address after the access port is assigned to the 802.1X guest VLAN or a server-assigned VLAN.
  • Page 120: Verifying The Configuration

    [Device-radius-2000] primary authentication 10.1.1.1 1812 [Device-radius-2000] primary accounting 10.1.1.2 1813 [Device-radius-2000] key authentication abc [Device-radius-2000] key accounting abc [Device-radius-2000] user-name-format without-domain [Device-radius-2000] quit # Create an ISP domain and specify the RADIUS scheme 2000 as the default AAA schemes for the domain.
  • Page 121: Configuring Ead Fast Deployment

    Configuring EAD fast deployment Overview Endpoint Admission Defense (EAD) is an integrated endpoint access control solution of Hewlett Packard Enterprise, which enables the security client, security policy server, access device, and third-party server to work together to improve the threat defensive capability of a network. If a terminal device seeks to access an EAD network, it must have an EAD client, which performs 802.1X authentication.
  • Page 122: Configuration Prerequisites

    Configuration prerequisites • Enable 802.1X globally. • Enable 802.1X on the port, and set the port authorization mode to auto. Configuring a free IP When a free IP is configured, the EAD fast deployment is enabled. To allow a user to obtain a dynamic IP address before passing 802.1X authentication, make sure the DHCP server is on the free IP segment.
  • Page 123: Displaying And Maintaining Ead Fast Deployment

    Step: Set the EAD rule timer. Command: dot1x timer ead-timeout ead-timeout-value Remarks: The default timer is 30 minutes.
    Displaying and maintaining EAD fast deployment
    Task: Display 802.1X session information, statistics, or ... Command: display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | ... Remarks: Available in any view.
  • Page 124: Configuration Procedure

    Figure 46 Network diagram In addition to the configuration on the access device, complete the following tasks: • Configure the DHCP server so that the host can obtain an IP address on the segment of 192.168.1.0/24. • Configure the web server so that users can log in to the web page to download 802.1X clients. •...
  • Page 125: Verifying The Configuration

    [Device] dot1x url http://192.168.2.3 # Enable 802.1X globally. [Device] dot1x # Enable 802.1X on the port. [Device] interface ethernet 1/1 [Device-Ethernet1/1] dot1x Verifying the configuration Use the display dot1x command to display the 802.1X configuration. After the host obtains an IP address from a DHCP server, use the ping command from the host to ping an IP address on the network segment specified by free IP.
  • Page 126 Solution Enter a dotted decimal IP address that is not in any free IP segment. Ensure that the network access device and the server are correctly configured.
  • Page 127: Configuring Mac Authentication

    Configuring MAC authentication Overview MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software and users do not need to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port.
  • Page 128: Mac Authentication Timers

    MAC authentication timers MAC authentication uses the following timers: • Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards the user idle. If a user connection has been idle for two consecutive intervals, the device logs the user out and stops accounting for the user.
  • Page 129: Configuration Task List

    Configuration task list
    Basic configuration for MAC authentication: • Configuring MAC authentication globally • Configuring MAC authentication on a port (Required.)
    Specifying a MAC authentication domain (Optional.)
    Configuring MAC authentication delay (Optional.)
    Basic configuration for MAC authentication Before you perform basic configuration for MAC authentication, complete the following tasks: •...
  • Page 130: Configuring Mac Authentication On A Port

    Configuring MAC authentication on a port The following matrix shows the feature of configuring MAC authentication for a list of ports in system view and hardware compatibility: Hardware Feature compatibility MSR900 MSR93X MSR20-1X MSR20 MSR30 MSR50 MSR1000 You cannot add a MAC authentication enabled port into a link aggregation group, or enable MAC authentication on a port already in a link aggregation group.
  • Page 131: Specifying A Mac Authentication Domain

    Specifying a MAC authentication domain By default, MAC authentication users are in the system default authentication domain. To implement different access policies for users, you can specify authentication domains for MAC authentication users in the following ways: • Specify a global authentication domain in system view. This domain setting applies to all ports. •...
  • Page 132: Displaying And Maintaining Mac Authentication

    Displaying and maintaining MAC authentication
    Task: Display MAC authentication information. Command: display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] Remarks: Available in any view.
    Task: Clear MAC authentication statistics. Command: reset mac-authentication Remarks: Available in user view.
  • Page 133: Radius-Based Mac Authentication Configuration Example

    # Specify the ISP domain for MAC authentication. [Device] mac-authentication domain aabbcc.net # Set the MAC authentication timers. [Device] mac-authentication timer offline-detect 180 [Device] mac-authentication timer quiet 180 # Configure MAC authentication to use MAC-based accounts. The MAC address usernames and passwords are hyphenated and in lowercase.
  • Page 134 • The device detects whether a user has gone offline every 180 seconds. If a user fails authentication, the device does not authenticate the user within 180 seconds. • All MAC authentication users belong to ISP domain 2000 and share the user account aaa with password 123456.
  • Page 135: Acl Assignment Configuration Example

    [Device] mac-authentication user-name-format fixed account aaa password simple 123456 Verifying the configuration # Display MAC authentication settings and statistics. <Device> display mac-authentication MAC address authentication is enabled. User name format is fixed account Fixed username:aaa Fixed password: ****** Offline detect period is 180s Quiet period is 180s.
  • Page 136 Figure 49 Network diagram Configuration procedure Make sure the RADIUS server and the access device can reach each other. Configure the ACL assignment on the device: Configure ACL 3000 to deny packets destined for 10.0.0.1. <Sysname> system-view [Sysname] acl number 3000 [Sysname-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0 [Sysname-acl-adv-3000] quit Configure RADIUS-based MAC authentication on the device:...
  • Page 137 Configure the RADIUS servers: Add a user account with 00-e0-fc-12-34-56 as both the username and password on the RADIUS server, and specify ACL 3000 as the authorization ACL for the user account. (Details not shown.) Verifying the configuration # After the host passes authentication, use the display connection command on the device to display online user information.
  • Page 138: Configuring Port Security

    Port security is available on Ethernet and WLAN ports. Supported port types depend on the command. For more information, see HPE FlexNetwork MSR Router Series Comware 5 Security Command Reference. For scenarios that require only 802.1X authentication or MAC authentication, Hewlett Packard Enterprise recommends that you use the 802.1X authentication or MAC authentication feature...
  • Page 139 • Authentication—Implements MAC authentication, 802.1X authentication, or a combination of the two authentication methods. Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC address or performs authentication, depending on the security mode.
  • Page 140 MAC address learning is disabled on a port in secure mode. You configure MAC addresses by using the mac-address static and mac-address dynamic commands. For more information about configuring MAC address table entries, see HPE FlexNetwork MSR Router Series Comware 5 Layer 2—LAN Switching Configuration Guide.
  • Page 141: Support For Wlan

    For wired users, the port performs MAC authentication 30 seconds after receiving non-802.1X frames and performs 802.1X authentication upon receiving 802.1X frames. For wireless users, the port performs 802.1X authentication first. If 802.1X authentication fails, MAC authentication is performed. • macAddressOrUserLoginSecureExt This mode is similar to the macAddressOrUserLoginSecure mode except that this mode supports multiple 802.1X and MAC authentication users.
  • Page 142: Working With Guest Vlan And Auth-Fail Vlan

    • macAddressAndPresharedKey mode—The maximum number of PSK users on the port is the MAC authentication feature's limit on the number of concurrent users or port security's limit on the number of MAC addresses, whichever is smaller. The actual maximum number of PSK users on the port also depends on the total number of PSK users that the system can support.
  • Page 143: Setting Port Security's Limit On The Number Of Mac Addresses On A Port

    Step: Enter system view. Command: system-view
    Step: Enable port security. Command: port-security enable Remarks: By default, port security is disabled. You can use the undo port-security enable command to disable port security when no online users are present. Enabling or disabling port security resets the following security settings to the default: •...
  • Page 144: Configuration Prerequisites

    Port security mode compatibility Hardware autoLearn secure userLogin MSR20-1X MSR20 Supported only on FSW Supported only on Supported only on modules installed on MSR MSR30 MSR30-11E and MSR30-11E and 30 series except for MSR30-11F MSR30-11F MSR30-11E and MSR30-11F Supported only on FSW MSR50 modules MSR1000...
  • Page 145: Configuring Port Security Features

    Step: Set an OUI value for user authentication. Command: port-security oui oui-value index index-value Remarks: Required for the userlogin-withoui mode. Not configured by default. To set multiple OUI values, repeat this step.
    Step: Enter interface view. Command: interface interface-type ... Remarks: To specify the autoLearn or userloginWithOUI mode, you ...
  • Page 146: Configuring Intrusion Protection

    Step: Enter system view. Command: system-view
    Step: Enter interface view. Command: interface interface-type interface-number
    Step: Configure the NTK feature. Command: port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly } Remarks: By default, NTK is disabled on a port and all frames are allowed to be sent.
  • Page 147: Configuring Secure Mac Addresses

    To enable port security traps:
    Step: Enter system view. Command: system-view
    Step: Enable port security traps. Command: port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon } Remarks: By default, port security traps are disabled.
    Configuring secure MAC addresses Secure MAC addresses are configured or learned in autoLearn mode and can survive link down/up...
  • Page 148: Configuration Prerequisites

    Configuration prerequisites • Enable port security. • Set port security's limit on the number of MAC addresses on the port. Perform this task before you enable autoLearn mode. • Set the port security mode to autoLearn. Configuration procedure To configure a secure MAC address: Step Command Remarks...
  • Page 149: Setting The Port Security Mode Of A Wlan Port

    For more information about WLAN service templates, see HPE FlexNetwork MSR Router Series Comware 5 WLAN Configuration Guide. By default, an 802.1X-enabled access device periodically multicasts Identity EAP-Request packets out of ports to detect 802.1X clients and trigger authentication. To save the bandwidth of WLAN ports, Hewlett Packard Enterprise recommends that you disable the multicast trigger function (see "Configuring 802.1X").
  • Page 150: Configuring A Psk

    Step: Enter interface view. Command: interface interface-type interface-number
    Step: Enable key negotiation of the 11key type. Command: port-security tx-key-type 11key Remarks: Disabled by default.
    Configuring a PSK A PSK pre-configured on the device is used to negotiate the session key between the user and the device.
  • Page 151: Port Security Configuration Examples

    Task: Display information about blocked MAC addresses. Command: display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] [ | { begin | exclude | include } regular-expression ] Remarks: Available in any view.
    Task: Display information about PSK ... Command: display port-security preshared-key user Remarks: Available in any...
  • Page 152 Verifying the configuration
    # Display the port security configuration.
    <Device> display port-security interface ethernet 1/1
    Equipment port-security is enabled
    Intrusion trap is enabled
    AutoLearn aging time is 30 minutes
    Disableport Timeout: 30s
    OUI value:
    Ethernet1/1 is link-up
    Port mode is autoLearn
    NeedToKnow mode is disabled
    Intrusion Protection mode is DisablePortTemporarily
    Max MAC address number is 64...
  • Page 153: Configuring The Userloginwithoui Mode

    # Execute the display interface command, and you can see that the port security feature has disabled the port.
    [Device-Ethernet1/1] display interface ethernet 1/1
    Ethernet1/1 current state: DOWN (Port Security Disabled)
    IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-cb00-5558
    Description: Ethernet1/1 Interface...
  • Page 154 Configuration procedure
    The following configuration steps cover some AAA/RADIUS configuration commands. For more information about the commands, see HPE FlexNetwork MSR Router Series Comware 5 Security Command Reference. Configuration procedures for the host and RADIUS servers are not shown.
    Configure the RADIUS protocol:
    # Configure a RADIUS scheme named radsun.
  • Page 155
    SchemeName : radsun
    Index : 1
    Type : standard
    Primary Auth Server:
    IP: 192.168.1.2 Port: 1812 State: active
    Encryption Key : N/A
    VPN instance : N/A
    Probe username : N/A
    Probe interval : N/A
    Primary Acct Server:
    IP: 192.168.1.3 Port: 1813 State: active
    Encryption Key : N/A
    VPN instance...
  • Page 156
    # Display the port security configuration.
    <Device> display port-security interface ethernet 1/1
    Equipment port-security is enabled
    Trap is disabled
    Disableport Timeout: 20s
    OUI value:
    Index is 1, OUI value is 123401
    Index is 2, OUI value is 123402
    Index is 3, OUI value is 123403
    Index is 4, OUI value is 123404...
  • Page 157: Configuring The Macaddresselseuserloginsecure Mode

    Periodic reauthentication is disabled
    The port is an authenticator
    Authentication Mode is Auto
    Port Control Type is Mac-based
    802.1X Multicast-trigger is enabled
    Mandatory authentication domain: NOT configured
    Guest VLAN: NOT configured
    Auth-Fail VLAN: NOT configured
    Critical VLAN: NOT configured
    Critical recovery-action: NOT configured
    Max number of on-line users is 256
    EAPOL Packet: Tx 16331, Rx 102
    Sent EAP Request/Identity Packets : 16316...
  • Page 158 Configuration procedure
    Configuration procedures for the host and RADIUS servers are not shown.
    Configure the RADIUS protocol:
    Configure the RADIUS authentication/accounting and ISP domain settings the same as in "Configuring the userLoginWithOUI mode."
    Configure port security:
    # Enable port security.
    <Device>...
  • Page 159
    Fixed password:not configured
    Offline detect period is 60s
    Quiet period is 5s
    Server response timeout value is 100s
    The max allowed user number is 1024 per slot
    Current user number amounts to 3
    Current domain is mac
    Silent MAC User info:
    MAC Addr    From Port    Port Index...
  • Page 160: Troubleshooting Port Security

    Authentication Mode is Auto
    Port Control Type is Mac-based
    802.1X Multicast-trigger is enabled
    Mandatory authentication domain: NOT configured
    Guest VLAN: NOT configured
    Auth-Fail VLAN: NOT configured
    Critical VLAN: NOT configured
    Critical recovery-action: NOT configured
    Max number of on-line users is 256
    EAPOL Packet: Tx 16331, Rx 102
    Sent EAP Request/Identity Packets : 16316
    EAP Request/Challenge Packets: 6...
  • Page 161: Cannot Change Port Security Mode When A User Is Online

    [Device-Ethernet1/1] port-security mac-address security 1-1-2 vlan 1
    Error: Security MAC address configuration failed.
    Error:Can not operate security MAC address for current port mode is not autoLearn!
    Analysis
    Secure MAC addresses can be configured only on ports operating in autoLearn mode.
    Solution
    Set the port security mode to autoLearn.
  • Page 162: Configuring Ipsec

    Configuring IPsec
    Overview
    IP Security (IPsec) is a security framework defined by the IETF for securing IP communications. It is a Layer 3 VPN technology that transmits data in a secure tunnel established between two endpoints. IPsec provides the following security services in insecure network environments:
    •...
  • Page 163 Security association
    A security association is an agreement negotiated between two communicating parties called IPsec peers. It comprises a set of parameters for data protection, including security protocols, encapsulation mode, authentication and encryption algorithms, and shared keys and their lifetime. SAs can be set up manually or through IKE.
  • Page 164: Ipsec Implementation On An Encryption Card

    IPsec supports the following hash algorithms for authentication:
    • MD5—Takes a message of arbitrary length as input and produces a 128-bit message digest.
    • SHA-1—Takes a message of less than 2^64 bits in length as input and produces a 160-bit message digest.
    Compared with SHA-1, MD5 is faster but less secure.
  • Page 165: Ipsec Tunnel Interface

    The card processes all IPsec protected packets and hands the processed packets back to the device for forwarding.
    IPsec tunnel interface
    An IPsec tunnel interface is a Layer 3 logical interface. It supports dynamic routing. All packets including multicast packets that are routed to an IPsec tunnel interface are IPsec protected. The IPsec tunnel interface has the following advantages:
    •...
  • Page 166: Ipsec For Ipv6 Routing Protocols

    Figure 54 De-encapsulation process of an IPsec packet
    The router forwards an IPsec packet received on the inbound interface to the forwarding module. Identifying that the destination address of the packet is the tunnel interface and the protocol is AH or ESP, the forwarding module forwards the packet to the IPsec tunnel interface for de-encapsulation.
  • Page 167: Protocols And Standards

    Figure 55 An IPsec VPN
    You can advertise the static routes created by IPsec RRI in the internal network. IPsec RRI can quickly create new routes for forwarding IPsec VPN traffic when an active link fails in a load balanced environment, or when IPsec VPN traffic cannot reach the peer gateway through the default local gateway.
  • Page 168: Implementing Acl-Based Ipsec

    interface-based IPsec"). By using IPsec profiles, this IPsec implementation method simplifies IPsec VPN configuration and management, and improves the scalability of large VPN networks.
    • Application-based IPsec protects the packets of a service. This IPsec implementation method can be used to protect IPv6 routing protocols. It does not require any ACL, nor does it depend on the routing mechanism.
  • Page 169: Configuring An Acl

    Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and 50 respectively. Make sure that flows of these protocols are not denied on the interfaces with IKE or IPsec configured.
    Configuring an ACL
    ACLs can be used to identify traffic.
  • Page 170
    rule 1 deny ip
    acl number 3001
    rule 0 permit ip source 1.1.2.0 0.0.0.255 destination 3.3.3.0 0.0.0.255
    rule 1 deny ip
    ipsec policy test 1 isakmp
    security acl 3000
    ike-peer aa
    transform-set 1
    ipsec policy test 2 isakmp
    security acl 3001
    ike-peer bb
    transform-set 1
    •...
  • Page 171: Configuring An Ipsec Transform Set

    When the anti-replay function is enabled, IPsec will discard the packets beyond the anti-replay window in the inbound direction, resulting in packet loss. For more information about QoS classification rules, see HPE FlexNetwork MSR Router Series Comware 5 ACL and QoS Configuration Guide.
  • Page 172
    Step: Specify the security protocol for the IPsec transform set. Command: transform { ah | ah-esp | esp }. Remarks: Optional. ESP by default. You can configure security algorithms for a security protocol only after you select the protocol. For example, you can specify the ESP-specific security algorithms...
  • Page 173: Configuring An Ipsec Policy

    Configuring an IPsec policy
    IPsec policies define which IPsec transform sets should be used to protect which data flows. An IPsec policy is uniquely identified by its name and sequence number. IPsec policies include the following categories:
    • Manual IPsec policy—The parameters are configured manually, such as the keys, the SPIs, and the IP addresses of the two ends in tunnel mode.
  • Page 174
    Step: Assign an ACL to the IPsec policy. Command: security acl acl-number. Remarks: Not needed for IPsec policies to be applied to IPv6 routing protocols and required for other applications. By default, an IPsec policy references no ACL. The ACL supports match criteria of...
  • Page 175
    • Directly configure it by configuring the parameters in IPsec policy view.
    • Configure it by referencing an existing IPsec policy template with the parameters to be negotiated configured. A device referencing an IPsec policy that is configured in this way cannot initiate SA negotiation but can respond to a negotiation request.
  • Page 176
    Step: Configure an IP address for the local security gateway. Command: local-address { ipv4-address | ipv6 ipv6-address }. Remarks: Optional. By default, the IP address of the interface to which the IPsec policy is applied is used as the local gateway IP address. This command is available only for IKEv2.
  • Page 177
    Step 15: Return to system view. Command: quit
    Step 16: Set the global SA lifetime. Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }. Remarks: Optional. 3600 seconds for time-based SA lifetime by default. 1843200 kilobytes for traffic-based SA lifetime by default.
  • Page 178: Applying An Ipsec Policy Group To An Interface

    Step: Enable and configure the perfect forward secrecy feature. Command: pfs { dh-group1 | dh-group2 | ... Remarks: Optional. By default, the PFS feature is not used for negotiation. If the local end uses PFS, the remote end must also use PFS for negotiation and both ends must use the same DH group.
  • Page 179: Binding An Ipsec Policy, Ipsec Policy Group, Or Ipsec Profile To An Encryption Card

    Step: Enter system view. Command: system-view
    Step: Enter interface view. Command: interface interface-type interface-number
    Step: Apply an IPsec policy group to the interface. Command: ipsec policy policy-name
    Binding an IPsec policy, IPsec policy group, or IPsec profile to an encryption card
    The following matrix shows the feature and hardware compatibility:
    Hardware / Feature compatibility
    MSR900...
  • Page 180: Enabling The Encryption Engine

    Step: Enter encryption card interface view. Command: interface encrypt interface-number
    Step: Bind an IPsec policy, policy group, or IPsec profile to the encryption card. Command: ipsec binding policy policy-name [ seq-number ]. Remarks: By default, an encryption card interface is bound with no IPsec policy, policy group, or IPsec profile. The seq-number argument is not...
  • Page 181: Configuring The Ipsec Session Idle Timeout

    Step: Enter system view. Command: system-view
    Step: Enable the IPsec module backup function. Command: ipsec cpu-backup enable. Remarks: Enabled by default.
    Configuring the IPsec session idle timeout
    An IPsec session is created when the first packet matching an IPsec policy arrives. Also created is an IPsec session entry, which records the quintuplet (source IP address, destination IP address, protocol number, source port, and destination port) and the matched IPsec tunnel.
  • Page 182: Configuring A Shared Source Interface Policy Group

    IPsec packet de-encapsulation involves complicated calculation and consumes large amounts of resources and degrades performance, resulting in DoS. IPsec anti-replay checking, when enabled, is performed before the de-encapsulation process, reducing resource waste. In some cases, however, the sequence numbers of some normal service data packets might be out of the current sequence number range, and the IPsec anti-replay function might drop them as well, affecting the normal communications.
  • Page 183: Configuring Packet Information Pre-Extraction

    IPsec-encapsulated packets. If you want QoS to classify packets by the headers of the original IP packets, enable the packet information pre-extraction feature. For more information about QoS policy and classification, see HPE FlexNetwork MSR Router Series Comware 5 ACL and QoS Configuration Guide.
  • Page 184: Configuring Ipsec Rri

    Step: Enable invalid SPI recovery. Command: ipsec invalid-spi-recovery enable. Remarks: Optional. Disabled by default.
    Configuring IPsec RRI
    IPsec RRI operates in static mode or dynamic mode.
    Static IPsec RRI
    Static IPsec RRI creates static routes based on the destination address information in the ACL that the IPsec policy references.
  • Page 185: Enabling Transparent Data Transmission Without Nat

    Step: Enable IPsec RRI. Command: reverse-route [ remote-peer ip-address [ gateway | static ] | static ]. Remarks: Disabled by default. To enable static IPsec RRI, specify the static keyword. If the static keyword is not specified, dynamic IPsec RRI is enabled.
    Step: Change the preference of ... Remarks: Optional.
  • Page 186: Implementing Tunnel Interface-Based Ipsec

    Step: Enable fragmentation before/after encryption. Command: • To enable fragmentation before encryption: ipsec fragmentation before-encryption enable • To enable fragmentation after encryption: undo ipsec fragmentation ... Remarks: Use either command as needed. By default, fragmentation after encryption is enabled. The IPsec transport mode does not support fragmentation before encryption.
  • Page 187: Configuring An Ipsec Profile

    DVPN is a technology for establishing VPNs between enterprise branches that use dynamic addresses to access the public network. For more information about the DVPN tunnel interface, see HPE FlexNetwork MSR Router Series Comware 5 Layer 3 IP Services Configuration Guide.
    To configure an IPsec profile:...
  • Page 188: Configuring An Ipsec Tunnel Interface

    Step: Specify the IP packet encapsulation mode. Command: encapsulation-mode { transport | tunnel }. Remarks: Optional. Tunnel mode by default. This command is available only for IKEv2. Transport mode applies only when the source and destination IP addresses of data flows match those of the IPsec tunnel.
  • Page 189: Enabling Packet Information Pre-Extraction On The Ipsec Tunnel Interface

    For more information about the interface tunnel, tunnel-protocol, source, and destination commands, see HPE FlexNetwork MSR Router Series Comware 5 Layer 3—IP Services Command Reference. An IPsec profile cannot be applied to both an IPsec tunnel interface and a DVPN tunnel interface simultaneously.
  • Page 190: Applying A Qos Policy To An Ipsec Tunnel Interface

    To implement QoS for IPsec packets, however, you also need to apply a QoS policy to the physical outbound interface. For more information about how to apply a QoS policy to a physical interface, see HPE FlexNetwork MSR Router Series Comware 5 ACL and QoS Configuration Guide. IMPORTANT: When the QoS policy applied to the physical outbound interface provides congestion management, IPsec packets arriving at the destination might be out of order.
  • Page 191: Displaying And Maintaining Ipsec

    Task: Configuring a manual IPsec policy. Remarks: ACLs and IPsec tunnel addresses are not needed.
    Task: Applying an IPsec policy to an IPv6 routing protocol. Remarks: Required. See HPE FlexNetwork MSR Router Series Comware 5 Layer 3—IP Routing Configuration Guide.
    Displaying and maintaining IPsec...
  • Page 192: Ipsec Configuration Examples

    IPsec configuration examples
    Configuring manual mode IPsec tunnel
    Network requirements
    As shown in Figure 58, configure an IPsec tunnel between Router A and Router B to protect data flows between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. Configure the tunnel to use the security protocol ESP, the encryption algorithm DES, and the authentication algorithm SHA1-HMAC-96.
  • Page 193
    # Configure the remote IP address of the tunnel.
    [RouterA-ipsec-policy-manual-map1-10] tunnel remote 2.2.3.1
    # Configure the local IP address of the tunnel.
    [RouterA-ipsec-policy-manual-map1-10] tunnel local 2.2.2.1
    # Configure the SPIs.
    [RouterA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345
    [RouterA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
    # Configure the keys.
  • Page 194: Configuring Ike-Based Ipsec Tunnel

    [RouterB-ipsec-policy-manual-use1-10] sa spi inbound esp 12345
    # Configure the keys.
    [RouterB-ipsec-policy-manual-use1-10] sa string-key outbound esp gfedcba
    [RouterB-ipsec-policy-manual-use1-10] sa string-key inbound esp abcdefg
    [RouterB-ipsec-policy-manual-use1-10] quit
    # Configure the IP address of the serial interface.
    [RouterB] interface serial 2/2
    [RouterB-Serial2/2] ip address 2.2.3.1 255.255.255.0
    # Apply the IPsec policy group to the interface.
  • Page 195
    # Apply the IPsec transform set.
    [RouterA-ipsec-policy-isakmp-map1-10] transform-set tran1
    # Apply the ACL.
    [RouterA-ipsec-policy-isakmp-map1-10] security acl 3101
    # Apply the IKE peer.
    [RouterA-ipsec-policy-isakmp-map1-10] ike-peer peer
    [RouterA-ipsec-policy-isakmp-map1-10] quit
    # Configure the IP address of the serial interface.
    [RouterA] interface serial 2/1
    [RouterA-Serial2/1] ip address 2.2.2.1 255.255.255.0
    # Apply the IPsec policy group to the interface.
  • Page 196: Configuring Encryption Cards For Ipsec Services

    [RouterB-Serial2/2] ip address 2.2.3.1 255.255.255.0
    # Apply the IPsec policy group to the interface.
    [RouterB-Serial2/2] ipsec policy use1
    Verify the configuration:
    After the configuration, IKE negotiation will be triggered to set up SAs when there is traffic between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. If IKE negotiation is successful and SAs are set up, the traffic between the two subnets will be IPsec protected.
  • Page 197
    # Configure the IKE peer.
    [RouterA] ike peer peer
    [RouterA-ike-peer-peer] pre-shared-key abcde
    [RouterA-ike-peer-peer] remote-address 2.2.3.1
    [RouterA-ike-peer-peer] quit
    # Create an IPsec policy that uses IKE for IPsec SA negotiation.
    [RouterA] ipsec policy map1 10 isakmp
    # Apply the IPsec transform set.
    [RouterA-ipsec-policy-isakmp-map1-10] transform-set tran1
    # Apply the ACL.
  • Page 198: Configuring Ipsec Interface Backup

    [RouterB-ipsec-transform-set-tran1] quit
    # Configure the IKE peer.
    [RouterB] ike peer peer
    [RouterB-ike-peer-peer] pre-shared-key abcde
    [RouterB-ike-peer-peer] remote-address 2.2.2.1
    [RouterB-ike-peer-peer] quit
    # Create an IPsec policy that uses IKE for IPsec SA negotiation.
    [RouterB] ipsec policy use1 10 isakmp
    # Apply the ACL.
    [RouterB-ipsec-policy-isakmp-use1-10] security acl 3101
    # Apply the IPsec transform set.
  • Page 199
    Figure 60 Network diagram
    Configuration procedure
    Configure Router A:
    # Define an ACL to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
    <RouterA> system-view
    [RouterA] acl number 3101
    [RouterA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [RouterA-acl-adv-3101] quit
    # Configure an IPsec transform set named tran1.
  • Page 200
    [RouterA-Ethernet1/1] ipsec policy map1
    [RouterA-Ethernet1/1] quit
    # Apply the shared source interface policy group to interface Ethernet 1/2.
    [RouterA] interface ethernet 1/2
    [RouterA-Ethernet1/2] ip address 4.4.4.4 24
    [RouterA-Ethernet1/2] ipsec policy map1
    [RouterA-Ethernet1/2] quit
    # Configure interface Ethernet 1/3.
    [RouterA] interface ethernet 1/3
    [RouterA-Ethernet1/3] ip address 10.1.1.1 24
    [RouterA-Ethernet1/3] quit
    # Configure a static route to Host B.
  • Page 201
    [RouterB] ipsec policy map1 local-address loopback 0
    # Apply the shared source interface policy group to interface Ethernet 1/1.
    [RouterB] interface ethernet 1/1
    [RouterB-Ethernet1/1] ip address 2.2.2.3 24
    [RouterB-Ethernet1/1] ipsec policy map1
    [RouterB-Ethernet1/1] quit
    # Apply the shared source interface policy group to interface Ethernet 1/2.
    [RouterB] interface ethernet 1/2
    [RouterB-Ethernet1/2] ip address 4.4.4.5 24
    [RouterB-Ethernet1/2] ipsec policy map1...
  • Page 202: Configuring Ipsec With Ipsec Tunnel Interfaces

    Configuring IPsec with IPsec tunnel interfaces
    Network requirements
    As shown in Figure 61, the gateway of the branch accesses the Internet through a dial-up line and obtains the IP address dynamically. The headquarters accesses the Internet by using a fixed IP address.
  • Page 203
    [RouterA-ipsec-profile-atob] ike-peer atob
    # Configure the IPsec profile to reference the IPsec transform set method1.
    [RouterA-ipsec-profile-atob] transform-set method1
    [RouterA-ipsec-profile-atob] quit
    # Create tunnel interface Tunnel 1.
    [RouterA] interface tunnel 1
    # Assign IPv4 address 10.1.1.1/24 to tunnel interface Tunnel 1.
    [RouterA-Tunnel1] ip address 10.1.1.1 24
    # Set the tunnel mode of tunnel interface Tunnel 1 to IPsec over IPv4.
  • Page 204
    # Configure the IPsec profile to reference the IPsec transform set method1.
    [RouterB-ipsec-profile-btoa] transform-set method1
    [RouterB-ipsec-profile-btoa] quit
    # Create tunnel interface Tunnel 1. This interface will be used to protect the data flows between Router B and Router A. As the public IP address of the remote peer is not known, you do not need to configure the destination address on the tunnel interface.
  • Page 205
    IPsec policy name: "btoa"
    sequence number: 1
    acl version: None
    mode: tunnel
    -----------------------------
    PFS: N, DH group: none
    tunnel:
    local address: 1.1.1.1
    remote address: 1.1.1.2
    flow :
    sour addr: 0.0.0.0/0.0.0.0 port: 0 protocol: IP
    dest addr: 0.0.0.0/0.0.0.0 port: 0 protocol: IP
    [inbound ESP SAs]
    spi: 0x75B6EF44(1974923076)
    transform: ESP-ENCRYPT-DES ESP-AUTH-MD5...
  • Page 206: Configuring Ipsec For Ripng

    Configuring IPsec for RIPng
    The IPsec configuration procedures for protecting OSPFv3 and IPv6 BGP are similar. For more information about RIPng, OSPFv3, and IPv6 BGP, see HPE FlexNetwork MSR Router Series Comware 5 Layer 3—IP Routing Configuration Guide.
    Network requirements
    As shown in Figure 62, Router A, Router B, and Router C are connected.
  • Page 207
    [RouterA] ipsec policy policy001 10 manual
    [RouterA-ipsec-policy-manual-policy001-10] transform-set tran1
    [RouterA-ipsec-policy-manual-policy001-10] sa spi outbound esp 123456
    [RouterA-ipsec-policy-manual-policy001-10] sa spi inbound esp 123456
    [RouterA-ipsec-policy-manual-policy001-10] sa string-key outbound esp abcdefg
    [RouterA-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg
    [RouterA-ipsec-policy-manual-policy001-10] quit
    # Apply IPsec policy policy001 to the RIPng process.
    [RouterA] ripng 1
    [RouterA-ripng-1] enable ipsec-policy policy001
    [RouterA-ripng-1] quit...
  • Page 208
    # Create a RIPng process and enable it on Ethernet 1/1.
    <RouterC> system-view
    [RouterC] ripng 1
    [RouterC-ripng-1] quit
    [RouterC] interface ethernet 1/1
    [RouterC-Ethernet1/1] ripng 1 enable
    [RouterC-Ethernet1/1] quit
    # Create an IPsec transform set named tran1, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and the authentication algorithm to SHA1-HMAC-96.
  • Page 209: Configuring Ipsec Rri

    # Execute the display ipsec sa command on Router A to view the information about the inbound and outbound SAs.
    <RouterA> display ipsec sa
    ===============================
    Protocol: RIPng
    ===============================
    -----------------------------
    IPsec policy name: "policy001"
    sequence number: 10
    acl version: none
    mode: manual
    -----------------------------
    PFS: N, DH group: none
    tunnel:...
  • Page 210
    Figure 63 Network diagram (Headquarters: Router A with Eth1/1 1.1.1.1/16 and Eth1/2 10.4.4.1/24, Host A 10.4.4.4/24; Branch: Router B with Eth1/1 2.2.2.2/16 and Eth1/2 10.5.5.1/24, Host B 10.5.5.5/24; the two routers are connected across the Internet)
    Configuration procedure
    Assign IPv4 addresses to the interfaces on the routers according to Figure 63. Make sure Router A and Router B can reach each other.
  • Page 211
    [RouterA-ipsec-policy-isakmp-map1-10] ike-peer peer
    # Enable dynamic IPsec RRI and use 1.1.1.2 as the next hop of the static route.
    [RouterA-ipsec-policy-isakmp-map1-10] reverse-route remote-peer 1.1.1.2
    [RouterA-ipsec-policy-isakmp-map1-10] quit
    # Apply IPsec policy map1 to interface Ethernet 1/1.
    [RouterA] interface ethernet 1/1
    [RouterA-Ethernet1/1] ipsec policy map1
    [RouterA-Ethernet1/1] quit
    Configure Router B:
    # Configure ACL 3101 to identify traffic from subnet 10.5.5.0/24 to subnet 10.4.4.0/24.
  • Page 212
    # Send traffic from subnet 10.5.5.0/24 to subnet 10.4.4.0/24, or from subnet 10.4.4.0/24 to 10.5.5.0/24. IKE negotiation is triggered to establish IPsec SAs between Router A and Router B.
    # Display the routing table on Router A.
    [RouterA] display ip routing-table
    Routing Tables: Public
    Destinations : 8        Routes : 8...
  • Page 213: Configuring Ike

    Configuring IKE
    Overview
    Built on a framework defined by the Internet Security Association and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec, simplifying the application, management, configuration and maintenance of IPsec dramatically.
  • Page 214: Ike Functions

    Figure 64 IKE exchange process in main mode
    As shown in Figure 64, the main mode of IKE negotiation in phase 1 involves three pairs of messages:
    • SA exchange—Used for negotiating the security policy.
    • Key exchange—Used for exchanging the DH public value and other values like the random number.
  • Page 215: Relationship Between Ike And Ipsec

    FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see HPE FlexNetwork MSR Router Series Comware 5 Security Configuration Guide.
  • Page 216: Ike Configuration Task List

    Hardware / FIPS mode
    MSR50
    MSR1000
    IKE configuration task list
    Determine the following parameters prior to IKE configuration:
    • The strength of the algorithms for IKE negotiation (the security protection level), including the identity authentication method, encryption algorithm, authentication algorithm, and DH group. Different algorithms provide different levels of protection.
  • Page 217: Configuring An Ike Proposal

    Configuring an IKE proposal An IKE proposal defines a set of attributes describing how IKE negotiation should take place. You can create multiple IKE proposals with different preferences. The preference of an IKE proposal is represented by its sequence number. The lower the sequence number, the higher the preference. Two peers must have at least one matching IKE proposal for successful IKE negotiation.
  • Page 218: Configuring An Ike Peer

    Step: Set the ISAKMP SA lifetime for the IKE proposal. Command: sa duration seconds. Remarks: Optional. 86400 seconds by default. Before an ISAKMP SA expires, IKE negotiates a new SA to replace it. DH calculation in IKE negotiation takes time, especially on low-end devices. To prevent SA updates from influencing normal communication, set the lifetime greater than 10...
  • Page 219
    Step: Specify the IKE proposals for the IKE peer to reference. Command: proposal proposal-number&<1-6>. Remarks: Optional. By default, an IKE peer references no IKE proposals, and, when initiating IKE negotiation, it uses the IKE proposals configured in system view. If the IKE negotiation mode in phase 1 is aggressive, only the first IKE proposal specified for the IKE peer takes effect.
  • Page 220: Setting Keepalive Timers

    Step 12: Set the subnet types of the two ends. Command: • Set the subnet type of the local end: local { multi-subnet | single-subnet } • Set the subnet type of the peer end: ... Remarks: Optional. The default subnet type is single-subnet. Use these two commands only when the device is working...
  • Page 221: Configuring A Dpd Detector

    to the intended end. To prevent NAT mappings from being aged, an ISAKMP SA behind the NAT security gateway sends NAT keepalive packets to its peer at a certain interval to keep the NAT session alive. To set the NAT keepalive timer: Step Command Remarks...
  • Page 222: Displaying And Maintaining Ike

    Step: Disable Next payload field checking. Command: ike next-payload check disabled. Remarks: Enabled by default.
    Displaying and maintaining IKE
    Task: Display IKE DPD information. Command: display ike dpd [ dpd-name ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
    Task: Display IKE peer information. Command: display ike peer [ peer-name ] [ | { begin | ...
  • Page 223 Configuration procedure
    Make sure that Router A and Router B can reach each other.
    Configure Router A:
    # Configure ACL 3101 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
    <RouterA> system-view
    [RouterA] acl number 3101
    [RouterA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [RouterA-acl-adv-3101] quit
    # Create IPsec transform set tran1.
  • Page 224
    [RouterA-Ethernet1/2] ip address 10.1.1.1 255.255.255.0
    [RouterA-Ethernet1/2] quit
    # Assign an IP address to interface Ethernet 1/1.
    [RouterA] interface ethernet 1/1
    [RouterA-Ethernet1/1] ip address 1.1.1.1 255.255.255.0
    # Apply the IPsec policy to interface Ethernet 1/1.
    [RouterA-Ethernet1/1] ipsec policy map1
    # Configure a static route to subnet 10.1.2.0/24.
    [RouterA] ip route-static 10.1.2.0 255.255.255.0 2.2.2.2
    Configure Router B:
    # Configure ACL 3101 to identify traffic from subnet 10.1.2.0/24 to subnet 10.1.1.0/24.
  • Page 225
    [RouterB] interface ethernet 1/1
    [RouterB-Ethernet1/1] ip address 2.2.2.2 255.255.255.0
    # Apply the IPsec policy to interface Ethernet 1/1.
    [RouterB-Ethernet1/1] ipsec policy use1
    # Configure a static route to subnet 10.1.1.0/24.
    [RouterB] ip route-static 10.1.1.0 255.255.255.0 1.1.1.1
    Verify the configuration:
    # Check the IKE proposal configuration.
    [RouterA] display ike proposal
    priority  authentication  authentication  encryption  Diffie-Hellman  duration
              method...
  • Page 226: Configuring Aggressive Mode Ike With Nat Traversal

    tunnel:
    local address: 1.1.1.1
    remote address: 2.2.2.2
    flow:
    sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: IP
    dest addr: 10.1.2.0/255.255.255.0 port: 0 protocol: IP
    [inbound ESP SAs]
    spi: 0x3D6D3A62(1030568546)
    transform: ESP-ENCRYPT-DES ESP-AUTH-SHA1
    in use setting: Tunnel
    connection id: 1
    sa duration (kilobytes/sec): 1843200/3600
    sa remaining duration (kilobytes/sec): 1843199/3590
    anti-replay detection: Enabled
    anti-replay window size(counter based): 32...
  • Page 227 Configuration guidelines
    The IKE negotiation mode must be aggressive because Router B uses a dynamic IP address. You must configure NAT traversal at both ends of the IPsec tunnel because one end of the tunnel uses a public IP address but the other end uses a private IP address.
    Configuration procedure
    Configure Router A:
    # Specify a name for the local security gateway.
  • Page 228
    [RouterA-Serial2/0] ipsec policy policy
    [RouterA-Serial2/0] quit
    # Configure the IP address of interface Ethernet 1/1.
    [RouterA] interface ethernet 1/1
    [RouterA-Ethernet1/1] ip address 172.16.0.1 255.255.255.0
    [RouterA-Ethernet1/1] quit
    # Configure a static route to the branch LAN.
    [RouterA] ip route-static 192.168.0.0 255.255.255.0 serial 2/0
    Configure Router B:
    # Specify a name for the local security gateway.
  • Page 229: Troubleshooting Ike

    [RouterB-ipsec-policy-isakmp-policy-10] quit
    # Create a dialer rule.
    [RouterB] dialer-rule 1 ip permit
    # Configure dialer interface Dialer 0. Use the username and password assigned by the ISP for dial and PPP authentication.
    [RouterB] interface dialer 0
    [RouterB-Dialer0] link-protocol ppp
    [RouterB-Dialer0] ppp pap local-user test password simple 123456
    [RouterB-Dialer0] ip address ppp-negotiate
    [RouterB-Dialer0] dialer user 1
    [RouterB-Dialer0] dialer-group 1...
  • Page 230: Proposal Mismatch

    got NOTIFY of type INVALID_ID_INFORMATION
    drop message from A.B.C.D due to notification type INVALID_ID_INFORMATION
    Solution
    Verify that the ACLs in the IPsec policies configured on the interfaces at both ends are compatible. Configure the ACLs to mirror each other. For more information about ACL mirroring, see "Configuring IPsec."...
  • Page 231: Acl Configuration Error

    ACL configuration error
    Symptom
    ACL configuration error results in data flow blockage.
    Analysis
    When multiple devices set up different IPsec tunnels at different times, a device might have multiple peers. If the device is not configured with ACL rules, the peers send packets to it to set up different IPsec tunnels, each with a different protection granularity.
  • Page 232: Configuring Ikev2

    Configuring IKEv2 Overview Internet Key Exchange version 2 (IKEv2) is an enhanced version of IKEv1. Like IKEv1, IKEv2 has a set of self-protection mechanisms and can be used on insecure networks to provide reliable identity authentication, key distribution, and IPsec SA establishment services. IKEv2 provides stronger protection against attacks and higher key exchange capability, and needs fewer protocol message exchanges than IKEv1.
  • Page 233: Protocols And Standards

    respond. If the initiator's guess is correct, the IKE_SA_INIT exchange is finished at the cost of two messages. If the guess is wrong, the responder will respond with an INVALID_KE_PAYLOAD message, indicating the DH group that it wants to use. Then, the initiator uses the DH group selected by the responder to initiate another negotiation.
  • Page 234: Configuring Global Ikev2 Parameters

    • The local and remote identity authentication methods. To use the pre-shared key authentication method, you must determine the pre-shared key. To use the RSA digital signature authentication method, you must determine the PKI domain for the local end to use. For information about configuring PKI, see "Configuring PKI."...
  • Page 235: Setting Limits On The Number Of Ikev2 Sas

    If the time interval exceeds the DPD interval, it sends a DPD hello to the peer to detect its liveliness. To configure the IKEv2 DPD function: Step Command Remarks Enter system view. system-view Configure the IKEv2 DPD function. Command: ikev2 dpd interval { on-demand | ... Remarks: Disabled by default.
  • Page 236: Configuring An Ikev2 Proposal

    NOTE: The device supports assigning an IPv6 address to an IKEv2 negotiation initiator. You can configure an IPv4 address pool, but the configuration does not take effect. Configuring an IKEv2 proposal An IKEv2 proposal comprises security parameters used in IKE_SA_INIT exchanges, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups.
  • Page 237: Configuring An Ikev2 Keyring

    • If no IKEv2 policy is configured, IKEv2 uses the system predefined IKEv2 policy default. You can configure multiple IKEv2 policies. A policy configured earlier has a higher priority. To configure an IKEv2 policy: Step Command Remarks Enter system view. system-view By default, the device has a system predefined IKEv2 policy...
  • Page 238: Configuring An Ikev2 Profile

    Step Command Remarks Step: Configure one of them. Remarks: By default, an IKEv2 peer has no hostname, host IP address, address range or identity information. Command: • To configure a host name for the peer: hostname host-name • To configure a host IP address or address range for...
  • Page 239 Step Command Remarks Required when either or both peers use the pre-shared key authentication method. Specify a keyring. keyring keyring-name By default, an IKEv2 profile references no keyring. An IKEv2 profile can reference only one keyring. Required for the device to work as a responder.
  • Page 240: Displaying And Maintaining Ikev2

    Step Command Remarks 13. Specify the local address pool. Command: { ip-pool | ipv6-pool } pool-name. Remarks: Optional. By default, an IKEv2 profile references no address pool. 14. Specify a mask length or prefix length for the address pool. Command: { ip-mask mask-length | ipv6-mask ... Remarks: Optional. By default, the mask length of a local IPv4 address pool referenced by an IKEv2 profile is 32, and the prefix...
  • Page 241 Figure 69 Network diagram Configuration prerequisites Make sure Router A and Router B can reach each other. Configure the security gateway Router A Configure ACL 3101 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24. <RouterA> system-view [RouterA] acl number 3101 [RouterA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [RouterA-acl-adv-3101] quit...
  • Page 242 # Create IKEv2 keyring keyring_a. [RouterA] ikev2 keyring keyring_a # Create IKEv2 peer peer_a. [RouterA-keyring-keyring_a] peer peer_a # Configure the address range 2.2.2.2/16 for the peer. [RouterA-keyring-keyring_a-peer-peer_a] address 2.2.2.2 16 # Use the plain text key 123 for both certificate signing and certificate authentication. [RouterA-keyring-keyring_a-peer-peer_a] pre-shared-key simple 123 [RouterA-keyring-keyring_a-peer-peer_a] quit [RouterA-keyring-keyring_a] quit...
  • Page 243 # Configure ACL 3101 to identify traffic from subnet 10.1.2.0/24 to subnet 10.1.1.0/24. <RouterB> system-view [RouterB] acl number 3101 [RouterB-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 [RouterB-acl-adv-3101] quit Configure an IPsec transform set: # Create IPsec transform set transform_b. [RouterB] ipsec transform-set transform_b # Configure the IPsec transform set to use the security protocol ESP, encryption algorithm DES, and authentication algorithm SHA1.
  • Page 244 [RouterB-profile-profile_b] authentication remote pre-share # Use the FQDN router_b as the local identity information. [RouterB-profile-profile_b] identity local fqdn router_b # Use the keyring keyring_b. [RouterB-profile-profile_b] keyring keyring_b # Use remote FQDN router_a for IKEv2 profile matching. [RouterB-profile-profile_b] match identity remote fqdn router_a [RouterB-profile-profile_b] quit Configure an IPsec policy that uses IKEv2.
  • Page 245 DH Group : MODP1536/Group MODP1024/Group # Display the IKEv2 profile configuration information. [RouterA] display ikev2 profile IKEv2 profile : profile_a Match : match identity remote fqdn router_b Identity : identity local fqdn router_a Auth type : authentication local pre-share authentication remote pre-share Keyring : keyring_a Sign domain...
  • Page 246: Configuring Ikev2 Certificate Authentication

    acl version: ACL4 mode: isakmp ----------------------------- PFS: N, DH group: none tunnel: local address: 1.1.1.1 remote address: 2.2.2.2 flow: sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: IP dest addr: 10.1.2.0/255.255.255.0 port: 0 protocol: IP [inbound ESP SAs] spi: 225986146 (0xd784662) transform: ESP-ENCRYPT-DES ESP-AUTH-SHA1 in use setting: Tunnel connection id: 1 sa duration (kilobytes/sec): 1843200/3600...
  • Page 247 Figure 70 Network diagram Configuration prerequisites Make sure Router A and Router B can reach each other. Make sure both Router A and Router B have the CA certificates for certificate signing and authentication and have obtained a local certificate for IKEv2 negotiation. Configuring the security gateway Router A Configure PKI: # Create PKI entity entity_a.
  • Page 248 [RouterA-acl-adv-3101] quit Configure an IPsec transform set: # Create IPsec transform set transform_a. [RouterA] ipsec transform-set transform_a # Configure the IPsec transform set to use the security protocol ESP, encryption algorithm DES, and authentication algorithm SHA1. [RouterA-ipsec-transform-set-transform_a] transform esp [RouterA-ipsec-transform-set-transform_a] esp encryption-algorithm des [RouterA-ipsec-transform-set-transform_a] esp authentication-algorithm sha1 [RouterA-ipsec-transform-set-transform_a] quit Configure an IKEv2 proposal:...
  • Page 249 [RouterA-ipsec-policy-isakmp-map1-1] local-address 1.1.1.1 [RouterA-ipsec-policy-isakmp-map1-1] transform-set transform_a [RouterA-ipsec-policy-isakmp-map1-1] quit Assign an IP address to interface Ethernet 1/2. [RouterA] interface ethernet 1/2 [RouterA-Ethernet1/2] ip address 10.1.1.1 255.255.255.0 [RouterA-Ethernet1/2] quit Assign an IP address to interface Ethernet 1/1. [RouterA] interface ethernet 1/1 [RouterA-Ethernet1/1] ip address 1.1.1.1 255.255.0.0 10.
  • Page 250 Configure an IPsec transform set: # Create IPsec transform set transform_a. [RouterB] ipsec transform-set transform_b # Configure the IPsec transform set to use the security protocol ESP, encryption algorithm DES, and authentication algorithm SHA1. [RouterB-ipsec-transform-set-transform_b] transform esp [RouterB-ipsec-transform-set-transform_b] esp encryption-algorithm des [RouterB-ipsec-transform-set-transform_b] esp authentication-algorithm sha1 [RouterB-ipsec-transform-set-transform_b] quit Configure an IKEv2 proposal:...
  • Page 251 [RouterB-ipsec-policy-isakmp-map1-1] transform-set transform_b [RouterB-ipsec-policy-isakmp-map1-1] quit Assign an IP address to interface Ethernet 1/2. [RouterB] interface ethernet 1/2 [RouterB-Ethernet1/2] ip address 10.1.2.1 255.255.255.0 [RouterB-Ethernet1/2] quit Assign an IP address to interface Ethernet 1/1. [RouterB] interface ethernet 1/1 [RouterB-Ethernet1/1] ip address 2.2.2.2 255.255.0.0 10.
  • Page 252 Lifetime : 86400 seconds : disable # Display the IKEv2 SA established by the IKE_SA_INIT exchange. [RouterA] display ikev2 sa total SAs: connection-id peer flag ------------------------------------------------------------------------ 2.2.2.2 RD|ST flag meaning RD--READY ST--STAYALIVE FD--FADING TO—TIMEOUT # Display the IPsec SAs established by the IKE_AUTH exchange. [RouterA] display ipsec sa =============================== Interface: Ethernet1/1...
  • Page 253: Troubleshooting Ikev2

    spi: 118757629 (0x71418fd) proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1 in use setting: Tunnel connection id: 1 sa duration (kilobytes/sec): 1843200/3600 sa remaining duration (kilobytes/sec): 1843199/965 anti-replay detection: Enabled anti-replay window size(counter based): 32 udp encapsulation used for nat traversal: N communication entity: Responder status: -- Troubleshooting IKEv2 To troubleshoot IKEv2, use the following command to enable IKEv2 error debugging.
  • Page 254: Configuring Pki

    Configuring PKI Overview The PKI uses a general security infrastructure to provide information security through public key technologies. PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt the data. The key pair consists of a private key and a public key. The private key must be kept secret but the public key needs to be distributed.
  • Page 255: Pki Architecture

    binding of a public key with an entity, make sure you understand the CA policy before selecting a trusted CA for certificate request. PKI architecture A PKI system consists of entities, a CA, a registration authority (RA) and a PKI repository, as shown in Figure 71. Figure 71 PKI architecture •...
  • Page 256: Pki Applications

    The entity retrieves the certificate. With the certificate, the entity can communicate with other entities safely through encryption and digital signature. The entity makes a request to the CA when it needs to revoke its certificate. The CA approves the request, updates the CRLs and publishes the CRLs on the LDAP server or other distribution points.
  • Page 257: Configuring An Entity Dn

    Task Remarks Retrieving a certificate manually Optional. Verifying PKI certificates Optional. Destroying the local RSA key pair Optional. Deleting a certificate Optional. Configuring a certificate access control policy Optional. Configuring an entity DN A certificate is the binding of a public key and the identity information of an entity, where the identity information is identified by an entity distinguished name (DN).
  • Page 258: Configuring A Pki Domain

    Step Command Remarks Include the device serial number in the identity information of the entity. Command: include serial-number. Remarks: By default, the identity information of an entity does not include the device serial number. Configure the IP address for the entity. Command: ip ip-address. Remarks: Optional. No IP address is specified by default.
  • Page 259: Requesting A Pki Certificate

    • Fingerprint for root certificate verification—After receiving the root certificate of the CA, an entity needs to verify the fingerprint of the root certificate, namely, the hash value of the root certificate content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not match the one configured for the PKI domain, the entity will reject the root certificate.
  • Page 260: Configuring Automatic Certificate Request

    Configuring automatic certificate request In auto mode, an entity that does not have a local certificate automatically requests a certificate from the CA server when an application works with the PKI entity. For example, when IKE negotiation uses a digital signature for identity authentication, but no local certificate is available, the entity automatically submits a certificate request and saves the certificate locally after obtaining it from the CA. A CA certificate must already exist before you request a local certificate.
  • Page 261: Manually Requesting A Certificate

    To generate a new RSA key pair, delete the local certificate and then execute the public-key local create command. For more information about the public-key local create command, see HPE FlexNetwork MSR Router Series Comware 5 Security Command Reference.
  • Page 262: Retrieving A Certificate Manually

    Step Command Remarks Submit a local certificate request manually. Command: pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ]. Remarks: This command is not saved in the configuration file. Retrieving a certificate manually You can download CA certificates or local certificates from the CA server and save them locally. To do so, use either the offline mode or the online mode.
  • Page 263: Verifying Certificates With Crl Checking

    Verifying certificates with CRL checking Step Command Remarks Enter system view. system-view Enter PKI domain view. pki domain domain-name Specify the URL of the CRL distribution point. Command: crl url url-string. Remarks: Optional. No CRL distribution point URL is specified by default. Optional.
  • Page 264: Deleting A Certificate

    Step Command Enter system view. system-view Destroy a local RSA key pair. public-key local destroy rsa Deleting a certificate When a certificate requested manually is about to expire or you want to request a new certificate, you can delete the current local certificate or CA certificate. To delete a certificate: Step Command...
  • Page 265: Displaying And Maintaining Pki

    Displaying and maintaining PKI Task Command Remarks Display the contents or request status of a certificate. Command: display pki certificate { { ca | local } domain domain-name | request-status } [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view. display pki crl domain domain-name [ | { begin |...
  • Page 266 The other attributes can be left at their default values. Configure extended attributes: After configuring the basic attributes, you need to perform configuration on the jurisdiction configuration page of the CA server. This includes selecting the proper extension profiles, enabling the SCEP autovetting function, and adding the IP address list for SCEP autovetting. Configure the CRL distribution behavior: After completing the configuration, you need to perform CRL related configurations.
  • Page 267 Apply for certificates: # Retrieve the CA certificate and save it locally. [Router] pki retrieval-certificate ca domain torsa Retrieving CA/RA certificates. Please wait a while..The trusted CA's finger print is: fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8 Is the finger print correct?(Y/N):y Saving CA/RA certificates chain, please wait a moment..
  • Page 268: Certificate Request From A Windows 2003 Ca Server

    EA3CB6E0 B04649CE C9CDDD38 34015970 981E96D9 FF4F7B73 A5155649 E583AC61 D3A5C849 CBDE350D 2A1926B7 0AE5EF5E D1D8B08A DBF16205 7C2A4011 05F11094 73EB0549 A65D9E74 0F2953F2 D4F0042F 19103439 3D4F9359 88FB59F3 8D4B2F6C Exponent: 65537 (0x10001) X509v3 extensions: X509v3 CRL Distribution Points: URI:http://4.4.4.133:447/myca.crl You can also use some other display commands (display pki certificate ca domain and display pki crl domain commands) to display detailed information about the CA certificate and CRLs.
  • Page 269 d. Specify the path for certificate service in the Local path text box. To avoid conflict with existing services, specify an available port number as the TCP port number of the default website. Synchronize the system time of the device with the CA server, so that the device can correctly request certificates or obtain CRLs.
  • Page 270 Is the finger print correct?(Y/N):y Saving CA/RA certificates chain, please wait a moment..CA certificates retrieval success. # Request a local certificate manually. [Router] pki request-certificate domain torsa challenge-word Certificate is being requested, please wait..[Router] Enrolling the local certificate,please wait a while..Certificate request successfully! Saving the local certificate to device..
  • Page 271: Ike Negotiation With Rsa Digital Signature

    URI:http://l00192b/CertEnroll/CA%20server.crl URI:file://\\l00192b\CertEnroll\CA server.crl Authority Information Access: CA Issuers - URI:http://l00192b/CertEnroll/l00192b_CA%20server.crt CA Issuers - URI:file://\\l00192b\CertEnroll\l00192b_CA server.crt 1.3.6.1.4.1.311.20.2: .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e … You can also use some other display command, for example, the display pki certificate ca domain command, to display more information about the CA certificate. IKE negotiation with RSA digital signature Network requirements An IPsec tunnel is set up between Router A and Router B to secure the traffic between Host A on...
  • Page 272 [RouterA-pki-entity-en] ip 2.2.2.1 [RouterA-pki-entity-en] common-name routera [RouterA-pki-entity-en] quit # Configure the PKI domain. The URL of the registration server varies with the CA server. [RouterA] pki domain 1 [RouterA-pki-domain-1] ca identifier CA1 [RouterA-pki-domain-1] certificate request url http://1.1.1.100/certsrv/mscep/mscep.dll [RouterA-pki-domain-1] certificate request entity en [RouterA-pki-domain-1] ldap-server ip 1.1.1.102 # Set the registration authority to RA.
  • Page 273: Certificate Access Control Policy Configuration Example

    Figure 75 Network diagram Configuration procedure For more information about SSL configuration, see "Configuring SSL." For more information about HTTPS configuration, see HPE FlexNetwork MSR Router Series Comware 5 Fundamentals Configuration Guide. NOTE: The PKI domain to be referenced by the SSL policy must be created in advance. For information about how to configure a PKI domain, see "Configuring a PKI...
  • Page 274 # Configure the SSL policy for the HTTPS server. <Router> system-view [Router] ssl server-policy myssl [Router-ssl-server-policy-myssl] pki-domain 1 [Router-ssl-server-policy-myssl] client-verify enable [Router-ssl-server-policy-myssl] quit Configure the certificate attribute group. # Create certificate attribute group mygroup1 and add two attribute rules. The first rule defines that the DN of the subject name includes the string aabbcc, and the second rule defines that the IP address of the certificate issuer is 10.0.0.1.
  • Page 275: Troubleshooting Pki Configuration

    Troubleshooting PKI configuration Failed to obtain the CA certificate Symptom The CA certificate cannot be retrieved. Analysis • The network connection is down because, for example, the network cable is damaged or the connectors have bad contact. • No trusted CA is specified.
  • Page 276: Failed To Retrieve Crls

    Specify the authority for certificate request. Configure the required entity DN parameters. Failed to retrieve CRLs Symptom CRLs cannot be retrieved. Analysis • The network connection is down because, for example, the network cable is damaged or the connectors have bad contact. •...
  • Page 277: Managing Public Keys

    Managing public keys To protect data confidentiality during transmission, the data sender uses an algorithm and a key to encrypt the plain text data before sending the data out. The receiver uses the same algorithm with the help of a key to decrypt the data, as shown in Figure 76. Figure 76 Encryption and decryption The keys that participate in the conversion between plain text and cipher text can be the same or different, dividing the encryption and decryption algorithms into the following types:...
  • Page 278: Configuration Task List

    Hardware FIPS mode compatibility MSR1000 Configuration task list Public key configuration tasks enable you to manage the local asymmetric key pairs and configure the peer host public keys on the local device. By completing these tasks, the local device is ready to work with applications such as SSH and SSL to implement data encryption/decryption, or digital signature.
  • Page 279: Displaying Or Exporting The Local Host Public Key

    Table 16 A comparison of different types of asymmetric key algorithms (columns: Type, Number of key pairs, Modulus length). Number of key pairs, in non-FIPS mode: if you specify the key pair name, the command creates a host key pair; if you do not specify the key pair name, the command creates one server key pair and... Modulus length, in non-FIPS mode: 512 to 2048 bits, 1024 bits by default.
  • Page 280: Displaying And Recording The Host Public Key Information

    Displaying and recording the host public key information Task Command Remarks Display the local RSA public keys. Command: display public-key local rsa public [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view. Use at least one command. display public-key local dsa public [ |...
  • Page 281: Destroying A Local Asymmetric Key Pair

    Destroying a local asymmetric key pair You might have to destroy a local asymmetric key pair and generate a new pair when an intrusion event has occurred, the storage media of the device is replaced, the asymmetric key has been used for a long time, or the local certificate expires.
  • Page 282: Importing An Rsa Key Pair

    • Manually configure If the peer device is an HPE device, format-incompliant public key the public key by use the display public-key local will fail.
  • Page 283: Displaying Public Keys

    Step Command Import the host public key from the public key file. Command: public-key peer keyname import sshkey filename. To manually configure the peer public key on the local device: Step Command Remarks Enter system view. system-view Specify a name for the public key and enter public key view. Command: public-key peer keyname...
  • Page 284 Configuration procedure Configure Device A: # Create local RSA key pairs on Device A, setting the modulus length to the default, 1024 bits. <DeviceA> system-view [DeviceA] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes.
  • Page 285: Importing A Public Key From A Public Key File

    Public key view: return to System View with "peer-public-key end". [DeviceB-pkey-public-key] public-key-code begin Public key code view: return to last view with "public-key-code end". [DeviceB-pkey-key-code]30819F300D06092A864886F70D010101050003818D0030818902818100 D900 03FA95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E5 1E5E 353B3A9AB16C9E766BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62 DB12 5035EA326470034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A 1020 3010001 [DeviceB-pkey-key-code] public-key-code end [DeviceB-pkey-public-key] peer-public-key end # Display the host public key of Device A saved on Device B. [DeviceB] display public-key peer name devicea ===================================== Key Name...
  • Page 286 <DeviceA> system-view [DeviceA] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys...
  • Page 287 [DeviceA-luser-ftp] service-type ftp [DeviceA-luser-ftp] authorization-attribute level 3 [DeviceA-luser-ftp] quit On Device B, get the public key file of Device A: # From Device B, use FTP to log in to Device A, and get the public key file devicea.pub with the file transfer mode of binary.
  • Page 288: Exporting And Importing An Rsa Key Pair

    Exporting and importing an RSA key pair Network requirements Create and export an RSA key pair on Device A, and then import the key pair to Device B. Figure 79 Network diagram Configuration procedure Configure Device A: # Create a local RSA key pair named rsa1 with the default modulus length of 1024 bits. <DeviceA>...
  • Page 289 HTYnE2RDHXkhPGR5FGJsZnd21XLvd2BEkGGmhTk80nDeiI2XH3D48E6UahQwcam/ q/txd/KsLnp0rpJkc/WhOTprioeLQQEBayixKRWzNLsZt3L6lqYbA01Z1THho+EV 0Ng0EZKQyiRV1j7gsBYFRinbSAsIpeYlr7gDAnBCRJdSfPNBKG+ewg== -----END RSA PRIVATE KEY----- Copy the private key (started from -----BEGIN RSA PRIVATE KEY----- ) to a file for later import. Configure Device B: # Import the RSA key pair in PEM format, and name the imported RSA key pair as rsa1 on Device B.
  • Page 290 <DeviceB> # Display the public key information of the local RSA key pairs on Device A. <DeviceA> display public-key local rsa public Time of Key pair created: 14:42:29 2013/03/21 Key name: rsa1 Key type: RSA ===================================================== Key code:30819F300D06092A864886F70D010101050003818D0030818902818100CD7891BEB84FE E1F6ECF45C4D533B03BAFD73A983D3DEA9FE362C153D6E2BEB80DD234E749A42A5541F23B6C45AEC 04C7F80D81F40B18105A88DFDE1802279062906F8DC65872A1F763F7BF471548D709118494C5F622 0E58D5F2722A7A183999075EB494828DB7843855A81A0E701C1CDC15BBEF136329308DC179CD9D38 BB30203010001...
  • Page 291: Configuring Rsh

    Configuring RSH Remote shell (RSH) allows users to execute OS commands on a remote host that runs the RSH daemon. Windows NT, 2000, XP, and 2003 are shipped with no RSH daemon. The RSH daemon must be separately obtained and installed on the remote host. Figure 80 The RSH daemon supports authentication of an RSH client by the username.
  • Page 292 Configuration Procedure Check that the RSH daemon has been installed and started properly on the remote host: a. From the Windows Control Panel, open the Administrative Tools folder. (For Windows XP, if you use the category view of the Control Panel window, select Administrative Tools from Performance and Maintenance.) Figure 82 Administrative Tools folder b.
  • Page 293 Figure 84 Remote Shell Daemon Properties window Configure the router: # Configure a route to the remote host. (Details not shown.) # Set the time of the host remotely. <Router>rsh 192.168.1.10 command time Trying 192.168.1.10 ... Press CTRL+K to abort The current time is: 6:56:42.57 Enter the new time: 12:00...
  • Page 294: Configuring Portal Authentication

    Configuring portal authentication Overview Portal authentication helps control access to the Internet. Portal authentication is also called "Web authentication." A website implementing portal authentication is called a portal website. With portal authentication, an access device redirects all users to the portal authentication page. All users can access the free services provided on the portal website.
  • Page 295 Client security check is implemented through communications between the client and the security policy server. To implement security check, the client must be the HPE iNode client. Access device Access devices control user access. An access device can be a switch or router that provides the following functions: •...
  • Page 296: Portal System Using The Local Portal Server

    Internet resources. NOTE: Portal authentication supports NAT traversal whether it is initiated by a Web client or an HPE iNode client. When the portal authentication client is on a private network, but the portal server is on a public network and the access device is enabled with NAT, network address translations performed on the access device do not affect portal authentication.
  • Page 297: Portal Authentication Modes

    page, the logon failure page, and the system busy page. A local portal server pushes a corresponding authentication page at each authentication phase. If you do not customize the authentication pages, the local portal server pushes the default authentication pages. For more information, see "Customizing authentication pages."
  • Page 298: Portal Support For Eap

    RADIUS server. Therefore, no additional configuration is needed on the access device. NOTE: To use portal authentication that supports EAP, the portal server and client must be the HPE IMC portal server and the HPE iNode portal client. Layer 2 portal authentication process...
  • Page 299: Layer 3 Portal Authentication Process

    The local Layer 2 portal authentication process is as follows: The portal authentication client sends an HTTP request. Upon receiving the HTTP request, the access device redirects the request to the listening IP address of the local portal server, which then pushes a Web authentication page to the authentication client.
  • Page 300 The portal server assembles the username and password into an authentication request message and sends it to the access device. Meanwhile, the portal server starts a timer to wait for an authentication reply message. The access device and the RADIUS server exchange RADIUS packets to authenticate the user.
  • Page 301 10. The portal server notifies the authentication client of logon success. 11. The portal server sends a user IP address change acknowledgment message to the access device. With extended portal functions, the process includes additional steps: 12. The security policy server exchanges security check information with the authentication client to check whether the authentication client meets the security requirements.
  • Page 302 Portal support for EAP authentication process Figure 92 Portal support for EAP authentication process All portal authentication modes share the same EAP authentication steps. The following example uses direct portal authentication to show the EAP authentication process: The authentication client sends an EAP Request/Identity message to the portal server to initiate an EAP authentication process.
  • Page 303: Portal Authentication Across Vpns

    Portal authentication configured on MCE devices can also support authentication across VPNs. For information about MCE, see HPE FlexNetwork MSR Router Series Comware 5 MPLS Configuration Guide. For information about AAA implementation across VPNs, see "Configuring AAA."...
  • Page 304 Task Remarks Configuring Layer 2 portal authentication to support Web proxy Enabling support for portal user moving Specifying an autoredirection URL for authenticated portal users Optional. Configuring online Layer 2 portal user detection Optional. Logging off portal users Optional. To configure Layer 3 portal authentication: Task Remarks Specifying a portal server for Layer 3 portal authentication...
  • Page 305: Configuration Prerequisites

    Configuration prerequisites Although the portal feature provides a solution for user identity authentication and security check, the portal feature cannot implement this solution by itself. RADIUS authentication must be configured on the access device to cooperate with the portal feature to complete user authentication. The prerequisites for portal authentication configuration are as follows: •...
  • Page 306: Specifying A Portal Server For Layer 3 Portal Authentication

    Layer 2 portal authentication uses the local portal server. Specify the IP address of a Layer 3 interface on the device that is routable to the portal client as the listening IP address of the local portal server. Hewlett Packard Enterprise recommends using the IP address of a loopback interface rather than a physical Layer 3 interface, because: •...
  • Page 307: Configuring The Local Portal Server

    Configuring the local portal server The following matrix shows the feature and hardware compatibility (columns: Hardware, Feature compatibility): MSR900; MSR93X; MSR20-1X; MSR20; MSR30 (supported only on MIM-FSW modules, MSR30-11E, and MSR30-11F); MSR50; MSR1000. Configuring a local portal server is required only for local portal authentication. During local portal authentication, the local portal server pushes authentication pages to users.
  • Page 308 Main authentication page / File name table (continued): Online page, online.htm, pushed after the user gets online for online notification; System busy page, busy.htm, pushed when the system is busy or the user is in the logon process; Logoff success page, logoffSuccess.htm. Page request rules: The local portal server supports only GET and POST requests.
  • Page 309 • Zip files can be transferred to the device through FTP or TFTP. The default authentication pages file must be saved in the root directory of the device, and other authentication files can be saved in the root directory or the portal directory under the root directory of the device. Examples of zip files on the device: <Sysname>...
  • Page 310: Configuring The Local Portal Server

    Redirecting authenticated users to a specific webpage To make the device automatically redirect authenticated users to a specific webpage, do the following in logon.htm and logonSuccess.htm: In logon.htm, set the target attribute of the form to blank, as in the following form tag: <form method=post action=logon.cgi target="blank">...
  • Page 311: Enabling Portal Authentication

    An AC in a different subnet from an AP cannot obtain the SSID of a client associated with that AP and thus does not support binding SSIDs to an authentication page file. For more information about AC and SSID, see HPE FlexNetwork MSR Router Series Comware 5 WLAN Configuration Guide. Enabling portal authentication You must first enable portal authentication on an access interface before it can perform portal authentication for connected clients.
  • Page 312: Controlling Access Of Portal Users

    • You can enable both direct/cross-subnet portal authentication and 802.1X authentication on a Layer 3 interface, and a user can access the network after passing either authentication. If you enable both 802.1X authentication and re-DHCP portal authentication on a Layer 3 interface, portal authentication will fail.
  • Page 313: Configuring An Authentication Source Subnet

    Configuration guidelines • If you specify both a VLAN and an interface in a portal-free rule, the interface must belong to the VLAN. Otherwise, the rule does not take effect. • You cannot configure two or more portal-free rules with the same filtering criteria. Otherwise, the system prompts that the rule already exists.
  • Page 314: Configuring An Authentication Destination Subnet

    To set the maximum number of online portal users allowed in the system: Step 1, enter system view: system-view. Step 2, set the maximum number of online portal users: portal max-user max-number. For the default setting, see HPE FlexNetwork MSR Router Series Comware 5 Security Command Reference.
  • Page 315: Configuring Layer 2 Portal Authentication To Support Web Proxy

    Step 1, enter system view: system-view. Step 2, enter interface view: interface interface-type interface-number. Step 3, specify an authentication domain for portal users on the interface: portal domain domain-name. By default, no authentication domain is specified for portal users. The device selects the authentication domain for a portal user on an interface in this order: the authentication domain specified for the interface, the authentication domain carried in the username, and the system default authentication domain.
  • Page 316: Enabling Support For Portal User Moving

    Enabling support for portal user moving The following matrix shows the feature and hardware compatibility: Hardware Feature compatibility MSR900 MSR93X MSR20-1X MSR20 Supported only on MIM-FSW modules, MSR30-11E, and MSR30-11F MSR50 MSR1000 Only Layer 2 portal authentication supports this feature. In cases where there are hubs, Layer 2 switches, or APs between users and the access devices and authenticated user...
  • Page 317: Specifying Nas-Port-Type For An Interface

    Specifying NAS-Port-Type for an interface NAS-Port-Type is a standard RADIUS attribute for indicating a user access port type. With this attribute specified on an interface, when a portal user logs on from the interface, the device uses the specified NAS-Port-Type value as that in the RADIUS request to be sent to the RADIUS server. If NAS-Port-Type is not specified, the device uses the access port type obtained.
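The RADIUS request the text refers to is a standard RFC 2865 Access-Request, and NAS-Port-Type (attribute 61) is one of its attributes. The following Python is an added example, not HPE or Comware code: it builds such a request with User-Name, a User-Password hidden with the shared key as RFC 2865 section 5.2 prescribes, NAS-IP-Address and NAS-Port-Type, and then decodes it the way the RADIUS server would. The user name client001, password aabbcc, shared key radius and NAS address 192.168.0.100 are constructed values; the fixed Request Authenticator used in the usage line exists only to make the run reproducible (a real NAS must use a fresh random one per request).

```python
"""Minimal RFC 2865 Access-Request builder/decoder (added example, not HPE code)."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT_TYPE = 61

# NAS-Port-Type values from RFC 2865 section 5.41 (subset)
NAS_PORT_TYPE = {"async": 0, "virtual": 5, "ethernet": 15, "wireless-802.11": 19}


def _attr(attr_type, value):
    """Type-Length-Value encoding; Length covers the two header bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a multiple of 16 and XOR each block with
    MD5(secret + previous ciphertext block); the first 'previous block' is the
    Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden


def recover_password(hidden, secret, authenticator):
    """Inverse of hide_password, as performed by the RADIUS server."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-zero multiple of 16 bytes")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return plain.rstrip(b"\x00")


def build_access_request(identifier, secret, username, password, nas_ip, port_type, authenticator=None):
    """Access-Request as the access device (NAS) would send it for a portal user."""
    authenticator = authenticator or os.urandom(16)
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = (
        _attr(ATTR_USER_NAME, username.encode())
        + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
        + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
        + _attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE[port_type]))
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet):
    """Split a RADIUS packet into code, identifier, authenticator and {type: value}."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def server_view(packet, secret):
    """What the RADIUS server sees: user name, recovered password, NAS-Port-Type."""
    _, _, authenticator, attrs = parse_packet(packet)
    password = recover_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    port_type = struct.unpack("!I", attrs[ATTR_NAS_PORT_TYPE])[0]
    return attrs[ATTR_USER_NAME].decode(), password, port_type


if __name__ == "__main__":
    # Constructed values; the fixed authenticator is for a reproducible demo only.
    pkt = build_access_request(7, b"radius", "client001", "aabbcc", "192.168.0.100",
                               "ethernet", authenticator=bytes(range(16)))
    print(server_view(pkt, b"radius"))      # same key: password recovered
    print(server_view(pkt, b"wrong-key"))   # mismatched key: garbage, not an error
```

A server configured with a different key recovers garbage rather than rejecting the packet outright, which is why a key mismatch between the radius scheme on the device and the server shows up as authentication failures rather than as a protocol error. The MD5-based hiding only covers the password field; RADIUS carried over an untrusted network needs a protected transport.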
  • Page 318: Specifying A Source Ip Address For Outgoing Portal Packets

    Step 1, enter system view: system-view. Step 2, create a NAS ID profile and enter NAS ID profile view: aaa nas-id profile profile-name. For more information about the command, see HPE FlexNetwork MSR Router Series Comware 5 Security Command Reference. For more information about the...
  • Page 319: Specifying An Autoredirection Url For Authenticated Portal Users

    Specifying an autoredirection URL for authenticated portal users If you specify an autoredirection URL on the access device, after an unauthenticated user passes portal authentication through the portal authentication page, the access device redirects the user to the URL after a specific period of time. When no autoredirection URL is specified for authenticated portal users, an authenticated user is usually redirected to the URL the user entered in the address bar before portal authentication.
  • Page 320: Configuring Online Layer 3 Portal User Detection

    Configuring online Layer 3 portal user detection This feature is available only for direct and re-DHCP portal authentication configured on a Layer 3 interface. With online portal user detection enabled on an interface, the device periodically sends probe packets (ARP requests) to the portal users on the interface to check whether they are still online, so that it can find portal users who went offline without logging off.
  • Page 321: Configuring Portal User Information Synchronization

    succeeds and the portal server is reachable. Otherwise, it considers that the probe fails and the portal server is unreachable. Probe parameters Probe interval—Interval at which probe attempts are made. Maximum number of probe attempts—Maximum number of consecutive probe attempts allowed.
  • Page 322: Logging Off Portal Users

    problem, the device provides the portal user information synchronization function. This function is implemented by sending and detecting the portal synchronization packet. The process is as follows: The portal server sends the online user information to the access device in a user synchronization packet at the user heartbeat interval, which is set on the portal server.
  • Page 323: Configuring Mandatory Web Page Pushing

    user-mac: Includes the user's MAC address or AP's MAC address in the redirection URL. The MAC address is in the format of XX-XX-XX-XX-XX-XX. des-encrypt: Encrypts the MAC address with DES. If you do not specify this keyword, the MAC address carried in the redirection URL is in plaintext form. param-name param-name: Specifies a name for the MAC address parameter carried in the redirection URL.
  • Page 324: Displaying And Maintaining Portal

    Step, enter interface view: interface interface-type interface-number. Step, configure the mandatory Web page pushing function on the interface: web-redirect url url-string [ interval interval ]. Not configured by default. Displaying and maintaining portal Task: Display the ACLs on a specific interface: display portal acl { all | dynamic | static } interface interface-type interface-number [ |... Available in any view.
  • Page 325: Portal Configuration Examples

    Portal configuration examples Configuring direct portal authentication Network requirements As shown in Figure 94, the host is assigned a public network IP address either manually or through DHCP. Configure the router to perform direct portal authentication for users on the host. Before a user passes portal authentication, the user can access only the portal server.
  • Page 326 Figure 95 Portal server configuration Configure the IP address group: a. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. b. Click Add to enter the page shown in the following figure. c.
  • Page 327 This example uses direct portal authentication, and therefore select No from the Reallocate IP list. e. Select whether to support the server heartbeat and user heartbeat functions. In this example, select No for both Support Server Heartbeat and Support User Heartbeat. f.
  • Page 328 Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configuring the router Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <Router> system-view [Router] radius scheme rs1 # Set the server type for the RADIUS scheme.
  • Page 329: Configuring Re-Dhcp Portal Authentication

    Status: Portal running
    Portal server: newpt
    Portal backup-group: None
    Authentication type: Direct
    Authentication domain:
    Authentication network:
    The user can initiate portal authentication by using the HPE iNode client or by accessing a Web page. Web requests initiated by the user are redirected to the portal authentication page http://192.168.0.111:8080/portal.
  • Page 330 IP address (a public IP address) and a secondary IP address (a private IP address). For information about DHCP relay agent configuration, see HPE FlexNetwork MSR Router Series Comware 5 Layer 3—IP Services Configuration Guide.
  • Page 331: Configuring Cross-Subnet Portal Authentication

    # Configure the portal server as follows: Name: newpt IP address: 192.168.0.111 Key: portal, in plain text Port number: 50100 URL: http://192.168.0.111:8080/portal [Router] portal server newpt ip 192.168.0.111 key simple portal port 50100 url http://192.168.0.111:8080/portal # Configure the router as a DHCP relay agent, and enable the IP address check function. [Router] dhcp enable [Router] dhcp relay server-group 0 ip 192.168.0.112 [Router] interface ethernet 1/2...
  • Page 332 • Make sure the IP address of the portal device added on the portal server is the IP address of the interface connecting users (20.20.20.1 in this example), and the IP address group associated with the portal device is the network segment where the users reside (8.8.8.0/24 in this example).
  • Page 333: Configuring Direct Portal Authentication With Extended Functions

    On Router B, configure a default route to subnet 192.168.0.0/24, setting the next hop as 20.20.20.1. (Details not shown.) Configuring direct portal authentication with extended functions Network requirements As shown in Figure 102, the host is assigned a public network IP address either manually or through DHCP.
  • Page 334: Configuring Re-Dhcp Portal Authentication With Extended Functions

    [Router-radius-rs1] user-name-format without-domain # Configure the IP address of the security policy server. [Router-radius-rs1] security-policy-server 192.168.0.113 [Router-radius-rs1] quit Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Router] domain dm1 # Configure AAA methods for the ISP domain. [Router-isp-dm1] authentication portal radius-scheme rs1 [Router-isp-dm1] authorization portal radius-scheme rs1 [Router-isp-dm1] accounting portal radius-scheme rs1...
  • Page 335 IP address (a public IP address) and a secondary IP address (a private IP address). For information about DHCP relay agent configuration, see HPE FlexNetwork MSR Router Series Comware 5 Layer 3—IP Services Configuration Guide.
  • Page 336 # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers. [Router-radius-rs1] primary authentication 192.168.0.113 [Router-radius-rs1] primary accounting 192.168.0.113 [Router-radius-rs1] key authentication simple radius [Router-radius-rs1] key accounting simple radius [Router-radius-rs1] user-name-format without-domain # Configure the IP address of the security policy server.
  • Page 337: Configuring Cross-Subnet Portal Authentication With Extended Functions

    [Router-Ethernet1/2] dhcp select relay [Router-Ethernet1/2] dhcp relay server-select 0 [Router-Ethernet1/2] dhcp relay address-check enable # Enable portal authentication on the interface connecting the host. [Router-Ethernet1/2] portal server newpt method redhcp [Router-Ethernet1/2] quit Configuring cross-subnet portal authentication with extended functions Network requirements As shown in Figure 104, configure Router A to perform extended cross-subnet portal authentication...
  • Page 338 [RouterA-radius-rs1] server-type extended # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers. [RouterA-radius-rs1] primary authentication 192.168.0.112 [RouterA-radius-rs1] primary accounting 192.168.0.112 [RouterA-radius-rs1] key authentication simple radius [RouterA-radius-rs1] key accounting simple radius [RouterA-radius-rs1] user-name-format without-domain # Configure the IP address of the security policy server.
  • Page 339: Configuring Portal Server Detection And Portal User Information Synchronization

    On Router B, configure a default route to subnet 192.168.0.0/24, setting the next hop as 20.20.20.1. (Details not shown.) Configuring portal server detection and portal user information synchronization Network requirements As shown in Figure 105, a host is directly connected to a router (the access device) and must pass portal authentication before it can access the Internet.
  • Page 340 • Configure the RADIUS server correctly to provide authentication and accounting functions for users. Configuring the portal server This example assumes that the portal server runs on IMC PLAT 5.1 SP1 (E0202P05) and IMC UAM 5.1 (E0301). Configure the portal server: a.
  • Page 341 Figure 107 Adding an IP address group Add a portal device: a. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. b. Click Add to enter the page shown in Figure 108. c.
  • Page 342 c. Enter the port group name. d. Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group. e. Use the default settings for other parameters. f. Click OK. Figure 110 Adding a port group Select User Access Manager >...
  • Page 343 # Configure domain dm1 as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at logon, the authentication and accounting methods of the default domain are used for the user. [Router] domain default enable dm1 Configure portal authentication: # Configure a portal server on the router, specifying the portal server name as newpt, IP address as 192.168.0.111, key as plaintext string portal, port number as 50100, and URL as...
  • Page 344: Cross-Subnet Portal Authentication Across Vpns

    VPN targets for VPN 1 and VPN 3 so that VPN 1 and VPN 3 can communicate with each other. This example gives only the access authentication configuration on the user-side PE. For information about MPLS L3VPN, see HPE FlexNetwork MSR Router Series Comware 5 MPLS Configuration Guide.
  • Page 345 # Create an ISP domain named dm1 and enter its view. [RouterA] domain dm1 # Configure AAA methods for the ISP domain. [RouterA-isp-dm1] authentication portal radius-scheme rs1 [RouterA-isp-dm1] authorization portal radius-scheme rs1 [RouterA-isp-dm1] accounting portal radius-scheme rs1 [RouterA-isp-dm1] quit # Configure domain dm1 as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at logon, the authentication and accounting methods of the default domain are used for the user.
  • Page 346: Troubleshooting Portal

    Troubleshooting portal Inconsistent keys on the access device and the portal server Symptom When a user is forced to access the portal server, the portal server displays a blank Web page, rather than the portal authentication page or an error message. Analysis The keys on the access device and those on the portal server are not configured consistently, causing CHAP message exchange failure.
  • Page 347: Configuring Firewall

    ACL rules providing for exact match. When subsequent fragments arrive, the firewall uses saved information to implement exact match with each match condition of an ACL rule. For more information about ACL, see HPE FlexNetwork MSR Router Series Comware 5 ACL and QoS Configuration Guide.
  • Page 348: Aspf

    Exact match slightly decreases the efficiency of packet filtering: the more match items there are, the lower the packet filtering efficiency. You can specify a threshold to limit the maximum number of match entries to be processed by the firewall. ACL packet-filter limitations An ACL packet-filter is a static firewall.
  • Page 349 • While application layer protocols use the standard port numbers for communication, PAM allows you to define a set of new port numbers for different applications, and provides mechanisms to maintain and use the configuration information of user-defined ports. PAM supports two types of port mapping mechanisms: general port mapping and host port mapping.
  • Page 350 • TACL—Created at the same time the status entry is created, and is deleted at the end of the session. It is equivalent to a permit statement in an extended ACL. The TACL is mainly used to match all the return packets of the session, and can set up a temporary return channel on the external interface of the firewall for packets returned by the application.
  • Page 351: Configuring A Packet-Filter Firewall

    Configuring a packet-filter firewall Packet-filter firewall configuration task list: Enabling the firewall function (Required); Configuring the default filtering action of the firewall (Optional); Enabling fragment inspection (Optional); Configuring the high and low thresholds for fragment inspection (Optional); Configuring packet filtering on an interface (Required); Configuring Ethernet frame filtering (Optional)...
  • Page 352: Enabling Fragment Inspection

    Step 1, enter system view: system-view. Step 2, specify the default filtering action of the firewall: firewall ipv6 default { deny | permit }. Optional; permit (permit packets to pass the firewall) by default. Enabling fragment inspection Exact match can be implemented only after fragment inspection is enabled. With fragment inspection enabled, the packet-filter firewall records the status of each fragment and performs exact match on Layer 3 and higher information based on advanced ACL rules.
  • Page 353: Configuring Packet Filtering On An Interface

    Step, configure the high and low thresholds for fragment inspection: firewall fragments-inspect [ high | low ] { number | default }. Optional. By default, the high threshold for the number of fragment status records is 2000, and the low...
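What fragment inspection buys the packet filter is easiest to see in code. The following Python is an added example (not HPE or Comware code) of a small ACL packet filter that models the behaviour described above: the first fragment carries the transport header, so its destination port is saved in a fragment status record keyed by source, destination, protocol and IP Identification, and later fragments of the same datagram are exact-matched using that saved state. Without inspection, a rule with a port criterion cannot be evaluated against a non-first fragment, so those fragments fall through to the rest of the ACL. The high/low threshold semantics (stop creating records at the high mark, resume once the count falls to the low mark) and the absence of record ageing are simplifications assumed here; the addresses and the permit-HTTP rule are constructed.

```python
"""Stateful fragment inspection for an ACL packet filter (added example, not HPE code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp"
    ip_id: int                   # IP Identification, shared by all fragments of one datagram
    offset: int = 0              # fragment offset; 0 for an unfragmented packet or the first fragment
    more: bool = False           # MF flag
    sport: Optional[int] = None  # Layer 4 ports exist only where the TCP/UDP header is present,
    dport: Optional[int] = None  # i.e. in the first fragment or in an unfragmented packet


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "ip"            # "ip" matches any protocol
    src: Optional[str] = None    # None means any source
    dport: Optional[int] = None  # Layer 4 criterion; needs the transport header to evaluate


FlowKey = Tuple[str, str, str, int]


class PacketFilter:
    def __init__(self, rules, default="deny", fragments_inspect=True, high=2000, low=1000):
        self.rules = list(rules)
        self.default = default
        self.inspect = fragments_inspect
        self.high, self.low = high, low
        # fragment status records: (src, dst, proto, ip_id) -> dport seen in the first fragment
        self.records: Dict[FlowKey, Optional[int]] = {}
        # assumed hysteresis: cleared at the high threshold, set again at the low threshold
        self.recording = True

    @staticmethod
    def _matches(rule, pkt, dport):
        if rule.proto != "ip" and rule.proto != pkt.proto:
            return False
        if rule.src is not None and rule.src != pkt.src:
            return False
        if rule.dport is not None:
            # Without Layer 4 information the rule cannot be exact-matched, so it does not fire.
            return dport is not None and dport == rule.dport
        return True

    def filter(self, pkt):
        key = (pkt.src, pkt.dst, pkt.proto, pkt.ip_id)
        dport = pkt.dport
        if self.inspect and (pkt.more or pkt.offset > 0):
            if pkt.offset == 0:
                # First fragment: it carries the ports, remember them for the rest of the datagram.
                if self.recording:
                    self.records[key] = pkt.dport
                    if len(self.records) >= self.high:
                        self.recording = False
            else:
                # Later fragment: borrow the Layer 4 information saved from the first one.
                saved = self.records.get(key)
                if saved is not None:
                    dport = saved
                    if not pkt.more:  # last fragment, the datagram is complete
                        del self.records[key]
                        if len(self.records) <= self.low:
                            self.recording = True
        for rule in self.rules:
            if self._matches(rule, pkt, dport):
                return rule.action
        return self.default


if __name__ == "__main__":
    # Constructed ACL: permit HTTP from one host, deny everything else (as ACL 3001 denies the rest).
    rules = [Rule("permit", "tcp", src="129.1.1.1", dport=80), Rule("deny")]
    frags = [Packet("129.1.1.1", "10.0.0.5", "tcp", 0x1234, 0, True, 40000, 80),
             Packet("129.1.1.1", "10.0.0.5", "tcp", 0x1234, 185, True),
             Packet("129.1.1.1", "10.0.0.5", "tcp", 0x1234, 370, False)]
    for inspect in (True, False):
        fw = PacketFilter(rules, fragments_inspect=inspect)
        print("inspect" if inspect else "no inspect", [fw.filter(p) for p in frags])
```

With the constructed ACL, a fragmented HTTP datagram from 129.1.1.1 passes whole when inspection is on and loses every non-first fragment when it is off; a non-first fragment for which no first fragment was seen has no record to borrow and is dropped by the final deny.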
  • Page 354: Configuring Ethernet Frame Filtering

    Step 1, enter system view: system-view. Step 2, enter interface view: interface interface-type interface-number. Step 3, configure IPv6 packet filtering on an interface: firewall packet-filter ipv6 { acl6-number | name acl6-name } { inbound | outbound }. IPv6 packets are not filtered by default. Configuring Ethernet frame filtering The following matrix shows the feature and hardware compatibility: Hardware...
  • Page 355: Packet-Filter Firewall Configuration Example

    Display the packet filtering statistics of the IPv4 firewall: display firewall-statistics { all | fragments-inspect | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]. Available in any view. Display the packet filtering statistics of the IPv6 firewall: display firewall ipv6 statistics { all | interface interface-type... Available in any view.
  • Page 356: Configuring An Aspf

    [Router] firewall enable # Create advanced ACL 3001. [Router] acl number 3001 # Configure rules to permit specific hosts to access external networks and permit internal servers to access external networks. [Router-acl-adv-3001] rule permit ip source 129.1.1.1 0 [Router-acl-adv-3001] rule permit ip source 129.1.1.2 0 [Router-acl-adv-3001] rule permit ip source 129.1.1.3 0 [Router-acl-adv-3001] rule permit ip source 129.1.1.4 0 # Configure a rule to prohibit all IP packets from passing the firewall.
  • Page 357: Enabling The Firewall Function

    Enabling the firewall function Step 1, enter system view: system-view. Step 2, enable the IPv4 firewall function: firewall enable. Disabled by default. Configuring an ASPF policy Follow these guidelines when you configure an ASPF policy: • If you enable TCP or UDP inspection without configuring application layer protocol inspection, some packets might fail to get a response.
  • Page 358: Enabling The Session Logging Function For Aspf

    Hardware Feature compatibility MSR20-1X MSR20 MSR30 MSR50 MSR1000 An ASPF policy distinguishes two kinds of interface: the internal interface and the external interface. If the device is connected to both the internal network and the Internet, and employs ASPF to protect the internal servers, the interface connected to the internal network is the internal interface and the one connected to the Internet is the external interface.
  • Page 359: Displaying And Maintaining Aspf

    • General port mapping—Refers to a mapping of a user-defined port number to an application layer protocol. If port 8080 is mapped to HTTP, for example, all TCP packets the destination port of which is port 8080 are regarded as HTTP packets. •...
  • Page 360 Figure 115 Network diagram (Router A: S2/0 10.1.1.1/24, Eth1/1 192.168.1.1/24; Router B; internal network with Server 192.168.1.2/24; external network with Host 2.2.2.11/24) Configuration procedure # Enable the firewall function on Router A. <RouterA> system-view [RouterA] firewall enable # Configure ACL 3111 to prohibit all IP packets from entering the internal network. The ASPF will create a TACL for packets permitted to pass the firewall.
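The relationship between a status entry, its TACL and the static ACL on the external interface, together with the general port mapping of PAM, can be modelled in a few dozen lines. The Python below is an added example, not HPE or Comware code: outbound sessions of inspected applications create a status entry and a temporary return-channel entry (the TACL) for the reverse 5-tuple; inbound packets on the external interface that hit a TACL entry are permitted before the static ACL is consulted, and everything else falls to the static ACL, which here stands in for ACL 3111 and denies all traffic. The port map (8080 treated as HTTP), the addresses, the fin flag as a session-end marker and the unfiltered outbound direction are simplifications assumed for the example.

```python
"""ASPF-style session tracking with temporary return-channel entries (added example, not HPE code)."""
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    fin: bool = False  # simplified end-of-session marker (real ASPF tracks the TCP state machine)


FiveTuple = Tuple[str, int, str, int, str]

# PAM general port mapping (constructed): user-defined port 8080 is treated as HTTP,
# so a session to port 8080 gets the same inspection as one to port 80.
GENERAL_PORT_MAP = {("tcp", 21): "ftp", ("tcp", 23): "telnet", ("tcp", 80): "http", ("tcp", 8080): "http"}


def application_of(pkt):
    """Resolve the application layer protocol of a packet via the general port mapping."""
    return GENERAL_PORT_MAP.get((pkt.proto, pkt.dport), pkt.proto)


class Aspf:
    def __init__(self, inspected: Set[str], external_inbound_acl: Callable[[Pkt], str]):
        self.inspected = inspected
        self.static_acl = external_inbound_acl        # static ACL applied inbound on the external interface
        self.sessions: Dict[FiveTuple, str] = {}      # status entries: forward 5-tuple -> application
        self.tacl: Dict[FiveTuple, FiveTuple] = {}    # TACL: expected return 5-tuple -> session key

    def outbound(self, pkt):
        """Internal -> external. Inspected applications get a status entry plus a TACL entry."""
        app = application_of(pkt)
        if app in self.inspected:
            fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
            self.sessions[fwd] = app
            # The TACL is a permit for the reverse 5-tuple, i.e. the return packets of this session.
            self.tacl[(pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)] = fwd
        return "permit"  # outbound traffic is not filtered in this model (assumption)

    def inbound(self, pkt):
        """External -> internal. A TACL hit permits the packet before the static ACL is consulted."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        fwd = self.tacl.get(key)
        if fwd is None:
            return self.static_acl(pkt)
        if pkt.fin:  # end of session: the status entry and its TACL are deleted together
            del self.tacl[key]
            del self.sessions[fwd]
        return "permit"


def deny_all(pkt):
    """Stands in for ACL 3111 in the text: every packet entering the internal network is denied."""
    return "deny"


if __name__ == "__main__":
    fw = Aspf({"http", "ftp"}, deny_all)
    fw.outbound(Pkt("192.168.1.2", 50000, "2.2.2.11", 8080))          # server opens HTTP on 8080
    print(fw.inbound(Pkt("2.2.2.11", 8080, "192.168.1.2", 50000)))    # reply: permit via TACL
    print(fw.inbound(Pkt("2.2.2.11", 4444, "192.168.1.2", 50000)))    # unsolicited: deny
```

The telnet case in the test mirrors the guideline above: a session whose application is not inspected creates no TACL, so its replies meet the static deny and never reach the client.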
  • Page 361: Configuring Ssh

    Configuring SSH Overview Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH implements remote login and file transfer securely over an insecure network. SSH uses the typical client/server model, establishing a channel to protect data transfer based on TCP.
  • Page 362: Ssh Authentication Methods

    Stages and descriptions: Key exchange: The two parties use the Diffie-Hellman (DH) exchange algorithm to dynamically generate the session key for protecting data transfer and the session ID for identifying the SSH connection. In this stage, the client authenticates the server as well. Authentication: The SSH server authenticates the client in response to the client's authentication request.
  • Page 363: Ssh Support For Mpls L3Vpn

    The client directly sends the user's public key information to the server, and the server checks the validity of the user's public key. The client sends the user's public key information to the server through a digital certificate, and the server checks the validity of the digital certificate. When acting as a client, the device does not support this method.
  • Page 364: Configuring The Device As An Ssh Server

    Hardware FIPS mode compatibility MSR1000 Configuring the device as an SSH server You can configure the device as an Stelnet, SFTP, or SCP server. Because the configuration procedures are similar, the SSH server represents the Stelnet server, SFTP server, and SCP server unless otherwise specified.
  • Page 365: Enabling The Ssh Server Function

    The public-key local create dsa command generates only the host key pair. SSH1 does not support the DSA algorithm. To support SSH clients that use different types of key pairs, generate both DSA and RSA key pairs on the SSH server. To generate local DSA or RSA key pairs on the SSH server: Step Command...
  • Page 366: Configuring A Client's Host Public Key

    to support SSH login. By default, all protocols (Telnet, PAD, and SSH) are supported. For more information about the authentication-mode and protocol inbound commands, see HPE FlexNetwork MSR Router Series Comware 5 Fundamentals Command Reference. Configuring a client's host public key This configuration task is only necessary if publickey authentication is configured for users and the clients directly send the public key to the server for authentication.
  • Page 367: Configuring An Ssh User

    SSH user account on an authentication server, for example, a RADIUS server, for remote authentication. For more information about the local-user command, see HPE FlexNetwork MSR Router Series Comware 5 Security Command Reference.
  • Page 368: Setting The Ssh Management Parameters

    authentication method is password, the command level accessible to the user is authorized by AAA. • SSH1 does not support SFTP or SCP. For an SSH1 client, you must set the service type to stelnet or all. • For an SFTP SSH user, the working folder depends on the authentication method: If the authentication method is password, the working folder is authorized by AAA.
  • Page 369: Configuring The Device As An Stelnet Client

    • Maximum number of SSH authentication attempts. This parameter is used to prevent malicious password cracking. • SFTP connection idle timeout period. Once the idle period of an SFTP connection exceeds the specified threshold, the system automatically tears the connection down. To set the SSH management parameters: Step Command...
  • Page 370: Enabling And Disabling First-Time Authentication

    To make sure the Stelnet client and the Stelnet server can communicate with each other, and to improve the manageability of Stelnet clients in the authentication service, Hewlett Packard Enterprise recommends that you specify a loopback interface or dialer interface as the source interface.
  • Page 371: Establishing A Connection To An Stelnet Server

    Step, specify the host public key name of the server: ssh client authentication server server assign publickey keyname. Establishing a connection to an Stelnet server You can launch the Stelnet client to establish a connection to an Stelnet server, and specify the public key algorithm, the preferred encryption algorithm, the preferred HMAC algorithm, and the preferred key exchange algorithm.
  • Page 372: Sftp Client Configuration Task List

    SFTP client configuration task list: Specifying a source IP address or source interface for the SFTP client (Optional); Enabling and disabling first-time authentication (Optional); Establishing a connection to an SFTP server (Required); Working with SFTP directories (Optional); Working with SFTP files (Optional).
  • Page 373: Working With Sftp Directories

    Task Command Remarks • In non-FIPS mode, establish a connection to an IPv4 SFTP server: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 |...
  • Page 374: Working With Sftp Files

    Step, change the working directory of the remote SFTP server: cd [ remote-path ]. Optional. Return to the upper-level directory: cdup. Optional. Display the current working directory on the SFTP server. Optional. Display files under a directory: • dir [ -a | -l ] [ remote-path ] •... Optional. The dir command functions as...
  • Page 375: Displaying Help Information

    Displaying help information Use the help command to display all commands or the help information of an SFTP client command, including the command format and parameters. To display all commands or the help information of an SFTP client command: Step Command For more information, see "Establishing a connection to an...
  • Page 376: Transferring Files With An Scp Server

    Transferring files with an SCP server Task Command Remarks • In non-FIPS mode, upload a file to the SCP server: scp [ ipv6 ] server [ port-number ] put source-file-path [ destination-file-path ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex...
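The algorithm lists on this and the preceding pages (ciphers 3des, aes128, aes256 and des; HMACs md5, md5-96, sha1 and sha1-96; key exchange dh-group-exchange, dh-group1, ...) contain choices a practitioner should not allow, and the key-generation prompt defaults to a 1024-bit modulus. The following Python is an added example, not HPE or Comware code: it lints a constructed fragment of Comware-style SSH configuration and one client command line for SSH1 compatibility, DES/3DES, MD5-based or truncated HMACs, dh-group1, password-authenticated SSH users and an authentication-retries value above a policy ceiling, and separately checks the modulus size typed at the prompt. The sample lines, user names, the 2048-bit floor and the retry ceiling of 3 are assumptions; the line format follows the commands shown in the configuration examples.

```python
"""Lint Comware-style SSH settings for weak algorithm and policy choices (added example, not HPE code)."""
import re
from typing import List, Tuple

# Documented option sets: ciphers 3des|aes128|aes256|des, HMACs md5|md5-96|sha1|sha1-96,
# key exchange dh-group-exchange|dh-group1|... ; the flagged subsets below are the weak ones.
WEAK_CIPHERS = {"des", "3des"}             # 56-bit DES; 3DES has a 64-bit block and is deprecated
WEAK_HMACS = {"md5", "md5-96", "sha1-96"}  # MD5-based or truncated tags (sha1 is the best of the list)
WEAK_KEX = {"dh-group1"}                   # 1024-bit MODP group
MIN_MODULUS_BITS = 2048                    # policy floor (assumption); the device default is 1024
MAX_AUTH_RETRIES = 3                       # policy ceiling (assumption)

Finding = Tuple[int, str]

_CIPHER = re.compile(r"prefer-(?:ctos|stoc)-cipher\s+(\S+)")
_HMAC = re.compile(r"prefer-(?:ctos|stoc)-hmac\s+(\S+)")
_KEX = re.compile(r"prefer-kex\s+(\S+)")
_RETRIES = re.compile(r"^ssh server authentication-retries\s+(\d+)$")
_PW_USER = re.compile(r"^ssh user (\S+) .*authentication-type password\b")


def audit_ssh_lines(lines: List[str]) -> List[Finding]:
    """Return (line number, message) for each weak setting found in config or client command lines."""
    findings: List[Finding] = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if line.startswith("ssh server compatible-ssh1x enable"):
            findings.append((n, "SSH1 compatibility enabled: SSH1 supports neither DSA keys nor SFTP/SCP"))
        m = _RETRIES.match(line)
        if m and int(m.group(1)) > MAX_AUTH_RETRIES:
            findings.append((n, f"authentication-retries {m.group(1)} exceeds policy ceiling {MAX_AUTH_RETRIES}"))
        m = _PW_USER.match(line)
        if m:
            findings.append((n, f"user {m.group(1)} uses password authentication; prefer publickey"))
        for pattern, weak, what in ((_CIPHER, WEAK_CIPHERS, "cipher"),
                                    (_HMAC, WEAK_HMACS, "HMAC"),
                                    (_KEX, WEAK_KEX, "key exchange")):
            m = pattern.search(line)
            if m and m.group(1) in weak:
                findings.append((n, f"weak {what} '{m.group(1)}' requested"))
    return findings


def audit_key_modulus(bits: int) -> List[str]:
    """Check the value entered at the 'Input the bits of the modulus' prompt (range 512..2048)."""
    problems: List[str] = []
    if not 512 <= bits <= 2048:
        problems.append(f"{bits} bits is outside the supported range 512..2048")
    elif bits < MIN_MODULUS_BITS:
        problems.append(f"{bits}-bit key is below the policy floor of {MIN_MODULUS_BITS} (device default is 1024)")
    return problems


# Constructed sample: a fragment of running configuration plus one client command line.
SAMPLE_LINES = [
    "ssh server enable",
    "ssh server compatible-ssh1x enable",
    "ssh server authentication-retries 5",
    "ssh user client001 service-type stelnet authentication-type password",
    "ssh user client002 service-type sftp authentication-type publickey assign publickey RouterKey",
    "sftp 192.168.1.40 prefer-ctos-cipher des prefer-ctos-hmac md5-96 prefer-kex dh-group1",
]

if __name__ == "__main__":
    for n, msg in audit_ssh_lines(SAMPLE_LINES):
        print(f"line {n}: {msg}")
    for msg in audit_key_modulus(1024):
        print(msg)
```

The checker treats the client-side prefer-* options the same as server settings, because a weak preference accepted by the peer downgrades the session regardless of which end asked for it.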
  • Page 377: Stelnet Configuration Examples

    Display SSH server status information or session information on an SSH server: display ssh server { status | session } [ | { begin | exclude | include } regular-expression ]. Available in any view. Display the mappings between SSH servers and their host public keys: display ssh server-info [ | { begin |... Available in any view.
  • Page 378 ++++++++++++++ +++++ ++++++++ # Generate a DSA key pair. [Router] public-key local create dsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys...
  • Page 379: Publickey Authentication Enabled Stelnet Server Configuration Example

    Figure 118 Specifying the host name (or IP address) c. Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username and password. After entering the username (client001) and password (aabbcc), you can enter the CLI of the server.
  • Page 380 The device supports different types of Stelnet client software, such as PuTTY and OpenSSH. The following example uses PuTTY version 0.58 as the Stelnet client. Configuration procedure Generate an RSA key pair on the Stelnet client: a. Launch PuTTYGen.exe, select SSH-2 RSA and click Generate. Figure 120 Generating a key pair on the client
  • Page 381 Figure 121 Generating process c. After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key. Figure 122 Saving a key pair on the client d. Click Save private key to save the private key.
  • Page 382 A confirmation dialog box appears. e. Click Yes and enter the name of the file for saving the key (private.ppk in this example). f. Transmit the public key file to the server through FTP or TFTP. (Details not shown.) Configure the Stelnet server: # Generate the RSA key pairs.
  • Page 383 b. In the Host Name (or IP address) field, enter the IP address 192.168.1.40 of the Stelnet server. Figure 123 Specifying the host name (or IP address) c. Select Connection > SSH > Auth from the navigation tree. d. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk), and click OK.
  • Page 384: Password Authentication Enabled Stelnet Client Configuration Example

    Figure 124 Specifying the private key file e. Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username. After entering the username (client002), you can enter the CLI of the server. Password authentication enabled Stelnet client configuration example Network requirements...
  • Page 385 NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys... ++++++++ ++++++++++++++ +++++ ++++++++ # Generate a DSA key pair. [RouterB] public-key local create dsa The range of public key size is (512 ~ 2048).
  • Page 386 If the client supports first-time authentication, you can directly establish a connection from the client to the server. # Establish an SSH connection to the Stelnet server 192.168.1.40. <RouterA> ssh2 192.168.1.40 Username: client001 Trying 192.168.1.40 ... Press CTRL+K to abort Connected to 192.168.1.40 ...
  • Page 387: Publickey Authentication Enabled Stelnet Client Configuration Example

    [RouterA] quit # Establish an SSH connection to SSH server 192.168.1.40. <RouterA> ssh2 192.168.1.40 Username: client001 Trying 192.168.1.40 Press CTRL+K to abort Connected to 192.168.1.40... Enter password: After you enter the correct username and password, you can log in to Router B successfully. Publickey authentication enabled Stelnet client configuration example Network requirements...
  • Page 388 # Transmit the public key file to the server through FTP or TFTP. (Details not shown.) Configure the Stelnet server: # Generate the RSA key pairs. <RouterB> system-view [RouterB] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes.
  • Page 389: Sftp Configuration Examples

    <RouterA> ssh2 192.168.1.40 Username: client002 Trying 192.168.1.40 ... Press CTRL+K to abort Connected to 192.168.1.40 ... The Server is not authenticated. Continue? [Y/N]:y Do you want to save the server public key? [Y/N]:n Then, you can log in to Router B successfully. SFTP configuration examples This section provides examples of configuring SFTP.
  • Page 390 It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys... ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++ # Enable the SSH server function. [Router] ssh server enable # Enable the SFTP server. [Router] sftp server enable # Configure an IP address for interface Ethernet 1/1.
  • Page 391: Publickey Authentication Enabled Sftp Client Configuration Example

    Figure 128 SFTP client interface Publickey authentication enabled SFTP client configuration example Network requirements As shown in Figure 129, you can log in to Router B through the SFTP client that runs on Router A. Router B acts as the SFTP server, adopting publickey authentication and the RSA public key algorithm.
  • Page 392 NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys... ++++++++ ++++++++++++++ +++++ ++++++++ # Export the host public key to file pubkey. [RouterA] public-key local export rsa ssh2 pubkey [RouterA] quit # Transmit the public key file to the server through FTP or TFTP .
  • Page 393 [RouterB-ui-vty0-4] authentication-mode scheme # Enable the user interfaces to support SSH. [RouterB-ui-vty0-4] protocol inbound ssh [RouterB-ui-vty0-4] quit # Import the peer public key from the file pubkey, and name it RouterKey. [RouterB] public-key peer RouterKey import sshkey pubkey # Create an SSH user client001 with the service type SFTP, authentication method publickey, public key RouterKey, and working folder cf:/.
  • Page 394: Scp Configuration Example

    -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06:30 new1 # Rename the directory new1 to new2 and verify the result.
  • Page 395: Configuration Procedure

    Figure 130 Network diagram Configuration procedure Configure the SCP server: <RouterB> system-view [RouterB] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort.
  • Page 396 [RouterB-luser-client001] service-type ssh [RouterB-luser-client001] quit # Create an SSH user client001 with the service type scp and the authentication method password. (Optional. If an SSH user is not created, password authentication is used by default.) [RouterB] ssh user client001 service-type scp authentication-type password Configure an IP address for Ethernet 1/1.
  • Page 397: Configuring Ssl

    Configuring SSL Overview Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols such as HTTP. SSL security mechanism Secure connections provided by SSL have these features: • Confidentiality—SSL uses a symmetric encryption algorithm to encrypt data and uses the asymmetric key algorithm of RSA to encrypt the key to be used by the symmetric encryption algorithm.
  • Page 398: Fips Compliance

    Figure 132 SSL protocol stack • SSL record protocol—Fragments data to be transmitted, computes and adds MAC to the data, and encrypts the data before transmitting it to the peer end. • SSL handshake protocol—Negotiates the cipher suite to be used for secure communication (including the symmetric encryption algorithm, key exchange algorithm, and MAC algorithm), securely exchanges the key between the server and client, and implements identity authentication of the server and client.
  • Page 399: Configuring An Ssl Server Policy

    Configuring an SSL server policy An SSL server policy is a set of SSL parameters for a server to use when booting up. An SSL server policy takes effect only after it is associated with an application such as HTTPS. SSL protocol versions include SSL 2.0, SSL 3.0, and TLS 1.0 (or SSL 3.1).
  • Page 400: Configuring An Ssl Client Policy

    Step Command Remarks: Set the handshake timeout time for the SSL server. Command: handshake timeout time. Remarks: Optional. The default handshake timeout time is 3600 seconds. Set the SSL connection close mode. Command: close-mode wait. Remarks: Optional. By default, an SSL server sends a close-notify alert message to the...
  • Page 401: Displaying And Maintaining Ssl

    Step Command Remarks: Specify a PKI domain for the SSL client policy. Command: pki-domain domain-name. Remarks: Optional. No PKI domain is specified by default. If the SSL server authenticates the SSL client through a digital certificate, you must use this command to specify a PKI domain and request a local certificate for the SSL client in the PKI domain.
  • Page 402 Figure 133 Network diagram Configuration considerations To meet the network requirements, perform the following tasks: • Configure Device to work as the HTTPS server and request a certificate for Device. • Request a certificate for Host so that Device can authenticate the identity of Host. •...
  • Page 403: Troubleshooting Ssl

    Verify that now you can log in to the Web interface to access and manage the device. For more information about configuring PKI commands, see "Configuring PKI." For more information about the public-key local create rsa command, see HPE FlexNetwork MSR Router Series Comware 5 Security Command Reference. For more information about HTTPS, see HPE FlexNetwork MSR Router Series Comware 5 Fundamentals Configuration Guide.
  • Page 404 If the server’s certificate cannot be trusted, install the root certificate of the CA that issued the local certificate to the SSL server on the SSL client, or let the server request a certificate from the CA that the SSL client trusts. If the SSL server is configured to authenticate the client, but the SSL client has no certificate or the certificate cannot be trusted, request and install a certificate for the client.
  • Page 405: Configuring Ssl Vpn

    Configuring SSL VPN SSL VPN is a VPN technology based on Secure Sockets Layer (SSL). It works between the transport layer and the application layer. Using the certificate-based identity authentication, data encryption, and integrity verification mechanisms that the SSL protocol provides, SSL VPN can establish secure connections for communications at the application layer.
  • Page 406: Configuration Procedure

    Configuration procedure This section describes how to enable the SSL VPN service. You must use the Web interface provided by the router to configure SSL VPN functions. For more information, see the Web configuration manual. Complete the following tasks to enable SSL VPN: •...
  • Page 407 Figure 135 Network diagram (labels: Host, Remote user, 10.1.1.1/24, Internet, Device, SSL VPN gateway, Internal servers, 10.2.1.1/24) Configuration procedure In this example, the Windows Server is used as the CA. Install the SCEP plugin on the CA. Before the following configurations, make sure the intended SSL VPN gateway, the CA, and the host used by the remote user can reach each other, and the CA is enabled with the CA service and can issue certificates to the device (SSL VPN gateway) and the host.
  • Page 408 You can open the web login interface of the SSL VPN gateway. For more information about PKI configuration commands, SSL configuration commands, and the public-key local create rsa command, see HPE FlexNetwork MSR Router Series Comware 5 Security Command Reference.
  • Page 410: Configuring A User Profile

    Configuring a user profile Overview A user profile provides a configuration template to save predefined configurations, such as a Quality of Service (QoS) policy. Different user profiles are applicable to different application scenarios. The user profile implements service applications on a per-user basis. Every time a user accesses the device, the device automatically applies the configurations in the user profile that is associated only with this user.
  • Page 411: Performing Configurations In User Profile View

    Supported configurations include QoS policies and WLAN configurations. For more information about QoS policies, see HPE FlexNetwork MSR Router Series Comware 5 ACL and QoS Configuration Guide. For more information about WLAN configuration, see HPE FlexNetwork MSR Router Series Comware 5 WLAN Configuration Guide.
  • Page 412: Configuring Arp Attack Protection

    Configuring ARP attack protection ARP attacks and viruses threaten LAN security. This chapter describes multiple features used to detect and prevent such attacks. Overview Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
  • Page 413: Configuring Arp Source Suppression

    Configuring ARP source suppression Step Command Remarks: Enter system view. Command: system-view. Enable ARP source suppression. Command: arp source-suppression enable. Remarks: Disabled by default. Set the maximum number of unresolvable packets that the device can receive from a... Command: arp source-suppression limit limit-value. Remarks: Optional. 10 by default.
  • Page 414: Configuring Source Mac-Based Arp Attack Detection

    Configuration considerations If the attack packets have the same source address, you can enable the ARP source suppression function as follows: Enable ARP source suppression. Set the threshold to 100. If the number of unresolvable IP packets received from a host within 5 seconds exceeds 100, the device stops resolving packets from the host until the 5 seconds elapse.
  • Page 415: Displaying And Maintaining Source Mac-Based Arp Attack Detection

    Displaying and maintaining source MAC-based ARP attack detection Task Command Remarks: Display attacking MAC addresses detected by source MAC-based ARP attack detection. Command: display arp anti-attack source-mac [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view. Source MAC-based ARP attack detection configuration example...
  • Page 416: Configuring Arp Packet Source Mac Consistency Check

    Configuration procedure # Enable source MAC-based ARP attack detection and specify the handling method. <Device> system-view [Device] arp source-mac filter # Set the threshold to 30. [Device] arp source-mac threshold 30 # Set the lifetime for ARP attack entries to 60 seconds. [Device] arp source-mac aging-time 60 # Exclude 0012-3f86-e94c from this detection.
  • Page 417: Configuration Guidelines

    Fixed ARP allows the device to change the existing dynamic ARP entries (including those generated through ARP automatic scanning) into static ARP entries. The fixed ARP feature effectively prevents ARP entries from being modified by attackers. Use both ARP automatic scanning and fixed ARP in small-scale networks such as a cybercafe. Configuration guidelines When you configure ARP automatic scanning and fixed ARP, follow these guidelines: •...
  • Page 418: Configuring Ip Source Guard

    Configuring IP source guard Overview IP source guard is intended to improve port security by blocking illegal packets. For example, it can prevent invalid hosts from using a valid IP address to access the network. IP source guard can filter packets according to the packet source IP address, source MAC address, and VLAN tag.
  • Page 419: Dynamic Ip Source Guard Binding Entries

    Dynamic IPv4 source guard binding entries are generated dynamically based on DHCP snooping entries to filter incoming IPv4 packets on a port. For information about DHCP snooping, see HPE FlexNetwork MSR Router Series Comware 5 Layer 3—IP Services Configuration Guide.
  • Page 420: Enabling Ipv4 Source Guard On A Port

    To generate IPv4 source guard binding entries dynamically based on DHCP entries, make sure DHCP snooping is configured and working correctly. For information about DHCP snooping configuration, see HPE FlexNetwork MSR Router Series Comware 5 Layer 3—IP Services Configuration Guide.
  • Page 421: Configuring A Static Ipv4 Source Guard Binding Entry

    NOTE: Although dynamic IPv4 source guard binding entries are generated based on DHCP entries, the number of dynamic IPv4 source guard binding entries is not necessarily the same as that of the DHCP entries. Configuring a static IPv4 source guard binding entry Static IPv4 source guard binding entries take effect only on the ports enabled with the IPv4 source guard function (see "Enabling IPv4 source guard on a port").
  • Page 422: Displaying And Maintaining Ip Source Guard

    Displaying and maintaining IP source guard Task Command Remarks: Display static IP source guard binding entries. Command: display ip source binding static [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view. display ip source binding [ interface interface-type interface-number |...
  • Page 423 [DeviceA] interface ethernet 1/2 [DeviceA-Ethernet1/2] ip verify source ip-address mac-address # Configure Ethernet 1/2 to allow only IP packets with the source MAC address of 0001-0203-0405 and the source IP address of 192.168.0.3 to pass. [DeviceA] interface ethernet 1/2 [DeviceA-Ethernet1/2] ip source binding ip-address 192.168.0.3 mac-address 0001-0203-0405 [DeviceA-Ethernet1/2] quit # Enable IPv4 source guard on Ethernet 1/1 to filter packets based on both the source IP...
  • Page 424: Dynamic Ipv4 Source Guard Using Dhcp Snooping Configuration Example

    IP addresses through the DHCP server to pass. For information about DHCP server configuration, see HPE FlexNetwork MSR Router Series Comware 5 Layer 3—IP Services Configuration Guide. Figure 140 Network diagram...
  • Page 425: Troubleshooting Ip Source Guard

    The client binding table for all untrusted ports. Type : D--Dynamic , S--Static Type IP Address MAC Address Lease VLAN Interface ==== =============== ============== ============ ==== ================= 192.168.0.1 0001-0203-0406 86335 Ethernet1/1 The output shows that a dynamic IPv4 source guard binding entry has been generated based on the DHCP snooping entry.
  • Page 426: Configuring Attack Detection And Protection

    Configuring attack detection and protection Overview Attack detection and protection is an important network security feature. It determines whether received packets are attack packets according to the packet contents and behaviors and, if detecting an attack, take measures to deal with the attack, such as recording alarm logs, dropping packets, and blacklisting the source IP address.
  • Page 427: Blacklist Function

    Single-packet attack / Description: Route Record: An attacker exploits the route record option in the IP header to probe the topology of a network. Smurf: An attacker sends an ICMP echo request to the broadcast address of the target network. As a result, all hosts on the target network reply to the request, congesting the network and leaving hosts on the target network unable to provide services.
  • Page 428: Traffic Statistics Function

    packets and therefore can filter packets at a high speed. Blacklist filtering is very effective in filtering packets from certain IP addresses. Working in conjunction with the scanning attack protection function or the user login authentication function, the device can add blacklist entries automatically and can age such blacklist entries. More specifically: •...
  • Page 429: Attack Detection And Protection Configuration Task List

    The traffic statistics function does not take the session status into account (except the TCP half-open and half-close states). Each time a session is established, the count increases by 1; each time a session is deleted, the count decreases by 1. Attack detection and protection configuration task list The attack detection and protection configuration tasks include three categories:...
  • Page 430: Configuring An Attack Protection Policy

    Step Command Remarks: Enter system view. Command: system-view. Create an attack protection policy and enter attack protection policy view. Command: attack-defense policy policy-number [ interface interface-type interface-number ]. Remarks: By default, no attack protection policy is created. Configuring an attack protection policy In an attack protection policy, you can specify the signatures for attack detection and the corresponding protection measures according to the security requirements of your network.
  • Page 431 Step Command Remarks: Enter attack protection policy view. Command: attack-defense policy policy-number. Enable scanning attack protection. Command: defense scan enable. Remarks: Disabled by default. Specify the connection rate threshold that triggers scanning attack protection. Command: defense scan max-rate rate-number. Remarks: Optional. 4000 connections per second by default.
  • Page 432 Step Command Remarks: Configure the global action and silence thresholds for SYN flood attack protection. Command: defense syn-flood rate-threshold high rate-number [ low rate-number ]. Remarks: Optional. By default, the action threshold is 1000 packets per second and the silence threshold is 750 packets per...
  • Page 433: Applying An Attack Protection Policy To An Interface

    Step Command Remarks: Configure the action and silence thresholds for UDP flood attack protection for a specific IP address. Command: defense udp-flood ip ip-address rate-threshold high rate-number [ low rate-number ]. Remarks: Optional. Not configured by default. Configure the device to drop UDP flood attack... Command: defense udp-flood action drop. Remarks: Optional. By default, the device only outputs...
  • Page 434: Enabling Traffic Statistics On An Interface

    the aging time, which is configurable. For the configuration of scanning attack protection, see "Configuring a scanning attack protection policy." Enabling traffic statistics on an interface To collect traffic statistics on an interface, enable the traffic statistics function on the interface. The device supports traffic statistics in the following two modes: •...
  • Page 435: Attack Detection And Protection Configuration Examples

    Task Command Remarks: Display configuration information about one or all attack protection policies. Command: display attack-defense policy [ policy-number ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view. Display information about... Command: display blacklist { all | ip sour-address } [ | { begin | exclude | include }... Remarks: Available in any view.
  • Page 436 Figure 141 Network diagram (labels: Host A, Host B, Attacker, Router, GE1/1, GE1/2, GE1/3, 192.168.1.1/16, 202.1.0.1/16, Internet, Host C, Host D, Server, 10.1.1.1/24, 10.1.1.2/24, 5.5.5.5/24) Configuration procedure # Configure IP addresses for interfaces. (Details not shown.) # Enable the blacklist function. <Router>...
  • Page 437: Blacklist Configuration Example

    [Router-attack-defense-policy-2] quit # Apply policy 2 to GigabitEthernet 1/3. [Router] interface gigabitethernet 1/3 [Router-GigabitEthernet1/3] attack-defense apply policy 2 [Router-GigabitEthernet1/3] quit Verifying the configuration Use the display attack-defense policy command to view the contents of attack protection policy 1 and 2. If Smurf attack packets are received on GigabitEthernet 1/2, the device should output alarm logs.
  • Page 438: Traffic Statistics Configuration Example

    [Router] display blacklist all Blacklist information ------------------------------------------------------------------------- Blacklist : enabled Blacklist items ------------------------------------------------------------------------------ Type Aging started Aging finished Dropped packets YYYY/MM/DD hh:mm:ss YYYY/MM/DD hh:mm:ss 5.5.5.5 manual 2008/04/09 16:02:20 Never 192.168.1.4 manual 2008/04/09 16:02:26 2008/04/09 16:52:26 0 After the configuration takes effect, the router should: •...
  • Page 439 # Enable traffic statistics based on destination IP address. [Router-GigabitEthernet1/1] flow-statistic enable destination-ip Verifying the configuration If you suspect that the server is under an attack, you can view the traffic statistics information on the interface to check whether there is an attack. [Router-GigabitEthernet1/1] display flow-statistics statistics destination-ip 10.1.1.2 Flow Statistics Information ------------------------------------------------------------...
  • Page 440: Configuring Tcp Attack Protection

    If you enable MD5 authentication for TCP connections, the SYN Cookie configuration is ineffective. Then, if you disable MD5 authentication for TCP connections, the SYN Cookie configuration automatically becomes effective. For more information about MD5 authentication, see HPE FlexNetwork MSR Router Series Comware 5 Layer 3—IP Routing Configuration Guide.
  • Page 441: Enabling Protection Against Naptha Attacks

    Enabling protection against Naptha attacks Naptha attacks are similar to SYN Flood attacks. Attackers can perform Naptha attacks by using any of six TCP connection states (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, and SYN_RECEIVED), whereas SYN Flood attacks use only the SYN_RECEIVED state. Naptha attackers control a huge number of hosts to establish TCP connections with the server, keep these connections in the same state (any of the six), and request no data, so as to exhaust the memory resources of the server.
  • Page 442: Configuring Connection Limits

    Configuring connection limits Overview An internal user initiating a large quantity of connections to external networks in a short period of time occupies large amounts of system resources on the device, limiting access to network resources for other users. An internal server that receives large numbers of connection requests within a short period of time cannot process them in time or accept other normal connection requests.
  • Page 443: Configuring An Acl-Based Connection Limit Rule

    • If the default connection limit action is deny, the user connections are not limited. • If the default connection limit action is permit, the user connections are limited according to the configured default connection limit parameters. When the number of connections reaches the upper limit, users cannot establish new connections.
  • Page 444: Applying The Connection Limit Policy

    Step Command: Enter connection limit policy view. Command: connection-limit policy policy-number. Configure an ACL-based connection limit rule. Command: limit limit-id acl acl-number [ { per-destination | per-service | per-source } * amount max-amount min-amount ]. Applying the connection limit policy To make a connection limit policy take effect, apply it to a NAT service module. To apply a connection limit policy: Step Command...
  • Page 445: Analysis

    [Router] connection-limit policy 0 [Router-connection-limit-policy-0] limit 0 source ip 192.168.0.0 24 destination ip any protocol ip max-connections 10 per-source [Router-connection-limit-policy-0] limit 1 source ip 192.168.0.100 32 destination ip any protocol ip max-connections 100 per-source With the configuration, the host at 192.168.0.100 can only initiate up to 10 connections to the external network.
  • Page 446: Configuring Password Control

    In non-FIPS mode, this function is not effective for manage-level users. In FIPS mode, this function is effective for both non-manage-level and manage-level users. For information about user levels, see HPE FlexNetwork MSR Router Series Comware 5 Fundamentals Configuration Guide.
  • Page 447 characters must not be the same. Otherwise, the user will fail to change the password and the system displays an error message. You can set the maximum number of history password records for the system to maintain for each user. When the number of history password records exceeds your setting, the most recent record overwrites the earliest one.
  • Page 448: Fips Compliance

    • Password complexity checking policy A less complicated password such as a password containing the username or repeated characters is more likely to be cracked. For higher security, you can configure a password complexity checking policy to make sure all user passwords are relatively complicated. With such a policy configured, when a user configures a password, the system checks the complexity of the password.
  • Page 449: Password Control Configuration Task List

    Password control configuration task list The password control functions can be configured in several views, and different views support different functions. The settings configured in different views or for different objects have the following application ranges: • Settings for super passwords apply to only super passwords. •...
  • Page 450: Setting Global Password Control Parameters

    Step Command Remarks: Enable the global password control feature. Command: password-control enable. Remarks: By default, the global password control feature is disabled. Enable a specific password control function. Command: password-control { aging | composition | history | length }. Remarks: Optional. By default, all of the four...
  • Page 451: Setting User Group Password Control Parameters

    Step Command Remarks: Set the number of days during which the user is warned of the pending password expiration. Command: password-control alert-before-expire alert-time. Remarks: Optional. The default setting is 7 days. 10. Set the maximum number of days and maximum number of times that a user can log... Command: password-control... Remarks: Optional. By default, a user can log in 3...
  • Page 452: Setting Super Password Control Parameters

    To switch from a lower user level to a higher one, a user needs to enter a password for authentication. This password is called a super password. For more information on super passwords, see HPE FlexNetwork MSR Router Series Comware 5 Fundamentals Configuration Guide.
  • Page 453: Setting A Local User Password In Interactive Mode

    Setting a local user password in interactive mode You can set a password for a local user in interactive mode. When doing so, you need to confirm the password. To set a password for a local user in interactive mode: Step Command Enter system view.
  • Page 454 Configure a password control policy for the local Telnet user test to meet the following requirements: • The password must contain at least 12 characters. • The password must contain at least two character types and at least five characters for each type.
  • Page 455 [Sysname-luser-test] quit Verifying the configuration # Display the global password control configuration. <Sysname> display password-control Global password control configurations: Password control: Enabled Password aging: Enabled (30 days) Password length: Enabled (10 characters) Password composition: Enabled (1 types, 1 characters per type) Password history: Enabled (max history record:4) Early notice on password expiration: 7 days...
  • Page 456: Configuring Habp

    Configuring HABP The HW Authentication Bypass Protocol (HABP) is intended to enable the downstream network devices of an access device to bypass 802.1X authentication and MAC authentication configured on the access device. As shown in Figure 144, 802.1X authenticator Switch A has two switches attached to it: Switch B and Switch C.
  • Page 457: Configuring An Habp Server

    Otherwise, the cluster management device will not be able to manage the devices attached to this member device. For more information about the cluster function, see HPE FlexNetwork MSR Router Series Comware 5 Network Management and Monitoring Configuration Guide.
  • Page 458: Displaying And Maintaining Habp

    Step Command Remarks: Configure HABP to operate in client mode. Command: undo habp server. Remarks: Optional. HABP operates in client mode by default. The VLAN to which an HABP client belongs must be the same as that specified on the HABP server for transmitting HABP packets.
  • Page 459 Figure 145 Network diagram (labels: Internet, Authentication server, Device as HABP server with GE1/1 and GE1/2, Switch A and Switch B as HABP clients in VLAN 1, Host A, Host B, Host C, Host D) Configuration procedure Configure the device: # Perform 802.1X related configurations on the device. For detailed configurations, see "Configuring 802.1X."...
  • Page 460 Global HABP information: HABP Mode: Server Sending HABP request packets every 50 seconds Bypass VLAN: 1 # Display HABP MAC address table entries. <Device> display habp table Holdtime Receive Port 001f-3c00-0030 GigabitEthernet1/2 001f-3c00-0031 GigabitEthernet1/1...
  • Page 461: Configuring Urpf

    Configuring URPF Overview Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks, such as denial of service (DoS) and distributed denial of service (DDoS) attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator.
  • Page 462 Figure 147 URPF work flow (flowchart of the checks applied to a received packet: broadcast source address, all-zero source address, broadcast destination address, whether the source address matches a FIB entry, whether the matching entry is a default route and whether the default route is allowed for the URPF check, whether the receiving interface matches, and whether loose URPF applies; failing checks lead to Discard)
  • Page 463: Network Application

    If not, URPF proceeds to step 4. URPF checks whether the receiving interface matches the output interface of the matching FIB entry: If yes, the packet is forwarded. If not, URPF checks whether the check mode is loose: if yes, the packet is forwarded; if not, URPF proceeds to step 5.
  • Page 464: Urpf Configuration Example

    To enable URPF on an interface: Step Command Remarks: Enter system view. Command: system-view. Enter interface view. Command: interface interface-type interface-number. Enable URPF check on the interface. Command: ip urpf { loose | strict } [ allow-default-route ] [ acl acl-number ]. Remarks: Disabled by default. URPF configuration example Network requirements Figure...
  • Page 465: Configuring Wlan Client Isolation

    Configuring WLAN client isolation The terms AP and fat AP in this document refer to MSR900, MSR93X, and MSR20-1X routers with IEEE 802.11b/g and MSR series routers installed with a SIC WLAN module. WLAN client isolation enables a fat AP to isolate Layer 2 packets (unicast/broadcast) that are exchanged between wireless clients associated with it, disabling them from direct communication.
  • Page 466: Configuring Group Domain Vpn

    Configuring group domain VPN Group domain Virtual Private Network (group domain VPN) provides a point-to-multipoint tunnel-less VPN solution. It is mainly used to protect multicast traffic. Overview Group domain VPN uses a group-based IPsec model. Members in a group use a common IPsec policy, which includes security protocols, algorithms, and keys.
  • Page 467: Group Domain Vpn Establishment

    The KS maintains security policies for groups, and creates and maintains key information. It responds to registration requests from GMs and sends rekey messages to GMs. After a GM registers with the KS, the KS sends the IPsec policy and keys to the GM. The keys are periodically updated.
  • Page 468: Ks Redundancy

    No change is made to the original IP header. Group domain VPN also supports protection of MPLS L3VPN data. For more information about MPLS L3VPN, see HPE FlexNetwork MSR Router Series Comware 5 MPLS Configuration Guide. Rekey If rekey parameters are configured on the KS, the KS periodically unicasts or multicasts (the default mode is multicast) rekey messages to registered GMs to update their IPsec SAs or rekey SAs.
  • Page 469: Protocols And Standards

    Figure 154 KS redundancy The KSs use a proprietary protocol of Hewlett Packard Enterprise to perform primary KS election, data exchange, and keepalive functions. Primary KS election The KSs elect the KS that has the highest priority as the primary KS. The priority of a KS is set in "Configuring GDOI KS redundancy."...
  • Page 470: Configuring The Gdoi Ks

    The IKE settings on the primary and secondary KSs must match. Otherwise, phase-1 IKE negotiation will fail. Configuring the GDOI KS Complete the following tasks before you configure the GDOI KS: • IKE configuration—Configure an IKE proposal and IKE peers for phase-1 IKE negotiation with GMs.
  • Page 471 one KS, and import the key pair to the other KSs to ensure the key pair consistency. For information about exporting and importing key pairs, see "Managing public keys." • To protect unicast traffic, the ACL referenced by the IPsec policy must have rules in pairs. Each pair of rules identifies a bidirectional traffic flow.
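    The pairing rule above is easy to break when an ACL is edited by hand, and the ACL a GM downloads from the KS (shown in the verification output later in this chapter) has exactly the form a check can parse. The following Python checker is an added example, not code from the HPE documentation; the rule-line format is taken from that display output, the sample ACL is constructed (the fifth rule is deliberately left without a mirror), and the regular expression only covers the source/destination-with-wildcard form shown there.

```python
import re
from typing import Dict, List, Tuple

# Rule-line format as printed under "ACL Downloaded From KS" in this chapter.
RULE_RE = re.compile(
    r"rule\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"source\s+(?P<src>\S+)\s+(?P<swc>\S+)\s+"
    r"destination\s+(?P<dst>\S+)\s+(?P<dwc>\S+)"
)

# Constructed sample: rules 0-3 form two bidirectional pairs; rule 4 has no mirror.
SAMPLE_ACL = """\
ACL Downloaded From KS 100.1.1.100:
  rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
  rule 1 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
  rule 2 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
  rule 3 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
  rule 4 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
"""


def parse_rules(acl_text: str) -> List[Dict[str, object]]:
    """Parse rule lines into dicts; lines that do not match the format are ignored."""
    rules: List[Dict[str, object]] = []
    for line in acl_text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rule: Dict[str, object] = dict(m.groupdict())
            rule["num"] = int(m.group("num"))
            rules.append(rule)
    return rules


def flow_key(rule: Dict[str, object]) -> Tuple[str, ...]:
    return (rule["proto"], rule["src"], rule["swc"], rule["dst"], rule["dwc"])  # type: ignore[return-value]


def mirror_key(rule: Dict[str, object]) -> Tuple[str, ...]:
    """The same flow with source and destination (and their wildcards) swapped."""
    return (rule["proto"], rule["dst"], rule["dwc"], rule["src"], rule["swc"])  # type: ignore[return-value]


def unpaired_rules(acl_text: str) -> List[int]:
    """Numbers of permit rules whose reverse-direction permit rule is missing.

    GDOI protects unicast traffic per direction, so a permit rule A->B without
    a matching B->A leaves the return traffic outside the group SA.
    """
    permits = [r for r in parse_rules(acl_text) if r["action"] == "permit"]
    present = {flow_key(r) for r in permits}
    return sorted(int(r["num"]) for r in permits if mirror_key(r) not in present)


if __name__ == "__main__":
    print(unpaired_rules(SAMPLE_ACL))  # [4]
```

    Run it against the output of display gdoi gm acl (or the ACL as configured on the KS) before pushing a change; an empty list means every protected flow is covered in both directions.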
  • Page 472: Configuring Gdoi Ks Redundancy

    Configuring GDOI KS redundancy The following describes GDOI KS redundancy settings: • UDP port number—Specifies the UDP port number that a GDOI KS uses to send and receive redundancy protocol packets to and from other KSs. All KSs in the same GDOI KS group must use the same UDP port number.
  • Page 473: Specifying The Source Address For Packets Sent By The Ks

    Step: Configure the redundancy hello packet sending interval and the maximum number of consecutive...
    Command: redundancy hello { interval interval | number number } *
    Remarks: Optional. The default settings are as follows: • As the primary KS, the device sends redundancy hello packets regularly at an interval of 20 seconds. •...
  • Page 474: Displaying And Maintaining Gdoi Ks

    To configure rekey parameters:

    Step 1. Enter system view: system-view
    Step 2. Enter GDOI KS group view: gdoi ks group group-name
    Step 3. Specify the encryption algorithm used by the KEK: rekey encryption { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc } (optional; by default, the KEK uses the 3DES-CBC encryption algorithm). DES-CBC and 3DES-CBC are legacy choices; pick one of the AES-CBC options unless a peer cannot support it.
  • Page 475: Gdoi Gm Configuration Task List

    GDOI GM configuration task list Task Remarks Configuring a GDOI GM group Required. Configuring a GDOI IPsec policy Required. Applying a GDOI IPsec policy to an interface Required. Configuring a GDOI GM group You can configure multiple GDOI GM groups on a GM. Different GDOI GM groups must have different KS addresses and group IDs.
  • Page 476: Configuring A Gdoi Ipsec Policy

    Step: Create a GDOI IPsec policy entry and enter GDOI IPsec policy entry view. Command: ipsec policy policy-name seq-number gdoi. Remarks: For more information about this command, see HPE FlexNetwork MSR Router Series Comware 5 Security Command Reference. By default, no GDOI GM group is referenced.
  • Page 477: Applying A Gdoi Ipsec Policy To An Interface

    For more information about this command, see HPE FlexNetwork MSR Router Series Comware 5 Security Command Reference. Applying a GDOI IPsec policy to an interface After you apply a GDOI IPsec policy to an interface, the interface uses the group ID and KS addresses in the GDOI GM group referenced by the policy to perform registration, and uses the local ACL and the downloaded ACL for packet filtering and encryption.
  • Page 478: Group Domain Vpn Configuration Example

    [ group group-name ] GM and initiate registration. For more information about the display ike sa, display ipsec sa, and display ipsec policy commands, see HPE FlexNetwork MSR Router Series Comware 5 Security Command Reference. Group domain VPN configuration example Network requirements...
  • Page 479: Configuration Procedure

    Figure 155 Network diagram Configuration procedure Make sure each GM (GM 1, GM 2, and GM 3) and each KS can reach each other, and the two KSs can reach each other. Make sure the multicast packets between the GMs and the multicast rekey messages between the KS and GMs can be forwarded correctly.
  • Page 480

    [KS1-ike-peer-toks2] remote-address 200.2.2.200
    [KS1-ike-peer-toks2] quit
    # Create the IKE peer togm for IKE negotiation with GMs.
    [KS1] ike peer togm
    # Apply IKE proposal 1 to the IKE peer.
    [KS1-ike-peer-togm] proposal 1
    # Configure the pre-shared key as tempkey1 in plaintext.
    [KS1-ike-peer-togm] pre-shared-key simple tempkey1
    [KS1-ike-peer-togm] quit
    # Create an IPsec transform set fortek.
  • Page 481

    Press CTRL+C to abort.
    Input the bits of the modulus[default = 1024]:
    Generating Keys...
    ++++++++++++++++
    +++++++
    +++++++++
    # Export the local RSA key pair rsa1 by using 3DES CBC and password 12345678. Copy the key or key pair as needed, which will be used in RSA key import on KS 2.
    [KS1] public-key local export rsa name rsa1 pem 3des-cbc-128 12345678
    -----BEGIN PUBLIC KEY-----
    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6Ne4EtnoKqBCL2YZvSjrG+8He...
  • Page 482

    [KS1-gdoi-ks-group-ks1-ipsec-10] security acl name fortek
    [KS1-gdoi-ks-group-ks1-ipsec-10] quit
    # Specify the peer KS 200.2.2.200.
    [KS1-gdoi-ks-group-ks1] peer address 200.2.2.200
    # Specify the source address of sent packets as 100.1.1.100.
    [KS1-gdoi-ks-group-ks1] source address 100.1.1.100
    # Specify the local priority as 10000.
    [KS1-gdoi-ks-group-ks1] local priority 10000
    # Enable GDOI KS redundancy.
  • Page 483

    # Specify the encryption algorithm AES-CBC 128 for the IPsec transform set fortek.
    [KS2-ipsec-transform-set-fortek] esp encryption-algorithm aes-cbc-128
    # Specify the authentication algorithm SHA1 for the IPsec transform set fortek.
    [KS2-ipsec-transform-set-fortek] esp authentication-algorithm sha1
    [KS2-ipsec-transform-set-fortek] quit
    # Create an IPsec profile fortek.
    [KS2] ipsec profile fortek
    # Reference the IPsec transform set fortek for the IPsec profile fortek.
  • Page 484

    HTYnE2RDHXkhPGR5FGJsZnd21XLvd2BEkGGmhTk80nDeiI2XH3D48E6UahQwcam/
    q/txd/KsLnp0rpJkc/WhOTprioeLQQEBayixKRWzNLsZt3L6lqYbA01Z1THho+EV
    0Ng0EZKQyiRV1j7gsBYFRinbSAsIpeYlr7gDAnBCRJdSfPNBKG+ewg==
    -----END RSA PRIVATE KEY-----
    Please input the password:
    # Create the GDOI KS group ks2.
    [KS2] gdoi ks group ks2
    # Configure the group ID as 12345.
    [KS2-gdoi-ks-group-ks2] identity number 12345
    # Reference the key pair rsa1.
    [KS2-gdoi-ks-group-ks2] rekey authentication public-key rsa rsa1
    # Reference the rekey ACL forrekey.
  • Page 485

    [GM1-ike-peer-toks1] proposal 1
    # Configure the pre-shared key used in IKE negotiation as the plaintext string tempkey1.
    [GM1-ike-peer-toks1] pre-shared-key simple tempkey1
    # Specify the IP address of the IKE peer as 100.1.1.100.
    [GM1-ike-peer-toks1] remote-address 100.1.1.100
    [GM1-ike-peer-toks1] quit
    # Create IKE peer toks2.
    [GM1] ike peer toks2
    # Reference IKE proposal 1 for the IKE peer.
  • Page 486

    # Create IKE peer toks1.
    [GM2] ike peer toks1
    # Reference IKE proposal 1 for the IKE peer.
    [GM2-ike-peer-toks1] proposal 1
    # Configure the pre-shared key used in IKE negotiation as the plaintext string tempkey1.
    [GM2-ike-peer-toks1] pre-shared-key simple tempkey1
    # Specify the IP address of the IKE peer as 100.1.1.100.
    [GM2-ike-peer-toks1] remote-address 100.1.1.100
    [GM2-ike-peer-toks1] quit
    # Create IKE peer toks2.
  • Page 487: Verifying The Configuration

    # Specify DH group2 for the IKE proposal.
    [GM3-ike-proposal-1] dh group2
    [GM3-ike-proposal-1] quit
    # Create IKE peer toks1.
    [GM3] ike peer toks1
    # Reference IKE proposal 1 for the IKE peer.
    [GM3-ike-peer-toks1] proposal 1
    # Configure the pre-shared key used in IKE negotiation as the plaintext string tempkey1.
    [GM3-ike-peer-toks1] pre-shared-key simple tempkey1
    # Specify the IP address of the IKE peer as 100.1.1.100.
  • Page 488

    connection-id   peer            flag      phase    status
    ----------------------------------------------------------------------------
    658             100.1.1.100     RD|ST     GROUP
    659             100.1.1.100     RD|RK     GROUP
    flag meaning
    RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  TO--TIMEOUT  RK--REKEY
    The output shows the IKE SA and rekey SA generated after IKE negotiation. The SA with connection-id of 658 is the IKE SA, and the SA with connection-id of 659 is the rekey SA.
    # Execute the display ipsec sa command on GM 1 to display IPsec SAs.
  • Page 489

    [outbound ESP SAs]
      spi: 0xDB865076(3683012726)
      transform: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
      in use setting: Transport
      connection id: 318
      sa duration (kilobytes/sec): 0/900
      sa remaining duration (kilobytes/sec): 0/63
      anti-replay detection: Disabled
      spi: 0x640321A(104870426)
      transform: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
      in use setting: Transport
      connection id: 326
      sa duration (kilobytes/sec): 0/900
      sa remaining duration (kilobytes/sec): 0/853
      anti-replay detection: Disabled
    -----------------------------...
  • Page 490

      anti-replay detection: Disabled
    [outbound ESP SAs]
      spi: 0xDB865076(3683012726)
      transform: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
      in use setting: Transport
      connection id: 322
      sa duration (kilobytes/sec): 0/340
      sa remaining duration (kilobytes/sec): 0/61
      anti-replay detection: Disabled
      spi: 0x640321A(104870426)
      transform: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
      in use setting: Transport
      connection id: 330
      sa duration (kilobytes/sec): 0/900
      sa remaining duration (kilobytes/sec): 0/851
      anti-replay detection: Disabled...
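    Two fields in the display ipsec sa output above deserve a routine check: the remaining lifetime (a GM whose SAs keep running down to a few seconds is not receiving rekeys), and anti-replay detection, which these group SAs show as Disabled (a group SA is shared by every GM, so the per-peer sequence-number window that point-to-point IPsec relies on cannot be applied to it). The following Python parser is an added example, not code from the HPE documentation; the sample output is constructed from the field values shown on these pages, and the ten percent "expiring" threshold is an arbitrary choice.

```python
import re
from typing import Dict, List

# Constructed sample (values taken from the display output in this chapter).
SAMPLE_OUTPUT = """\
[outbound ESP SAs]
  spi: 0xDB865076(3683012726)
  transform: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
  in use setting: Transport
  connection id: 318
  sa duration (kilobytes/sec): 0/900
  sa remaining duration (kilobytes/sec): 0/63
  anti-replay detection: Disabled
  spi: 0x640321A(104870426)
  transform: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
  in use setting: Transport
  connection id: 326
  sa duration (kilobytes/sec): 0/900
  sa remaining duration (kilobytes/sec): 0/853
  anti-replay detection: Disabled
"""

SPI_RE = re.compile(r"spi:\s*(0x[0-9A-Fa-f]+)")
FIELD_RES = {
    "transform": re.compile(r"transform:\s*(.+)"),
    "conn_id": re.compile(r"connection id:\s*(\d+)"),
    "duration": re.compile(r"sa duration \(kilobytes/sec\):\s*(\d+)/(\d+)"),
    "remaining": re.compile(r"sa remaining duration \(kilobytes/sec\):\s*(\d+)/(\d+)"),
    "anti_replay": re.compile(r"anti-replay detection:\s*(\w+)"),
}


def parse_ipsec_sas(text: str) -> List[Dict[str, object]]:
    """Split the display into one dict per SA, keyed by the fields above."""
    sas: List[Dict[str, object]] = []
    cur: Dict[str, object] = {}
    for line in text.splitlines():
        m = SPI_RE.search(line)
        if m:
            cur = {"spi": m.group(1)}
            sas.append(cur)
            continue
        if not cur:
            continue
        for name, rx in FIELD_RES.items():
            m = rx.search(line)
            if not m:
                continue
            if name in ("duration", "remaining"):
                cur[name + "_kb"] = int(m.group(1))
                cur[name + "_sec"] = int(m.group(2))
            elif name == "conn_id":
                cur[name] = int(m.group(1))
            else:
                cur[name] = m.group(1).strip()
            break
    return sas


def audit_sas(text: str, expiring_fraction: float = 0.1) -> Dict[str, List[str]]:
    """Map each SPI to its findings: expiring, anti-replay-disabled, weak-transform."""
    findings: Dict[str, List[str]] = {}
    for sa in parse_ipsec_sas(text):
        issues: List[str] = []
        duration = int(sa.get("duration_sec", 0))
        remaining = int(sa.get("remaining_sec", 0))
        if duration and remaining <= duration * expiring_fraction:
            issues.append("expiring")
        if str(sa.get("anti_replay", "")).lower() != "enabled":
            issues.append("anti-replay-disabled")
        transform = str(sa.get("transform", ""))
        if "DES" in transform or "MD5" in transform:
            issues.append("weak-transform")
        findings[str(sa["spi"])] = issues
    return findings


if __name__ == "__main__":
    for spi, issues in audit_sas(SAMPLE_OUTPUT).items():
        print(spi, issues)
```

    An SA that is flagged as expiring on one GM but not on its peers usually points at rekey messages not reaching that GM (multicast rekey forwarding is a common cause); the "Rekey ACKs missed" counters shown on the KS tell the same story from the other side.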
  • Page 491

    ACL Downloaded From KS 100.1.1.100:
      rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
      rule 1 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
      rule 2 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
      rule 3 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    KEK Policy:
      Rekey transport type : Multicast...
  • Page 492: Troubleshooting Group Domain Vpn

      Rekey ACKs received
      Rekey ACKs missed
    KS 2 stores the same GM information.
    # Display KS redundancy information on KS 1.
    <KS1> display gdoi ks redundancy
    Group Name      : ks1
    Local address   : 100.1.1.100
    Local version   : 1.0
    Local priority  : 10000
    Local role      : Primary
    Primary address : 100.1.1.100...
  • Page 493: Gm Registration Failure

    <Router> display ike sa
    total phase-1 SAs:
    connection-id   peer   flag   phase   status
    ----------------------------------------------------------------------------
    Solution
    If the failure occurred between GM and KS, verify that the IKE proposal and IKE peer configurations on the GM and the KS match, and that the GM and the KS can reach each other. If the failure occurred between KSs, verify that the IKE proposal and IKE peer configurations on the KSs match, and that the KSs can reach each other.
  • Page 494

    Peer role   : Unknown
    Peer status : Down
    Solution
    Verify that the KSs have the same group ID. Verify that the KSs can reach each other.
  • Page 495: Configuring Fips

    Configuring FIPS Overview Federal Information Processing Standards (FIPS) were developed by the National Institute of Standards and Technology (NIST) of the United States. FIPS specifies the requirements for cryptographic modules. FIPS 140-2 defines four levels of security, named "Level 1" to "Level 4" from low to high.
  • Page 496: Conditional Self-Tests

    Table 25 List of power-up self-tests
    Type: Cryptographic algorithm self-test. Operations: Tests the following algorithms:
    • DSA (signature and authentication)
    • RSA (signature and authentication)
    • RSA (encryption and decryption)
    • 3DES
    • SHA1
    • SHA256
    • SHA512
    • HMAC-SHA1
    •...
  • Page 497: Configuring Fips Mode

    Step 1. Enter system view: system-view
    Step 2. Trigger a self-test: fips self-test
    Configuring FIPS mode
    Configuration considerations
    To enter the FIPS mode, follow these steps:
    1. Enable FIPS mode.
    2. Enable the password control function.
    3. Configure a username and password used to log in to the device. The password must include at least 10 characters that must contain uppercase and lowercase letters, digits, and special characters.
  • Page 498: Displaying And Maintaining Fips

    • RSA key pairs must have a modulus length of 2048 bits, and DSA key pairs must have a modulus length from 1024 to 2048 bits. • SSH, SNMPv3, IPsec, and SSL do not support DES, RC4, or MD5. Displaying and maintaining FIPS Task Command Remarks...
  • Page 499: Verifying The Configuration

    [Sysname-luser-test] authorization-attribute level 3
    [Sysname-luser-test] password
    Password:***********
    Confirm :***********
    Updating user(s) information, please wait...
    [Sysname-luser-test] quit
    # Save the configuration.
    [Sysname] save
    The current configuration will be written to the device. Are you sure? [Y/N]:y
    Please input the file name(*.cfg)[cfa0:/startup.cfg]
    (To leave the existing filename unchanged, press the enter key):
    cfa0:/startup.cfg exists, overwrite? [Y/N]:y
    Validating file.
  • Page 500: Document Conventions And Icons

    Document conventions and icons Conventions This section describes the conventions used in the documentation. Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown.
  • Page 501: Network Topology Icons

    Network topology icons Convention Description Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 502: Support And Other Resources

    Support and other resources Accessing Hewlett Packard Enterprise Support • For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance • To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc Information to collect •...
  • Page 503: Websites

    For more information and device support details, go to the following website: www.hpe.com/info/insightremotesupport/docs Documentation feedback Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title,...
  • Page 504 part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
  • Page 505: Index

    Index (pages 505 to 547; the two-column index entries are not reproduced).
