Page of 385
Download Table of ContentsContents Print This PagePrint Bookmark
HP 5120 SI Switch Series
Security
Part number: 5998-1815
Software version: Release 1513
Document version: 6W100-20130830

Advertising

   Also See for HP 5120 SI Series

   Summary of Contents for HP 5120 SI Series

  • Page 1: Configuration Guide

    HP 5120 SI Switch Series Security Configuration Guide Part number: 5998-1815 Software version: Release 1513 Document version: 6W100-20130830...

  • Page 2

    The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.

  • Page 3: Table Of Contents

    A comparison of EAP relay and EAP termination ······························································································ 61   EAP relay ································································································································································ 62   EAP termination ····················································································································································· 63   802.1X configuration ················································································································································ 65   HP implementation of 802.1X ······································································································································ 65   Access control methods ········································································································································ 65   Using 802.1X authentication with other features ······························································································ 65  ...

  • Page 4: Table Of Contents

    Configuring 802.1X ······················································································································································ 70   Configuration prerequisites ·································································································································· 70   802.1X configuration task list ······························································································································ 70   Enabling 802.1X ··················································································································································· 71   Specifying EAP relay or EAP termination ··········································································································· 72   Setting the port authorization state ······················································································································ 72   Specifying an access control method ·················································································································· 73  ...

  • Page 5: Table Of Contents

    Configuration prerequisites ································································································································ 101   Configuration procedure ···································································································································· 101   Displaying and maintaining MAC authentication ···································································································· 101   MAC authentication configuration examples ············································································································ 102   Local MAC authentication configuration example··························································································· 102   RADIUS-based MAC authentication configuration example··········································································· 103   ACL assignment configuration example············································································································ 105  ...

  • Page 6: Table Of Contents

    Inconsistent keys on the access device and the portal server ········································································· 159   Incorrect server port number on the access device ·························································································· 160   Triple authentication configuration ························································································································ 161   Introduction to triple authentication ···························································································································· 161   Overview ······························································································································································ 161  ...

  • Page 7: Table Of Contents

    FIPS compliance ··························································································································································· 197   Password control configuration task list ····················································································································· 198   Configuring password control ···································································································································· 198   Enabling password control ································································································································· 198   Setting global password control parameters ···································································································· 199   Setting user group password control parameters ···························································································· 200  ...

  • Page 8: Table Of Contents

    Displaying and maintaining PKI ································································································································· 231   PKI configuration examples ········································································································································· 231   Requesting a certificate from a CA running RSA Keon ··················································································· 231   Requesting a certificate from a CA running Windows 2003 Server ···························································· 235   Configuring a certificate attribute-based access control policy ······································································ 238  ...

  • Page 9: Table Of Contents

    SCP client configuration example ······················································································································ 277   SCP server configuration example ···················································································································· 278   SSL configuration ···················································································································································· 280   SSL overview ································································································································································· 280   SSL security mechanism ······································································································································ 280   SSL protocol stack ··············································································································································· 281   FIPS compliance ··························································································································································· 282  ...

  • Page 10: Table Of Contents

    Displaying and maintaining source MAC address based ARP attack detection ·········································· 307   Configuring ARP packet source MAC address consistency check ········································································· 307   Introduction ·························································································································································· 307   Configuration procedure ···································································································································· 307   Configuring ARP active acknowledgement ··············································································································· 307   Introduction ··························································································································································...

  • Page 11: Table Of Contents

    Failing to establish an IPsec tunnel ···················································································································· 367   ACL configuration error ······································································································································ 367   Support and other resources ·································································································································· 368   Contacting HP ······························································································································································ 368   Subscription service ············································································································································ 368   Related information ······················································································································································ 368   Documents ···························································································································································· 368...

  • Page 12

    Websites ······························································································································································· 368   Conventions ·································································································································································· 369   Index ········································································································································································ 371  ...

  • Page 13: Aaa Configuration

    AAA configuration This chapter includes these sections: AAA overview • AAA configuration considerations and task list • Displaying and maintaining AAA • • AAA configuration examples Troubleshooting AAA • AAA overview This section covers these topics: RADIUS • HWTACACS • •...

  • Page 14: Radius

    Figure 1 Network diagram for AAA When a user tries to log in to the NAS, use network resources, or access other networks, the NAS authenticates the user. The NAS can transparently pass the user's authentication, authorization, and accounting information to the servers. The RADIUS and HWTACACS protocols define how a NAS and a remote server exchange user information between them.

  • Page 15

    users, and returns user access control information (for example, rejecting or accepting the user access request) to the clients. In general, the RADIUS server maintains the following databases: Users, Clients, and Dictionary, as shown in Figure Figure 2 RADIUS server components •...

  • Page 16

    Figure 3 RADIUS basic message exchange process RADIUS operates in the following manner: The host initiates a connection request carrying the username and password to the RADIUS client. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted by using the Message-Digest 5 (MD5) algorithm and the shared key.

  • Page 17

    Figure 4 RADIUS packet format Descriptions of the fields are as follows: • The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the possible values and their meanings. Table 1 Main values of the Code field Code Packet type Description...

  • Page 18

    The Attribute field, with a variable length, carries the specific authentication, authorization, and • accounting information that defines the configuration details of the request or response. This field contains multiple attributes, and each attribute is represented in triplets of Type, Length, and Value. Type—One byte, in the range 1 to 255.

  • Page 19

    Vendor-ID—ID of the vendor (4 bytes long). Its most significant byte is 0; the other three bytes contains a code that is compliant to RFC 1700. For more information about the proprietary RADIUS sub-attributes of HP, see "Proprietary RADIUS sub-attributes of HP."...

  • Page 20: Hwtacacs

    Figure 5 Segment of a RADIUS packet containing an extended attribute HWTACACS HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server.

  • Page 21

    Figure 6 HWTACACS basic message exchange process for a Telnet user Host HWTACACS client HWTACACS server 1) The user logs in 2) Start-authentication packet 3) Authentication response requesting the username 4) Request for username 5) The user inputs the username 6) Authentication continuance packet with the username 7) Authentication response requesting the login...

  • Page 22: Domain-based User Management

    The user inputs the password. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that carries the login password. The HWTACACS server sends back an authentication response to indicate that the user has passed authentication. The HWTACACS client sends the user authorization request packet to the HWTACACS server.

  • Page 23: Protocols And Standards

    Portal—Portal users must pass portal authentication to access the network. • For a user who has logged in to the device, AAA provides the following services to enhance device security: Command authorization—Enables the NAS to defer to the authorization server to determine •...

  • Page 24

    Maximum idle time permitted for the user before termination of the session. Identification of the user that the NAS sends to the server. With the LAN access Calling-Station-Id service provided by an HP device, this attribute carries the MAC address of the user in the format HHHH-HHHH-HHHH. NAS-Identifier Identification that the NAS uses for indicating itself.

  • Page 25

    NAS-Port-Id String for describing the port of the NAS that is authenticating the user. Proprietary RADIUS sub-attributes of HP Table 5 Proprietary RADIUS sub-attributes of HP Sub-attribute Description Input-Peak-Rate Peak rate in the direction from the user to the NAS, in bps.

  • Page 26: Fips Compliance

    Sub-attribute Description IP address and MAC address of the user carried in authentication and Ip_Host_Addr accounting requests, in the format A.B.C.D hh:hh:hh:hh:hh:hh. A space is required between the IP address and the MAC address. Information that needs to be sent from the server to the client User_Notify transparently Hash value assigned after an 802.1X user passes authentication, which...

  • Page 27

    Authorization method—No authorization (none), local authorization (local), or remote authorization (scheme) Accounting method—No accounting (none), local accounting (local), or remote accounting (scheme) Figure 8 illustrates the configuration procedure. Figure 8 AAA configuration procedure Table 6 AAA configuration task list Task Remarks Configuring local users Required...

  • Page 28: Configuring Aaa Schemes

    NOTE: For login users, you must configure the login authentication mode for the user interfaces as scheme before Fundamentals Configuration Guide performing the above configurations. For more information, see the Configuring AAA schemes Configuring local users For local authentication, you must create local users and configure user attributes on the device in advance.

  • Page 29

    Authorization attributes • Authorization attributes indicate the rights that a user has after passing local authentication. Authorization attributes include the ACL, idle cut function, user level, user role, user profile, VLAN, and FTP/SFTP work directory. For more information about authorization attributes, see "Configuring local user attributes."...

  • Page 30

    To do… Use the command… Remarks Optional By default, the setting for the user Set the minimum password-control length length group is used. If there is no such password length setting for the user group, the global setting is used. Optional Configure the password-control composition...

  • Page 31

    NOTE: For more information about password control attribute commands, see the chapter "Password control • configuration." On a device supporting the password control feature, local user passwords are not displayed, and the • local-user password-display-mode command is not effective. • With the local-user password-display-mode cipher-force command configured, a local user password is always displayed in cipher text, regardless of the configuration of the password command.

  • Page 32: Configuring Radius Schemes

    To do… Use the command… Remarks Optional Configure the password-control composition password type-number type-number By default, the global composition policy [ type-length type-length ] setting is used. authorization-attribute { acl Optional acl-number | callback-number By default, no Configure the authorization attributes for callback-number | idle-cut minute | authorization attribute is the user group...

  • Page 33

    Task Remarks Specifying a source IP address for outgoing RADIUS packets Optional Setting timers for controlling communication with RADIUS servers Optional Configuring RADIUS accounting-on Optional Specifying a security policy server Optional Configuring interpretation of RADIUS class attribute as CAR Optional parameters Enabling the RADIUS trap function Optional...

  • Page 34

    To do… Use the command… Remarks primary authentication { ipv4-address | ipv6 Required Specify the primary RADIUS ipv6-address } [ port-number | key [ cipher | authentication/authorization Configure at least one simple ] key | probe username name [ interval server command.

  • Page 35

    To do… Use the command… Remarks Enable the device to buffer Optional stop-accounting requests to stop-accounting-buffer enable which no responses are Enabled by default received Optional Set the maximum number of retry stop-accounting retry-times stop-accounting attempts 500 by default Optional Set the maximum number of retry realtime-accounting retry-times real-time accounting attempts...

  • Page 36

    Standard—Uses the standard RADIUS protocol, compliant to RFC 2865 and RFC 2866 or later. • • Extended—Uses the proprietary RADIUS protocol of HP. When the RADIUS server runs iMC, you must set the RADIUS server type to extended. When the RADIUS server runs third-party RADIUS server software, either RADIUS server type applies.

  • Page 37

    When the primary server is in the active state, the device communicates with the primary server. If • the primary server fails, the device changes the state of the primary server to blocked and starts a quiet timer for the server, and then turns to a secondary server in the active state (a secondary server configured earlier has a higher priority).

  • Page 38

    NOTE: The server status set by the state command cannot be saved in the configuration file and will be restored • to active every time the server restarts. To display the states of the servers, use the display radius scheme command. •...

  • Page 39

    You can specify a source IP address for outgoing RADIUS packets in RADIUS scheme view for a specific RADIUS scheme, or in system view for all RADIUS schemes. Before sending a RADIUS packet, a NAS selects a source IP address in this order: The source IP address specified for the RADIUS scheme.

  • Page 40

    To do… Use the command… Remarks Optional Set the RADIUS server response timer response-timeout seconds timeout timer 3 seconds by default Optional Set the quiet timer for the servers timer quiet minutes 5 minutes by default Optional Set the real-time accounting timer timer realtime-accounting minutes 12 minutes by default NOTE:...

  • Page 41

    To do… Use the command… Remarks Required accounting-on enable Enable accounting-on and Disabled by default. [ interval seconds | send configure parameters The default interval is 3 seconds and the send-times ] * default number of send-times is 50. NOTE: The accounting-on feature requires the cooperation of the iMC network management system.

  • Page 42

    To do… Use the command… Remarks Required Specify to interpret the class attribute 25 car Be default, RADIUS attribute 25 is not attribute as the CAR parameters interpreted as CAR parameters. NOTE: Whether to configure this feature depends on the implementation of the device and the RADIUS server. Enabling the RADIUS trap function With the RADIUS trap function, a NAS sends a trap message in either of these situations: The status of a RADIUS server changes.

  • Page 43: Configuring Hwtacacs Schemes

    To do… Use the command… Remarks display stop-accounting-buffer { radius-scheme radius-scheme-name | Display information about buffered session-id session-id | time-range stop-accounting requests that get no start-time stop-time | user-name Available in any view responses user-name } [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] Clear RADIUS statistics...

  • Page 44

    To do… Use the command… Remarks Create an HWTACACS scheme Required hwtacacs scheme and enter HWTACACS scheme hwtacacs-scheme-name Not defined by default view NOTE: Up to 16 HWTACACS schemes can be configured. • A scheme can be deleted only when it is not referenced. •...

  • Page 45

    To do… Use the command… Remarks No authorization server is Specify the secondary secondary authorization ip-address specified by default. HWTACACS authorization [ port-number | key [ cipher | simple ] server key ] * NOTE: If both the primary and secondary authorization servers are specified, the secondary one is used when •...

  • Page 46

    Setting the shared keys for HWTACACS packets The HWTACACS client and HWTACACS server use the MD5 algorithm to encrypt packets exchanged between them and use shared keys to verify the packets. Only when they use the same key for an exchanged packet can they receive the packets and make responses properly.

  • Page 47

    NOTE: If an HWTACACS server does not support a username with the domain name, configure the device to • remove the domain name before sending the username to the server. For level switching authentication, the user-name-format keep-original and user-name-format • without-domain commands produce the same results: they ensure that usernames sent to the HWTACACS server carry no ISP domain name.

  • Page 48: Configuring Aaa Methods For Isp Domains

    To do… Use the command… Remarks hwtacacs scheme Enter HWTACACS scheme view — hwtacacs-scheme-name Optional Set the HWTACACS server timer response-timeout seconds response timeout timer 5 seconds by default Optional Set the quiet timer for the primary timer quiet minutes server 5 minutes by default Optional...

  • Page 49: Configuration Prerequisites

    Configuration prerequisites To use local authentication for users in an ISP domain, configure local user accounts (see "Configuring local user attributes") on the access device. To use remote authentication, authorization, and accounting, create the required RADIUS and HWTACACS schemes as described in "Configuring RADIUS schemes"...

  • Page 50: Configuring Aaa Authentication Methods For An Isp Domain

    To do… Use the command… Remarks Optional Specify the maximum number of access-limit enable active users in the ISP domain max-user-number No limit by default Optional Disabled by default Configure the idle cut function idle-cut enable minute [ flow ] This command is effective for only LAN users and portal users.

  • Page 51

    Before configuring authentication methods, complete the following tasks: • For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme to be referenced first. The local and none authentication methods do not require any scheme. Determine the access mode or service type to be configured. With AAA, you can configure an •...

  • Page 52: Configuring Aaa Authorization Methods For An Isp Domain

    NOTE: The authentication method specified with the authentication default command is for all types of users • and has a priority lower than that for a specific access mode. With an authentication method that references a RADIUS scheme, AAA accepts only the authentication •...

  • Page 53

    Determine the access mode or service type to be configured. With AAA, you can configure an authorization scheme for each access mode and service type, limiting the authorization protocols that can be used for access. Determine whether to configure an authorization method for all access modes or service types. Follow these steps to configure AAA authorization methods for an ISP domain: To do…...

  • Page 54: Configuring Aaa Accounting Methods For An Isp Domain

    Configuring AAA accounting methods for an ISP domain In AAA, accounting is a separate process at the same level as authentication and authorization. Its responsibility is to send accounting start/update/end requests to the specified accounting server. Accounting is not required, and therefore accounting method configuration is optional. AAA supports the following accounting methods: No accounting—The system does not perform accounting for the users.

  • Page 55: Tearing Down User Connections Forcibly

    To do… Use the command… Remarks Optional accounting portal { local | none | Specify the accounting method for radius-scheme radius-scheme-name The default accounting method portal users [ local ] } is used by default. NOTE: With the accounting optional command configured, a user that would be otherwise disconnected can •...

  • Page 56: Displaying And Maintaining Aaa

    To do… Use the command… Remarks Enter system view system-view — Create a NAS ID profile and enter aaa nas-id profile profile-name Required NAS ID profile view Required nas-id nas-identifier bind vlan Configure a NAS ID-VLAN binding By default, no NAS ID-VLAN vlan-id binding exists.

  • Page 57

    Figure 9 Configure AAA for Telnet users by an HWTACACS server Configuration procedure # Configure the IP addresses of the interfaces (omitted). # Enable the Telnet server on the switch. <Switch> system-view [Switch] telnet server enable # Configure the switch to use AAA for Telnet users. [Switch] user-interface vty 0 15 [Switch-ui-vty0-15] authentication-mode scheme [Switch-ui-vty0-15] quit...

  • Page 58: Aaa For Telnet Users By Separate Servers

    [Switch-isp-bbb] authentication default hwtacacs-scheme hwtac [Switch-isp-bbb] authorization default hwtacacs-scheme hwtac [Switch-isp-bbb] accounting default hwtacacs-scheme hwtac When Telnetting in to the switch, a user enters username userid@bbb for authentication using domain bbb. AAA for Telnet users by separate servers Network requirements As shown in Figure 10, configure the switch to provide local authentication, HWTACACS authorization,...

  • Page 59: Authentication/authorization For Ssh/telnet Users By A Radius Server

    [Switch] hwtacacs scheme hwtac [Switch-hwtacacs-hwtac] primary authorization 10.1.1.2 49 [Switch-hwtacacs-hwtac] key authorization expert [Switch-hwtacacs-hwtac] user-name-format without-domain [Switch-hwtacacs-hwtac] quit # Configure the RADIUS scheme. [Switch] radius scheme rd [Switch-radius-rd] primary accounting 10.1.1.1 1813 [Switch-radius-rd] key accounting expert [Switch-radius-rd] server-type extended [Switch-radius-rd] user-name-format without-domain [Switch-radius-rd] quit # Create a local user named hello.

  • Page 60

    Specify the ports for authentication and accounting as 1812 and 1813 respectively • Select Device Management Service as the service type • Select HP as the access device type • • Select the access device from the device list or manually add the device with the IP address of 10.1.1.2...

  • Page 61

    Figure 12 Add an access device # Add a user for device management Log in to the iMC management platform, select the User tab, and select Device Management User from the navigation tree to enter the Device Management User page. Then, click Add to enter the Add Device Management User window and perform the following configurations as shown in Figure Add a user named hello@bbb and specify the password...

  • Page 62

    Figure 13 Add an account for device management Configure the switch # Configure the IP address of VLAN interface 2, through which the SSH user accesses the switch. <Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 [Switch-Vlan-interface2] quit # Configure the IP address of VLAN-interface 3, through which the switch access the server.

  • Page 63: Level Switching Authentication For Telnet Users By An Hwtacacs Server

    # Create RADIUS scheme rad. [Switch] radius scheme rad # Specify the primary authentication server. [Switch-radius-rad] primary authentication 10.1.1.1 1812 # Set the shared key for authentication packets to expert. [Switch-radius-rad] key authentication expert # Specify the scheme to include the domain names in usernames to be sent to the RADIUS server. [Switch-radius-rad] user-name-format with-domain # Specify the service type for the RADIUS server, which must be extended when the RADIUS server runs iMC.

  • Page 64

    Figure 14 Configure level switching authentication for Telnet users by an HWTACACS server Configuration considerations Configure the switch to use AAA, particularly, local authentication for Telnet users. Create ISP domain bbb and configure it to use local authentication for Telnet users. •...

  • Page 65

    # Use HWTACACS authentication for user level switching authentication and, if HWTACACS authentication is not available, use local authentication. [Switch] super authentication-mode scheme local # Create an HWTACACS scheme named hwtac. [Switch] hwtacacs scheme hwtac # Specify the IP address for the primary authentication server as 10.1.1.1 and the port for authentication as 49.

  • Page 66

    Figure 15 Configure advanced attributes for the Telnet user Verify the configuration After you complete the configuration, the Telnet user should be able to telnet to the switch and use username test@bbb and password aabbcc to enter the user interface of the switch, and access all level 0 commands.

  • Page 67: Troubleshooting Aaa

    User view commands: cluster Run cluster command display Display current system information ping Ping function quit Exit from current command view ssh2 Establish a secure shell client connection super Set the current user priority level telnet Establish one TELNET connection tracert Trace route function When switching to user privilege level 3, the Telnet user only needs to enter password enabpass as...

  • Page 68: Troubleshooting Hwtacacs

    The username is in the userid@isp-name format and a default ISP domain is specified on the NAS. The user is configured on the RADIUS server. The correct password is entered. The same shared key is configured on both the RADIUS server and the NAS. Symptom 2 RADIUS packets cannot reach the RADIUS server.

  • Page 69: X Fundamentals

    802.1X fundamentals 802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for securing wireless LANs (WLANs), and it has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports. This chapter includes these sections: •...

  • Page 70: X-related Protocols

    Performs unidirectional traffic control to deny traffic from the client. • NOTE: The HP switches support only unidirectional traffic control. 802.1X-related protocols 802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the network access device, and the authentication server. EAP is an authentication framework that uses the client/server model.

  • Page 71

    Protocol version: The EAPOL protocol version used by the EAPOL packet sender. Type: Type of the EAPOL packet. Table 7 lists the types of EAPOL packets that the HP • implementation of 802.1X supports. Table 7 Types of EAPOL packets...

  • Page 72: Eap Over Radius

    01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client and the authentication server does not support this multicast address, you must use an 802.1X client, the HP iNode 802.1X client for example, that can send broadcast EAPOL_Start packets.

  • Page 73: X Authentication Procedures

    The access device supports the following modes: • Multicast trigger mode—The access device multicasts EAP-Request/Identify packets periodically (every 30 seconds by default) to initiate 802.1X authentication. Unicast trigger mode—Upon receiving a frame with the source MAC address not in the MAC •...

  • Page 74: Eap Relay

    • Supports only MD5-Challenge EAP authentication and the "username + password" EAP Works with any RADIUS server that authentication initiated by an HP EAP termination supports PAP or CHAP authentication. iNode 802.1X client. • The processing is complex on the network access device.

  • Page 75: Eap Termination

    In response to the Identity EAP-Request packet, the client sends the username in an Identity EAP-Response packet to the network access device. The network access device relays the Identity EAP-Response packet in a RADIUS Access-Request packet to the authentication server. The authentication server uses the identity information in the RADIUS Access-Request to search its user database.

  • Page 76

    Figure 25 802.1X authentication procedure in EAP termination mode In EAP termination mode, it is the network access device rather than the authentication server generates an MD5 challenge for password encryption (see Step 4). The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.

  • Page 77: X Configuration

    802.1X configuration This chapter describes how to configure 802.1X on an HP device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network, for example, that requires different authentication methods for different users on a port.

  • Page 78

    Access control VLAN manipulation • If the port is a hybrid port with MAC-based VLAN enabled, maps the MAC address of each user to the VLAN assigned by the authentication server. The default VLAN of the port does not change. When a user logs off, the MAC-to-VLAN mapping for the user is removed.

  • Page 79

    Authentication status VLAN manipulation If an 802.1X Auth-Fail VLAN is available, re-maps the MAC address of the user to the Auth-Fail VLAN. The user can access only resources in the Auth-Fail A user in the 802.1X guest VLAN. VLAN fails 802.1X authentication If no 802.1X Auth-Fail VLAN is configured, the user is still in the 802.1X guest VLAN.

  • Page 80

    On a port that performs MAC-based access control Authentication status VLAN manipulation A user fails 802.1X Re-maps the MAC address of the user to the Auth-Fail VLAN. The user can authentication access only resources in the Auth-Fail VLAN. A user in the Auth-Fail VLAN The user is still in the Auth-Fail VLAN.

  • Page 81

    Authentication status VLAN manipulation • Assigns the VLAN specified for the user to the port as the PVID, and removes the port from the critical VLAN. After the user logs off, the default A user in the critical VLAN or user-configured PVID restores. passes 802.1X •...

  • Page 82: Configuring 802.1x

    NOTE: To perform the 802.1X critical VLAN function on a port that performs MAC-based access control, you • must make sure that the port is a hybrid port, and enable MAC-based VLAN on the port. The network device assigns a hybrid port to an 802.1X critical VLAN as an untagged member. •...

  • Page 83: Enabling 802.1x

    Task Remarks Specifying EAP relay or EAP termination Optional Setting the port authorization state Optional Specifying an access control method Optional Setting the maximum number of concurrent 802.1X users on a port Optional Setting the maximum number of authentication request attempts Optional Setting the 802.1X authentication timeout timers Optional...

  • Page 84: Specifying Eap Relay Or Eap Termination

    If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an HP iNode 802.1X client, you can use both EAP termination and EAP relay. To use EAP-TL, PEAP, or any other EAP authentication methods, you must use EAP relay. When you make your decision, see "A comparison of EAP relay and EAP...

  • Page 85: Specifying An Access Control Method

    You can set authorization state for one port in interface view, or for multiple ports in system view. If different authorization state is set for a port in system view and interface view, the one set later takes effect. Follow these steps to set the authorization state of a port: To do…...

  • Page 86: Setting The Maximum Number Of Authentication Request Attempts

    To do… Use the command… Remarks dot1x max-user user-number In system view Set the [ interface interface-list ] Optional maximum number of interface interface-type Use either approach. In Layer 2 concurrent interface-number By default, the maximum number Ethernet 802.1X users concurrent 802.1X users is 256.

  • Page 87: Configuring The Online User Handshake Function

    If not, the device will tear down the connections with such online users for not receiving handshake responses. HP recommends that you use the iNode client software and iMC server to ensure the normal operation •...

  • Page 88: Configuring The Authentication Trigger Function

    Configuring the authentication trigger function About the authentication trigger function The authentication trigger function enables the network access device to initiate 802.1X authentication when 802.1X clients cannot initiate authentication. This function provides the following types of authentication trigger: Multicast trigger—Periodically multicasts Identity EAP-Request packets out of a port to detect 802.1X •...

  • Page 89: Enabling The Quiet Timer

    through the port. The implementation of a mandatory authentication domain enhances the flexibility of 802.1X access control deployment. Follow these steps to specify a mandatory authentication domain for a port: To do… Use the command… Remarks Enter system view system-view —...

  • Page 90: Configuring An 802.1x Guest Vlan

    The periodic online user re-authentication timer can also be set by the authentication server in the session-timeout attribute. The server-assigned timer overrides the timer setting on the access device, and enables periodic online user re-authentication, even if the function is not configured. Support for the server assignment of re-authentication timer and the re-authentication timer configuration on the server vary with servers.

  • Page 91: Configuring An Auth-fail Vlan

    If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, • enable MAC-based VLAN on the port, and assign the port to the 802.1X guest VLAN as an untagged member. For more information about the MAC-based VLAN function, see the Layer 2 —...

  • Page 92: Configuring An 802.1x Critical Vlan

    member. For more information about the MAC-based VLAN function, see the Layer 2 — Switching Configuration Guide. Follow these steps to configure an Auth-Fail VLAN: To do… Use the command… Remarks Enter system view system-view — Enter Layer 2 Ethernet interface interface interface-type —...

  • Page 93: Specifying Supported Domain Name Delimiters

    Specifying supported domain name delimiters By default, the access device supports the at sign (@) as the delimiter. You can also configure the access device to accommodate 802.1X users that use other domain name delimiters. The configurable delimiters include the at sign (@), back slash (\), forward slash (/), and dot (.). If an 802.1X username string includes multiple configured delimiters, the leftmost delimiter is the domain name delimiter.

  • Page 94: X Configuration Examples

    For information about the RADIUS commands used on the access device in this example, see the Command Reference Configure the 802.1X client. If HP iNode is used, do not select the Carry version info option in the client configuration. (Configuration omitted) Configure the RADIUS servers and add user accounts for the 802.1X users.

  • Page 95

    [Device-luser-localuser] password simple localpass # Configure the idle cut function to log off any online user that has been idled for 20 minutes. [Device-luser-localuser] authorization-attribute idle-cut 20 [Device-luser-localuser] quit Configure a RADIUS scheme # Create the RADIUS scheme radius1 and enter its view. [Device] radius scheme radius1 # Specify the IP addresses of the primary authentication and accounting RADIUS servers.

  • Page 96: X With Guest Vlan And Vlan Assignment Configuration Example

    [Device] dot1x # Enable 802.1X on port GigabitEthernet 1/0/1. [Device] interface gigabitethernet 1/0/1 [Device-GigabitEthernet1/0/1] dot1x [Device-GigabitEthernet1/0/1] quit # Enable MAC-based access control on the port. (Optional. MAC-based access control is the default setting.) [Device] dot1x port-method macbased interface gigabitethernet 1/0/1 Verifying the configuration Use the display dot1x interface gigabitethernet 1/0/1 command to verify the 802.1X configuration.

  • Page 97

    Figure 27 Network diagram for 802.1X with guest VLAN and VLAN assignment configuration Configuration procedure NOTE: The following configuration procedure covers most AAA/RADIUS configuration commands on the device. The configuration on the 802.1X client and RADIUS server are omitted. For more information about Security Command Reference AAA/RADIUS configuration commands, see the Configure the 802.1X client.

  • Page 98

    [Device-vlan5] port gigabitethernet 1/0/3 [Device-vlan5] quit Configure a RADIUS scheme. # Configure RADIUS scheme 2000 and enter its view. <Device> system-view [Device] radius scheme 2000 # Specify primary and secondary authentication and accounting servers. Set the shared key to abc for authentication and accounting packets.

  • Page 99: X With Acl Assignment Configuration Example

    802.1X with ACL assignment configuration example Network requirements As shown in Figure 33, the host 192.168.1.10 connects to port GigabitEthernet 1/0/1 of the network access device. Perform 802.1X authentication on the port. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server and the RADIUS server at 10.1.1.2 as the accounting server.

  • Page 100

    [Device] domain 2000 [Device-isp-2000] authentication default radius-scheme 2000 [Device-isp-2000] authorization default radius-scheme 2000 [Device-isp-2000] accounting default radius-scheme 2000 [Device-isp-2000] quit # Configure ACL 3000 to deny packets destined for the FTP server at 10.0.0.1. [Device] acl number 3000 [Device-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0 # Enable 802.1X globally.

  • Page 101: Ead Fast Deployment Configuration

    • EAD fast deployment overview Endpoint Admission Defense (EAD) is an HP integrated endpoint access control solution, which enables the security client, security policy server, access device, and third-party server to work together to improve the threat defense capability of a network. If a terminal device seeks to access a network that deploys EAD, it must have an EAD client, which performs 802.1X authentication.

  • Page 102: Configuration Procedure

    Enable 802.1X on the port, and set the port authorization mode to auto. • Configuration procedure Configuring a free IP When a free IP is configured, the EAD fast deployment is enabled. To allow a user to obtain a dynamic IP address before passing 802.1X authentication, make sure the DHCP server is on the free IP segment.

  • Page 103: Displaying And Maintaining Ead Fast Deployment

    To do… Use the command… Remarks Optional dot1x timer ead-timeout Set the EAD rule timer ead-timeout-value The default timer is 30 minutes. Displaying and maintaining EAD fast deployment To do… Use the command… Remarks Display 802.1X session display dot1x [ sessions | statistics ] information, statistics, or [ interface interface-list ] [ | { begin | Available in any view...

  • Page 104

    Figure 29 Network diagram for EAD fast deployment NOTE: In addition to the configuration on the access device, complete the following tasks: Configure the DHCP server so that the host can obtain an IP address on the segment of 192.168.1.0/24. •...

  • Page 105: Troubleshooting Ead Fast Deployment

    # Configure the redirect URL for client software download. [Device] dot1x url http://192.168.2.3 # Enable 802.1X globally. [Device] dot1x # Enable 802.1X on the port. [Device] interface gigabitethernet 1/0/1 [Device-GigabitEthernet1/0/1] dot1x Verification Use the display dot1x command to display the 802.1X configuration. After the host obtains an IP address from a DHCP server, use the ping command from the host to ping an IP address on the network segment specified by free IP.

  • Page 106

    The address is within a free IP segment. No redirection will take place, even if no host is present with • the address. The redirect URL is not in a free IP segment, no server is using the redirect URL, or the server with the •...

  • Page 107: Mac Authentication Configuration

    MAC authentication configuration This chapter includes these sections: MAC authentication overview • Using MAC authentication with other features • Basic configuration for MAC authentication • • Specifying an authentication domain for MAC authentication users Configuring a MAC authentication guest VLAN •...

  • Page 108: Mac Authentication Timers

    In the local authentication approach: • If MAC-based accounts are used, the access device uses the source MAC address of the packet as the username and password to search its local account database for a match. If a shared account is used, the access device uses the shared account username and password to •...

  • Page 109: Acl Assignment

    ACL assignment You can specify an ACL in the user account for a MAC authentication user to control its access to network resources. After the user passes MAC authentication, the authentication server, either the local access device or a RADIUS server, assigns the ACL to the access port to filter the traffic from this user. You must configure the ACL on the access device for the ACL assignment function.

  • Page 110: Basic Configuration For Mac Authentication

    Task Remarks Specifying an authentication domain for MAC authentication users Optional Configuring a MAC authentication guest VLAN Optional Configuring a MAC authentication critical VLAN Optional Basic configuration for MAC authentication Configuration prerequisites Create and configure an authentication domain, also called "an ISP domain." •...

  • Page 111: Specifying An Authentication Domain For Mac Authentication Users

    Configuring MAC authentication on a port Follow these steps to configure MAC authentication on a port: To do… Use the command… Remarks Enter system view system-view — mac-authentication interface In system view interface-list Required Enable MAC authentication for interface interface-type Use either approach.

  • Page 112: Configuring A Mac Authentication Guest Vlan

    Configuring a MAC authentication guest VLAN Configuration prerequisites Before you configure a MAC authentication guest VLAN on a port, complete the following tasks: Enable MAC authentication. • • Enable MAC-based VLAN on the port. Create the VLAN to be specified as the MAC authentication guest VLAN. •...

  • Page 113: Configuring A Mac Authentication Critical Vlan

    Configuring a MAC authentication critical VLAN Configuration prerequisites Before you configure a MAC authentication critical VLAN on a port, complete the following tasks: Enable MAC authentication. • • Enable MAC-based VLAN on the port. Create the VLAN to be specified as the MAC authentication critical VLAN. •...

  • Page 114: Mac Authentication Configuration Examples

    MAC authentication configuration examples Local MAC authentication configuration example Network requirements In the network in Figure 35, perform local MAC authentication on port GigabitEthernet 1/0/1 to control Internet access. Ensure that: All users belong to domain aabbcc.net. • • Local users use their MAC address as the username and password for MAC authentication. The MAC addresses are hyphen separated and in lower case.

  • Page 115: Radius-based Mac Authentication Configuration Example

    [Device] mac-authentication user-name-format mac-address with-hyphen lowercase Verify the configuration # Display MAC authentication settings and statistics. <Device> display mac-authentication MAC address authentication is enabled. User name format is MAC address in lowercase, like xx-xx-xx-xx-xx-xx Fixed username:mac Fixed password:not configured Offline detect period is 180s Quiet period is 180s.

  • Page 116

    Figure 31 Network diagram for RADIUS-based MAC authentication Configuration procedure NOTE: Ensure that the RADIUS server and the access device can reach each other. Create a shared account for MAC authentication users on the RADIUS server, and set the username aaa and password 123456 for the account.

  • Page 117: Acl Assignment Configuration Example

    [Device] mac-authentication user-name-format fixed account aaa password simple 123456 Verify the configuration # Display MAC authentication settings and statistics. <Device> display mac-authentication MAC address authentication is enabled. User name format is fixed account Fixed username:aaa Fixed password:****** Offline detect period is 180s Quiet period is 180s.

  • Page 118

    Figure 32 Network diagram for ACL assignment RADIUS servers Auth:10.1.1.1 Acct:10.1.1.2 GE1/0/1 Internet Host Switch FTP server 192.168.1.10 10.0.0.1 Configuration procedure NOTE: Check that the RADIUS server and the access device can reach each other. Configure the ACL assignment # Configure ACL 3000 to deny packets destined for 10.0.0.1. <Sysname>...

  • Page 119

    # Enable MAC authentication for port GigabitEthernet 1/0/1. [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] mac-authentication Configure the RADIUS servers # Add a user account with 00-e0-fc-12-34-56 as both the username and password on the RADIUS server, and specify ACL 3000 as the server-assigned ACL for the user account. Omitted.

  • Page 120: Portal Configuration

    Portal configuration Overview Portal authentication helps control access to the Internet. It is also called "web authentication." A website implementing portal authentication is called a portal website. With portal authentication, an access device redirects all users to the portal authentication page. All users can access the free services provided on the portal website;...

  • Page 121

    Figure 33 Portal system components Authentication client An authentication client is an entity seeking access to network resources. It is typically an end-user terminal, such as a PC. A client can use a browser or a portal client software for portal authentication. Client security check is implemented through communications between the client and the security policy server.

  • Page 122: Portal System Using The Local Portal Server

    NOTE: Only a RADIUS server can serve as the remote authentication/accounting server in a portal system. • To implement security check, the client must be the HP iNode client. • Portal system using the local portal server System components In addition to use a separate device as the portal server, a portal system can also use the local portal server function of the access device to authenticate web users directly.

  • Page 123: Portal Authentication Modes

    storage medium of the device. A set of customized authentication pages consists of six authentication pages—the logon page, the logon success page, the online page, the logoff success page, the logon failure page, and the system busy page. A local portal server pushes a corresponding authentication page at each authentication phase.

  • Page 124: Layer 2 Portal Authentication Process

    EAP-Message attributes but only transports them between the portal server and the RADIUS server. Therefore, no additional configuration is needed on the access device. NOTE: To use portal authentication that supports EAP, the portal server and client must be the HP iMC portal • server and the HP iNode portal client.

  • Page 125: Layer 3 Portal Authentication Process

    authentication server assigns the authorized VLAN to the access device. Then, the access device adds the user to the authorized VLAN and generates a MAC VLAN entry. If the authorized VLAN does not exist, the access device first creates the VLAN. Then, the port allows the packets from the VLAN to pass, with the VLAN tag stripped.

  • Page 126

    Direct authentication/cross-subnet authentication process (with CHAP/PAP authentication) Figure 37 Direct authentication/cross-subnet authentication process The direct authentication/cross-subnet authentication takes the following procedure: An authentication client initiates authentication by sending an HTTP request. When the HTTP packet arrives at the access device, the access device allows it to pass if it is destined for the portal server or a predefined free website, or redirects it to the portal server if it is destined for other websites.

  • Page 127

    Authentication process with the local portal server Figure 38 Authentication process with the local portal server With the local portal server, the direct/cross-subnet authentication takes the following procedure: A portal client initiates authentication by sending an HTTP request. When the HTTP packet arrives at an access device using the local portal server, it is redirected to the local portal server, which then pushes a web authentication page for the user to enter the username and password.

  • Page 128: Portal Configuration Task List

    The portal server sends a portal authentication request to the access device, and starts a timer to wait for the portal authentication reply. The portal authentication request contains several EAP-Message attributes, which are used to encapsulate the EAP packet sent from the authentication client and carry the certificate information of the client.

  • Page 129

    Task Remarks Logging off portal users Optional Complete these tasks to configure Layer 3 portal authentication: Task Remarks Specifying a portal server for Layer 3 portal authentication Required Enabling Layer 3 portal authentication Required Configuring a portal-free rule Configuring an authentication source subnet Controlling access of portal Optional users...

  • Page 130: Specifying The Portal Server

    Layer 2 portal authentication uses the local portal server. Specify the IP address of a Layer 3 interface on the device that is routable to the portal client as the listening IP address of the local portal server. HP recommends using the IP address of a loopback interface rather than a physical Layer 3 interface, because: The status of a loopback interface is stable.

  • Page 131: Configuring The Local Portal Server

    To do… Use the command… Remarks Enter system view system-view — portal server server-name ip ip-address [ key [ cipher | simple ] Required Specify a portal server and key-string | port port-id | url By default, no portal server is configure related parameters url-string ] * | ipv6 ipv6-address specified.

  • Page 132

    Main authentication page File name System busy page busy.htm Pushed when the system is busy or the user is in the logon process Logoff success page logoffSuccess.htm NOTE: You can define the names of the files other than the main authentication page files. The file names and directory names are case-insensitive.

  • Page 133

    Rules on page file compression and saving A set of authentication page files must be compressed into a standard zip file. The name of a zip • file can contain only letters, numerals, and underscores. The zip file of the default authentication pages must be saved with name defaultfile.zip.

  • Page 134

    ..</body> </html> NOTE: HP recommends using browser IE 6.0 or above on the authentication clients. • Make sure that the browser of an authentication client permits pop-ups or permits pop-ups from the • access device. Otherwise, the user cannot log off by closing the logon success or online page and can only click Cancel to return back to the logon success or online page.

  • Page 135: Enabling Portal Authentication

    To do… Use the command… Remarks Enter system view system-view — Required Configure the protocol type for the portal local-server { http | https local portal server to support and load By default, the local portal server server-policy policy-name } the default authentication page file does not support any protocol.

  • Page 136: Controlling Access Of Portal Users

    Cross-subnet authentication mode (portal server server-name method layer3) does not require • Layer 3 forwarding devices between the access device and the authentication clients. However, if Layer 3 forwarding devices exist between the authentication client and the access device, you must select the cross-subnet portal authentication mode.

  • Page 137: Configuring An Authentication Source Subnet

    To do… Use the command… Remarks portal free-rule rule-number { destination { any | ip { ip-address mask { mask-length | mask } | any } } | source { any | [ ip { ip-address mask { mask-length | mask } | any } | mac mac-address | vlan vlan-id ] Configure a * } } *...

  • Page 138: Setting The Maximum Number Of Online Portal Users

    NOTE: Configuration of authentication source subnets applies to only cross-subnet authentication. In direct • authentication mode, the authentication source subnet is 0.0.0.0/0. You can configure multiple authentication source subnets by executing the portal auth-network • command repeatedly. Setting the maximum number of online portal users You can use this feature to control the total number of online portal users in the system.

  • Page 139: Configuring Layer 2 Portal Authentication To Support Web Proxy

    Configuring Layer 2 portal authentication to support web proxy By default, proxied HTTP requests cannot trigger Layer 2 portal authentication but are silently dropped. To allow such HTTP requests to trigger portal authentication, configure the port numbers of the web proxy servers on the device.

  • Page 140: Specifying An Auth-fail Vlan For Portal Authentication

    To do… Use the command… Remarks Required Enable support for portal user portal move-mode auto moving Disabled by default NOTE: For a user with authorization information (such as authorized VLAN) configured, after the user moves from a port to another, the device tries to assign the authorization information to the new port. If the operation fails, the device deletes the user's information from the original port and re-authenticates the user on the new port.

  • Page 141: Specifying Nas-port-type For An Interface

    Specifying NAS-Port-Type for an interface NAS-Port-Type is a standard RADIUS attribute for indicating a user access port type. With this attribute specified on an interface, when a portal user logs on from the interface, the device uses the specified NAS-Port-Type value as that in the RADIUS request to be sent to the RADIUS server. If NAS-Port-Type is not specified, the device uses the access port type obtained.

  • Page 142: Specifying A Source Ip Address For Outgoing Portal Packets

    To do… Use the command… Remarks Required Specify a NAS ID profile portal nas-id-profile By default, an interface is specified with no for the interface profile-name NAS ID profile. Specifying a source IP address for outgoing portal packets NOTE: Only Layer 3 portal authentication supports this feature. After you specify a source IP address for outgoing portal packets on an interface, the IP address is used as the source IP address of packets that the access device sends to the portal server, and the destination IP address of packets that the portal server sends to the access device.

  • Page 143: Configuring Portal Detection Functions

    NOTE: To use this feature for remote Layer 3 portal authentication, the portal server must be the iMC portal • server and the iMC portal server must support the page auto-redirection function. period The wait-time option is effective to only local portal authentication. •...

  • Page 144

    portal server can be established, the access device considers that the probe succeeds (the HTTP service of the portal server is open and the portal server is reachable). If the TCP connection cannot be established, the access device considers that the probe fails and the portal server is unreachable.

  • Page 145: Configuring Portal User Information Synchronization

    HP recommends configuring the interval to be greater than the portal server heartbeat interval configured on the portal server.

  • Page 146: Logging Off Portal Users

    Logging off portal users Logging off a user terminates the authentication process for the user or removes the user from the authenticated users list. Follow these steps to log off users: To do… Use the command… Remarks Enter system view system-view —...

  • Page 147: Portal Configuration Examples

    To do… Use the command… Remarks Available in user Clear TCP spoofing statistics reset portal tcp-cheat statistics view Portal configuration examples Configuring direct portal authentication Network requirements As shown in Figure The host is directly connected to the switch and the switch is configured for direct authentication. The •...

  • Page 148

    Configure the portal server parameters as needed. This example uses the default values. • Figure 41 Portal server configuration # Configure the IP address group. Select Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page.

  • Page 149

    Set whether to support the portal server heartbeat and user heartbeat functions. In this example, • select No for both Support Server Heartbeat and Support User Heartbeat. Figure 43 Add a portal device # Associate the portal device with the IP address group. As shown in Figure 49, click the icon in the Port Group Information Management column of device NAS...

  • Page 150

    Figure 45 Port group configuration # Select Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configure the portal server (iMC PLAT 5.0) NOTE: This example assumes that the portal server runs on iMC PLAT 5.0(E0101) and iMC UAM 5.0(E0101). # Configure the portal server.

  • Page 151

    Figure 46 Portal server configuration # Configure the IP address group. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. Then, click Add to enter the page shown in Figure Enter the IP group name.

  • Page 152

    Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Then, click Add to enter the page shown in Figure Enter the device name NAS. • Enter the IP address of the switch's interface connected to the user. •...

  • Page 153

    Figure 50 Add a port group # Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configure the switch Configure a RADIUS scheme • # Create a RADIUS scheme named rs1 and enter its view. <Switch>...

  • Page 154: Configuring Cross-subnet Portal Authentication

    # Configure domain dm1 as the default ISP domain for all users. Then, if a user enters the username without the ISP domain at logon, the authentication and accounting methods of the default domain are used for the user. [Switch] domain default enable dm1 Configure portal authentication •...

  • Page 155

    Configure Switch A: Configure a RADIUS scheme # Create a RADIUS scheme named rs1 and enter its view. <SwitchA> system-view [SwitchA] radius scheme rs1 # Set the server type for the RADIUS scheme. When using the iMC server, set it to extended. [SwitchA-radius-rs1] server-type extended # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.

  • Page 156: Configuring Direct Portal Authentication With Extended Functions

    Configuring direct portal authentication with extended functions Network requirements As shown in Figure The host is directly connected to the switch and the switch is configured for direct extended portal • authentication. The host is assigned with a public network IP address either manually or through DHCP.

  • Page 157

    [Switch-radius-rs1] user-name-format without-domain # Configure the IP address of the security policy server. [Switch-radius-rs1] security-policy-server 192.168.0.113 [Switch-radius-rs1] quit Configure an authentication domain # Create an ISP domain named dm1 and enter its view. [Switch] domain dm1 # Configure AAA methods for the ISP domain. [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1...

  • Page 158: Configuring Cross-subnet Portal Authentication With Extended Functions

    Configuring cross-subnet portal authentication with extended functions Network requirements As shown in Figure Switch A is configured for cross-subnet extended portal authentication. If a user fails security check • after passing identity authentication, the user can access only subnet 192.168.0.0/24. After passing security check, the user can access Internet resources.

  • Page 159

    [SwitchA-radius-rs1] primary accounting 192.168.0.112 [SwitchA-radius-rs1] key accounting radius [SwitchA-radius-rs1] key authentication radius [SwitchA-radius-rs1] user-name-format without-domain # Configure the IP address of the security policy server. [SwitchA-radius-rs1] security-policy-server 192.168.0.113 [SwitchA-radius-rs1] quit Configure an authentication domain # Create an ISP domain named dm1 and enter its view. [SwitchA] domain dm1 # Configure AAA methods for the ISP domain.

  • Page 160: Configuring Portal Server Detection And Portal User Information Synchronization

    On Switch B, configure a default route to subnet 192.168.0.0/24, setting the next hop as 20.20.20.1. (Details not shown) Configuring portal server detection and portal user information synchronization Network requirements As shown in Figure 59, a host is directly connected to a switch (the access device) and must pass portal authentication before access...

  • Page 161

    NOTE: Configure IP addresses for the host, switch, and servers as shown in Figure 59 and make sure that they • can reach each other. Configure the RADIUS server properly to provide authentication and accounting functions for users. • Configure the portal server (iMC PLAT 3.20) NOTE: This example assumes that the portal server runs on iMC PLAT 3.20-R2606P13 and iMC UAM 3.60-E6301.

  • Page 162

    Figure 56 Add an IP address group # Add a portal device. Select Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Then, click Add to enter the page for adding a portal device, as shown in Figure Enter the device name NAS.

  • Page 163

    Figure 58 Device list On the port group configuration page, click Add to enter the page shown in Figure 64. Perform the following configurations: Enter the port group name. • Select the configured IP address group. The IP address used by the user to access the network must •...

  • Page 164

    Figure 60 Portal server configuration # Configure the IP address group. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. Then, click Add to enter the page shown in Figure Enter the IP group name.

  • Page 165

    Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Then, click Add to enter the page shown in Figure Enter the device name NAS. • Enter the IP address of the switch's interface connected to the user. •...

  • Page 166

    Figure 64 Add a port group # Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configure the switch Configure a RADIUS scheme • # Create RADIUS scheme rs1 and enter its view. <Switch>...

  • Page 167

    NOTE: The product of interval and retry must be greater than or equal to the portal server heartbeat interval, and HP recommends configuring the interval as a value greater than the portal server heartbeat interval configured on the portal server.

  • Page 168: Configuring Layer 2 Portal Authentication

    Status : Up The Up state of the portal server indicates that the portal server is reachable. If the access device detects that the portal server is unreachable, you can see the portal server status is Down in the output, and the access device generates a server unreachable trap "portal server newpt lost"...

  • Page 169

    NOTE: Make sure that the host, switch, and servers can reach each other before portal authentication is • enabled. Configure the RADIUS server properly to provide normal authentication/authorization/accounting • functions for users. In this example, you must create a portal user account with the account name userpt on the RADIUS server, and configure an authorized VLAN for the account.

  • Page 170

    # Create a RADIUS scheme named rs1 and enter its view. <Switch> system-view [Switch] radius scheme rs1 # Set the server type for the RADIUS scheme. When using the iMC server, set the server type to extended. [Switch-radius-rs1] server-type extended # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.

  • Page 171: Troubleshooting Portal

    # Correlate DHCP server group 1 with VLAN-interface 3. [Switch-Vlan-interface3] dhcp relay server-select 1 [Switch-Vlan-interface3] quit Verifying the configuration Before user userpt accesses a web page, the user is in VLAN 8 (the initial VLAN), and is assigned with an IP address on subnet 192.168.1.0/24. When the user accesses a web page on the external network, the web request will be redirected to authentication page https://4.4.4.4/portal/logon.htm.

  • Page 172: Incorrect Server Port Number On The Access Device

    Analysis The keys configured on the access device and the portal server are inconsistent, causing CHAP message exchange failure. As a result, the portal server does not display the authentication page. Solution Use the display portal server command to display the key for the portal server on the access device •...

  • Page 173: Triple Authentication Configuration

    Triple authentication configuration This chapter includes these sections: Introduction to triple authentication • Triple authentication configuration task list • Triple authentication configuration examples • Introduction to triple authentication Overview The terminals in a LAN may support different authentication methods. As shown in Figure 71, a printer supports only MAC authentication, a PC installed with the 802.1X client supports 802.1X authentication,...

  • Page 174: Extended Functions

    Upon receiving an ARP or DHCP broadcast packet from a terminal for the first time, the access port • performs MAC authentication on the terminal. If the terminal passes MAC authentication, no other types of authentication will be performed for it. If it fails, 802.1X or portal authentication can be triggered.

  • Page 175: Triple Authentication Configuration Task List

    Triple authentication configuration task list Complete the following tasks to configure triple authentication: Task Remarks Reference 802.1X configuration in Configure 802.1X MAC-based access control the Security Configuration authentication (macbased) is required. Guide. Required MAC authentication Configure MAC configuration in the Configure at least —...

  • Page 176

    NOTE: Make sure that the terminals, the server, and the switch can reach each other. • The host of the web user must have a route to the listening IP address of the local portal server. • Complete the configuration on the RADIUS server and make sure the authentication, authorization, and •...

  • Page 177

    [Switch-radius-rs1] server-type extended # Specify the primary authentication and accounting servers and keys. [Switch-radius-rs1] primary authentication 1.1.1.2 [Switch-radius-rs1] primary accounting 1.1.1.2 [Switch-radius-rs1] key authentication radius [Switch-radius-rs1] key accounting radius # Specify usernames sent to the RADIUS server to carry no domain names. [Switch-radius-rs1] user-name-format without-domain [Switch-radius-rs1] quit Configure an ISP domain...

  • Page 178: Triple Authentication Supporting Vlan Assignment And Auth-fail Vlan Configuration Example

    Triple authentication supporting VLAN assignment and Auth-Fail VLAN configuration example Network requirement As shown in Figure 73, the terminals are connected to a switch to access the IP network. It is required to configure triple authentication on the Layer-2 interface of the switch which connects to the terminals, so that a terminal passing one of the three authentication methods, 802.1X authentication, portal authentication, and MAC authentication, can access the IP network.

  • Page 179

    NOTE: Make sure that the terminals, the servers, and the switch can reach each other. • When using an external DHCP server, ensure that the terminals can get IP addresses from the server • before and after authentication. • Complete the configuration on the RADIUS server, and make sure the authentication, authorization, and accounting functions work normally.

  • Page 180

    # Configure IP address pool 3, including the address range, lease and gateway address. A short lease is recommended to shorten the time terminals use to re-acquire IP addresses after the terminals are offline. [Switch] dhcp server ip-pool 3 [Switch-dhcp-pool-3] network 3.3.3.0 mask 255.255.255.0 [Switch-dhcp-pool-3] expired day 0 hour 0 minute 1 [Switch-dhcp-pool-3] gateway-list 3.3.3.1 [Switch-dhcp-pool-3] quit...

  • Page 181

    Configure MAC authentication # Enable MAC authentication globally. [Switch] mac-authentication # Enable MAC authentication on GigabitEthernet 1/0/1, and specify VLAN 2 as the Auth-Fail VLAN [Switch] interface gigabitethernet 1/0/1 [Switch–GigabitEthernet1/0/1] mac-authentication [Switch–GigabitEthernet1/0/1] mac-authentication guest-vlan 2 [Switch–GigabitEthernet1/0/1] quit Configure a RADIUS scheme # Create a RADIUS scheme named rs1.

  • Page 182

    IPv6=N/A MAC=0015-e9a6-7cfe Index=31 , Username=userdot@triple IP=3.3.3.2 IPv6=N/A MAC=0002-0002-0001 Index=32 , Username=001588f80dd7@triple IP=N/A IPv6=N/A MAC=0015-88f8-0dd7 Total 3 connection(s) matched on slot 1. Total 3 connection(s) matched. Use the display mac-vlan all command to view the MAC-VLAN entries of online users. VLAN 3 is the authorized VLAN.

  • Page 183: Port Security Configuration

    MAC authentication. They apply to scenarios that require both 802.1X authentication and MAC authentication. For scenarios that require only 802.1X authentication or MAC authentication, HP recommends you configure 802.1X authentication or MAC authentication rather than port security. For information about 802.1X and MAC authentication, see the chapters "802.1X configuration" and "MAC authentication configuration...

  • Page 184: Port Security Features

    Port security features The need to know (NTK) feature checks the destination MAC addresses in outbound frames and allows frames to be sent to only devices and hosts that have passed authentication or are using MAC addresses on the MAC address list. This prevents illegal devices from intercepting network traffic. Intrusion protection The intrusion protection feature checks the source MAC address in inbound frames for illegal frames and takes a pre-defined action on each detected illegal frame.

  • Page 185

    Features that can be On the port, if you want to… Use the security mode… triggered authentication and 802.1X protection macAddressOrUserLoginSecureExt authentication macAddressElseUserLoginSecure Else macAddressElseUserLoginSecureExt TIP: These security mode naming rules may help you remember the modes: • userLogin specifies 802.1X authentication and port-based access control. •...

  • Page 186: Support For Guest Vlan And Auth-fail Vlan

    This mode is similar to the userLoginSecure mode except that this mode supports multiple online 802.1X users. userLoginWithOUI This mode is similar to the userLoginSecure mode. The difference is that a port in this mode also permits frames from one user whose MAC address contains a specified organizationally unique identifier (OUI). For wired users, the port performs 802.1X authentication upon receiving 802.1X frames, and performs OUI check upon receiving non-802.1X frames.

  • Page 187: Port Security Configuration Task List

    You can use the MAC authentication VLAN feature together with security modes that support MAC • authentication. For more information about the MAC authentication guest VLAN, see the chapter "MAC authentication configuration." NOTE: If you configure both an 802.1X Auth-Fail VLAN and a MAC authentication guest VLAN on a port that performs MAC-based access control, the 802.1X Auth-Fail VLAN has a higher priority.

  • Page 188: Setting The Maximum Number Of Secure Mac Addresses

    802.1X (disabled), port access control method (macbased), and port authorization mode (auto) • • MAC authentication (disabled) Port security cannot be disabled when a user is present on a port. NOTE: • For more information about 802.1X configuration, see the chapter "802.1X configuration." For more information about MAC authentication configuration, see the chapter "MAC authentication •...

  • Page 189

    The requirements above must be all met. Otherwise, an error message appears when you set a security mode on the port. On the other hand, after setting a port security mode on a port, you cannot change any of the configurations above. •...

  • Page 190: Configuring Port Security Features

    Configuring port security features Configuring NTK The NTK feature checks the destination MAC addresses in outbound frames to make sure that frames are forwarded only to authenticated devices. Any unicast frame with an unknown destination MAC address is discarded. The NTK feature supports the following modes: •...

  • Page 191: Configuring Port Security Traps

    To do… Use the command… Remarks Enter Layer 2 Ethernet interface interface interface-type — view interface-number Required port-security intrusion-mode Configure the intrusion protection { blockmac | disableport | By default, intrusion protection is feature disableport-temporarily } disabled. Return to system view quit —...

  • Page 192

    When the maximum number of secure MAC address entries is reached on the port, the port changes to secure mode, and no more secure MAC addresses can be added or learned. The port allows only frames sourced from a secure MAC address or MAC addresses configured with the mac-address dynamic or mac-address static command to pass through.

  • Page 193: Displaying And Maintaining Port Security

    Displaying and maintaining port security To do… Use the command… Remarks Display port security configuration display port-security [ interface information, operation interface-list ] [ | { begin | exclude Available in any view information, and statistics about | include } regular-expression ] one or more ports or all ports display port-security mac-address security [ interface interface-type...

  • Page 194

    [Switch-GigabitEthernet1/0/1] port-security max-mac-count 64 # Set the port security mode to autoLearn. [Switch-GigabitEthernet1/0/1] port-security port-mode autolearn # Configure the port to be silent for 30 seconds after the intrusion protection feature is triggered. [Switch-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily [Switch-GigabitEthernet1/0/1] quit [Switch] port-security timer disableport 30 Verify the configuration After completing the configurations, use the following command to view the port security configuration information:...

  • Page 195: Configuring The Userloginwithoui Mode

    IfIndex: 9437185 Port: 9437185 MAC Addr: 00:02:00:00:00:32 VLAN ID: 1 IfAdminStatus: 1 In addition, you will see that the port security feature has disabled the port if you issue the following command: [Switch-GigabitEthernet1/0/1] display interface gigabitethernet 1/0/1 GigabitEthernet1/0/1 current state: Port Security Disabled IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-cb00-5558 Description: GigabitEthernet1/0/1 Interface...

  • Page 196

    Figure 70 Network diagram for configuring the userLoginWithOUI mode Configuration procedure NOTE: The following configuration steps cover some AAA/RADIUS configuration commands. For details about • the commands, see the chapter "AAA configuration commands." Configurations on the host and RADIUS servers are not shown. •...

  • Page 197: Verify The Configuration

    # Enable port security. [Switch] port-security enable # Add five OUI values. [Switch] port-security oui 1234-0100-1111 index 1 [Switch] port-security oui 1234-0200-1111 index 2 [Switch] port-security oui 1234-0300-1111 index 3 [Switch] port-security oui 1234-0400-1111 index 4 [Switch] port-security oui 1234-0500-1111 index 5 [Switch] interface gigabitethernet 1/0/1 # Set the port security mode to userLoginWithOUI.

  • Page 198

    Default authentication scheme : radius:radsun Default authorization scheme : radius:radsun Default accounting scheme : radius:radsun Domain User Template: Idle-cut : Disabled Self-service : Disabled Authorization attributes: Use the following command to view the port security configuration information: <Switch> display port-security interface gigabitethernet 1/0/1 Equipment port-security is enabled Trap is disabled Disableport Timeout: 20s...

  • Page 199: Configuring The Macaddresselseuserloginsecure Mode

    802.1X unicast-trigger is enabled Periodic reauthentication is disabled The port is an authenticator Authentication Mode is Auto Port Control Type is Mac-based 802.1X Multicast-trigger is enabled Mandatory authentication domain: NOT configured Guest VLAN: NOT configured Auth-Fail VLAN: NOT configured Max number of on-line users is 256 EAPOL Packet: Tx 16331, Rx 102 Sent EAP Request/Identity Packets : 16316 EAP Request/Challenge Packets: 6...

  • Page 200: Configuration Information

    NOTE: Configurations on the host and RADIUS servers are not shown. Configure the RADIUS protocol The required RADIUS authentication/accounting configurations and ISP domain configurations are the same as those in Configuring the userLoginWithOUI mode. Configure port security # Enable port security. <Switch>...

  • Page 201

    MAC address authentication is enabled. User name format is fixed account Fixed username:aaa Fixed password:123456 Offline detect period is 60s Quiet period is 5s Server response timeout value is 100s The max allowed user number is 1024 per slot Current user number amounts to 3 Current domain is mac Silent MAC User info: MAC Addr...

  • Page 202: Troubleshooting Port Security

    Port Control Type is Mac-based 802.1X Multicast-trigger is enabled Mandatory authentication domain: NOT configured Guest VLAN: NOT configured Auth-Fail VLAN: NOT configured Max number of on-line users is 256 EAPOL Packet: Tx 16331, Rx 102 Sent EAP Request/Identity Packets : 16316 EAP Request/Challenge Packets: 6 EAP Success Packets: 4, Fail Packets: 5 Received EAPOL Start Packets : 6...

  • Page 203: Cannot Change Port Security Mode When A User Is Online

    Analysis No secure MAC address can be configured on a port operating in a port security mode other than autoLearn. Solution Set the port security mode to autoLearn. [Switch-GigabitEthernet1/0/1] undo port-security port-mode [Switch-GigabitEthernet1/0/1] port-security max-mac-count 64 [Switch-GigabitEthernet1/0/1] port-security port-mode autolearn [Switch-GigabitEthernet1/0/1] port-security mac-address security 1-1-2 vlan 1 Cannot change port security mode when a user is online Symptom...

  • Page 204: User Profile Configuration

    User profile configuration This chapter includes these sections: User profile overview • User profile configuration task list • Creating a user profile • • Configuring a user profile Enabling a user profile • Displaying and maintaining user profile • User profile overview A user profile provides a configuration template to save predefined configurations, such as a Quality of Service (QoS) policy.

  • Page 205: Creating A User Profile

    Creating a user profile Configuration prerequisites Before you create a user profile, complete the following tasks: Configure authentication parameters on the device. • • Perform configurations on the client, the access device, and the authentication server, for example, username, password, authentication scheme, domain, and binding a user profile with a user. Creating a user profile Follow these steps to create a user profile: To do…...

  • Page 206: Enabling A User Profile

    NOTE: If a user profile is enabled, you cannot change the QoS policy or edit any QoS policy content (including • the ACL that is referenced by the QoS policy). The QoS policies that can be applied to user profiles support only the remark and filter actions. •...

  • Page 207: Password Control Configuration

    Password control configuration This chapter includes these sections: Password control overview • FIPS compliance • Password control configuration task list • • Configuring password control Displaying and maintaining password control • Password control configuration example • Password control overview Password control refers to a set of functions provided by the local authentication server to control user login passwords, super passwords, and user login status based on predefined policies.

  • Page 208

    the new password and the time. If the user chooses to leave the password or the user fails to change it, the system allows the user to log in using the current password. NOTE: Telnet, SSH, and terminal users can change their passwords by themselves. FTP users, on the contrary, can only have their passwords changed by the administrator.

  • Page 209

    Depending on the system security requirements, you can set the minimum number of character types a password must contain and the minimum number of characters that are from each character type the password must contain. In FIPS mode, a password must contain four types of characters and each type must contain at least one character.

  • Page 210: Password Control Configuration Task List

    Password control configuration task list The password control functions can be configured in several views, and different views support different functions. The settings configured in different views or for different objects have different application ranges and different priorities: Global settings in system view apply to all local user passwords and super passwords. •...

  • Page 211: Setting Global Password Control Parameters

    To do… Use the command… Remarks Required Enable the password control password-control enable feature Disabled by default Optional password-control { aging | Enable a password control composition | history | length } All of the four password control function individually enable functions are enabled by default.

  • Page 212: Setting User Group Password Control Parameters

    To do… Use the command… Remarks Optional Specify the maximum number of By default, the maximum number login attempts and the action to be password-control login-attempt of login attempts is 3 and a user taken when a user fails to log in login-times [ exceed { lock | unlock failing to log in after the specified after the specified number of...

  • Page 213: Setting Local User Password Control Parameters

    Setting local user password control parameters Follow these steps to set password control parameters for a local user: To do… Use the command… Remarks Enter system view system-view — Create a local user and enter local local-user user-name — user view Optional By default, the setting equals that for the user group to which the...

  • Page 214: Setting A Local User Password In Interactive Mode

    To do… Use the command… Remarks Optional Set the password aging time for password-control super aging By default, the super password super passwords aging-time aging time is the same as the global password aging time. Optional Configure the minimum length for password-control super length By default, the minimum super super passwords...

  • Page 215: Password Control Configuration Example

    NOTE: The reset password-control history-record command can delete the history password records of one or all users even when the password history function is disabled. Password control configuration example Unless otherwise noted, devices in the configuration examples are operating in non-FIPS mode. Network requirements Implementing the following global password control policy: An FTP or VTY user failing to provide the correct password in two successive login attempts is...

  • Page 216

    [Sysname] password-control complexity same-character check # Specify that all super passwords must each contain at least three types of valid characters and each type contains at least five characters. [Sysname] password-control super composition type-number 3 type-length 5 # Configure a super password. [Sysname] super password level 3 simple 12345ABGFTweuix # Create a local user named test.

  • Page 217

    Password aging: Enabled (30 days) Password length: Enabled (10 characters) Password composition: Enabled (3 types, 5 characters per type) # Display the password control configuration information for the local user test. <Sysname> display local-user user-name test The contents of local user test: State: Active ServiceType:...

  • Page 218: Habp Configuration

    HABP configuration This chapter includes these sections: Introduction to HABP • Configuring HABP • Displaying and maintaining HABP • • HABP configuration example Introduction to HABP The HW Authentication Bypass Protocol (HABP) is intended to enable the downstream network devices of an access device to bypass 802.1X authentication and MAC authentication configured on the access device.

  • Page 219: Configuring Habp

    addresses of all the clients, it registers the MAC addresses as HABP entries. Then, link layer frames exchanged between the clients can bypass the 802.1X authentication on ports of the server without affecting the normal operation of the whole network. All HABP packets must travel in a specific VLAN. Communication between the HABP server and HABP clients is implemented through this VLAN.

  • Page 220: Displaying And Maintaining Habp

    address to the server, and forwards the HABP request to its attached switches. HABP packets are transmitted in the VLAN to which the HABP client belongs. Follow these steps to configure an HABP client: To do… Use the command… Remarks Enter system view system-view —...

  • Page 221

    Figure 72 Network diagram for HABP configuration Configuration procedure Configure Switch A # Perform 802.1X related configurations on Switch A. For more information about 802.1X configurations, see the chapter "802.1X configuration." # Enable HABP. (As HABP is enabled by default, this configuration is optional.) <SwitchA>...

  • Page 222

    Configurations on Switch C are similar to those on Switch B. Verify your configuration # Display HABP configuration information. <SwitchA> display habp Global HABP information: HABP Mode: Server Sending HABP request packets every 50 seconds Bypass VLAN: 1 # Display HABP MAC address table entries. <SwitchA>...

  • Page 223: Public Key Configuration

    Public key configuration This chapter includes these sections: Asymmetric key algorithm overview • FIPS compliance • Configuring the local asymmetric key pair • • Configuring a remote host's public key Displaying and maintaining public keys • Public key configuration examples •...

  • Page 224: Asymmetric Key Algorithm Applications

    Asymmetric key algorithm applications Asymmetric key algorithms can be used for encryption and digital signature. Encryption—The sender uses the public key of the intended receiver to encrypt the information to be • sent. Only the intended receiver, the holder of the paired private key, can decrypt the information. This mechanism ensures confidentiality.

  • Page 225: Displaying Or Exporting The Local Rsa Or Dsa Host Public Key

    In non-FIPS mode, the DSA and RSA key modulus lengths are in the range of 512 to 2048 bits, and • default to 1024 bits. In FIPS mode, the DSA key modulus length is in the range of 1024 to 2048 bits, and defaults to •...

  • Page 226: Configuring A Remote Host's Public Key

    Standards) format. HP recommends that you follow this method to configure the remote host's public key. Configure it manually—If the remote host is an HP device, you can use the display public-key local • public command to view and record its public key. On the local host, input or copy the key data in public key code view.

  • Page 227: Displaying And Maintaining Public Keys

    Displaying and maintaining public keys To do… Use the command… Remarks display public-key local { dsa | Display the public keys of the local rsa } public [ | { begin | exclude | key pairs include } regular-expression ] Available in any view display public-key peer [ brief | Display the public keys of the...

  • Page 228

    # Display the public keys of the created RSA key pairs. [DeviceA] display public-key local rsa public ===================================================== Time of Key pair created: 09:50:06 2011/01/07 Key name: HOST_KEY Key type: RSA Encryption Key ===================================================== Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F 814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E7 66BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA32647 0034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001 ===================================================== Time of Key pair created: 09:50:07 2011/01/07...

  • Page 229: Importing A Remote Host's Public Key From A Public Key File

    30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F 814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E7 66BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA32647 0034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001 Importing a remote host's public key from a public key file Network requirements As shown in Figure 80, to prevent illegal access, Device B authenticates Device A through a digital signature. Before configuring authentication parameters on Device B, configure the public key of Device A on Device B.

  • Page 230

    ===================================================== Time of Key pair created: 09:50:07 2011/01/07 Key name: SERVER_KEY Key type: RSA Encryption Key ===================================================== Key code: 307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87 BB6158E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B44 90DACBA3CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0 203010001 # Export the RSA host public key to a file named devicea.pub. [DeviceA] public-key local export rsa ssh2 devicea.pub [DeviceA] quit Enable the FTP server function on Device B.

  • Page 231

    ===================================== Key Name : devicea Key Type : RSA Key Module: 1024 ===================================== Key Code: 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F 814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E7 66BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA32647 0034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001...

  • Page 232: Pki Configuration

    With digital certificates, the PKI system provides network communication and e-commerce with security services such as user authentication, data non-repudiation, data confidentiality, and data integrity. HP's PKI system provides certificate management for Secure Sockets Layer (SSL). PKI terms Digital certificate A digital certificate is a file signed by a certificate authority (CA) for an entity.

  • Page 233: Architecture Of Pki

    This document introduces local certificate and CA certificate. A local certificate is a digital certificate signed by a CA for an entity, and a CA certificate is the certificate of a CA. If multiple CAs are trusted by different users in a PKI system, the CAs will form a CA tree with the root CA at the top level. The root CA has a CA certificate signed by itself, and each lower level CA has a CA certificate signed by the CA at the next higher level.

  • Page 234: Applications Of Pki

    A CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues certificates, specifies the validity periods of certificates, and revokes certificates as needed by publishing CRLs. A registration authority (RA) is an extended part of a CA or an independent authority. An RA can implement functions including identity authentication, CRL management, key pair generation and key pair backup.

  • Page 235: Pki Configuration Task List

    The RA receives the certificate from the CA, sends it to the LDAP server to provide directory navigation service, and notifies the entity that the certificate is successfully issued. The entity retrieves the certificate. With the certificate, the entity can communicate with other entities safely through encryption and digital signature.

  • Page 236: Configuring A Pki Domain

    NOTE: The configuration of an entity DN must comply with the CA certificate issue policy. You need to determine, for example, which entity DN parameters are mandatory and which are optional. Otherwise, certificate requests might be rejected. Follow these steps to configure an entity DN: To do…...

  • Page 237

    applications like IKE and SSL, and has only local significance. The PKI domain configured on a device is invisible to the CA and other devices, and each PKI domain has its own parameters. A PKI domain is defined by these parameters: Trusted CA—An entity requests a certificate from a trusted CA.

  • Page 238: Submitting A Pki Certificate Request

    To do… Use the command… Remarks Optional ldap-server ip ip-address [ port Specify the LDAP server port-number ] [ version No LDP server is specified by version-number ] default. Required when the certificate request mode is auto and optional when the certificate request mode is manual.

  • Page 239: Submitting A Certificate Request In Manual Mode

    Submitting a certificate request in manual mode In manual mode, you need to retrieve a CA certificate, generate a local RSA key pair, and submit a local certificate request for an entity. The goal of retrieving a CA certificate will verify the authenticity and validity of a local certificate. Generating an RSA key pair is an important step in certificate request.

  • Page 240: Retrieving A Certificate Manually

    Retrieving a certificate manually You can download CA certificates and local certificates and save them locally. To do so, use either the online mode or the offline mode. In offline mode, you must retrieve a certificate by an out-of-band means like FTP, disk, or email, and then import it into the local PKI system.

  • Page 241

    To do… Use the command… Remarks Optional Specify the URL of the CRL crl url url-string No CRL distribution point URL is distribution point specified by default. Optional By default, the CRL update period Set the CRL update period crl update-period hours depends on the next update field in the CRL file.

  • Page 242: Destroying A Local Rsa Key Pair

    Destroying a local RSA key pair A certificate has a lifetime, which is determined by the CA. When the private key leaks or the certificate is about to expire, destroy the old RSA key pair and then create a pair to request a new certificate. Follow these steps to destroy a local RSA key pair: To do…...

  • Page 243: Displaying And Maintaining Pki

    To do… Use the command… Remarks Required Create a certificate attribute-based pki certificate access-control-policy access control policy and enter its No access control policy exists by policy-name view default. Required Configure a certificate rule [ id ] { deny | permit } No access control rule exists by attribute-based access control rule group-name...

  • Page 244: Network Requirements

    NOTE: The CA server runs RSA Keon in this configuration example. Network requirements The device submits a local certificate request to the CA server. • • The device acquires the CRLs for certificate verification. Figure 77 Request a certificate from a CA running RSA Keon Configuration procedure Configure the CA server: # Create a CA server named myca.

  • Page 245

    [Switch-pki-domain-torsa] ca identifier myca # Configure the URL of the registration server in the format of http://host:port/Issuing Jurisdiction ID, where Issuing Jurisdiction ID is a hexadecimal string generated on the CA server. [Switch-pki-domain-torsa] certificate request url http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337 # Set the registration authority to CA. [Switch-pki-domain-torsa] certificate request from ca # Specify the entity for certificate request as aaa.

  • Page 246

    Enrolling the local certificate,please wait a while..Certificate request Successfully! Saving the local certificate to device..Done! Verify your configuration # Use the following command to view information about the local certificate acquired. [Switch] display pki certificate local domain torsa Certificate: Data: Version: 3 (0x2)

  • Page 247: Requesting A Certificate From A Ca Running Windows 2003 Server

    8FCC1E4A 3E598D81 96476875 E2F86C33 75B51661 B6556C5E 8F546E97 5197734B C8C29AC7 E427C8E4 B9AAF5AA 80A75B3C You can also use some other display commands—display pki certificate ca domain and display pki crl domain commands—to view detailed information about the CA certificate and CRLs. For more information about the commands, see the Security Command Reference.

  • Page 248

    path text box. In addition, specify an available port number as the TCP port number of the default website to avoid conflict with existing services. After completing the configuration, check that the system clock of the switch is synchronous to that of the CA server, ensuring that the switch can request a certificate normally.

  • Page 249

    Is the finger print correct?(Y/N):y Saving CA/RA certificates chain, please wait a moment..CA certificates retrieval success. # Request a local certificate manually. [Switch] pki request-certificate domain torsa challenge-word Certificate is being requested, please wait..[Switch] Enrolling the local certificate,please wait a while..Certificate request Successfully! Saving the local certificate to device..

  • Page 250: Configuring A Certificate Attribute-based Access Control Policy

    keyid:9D823258 EADFEFA2 4A663E75 F416B6F6 D41EE4FE X509v3 CRL Distribution Points: URI:http://l00192b/CertEnroll/CA%20server.crl URI:file://\\l00192b\CertEnroll\CA server.crl Authority Information Access: CA Issuers - URI:http://l00192b/CertEnroll/l00192b_CA%20server.crt CA Issuers - URI:file://\\l00192b\CertEnroll\l00192b_CA server.crt 1.3.6.1.4.1.311.20.2: .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e Signature Algorithm: sha1WithRSAEncryption 81029589 7BFA1CBD 20023136 B068840B (Omitted) You can also use some other display commands—such as, display pki certificate ca domain command—to view more information about the CA certificate.

  • Page 251: Troubleshooting Pki

    <Switch> system-view [Switch] ssl server-policy myssl [Switch-ssl-server-policy-myssl] pki-domain 1 [Switch-ssl-server-policy-myssl] client-verify enable [Switch-ssl-server-policy-myssl] quit Configure the certificate attribute group # Create certificate attribute group mygroup1 and add two attribute rules. The first rule defines that the DN of the subject name includes the string aabbcc, and the second rule defines that the IP address of the certificate issuer is 10.0.0.1.

  • Page 252: Failed To Request A Local Certificate

    Analysis Possible reasons include: • The network connection is not proper. For example, the network cable might be damaged or loose. No trusted CA is specified. • The URL of the registration server for certificate request is not correct or not configured. •...

  • Page 253: Failed To Retrieve Crls

    Failed to retrieve CRLs Symptom Failed to retrieve CRLs. Analysis Possible reasons include: The network connection is not proper. For example, the network cable might be damaged or loose. • No CA certificate has been retrieved before you try to retrieve CRLs. •...

  • Page 254: Ssh2.0 Configuration

    SSH2.0 configuration This chapter includes these sections: SSH2.0 overview • FIPS compliance • Configuring the device as an SSH server • • Configuring the device as an SSH client Displaying and maintaining SSH • SSH server configuration examples • SSH client configuration examples •...

  • Page 255

    Stages Description After the server grants the request, the client and server start to Interaction communicate with each other. Version negotiation The server opens port 22 to listen to connection requests from clients. The client sends a TCP connection request to the server. After the TCP connection is established, the server sends a packet that carries a version information string to the client.

  • Page 256

    Password authentication—The server uses AAA for authentication of the client. During password • authentication, the client encrypts its username and password, encapsulates them into a password authentication request, and sends the request to the server. Upon receiving the request, the server decrypts the username and password, checks the validity of the username and password locally or by a remote AAA server, and then informs the client of the authentication result.

  • Page 257

    NOTE: In the interaction stage, you can execute commands from the client by pasting the commands in text • format—the text must be within 2000 bytes. The commands should be in the same view. Otherwise, the server might not be able to perform the commands correctly. If the command text exceeds 2000 bytes, you can execute the commands by saving the text as a •...

  • Page 258: Enabling The Ssh Server Function

    NOTE: Security Command For more information about the public-key local create command, see the • Reference You should generate both DSA and RSA key pairs on the SSH server to support SSH clients using • different types of key pairs. •...

  • Page 259: Configuring A Client Public Key

    TFTP. CAUTION: • HP recommends you to configure a client public key by importing it from a public key file. You can configure up to 20 client public keys on an SSH server. • Configuring a client public key manually Follow these steps to configure the client public key manually: To do…...

  • Page 260: Configuring An Ssh User

    Importing a client public key from a public key file Follow these steps to import a public key from a public key file: To do… Use the command… Remarks Enter system view system-view — Import the public key from a public public-key peer keyname import Required key file...

  • Page 261: Setting The Ssh Management Parameters

    CAUTION: A user without an SSH account can still pass password authentication and log in to the server, as long • as the user can pass AAA authentication and the service type is SSH. An SSH server supports up to 1024 SSH users. •...

  • Page 262: Configuring The Device As An Ssh Client

    To do… Use the command… Remarks Optional Set the SSH user authentication ssh server authentication-timeout timeout period time-out-value 60 seconds by default Optional Set the maximum number of SSH ssh server authentication-retries authentication attempts times 3 by default NOTE: Authentication will fail if the number of authentication attempts—including both publickey and password authentication—exceeds that specified in the ssh server authentication-retries command.

  • Page 263: Establishing A Connection Between The Ssh Client And Server

    public key on the client. When accessing the server again, the client will use the saved server host public key to authenticate the server. Without first-time authentication, a client not configured with the server host public key will refuse to •...

  • Page 264: Displaying And Maintaining Ssh

    To do... Use the command… Remarks • In non-FIPS mode: ssh2 [ipv6] server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | Establish a connection sha1 | sha1-96 } | prefer-kex between the SSH client { dh-group-exchange | dh-group1 |...

  • Page 265: Ssh Server Configuration Examples

    SSH server configuration examples Unless otherwise noted, devices in the configuration examples are operating in non-FIPS mode. When switch acts as server for password authentication Network requirements As shown in Figure 85, an SSH connection is required between the host and the switch for secure data exchange.

  • Page 266

    [Switch] interface vlan-interface 1 [Switch-Vlan-interface1] ip address 192.168.1.40 255.255.255.0 [Switch-Vlan-interface1] quit # Set the authentication mode for the user interfaces to AAA. [Switch] user-interface vty 0 15 [Switch-ui-vty0-15] authentication-mode scheme # Enable the user interfaces to support SSH. [Switch-ui-vty0-15] protocol inbound ssh [Switch-ui-vty0-15] quit # Create local user client001, and set the user command privilege level to 3 [Switch] local-user client001...

  • Page 267: When Switch Acts As Server For Publickey Authentication

    Figure 81 SSH client configuration interface In the window shown in Figure 86, click Open to connect to the server. If the connection is normal, you will be prompted to enter the username and password. After entering the username client001 and password aabbcc, you can enter the configuration interface of the server.

  • Page 268

    Configure the SSH client # Generate the RSA key pairs. Run PuTTYGen.exe, select SSH-2 RSA and click Generate. Figure 83 Generate a key pair on the client 1) While the key pair is being generated, you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 89.

  • Page 269

    Figure 84 Generate a key pair on the client 2) After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key. Figure 85 Generate a key pair on the client 3)

  • Page 270

    Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save the private key without any protection. Click Yes and enter the name of the file for saving the key—private in this case. Figure 86 Save a key pair on the client 4) Then, you need to transmit the public key file to the server through FTP or TFTP.

  • Page 271

    [Switch-ui-vty0-15] authentication-mode scheme # Enable the user interfaces to support SSH. [Switch-ui-vty0-15] protocol inbound ssh # Set the user command privilege level to 3. [Switch-ui-vty0-15] user privilege level 3 [Switch-ui-vty0-15] quit # Import the client's public key from file key.pub and name it Switch001. [Switch] public-key peer Switch001 import sshkey key.pub # Specify the authentication method for user client002 as publickey, and assign the public key Switch001 to the user.

  • Page 272: Ssh Client Configuration Examples

    Figure 88 SSH client configuration interface 2) In the window shown in Figure 93, click Open to connect to the server. If the connection is normal, you will be prompted to enter the username. After entering the username client002, you can enter the configuration interface of the server.

  • Page 273

    # Generate the RSA key pairs. <SwitchB> system-view [SwitchB] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys...

  • Page 274

    # Configure an IP address for VLAN-interface 1. <SwitchA> system-view [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ip address 10.165.87.137 255.255.255.0 [SwitchA-Vlan-interface1] quit [SwitchA] quit If the client supports first-time authentication, the client directly establishes a connection with the • server. # Establish an SSH connection to server 10.165.87.136. <SwitchA>...

  • Page 275: When Switch Acts As Client For Publickey Authentication

    [SwitchA-pkey-key-code]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465E 8716261214A5A3B493E866991113B2D [SwitchA-pkey-key-code]485348 [SwitchA-pkey-key-code] public-key-code end [SwitchA-pkey-public-key] peer-public-key end # Specify the host public key for the SSH server—10.165.87.136—as key1. [SwitchA] ssh client authentication server 10.165.87.136 assign publickey key1 [SwitchA] quit # Establish an SSH connection to server 10.165.87.136. <SwitchA> ssh2 10.165.87.136 Username: client001 Trying 10.165.87.136 Press CTRL+K to abort...

  • Page 276

    Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys... ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++ # Export the DSA public key to file key.pub. [SwitchA] public-key local export dsa ssh2 key.pub [SwitchA] quit Then, you need to transmit the public key file to the server through FTP or TFTP. Configure the SSH server # Generate the RSA key pairs.

  • Page 277

    # Set the user command privilege level to 3. [SwitchB-ui-vty0-15] user privilege level 3 [SwitchB-ui-vty0-15] quit # Import the peer public key from the file key.pub. [SwitchB] public-key peer Switch001 import sshkey key.pub # Specify the authentication method for user client002 as publickey, and assign the public key Switch001 to the user.

  • Page 278: Sftp Configuration

    SFTP configuration This chapter includes these sections: SFTP overview • Configuring the device as an SFTP server • Configuring the device an SFTP client • SFTP client configuration example • • SFTP server configuration example SFTP overview The secure file transfer protocol (SFTP) is a new feature in SSH2.0. SFTP uses the SSH connection to provide secure data transfer.

  • Page 279: Configuring The Sftp Connection Idle Timeout Period

    NOTE: When the device functions as the SFTP server, only one client can access the SFTP server at a time. If the SFTP client uses WinSCP, a file on the server cannot be modified directly; it can only be downloaded to a local place, modified, and then uploaded to the server.

  • Page 280: Working With Sftp Directories

    To do… Use the command… Remarks • In non-FIPS mode: sftp [ ipv6 ] server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des |...

  • Page 281: Working With Sftp Files

    Working with SFTP files SFTP file operations include: Changing the name of a file • Downloading a file • Uploading a file • Displaying a list of the files • • Deleting a file Follow these steps to work with SFTP files: To do…...

  • Page 282: Sftp Client Configuration Example

    To do… Use the command… Remarks For more information, see Required Enter SFTP client view "Establishing a connection to the Execute the command in user view. SFTP server." Required Terminate the connection to the Use any of the commands. exit remote SFTP server and return to These three commands function in user view...

  • Page 283

    ++++++++ # Export the host public key to file pubkey. [SwitchA] public-key local export rsa ssh2 pubkey [SwitchA] quit Then, you need to transmit the public key file to the server through FTP or TFTP. Configure the SFTP server # Generate the RSA key pairs. <SwitchB>...

  • Page 284

    [SwitchB] public-key peer Switch001 import sshkey pubkey # For user client001, set the service type as SFTP, authentication method as publickey, public key as Switch001, and working folder as flash:/ [SwitchB] ssh user client001 service-type sftp authentication-type publickey assign publickey Switch001 work-directory flash:/ Establish a connection between the SFTP client and the SFTP server # Establish a connection to the remote SFTP server and enter SFTP client view.

  • Page 285: Sftp Server Configuration Example

    -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06:30 new1 # Rename directory new1 to new2 and check if the directory has been renamed successfully. sftp-client> rename new1 new2 File successfully renamed sftp-client>...

  • Page 286

    Figure 92 Network diagram for SFTP server configuration Configuration procedure Configure the SFTP server # Generate the RSA key pairs. <Switch> system-view [Switch] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes.

  • Page 287

    [Switch-ui-vty0-15] quit # Configure a local user named client002 with the password being aabbcc and the service type being SSH. [Switch] local-user client002 [Switch-luser-client002] password simple aabbcc [Switch-luser-client002] service-type ssh [Switch-luser-client002] quit # Configure the user authentication method as password and service type as SFTP. [Switch] ssh user client002 service-type sftp authentication-type password Establish a connection between the SFTP client and the SFTP server NOTE:...

  • Page 288: Scp Configuration

    SCP configuration This chapter includes these sections: SCP overview • Configuring the switch as an SCP server • Configuring the switch as the SCP client • • SCP client configuration example SCP server configuration example • SCP overview Secure copy (SCP) is based on SSH2.0 and offers a secure approach to copying files. SCP uses SSH connections for copying files.

  • Page 289: Configuring The Switch As The Scp Client

    If only password authentication is used, the working directory specified in the ssh user command • does not take effect. You must set the working directory on the remote server or in the local user account for the SSH user. •...

  • Page 290: Scp Server Configuration Example

    Figure 94 Network diagram Configuration procedure # Create VLAN-interface 1 and assign an IP address to it. <SwitchA> system-view [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ip address 192.168.0.2 255.255.255.0 [SwitchA-Vlan-interface1] quit # Download the file remote.bin from the SCP server, save it locally and change the file name to local.bin. <SwitchA>...

  • Page 291

    ++++++++ ++++++++++++++ +++++ ++++++++ # Generate the DSA key pair. [Switch] public-key local create dsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort.

  • Page 292: Ssl Configuration

    SSL configuration This chapter includes these sections: SSL overview • FIPS compliance • SSL configuration task list • • Configuring an SSL server policy Configuring an SSL client policy • Displaying and maintaining SSL • Troubleshooting SSL • SSL overview Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols such as HTTP.

  • Page 293: Ssl Protocol Stack

    Figure 96 Message integrity verification by a MAC algorithm NOTE: For more information about symmetric key algorithms, asymmetric key algorithm RSA and digital • signature, see the chapter "Public key configuration." • For more information about PKI, certificate, and CA, see the chapter "PKI configuration." SSL protocol stack As shown in Figure...

  • Page 294

    FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. SSL configuration task list Complete the following tasks to configure SSL: Task Remarks Configuring an SSL server policy...

  • Page 295: Ssl Server Policy Configuration Example

    To do... Use the command... Remarks Optional Set the SSL connection close mode close-mode wait Not wait by default Optional The defaults are as follows: Set the maximum number of session { cachesize size | timeout • 500 for the maximum number cached sessions and the caching time } * of cached sessions,...

  • Page 296

    Figure 98 Network diagram for SSL server policy configuration Configuration procedure Configure the HTTPS server (Device) # Create a PKI entity named en, and configure the common name as http-server1 and the FQDN as ssl.security.com. <Device> system-view [Device] pki entity en [Device-pki-entity-en] common-name http-server1 [Device-pki-entity-en] fqdn ssl.security.com [Device-pki-entity-en] quit...

  • Page 297: Configuring An Ssl Client Policy

    [Device] ip https enable # Create a local user named usera, and set the password to 123 and service type to telnet. [Device] local-user usera [Device-luser-usera] password simple 123 [Device-luser-usera] service-type telnet Configure the HTTPS client (Host) On Host, launch IE, enter http://10.1.2.2/certsrv in the address bar and request a certificate for Host as prompted.

  • Page 298: Displaying And Maintaining Ssl

    To do… Use the command… Remarks • In non-FIPS mode: prefer-cipher { rsa_aes_128_cbc_sha | rsa_des_cbc_sha | Optional rsa_rc4_128_md5 | Specify the preferred cipher suite rsa_rc4_128_sha } for the SSL client policy rsa_rc4_128_md5 by default • In FIPS mode prefer-cipher { dhe_rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha } •...

  • Page 299

    The server and the client have no matching cipher suite. • Solution Issue the debugging ssl command and view the debugging information to locate the problem: If the SSL client is configured to authenticate the SSL server but the SSL server has no certificate, •...

  • Page 300: Tcp Attack Protection Configuration

    TCP attack protection configuration This chapter includes these sections: TCP attack protection overview • Enabling the SYN Cookie feature • Enabling protection against Naptha attacks • • Displaying and maintaining TCP attack protection TCP attack protection overview An attacker can attack the device during the process of TCP connection establishment. To prevent such attacks, the device provides the following features: SYN Cookie •...

  • Page 301: Enabling Protection Against Naptha Attacks

    NOTE: With the SYN Cookie feature enabled, only the maximum segment size (MSS), is negotiated during TCP connection establishment, instead of the window's zoom factor and timestamp. Enabling protection against Naptha attacks Naptha attacks are similar to the SYN Flood attacks. Attackers can perform Naptha attacks by using the six TCP connection states (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, and SYN_RECEIVED), and SYN Flood attacks by using only the SYN_RECEIVED state.

  • Page 302: Ip Source Guard Configuration

    IP source guard configuration This chapter includes these sections: IP source guard overview • Configuring IPv4 source guard • Configuring IPv6 source guard • • IP source guard configuration examples Troubleshooting IP source guard • IP source guard overview IP source guard is intended to work on a user access port. It filters received packets to block illegal access to network resources, improving the network security.

  • Page 303: Configuring Ipv4 Source Guard

    Static IP source guard entries A static IP source guard entry is configured manually. It is suitable for scenarios where only a few hosts exist in a LAN and their IP addresses are manually configured. For example, you can configure a static binding entry on a port that connects a server, allowing the port to receive packets from and send packets to only the server.

  • Page 304: Configuring Dynamic Ipv4 Source Guard

    To do… Use the command… Remarks Enter system view system-view — Enter Layer 2 Ethernet interface interface interface-type — view interface-number Required user-bind ipv6 ip-address Configure a static IPv4 source ipv6-address [ mac-address No static IPv4 source guard entry guard entry for the port mac-address ] [vlan vlan-id ] exists on a port by default.

  • Page 305: Setting The Maximum Number Of Ipv4 Source Guard Entries

    NOTE: To implement dynamic IPv4 source guard, make sure that DHCP snooping or DHCP relay is configured • Layer 3—IP Services Configuration and works normally. For DHCP configuration information, see the Guide If you configure dynamic IPv4 source guard on a port for multiple times, the last configuration will •...

  • Page 306: Configuring Dynamic Ipv6 Source Guard

    To do… Use the command… Remarks user-bind ipv6 { ip-address ipv6-address | Required Configure a static IPv6 source ip-address ipv6-address No static IPv6 source guard entry guard entry for the port mac-address mac-address | exists on a port by default. mac-address mac-address } [ vlan vlan-id ] NOTE:...

  • Page 307: Setting The Maximum Number Of Ipv6 Source Guard Entries

    NOTE: To implement dynamic IPv6 source guard, make sure that DHCPv6 snooping or ND snooping is • Layer configured and works normally. For DHCPv6 and ND snooping configuration information, see the 3—IP Services Configuration Guide If you configure dynamic IPv6 source guard on a port for multiple times, the last configuration will •...

  • Page 308: Ip Source Guard Configuration Examples

    To do… Use the command… Remarks display user-bind ipv6 [ interface interface-type interface-number | ip-address Display static IPv6 source guard ip-address | mac-address mac-address ] [ | Available in any view entries { begin | exclude | include } regular-expression ] display ip check source ipv6 [ interface interface-type interface-number | ip-address Display IPv6 source guard entries...

  • Page 309: Dynamic Ipv4 Source Guard Using Dhcp Snooping Configuration Example

    [DeviceA] interface gigabitethernet 1/0/2 [DeviceA-GigabitEthernet1/0/2] user-bind ip-address 192.168.0.3 mac-address 0001-0203-0405 [DeviceA-GigabitEthernet1/0/2] quit # Configure port GigabitEthernet 1/0/1 of Device A to allow only IP packets with the source MAC address of 0001-0203-0406 and the source IP address of 192.168.0.1 to pass. [DeviceA] interface gigabitethernet 1/0/1 [DeviceA-GigabitEthernet1/0/1] user-bind ip-address 192.168.0.1 mac-address 0001-0203-0406...

  • Page 310

    Enable DHCP and DHCP snooping on the device, so that the host (with the MAC address of 0001-0203-0406) can obtain an IP address through the DHCP server and the IP address and MAC address of the host can be recorded in a DHCP snooping entry. Enable the dynamic IPv4 source guard on port GigabitEthernet 1/0/1 of the device, allowing only packets from a client that obtains an IP address through the DHCP server to pass.

  • Page 311: Dynamic Ipv4 Source Guard Using Dhcp Relay Configuration Example

    192.168.0.1 0001-0203-0406 86335 GigabitEthernet1/0/1 The output shows that a dynamic IPv4 source guard entry has been generated based on the DHCP snooping entry. Dynamic IPv4 source guard using DHCP relay configuration example Network requirements As shown in Figure 107, the switch connects the host and the DHCP server through interfaces VLAN-interface 100 and VLAN-interface 200, respectively.

  • Page 312: Static Ipv6 Source Guard Configuration Example

    Verification # Display IPv4 source guard entries. [Switch] display ip check source Total entries found: 1 MAC Address IP Address VLAN Interface Type 0001-0203-0406 192.168.0.1 Vlan100 DHCP-RLY Static IPv6 source guard configuration example Network requirements As shown in Figure 108, the host is connected to port GigabitEthernet 1/0/1 of the device. Configure a static IPv6 source guard entry for GigabitEthernet 1/0/1 of the device to allow only packets from the host to pass.

  • Page 313

    Enable dynamic IPv6 source guard on port GigabitEthernet 1/0/1 of the device to filter packets based on DHCPv6 snooping entries, allowing only packets from a client that obtains an IP address through DHCP server to pass. Figure 104 Network diagram VLAN 2 GE1/0/1 GE1/0/2...

  • Page 314: Dynamic Ipv6 Source Guard Using Nd Snooping Configuration Example

    Dynamic IPv6 source guard using ND snooping configuration example Network requirements The client is connected to the device through port GigabitEthernet 1/0/1. Enable ND snooping on the device, establishing ND snooping entries by listening to DAD NS messages. Enable dynamic IPv6 source guard on port GigabitEthernet 1/0/1 to filter packets based on ND snooping entries, allowing only packets with a legally obtained IPv6 address to pass.

  • Page 315: Troubleshooting Ip Source Guard

    Troubleshooting IP source guard Neither static nor dynamic IP source guard can be configured Symptom Failed to configure static binding entries or dynamic binding on a port. Analysis IP source guard is not supported on a port in an aggregation group. Solution Remove the port from the aggregation group.

  • Page 316: Arp Attack Protection Configuration

    ARP attack protection configuration This chapter includes these sections: ARP attack protection overview • ARP attack protection configuration task list • Configuring ARP packet rate limit • • Configuring source MAC address based ARP attack detection Configuring ARP packet source MAC address consistency check •...

  • Page 317: Configuring Arp Packet Rate Limit

    Task Remarks Optional Configuring ARP packet source MAC address Configure this function on gateways consistency check (recommended). Optional Configuring ARP active acknowledgement Configure this function on gateways (recommended). User and gateway Optional spoofing Configuring ARP detection Configure this function on access prevention devices (recommended).

  • Page 318: Configuring Source Mac Address Based Arp Attack Detection

    Configuring source MAC address based ARP attack detection Introduction This feature allows the switch to check the source MAC address of ARP packets delivered to the CPU. If the number of ARP packets from a MAC address exceeds the specified threshold within five seconds, the switch considers this an attack and adds the MAC address to the attack detection table.

  • Page 319: Displaying And Maintaining Source Mac Address Based Arp Attack Detection

    Displaying and maintaining source MAC address based ARP attack detection To do… Use the command… Remarks display arp anti-attack source-mac Display attacking MAC addresses detected { slot slot-number | interface Available in any by source MAC address based ARP attack interface-type interface-number } [ | view detection...

  • Page 320: Configuring Arp Detection

    To do… Use the command… Remarks Required Enable the ARP active arp anti-attack active-ack enable acknowledgement function Disabled by default. Configuring ARP detection Introduction The ARP detection feature is mainly configured on an access device to allow only the ARP packets of authorized clients to be forwarded and prevent user spoofing and gateway spoofing.

  • Page 321: Configuring Arp Detection Based On Specified Objects

    NOTE: Static IP Source Guard binding entries are created by using the user-bind command. For more • information, see the chapter "IP source guard configuration." Dynamic DHCP snooping entries are automatically generated through the DHCP snooping function. For • Layer 3—IP Services Configuration Guide more information, see the •...

  • Page 322: Configuring Arp Restricted Forwarding

    ip: Checks the sender and target IP addresses in an ARP packet. The all-zero, all-one or multicast IP • addresses are considered invalid and the corresponding packets are discarded. With this object specified, the sender and target IP addresses of ARP replies, and the source IP address of ARP requests are checked.

  • Page 323: Arp Detection Configuration Example I

    To do… Use the command… Remarks display arp detection statistics [ interface Display the ARP detection interface-type interface-number ] [ | { begin | Available in any view statistics exclude | include } regular-expression ] Clear the ARP detection reset arp detection statistics [ interface Available in user view statistics interface-type interface-number ]...

  • Page 324: Arp Detection Configuration Example Ii

    [SwitchB] interface gigabitethernet 1/0/1 [SwitchB-GigabitEthernet1/0/1] dhcp-snooping trust [SwitchB-GigabitEthernet1/0/1] quit # Enable ARP detection for VLAN 10. [SwitchB] vlan 10 [SwitchB-vlan10] arp detection enable # Configure the upstream port as a trusted port and the downstream ports as untrusted ports (a port is an untrusted port by default).

  • Page 325: Arp Restricted Forwarding Configuration Example

    Configuration procedure Add all the ports on Switch B into VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A. (Omitted) Configure Switch A as a DHCP server # Configure DHCP address pool 0 <SwitchA> system-view [SwitchA] dhcp enable [SwitchA] dhcp server ip-pool 0 [SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0 Configure Host A and Host B as 802.1X clients (the configuration procedure is omitted) and...

  • Page 326

    Configure Switch B to still perform port isolation on ARP broadcast requests. Figure 108 Network diagram for ARP restricted forwarding configuration Configuration procedure Configure VLAN 10, add ports to VLAN 10, and configure the IP address of the VLAN-interface, as shown in Figure 113.

  • Page 327: Configuring Arp Gateway Protection

    [SwitchB-GigabitEthernet1/0/2] user-bind ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10 [SwitchB-GigabitEthernet1/0/2] quit # Enable the checking of the MAC addresses and IP addresses of ARP packets. [SwitchB] arp detection validate dst-mac ip src-mac # Configure port isolation. [SwitchB] port-isolate group 2 [SwitchB] interface gigabitethernet 1/0/1 [SwitchB-GigabitEthernet1/0/1] port-isolate enable group 2 [SwitchB-GigabitEthernet1/0/1] quit [SwitchB] interface gigabitethernet 1/0/2...

  • Page 328: Arp Gateway Protection Configuration Example

    NOTE: You can enable ARP gateway protection for up to eight gateways on a port. • Commands arp filter source and arp filter binding cannot be both configured on a port. • If ARP gateway protection works with ARP detection or ARP snooping, ARP gateway protection applies •...

  • Page 329: Configuring Arp Filtering

    Configuring ARP filtering Introduction To prevent gateway spoofing and user spoofing, the ARP filtering feature controls the forwarding of ARP packets on a port. The port checks the sender IP and MAC addresses in a received ARP packet against configured ARP filtering entries.

  • Page 330

    Figure 110 Network diagram for ARP filtering configuration Configuration procedure # Configure ARP filtering on Switch B. <SwitchB> system-view [SwitchB] interface gigabitethernet 1/0/1 [SwitchB-GigabitEthernet1/0/1] arp filter binding 10.1.1.2 000f-e349-1233 [SwitchB-GigabitEthernet1/0/1] quit [SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] arp filter binding 10.1.1.3 000f-e349-1234 After the configuration is complete, GigabitEthernet 1/0/1 will permit incoming ARP packets with sender IP and MAC addresses as 10.1.1.2 and 000f-e349- 1 233, and discard other ARP packets.

  • Page 331: Nd Attack Defense Configuration

    ND attack defense configuration This chapter includes these sections: Introduction to ND attack defense • Enabling source MAC consistency check for ND packets • Configuring the ND detection function • • ND detection configuration example Introduction to ND attack defense The IPv6 Neighbor Discovery (ND) protocol provides rich functions, such as address resolution, neighbor reachability detection,...

  • Page 332: Enabling Source Mac Consistency Check For Nd Packets

    The mapping between the source IPv6 address and the source MAC address in the Ethernet frame header is invalid. To identify forged ND packets, HP developed the source MAC consistency check and ND detection features. Enabling source MAC consistency check for ND...

  • Page 333: Configuring Nd Detection

    The ND detection function operates on a per VLAN basis. In an ND detection-enabled VLAN, a port is either ND-trusted or ND-untrusted: An ND-trusted port does not check ND packets for address spoofing. • An ND-untrusted port checks all ND packets but RA and RR messages in the VLAN for source •...

  • Page 334: Displaying And Maintaining Nd Detection

    NOTE: ND detection performs source check by using the binding tables of IP source guard, DHCPv6 snooping, • and ND snooping. To prevent an ND-untrusted port from discarding legal ND packets in an ND detection-enabled VLAN, ensure that at least one of the three functions is available. When creating an IPv6 static binding with IP source guard for ND detection in a VLAN, specify the •...

  • Page 335

    Figure 112 Network diagram for ND detection configuration Internet Gateway Switch A GE1/0/3 Vlan-int10 10::1 VLAN 10 ND snooping GE1/0/3 Switch B GE1/0/1 GE1/0/2 Host A Host B 10::5 10::6 0001-0203-0405 0001-0203-0607 Configuration procedure Configuring Switch A # Enable IPv6 forwarding. <SwitchA>...

  • Page 336

    # Assign ports GigabitEthernet 1/0/1 to GigabitEthernet 1/0/3 to VLAN 10. [SwitchB] interface gigabitethernet 1/0/1 [SwitchB-GigabitEthernet1/0/1] port access vlan 10 [SwitchB-GigabitEthernet1/0/1] quit [SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] port access vlan 10 [SwitchB-GigabitEthernet1/0/2] quit [SwitchB] interface gigabitethernet 1/0/3 [SwitchB-GigabitEthernet1/0/3] port link-type trunk [SwitchB-GigabitEthernet1/0/3] port trunk permit vlan 10 [SwitchB-GigabitEthernet1/0/3] quit # Enable ND snooping in VLAN 10.

  • Page 337: Savi Configuration

    SAVI configuration SAVI overview Source Address Validation (SAVI) is applied on access devices. SAVI creates a table of bindings between addresses and ports through other features such as ND snooping, DHCPv6 snooping, and IP Source Guard, and uses those bindings to check the validity of the source addresses of DHCPv6 protocol packets, ND protocol packets, and IPv6 data packets.

  • Page 338: Savi Configuration In Dhcpv6-only Address Assignment Scenario

    To do... Use the command… Remarks Optional One second by default. This command is used with the DHCPv6 snooping function. After DHCPv6 snooping Set the time to wait for a ipv6 savi dad-preparedelay detects that a client obtains an IPv6 address, it DAD NS from a DHCPv6 value monitors whether the client detects IP address...

  • Page 339

    Configure a static IPv6 source guard binding entry on each interface connected to a client. This step • is optional. If this step is not performed, SAVI does not check packets against static binding entries. For more information about static IPv6 source guard binding entries, see the chapter "IP source guard configuration."...

  • Page 340: Savi Configuration In Slaac-only Address Assignment Scenario

    [SwitchB-GigabitEthernet1/0/3] ip check source ipv6 ip-address mac-address [SwitchB-GigabitEthernet1/0/3] quit SAVI configuration in SLAAC-only address assignment scenario Network requirements Figure 114 Network diagram Internet Gateway Switch A GE1/0/3 Vlan-int10 10::1 VLAN 10 GE1/0/3 Switch B GE1/0/1 GE1/0/2 Host A Host B 10::5 10::6 0001-0203-0405...

  • Page 341

    Enable DHCPv6 snooping and leave the interface connected to the gateway as its default status • (non-trusted port) so that the hosts cannot obtain IP addresses through DHCPv6. For more information about DHCPv6 snooping, see Layer 3—IP Services Configuration Guide. Packet check principles Switch B checks ND protocol packets against ND snooping entries and static binding entries;...

  • Page 342: Savi Configuration In Dhcpv6+slaac Address Assignment Scenario

    SAVI configuration in DHCPv6+SLAAC address assignment scenario Network requirements Figure 115 Network diagram As shown in Figure 120, Switch B connects to the DHCPv6 server through interface GigabitEthernet 1/0/1 and connects to the DHCPv6 client through interface GigabitEthernet 1/0/3. Host A and Host B access Gateway (Switch A) through Switch B.

  • Page 343

    Packet check principles Switch B checks DHCPv6 protocol packets from DHCPv6 clients against link-local address ND snooping entries; checks ND protocol packets against ND snooping entries, DHCPv6 snooping entries, and static binding entries; and checks the IPv6 data packets from the hosts against dynamic binding entries (including ND snooping entries and DHCPv6 snooping entries) applied on the interfaces connected to the hosts and against static binding entries.

  • Page 344

    [SwitchB] interface gigabitethernet 1/0/5 [SwitchB-GigabitEthernet1/0/5] ip check source ipv6 ip-address mac-address...

  • Page 345: System-guard Configuration

    System-guard configuration An attacker can make queue congestions by en-queuing a large amount of packets into CPU packet queues, which is used to buffer the packets to be submitted to the CPU. As a result, normal protocol packets are dropped and protocol abnormity or management interruption may occur. To avoid these problems, the switch provides an anti-attack feature named system-guard.

  • Page 346: Displaying System-guard

    To do… Use the command… Remarks Optional Set the aging time for system-guard system-guard aging-time time By default, the aging time of system-guard is 60 seconds. Optional Set a system-guard rate limit for the system-guard rate-limit queue By default, the rate limit is 1500 specified queues queue-number rate &<1-8>...

  • Page 347: Configuring Fips

    Configuring FIPS Overview Federal Information Processing Standards (FIPS), developed by the National Institute of Standard and Technology (NIST) of the United States, specify the requirements for cryptography modules. FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4" from low to high. Currently, the switch supports Level 2.

  • Page 348

    Configuration procedure To configure FIPS, complete the following tasks: Remove the existing key pairs and certificates. Enable the FIPS mode. Enable the password control function. Configure local user attributes (including local username, service type, password, and so on) on the switch. Save the configuration.

  • Page 349: Triggering A Self-test

    Triggering a self-test To examine whether the cryptography modules operate normally, you can use a command to trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test. If the self-test fails, the device automatically reboots. To trigger a self-test: Step Command...

  • Page 350: Verifying The Configuration

    [Sysname-luser-test] service-type terminal [Sysname-luser-test] authorization-attribute level 3 [Sysname-luser-test] password Password:*********** Confirm :*********** Updating user(s) information, please wait... [Sysname-luser-test] quit # Save the configuration. [Sysname] save The current configuration will be written to the device. Are you sure? [Y/N]:y Please input the file name(*.cfg)[flash:/startup.cfg] (To leave the existing filename unchanged, press the enter key): flash:/startup.cfg exists, overwrite? [Y/N]:y Validating file.

  • Page 351

    <Sysname> display fips status FIPS mode is enabled...

  • Page 352: Configuring Ipsec

    Configuring IPsec The term "router" in this document refers to both routers and switches. A switch in IRF mode does not support IPsec automatic negotiation. IPsec configuration is available only for the switches in FIPS mode. For more information about FIPS mode, "Configuring FIPS."...

  • Page 353

    Standard (AES), and authentication algorithms such as MD5 and SHA- 1 . The authentication function is optional to ESP. Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger. In practice, you can choose either or both security protocols. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH.

  • Page 354

    Figure 117 Encapsulation by security protocols in different modes Authentication algorithms and encryption algorithms Authentication algorithms IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. IPsec peers respectively calculate message digests for each packet. If the resulting digests are identical, the packet is considered intact.

  • Page 355

    Protocols and standards Protocols and standards relevant to IPsec are as follows: RFC 2401, Security Architecture for the Internet Protocol • RFC 2402, IP Authentication Header • RFC 2406, IP Encapsulating Security Payload • Configuring IPsec IPsec can be implemented based on only ACLs. ACL-based IPsec uses ACLs to identify the data flows to be protected.

  • Page 356: Configuring Acls

    Task Remarks Configuring the IPsec session idle timeout Optional. Enabling ACL checking of de-encapsulated IPsec packets Optional. Configuring the IPsec anti-replay function Optional. Configuring packet information pre-extraction Optional. CAUTION: Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and 50 respectively.

  • Page 357: Configuring An Ipsec Proposal

    a deny statement in a higher priority IPsec policy. Otherwise, the packets will be sent out as normal packets; if they match a permit statement at the receiving end, they will be dropped by IPsec. An ACL can be specified for only one IPsec policy. ACLs referenced by IPsec policies cannot be used •...

  • Page 358: Configuring An Ipsec Policy

    Step Command Remarks Optional. • Specify the encryption algorithm for ESP: For ESP, the default esp encryption-algorithm aes [ key-length ] encryption algorithm is Specify the security • Specify the authentication algorithm for ESP: AES-128. algorithms esp authentication-algorithm sha1 For ESP and AH, the •...

  • Page 359

    The keys for the local and remote inbound and outbound SAs must be in the same format. For • example, if the local inbound SA uses a key in characters, the local outbound SA and remote inbound and outbound SAs must use keys in characters. Before you configure a manual IPsec policy, configure ACLs used for identifying protected traffic and IPsec transform sets.

  • Page 360

    NOTE: You cannot change the creation mode of an IPsec policy from manual to through IKE, or vice versa. To create an IPsec policy that uses IKE, delete the manual IPsec policy, and then use IKE to configure an IPsec policy.

  • Page 361: Applying An Ipsec Policy Group To An Interface

    Step Command Remark An IPsec policy cannot reference any IKE Specify an IKE peer for ike-peer peer-name peer that is already referenced by an IPsec the IPsec policy. profile, and vice versa. Optional. Enable and configure the By default, the PFS feature is not used for pfs { dh-group2 | dh-group5 | perfect forward secrecy negotiation.

  • Page 362: Configuring The Ipsec Session Idle Timeout

    Step Command Enter system view. system-view Enter interface view. interface interface-type interface-number Apply an IPsec policy group to the ipsec policy policy-name interface. NOTE: • IPsec policies can be applied only to VLAN interfaces on the switch. An interface can reference only one IPsec policy group. An IPsec policy can be applied to only one •...

  • Page 363: Configuring The Ipsec Anti-replay Function

    Configuring the IPsec anti-replay function The IPsec anti-replay function protects networks against anti-replay attacks by using a sliding window mechanism called anti-replay window. This function checks the sequence number of each received IPsec packet against the current IPsec packet sequence number range of the sliding window. If the sequence number is not in the current sequence number range, the packet is considered a replayed packet and is discarded.

  • Page 364: Displaying And Maintaining Ipsec

    Step Command Remarks ipsec policy policy-name Enter IPsec policy view. Configure either command. seq-number [ isakmp | manual ] Enable packet information qos pre-classify Disabled by default. pre-extraction. Displaying and maintaining IPsec To do… Use the command… Remarks display ipsec policy [ brief | name Display IPsec policy information policy-name [ seq-number ] ] [ | { begin | Available in any view.

  • Page 365

    Figure 118 Network diagram Configuration procedure Configure Switch A: # Assign an IP address to VLAN-interface 1. <SwitchA> system-view [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ip address 2.2.2.1 255.255.255.0 [SwitchA-Vlan-interface1] quit # Define an ACL to identify data flows from Switch A to Switch B. [SwitchA] acl number 3101 [SwitchA-acl-adv-3101] rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0 [SwitchA-acl-adv-3101] rule 5 permit ip source 2.2.3.1 0 destination 2.2.2.1 0...

  • Page 366

    [SwitchA-Vlan-interface1] ipsec policy map1 Configure Switch B: # Assign an IP address to VLAN-interface 1. <SwitchB> system-view [SwitchB] interface vlan-interface 1 [SwitchB-Vlan-interface1] ip address 2.2.3.1 255.255.255.0 [SwitchB-Vlan-interface1] quit # Define an ACL to identify data flows from Switch B to Switch A. [SwitchB] acl number 3101 [SwitchB-acl-adv-3101] rule 0 permit ip source 2.2.3.1 0 destination 2.2.2.1 0 [SwitchB-acl-adv-3101] rule 5 permit ip source 2.2.2.1 0 destination 2.2.3.1 0...

  • Page 367: Configuring Ike

    Configuring IKE This feature is applicable only to the switches in FIPS mode. For more information about FIPS mode, see "Configuring FIPS." Overview Built on a framework defined by the Internet Security Association and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec, simplifying the application, management, configuration and maintenance of IPsec dramatically.

  • Page 368: Ike Functions

    Figure 119 IKE exchange process in main mode As shown in Figure 124, the main mode of IKE negotiation in phase 1 involves three pairs of messages: SA exchange, used for negotiating the security policy. • Key exchange, used for exchanging the Diffie-Hellman public value and other values like the •...

  • Page 369: Relationship Between Ike And Ipsec

    Relationship between IKE and IPsec Figure 120 Relationship between IKE and IPsec Figure 125 illustrates the relationship between IKE and IPsec: IKE is an application layer protocol using UDP and functions as the signaling protocol of IPsec. • IKE negotiates SAs for IPsec and delivers negotiated parameters and generated keys to IPsec. •...

  • Page 370: Configuring A Name For The Local Security Gateway

    Task Remarks Configuring an IKE peer Required. Setting keepalive timers Optional. Setting the NAT keepalive timer Optional. Configuring a DPD detector Optional. Disabling next payload field checking Optional. Configuring a name for the local security gateway If the IKE negotiation peer uses the security gateway name as its ID to initiate IKE negotiation (the id-type name or id-type user-fqdn command is configured on the initiator), configure the ike local-name command in system view or the local-name command in IKE peer view on the local device.

  • Page 371: Configuring An Ike Peer

    Step Command Remarks Specify an encryption Optional. encryption-algorithm aes-cbc algorithm for the IKE [ key-length ] The default is AES-CBC-128. proposal. Optional. Specify an authentication authentication-method { pre-share method for the IKE proposal. | rsa-signature } Pre-shared key by default. Specify an authentication Optional.

  • Page 372

    Step Command Remarks Enter system view. system-view Create an IKE peer and enter ike peer peer-name IKE peer view. Optional. Specify the IKE negotiation exchange-mode main mode for phase 1. The default is main. Optional. By default, an IKE peer references Specify the IKE proposals for no IKE proposals, and, when proposal proposal-number&<1-6>...

  • Page 373: Setting Keepalive Timers

    Step Command Remarks Optional. No DPD detector is applied to an Apply a DPD detector to the IKE peer by default. dpd dpd-name IKE peer. For more information about DPD configuration, see "Configuring a detector." NOTE: After modifying the configuration of an IPsec IKE peer, execute the reset ipsec sa and reset ike sa commands to clear existing IPsec and IKE SAs.

  • Page 374: Configuring A Dpd Detector

    Step Command Remarks Set the NAT keepalive ike sa nat-keepalive-timer interval 20 seconds by default. interval. seconds Configuring a DPD detector Dead peer detection (DPD) irregularly detects dead IKE peers. It works as follows: When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer.

  • Page 375: Displaying And Maintaining Ike

    Displaying and maintaining IKE Task Command Remarks display ike dpd [ dpd-name ] [ | { begin | Display IKE DPD information Available in any view. exclude | include } regular-expression ] display ike peer [ peer-name ] [ | { begin | Display IKE peer information Available in any view.

  • Page 376

    [SwitchA] ipsec proposal tran1 # Set the packet encapsulation mode to tunnel. [SwitchA-ipsec-proposal-tran1] encapsulation-mode tunnel # Use security protocol ESP. [Switch-ipsec-proposal-tran1] transform esp # Specify encryption and authentication algorithms. [SwitchA-ipsec-proposal-tran1] esp encryption-algorithm aes 128 [SwitchA-ipsec-proposal-tran1] esp authentication-algorithm sha1 [SwitchA-ipsec-proposal-tran1] quit # Create an IKE proposal numbered 10.

  • Page 377

    [SwitchB] interface Vlan-interface1 [SwitchB-Vlan-interface1] ip address 2.2.2.2 255.255.255.0 [SwitchB-Vlan-interface1] quit # Configure ACL 3101 to identify traffic from Switch B to Switch A. [SwitchB] acl number 3101 [SwitchB-acl-adv-3101] rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.0 0 [SwitchB-acl-adv-3101] rule 1 permit ip source 1.1.1.1 0 destination 2.2.2.2 0 [SwitchB-acl-adv-3101] quit # Create IPsec proposal tran1.

  • Page 378: Troubleshooting Ike

    # Reference IKE peer peer. [SwitchB-ipsec-policy-isakmp-use1-10] ike-peer peer [SwitchB-ipsec-policy-isakmp-use1-10] quit # Apply the IPsec policy to VLAN-interface 1. [SwitchB-Vlan-interface1] ipsec policy use1 Verifying the configuration After the above configuration, send traffic from Switch B to Switch A. Switch A starts IKE negotiation with Switch B when receiving the first packet.

  • Page 379: Failing To Establish An Ipsec Tunnel

    Solution For the negotiation in phase 1, look up the IKE proposals for a match. For the negotiation in phase 2, check whether the parameters of the IPsec policies applied on the interfaces are matched, and whether the referred IPsec proposals have a match in protocol, encryption and authentication algorithms. Failing to establish an IPsec tunnel Symptom The expected IPsec tunnel cannot be established.

  • Page 380: Support And Other Resources

    Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. •...

  • Page 381: Command Conventions

    Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...

  • Page 382

    Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.

  • Page 383

    Index A B C D E F G H I L M N O P R S T U Configuring EAD fast deployment,89 Configuring HABP,207 AAA configuration considerations and task list,14 Configuring IPsec,343 AAA configuration examples,44 Configuring IPv4 source guard,291 overview,1 Configuring IPv6 source guard,293...

  • Page 384

    Portal configuration examples,135 Global SAVI configuration,325 Portal configuration task list,1 16 Public key configuration examples,215 HP implementation of 802.1X,65 HABP configuration example,208 Retrieving a certificate manually,228 Ignoring authorization information from the server,180 SAVI configuration in DHCPv6+SLAAC address IKE configuration...

  • Page 385

    SAVI overview,325 overview,280 overview,276 Submitting a PKI certificate request,226 Setting keepalive timers,361 System-guard configuration example,334 Setting the maximum number of secure MAC addresses,176 TCP attack protection overview,288 Setting the NAT keepalive timer,361 Tearing down user connections forcibly,43 Setting the port security mode,176 Triple authentication configuration examples,163...

Comments to this Manuals

Symbols: 0
Latest comments: