HP 10500 Series Configuration Manual
Security configuration guide

HP 10500 Switch Series
Security

Configuration Guide

Part number: 5998-2214
Software version: Release 1201 and later
Document version: 6W102-20130530


Summary of Contents for HP 10500 Series

  • Page 1: Configuration Guide

    HP 10500 Switch Series Security Configuration Guide Part number: 5998-2214 Software version: Release 1201 and later Document version: 6W102-20130530...
  • Page 2 The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
  • Page 3: Table of Contents

    802.1X authentication procedures (76); A comparison of EAP relay and EAP termination (76); EAP relay (77); EAP termination (78); Configuring 802.1X (80); HP implementation of 802.1X (80); ...
  • Page 4 Access control methods (80); Using 802.1X authentication with other features (80); Configuration prerequisites (85); 802.1X configuration task list (85); Enabling 802.1X (86); Enabling EAP relay or EAP termination (86); ...
  • Page 5 Configuration prerequisites (106); Configuring a free IP (106); Configuring the redirect URL (107); Setting the EAD rule timer (107); Displaying and maintaining EAD fast deployment (107); EAD fast deployment configuration example (108); ...
  • Page 6 Specifying the NAS-Port-ID for an interface (137); Specifying a NAS ID profile for an interface (137); Specifying a source IP address for outgoing portal packets (138); Specifying an auto redirection URL for authenticated portal users (138); ...
  • Page 7 Displaying and maintaining user profiles (190); Managing public keys (191); Configuration task list (191); Creating a local asymmetric key pair (192); Displaying or exporting the local host public key (192); Destroying a local asymmetric key pair ...
  • Page 8 When the switch acts as an SFTP client for publickey authentication (231); Configuring TCP attack protection (235); Enabling the SYN Cookie feature (235); Displaying and maintaining TCP attack protection (235); Configuring IP source guard (236); ...
  • Page 9 Configuring URPF (268); URPF check modes (268); URPF work flow (268); Network application (271); Configuring URPF (271); URPF configuration example (272); Configuring MFF (273); Basic concepts (274); ...
  • Page 10 Failing to establish an IPsec tunnel (327); ACL configuration error (327); Support and other resources (328); Contacting HP (328); Subscription service (328); Related information (328); Documents (328); ...
  • Page 11: Configuring AAA

    Configuring AAA. Overview: Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It can provide the following security functions: • Authentication—Identifies users and determines whether a user is valid. • Authorization—Grants user rights and controls user access to resources and services. For example, ...
  • Page 12: RADIUS

    RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access. RADIUS uses UDP port 1812 for authentication and UDP port 1813 for accounting.
  • Page 13 Figure 3 Basic RADIUS message exchange process. RADIUS operates in the following manner: The host initiates a connection request that carries the user's username and password to the RADIUS client. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted by using the MD5 algorithm and the shared key.
  • Page 14 Figure 4 RADIUS packet format (fields: Code, Identifier, Length, Authenticator, Attributes). Descriptions of the fields are as follows: • The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 Main values of the Code field (columns: Code, Packet type, Description). ... From the client to the server.
  • Page 15 Type—(1 byte long) Type of the attribute. It is in the range of 1 to 255. Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868. Table 2 shows a list of the attributes. For more information, see "Commonly used standard RADIUS attributes."...
  • Page 16 Vendor-ID—ID of the vendor. Its most significant byte is 0. The other three bytes contains a code that is compliant to RFC 1700. For more information about the proprietary RADIUS sub-attributes of HP, see "HP proprietary RADIUS sub-attributes." Vendor-Type—Type of the sub-attribute.
  • Page 17: HWTACACS

    HWTACACS HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for PPP users, VPDN users, and terminal users. In a typical HWTACACS scenario, some terminal users need to log in to the NAS for operations.
  • Page 18 Figure 6 Basic HWTACACS message exchange process for a Telnet user HWTACACS operates in the following manner: A Telnet user sends an access request to the HWTACACS client. Upon receiving the request, the HWTACACS client sends a start-authentication packet to the HWTACACS server.
  • Page 19: Domain-Based User Management

    The user enters the password. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that carries the login password. The HWTACACS server sends back an authentication response to indicate that the user has passed authentication. The HWTACACS client sends the user authorization request packet to the HWTACACS server.
  • Page 20: AAA for MPLS L3VPNs

    In addition, AAA provides the following services for login users to enhance device security: • Command authorization—Enables the NAS to defer to the authorization server to determine whether a command entered by a login user is permitted, ensuring that login users execute only commands they are authorized to execute.
  • Page 21: RADIUS Attributes

    • RFC 2869, RADIUS Extensions • RFC 1492, An Access Control Protocol, Sometimes Called TACACS. RADIUS attributes: This section provides tables of commonly used standard RADIUS attributes and HP proprietary RADIUS sub-attributes. Commonly used standard RADIUS attributes (Attribute / Description): User-Name: Name of the user to be authenticated.
  • Page 22 Access-Requests. This attribute is present when EAP authentication is used. NAS-Port-Id: String for describing the port of the NAS that is authenticating the user. HP proprietary RADIUS sub-attributes (Sub-attribute / Description): Input-Peak-Rate: Peak rate in the direction from the user to the NAS, in bps.
  • Page 23 Sub-attribute / Description: Remanent_Volume: Total remaining available traffic for the connection, in different units for different server types. Command: Operation for the session, used for session control: • 1—Trigger-Request. • 2—Terminate-Request. • 3—SetPolicy. • 4—Result. • 5—PortalClear. Identification for retransmitted packets: For retransmitted packets of the same session, this attribute must take the same value.
  • Page 24: FIPS Compliance

    Sub-attribute / Description: Input-Interval-Gigawords: Amount of bytes input within an accounting interval, in units of 4G bytes. Output-Interval-Gigawords: Amount of bytes output within an accounting interval, in units of 4G bytes. Backup-NAS-IP: Backup source IP address for sending RADIUS packets. Product_ID: Product name.
  • Page 25 Figure 9 AAA configuration procedure (flowchart: create an ISP domain and enter its view, then configure the authentication, authorization, and accounting methods, each as local (the default), scheme, or none; for local AAA, configure local users and related attributes; "None" means no AAA).
  • Page 26: Configuring AAA Schemes

    Configuring AAA schemes Configuring local users To implement local AAA, you must create local users and configure user attributes on the device. Local users and attributes are stored on the device in the local user database. Local users are uniquely identified by username.
  • Page 27 Every configurable authorization attribute has its definite application environments and purposes. When you configure authorization attributes for a local user, consider which attributes are needed and which are not. You can configure an authorization attribute in user group view or local user view to make the attribute effective for all local users in the group or only for the local user.
  • Page 28 Step / Command / Remarks: Configure a password for the local user. • In non-FIPS mode: password [ [ hash ] { cipher | ... (Optional. If you do not configure any password for a local user, the local user does not need to provide any password during authentication, and can pass authentication after entering the correct local user name and passing attribute checks.)
  • Page 29 Step / Command / Remarks: Configure authorization attributes for the local user: authorization-attribute { acl acl-number | idle-cut minute | level level | user-profile ... (Optional. By default, no authorization attribute is configured for a local user. For LAN and portal users, only acl, idle-cut, user-profile, and vlan are supported.)
  • Page 30: Configuring RADIUS Schemes

    Step / Command / Remarks: Configure authorization attributes for the user group: authorization-attribute { acl acl-number | idle-cut minute | level level | user-profile profile-name | vlan vlan-id | work-directory directory-name } * (Optional. By default, no authorization attribute is configured for a user group.) Displaying and maintaining local users and local user groups: Task ...
  • Page 31 Task / Remarks: Configuring RADIUS accounting-on (Optional). Configuring the IP address of the security policy server (Optional). Configuring interpretation of the RADIUS class attribute as CAR parameters (Optional). Enabling the trap function for RADIUS (Optional). Enabling the RADIUS client service (Optional). Setting the DSCP value for RADIUS packets (Optional).
  • Page 32 To specify RADIUS authentication/authorization servers for a RADIUS scheme: Step / Command / Remarks: Enter system view: system-view. Enter RADIUS scheme view: radius scheme radius-scheme-name. • Specify the primary RADIUS authentication/authorization server: primary authentication { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | probe username name [ interval interval ] ... (Configure at least one ...)
  • Page 33 Step / Command / Remarks: Enter RADIUS scheme view: radius scheme radius-scheme-name. • Specify the primary RADIUS accounting server: primary accounting { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] * (Configure at least one command.)
  • Page 34 • Standard—Uses the standard RADIUS protocol, compliant to RFC 2865 and RFC 2866 or later. • Extended—Uses the proprietary RADIUS protocol of HP. When the RADIUS server runs on IMC, you must set the RADIUS server type to extended. When the...
  • Page 35 Changing the RADIUS server type restores the unit for data flows and that for the packets sent to the RADIUS server to the defaults. To set the RADIUS server type: Step / Command / Remarks: Enter system view: system-view. Enter RADIUS scheme view: radius scheme radius-scheme-name. Optional.
  • Page 36 If the quiet timer of a server expires or an authentication or accounting response is received from the server, the status of the server changes back to active automatically, but the device does not check the server again during the authentication or accounting process. If no server is found reachable during one search process, the device considers the authentication or accounting attempt a failure.
  • Page 37 Step Command Remarks • Set the status of the primary RADIUS authentication/authorization server: state primary authentication { active | block } • Set the status of the primary RADIUS accounting server: state primary accounting { active | block } Optional. •...
  • Page 38 Step / Command / Remarks: Enter RADIUS scheme view: radius scheme radius-scheme-name. Specify a source IP address for outgoing RADIUS packets: nas-ip { ip-address | ipv6 ipv6-address } (By default, the IP address of the outbound interface is used as the source IP address.) Setting RADIUS timers: The device uses the following types of timers to control the communication with a RADIUS server: • ...
  • Page 39 Configuring the IP address of the security policy server The core of the HP EAD solution is integration and cooperation. The security policy server is the management and control center for EAD. Using a collection of software, the security policy server provides functions such as user management, security policy management, security status assessment, security cooperation control, and security event audit.
  • Page 40 To configure the IP address of the security policy server for a scheme: Step / Command / Remarks: Enter system view: system-view. Enter RADIUS scheme view: radius scheme radius-scheme-name. Specify a security policy server: security-policy-server ip-address (No security policy server is specified by default.) Configuring interpretation of the RADIUS class attribute as CAR parameters: This task is required when the RADIUS server supports assigning CAR parameters through the class attribute and the device supports CAR parameters assignment.
  • Page 41 Step / Command / Remarks: Enable the trap function for RADIUS: radius trap { accounting-server-down | authentication-error-threshold | authentication-server-down } (Disabled by default.) Enabling the RADIUS client service: To receive and send RADIUS packets, enable the RADIUS client service on the device. If RADIUS is not required, disable the RADIUS client service to avoid attacks that exploit RADIUS packets.
  • Page 42: Configuring HWTACACS Schemes

    Task / Command / Remarks: Display information about buffered stop-accounting requests for which no responses have been received (in standalone mode): display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] (Available in any view.) display stop-accounting-buffer { radius-scheme...
  • Page 43 Creating an HWTACACS scheme The HWTACACS protocol is configured on a per-scheme basis. Before performing other HWTACACS configurations, you must create an HWTACACS scheme and enter HWTACACS scheme view. You can configure up to 16 HWTACACS schemes, and cannot delete the schemes that are referenced. To create an HWTACACS scheme and enter HWTACACS scheme view: Step Command...
  • Page 44 • An HWTACACS server can function as the primary authorization server of one scheme and as the secondary authorization server of another scheme at the same time. • The IP addresses of the primary and secondary authorization servers cannot be the same. • ...
  • Page 45 Step / Command / Remarks: Specify HWTACACS accounting servers: • Specify the primary HWTACACS accounting server: primary accounting ip-address [ port-number | vpn-instance vpn-instance-name ] * • Specify a secondary HWTACACS accounting server: secondary accounting ip-address [ port-number | vpn-instance... (Configure at least one command. No accounting server is specified by default.)
  • Page 46 Setting the username format and traffic statistics units A username is usually in the format userid@isp-name, where isp-name represents the ISP domain name of the user and is used by the device to determine which users belong to which ISP domains. However, some HWTACACS servers do not recognize usernames that contain the user ISP domain name.
  • Page 47 The source IP address specified in system view for the VPN or public network, depending on where the HWTACACS server resides. The IP address of the outbound interface specified by the route. To specify a source IP address for all HWTACACS schemes of a VPN or the public network: Step Command Remarks...
  • Page 48: Configuring AAA Methods for ISP Domains

    Step / Command / Remarks: Set the HWTACACS server response timeout timer: timer response-timeout seconds (Optional. The default HWTACACS server response timeout timer is 5 seconds.) Set the quiet timer for the primary server: timer quiet minutes (Optional. The default quiet timer for the primary server ...)
  • Page 49: Configuration Prerequisites

    local authorization, and local accounting. If you do not configure any AAA methods for an ISP domain, the device uses the system-predefined AAA methods for users in the domain. Configuration prerequisites To use local authentication for users in an ISP domain, configure local user accounts on the device (see "Configuring local user attributes").
  • Page 50: Configuring ISP Domain Attributes

    Configuring ISP domain attributes. In an ISP domain, you can configure the following attributes: • Domain status—By placing the ISP domain to the active or blocked state, you allow or deny network service requests from users in the domain. • Maximum number of online users—The device controls the number of online users in a domain to ensure the system performance and service reliability.
  • Page 51: Configuring Authentication Methods for an ISP Domain

    Configuring authentication methods for an ISP domain In AAA, authentication, authorization, and accounting are separate processes. Authentication refers to the interactive authentication process of username/password/user information during an access or service request. The authentication process neither sends authorization information to a supplicant nor triggers any accounting.
  • Page 52: Configuring Authorization Methods for an ISP Domain

    • Local authentication (local) and no authentication (none) cannot have a backup method. • If the method for level switching authentication references an HWTACACS scheme, by default the device uses the login username of the user for level switching authentication of the user. If the method for level switching authentication references a RADIUS scheme, the system uses the username configured for the corresponding privilege level on the RADIUS server for level switching authentication, rather than the login username.
  • Page 53 • Remote authorization (scheme)—The NAS cooperates with a RADIUS or HWTACACS server to authorize users. RADIUS authorization is bound with RADIUS authentication. RADIUS authorization can work only after RADIUS authentication is successful, and the authorization information is carried in the Access-Accept message. HWTACACS authorization is separate from HWTACACS authentication, and the authorization information is carried in the authorization response after successful authentication.
  • Page 54: Configuring Accounting Methods for an ISP Domain

    Step / Command / Remarks: Specify the authorization method for login users: authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } (Optional. The default authorization method is used by default.) Specify the authorization ...: authorization portal { local | none | radius-scheme radius-scheme-name ... (Optional. The default authorization...
  • Page 55: Tearing Down User Connections

    Configuration procedure. To configure accounting methods for an ISP domain: Step / Command / Remarks: Enter system view: system-view. Enter ISP domain view: domain isp-name. Enable the accounting optional feature: accounting optional (Optional. Disabled by default. With the accounting optional feature, a device allows users to use network resources when ...)
  • Page 56: Configuring a NAS ID-VLAN Binding

    Step / Command / Remarks: Tear down AAA user connections (in IRF mode): cut connection { access-type { dot1x | mac-authentication | portal } | all | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id } [ chassis... (This command is effective only for LAN and portal users.)
  • Page 57: AAA Configuration Examples

    AAA configuration examples AAA for Telnet users by an HWTACACS server Network requirements As shown in Figure 10, configure the switch to use the HWTACACS server for Telnet user authentication, authorization, and accounting. Set the shared keys for secure communication with the HWTACACS server to expert. Configure the switch to remove the domain name from a username sent to the HWTACACS server.
  • Page 58: Local Authentication and Authorization for Telnet Users

    # Set the shared keys for secure authentication, authorization, and accounting communication to expert.
    [Switch-hwtacacs-hwtac] key authentication simple expert
    [Switch-hwtacacs-hwtac] key authorization simple expert
    [Switch-hwtacacs-hwtac] key accounting simple expert
    # Remove domain names from the usernames sent to the HWTACACS server.
    [Switch-hwtacacs-hwtac] user-name-format without-domain
    [Switch-hwtacacs-hwtac] quit
    # Configure the AAA methods for the domain.
  • Page 59: Authentication/Authorization for SSH/Telnet Users by a RADIUS Server

    [Switch] local-user hello
    [Switch-luser-hello] service-type telnet
    [Switch-luser-hello] password simple hello
    [Switch-luser-hello] quit
    # Configure authentication and authorization methods for the ISP domain.
    [Switch] domain bbb
    [Switch-isp-bbb] authentication login local
    [Switch-isp-bbb] authorization login local
    [Switch-isp-bbb] quit
    Verify the configuration: Telnet to the switch, and enter the username hello@bbb and the correct password. You pass authentication and log in to the switch.
  • Page 60 Set the ports for authentication and accounting to 1812 and 1813, respectively. Select Device Management Service as the service type. Select HP(General) as the access device type. Select the access device from the device list, or manually add the device with the IP address 10.1.1.2.
  • Page 61 Select SSH as the service type. Set the EXEC privilege level to 3. This argument identifies the privilege level of the SSH user after login and defaults to 0. Specify the IP address range of the hosts to be managed as 10.1.1.0 to 10.1.1.255. Click OK.
  • Page 62: AAA for Portal Users by a RADIUS Server

    [Switch] user-interface vty 0 15
    [Switch-ui-vty0-15] authentication-mode scheme
    # Configure the user interfaces to support SSH.
    [Switch-ui-vty0-15] protocol inbound ssh
    [Switch-ui-vty0-15] quit
    # Create RADIUS scheme rad.
    [Switch] radius scheme rad
    # Specify the primary authentication server.
    [Switch-radius-rad] primary authentication 10.1.1.1 1812
    # Set the shared key for secure authentication communication to expert.
  • Page 63 Set the ports for authentication and accounting to 1812 and 1813, respectively. Select LAN Access Service as the service type. Select HP(General) as the access device type. Select the access device from the device list, or manually add the device with the IP address 10.1.1.2.
  • Page 64 Figure 16 Adding the switch as an access device # Add a charging plan. Click the Service tab, and select Accounting Manager > Charging Plans from the navigation tree to enter the charging plan configuration page. Then, click Add to configure a charging plan as follows: Add a plan named UserAcct.
  • Page 65 Add a service named Portal auth/acct, and set the service suffix to dm1, the authentication domain for the portal user. With the service suffix configured, you must configure the access device to send usernames that carry domain names to the RADIUS server. Select UserAcct as the charging plan.
  • Page 66 Configure the portal server (when the server runs on IMC PLAT 5.0): NOTE: This section assumes that the RADIUS server runs on IMC PLAT 5.0 (E0101H03) and IMC UAM 5.0 SP1 (E0101P03). # Configure the portal server. Log in to IMC and click the Service tab. Then, select User Access Manager > Portal Service Management >...
  • Page 67 Figure 21 Adding an IP address group # Add a portal device. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Then, click Add to configure a portal device as follows: Enter the device name NAS.
  • Page 68 Figure 23 Device list On the port group configuration page, click Add to configure a port group as follows: Enter the port group name. Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group.
  • Page 69 [Switch-Vlan-interface2] quit Verify the configuration: The user can initiate portal authentication by using the HP iNode client or by accessing a Webpage. All the initiated Web requests are redirected to the portal authentication page at http://10.1.1.1:8080/portal. Before passing portal authentication, the user can access only the authentication page.
  • Page 70: AAA for 802.1X Users by a RADIUS Server

    Total 1 user(s) matched, 1 listed.
    # Use the display connection command to view the connection information on the switch.
    [Switch] display connection
    Index=20 ,Username=portal@dm1
    IP=192.168.1.58
    IPv6=N/A
    MAC=00-15-E9-A6-7C-FE
    Total 1 connection(s) matched.
    AAA for 802.1X users by a RADIUS server. Network requirements: As shown in Figure...
  • Page 71 Set the ports for authentication and accounting to 1812 and 1813, respectively. Select LAN Access Service as the service type. Select HP(General) as the access device type. Select the access device from the device list, or manually add the device with the IP address 10.1.1.2.
  • Page 72 Figure 27 Adding a charging plan # Add a service. Click the Service tab, and select User Access Manager > Service Configuration from the navigation tree. Then, click Add to configure a service as follows: Add a service named Dot1x auth, and set the service suffix to bbb, the authentication domain for the 802.1X user.
  • Page 73 Figure 28 Adding a service # Add a user. Click the User tab, and select Access User View > All Access Users from the navigation tree to enter the All Access Users page. Then, click Add to configure a user as follows: Select the user or add a user named hello.
  • Page 74 Figure 29 Adding an access user account Configure the switch: Configure a RADIUS scheme: # Create a RADIUS scheme named rad and enter its view. <Switch> system-view [Switch] radius scheme rad # Set the server type for the RADIUS scheme. When using the IMC server, set the server type to extended.
  • Page 75 MD5 challenge as the EAP authentication type on the Authentication tab of the connection's properties. If the user host runs the HP iNode client, no advanced authentication options need to be enabled. •...
  • Page 76: Level Switching Authentication For Telnet Users By An Hwtacacs Server

    Total 1 connection matched. As the Authorized VLAN field in the output shows, VLAN 4 has been assigned to the user. Level switching authentication for Telnet users by an HWTACACS server Network requirements As shown in Figure 30, configure the switch to: • Use local authentication for the Telnet user and assign the privilege level of 0 to the user after the...
  • Page 77 [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 [Switch-Vlan-interface2] quit # Configure the IP address of VLAN-interface 3, through which the switch communicates with the server. [Switch] interface vlan-interface 3 [Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0 [Switch-Vlan-interface3] quit # Enable the switch to provide Telnet service. [Switch] telnet server enable # Configure the switch to use AAA for Telnet users.
  • Page 78 Configure the HWTACACS server: NOTE: The HWTACACS server in this example runs ACSv4.0. Add a user named test on the HWTACACS server and configure advanced attributes for the user as shown in Figure Select Max Privilege for any AAA Client and set the privilege level to level 3. After these configurations, the user needs to use the password enabpass when switching to level 1, level 2, or level 3.
  • Page 79: Troubleshooting Aaa

    Login authentication Username:test@bbb Password: <Switch> ? User view commands: cluster Run cluster command display Display current system information ping Ping function quit Exit from current command view ssh2 Establish a secure shell client connection super Set the current user priority level telnet Establish one TELNET connection tracert...
  • Page 80 • The password entered by the user is incorrect. • The RADIUS server and the NAS are configured with different shared keys. Solution Check that: • The NAS and the RADIUS server can ping each other. • The username is in the userid@isp-name format and the ISP domain is correctly configured on the...
  • Page 81: Troubleshooting Hwtacacs

    Troubleshooting HWTACACS Similar to RADIUS troubleshooting. See "Troubleshooting RADIUS."...
  • Page 82: 802.1X Overview

    802.1X overview 802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for securing wireless LANs (WLANs). 802.1X has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports. 802.1X architecture 802.1X operates in the client/server model.
  • Page 83: 802.1X-Related Protocols

    • Performs unidirectional traffic control to deny traffic from the client. • The HP devices support only unidirectional traffic control. 802.1X-related protocols 802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the network access device, and the authentication server. EAP is an authentication framework that uses the client/server model.
  • Page 84: Eap Over Radius

    • Protocol version—The EAPOL protocol version used by the EAPOL packet sender. • Type—Type of the EAPOL packet. Table 5 lists the types of EAPOL packets supported by the HP implementation of 802.1X. Table 5 Types of EAPOL packets Value Type...
  • Page 85: Initiating 802.1X Authentication

    01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client and the authentication server does not support the multicast address, you must use an 802.1X client (the HP iNode 802.1X client, for example) that can send broadcast EAPOL-Start packets.
  • Page 86: 802.1X Authentication Procedures

    EAP termination: Works with any RADIUS server that supports PAP or CHAP authentication. • Supports only MD5-Challenge EAP authentication and the "username + password" EAP authentication initiated by an HP iNode 802.1X client. • The processing is complex on the...
  • Page 87: Eap Relay

    EAP relay Figure 40 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that EAP-MD5 is used. Figure 40 802.1X authentication procedure in EAP relay mode (participants: Client, Device, Authentication server; EAPOL between client and device, EAPOR between device and server): (1) EAPOL-Start (2) EAP-Request/Identity (3) EAP-Response/Identity (4) RADIUS Access-Request (EAP-Response/Identity) (5) RADIUS Access-Challenge...
  • Page 88: Eap Termination

    The client uses the received challenge to encrypt the password, and sends the encrypted password in an EAP-Response/MD5 Challenge packet to the network access device. The network access device relays the EAP-Response/MD5 Challenge packet in a RADIUS Access-Request packet to the authentication server. The authentication server compares the received encrypted password with the one it generated at step 5.
  • Page 89 Figure 41 802.1X authentication procedure in EAP termination mode In EAP termination mode, the network access device rather than the authentication server generates an MD5 challenge for password encryption (see Step 4). The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.
  • Page 90: Configuring 802.1X

    HP implementation of 802.1X Access control methods HP implements port-based access control as defined in the 802.1X protocol, and extends the protocol to support MAC-based access control. • Port-based access control—Once an 802.1X user passes authentication on a port, any subsequent...
  • Page 91 On a periodic online user re-authentication enabled port, if a user has been online before you enable the MAC-based VLAN function, the access device does not create a MAC-to-VLAN mapping for the user unless the user passes re-authentication and the VLAN for the user has changed. For more information about VLAN configuration and MAC-based VLAN, see Layer 2 LAN Switching —...
  • Page 92 Authentication status: A user in the 802.1X guest VLAN fails 802.1X authentication. VLAN manipulation: If an 802.1X Auth-Fail VLAN is available, re-maps the MAC address of the user to the Auth-Fail VLAN. The user can access only resources in the Auth-Fail VLAN. If no 802.1X Auth-Fail VLAN is configured, the user is still in the 802.1X guest VLAN.
  • Page 93 Authentication status: A user in the Auth-Fail VLAN passes 802.1X authentication. VLAN manipulation: Re-maps the MAC address of the user to the server-assigned VLAN. If the authentication server assigns no VLAN, re-maps the MAC address of the user to the initial PVID on the port. To perform the 802.1X Auth-Fail VLAN function on a port that performs MAC-based access control, you must ensure that the port is a hybrid port, and enable MAC-based VLAN on the port.
  • Page 94 Authentication status: A user in the 802.1X guest VLAN or the Auth-Fail VLAN fails authentication because all the RADIUS servers is reachable. VLAN manipulation: The PVID of the port remains unchanged. All 802.1X users on this port can access only resources in the guest VLAN or...
  • Page 95: Configuration Prerequisites

    ACL assignment You can specify an ACL for an 802.1X user to control its access to network resources. After the user passes 802.1X authentication, the authentication server (either the local access device or a RADIUS server) assigns the ACL to the port to filter the traffic from this user. In either case, you must configure the ACL on the access device.
  • Page 96: Enabling 802.1X

    If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an HP iNode 802.1X client, you can use both EAP termination and EAP relay. To use EAP-TLS, PEAP, or any other EAP authentication methods, you must use EAP relay. When you make your decision, see "A comparison of EAP relay and EAP...
  • Page 97: Setting The Port Authorization State

    Step Command Remarks By default, the network access device performs EAP termination and uses CHAP to communicate with the Configure EAP RADIUS server. dot1x authentication-method relay or EAP { chap | eap | pap } Specify the eap keyword to enable EAP termination. termination.
  • Page 98: Specifying An Access Control Method

    Specifying an access control method You can specify an access control method for one port in interface view or for multiple ports in system view. If different access control methods are specified for a port in system view and interface view, the one specified later takes effect.
  • Page 99: Setting The 802.1X Authentication Timeout Timers

    access device stops retransmitting the request if it has made the maximum number of request transmission attempts but still receives no response. To set the maximum number of authentication request attempts: Step: Enter system view. Command: system-view. Step: Set the maximum number of attempts for sending an authentication request. Command: dot1x retry max-retry-value. Remarks: The default setting is
  • Page 100: Configuration Guidelines

    • To use the online handshake security function, make sure the online user handshake function is enabled. HP recommends that you use the iNode client software and IMC server to ensure the normal operation of the online user handshake security function.
  • Page 101: Configuring The Authentication Trigger Function

    Step: Enable the proxy detection function on one or more ports. Command: • (Approach 1) In system view: dot1x supp-proxy-check { logoff | trap } interface interface-list • (Approach 2) In Ethernet interface view: interface interface-type Remarks: Use either approach. By default, the function is disabled.
  • Page 102: Specifying A Mandatory Authentication Domain On A Port

    Step: Set the username request timeout timer. Command: dot1x timer tx-period tx-period-value. Remarks: Optional. The default is 30 seconds. Step: Enter Ethernet interface view. Command: interface interface-type interface-number. Remarks: Required if you want to enable the unicast trigger. Step: Enable an authentication trigger. Command: dot1x { multicast-trigger | Remarks: By default, the multicast trigger is enabled, and the
  • Page 103: Enabling The Periodic Online User Re-Authentication Function

    Enabling the periodic online user re-authentication function Periodic online user re-authentication tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile-based QoS. The re-authentication interval is user configurable. Configuration guidelines • The periodic online user re-authentication timer can also be set by the authentication server in the...
  • Page 104: Configuring An 802.1X Guest Vlan

    802.1X authentication is complete. As a solution, remind the 802.1X users to release their IP addresses or repair their network connections for a DHCP reassignment after 802.1X authentication is complete. The HP iNode client does not have this problem. To configure a VLAN group:...
  • Page 105: Configuration Prerequisites

    802.1X authentication is complete. As a solution, remind the 802.1X users to release their IP addresses or repair their network connections for a DHCP reassignment after 802.1X authentication is complete. The HP iNode client does not have this problem. Table 7 when configuring multiple security features on a port.
  • Page 106: Configuration Prerequisites

    Table 7 Relationships of the 802.1X Auth-Fail VLAN with other features Feature: Super VLAN. Relationship description: You cannot specify a VLAN as both a super VLAN and an 802.1X Auth-Fail VLAN. Reference: See Layer 2 LAN Switching — Configuration Guide. Feature: MAC authentication guest VLAN on a port that ... Relationship description: The 802.1X Auth-Fail VLAN has a high...
  • Page 107: Configuration Prerequisites

    802.1X authentication is complete. As a solution, remind the 802.1X users to release their IP addresses or repair their network connections for a DHCP reassignment after 802.1X authentication is complete. The HP iNode client does not have this problem. Configuration prerequisites •...
  • Page 108: Displaying And Maintaining 802.1X

    Step: Enter system view. Command: system-view. Step: Specify a set of domain name delimiters for 802.1X users. Command: dot1x domain-delimiter string. Remarks: By default, only the at sign (@) delimiter is supported. NOTE: If you configure the access device to include the domain name in the username sent to the RADIUS server, make sure the domain delimiter in the username can be recognized by the RADIUS server.
  • Page 109: Configuration Procedure

    Figure 42 Network diagram Configuration procedure Configure the 802.1X client. If HP iNode is used, do not select the Carry version info option in the client configuration. (Details not shown.) Configure the RADIUS servers and add user accounts for the 802.1X users. For information about the RADIUS commands used on the access device in this example, see Security Command Reference.
  • Page 110: Verifying The Configuration

    [Device-radius-radius1] user-name-format without-domain [Device-radius-radius1] quit NOTE: The access device must use the same username format as the RADIUS server. If the RADIUS server includes the ISP domain name in the username, so must the access device. Configure the ISP domain: # Create the ISP domain aabbcc.net and enter its view.
  • Page 111: Guest Vlan And Vlan Assignment Configuration Example

    802.1X guest VLAN and VLAN assignment configuration example Network requirements Figure • A host is connected to port GigabitEthernet 1/0/2 of the device and must pass 802.1X authentication to access the Internet. GigabitEthernet 1/0/2 is in VLAN 1. • GigabitEthernet 1/0/2 implements port-based access control. • GigabitEthernet 1/0/3 is in VLAN 5 and is for accessing the Internet.
  • Page 112: Configuration Procedure

    Configuration procedure The following configuration procedure covers most AAA/RADIUS configuration commands on the device. The configuration on the 802.1X client and RADIUS server are not shown. For more information about AAA/RADIUS configuration commands, see Security Command Reference. Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VLAN or a server-assigned VLAN.
  • Page 113: Verifying The Configuration

    # Enable 802.1X globally. [Device] dot1x # Enable 802.1X for port GigabitEthernet 1/0/2. [Device] interface gigabitethernet1/0/2 [Device-GigabitEthernet1/0/2] dot1x # Implement port-based access control on the port. [Device-GigabitEthernet1/0/2] dot1x port-method portbased # Set the port authorization mode to auto. This step is optional. By default, the port is in auto mode. [Device-GigabitEthernet1/0/2] dot1x port-control auto [Device-GigabitEthernet1/0/2] quit # Set VLAN 10 as the 802.1X guest VLAN for port GigabitEthernet 1/0/2.
  • Page 114: Configuration Procedure

    Configuration procedure The following configuration procedure provides the major AAA and RADIUS configuration on the access device. The configuration procedures on the 802.1X client and RADIUS server are beyond the scope of this configuration example. For information about AAA and RADIUS configuration commands, see Security Command Reference.
  • Page 115 Pinging 10.0.0.1 with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out. Ping statistics for 10.0.0.1: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), The output shows that ACL 3000 has taken effect on the user, and the user cannot access the FTP server.
  • Page 116: Configuring Ead Fast Deployment

    Configuring EAD fast deployment Overview Endpoint Admission Defense (EAD) is an HP integrated endpoint access control solution, which enables the security client, security policy server, access device, and third-party server to work together to improve the threat defensive capability of a network. If a terminal device seeks to access an EAD network, it must have an EAD client, which performs 802.1X authentication.
  • Page 117: Configuring The Redirect Url

    To configure a free IP: Step: Enter system view. Command: system-view. Step: Configure a free IP. Command: dot1x free-ip ip-address { mask-address | mask-length }. Remarks: By default, no free IP is configured. Configuring the redirect URL Step: Enter system view. Command: system-view. Step: Configure the redirect ... Command: dot1x url url-string...
  • Page 118: Ead Fast Deployment Configuration Example

    EAD fast deployment configuration example Network requirements As shown in Figure 45, the hosts on the intranet 192.168.1.0/24 are attached to port GigabitEthernet 1/0/1 of the network access device, and they use DHCP to obtain IP addresses. Deploy the EAD solution for the intranet so that all hosts must pass 802.1X authentication to access the network.
  • Page 119: Verifying The Configuration

    # Enable DHCP. <Device> system-view [Device] dhcp enable # Configure a DHCP server for a DHCP server group. [Device] dhcp relay server-group 1 ip 192.168.2.1 # Enable the relay agent on VLAN interface 2. [Device] interface vlan-interface 2 [Device-Vlan-interface2] dhcp select relay # Correlate VLAN interface 2 to the DHCP server group.
  • Page 120: Troubleshooting Ead Fast Deployment

    server, which provides the 802.1X client software download service. Enter the external website address in dotted decimal notation (for example, 3.3.3.3 or http://3.3.3.3) in the address bar. Troubleshooting EAD fast deployment Web browser users cannot be correctly redirected Symptom Unauthenticated users are not redirected to the specified redirect URL after they enter external website addresses in their Web browsers.
  • Page 121: Configuring Mac Authentication

    Configuring MAC authentication This chapter describes how to configure MAC authentication. Overview MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software and users do not have to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port.
  • Page 122: Mac Authentication Timers

    For more information about configuring local authentication and RADIUS authentication, see "Configuring AAA." MAC authentication timers MAC authentication uses the following timers: • Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards the user idle.
  • Page 123: Critical Vlan

    MAC authentication guest VLAN is configured, the user who fails MAC authentication cannot access any network resources. If a user in the guest VLAN passes MAC authentication, the user is removed from the guest VLAN and can access all authorized network resources. If not, the user is still in the MAC authentication guest VLAN. A hybrid port is always assigned to a guest VLAN as an untagged member.
  • Page 124: Configuring Mac Authentication Globally

    • For local authentication, create local user accounts, and specify the lan-access service for the accounts. • For RADIUS authentication, verify that the device and the RADIUS server can reach each other, and create user accounts on the RADIUS server. If you are using MAC-based accounts, make sure the username and password for each account are the same as the MAC address of the MAC authentication users.
  • Page 125: Specifying A Mac Authentication Domain

    Step: Set the maximum number of concurrent MAC authentication users allowed on a port. Command: mac-authentication max-user user-number. Remarks: Optional. The default is 1024. NOTE: When both (and only both) 802.1X authentication and MAC authentication are enabled on a port, the device performs 802.1X authentication for 802.1X users that first access the network from the port.
  • Page 126: Configuring A Mac Authentication Critical Vlan

    Feature: Port intrusion protection. Relationship description: The MAC authentication guest VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature. Reference: "Configuring port security." Feature: 802.1X guest VLAN on a port that performs ... Relationship description: The MAC authentication guest VLAN has a ... Reference: "Configuring...
  • Page 127: Configuring Mac Authentication Delay

    Feature: Port intrusion protection. Relationship description: The MAC authentication critical VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature. Reference: "Configuring port security." If MAC authentication clients in your network cannot trigger an immediate DHCP-assigned IP address renewal in response to a VLAN change, the MAC authentication users cannot access authorized network resources immediately after a MAC authentication is complete.
  • Page 128: Mac Authentication Configuration Examples

    Task: Display MAC authentication information. Command: display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view. Task: Clear MAC authentication statistics. Command: reset mac-authentication statistics [ interface interface-list ]. Remarks: Available in user view.
  • Page 129: Radius-Based Mac Authentication Configuration Example

    [Device] mac-authentication domain aabbcc.net # Set the MAC authentication timers. [Device] mac-authentication timer offline-detect 180 [Device] mac-authentication timer quiet 180 # Configure MAC authentication to use MAC-based accounts. The MAC address usernames and passwords are hyphenated and in lower case. [Device] mac-authentication user-name-format mac-address with-hyphen lowercase Verifying the configuration # Display MAC authentication settings and statistics.
  • Page 130 Perform MAC authentication on port GigabitEthernet 1/0/1 to control Internet access. Make sure the following requirements are met: • The device detects whether a user has gone offline every 180 seconds. If a user fails authentication, the device does not authenticate the user within 180 seconds. • All MAC authentication users belong to ISP domain 2000 and share the user account aaa with...
  • Page 131: Acl Assignment Configuration Example

    # Set the MAC authentication timers. [Device] mac-authentication timer offline-detect 180 [Device] mac-authentication timer quiet 180 # Specify username aaa and password 123456 in plain text for the account shared by MAC authentication users. [Device] mac-authentication user-name-format fixed account aaa password simple 123456 Verifying the configuration # Display MAC authentication settings and statistics.
  • Page 132 Perform MAC authentication on port GigabitEthernet 1/0/1 to control Internet access. Make sure an authenticated user can access the Internet but not the FTP server at 10.0.0.1. Use MAC-based user accounts for MAC authentication users. The MAC addresses are separated by hyphens and in lower case.
  • Page 133 # Configure the device to use MAC-based user accounts. The MAC addresses are separated by hyphens and in lower case. [Sysname] mac-authentication user-name-format mac-address with-hyphen lowercase # Enable MAC authentication for port GigabitEthernet 1/0/1. [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] mac-authentication Configure the RADIUS servers.
  • Page 134: Configuring Portal Authentication

    Configuring portal authentication This chapter describes how to configure portal authentication. Overview Portal authentication helps control access to the Internet. Portal authentication is also referred to as "Web authentication." A website implementing portal authentication is called a portal website. With portal authentication, an access device redirects all users to the portal authentication page. All users can access the free services provided on the portal website.
  • Page 135 Figure 49 Portal system components (authentication clients, access device, portal server, authentication/accounting server, security policy server). Authentication client An authentication client is an entity seeking access to network resources. It is typically an end-user terminal such as a PC. A client can use a browser or portal client software for portal authentication. Client security check is implemented through communications between the client and the security policy server.
  • Page 136: Portal Authentication Modes

    NOTE: • Only a RADIUS server can serve as the remote authentication/accounting server in a portal system. • To implement security check, the client must be the HP iNode client. Portal authentication modes Portal authentication may work at Layer 2 or Layer 3 of the OSI model. The switch supports only Layer 3 portal authentication.
  • Page 137: Portal Support For Eap

    Therefore, no additional configuration is needed on the access device. NOTE: To use portal authentication that supports EAP, the portal server and client must be the HP IMC portal server and the HP iNode portal client. Layer 3 portal authentication process Direct authentication and cross-subnet authentication share the same authentication process.
  • Page 138 Direct authentication/cross-subnet authentication process (with CHAP/PAP authentication) Figure 51 Direct authentication/cross-subnet authentication process Direct authentication/cross-subnet authentication process is as follows: An authentication client initiates authentication by sending an HTTP request. When the HTTP packet arrives at the access device, the access device allows the packet to pass if it is destined for the portal server or a predefined free website, or it redirects the packet to the portal server if it is destined for other websites.
  • Page 139 Re-DHCP authentication process (with CHAP/PAP authentication) Figure 52 Re-DHCP authentication process (participants: authentication client, portal server, access device, authentication/accounting server, security policy server): 1) Initiate a connection 2) CHAP authentication 3) Authentication request 4) RADIUS authentication (Timer) 5) Authentication reply 6) Authentication succeeds 7) The user obtains...
  • Page 140 Portal support for EAP authentication process Figure 53 Portal support for EAP authentication process All portal authentication modes share the same EAP authentication steps. The following example uses direct portal authentication to show the EAP authentication process: The authentication client sends an EAP Request/Identity message to the portal server to initiate an EAP authentication process.
  • Page 141: Portal Authentication Across Vpns

    The access device sends an authentication reply to the portal server. This reply carries the EAP-Success message in the EAP-Message attribute. The portal server notifies the authentication client of the authentication success. The portal server sends an authentication reply acknowledgment to the access device. The remaining steps are for extended portal authentication.
  • Page 142: Configuration Prerequisites

    Task: Controlling access of portal users (Configuring a portal-free rule; Configuring an authentication source subnet; Setting the maximum number of online portal users; Specifying a portal authentication domain). Remarks: Optional. Task: Configuring RADIUS related attributes (Specifying NAS-Port-Type for an interface; Specifying the NAS-Port-ID for an interface; Specifying a NAS ID profile for an interface). Remarks: Optional. Specifying a source IP address for outgoing portal packets...
  • Page 143: Specifying The Portal Server

    Specifying the portal server Perform this task to specify portal server parameters for Layer 3 portal authentication, including the portal server IP address, shared encryption key, server port, and the URL address for Web authentication. To specify a portal server for Layer 3 authentication: Step Command Remarks...
  • Page 144: Controlling Access Of Portal Users

    Configuration procedure To enable Layer 3 portal authentication: Step: Enter system view. Command: system-view. Step: Enter interface view. Command: interface interface-type interface-number. Remarks: The interface must be a Layer 3 Ethernet interface. Step: Enable Layer 3 portal authentication on the ... Command: portal server server-name method ... Remarks: Not enabled by default.
  • Page 145: Configuring An Authentication Source Subnet

    Step: Configure a ... Command: • To configure an IPv4 portal-free rule: portal free-rule rule-number { destination { any | ip { ip-address mask { mask-length | mask } | any } } | source { any | [ interface interface-type interface-number | ip { ip-address mask { mask-length | mask } | any } | mac mac-address | vlan vlan-id ] Remarks: Configure at least one...
  • Page 146: Specifying A Portal Authentication Domain

    Step: Enter system view. Command: system-view. Step: Set the maximum number of online portal users. Command: portal max-user max-number. Remarks: The default maximum number of online portal users allowed is 6000. The maximum number of online portal users the switch actually assigns depends on the ACL resources on the switch.
  • Page 147: Specifying The Nas-Port-Id For An Interface

    a wireless client using portal authentication, the access port type obtained by the BAS may be the type of the wired port that authenticates the user. To make sure the BAS delivers the right access port information to the RADIUS server, specify the NAS-Port-Type according to the practical access environment.
  • Page 148: Specifying A Source Ip Address For Outgoing Portal Packets

    IP address of outgoing portal packets. outgoing portal ipv6 ipv6-address } packets. In NAT environments, HP recommends that you specify the interface's public IP address as the source IP address of outgoing portal packets. Specifying an auto redirection URL for...
  • Page 149: Configuring Portal Detection Functions

    Step: Enter system view. Command: system-view. Step: Specify an auto redirection URL for authenticated portal users. Command: portal redirect-url url-string. Remarks: By default, an authenticated user is redirected to the URL the user typed in the address bar before portal authentication. NOTE: To use this feature for remote Layer 3 portal authentication, the portal server must be an IMC portal server that supports the page auto-redirection function.
  • Page 150: Configuring Portal User Information Synchronization

    IMC portal server and make sure the product of interval and retry is greater than or equal to the portal server heartbeat interval. HP recommends that you configure the interval to be greater than the portal server heartbeat interval configured on the portal server.
  • Page 151: Logging Off Portal Users

    HP recommends that you configure the interval to be greater than the portal user heartbeat interval configured on the portal server.
  • Page 152: Portal Configuration Examples

    Task: Display the portal configuration of a specific interface. Command: display portal interface interface-type interface-number [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view. Task: Display information about a specific portal server or all portal ... Command: display portal server [ server-name ] [ | { begin | exclude | include } regular-expression ]... Remarks: Available in any...
  • Page 153 Figure 55 Network diagram Before configuring direct portal authentication, complete the following settings: • Configure IP addresses for the host, switch, and servers as shown in Figure 55 and make sure they can reach each other. • Configure the RADIUS server properly to provide authentication and accounting functions for users. Configuring the portal server (IMC PLAT 5.0) NOTE: This example assumes that the portal server runs on IMC PLAT 5.0(E0101) and IMC UAM 5.0(E0101).
  • Page 154 Figure 56 Portal server configuration Configure the IP address group: Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. Click Add to enter the page shown in Figure Enter the IP group name.
  • Page 155 Add a portal device: Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Click Add to enter the page shown in Figure Enter the device name NAS. Enter the IP address of the switch's interface connected to the user. Enter the key, which must be the same as that configured on the switch.
  • Page 156: Configure The Switch

    Figure 60 Adding a port group Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configure the switch Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <Switch>...
  • Page 157: Configuring Re-Dhcp Portal Authentication

    # Configure domain dm1 as the default ISP domain for all users. Then, if a user enters the username without the ISP domain at logon, the authentication and accounting methods of the default domain are used for the user. [Switch] domain default enable dm1 Configure portal authentication: # Configure a portal server on the switch, specifying the portal server name as newpt, IP address as 192.168.0.111, key as plaintext string portal, port number as 50100, and URL as...
  • Page 158 IP address). For information about DHCP relay agent configuration, see Layer 3—IP Services Configuration Guide. • Make sure the IP address of the portal device added on the portal server is the public IP address of the interface connecting users (20.20.20.1 in this example), the private IP address range for the IP address group associated with the portal device is the private network segment where the users reside (10.0.0.0/24 in this example), and the public IP address range for the IP address group is the public network segment 20.20.20.0/24.
  • Page 159: Configuring Cross-Subnet Portal Authentication

    Port number: 50100 URL: http://192.168.0.111:8080/portal. [Switch] portal server newpt ip 192.168.0.111 key simple portal port 50100 url http://192.168.0.111:8080/portal # Configure the switch as a DHCP relay agent, and enable the IP address check function. [Switch] dhcp enable [Switch] dhcp relay server-group 0 ip 192.168.0.112 [Switch] interface vlan-interface 100 [Switch-Vlan-interface100] ip address 20.20.20.1 255.255.255.0 [Switch-Vlan-interface100] ip address 10.0.0.1 255.255.255.0 sub...
  • Page 160 • Make sure the IP address of the portal device added on the portal server is the IP address of the interface connecting users (20.20.20.1 in this example), and the IP address group associated with the portal device is the network segment where the users reside (8.8.8.0/24 in this example). Perform the following configuration to configure cross-subnet portal authentication on Switch A: Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view.
  • Page 161: Configuring Direct Portal Authentication With Extended Functions

    On Switch B, configure a default route to subnet 192.168.0.0/24, setting the next hop as 20.20.20.1. (Details not shown.) Configuring direct portal authentication with extended functions Network requirements As shown in Figure • The host is directly connected to the switch and the switch is configured for direct extended portal...
  • Page 162 [Switch-radius-rs1] user-name-format without-domain # Configure the IP address of the security policy server. [Switch-radius-rs1] security-policy-server 192.168.0.113 [Switch-radius-rs1] quit Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Switch] domain dm1 # Configure AAA methods for the ISP domain. [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1...
  • Page 163: Configuring Re-Dhcp Portal Authentication With Extended Functions

    Configuring re-DHCP portal authentication with extended functions Network requirements As shown in Figure • The host is directly connected to the switch and the switch is configured for re-DHCP authentication. • The host is assigned an IP address through the DHCP server. Before passing portal authentication, the host uses an assigned private IP address.
  • Page 164 Perform the following configuration to configure re-DHCP portal authentication with extended functions on the switch: Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <Switch> system-view [Switch] radius scheme rs1 # Set the server type for the RADIUS scheme. When using the IMC server, set the server type to extended.
  • Page 165: Configuring Cross-Subnet Portal Authentication With Extended Functions

    Name: newpt IP address: 192.168.0.111 Key: portal, in plain text Port number: 50100 URL: http://192.168.0.111:8080/portal. [Switch] portal server newpt ip 192.168.0.111 key simple portal port 50100 url http://192.168.0.111:8080/portal # Configure the switch as a DHCP relay agent, and enable the IP address check function. [Switch] dhcp enable [Switch] dhcp relay server-group 0 ip 192.168.0.112 [Switch] interface vlan-interface 100...
  • Page 166 Configuration procedure Make sure the IP address of the portal device added on the portal server is the IP address of the interface connecting users (20.20.20.1 in this example), and the IP address group associated with the portal device is the network segment where the users reside (8.8.8.0/24 in this example). Configure IP addresses for the switch and servers as shown in Figure 65 and make sure the host, switch,...
  • Page 167: Configuring Portal Server Detection And Portal User Information Synchronization

    [SwitchA-acl-adv-3000] rule deny ip [SwitchA-acl-adv-3000] quit [SwitchA] acl number 3001 [SwitchA-acl-adv-3001] rule permit ip [SwitchA-acl-adv-3001] quit Configure portal authentication: # Configure the portal server as follows: Name: newpt IP address: 192.168.0.111 Key: portal, in plain text Port number: 50100 URL: http://192.168.0.111:8080/portal.
  • Page 168 Figure 66 Network diagram The following are summary steps for configuring portal server detection and portal user information synchronization: Configure the portal server and enable portal server heartbeat function and the portal user heartbeat function. Configure the RADIUS server to implement authentication and accounting. Configure direct portal authentication on interface VLAN-interface 100, which is connected to the user host.
  • Page 169 Figure 67 Portal server configuration Configure the IP address group: Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. Click Add to enter the page shown in Figure Enter the IP group name.
  • Page 170 Add a portal device: Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Click Add to enter the page shown in Figure Enter the device name NAS. Enter the IP address of the switch's interface connected to the user. Enter the key, which must be the same as that configured on the switch.
  • Page 171: Configuring The Switch

    Figure 71 Adding a port group Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configuring the switch Configure a RADIUS scheme: # Create RADIUS scheme rs1 and enter its view. <Switch>...
  • Page 172 The product of interval and retry must be greater than or equal to the portal server heartbeat interval, and HP recommends that you configure the interval as a value greater than the portal server heartbeat interval configured on the portal server.
  • Page 173: Cross-Subnet Portal Authentication Across Vpns

    authentication on the access interface, so the client can access the external network without authentication. Cross-subnet portal authentication across VPNs Network requirements As shown in Figure 72, Switch A (as the PE device connecting the user side) provides cross-subnet portal authentication for hosts in VPN 1 through communication with the RADIUS server and portal server in VPN 3.
  • Page 174 [SwitchA-radius-rs1] nas-ip 3.3.0.3 [SwitchA-radius-rs1] quit IMPORTANT: Use the nas-ip command to specify the source IP address for RADIUS packets to be sent, and make sure the source IP address is consistent with the IP address of the access device specified on the server to avoid authentication failures.
  • Page 175: Troubleshooting Portal

    Vlan Interface ---------------------------------------------------------------------------- 000d-88f7-c268 3.3.0.1 Vlan-interface3 Total 1 user(s) matched, 1 listed. Troubleshooting portal This section provides the techniques for troubleshooting portal authentication configuration. Inconsistent keys on the access device and the portal server Symptom When a user is forced to access the portal server, the portal server displays a blank webpage, rather than the portal authentication page or an error message.
  • Page 176: Configuring Port Security

    This automatic mechanism enhances network security and reduces human intervention. NOTE: For scenarios that require only 802.1X authentication or MAC authentication, HP recommends that you use the 802.1X authentication or MAC authentication feature rather than port security. For more information about 802.1X and MAC authentication, see "Configuring...
  • Page 177 • MAC learning control—Includes autoLearn and secure. MAC address learning is permitted on ports in autoLearn mode and disabled on ports in secure mode. • Authentication—Implement MAC authentication, 802.1X authentication, or a combination of the two authentication methods. Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address.
  • Page 178 Controlling MAC address learning • autoLearn: A port in this mode can learn MAC addresses and allows frames from learned or configured MAC addresses to pass. The automatically learned MAC addresses are secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.
  • Page 179: Working With Guest Vlan And Auth-Fail Vlan

    • macAddressOrUserLoginSecureExt: This mode is similar to the macAddressOrUserLoginSecure mode except that this mode supports multiple 802.1X and MAC authentication users. • macAddressElseUserLoginSecure: This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority as the Else keyword implies. For wired users, the port performs MAC authentication upon receiving non-802.1X frames.
  • Page 180: Enabling Port Security

    Enabling port security Enabling or disabling port security resets the following security settings to the default: • 802.1X access control mode is MAC-based, and the port authorization state is auto. • Port security mode is noRestrictions. When port security is enabled, you cannot manually enable 802.1X or MAC authentication or change the access control mode or port authorization state.
  • Page 181: Setting The Port Security Mode

    Setting the port security mode After enabling port security, you can change the port security mode of a port only when the port is operating in noRestrictions (the default) mode. To change the port security mode for a port in any other mode, first use the undo port-security port-mode command to restore the default port security mode.
  • Page 182: Configuring Ntk

    Configuring NTK The NTK feature checks the destination MAC addresses in outbound frames to make sure frames are forwarded only to authenticated devices. Any unicast frame with an unknown destination MAC address is discarded. Not all port security modes support triggering the NTK feature. For more information, Table The NTK feature supports the following modes: •...
  • Page 183: Enabling Port Security Traps

    Step / Command / Remarks:
    • Return to system view: quit
    • Set the silence timeout period during which a port remains disabled: port-security timer disableport time-value. Optional. 20 seconds by default.
    Enabling port security traps You can configure the port security module to send traps for the following categories of events: addresslearned—Learning of new MAC addresses.
  • Page 184: Configuration Prerequisites

    Table columns: Type / Address sources / Aging mechanism / Can be saved and survive a device reboot?
    • Sticky MAC addresses. Address sources: manually added, converted from dynamic secure MAC... Aging mechanism: sticky MAC addresses by default do not age out, but you can configure an aging timer or use the aging timer together with the inactivity aging function to delete old sticky MAC addresses:
  • Page 185: Ignoring Authorization Information From The Server

    Step / Command / Remarks:
    • Configure a secure MAC address. Use either approach. No secure MAC address exists by default.
    • Approach 1 (in system view): port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id
    • Approach 2 (in interface view): interface interface-type
  • Page 186: Port Security Configuration Examples

    Task / Command / Remarks:
    • Display information about secure MAC addresses: display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] [ | { begin | exclude | include } regular-expression ]. Available in any view.
    • Display information about blocked MAC addresses: display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ]...
  • Page 187 [Device-GigabitEthernet1/0/1] port-security port-mode autolearn # Configure the port to be silent for 30 seconds after the intrusion protection feature is triggered. [Device-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily [Device-GigabitEthernet1/0/1] quit [Device] port-security timer disableport 30 Verifying the configuration # Display the port security configuration. <Device>...
  • Page 188: Configuring The Userloginwithoui Mode

    #Jul 14 10:39:47:135 2009 Device PORTSEC/4/VIOLATION:Trap1.3.6.1.4.1.25506.2.26.1. An intrusion occurs! IfIndex: 9437185 Port: 9437185 MAC Addr: 00:02:00:00:00:32 VLAN ID: 1 IfAdminStatus: 1 # Execute the display interface command. You can see that the port security feature has disabled the port. [Device-GigabitEthernet1/0/1] display interface gigabitethernet 1/0/1 GigabitEthernet1/0/1 current state: DOWN ( Port Security Disabled IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-cb00-5558...
  • Page 189 Figure 74 Network diagram Configuration procedure The following configuration steps cover some AAA/RADIUS configuration commands. For more information about the commands, see Security Command Reference. Configuration procedures for the host and RADIUS servers are not shown. Configuration on the device: Configure the RADIUS protocol: # Configure a RADIUS scheme named radsun.
  • Page 190 # Add five OUI values. [Device] port-security oui 1234-0100-1111 index 1 [Device] port-security oui 1234-0200-1111 index 2 [Device] port-security oui 1234-0300-1111 index 3 [Device] port-security oui 1234-0400-1111 index 4 [Device] port-security oui 1234-0500-1111 index 5 [Device] interface gigabitethernet 1/0/1 # Set the port security mode to userLoginWithOUI. [Device-GigabitEthernet1/0/1] port-security port-mode userlogin-withoui Verifying the configuration # Display the RADIUS scheme radsun.
  • Page 191 # Display the configuration of the ISP domain sun. <Device> display domain sun Domain : sun State : Active Access-limit : 30 Accounting method : Required Default authentication scheme : radius:radsun Default authorization scheme : radius:radsun Default accounting scheme : radius:radsun Domain User Template: Idle-cut : Disabled Self-service : Disabled...
  • Page 192 The maximal retransmitting times EAD quick deploy configuration: EAD timeout: The maximum 802.1X user resource number is 2048 per slot Total current used 802.1X resource number is 1 GigabitEthernet1/0/1 is link-up 802.1X protocol is enabled Proxy trap checker is disabled Proxy logoff checker is disabled Handshake is enabled Handshake secure is disabled...
  • Page 193: Configuring The Macaddresselseuserloginsecure Mode

    Configuring the macAddressElseUserLoginSecure mode Network requirements As shown in Figure 74, a client is connected to the device through GigabitEthernet 1/0/1. The device authenticates the client by a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet. Restrict port GigabitEthernet 1/0/1 of the device as follows: Allow more than one MAC authenticated user to log on.
  • Page 194 Trap is disabled Disableport Timeout: 20s OUI value: GigabitEthernet1/0/1 is link-up Port mode is macAddressElseUserLoginSecure NeedToKnow mode is NeedToKnowOnly Intrusion Protection mode is NoAction Max MAC address number is 64 Stored MAC address number is 0 Authorization is permitted Security MAC address learning mode is sticky Security MAC address aging type is absolute # Display MAC authentication information.
  • Page 195: Troubleshooting Port Security

    Configuration: Transmit Period 30 s, Handshake Period 15 s Quiet Period 60 s, Quiet Period Timer is disabled Supp Timeout 30 s, Server Timeout 100 s The maximal retransmitting times EAD quick deploy configuration: EAD timeout: Total maximum 802.1X user resource number is 2048 per slot Total current used 802.1X resource number is 1 GigabitEthernet1/0/1 is link-up...
  • Page 196: Cannot Set The Port Security Mode

    Cannot set the port security mode Symptom Cannot set the port security mode. [Device-GigabitEthernet1/0/1] port-security port-mode autolearn Error:When we change port-mode, we should first change it to noRestrictions, then change it to the other. Analysis For ports operating in a port security mode other than noRestrictions, you cannot change the port security mode directly by using the port-security port-mode command.
  • Page 197 Solution Use the cut command to forcibly disconnect the user from the port before changing the port security mode. [Device-GigabitEthernet1/0/1] quit [Device] cut connection interface gigabitethernet 1/0/1 [Device] interface gigabitethernet 1/0/1 [Device-GigabitEthernet1/0/1] undo port-security port-mode...
  • Page 198: Configuring A User Profile

    Configuring a user profile A user profile provides a configuration template to save predefined configurations, such as a QoS policy. Different user profiles are applicable to different scenarios. The user profile implements service applications on a per-user basis. Every time a user accesses the device, the device automatically applies the configurations in the user profile that is associated only with this user.
  • Page 199: Applying A Qos Policy

    Applying a QoS policy You can apply QoS policies in user profile view to implement traffic management functions. Follow these guidelines when you apply a QoS policy: • After a user profile is created, apply a QoS policy in user profile view to implement restrictions on online users.
  • Page 200: Displaying And Maintaining User Profiles

    Displaying and maintaining user profiles
    Task / Command / Remarks:
    • Display information about all the created user profiles: display user-profile [ | { begin | exclude | include } regular-expression ]. Available in any view...
  • Page 201: Managing Public Keys

    Managing public keys To protect data confidentiality during transmission, the data sender uses an algorithm and a key to encrypt the plain text data before sending the data out. The receiver uses the same algorithm with the help of a key to decrypt the data, as shown in Figure Figure 75 Encryption and decryption The keys that participate in the conversion between plain text and cipher text can be the same or different,...
  • Page 202: Creating A Local Asymmetric Key Pair

    Creating a local asymmetric key pair When you create an asymmetric key pair on the local device, follow these guidelines: • Create an asymmetric key pair of the proper type to work with a target application. • After you enter the command, specify a proper modulus length for the key pair. The following table...
  • Page 203: Destroying A Local Asymmetric Key Pair

    Displaying and recording the host public key information
    Task / Command / Remarks:
    • Display the local RSA public keys: display public-key local rsa public [ | { begin | exclude | include } regular-expression ]. Available in any view. Use at least one command.
    • Display the local DSA host public...: display public-key local dsa public [ | { begin...
  • Page 204: Specifying The Peer Public Key On The Local Device

    intended asymmetric key pair. Manually configure the public key—input...: • If the peer device is an HP device, use the display public-key local public command... • The recorded public key must be in the correct format, or the manual configuration of a format-incompliant public key will fail.
  • Page 205: Displaying Public Keys

    Step / Command / Remarks:
    • Return to public key view: public-key-code end. When you exit public key code view, the system automatically saves the public key.
    • Return to system view: peer-public-key end
    Displaying public keys
    Task / Command / Remarks:
    • Display the local public keys: display public-key local { dsa | rsa } public [ | { begin | exclude | include } regular-expression ]. Available in any view...
  • Page 206 ++++++ ++++++++ ++++++++ # Display the public keys of the local RSA key pairs. [DeviceA] display public-key local rsa public ===================================================== Time of Key pair created: 09:50:06 2011/12/12 Key name: HOST_KEY Key type: RSA Encryption Key ===================================================== Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F 814F 9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD 995C...
  • Page 207: Importing A Public Key From A Public Key File

    [DeviceB-pkey-public-key] peer-public-key end # Display the host public key of Device A saved on Device B. [DeviceB] display public-key peer name devicea ===================================== Key Name : devicea Key Type : RSA Key Module: 1024 ===================================== Key Code: 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F 814F 9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD 995C 669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC07 8B2B...
  • Page 208 ++++++++ # Display the public keys of the local RSA key pairs. [DeviceA] display public-key local rsa public ===================================================== Time of Key pair created: 09:50:06 2011/12/12 Key name: HOST_KEY Key type: RSA Encryption Key ===================================================== Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F 814F 9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD 995C 669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC07 8B2B...
  • Page 209 User(10.1.1.1:(none)):ftp 331 Password required for ftp. Password: 230 User logged in. [ftp] binary 200 Type set to I. [ftp] get devicea.pub 227 Entering Passive Mode (10,1,1,1,5,148). 125 BINARY mode data connection already open, transfer starting for /devicea.pub. 226 Transfer complete. FTP: 299 byte(s) received in 0.189 second(s), 1.00Kbyte(s)/sec.
  • Page 210: Configuring Ssh

    Configuring SSH This chapter describes SSH applications, how to configure SSH applications, and configuration examples. Overview Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH implements remote login and file transfer securely over an insecure network. SSH uses the typical client/server model, and establishes a channel to protect data transfer based on TCP.
  • Page 211: Ssh Authentication

    Table 13 Stages involved in secure session establishment
    • Connection establishment: The SSH server listens for connection requests on port 22. After a client initiates a connection request, the server and the client establish a TCP connection.
    • Version negotiation: The two parties determine a version to use after negotiation.
  • Page 212: Fips Compliance

    • Publickey authentication—The server authenticates the client by the digital signature. During publickey authentication, the client sends the server a publickey authentication request that contains its username, public key, and publickey algorithm information. The server examines whether the public key is valid. If the public key is invalid, the authentication fails. Otherwise, the server authenticates the client by the digital signature.
  • Page 213: Generating Local Dsa Or Rsa Key Pairs

    Task / Remarks:
    • Generating local DSA or RSA key pairs: Required.
    • Enabling the SSH server function: Required for Stelnet, SFTP, and SCP servers.
    • Enabling the SFTP server function: Required only for SFTP server.
    • Configuring the user interfaces for SSH clients: Required.
    • Configuring a client's host public key: Required if publickey authentication is configured for users and the clients directly send the public keys to...
  • Page 214: Enabling The Sftp Server Function

    To enable the SSH server function:
    Step / Command / Remarks:
    • Enter system view: system-view
    • Enable the SSH server function: ssh server enable. Disabled by default.
    NOTE: When the device acts as an SCP server, only one SCP user is allowed to access the SCP server at one time.
  • Page 215: Configuring A Client's Host Public Key

    A host public key obtained in other ways might be in incorrect format and cannot be saved on the server. HP recommends that you configure a client public key by importing it from a public key file.
  • Page 216: Configuring An Ssh User

    Step / Command / Remarks:
    • Return to public key view and save the configured host public key: public-key-code end. When you exit public key code view, the system automatically saves the public key.
    • Return to system view: peer-public-key end
    Importing a client public key from a public key file
    Step / Command / Remarks...
  • Page 217: Setting The Ssh Management Parameters

    • SSH1 does not support SFTP or SCP. For an SSH1 client, you must set the service type to stelnet or all. • For an SFTP SSH user, the working folder depends on the authentication method: If only password authentication is used, the working folder is authorized by AAA. If publickey authentication, whether with password authentication or not, is used, the working folder is set by using the ssh user command.
  • Page 218: Setting The Dscp Value For Packets Sent By The Ssh Server

    • Maximum number of SSH authentication attempts. This parameter is used to prevent malicious password cracking. • SFTP connection idle timeout period. Once the idle period of an SFTP connection exceeds the specified threshold, the system automatically tears the connection down. To set the SSH management parameters: Step / Command...
  • Page 219: Stelnet Client Configuration Task List

    Stelnet server when communicating with the Stelnet server. HP recommends that you specify a loopback interface as the source interface to make sure the Stelnet client and the Stelnet server can communicate with each other, and to improve the manageability of Stelnet clients in the authentication service.
  • Page 220: Establishing A Connection To An Stelnet Server

    Enabling first-time authentication
    Step / Command / Remarks:
    • Enter system view: system-view
    • Enable first-time authentication: ssh client first-time enable. Optional. Enabled by default.
    Disabling first-time authentication
    Step / Command / Remarks:
    • Enter system view: system-view
    • Disable first-time authentication: undo ssh client first-time. Enabled by default.
  • Page 221: Setting The Dscp Value For Packets Sent By The Stelnet Client

    Task Command Remarks • Establish a connection to an IPv4 server: In non-FIPS mode: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher...
  • Page 222: Configuring The Device As An Sftp Client

    SFTP server. HP recommends that you specify a loopback interface as the source interface to make sure the SFTP client and the SFTP server can communicate with each other, and to improve the manageability of SFTP clients in the authentication service.
  • Page 223: Working With Sftp Directories

    After the connection is established, you can directly enter SFTP client view on the server to perform directory and file operations. To establish a connection to an SFTP server: Task Command Remarks • Establish a connection to an IPv4 SFTP server: In non-FIPS mode: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } |...
  • Page 224: Working With Sftp Files

    Step / Command / Remarks:
    • Return to the upper-level directory: cdup. Optional.
    • Display the current working directory on the SFTP server. Optional.
    • Display files under a specified directory: dir [ -a | -l ] [ remote-path ]. Optional. The dir command functions as the...
  • Page 225: Terminating The Connection With The Sftp Server

    Step / Command:
    • Enter SFTP client view. For more information, see "Establishing a connection to an SFTP server."
    • Display a list of all commands or the help information of an SFTP client command: help [ all | command-name ]
    Terminating the connection with the SFTP server
    Step / Command / Remarks...
  • Page 226: Transferring Files With An Scp Server

    Transferring files with an SCP server Task Command Remarks • Upload a file to the SCP server: In non-FIPS mode: scp [ ipv6 ] server [ port-number ] put source-file-path [ destination-file-path ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex...
  • Page 227: Stelnet Configuration Examples

    Task / Command / Remarks:
    • Display the source IP address or interface information configured for the Stelnet client: display ssh client source [ | { begin | exclude | include } regular-expression ]. Available in any view.
    • Display SSH server status information or session information: display ssh server { status | session } [ | { begin | exclude | include }... Available in any view.
  • Page 228 It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys... ++++++++ ++++++++++++++ +++++ ++++++++ # Generate a DSA key pair. [Switch] public-key local create dsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes.
  • Page 229: When The Switch Acts As An Stelnet Server For Publickey Authentication

    Figure 80 Specifying the host name (or IP address) Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username and password. After entering the username (client001) and password (aabbcc), you can enter the command-line interface of the server.
  • Page 230 Configuration procedure In the server configuration, the client public key is required. Use the client software to generate the RSA key pair on the client before configuring the Stelnet server. The device supports a variety of Stelnet client software, such as PuTTY and OpenSSH. The following is an example of configuring the Stelnet client using PuTTY Version 0.58.
  • Page 231 Figure 83 Generating process After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key. Figure 84 Saving a key pair on the client...
  • Page 232 Likewise, to save the private key, click Save private key. A warning window pops up asking whether you want to save the private key without any protection. Click Yes and enter the name of the file for saving the key (private.ppk in this case). A private key saved this way is protected only by the file system it sits on, so restrict access to the file or set a key passphrase in PuTTYgen instead. Transmit the public key file to the server through FTP or TFTP. Neither protocol protects the file's integrity, so confirm on the server that the imported key is the one you generated before assigning it to a user.
  • Page 233 # Specify the authentication method for user client002 as publickey, and assign the public key SwitchKey to the user. [Switch] ssh user client002 service-type stelnet authentication-type publickey assign publickey SwitchKey Specify the private key file and establish a connection to the Stelnet server: Launch PuTTY.exe on the Stelnet client to enter the interface as shown in Figure 85.
  • Page 234: When The Switch Acts As An Stelnet Client For Password Authentication

    Figure 86 Specifying the private key file Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username and password. After entering the username (client002), you can enter the command-line interface of the server.
  • Page 235 [SwitchB] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys...
  • Page 236 [SwitchA-Vlan-interface2] quit [SwitchA] quit # Establish a connection to the Stelnet server: If the client supports first-time authentication, you can directly establish a connection from the client to the server. With first-time authentication the client accepts and saves the server's host public key without having verified it, so confirm the key's fingerprint out of band before relying on the session. # Establish an SSH connection to server 192.168.1.40. <SwitchA> ssh2 192.168.1.40 Username: client001 Trying 192.168.1.40 ...
  • Page 237: When The Switch Acts As An Stelnet Client For Publickey Authentication

    [SwitchA-pkey-key-code] public-key-code end [SwitchA-pkey-public-key] peer-public-key end # Specify the host public key for the Stelnet server 192.168.1.40 as key1. [SwitchA] ssh client authentication server 192.168.1.40 assign publickey key1 [SwitchA] quit # Establish an SSH connection to the Stelnet server 192.168.1.40. <SwitchA>...
  • Page 238 # Export the DSA public key to file key.pub. [SwitchA] public-key local export dsa ssh2 key.pub [SwitchA] quit # Transmit the public key file to the server through FTP or TFTP. (Details not shown.) Configure the Stelnet server: # Generate the RSA key pairs. <SwitchB>...
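    The export above writes the key in the SSH2 (RFC 4716) public key layout, and the server later imports it with public-key peer ... import sshkey. Before trusting a key that crossed the network over FTP or TFTP, or a host key accepted through first-time authentication, an operator compares its fingerprint with one obtained out of band. The following Python is an added example, not code from the HP guide: it builds a constructed ssh-rsa key blob (the modulus is an arbitrary 2048-bit number, not a real key), writes and reads the RFC 4716 layout and the one-line OpenSSH form, decodes the algorithm and the key size the switch prompts for, and derives the SHA256 fingerprint OpenSSH shows together with the MD5 form older PuTTY versions show.

```python
"""Parse SSH2 public key files and compute fingerprints (added example)."""
import base64
import hashlib
import struct


def _ssh_string(data):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(data)) + data


def _ssh_mpint(n):
    """SSH wire 'mpint': minimal big-endian two's complement, sign bit clear."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_rsa_blob(e, n):
    """Wire-format public key blob for an ssh-rsa key."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def build_dsa_blob(p, q, g, y):
    """Wire-format public key blob for an ssh-dss key."""
    return _ssh_string(b"ssh-dss") + b"".join(_ssh_mpint(v) for v in (p, q, g, y))


def to_rfc4716(blob, comment):
    """Serialise a blob in the '---- BEGIN SSH2 PUBLIC KEY ----' layout."""
    body = base64.b64encode(blob).decode()
    lines = [body[i:i + 70] for i in range(0, len(body), 70)]
    return "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----", 'Comment: "%s"' % comment,
                      *lines, "---- END SSH2 PUBLIC KEY ----"]) + "\n"


def to_openssh(blob, comment):
    """Serialise a blob as the one-line 'ssh-rsa AAAA... comment' form."""
    return "%s %s %s\n" % (parse_blob(blob)[0], base64.b64encode(blob).decode(), comment)


def load_public_key(text):
    """Return the raw blob from an RFC 4716 file or an OpenSSH one-line key."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        if not lines[-1].startswith("---- END SSH2 PUBLIC KEY ----"):
            raise ValueError("missing END marker")
        # header lines (Comment:, Subject:) carry a ':'; base64 never does
        body = "".join(ln for ln in lines[1:-1] if ":" not in ln)
        return base64.b64decode(body, validate=True)
    parts = lines[0].split()
    if len(parts) < 2 or not parts[0].startswith("ssh-"):
        raise ValueError("unrecognised public key format")
    return base64.b64decode(parts[1], validate=True)


def _read_string(buf, off):
    (length,) = struct.unpack_from("!I", buf, off)
    end = off + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end


def parse_blob(blob):
    """Return (algorithm, {field: int}) for ssh-rsa or ssh-dss blobs."""
    fields_by_alg = {"ssh-rsa": ("e", "n"), "ssh-dss": ("p", "q", "g", "y")}
    alg_raw, off = _read_string(blob, 0)
    alg = alg_raw.decode("ascii")
    if alg not in fields_by_alg:
        raise ValueError("unsupported key type %s" % alg)
    fields = {}
    for name in fields_by_alg[alg]:
        raw, off = _read_string(blob, off)
        fields[name] = int.from_bytes(raw, "big")
    if off != len(blob):
        raise ValueError("trailing bytes after key material")
    return alg, fields


def key_bits(alg, fields):
    """Modulus size (RSA) or prime size (DSA): the 'bits of the modulus' the switch asks for."""
    return fields["n" if alg == "ssh-rsa" else "p"].bit_length()


def fingerprints(blob):
    """OpenSSH-style SHA256 fingerprint and the MD5 colon form older PuTTY shows."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return "SHA256:" + sha, "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2))


# Constructed demo key: e = 65537 and an arbitrary odd 2048-bit number standing in
# for the modulus. It is not a real RSA key and must never be used as one.
DEMO_E = 65537
DEMO_N = (1 << 2047) | 0x9C5B3E1D0F7A2468ACE13579BDF2468B

if __name__ == "__main__":
    text = to_rfc4716(build_rsa_blob(DEMO_E, DEMO_N), "rsa-key-client002")
    blob = load_public_key(text)
    alg, fields = parse_blob(blob)
    print(alg, key_bits(alg, fields), "bits")
    print(*fingerprints(blob), sep="\n")
```

    Compare the SHA256 line with what the client shows on first connection (or the MD5 line for PuTTY 0.58-era clients); a mismatch means the key on the wire is not the one that was exported.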
  • Page 239: Sftp Configuration Examples

    # Specify the authentication method for user client002 as publickey, and assign the public key SwitchKey to the user. [SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey SwitchKey Establish a connection to the Stelnet server: # Establish an SSH connection to the Stelnet server 192.168.1.40. <SwitchA>...
  • Page 240 ++++++++++++++ +++++ ++++++++ # Generate a DSA key pair. [Switch] public-key local create dsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys...
  • Page 241: When The Switch Acts As An Sftp Client For Publickey Authentication

    Enter username client002 and password aabbcc as prompted to log in to the SFTP server. Figure 90 SFTP client interface When the switch acts as an SFTP client for publickey authentication Network requirements As shown in Figure 91, you can log in to Switch B through the SFTP client that runs on Switch A. Switch B acts as the SFTP server, adopting publickey authentication and the RSA public key algorithm.
  • Page 242: Ssh Connection

    The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys... ++++++++ ++++++++++++++ +++++ ++++++++...
  • Page 243 # Set the authentication mode on the user interface to AAA. [SwitchB] user-interface vty 0 15 [SwitchB-ui-vty0-15] authentication-mode scheme # Set the protocol that a remote user uses to log in as SSH. [SwitchB-ui-vty0-15] protocol inbound ssh [SwitchB-ui-vty0-15] quit # Import the peer public key from the file pubkey, and name it SwitchKey. [SwitchB] public-key peer SwitchKey import sshkey pubkey # For user client001, set the service type as SFTP, authentication method as publickey, public key as SwitchKey, and working folder as flash:/...
  • Page 244 sftp-client> mkdir new1
    New directory created
    sftp-client> dir
    -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
    -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
    -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
    drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
    -rwxrwxrwx 1 noone nogroup...
  • Page 245: Configuring Tcp Attack Protection

    Configuring TCP attack protection This chapter describes how to configure the SYN Cookie feature to prevent TCP attacks. Enabling the SYN Cookie feature TCP establishes a connection in the following steps: The client sends a SYN message to the server. After receiving the SYN message, the server establishes a TCP connection in SYN_RECEIVED state, returns a SYN ACK message, and waits for a response.
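    To make the SYN Cookie idea concrete, the following Python is an added example (not code from the HP guide) of a stateless SYN cookie: the server derives its SYN-ACK sequence number from a keyed hash of the connection 4-tuple and a coarse time counter, keeps nothing for the half-open connection, and validates the client's ACK by recomputing the hash. The secret, tick length and counter width are assumptions chosen for the demonstration, as are all addresses; simulate() floods the server with spoofed SYNs and then completes one genuine handshake.

```python
"""Stateless SYN cookies (added example, not from the HP guide)."""
import hashlib
import hmac
import struct

# Assumed parameters: a per-boot secret, a 64-second counter tick, and the top
# 5 bits of the 32-bit ISN reserved for that counter.
SECRET = b"constructed-demo-secret-rotate-per-boot"
TICK_SECONDS = 64
COUNTER_BITS = 5
COUNTER_MASK = (1 << COUNTER_BITS) - 1
BODY_BITS = 32 - COUNTER_BITS
BODY_MASK = (1 << BODY_BITS) - 1
MAX_AGE_TICKS = 1            # accept cookies from the current or previous tick


def _tick(now):
    return (int(now) // TICK_SECONDS) & COUNTER_MASK


def _cookie(saddr, sport, daddr, dport, client_isn, counter):
    """Keyed hash of the 4-tuple and counter, with the client ISN folded in."""
    msg = struct.pack("!4sH4sHB", saddr, sport, daddr, dport, counter)
    tag = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")
    body = (tag + client_isn) & BODY_MASK
    return (counter << BODY_BITS) | body


def make_syn_cookie(saddr, sport, daddr, dport, client_isn, now):
    """Server ISN for the SYN-ACK. No SYN_RECEIVED state is stored."""
    return _cookie(saddr, sport, daddr, dport, client_isn, _tick(now))


def check_syn_cookie(saddr, sport, daddr, dport, ack_seq, ack_ack, now):
    """Validate the handshake ACK (seq = client_isn + 1, ack = cookie + 1)."""
    cookie = (ack_ack - 1) & 0xFFFFFFFF
    client_isn = (ack_seq - 1) & 0xFFFFFFFF
    counter = cookie >> BODY_BITS
    if ((_tick(now) - counter) & COUNTER_MASK) > MAX_AGE_TICKS:
        return False                              # stale cookie: refuse it
    expected = _cookie(saddr, sport, daddr, dport, client_isn, counter)
    return hmac.compare_digest(struct.pack("!I", cookie), struct.pack("!I", expected))


def ip(text):
    """Dotted quad to 4 packed bytes."""
    return bytes(int(o) for o in text.split("."))


SERVER = ip("192.168.1.40")      # constructed server address


def simulate(flood_syns, now=1000):
    """Flood the server with spoofed SYNs, then finish one genuine handshake.

    Returns (half_open_entries, genuine_client_accepted)."""
    half_open = {}               # what a stateful server would fill; stays empty here
    for i in range(flood_syns):
        spoofed = struct.pack("!I", 0x0A000000 + i)          # 10.x.x.x, never answers
        make_syn_cookie(spoofed, 1024 + i % 60000, SERVER, 80, i, now)   # SYN-ACK sent
    client = ip("192.168.1.56")
    client_isn = 0x12345678
    server_isn = make_syn_cookie(client, 51515, SERVER, 80, client_isn, now)
    # the genuine client answers ACK with seq = client_isn + 1, ack = server_isn + 1
    accepted = check_syn_cookie(client, 51515, SERVER, 80,
                                client_isn + 1, server_isn + 1, now + 3)
    return len(half_open), accepted


if __name__ == "__main__":
    print(simulate(5000))
```

    The price of statelessness is that TCP options carried in the SYN (window scale, SACK permitted) are gone by the time the ACK arrives, which is why real stacks either encode a few option bits in the cookie or switch cookies on only once the SYN queue is full.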
  • Page 246: Configuring Ip Source Guard

    Configuring IP source guard This chapter describes how to configure IP source guard. IP source guard overview IP source guard is intended to improve port security by blocking illegal packets. For example, it can prevent invalid hosts from using a valid IP address to access the network. IP source guard can filter packets according to the packet source IP address and source MAC address.
  • Page 247: Dynamic Ipv4 Source Guard Entries

    Global static binding entry A global static binding entry is a MAC-IP binding entry configured in system view. It is effective on all ports. A port forwards a packet when the packet's IP address and MAC address both match those of a global static binding entry or a static binding entry configured on the port.
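    The two entry types above, plus the dynamic entries learned from DHCP snooping that later sections configure, can be modelled as one binding table consulted per port. The following Python is an added example, not code from the HP guide; port names, addresses and the DHCP lease are constructed, and the treatment of an IP-only entry under an IP+MAC check is this example's design choice rather than documented switch behaviour.

```python
"""IP source guard binding table and per-port filter (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: Optional[str] = None        # None: IP-only binding


class IpSourceGuard:
    def __init__(self):
        self.global_static = set()   # Binding, effective on every port
        self.port_static = {}        # port -> set(Binding)
        self.dynamic = {}            # port -> set(Binding) learned by DHCP snooping
        self.mode = {}               # port -> "ip" or "ip-mac" once the guard is enabled
        self.trusted = set()         # DHCP snooping trusted ports (towards the server)

    def enable(self, port, mode="ip-mac"):
        """Like `ip verify source ip-address [mac-address]` on the port."""
        if mode not in ("ip", "ip-mac"):
            raise ValueError(mode)
        self.mode[port] = mode

    def add_static(self, ip, mac=None, port=None):
        """Like `ip source binding ...` in system view (port=None) or interface view."""
        entry = Binding(ip, mac)
        if port is None:
            self.global_static.add(entry)
        else:
            self.port_static.setdefault(port, set()).add(entry)

    def dhcp_ack(self, server_port, client_port, client_ip, client_mac):
        """DHCP snooping: learn a lease only from an ACK that arrived on a trusted port.

        Returns True when a dynamic binding was created."""
        if server_port not in self.trusted:
            return False             # rogue DHCP server on an access port: ignored
        self.dynamic.setdefault(client_port, set()).add(Binding(client_ip, client_mac))
        return True

    def release(self, client_port, client_ip):
        """Drop the dynamic entry when the lease ends (RELEASE or expiry)."""
        self.dynamic[client_port] = {
            b for b in self.dynamic.get(client_port, set()) if b.ip != client_ip}

    def permit(self, port, src_ip, src_mac):
        """Decide whether an IP packet received on `port` is forwarded."""
        mode = self.mode.get(port)
        if mode is None:
            return True              # guard not enabled on this port
        candidates = (self.global_static
                      | self.port_static.get(port, set())
                      | self.dynamic.get(port, set()))
        for b in candidates:
            if b.ip != src_ip:
                continue
            if mode == "ip":
                return True          # IP-only check: any adapter may use this IP
            if b.mac is not None and b.mac == src_mac:
                return True          # IP+MAC check; an IP-only entry cannot satisfy it
        return False


def build_example():
    """Wiring that mirrors the static IPv4 example (constructed ports and addresses)."""
    g = IpSourceGuard()
    g.enable("GE1/0/1", "ip")
    g.add_static("192.168.0.2", port="GE1/0/1")
    g.enable("GE1/0/2", "ip-mac")
    g.add_static("192.168.0.1", "0001-0203-0406", port="GE1/0/2")
    g.enable("GE1/0/4", "ip-mac")        # access port fed by DHCP snooping
    g.trusted.add("GE1/0/5")             # uplink towards the DHCP server
    return g
```

    The release() path matters as much as the learning path: a binding that outlives its lease lets the next holder of the address be spoofed by the previous one.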
  • Page 248: Configuring The Ipv4 Source Guard Function

    Configuring the IPv4 source guard function You cannot enable IPv4 source guard on a link aggregation member port or a service loopback port. If IPv4 source guard is enabled on a port, you cannot assign the port to a link aggregation group or a service loopback group.
  • Page 249: Configuring A Static Ipv4 Source Guard Entry

    NOTE: Although dynamic IPv4 source guard entries are generated based on DHCP entries, the number of dynamic IPv4 source guard entries is not necessarily the same as that of the DHCP entries. Configuring a static IPv4 source guard entry Static IPv4 binding entries take effect only on the ports configured with the IPv4 source guard function (see "Enabling IPv4 source guard on a port").
  • Page 250: Setting The Maximum Number Of Ipv4 Source Guard Entries Allowed On A Port

    Step Command Remarks
    • Configure a static IPv4 source guard entry on the port. Command: ip source binding { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan ... By default, no static IPv4 binding entry is configured on a port. IP source guard does not use the VLAN information (if specified) in static IPv4 binding entries to filter...
  • Page 251: Configuring A Static Ipv6 Source Guard Entry

    Step Command Remarks
    • Enter Layer 2 Ethernet interface view or port group view. Command: interface interface-type interface-number.
    • Enable the IPv6 source guard function on the port. Command: ipv6 verify source { ipv6-address | ipv6-address mac-address | ... IP source guard is disabled by default. The keyword specified in the ipv6 verify source command does not...
  • Page 252: Setting The Maximum Number Of Ipv6 Source Guard Entries Allowed On A Port

    Step Command Remarks
    • Enter system view. Command: system-view.
    • Enter Layer 2 Ethernet interface view. Command: interface interface-type interface-number.
    • Configure a static IPv6 binding entry on a port. Command: ipv6 source binding { ipv6-address ipv6-address | ipv6-address ipv6-address mac-address ... By default, no static IPv6 binding entry is configured on a port. IP source guard does not use the...
  • Page 253: Ip Source Guard Configuration Examples

    Task Command Remarks
    • Display static IPv4 source guard entries (in IRF mode). Command: display ip source binding static [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] [ chassis chassis-number slot slot-number ] [ | { begin | exclude | include } regular-expression ]. Available in any view.
    • display ip source binding [ interface interface-type interface-number |...
  • Page 254 • On port GigabitEthernet 1/0/1 of Device B, only IP packets sourced from 192.168.0.2/24 can pass. Host B can communicate with Host A by using this IP address even if it uses another network adapter.
    Figure 93 Network diagram (Device A and Device B, connected through GE1/0/1 and GE1/0/2, with the hosts)...
  • Page 255: Dynamic Ipv4 Source Guard Using Dhcp Snooping

    [DeviceB-GigabitEthernet1/0/2] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406 [DeviceB-GigabitEthernet1/0/2] quit # Enable the IPv4 source guard function on GigabitEthernet 1/0/1. [DeviceB] interface gigabitethernet 1/0/1 [DeviceB-GigabitEthernet1/0/1] ip verify source ip-address # Configure GigabitEthernet 1/0/1 to allow only IP packets with the source IP address of 192.168.0.2 to pass.
  • Page 256: Dynamic Ipv4 Source Guard Using Dhcp Relay

    Configuration procedure Configure DHCP snooping: # Enable DHCP snooping. <Device> system-view [Device] dhcp-snooping # Configure port GigabitEthernet 1/0/2, which is connected to the DHCP server, as a trusted port. [Device] interface gigabitethernet 1/0/2 [Device-GigabitEthernet1/0/2] dhcp-snooping trust [Device-GigabitEthernet1/0/2] quit Configure the IPv4 source guard function: # Configure the IPv4 source guard function on port GigabitEthernet 1/0/1 to filter packets based on both the source IP address and MAC address.
  • Page 257: Static Ipv6 Source Guard Entry Configuration

    Figure 95 Network diagram Configuration procedure Configure the IPv4 source guard function: # Configure IP addresses for the interfaces. (Details not shown.) # Configure the IPv4 source guard function on VLAN-interface 100 to filter packets based on both the source IP address and MAC address. <Switch>...
  • Page 258: Global Static Ip Source Guard Configuration

    Figure 96 Network diagram Configuration procedure # Enable the IPv6 source guard function on GigabitEthernet 1/0/1. <Device> system-view [Device] interface gigabitethernet 1/0/1 [Device-GigabitEthernet1/0/1] ipv6 verify source ipv6-address mac-address # Configure GigabitEthernet 1/0/1 to allow only IPv6 packets with the source MAC address of 0001-0202-0202 and the source IPv6 address of 2001::1 to pass.
  • Page 259 Figure 97 Network diagram Configuration procedure # Create VLAN 10, and add port GigabitEthernet 1/0/2 to VLAN 10. <DeviceB> system-view [DeviceB] vlan 10 [DeviceB-vlan10] port gigabitethernet 1/0/2 [DeviceB-vlan10] quit # Create VLAN 20, and add port GigabitEthernet 1/0/3 to VLAN 20. [DeviceB] vlan 20 [DeviceB-vlan20] port gigabitethernet 1/0/3 [DeviceB-vlan20] quit...
  • Page 260: Troubleshooting Ip Source Guard

    Verifying the configuration
    # Display static IPv4 binding entries on Device B.
    [DeviceB] display ip source binding static
    Total entries found: 2
    MAC Address IP Address VLAN Interface Type
    0001-0203-0406 192.168.0.2 Static
    0001-0203-0407 192.168.1.2 Static
    After the configurations, Host A and Host B can ping each other successfully.
    Troubleshooting IP source guard
    Symptom Failed to configure static IP source guard entries or dynamic IP source guard on a port.
  • Page 261: Configuring Arp Attack Protection

    Configuring ARP attack protection Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways: • Acting as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP entries.
  • Page 262: Configuring Unresolvable Ip Attack Protection

    Configuring unresolvable IP attack protection If a device receives from a host a large number of IP packets that cannot be resolved by ARP (called unresolvable IP packets), the following situations can occur: The device sends a large number of ARP requests, overloading the target subnets. •...
  • Page 263: Unresolvable Ip Attack Protection Configuration Example

    Unresolvable IP attack protection configuration example Network requirements As shown in Figure 98, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20. The two areas connect to the gateway through an access switch respectively. A large number of ARP requests are detected in the office area and are considered to be the result of an IP flood attack.
  • Page 264: Configuring Arp Packet Rate Limit

    Configuring ARP packet rate limit This feature allows you to limit the rate at which ARP packets are delivered to the CPU. For example, if an attacker sends a large number of ARP packets to an ARP detection enabled device, the CPU of the device becomes overloaded because all of the ARP packets are redirected to the CPU for inspection.
  • Page 265: Displaying And Maintaining Source Mac-Based Arp Attack Detection

    Step Command Remarks
    • Configure the lifetime for ARP attack entries. Command: arp anti-attack source-mac aging-time time. Optional. 300 seconds by default.
    • Configure excluded MAC addresses. Command: arp anti-attack source-mac exclude-mac mac-address&<1-10>. Optional. No MAC address is excluded by default.
    After an ARP attack detection entry expires, ARP packets sourced from the MAC address in the entry can be processed normally.
  • Page 266: Configuring Arp Active Acknowledgement

    Figure 99 Network diagram (IP network, gateway, ARP attack protection device, server with MAC 0012-3f86-e94c, Hosts A through D)
    Configuration considerations
    An attacker may forge a large number of ARP packets by using the MAC address of a valid host as the source MAC address.
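    The following Python is an added example (not code from the HP guide) of the source MAC-based detection this section configures: a sliding-window count of ARP packets per source MAC, an attack entry that drops the MAC's ARP packets until the aging time passes, and an exclusion list so that a server which legitimately answers many ARP requests, like the one in the figure, is never blocked. The threshold and window are assumed values; the 300-second aging time follows the page.

```python
"""Source MAC-based ARP attack detection, filter behaviour (added example)."""
from collections import deque


class SourceMacArpDetector:
    def __init__(self, threshold=30, window=5.0, aging_time=300.0, excluded=()):
        # threshold and window are assumed values; aging_time follows the page
        self.threshold = threshold
        self.window = window
        self.aging_time = aging_time
        self.excluded = {m.lower() for m in excluded}
        self.arrivals = {}              # mac -> deque of arrival timestamps
        self.attack_entries = {}        # mac -> time at which the entry expires

    def _expire(self, now):
        for mac in [m for m, exp in self.attack_entries.items() if exp <= now]:
            del self.attack_entries[mac]
            self.arrivals.pop(mac, None)     # count afresh once the entry has aged out

    def process(self, src_mac, now):
        """Return 'forward' or 'drop' for an ARP packet from src_mac seen at time now."""
        mac = src_mac.lower()
        self._expire(now)
        if mac in self.excluded:
            return "forward"                 # excluded MAC: never counted, never blocked
        if mac in self.attack_entries:
            return "drop"                    # existing attack entry
        window = self.arrivals.setdefault(mac, deque())
        window.append(now)
        while window and window[0] <= now - self.window:
            window.popleft()
        if len(window) > self.threshold:
            self.attack_entries[mac] = now + self.aging_time
            return "drop"
        return "forward"

    def display(self):
        """Blocked MACs with their expiry time, like `display arp anti-attack source-mac`."""
        return dict(self.attack_entries)


if __name__ == "__main__":
    det = SourceMacArpDetector(threshold=5, window=5, excluded=["0012-3f86-e94c"])
    for t in range(8):                       # constructed burst from one host
        print(t / 10, det.process("000f-e2aa-bbcc", t / 10))
    print(det.display())
```

    Exclusion is the escape hatch for false positives, which is exactly why it needs to stay short: an attacker who spoofs an excluded MAC is not counted at all.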
  • Page 267: Configuring Arp Detection

    To configure ARP active acknowledgement:
    Step Command Remarks
    • Enter system view. Command: system-view.
    • Enable the ARP active acknowledgement function. Command: arp anti-attack active-ack enable. Disabled by default.
    Configuring ARP detection
    ARP detection enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks.
  • Page 268: Configuring Arp Packet Validity Check

    To configure user validity check:
    Step Command Remarks
    • Enter system view. Command: system-view.
    • Enter VLAN view. Command: vlan vlan-id.
    • Enable ARP detection. Command: arp detection enable. Disabled by default.
    • Return to system view. Command: quit.
    • Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view. Command: interface interface-type interface-number.
  • Page 269: Configuring Arp Restricted Forwarding

    Step Command Remarks
    • Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view. Command: interface interface-type interface-number.
    • Configure the port as a trusted port that is excluded from ARP detection. Command: arp detection trust. Optional. The port is an untrusted port by default.
  • Page 270 Configure Host A and Host B as 802.1X users. • Figure 100 Network diagram Configuration procedure Add all the ports on Switch B into VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A. (Details not shown.) Enable DHCP on Switch A, and configure DHCP address pool 0.
  • Page 271: User Validity Check And Arp Packet Validity Check Configuration Example

    [SwitchB-vlan10] interface gigabitethernet 1/0/3 [SwitchB-GigabitEthernet1/0/3] arp detection trust [SwitchB-GigabitEthernet1/0/3] quit After the configurations are completed, ARP packets received on interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 are checked against 802.1X entries. User validity check and ARP packet validity check configuration example Network requirements As shown in Figure...
  • Page 272: Arp Restricted Forwarding Configuration Example

    [SwitchB] dhcp-snooping [SwitchB] interface gigabitethernet 1/0/3 [SwitchB-GigabitEthernet1/0/3] dhcp-snooping trust [SwitchB-GigabitEthernet1/0/3] quit # Enable ARP detection for VLAN 10. [SwitchB] vlan 10 [SwitchB-vlan10] arp detection enable # Configure the upstream port as a trusted port (a port is an untrusted port by default). [SwitchB-vlan10] interface gigabitethernet 1/0/3 [SwitchB-GigabitEthernet1/0/3] arp detection trust [SwitchB-GigabitEthernet1/0/3] quit...
  • Page 273 Figure 102 Network diagram Configuration procedure Configure VLAN 10, add ports to VLAN 10, and configure the IP address of the VLAN-interface, as shown in Figure 98. (Details not shown.) Enable DHCP on Switch A, and configure DHCP address pool 0. <SwitchA>...
  • Page 274: Configuring Arp Automatic Scanning And Fixed Arp

    # Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets. [SwitchB] arp detection validate dst-mac ip src-mac # Configure port isolation. [SwitchB] interface gigabitethernet 1/0/1 [SwitchB-GigabitEthernet1/0/1] port-isolate enable [SwitchB-GigabitEthernet1/0/1] quit [SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] port-isolate enable [SwitchB-GigabitEthernet1/0/2] quit After the preceding configurations are complete, ARP packets received on interfaces...
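    The checks configured in the user validity and packet validity examples above amount to one per-frame decision on an untrusted port. The following Python is an added example, not code from the HP guide: it builds constructed Ethernet/ARP frames, applies the dst-mac, ip and src-mac validity checks, then the user validity check against a binding table, and skips both on trusted ports. The bindings, port names, MAC addresses and the order in which the two checks run are this example's choices.

```python
"""ARP detection: packet validity check and user validity check (added example)."""
import ipaddress
import struct

ETH_ARP = 0x0806
REQUEST, REPLY = 1, 2
BROADCAST_MAC = "ffff-ffff-ffff"


def mac_str(raw):
    h = raw.hex()
    return "%s-%s-%s" % (h[0:4], h[4:8], h[8:12])       # Comware style 0001-0203-0406


def mac_bytes(text):
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def build_frame(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Constructed Ethernet + ARP frame (no FCS) for the demonstration."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += mac_bytes(sha) + ipaddress.IPv4Address(spa).packed
    arp += mac_bytes(tha) + ipaddress.IPv4Address(tpa).packed
    return eth + arp


def parse_frame(frame):
    """Return the ARP fields as a dict, or None for non-ARP or short frames."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_ARP:
        return None
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "oper": oper,
            "sha": mac_str(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(ipaddress.IPv4Address(tpa))}


def _invalid_ip(text):
    addr = ipaddress.IPv4Address(text)
    return (addr == ipaddress.IPv4Address("0.0.0.0")
            or addr == ipaddress.IPv4Address("255.255.255.255") or addr.is_multicast)


def validity_check(p, checks=("dst-mac", "ip", "src-mac")):
    """ARP packet validity check. Returns None if the packet passes, else the reason.

    src-mac: sender MAC in the ARP body must equal the Ethernet source address.
    dst-mac: for replies, target MAC in the body must equal the Ethernet destination.
    ip: all-zero, all-one or multicast sender IP (and target IP of replies) is invalid."""
    if "src-mac" in checks and p["sha"] != p["eth_src"]:
        return "src-mac mismatch"
    if "dst-mac" in checks and p["oper"] == REPLY and p["tha"] != p["eth_dst"]:
        return "dst-mac mismatch"
    if "ip" in checks and (_invalid_ip(p["spa"])
                           or (p["oper"] == REPLY and _invalid_ip(p["tpa"]))):
        return "invalid ip address"
    return None


def user_validity_check(p, port, bindings):
    """Sender IP/MAC must match a binding learned on this port (DHCP snooping or 802.1X)."""
    return (p["spa"], p["sha"]) in bindings.get(port, set())


def arp_detection(frame, port, trusted, bindings, checks=("dst-mac", "ip", "src-mac")):
    """Return ('forward' | 'drop', reason) for a frame received on a port of an
    ARP-detection VLAN. Packet validity runs before user validity here; that
    order is this example's choice."""
    p = parse_frame(frame)
    if p is None:
        return "forward", "not an ARP packet"
    if port in trusted:
        return "forward", "trusted port"
    reason = validity_check(p, checks)
    if reason:
        return "drop", reason
    if not user_validity_check(p, port, bindings):
        return "drop", "sender not in binding table"
    return "forward", "ok"


# Constructed bindings: Host A on GE1/0/1 obtained 10.1.1.2 through DHCP snooping.
BINDINGS = {"GE1/0/1": {("10.1.1.2", "0001-0203-0406")}}
TRUSTED = {"GE1/0/3"}        # uplink towards the gateway and DHCP server
```

    A trusted port bypasses everything, so the gateway's own ARP replies must arrive on one; if the uplink were left untrusted, every gateway reply would fail the user validity check and hosts would lose their default route.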
  • Page 275: Configuration Procedure

    • Use the arp fixup command to change the existing dynamic ARP entries into static ARP entries. You can use this command again to change the dynamic ARP entries learned later into static ARP entries.
    • The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the device supports.
  • Page 276: Configuring Nd Attack Defense

    Configuring ND attack defense Overview The IPv6 ND protocol provides many functions, such as address resolution, neighbor reachability detection, duplicate address detection, router/prefix discovery and address auto-configuration, and redirection. However, it does not provide security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets.
  • Page 277: Enabling Source Mac Consistency Check For Nd Packets

    • The mapping between the source IPv6 address and the source MAC address in the Ethernet frame header is invalid.
    The source MAC consistency check feature can identify forged ND packets.
    Enabling source MAC consistency check for ND packets
    CAUTION: If VRRP is used, disable source MAC consistency check for ND packets to prevent incorrect dropping of packets.
  • Page 278: Configuring Urpf

    Configuring URPF Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers do not receive response packets, they are still disruptive.
  • Page 279 Figure 105 URPF work flow URPF works in the following steps: URPF checks source address validity: Discards packets with a source broadcast address. Discards packets with an all-zero source address but a non-broadcast destination address. (A packet with source address 0.0.0.0 and destination address 255.255.255.255 might be a DHCP or BOOTP packet and cannot be discarded.)
  • Page 280 Proceeds to step 2 for other packets. URPF checks whether the source address matches a FIB entry: If yes, proceeds to step 3. If not, proceeds to step 6. URPF checks whether the check mode is loose: If yes, proceeds to step 8. If not, URPF checks whether the matching route is a direct route: if yes, proceeds to step 5;...
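    The following Python is an added example, not code from the HP guide, of the work flow above against a small FIB: the source address sanity checks first (broadcast source, all-zero source with the DHCP/BOOTP exemption), then the reverse-path lookup, with strict mode also requiring the reverse path to leave through the interface the packet arrived on. The routing table and interface names are constructed, and the allow_default flag (whether a source matching only the default route counts as routable) is this example's parameter, not a switch command.

```python
"""URPF source-address check, strict and loose modes (added example)."""
import ipaddress

BROADCAST = ipaddress.IPv4Address("255.255.255.255")
ALL_ZERO = ipaddress.IPv4Address("0.0.0.0")


class Fib:
    def __init__(self):
        self.routes = []                       # (IPv4Network, outgoing interface)

    def add(self, prefix, out_iface):
        self.routes.append((ipaddress.IPv4Network(prefix), out_iface))

    def lookup(self, addr):
        """Longest-prefix match; returns (network, out_iface) or None."""
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best


def urpf_check(fib, src, dst, in_iface, mode, allow_default=False):
    """Return (forward: bool, reason: str) for a packet received on in_iface.

    mode is 'strict' or 'loose'. allow_default is this example's switch for
    accepting a source that only the default route can reach."""
    if mode not in ("strict", "loose"):
        raise ValueError(mode)
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    # Step 1: source address validity
    if src == BROADCAST:
        return False, "broadcast source address"
    if src == ALL_ZERO:
        if dst == BROADCAST:
            return True, "0.0.0.0 -> 255.255.255.255 (DHCP/BOOTP) exempt"
        return False, "all-zero source with non-broadcast destination"
    # Step 2: does the source address match a FIB entry?
    hit = fib.lookup(src)
    if hit is None:
        return False, "no route back to source"
    net, out_iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False, "source matches only the default route"
    # Step 3: loose mode is satisfied by any route; strict also checks the interface
    if mode == "loose":
        return True, "loose: source reachable via %s" % out_iface
    if out_iface == in_iface:
        return True, "strict: reverse path matches ingress interface"
    return False, "strict: reverse path is %s but packet arrived on %s" % (out_iface, in_iface)


def example_fib():
    """Constructed routing table for the demonstration."""
    fib = Fib()
    fib.add("10.1.0.0/16", "GE1/0/1")     # customer A behind GE1/0/1
    fib.add("10.2.0.0/16", "GE1/0/2")     # customer B behind GE1/0/2
    fib.add("10.2.7.0/24", "GE1/0/4")     # more specific, different interface
    fib.add("0.0.0.0/0", "GE1/0/3")       # default towards the Internet
    return fib


if __name__ == "__main__":
    fib = example_fib()
    for args in (("10.1.5.5", "10.2.1.1", "GE1/0/1", "strict"),
                 ("10.1.5.5", "10.2.1.1", "GE1/0/2", "strict"),
                 ("10.1.5.5", "10.2.1.1", "GE1/0/2", "loose")):
        print(args, urpf_check(fib, *args))
```

    The two modes trade coverage for safety: strict catches a spoofed source arriving on the wrong side of the router but breaks legitimately asymmetric paths, which is why loose is the usual choice on multi-homed edges and strict on single-homed customer ports.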
  • Page 281: Network Application

    Enable URPF check globally. ip urpf { loose | strict } interface by default. After you enable the URPF function on the HP 10500 device, the routing table size may decrease by half on the following MPUs and LPUs. See Table...
  • Page 282: Urpf Configuration Example

    Table 14 MPUs and LPUs
    MPU model | LPU model | Half reduction of routing table size occurs on…
    • SC LPU (with the last two letters of the LPU model being SC, such as LSU1TGS16SC)
    • SE LPU (with the last two letters of the LPU model being SE, such as LSU1TGS8SE)
    •...
  • Page 283: Configuring Mff

    Configuring MFF Traditional Ethernet networking solutions use VLAN technology to isolate users at Layer 2 and to allow them to communicate at Layer 3. However, when a large number of hosts need to be isolated at Layer 2, many VLAN resources are occupied, and many IP addresses are used because you have to assign a network segment for each VLAN and an IP address for each VLAN interface for Layer 3 communication.
  • Page 284: Basic Concepts

    Basic concepts An MFF-enabled device provides two types of ports: user ports and network ports. User port An MFF user port is directly connected to a host and processes packets as follows: Allows DHCP packets and multicast packets to pass. •...
  • Page 285: Mff Work Flow

    entry. If the DHCP ACK message contains multiple gateway addresses, only the first one is recorded for the entry. If the message contains no gateway IP address, the first gateway recorded by the current VLAN is used. In MFF automatic mode, a VLAN can learn and maintain up to 20 gateways. The gateway IP addresses will not be updated, and the gateway information does not age out unless MFF is disabled.
  • Page 286 Step Command Remarks
    • Enter system view. Command: system-view.
    • Enter port view. Command: interface interface-type interface-number.
    • Configure the port as a network port. Command: mac-forced-forwarding network-port. By default, the port is a user port.
    Enabling periodic gateway probe You can configure the MFF device to probe the gateways periodically and detect changes of their MAC addresses. This feature is supported by MFF manual mode and MFF automatic mode.
  • Page 287: Displaying And Maintaining Mff

    Displaying and maintaining MFF
    Task Command Remarks
    • Display MFF port configuration information. Command: display mac-forced-forwarding interface [ | { begin | exclude | include } regular-expression ]. Available in any view.
    • Display the MFF configuration. Command: display mac-forced-forwarding vlan vlan-id [ | { begin | exclude | include } regular-expression ]. Available in any view.
  • Page 288: Configuring Auto-Mode Mff In A Ring Network

    [Device-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.0 # Add the gateway's IP address into DHCP address pool 1. [Device-dhcp-pool-1] gateway-list 10.1.1.100 [Device-dhcp-pool-1] quit # Configure the IP address of GigabitEthernet 1/0/2. [Device] interface gigabitethernet 1/0/2 [Device-GigabitEthernet1/0/2] ip address 10.1.1.50 24 Configure Switch A: # Enable DHCP snooping.
  • Page 289 Figure 110 Network diagram (gateway 10.1.1.100/24, DHCP server 10.1.1.50/24, Switches A, B and C forming the ring, Hosts A, B and C)
    Configuration procedure Configure the IP address of GigabitEthernet 1/0/1 on the gateway. <Gateway>...
  • Page 290: Configuring Manual-Mode Mff In A Tree Network

    [SwitchA-GigabitEthernet1/0/2] dhcp-snooping trust [SwitchA-GigabitEthernet1/0/2] quit # Configure GigabitEthernet 1/0/3 as a network port. [SwitchA] interface gigabitethernet 1/0/3 [SwitchA-GigabitEthernet1/0/3] mac-forced-forwarding network-port # Configure GigabitEthernet 1/0/3 as a DHCP snooping trusted port. [SwitchA-GigabitEthernet1/0/3] dhcp-snooping trust no-user-binding Configure Switch B: # Enable DHCP snooping. <SwitchB>...
  • Page 291 Figure 111 Network diagram Configuration procedure Configure IP addresses of the hosts as shown in Figure 111. Configure the IP address of GigabitEthernet 1/0/1 on the gateway. <Gateway> system-view [Gateway] interface gigabitethernet 1/0/1 [Gateway-GigabitEthernet1/0/1] ip address 10.1.1.100 24 Configure Switch A: # Configure manual-mode MFF.
  • Page 292: Configuring Manual-Mode Mff In A Ring Network

    Configuring manual-mode MFF in a ring network Network requirements As shown in Figure 112, all the devices are in VLAN 100, and the switches form a ring. Hosts A, B, and C are assigned IP addresses manually. Configure MFF to isolate the hosts at Layer 2 and allow them to communicate with each other through the gateway.
  • Page 293 Configure Switch B: # Enable STP. [SwitchB] stp enable # Configure manual-mode MFF. [SwitchB] vlan 100 [SwitchB-vlan-100] mac-forced-forwarding default-gateway 10.1.1.100 # Specify the IP address of the server. [SwitchB-vlan-100] mac-forced-forwarding server 10.1.1.200 # Enable ARP snooping. [SwitchB-vlan-100] arp-snooping enable [SwitchB-vlan-100] quit # Configure GigabitEthernet 1/0/4 and GigabitEthernet 1/0/6 as network ports.
  • Page 294: Configuring Password Control

    Configuring password control Password control refers to a set of functions provided by the local authentication server to control user login passwords, super passwords, and user login status based on predefined policies. The rest of this section describes password control functions in detail. Minimum password length •...
  • Page 295 With this feature enabled, the system keeps a record of the passwords a user has used. When a user changes the password, the system checks the new password against the recorded passwords and the current password. The new password must be different from the used ones by at least four characters and the four characters must not be the same.
  • Page 296: Fips Compliance

    password must contain characters of one type, level 2 at least two types, and so on. (Non-FIPS means the device does not operate in FIPS mode or the device runs a software release that does not support the FIPS mode.) When a user sets or changes the password, the system checks if the password meets the composition requirement.
  • Page 297: Enabling Password Control

    • Global settings in system view apply to all local user passwords and super passwords.
    • Settings in user group view apply to the passwords of all local users in the user group.
    • Settings in local user view apply to only the password of the local user.
    •...
  • Page 298: Setting Global Password Control Parameters

    For security purposes, the system prompts Telnet, SSH, and terminal users to change their passwords the first time they log in to the device after global password control is enabled. Because FTP users can only have their passwords changed by the administrator, if the administrator does not change the passwords of the FTP users after global password control is enabled, the FTP users cannot log in to the device.
  • Page 299: Setting User Group Password Control Parameters

    Step Command Remarks
    • Configure the password composition policy. Command (in non-FIPS mode): password-control composition type-number type-number [ type-length type-length ]. Optional. By default, a password must contain at least one type of characters and each type must contain at least one character.
    •...
  • Page 300: Setting Local User Password Control Parameters

    Step Command Remarks
    • Configure the password aging time for the user group. Command: password-control aging aging-time. Optional. By default, the aging time of the user group is the same as the global password aging time.
    • Configure the minimum password length for the user group. Command: password-control length length. Optional. By default, the minimum password length of the user group is the same...
  • Page 301: Setting Super Password Control Parameters

    Setting super password control parameters CLI commands fall into four levels: visit, monitor, system, and manage, in ascending order. Accordingly, login users fall into four levels, each corresponding to a command level. A user of a certain level can only use the commands at that level or lower levels.
  • Page 302: Password Control Configuration Example

    Task Command Remarks
    • Display information about users in the password control blacklist. Command: display password-control blacklist [ user-name name | ip ipv4-address | ipv6 ipv6-address ] [ | { begin | exclude | include } regular-expression ]. Available in any view.
    • Delete users from the password control blacklist. Command: reset password-control blacklist... Available in user view.
  • Page 303 # Specify that a user can log in five times within 60 days after the password expires. [Sysname] password-control expired-user-login delay 60 times 5 # Set the maximum account idle time to 30 days. [Sysname] password-control login idle-time 30 # Refuse any password that contains the username or the reverse of the username. [Sysname] password-control complexity user-name check # Specify that no character of the password can be repeated three or more times consecutively.
  • Page 304 User account idle-time: 30 days Login with aged password: 5 times in 60 day(s) Password complexity: Enabled (username checking) Enabled (repeated characters checking) # Display the password control configuration for super passwords. <Sysname> display password-control super Super password control configurations: Password aging: Enabled (30 days) Password length:...
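    The rules exercised in the example above can be checked ahead of time, for instance when an administrator sets passwords for FTP users who cannot change their own. The following Python is an added example, not code from the HP guide: one validator covering minimum length, the composition policy (type-number and type-length), the username check, the repeated-character check and the history rule. The default values and the reading of "four characters that must not be the same" as at least four distinct differing characters are this example's assumptions, not documented switch behaviour.

```python
"""Password control checks as a single validator (added example)."""


class PasswordPolicy:
    def __init__(self, min_length=10, type_number=1, type_length=1,
                 history_depth=4, username_check=True, max_repeat=2,
                 min_history_diff=4):
        self.min_length = min_length
        self.type_number = type_number       # character types required
        self.type_length = type_length       # characters needed for a type to count
        self.history_depth = history_depth   # old passwords remembered
        self.username_check = username_check
        self.max_repeat = max_repeat         # longest run of one character allowed
        self.min_history_diff = min_history_diff   # distinct differing characters

    @staticmethod
    def _type_counts(pw):
        counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
        for ch in pw:
            if ch.isupper():
                counts["upper"] += 1
            elif ch.islower():
                counts["lower"] += 1
            elif ch.isdigit():
                counts["digit"] += 1
            else:
                counts["special"] += 1
        return counts

    @staticmethod
    def _differing_chars(new, old):
        """Characters at positions where new and old differ, plus the tail of the longer one."""
        diff = [n for n, o in zip(new, old) if n != o]
        tail = new[len(old):] if len(new) > len(old) else old[len(new):]
        return diff + list(tail)

    def check(self, password, username="", history=()):
        """Return the list of violated rules; an empty list means the password is accepted.

        `history` holds the current password and earlier ones, newest last."""
        problems = []
        if len(password) < self.min_length:
            problems.append("length")
        types_present = sum(1 for n in self._type_counts(password).values()
                            if n >= self.type_length)
        if types_present < self.type_number:
            problems.append("composition")
        if self.username_check and username:
            low, user = password.lower(), username.lower()
            if user in low or user[::-1] in low:
                problems.append("username")
        run = 1
        for prev, cur in zip(password, password[1:]):
            run = run + 1 if cur == prev else 1
            if run > self.max_repeat:
                problems.append("repeated")
                break
        for old in list(history)[-self.history_depth:]:
            if len(set(self._differing_chars(password, old))) < self.min_history_diff:
                problems.append("history")
                break
        return problems


if __name__ == "__main__":
    policy = PasswordPolicy(type_number=3, type_length=2)
    for candidate in ("client001-Xyz!", "Passsword-2024", "abcdefg12AB"):
        print(candidate, policy.check(candidate, username="client001") or "ok")
```

    Note that the validator sees the history in clear text only because the caller hands it over; on the switch the stored history is a hash, and the same four-character rule is what makes the comparison possible there at all.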
  • Page 305: Configuring Fips

    Configuring FIPS The FIPS feature is available in Release 1208 and later versions. Overview Federal Information Processing Standards (FIPS), developed by the National Institute of Standards and Technology (NIST) of the United States, specify the requirements for cryptography modules. FIPS 140-2 defines four levels of security, simply named "Level 1"...
  • Page 306: Configuring Fips

    If the self-test fails, the device automatically reboots. Configuring FIPS To configure FIPS, complete the following tasks: Remove the existing key pairs and certificates. Enable the FIPS mode. Enable the password control function. Configure local user attributes (including local username, service type, password, and so on) on the switch.
  • Page 307: Displaying And Maintaining Fips

    Task Command Remarks Trigger a self-test. fips self-test Disabled by default. Displaying and maintaining FIPS Task Command Remarks Display FIPS mode state. display fips status Available in any view. FIPS configuration example Network requirements PC connects to Switch through a console port. Configure Switch to operate in FIPS mode and create a local user for PC so that PC can log in to the switch.
  • Page 308 flash:/startup.cfg exists, overwrite? [Y/N]:y Validating file. Please wait......Saved the current configuration to mainboard device successfully. Configuration is saved to device successfully. [Sysname] quit # Reboot the switch. <Sysname> reboot CAUTION: After you enable the FIPS mode, be sure to create a local user and its password before you reboot the switch.
  • Page 309: Configuring Ipsec

    Configuring IPsec The term "router" in this document refers to both routers and Layer 3 switches. The IPsec feature is available only when the device is operating in FIPS mode. IPsec overview IP Security (IPsec) is a security framework defined by the Internet Engineering Task Force (IETF) for securing IP communications.
  • Page 310 Standard (AES), and authentication algorithms such as MD5 and SHA-1. The authentication function is optional to ESP. Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger because it also covers the immutable fields of the IP header. In practice, you can choose either or both security protocols. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH.
  • Page 311 Figure 114 Encapsulation by security protocols in different modes Authentication algorithms and encryption algorithms Authentication algorithms IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. IPsec peers respectively calculate message digests for each packet.
  • Page 312: Protocols and standards

    Protocols and standards Protocols and standards relevant to IPsec are as follows: • RFC 2401, Security Architecture for the Internet Protocol • RFC 2402, IP Authentication Header • RFC 2406, IP Encapsulating Security Payload • RFC 4552, Authentication/Confidentiality for OSPFv3 • ...
  • Page 313: Configuring ACLs

    Configure IPsec policies to associate data flows with IPsec transform sets and specify the SA negotiation mode, the peer IP addresses (the start and end points of the IPsec tunnel), the required keys, and the SA lifetime. Apply the IPsec policies to interfaces to finish IPsec configuration. Complete the following tasks to configure ACL-based IPsec: Task Remarks...
  • Page 314: Configuring an IPsec transform set

    When defining ACL rules for IPsec, follow these guidelines: • Permit only data flows that need to be protected and use the any keyword with caution. With the any keyword specified in a permit statement, all outbound traffic matching the permit statement will be protected by IPsec and all inbound IPsec packets matching the permit statement will be received and processed, but all inbound non-IPsec packets will be dropped.
  • Page 315: Configuring an IPsec policy

    Step: Specify the security protocol for the IPsec transform set. Command: transform { ah | ah-esp | esp } Remarks: Optional. ESP by default. You can specify security algorithms only after you specify a security protocol. For example, you can specify the ESP-specific security algorithms only when you select ESP as the security protocol.
  • Page 316 • The remote IP address configured on the local end must be the same as the IP address of the remote end. • At each end, configure parameters for both the inbound SA and the outbound SA and make sure that different SAs use different SPIs.
  • Page 317 Step Command Remarks: Command: • Configure an authentication key in hexadecimal for AH: sa authentication-hex { inbound | outbound } ah [ cipher | simple ] hex-key • Configure an authentication key in ... Remarks: Configure keys properly for the security protocol (AH or ESP) you have specified.
  • Page 318 Step: Assign IPsec transform sets to the IPsec policy. Command: transform-set ... Remarks: By default, an IPsec policy references no IPsec transform set. With SAs to be established through IKE negotiation, an IPsec policy can reference up to six IPsec transform sets. During negotiation, ...
  • Page 319: Applying an IPsec policy group to an interface

    NOTE: You cannot change the creation mode of an IPsec policy from manual to through IKE, or vice versa. To create an IPsec policy that uses IKE, delete the manual IPsec policy, and then use IKE to configure an IPsec policy.
  • Page 320: Enabling ACL checking of de-encapsulated IPsec packets

    Enabling ACL checking of de-encapsulated IPsec packets In tunnel mode, the IP packet that was encapsulated in an inbound IPsec packet may not be an object that is specified by an ACL to be protected. For example, a forged packet is not an object to be protected. If you enable ACL checking of de-encapsulated IPsec packets, all packets failing the checking will be discarded, improving the network security.
  • Page 321: Configuring packet information pre-extraction

    Step: Set the size of the IPsec anti-replay window. Command: ipsec anti-replay window width Remarks: Optional. 32 by default. Configuring packet information pre-extraction If you apply both an IPsec policy and QoS policy to an interface, by default, the interface first uses IPsec and then QoS to process IP packets, and QoS classifies packets by the headers of IPsec-encapsulated packets.
  • Page 322: Displaying and maintaining IPsec

    Displaying and maintaining IPsec Task: Display IPsec policy information. Command: display ipsec policy [ brief | name policy-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ] Remarks: Available in any view. Task: Display IPsec transform set ... Command: display ipsec transform-set [ transform-set-name ] [ | { begin | ... Remarks: Available in any view.
  • Page 323 <SwitchA> system-view [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ip address 2.2.2.1 255.255.255.0 [SwitchA-Vlan-interface1] quit # Define an ACL to identify data flows between Switch A and Switch B. [SwitchA] acl number 3101 [SwitchA-acl-adv-3101] rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0 [SwitchA-acl-adv-3101] rule 5 permit ip source 2.2.3.1 0 destination 2.2.2.1 0 [SwitchA-acl-adv-3101] quit # Create an IPsec proposal named tran1.
  • Page 324 [SwitchB] acl number 3101 [SwitchB-acl-adv-3101] rule 0 permit ip source 2.2.3.1 0 destination 2.2.2.1 0 [SwitchB-acl-adv-3101] rule 5 permit ip source 2.2.2.1 0 destination 2.2.3.1 0 [SwitchB-acl-adv-3101] quit # Create an IPsec proposal named tran1. [SwitchB] ipsec proposal tran1 # Specify the encapsulation mode as tunnel. [SwitchB-ipsec-proposal-tran1] encapsulation-mode tunnel # Specify the security protocol as ESP.
  • Page 325: Configuring IKE

    Configuring IKE Unless otherwise specified, IKE in this chapter refers to IKEv1. The IKE feature is available only when the device is operating in FIPS mode. IKE overview Built on a framework defined by the Internet Security Association and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec, simplifying the application, management, configuration and maintenance of IPsec dramatically.
  • Page 326: IKE functions

    Figure 116 IKE exchange process in main mode As shown in Figure 116, the main mode of IKE negotiation in phase 1 involves three pairs of messages: • SA exchange, used for negotiating the security policy. • Key exchange, used for exchanging the Diffie-Hellman public value and other values like the ...
  • Page 327: Relationship between IKE and IPsec

    Relationship between IKE and IPsec Figure 117 Relationship between IKE and IPsec Figure 117 illustrates the relationship between IKE and IPsec: • IKE is an application layer protocol using UDP and functions as the signaling protocol of IPsec. • IKE negotiates SAs for IPsec and delivers negotiated parameters and generated keys to IPsec. • ...
  • Page 328: Configuring a name for the local security gateway

    Task Remarks (continued from previous page) Optional. Configuring an IKE proposal: Required if you want to specify an IKE proposal for an IKE peer to reference. Configuring an IKE peer: Required. Setting keepalive timers: Optional. Setting the NAT keepalive timer: Optional. Configuring a DPD detector: Optional.
  • Page 329: Configuring an IKE peer

    Step: Create an IKE proposal and enter its view. Command: ike proposal proposal-number Step: Specify an encryption algorithm for the IKE proposal. Command: encryption-algorithm aes-cbc [ key-length ] Remarks: Optional. 128-bit AES-CBC by default. Step: Specify an authentication method for the IKE proposal. Command: authentication-method { pre-share | rsa-signature } Remarks: Optional. Pre-shared key by default.
  • Page 330 To configure an IKE peer: Step: Enter system view. Command: system-view Step: Create an IKE peer and enter IKE peer view. Command: ike peer peer-name Step: Specify the IKE negotiation mode for phase 1. Command: exchange-mode main Remarks: Optional. main by default. Step: Specify the IKE proposals for the ... Command: proposal ... Remarks: Optional. By default, an IKE peer references ...
  • Page 331: Setting keepalive timers

    Step: Enable the NAT traversal function for IPsec/IKE. Command: nat traversal Remarks: Optional. Required when a NAT gateway is present in the VPN tunnel constructed by IPsec/IKE. Disabled by default. Step: Apply a DPD detector to the IKE peer. Remarks: Optional. No DPD detector is applied to an IKE peer by default.
  • Page 332: Configuring a DPD detector

    To set the NAT keepalive timer: Step: Enter system view. Command: system-view Step: Set the NAT keepalive interval. Command: ike sa nat-keepalive-timer interval seconds Remarks: 20 seconds by default. Configuring a DPD detector Dead peer detection (DPD) irregularly detects dead IKE peers. It works as follows: When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer.
  • Page 333: Displaying and maintaining IKE

    Displaying and maintaining IKE Task: Display IKE DPD information. Command: display ike dpd [ dpd-name ] [ | { begin | exclude | include } regular-expression ] Remarks: Available in any view. Task: Display IKE peer information. Command: display ike peer [ peer-name ] [ | ...
  • Page 334 [SwitchA] acl number 3101 [SwitchA-acl-adv-3101] rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0 [SwitchA-acl-adv-3101] rule 1 permit ip source 2.2.2.2 0 destination 1.1.1.1 0 [SwitchA-acl-adv-3101] quit # Create IPsec proposal tran1. [SwitchA] ipsec proposal tran1 # Set the packet encapsulation mode to tunnel. [SwitchA-ipsec-proposal-tran1] encapsulation-mode tunnel # Use security protocol ESP.
  • Page 335 [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ipsec policy map1 Configure Switch B: # Assign an IP address to VLAN-interface 1. <SwitchB> system-view [SwitchB] interface Vlan-interface1 [SwitchB-Vlan-interface1] ip address 2.2.2.2 255.255.255.0 [SwitchB-Vlan-interface1] quit # Configure ACL 3101 to identify traffic between Switch B and Switch A. [SwitchB] acl number 3101 [SwitchB-acl-adv-3101] rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.1 0 [SwitchB-acl-adv-3101] rule 1 permit ip source 1.1.1.1 0 destination 2.2.2.2 0...
  • Page 336: Troubleshooting IKE

    # Reference IPsec proposal tran1. [SwitchB-ipsec-policy-isakmp-use1-10] proposal tran1 # Reference ACL 3101 to identify the protected traffic. [SwitchB-ipsec-policy-isakmp-use1-10] security acl 3101 # Reference IKE peer peer. [SwitchB-ipsec-policy-isakmp-use1-10] ike-peer peer [SwitchB-ipsec-policy-isakmp-use1-10] quit # Apply the IPsec policy to VLAN-interface 1. [SwitchB] interface vlan-interface 1 [SwitchB-Vlan-interface1] ipsec policy use1 Verifying the configuration After the above configuration, send traffic from Switch B to Switch A.
  • Page 337: Failing to establish an IPsec tunnel

    got NOTIFY of type NO_PROPOSAL_CHOSEN drop message from A.B.C.D due to notification type NO_PROPOSAL_CHOSEN The two parties in the negotiation have no matched proposals. Solution For the negotiation in phase 1, look up the IKE proposals for a match. For the negotiation in phase 2, check whether the parameters of the IPsec policies applied on the interfaces are matched, and whether the referred IPsec transform sets have a match in protocol, encryption and authentication algorithms.
  • Page 338: Support and other resources

    Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. •...
  • Page 339: Conventions

    Conventions This section describes the conventions used in this documentation set. Command conventions: Boldface: Bold text represents commands and keywords that you enter literally as shown. Italic: Italic text represents arguments that you replace with actual values. Square brackets: enclose syntax choices (keywords or arguments) that are optional. Braces: enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...
  • Page 340 Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 341: Index

    Index 802.1X Message-Authentication attribute, 75 AAA for RADIUS server 802.1X user, 60 overview, 72 access control methods, 80 packet format, 73 access device as authentication initiator, 75 performing authentication (port security), 168 ACL assignment, 85 performing combined MAC/802.1X architecture, 72 authentication (port security), 168 ARP attack protection user validity and packet port authorization status, 72...
  • Page 342 ISP domain (AAA), 40 public key management, 191 configuring RADIUS related attributes, 136 anti-replay EAP-Message (802.1X), 75 configuring IPsec anti-replay, 310 HP proprietary RADIUS subattributes, 12 any authentication (SSH), 201 Message-Authentication (802.1X), 75 application (URPF network), 271 RADIUS, 11 applying...
  • Page 343 comparison of EAP relay and EAP termination re-DHCP process, 129 modes (802.1X), 76 setting 802.1X timeout timers, 89 configuring ISP domain method (AAA), 41 setting max number 802.1X authentication request configuring MAC authentication, 111, 113, 118 attempts, 88 configuring MAC authentication globally, 114 specifying 802.1X mandatory port authentication...
  • Page 344 client ACL for IPsec, 303 802.1X architecture, 72 ARP attack protection, 251 802.1X authentication client timeout timer, 89 ARP attack protection active acknowledgement, 802.1X configuration, 80, 85, 98 as authentication initiator (802.1X), 75 ARP attack protection against unresolvable IP configuring device as SSH SCP client, 215 attack, 252, 253 configuring device as SSH SFTP client, 212 ARP attack protection packet rate limit, 254...
  • Page 345 IPsec, 311 user profile, 188 port security, 166, 176 configuring password control, 284, 286, 292 port security autoLearn mode, 176 contacting HP, 328 port security features, 171 controlling port security intrusion protection, 172 controlled/uncontrolled port (802.1X), 72...
  • Page 346 delay Layer 3 portal authentication process, 127 MAC authentication delay configuration, 117 MFF network port, 274 delimiters (802.1X domain name), 97 MFF user port, 274 detecting portal authentication modes, 126 ARP attack protection source MAC address-based re-DHCP authentication process, 129 detection, 254, 255 relay (IPv4 source guard), 246 configuring ARP detection, 257...
  • Page 347 specifying 802.1X mandatory port authentication ACL checking for de-encapsulated IPsec packets, domain, 92 specifying 802.1X supported domain name ARP attack protection black hole routing, 252 delimiters, 97 FIPS mode, 296 specifying MAC authentication domain, 115 first-time SSH authentication, 209, 210 specifying portal authentication domain, 136 invalid SPI recovery, 311 DoS attack (URPF), 268...
  • Page 348 enabling IPv6 ND attack defense source MAC packet consistency check, 267 802.1X implementation, 80 IP source guard configuration, 236, 243 customer support and resources, 328 IPv4 source guard configuration, 238 document conventions, 329 IPv4 source guard DHCP relay configuration, 246 documents and manuals, 328 IPv4 source guard DHCP snooping configuration, icons used, 329...
  • Page 349 functions, 316 IP address identity authentication, 315 configuring ARP packet validity check, 258 identity protection, 315 configuring RADIUS security policy server, 29 maintaining, 323 IPv6 ND attack defense configuration, 266 operation, 315 RADIUS security policy server, 29 PFS feature, 315 specifying MFF server IP address, 276 protocols and standards, 317 specifying outgoing packet source IP address, 138...
  • Page 350 tunnel, 301 configuring portal server detection functions, 139 IPsec policy configuring user information synchronization applying, 309 (portal), 140 configuration (manual mode), 305 controlling portal user access, 134 configuring using IKE, 307 creating domain (AAA), 39 IPsec SA cross-subnet across VPNs portal authentication IPsec tunnel, 301 configuration, 163 setup modes, 301...
  • Page 351 portal authentication modes, 126 approaches, 111 portal authentication process, 127 configuration, 111, 113, 118 SSH MPLS L3VPN support, 202 configuration globally, 114 URPF configuration, 268, 271, 272 configuration on port, 114 local user (AAA), 16 configuring ACL assignment, 121 local user password control parameters, 290 configuring guest VLAN, 115...
  • Page 352 MPLS L3VPN (SSH), 202 setting HWTACACS packet shared keys, 35 multicast trigger (802.1X authentication), 91 setting RADIUS shared keys, 23 NA (ICMPv6 neighbor advertisement message), 266 message enabling RADIUS trap function, 30 configuring NAS ID-VLAN binding (AAA), 46 exchange process (HWTACACS), 7 Port-Type (RADIUS), 136 exchange process (RADIUS), 2 specifying interface NAS ID profile (RADIUS), 137...
  • Page 353 portal users RADIUS server port security userLoginWithOUI configuration, 178 configuration, 52 portal authentication configuration, 124 ARP attack protection configuration, 251 portal configuration, 142 ARP attack protection source MAC address-based portal server (IMC PLAT 5.0) configuration, 143, detection configuration, 255 ARP attack protection unresolvable IP attack portal server detection configuration, 157 defense configuration, 253 portal...
  • Page 354 verifying port security specifying HWTACACS accounting server, 34 macAddressElseUserLoginSecure configuration, specifying RADIUS accounting and parameters, verifying port security userLoginWithOUI super password control parameters, 291 configuration, 180 password verifying RADIUS-based MAC authentication SSH authentication, 201 configuration, 121 SSH password-publickey authentication, 201 verifying switch configuration, 162 switch as SFTP publickey authentication client NS (ICMPv6 neighbor solicitation message), 266...
  • Page 355 MAC authentication delay configuration, 117 modes, 166 MFF configuration, 273, 275, 277 need to know (NTK), 166 MFF network port, 274 performing 802.1X authentication, 168 MFF user port, 274 performing combined MAC/802.1X port security autoLearn configuration, 176 authentication, 168 port security macAddressElseUserLoginSecure...
  • Page 356 server, 125 configuring attack protection against server (IMC PLAT 5.0) configuration, 143, 158 unresolvable IP attack, 252, 253 server detection configuration, 157 configuring ARP attack protection source MAC setting max number online users, 135 address-based detection, 254, 255 specifying auto redirect URL for users, 138 configuring attack protection...
  • Page 357 configuring IPv4 source guard DHCP relay, 246 configuring portal server detection functions, 139 configuring IPv4 source guard DHCP snooping, configuring portal user information synchronization, 140, 157 configuring IPv4 source guard entry, 243 configuring portal-free rule, 134 configuring IPv4 source guard static entry, 239 configuring public keys, 195 configuring IPv6 ND attack defense, 266 configuring RADIUS accounting-on, 29...
  • Page 358 creating user profile, 188 establishing SSH Stelnet server connection, 210 destroying local asymmetric key pair (public key), exporting host public key in specific format to a file, disabling first-time SSH authentication, 209, 210 exporting local host public key, 192 disabling IKE next payload check, 322 FIPS configuration, 297 displaying FIPS, 297 generating local DSA key pair (SSH), 203...
  • Page 359 setting RADIUS traffic statistics units, 24 verifying IPv4 source guard DHCP relay setting RADIUS username format, 24 configuration, 247 setting rule timer (EAD fast deployment), 107 verifying IPv6 source guard static entry setting SSH management parameter, 207 configuration, 248 setting super password control parameters, 291 verifying local MAC authentication configuration, setting timer to control HWTACACS server 119...
  • Page 360 31 resource access restriction (portal authentication), enabling trap function, 30 extended attributes, 6 restricted forwarding (ARP), 257, 259, 262 HP proprietary subattributes, 12 ring network ignoring server authorization information (port auto-mode MFF configuration, 278 security), 175 manual-mode MFF configuration, 282...
  • Page 361 attack protection user validity check authentication and encryption algorithms (IPsec), configuration, 259 ARP restricted forwarding configuration, 262 check function (portal authentication), 124 auto-mode MFF in ring network configuration, 278 conditional self-test, 295 auto-mode MFF in tree network configuration, 277 configuring ACL for IPsec, 303 enabling ARP attack protection black hole routing, configuring IPsec, 302 configuring IPsec anti-replay, 310...
  • Page 362 setting a local user password in interactive mode, specifying accounting (HWTACACS), 34 specifying authorization (HWTACACS), 33 super password control parameters, 291 specifying HWTACACS authentication, 33 triggering self-test, 295, 296 specifying HWTACACS server's VPN, 35 verifying EAD fast deployment configuration, 109 specifying MFF server IP address, 276 security association.
  • Page 363 enabling server function (SSH), 204 configuring user, 206 establishing SSH SFTP server connection, 212 disabling first-time authentication, 209, 210 specifying source IP address/interface for SSH displaying, 216 SFTP client, 212 displaying SFTP help information, 214 SSH configuration, 200 enabling first-time authentication, 209, 210 switch publickey authentication...
  • Page 364 switch password authentication server configuring for HWTACACS server Telnet user configuration, 217 (AAA), 47 switch publickey authentication client HWTACACS message exchange process, 7 configuration, 227 level switching authentication for Telnet user switch publickey authentication server (HWTACACS), 66 configuration, 219 Stelnet (Secure Telnet), 200 strict check (URPF), 268 Stelnet configuration, 217 subnet...
  • Page 365 cannot configure secure MAC addresses (port any authentication (SSH), 206 security), 186 configuring (SSH), 206 cannot set port security mode, 186 configuring AAA group attributes, 19 EAD fast deployment, 110 configuring AAA local attributes, 17 IKE, 326 configuring ARP attack protection user validity and IKE ACL configuration error, 327 packet validity checks, 261 IKE invalid user ID, 326...
  • Page 366 troubleshooting cannot change port security mode MAC authentication ACL assignment configuration, when user online, 186 troubleshooting RADIUS accounting not normal, port security autoLearn mode configuration, 177 port security macAddressElseUserLoginSecure troubleshooting RADIUS configuration, 183 authentication/authorization fails, 69 port security userLoginWithOUI configuration, 180 validity check (ARP detection), 257 RADIUS-based MAC authentication configuration, user authentication...
  • Page 367 configuring a portal-free rule, 134 portal configuration, 142 configuring an authentication source subnet, 135 portal server (IMC PLAT 5.0) configuration, 143, configuring portal detection functions, 139 configuring portal server detection functions, 139 portal server detection configuration, 157 configuring user information synchronization portal support for EAP, 127 (portal), 140...