Page of 338
Download Table of ContentsContents Print This PagePrint Bookmark
HP 12500 Routing Switch Series
Security
Part number: 5998-2828
Software version: 12500-CMW520-R1825P01
Document version: 6W180-20130118

Advertising

   Related Manuals for HP 12500 Series

   Summary of Contents for HP 12500 Series

  • Page 1: Configuration Guide

    HP 12500 Routing Switch Series Security Configuration Guide Part number: 5998-2828 Software version: 12500-CMW520-R1825P01 Document version: 6W180-20130118...

  • Page 2

    The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.

  • Page 3: Table Of Contents

    Contents Security overview ························································································································································· 1   Network security threats ··················································································································································· 1   Network security services ················································································································································· 1   Network security technologies ········································································································································· 1   Identity authentication ·············································································································································· 1   Access security ·························································································································································· 2   Data security ····························································································································································· 2   Connection control ··················································································································································· 3  ...

  • Page 4: Table Of Contents

    EAP relay ································································································································································ 73   EAP termination ····················································································································································· 74   Configuring 802.1X ·················································································································································· 76   HP implementation of 802.1X ······································································································································ 76   Access control methods ········································································································································ 76   Using 802.1X authentication with other features ······························································································ 76   Configuration prerequisites ··········································································································································· 79  ...

  • Page 5: Table Of Contents

    Extended portal functions ··································································································································· 103   Portal system components ··································································································································· 103   Portal authentication mode ································································································································· 105   Portal authentication process ····························································································································· 106   Portal authentication across VPNs ····················································································································· 108   Portal configuration task list ········································································································································ 108   Configuration prerequisites ········································································································································· 109  ...

  • Page 6: Table Of Contents

    Managing public keys ············································································································································ 155   Overview ······································································································································································· 155   Public key configuration task list ································································································································· 156   Configuring a local asymmetric key pair on the local device ················································································· 156   Creating a local asymmetric key pair ··············································································································· 156   Displaying or exporting the local host public key ···························································································...

  • Page 7: Table Of Contents

    IKE configuration example ·········································································································································· 204   Troubleshooting IKE ····················································································································································· 205   Invalid user ID ······················································································································································ 206   Proposal mismatch ·············································································································································· 206   Failing to establish an IPsec tunnel ···················································································································· 206   ACL configuration error ······································································································································ 207   Configuring SSH ····················································································································································· 208  ...

  • Page 8: Table Of Contents

    Configuration procedure ···································································································································· 244   Verifying the configuration ································································································································· 244   Configuring TCP and ICMP attack protection ······································································································· 246   Overview ······································································································································································· 246   Enabling the SYN Cookie feature ······························································································································ 246   Enabling protection against Naptha attacks ············································································································· 247   Disabling forwarding ICMP fragments ······················································································································...

  • Page 9: Table Of Contents

    Authorized ARP configuration example (on a DHCP server) ·········································································· 270   Authorized ARP configuration example (on a DHCP relay agent) ································································ 272   Configuring ARP detection ·········································································································································· 273   Introduction ·························································································································································· 273   Enabling ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1x security entries/OUI MAC addresses ···············································································································...

  • Page 10: Table Of Contents

    Triggering a self-test ············································································································································ 320   Displaying and maintaining FIPS ······························································································································· 321   FIPS configuration example········································································································································· 321   Support and other resources ·································································································································· 323   Contacting HP ······························································································································································ 323   Subscription service ············································································································································ 323   Related information ······················································································································································ 323   Documents ···························································································································································· 323  ...

  • Page 11: Security Overview

    Security overview Many events happened on a network may bring threats to the network resource security, such as data confidentiality, data integrity, and data availability. Network security services provide solutions to remove or reduce the network security threats. Network security threats Information disclosure—Information is leaked to an unauthorized person or entity.

  • Page 12: Access Security

    With digital certificates, the PKI system provides network communication, e-commerce and e-Government with security services. HP's PKI system provides digital certificate management for IPsec and SSL. Access security 802.1X 802.1X is a port-based network access control protocol for securing wireless LANs (WLANs), and it has...

  • Page 13: Connection Control

    Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks. An attacker can exploit ARP vulnerabilities to attack network devices, such as faking a trusted user or gateway and ARP flooding attacks. HP has provided a comprehensive and effective solution against those attacks.

  • Page 14: Other Security Technologies

    Protection against Naptha attacks • Disabling ICMP fragment forwarding • Other security technologies The device also provides other network security technologies to implement a multifunctional and full range of security protection for users. For example, password control is a set of functions for enhancing the local password security, which controls user login passwords, super passwords, and user login status based on predefined policies.

  • Page 15: Configuring Aaa

    Configuring AAA FIPS compliance The switch supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. AAA overview Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management.

  • Page 16: Radius

    You can choose the three security functions provided by AAA as needed. For example, if your company only wants employees to be authenticated before they access specific resources, you only need to configure an authentication server. If network usage information is needed, you must also configure an accounting server.

  • Page 17

    A RADIUS server supports multiple user authentication methods, such as the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP). Moreover, a RADIUS server can act as the client of another AAA server to provide authentication proxy services. Basic message exchange process Figure 3 illustrates the interactions between the host, the RADIUS client, and the RADIUS server.

  • Page 18

    RADIUS packet format RADIUS uses UDP to transmit messages. To ensure smooth message exchange between the RADIUS server and the client, RADIUS uses a series of mechanisms, including the timer management mechanism, the retransmission mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet format.

  • Page 19

    The Authenticator field (16 bytes long) is used to authenticate replies from the RADIUS server and to encrypt user passwords. There are two types of authenticators: request authenticator and response authenticator. The Attributes field (variable in length) carries the specific authentication, authorization, and accounting information that defines the configuration details of the request or response.

  • Page 20

    Vendor-ID—ID of the vendor. Its most significant byte is 0; the other three bytes contains a code that • is compliant to RFC 1700. The vendor ID of HP is 25506. For more information about the proprietary RADIUS sub-attributes of HP, see "HP proprietary RADIUS...

  • Page 21: Hwtacacs

    Figure 5 Segment of a RADIUS packet containing an extended attribute HWTACACS HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server.

  • Page 22

    Figure 6 Basic message exchange process for a Telnet user Host HWTACACS client HWTACACS server 1) The user logs in 2) Start-authentication packet 3) Authentication response requesting the username 4) Request for username 5) The user inputs the username 6) Authentication continuance packet with the username 7) Authentication response requesting the login password...

  • Page 23: Domain-based User Management

    The user enters the password. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that carries the login password. The HWTACACS server sends back an authentication response to indicate that the user has passed authentication. The HWTACACS client sends the user authorization request packet to the HWTACACS server.

  • Page 24: Aaa Across Mpls L3vpns

    Portal users—Users who must pass portal authentication to access the network. • PPP users—Users who access through PPP. • In addition, AAA provides the following services for login users to enhance switch security: Command authorization—Enables the NAS to defer to the authorization server to determine •...

  • Page 25: Radius Attributes

    Maximum idle time permitted for the user before termination of the session. Identification of the user that the NAS sends to the server. For the LAN access Calling-Station-Id service provided by an HP device, this attribute carries the MAC address of the user in the format HHHH-HHHH-HHHH. NAS-Identifier...

  • Page 26

    Access-Requests. This attribute is used when RADIUS supports EAP ator authentication. NAS-Port-Id String for describing the port of the NAS that is authenticating the user. HP proprietary RADIUS sub-attributes Sub-attribute Description Input-Peak-Rate Peak rate in the direction from the user to the NAS, in bps.

  • Page 27

    Sub-attribute Description Operation for the session, used for session control. It can be: • 1—Trigger-Request. • 2—Terminate-Request. Command • 3—SetPolicy. • 4—Result. • 5—PortalClear. Identification for retransmitted packets. For retransmitted packets of the same session, this attribute must take the same value; for retransmitted packets of different sessions, this attribute may take the same value.

  • Page 28: Aaa Configuration Considerations And Task List

    Sub-attribute Description Backup-NAS-IP Backup source IP address for sending RADIUS packets. Product_ID Product name. AAA configuration considerations and task list To configure AAA, you must complete these tasks on the NAS: Configure the required AAA schemes: Local authentication—Configure local users and the related attributes, including the usernames and passwords of the users to be authenticated.

  • Page 29: Configuring Aaa Schemes

    Task Remarks schemes Complete at least one task. Configuring RADIUS schemes Configuring HWTACACS schemes Creating an ISP domain Required. Configuring ISP domain attributes Optional. Configuring AAA authentication methods for Configuring AAA an ISP domain methods for ISP domains Required. Configuring AAA authorization methods for an ISP domain Complete at least one task.

  • Page 30

    Each local user belongs to a local user group and bears all attributes of the group, such as the password control attributes and authorization attributes. For more information about local user group, see "Configuring user group attributes." Password control attributes. •...

  • Page 31

    (password) or no authentication (none), which commands a login user can use after login depends on the level configured for the user interface (set by the user privilege level command in user interface view). For an SSH user using public key authentication, which commands are available depends on the level configured for the user interface.

  • Page 32

    Step Command Remarks Optional. By default, the local user uses password control attributes of the user group to which the local user belongs, and uses the global setting for any password • Set the password aging control attribute that is not configured in time: the user group.

  • Page 33

    Step Command Remarks Optional. Set the validity time of the validity-date time local user. Not set by default. Optional. Set the expiration time of expiration-date time the local user. Not set by default. Optional. Assign the local user to a group group-name By default, a local user belongs to the user group.

  • Page 34: Configuring Radius Schemes

    Step Command Remarks Optional. authorization-attribute { acl acl-number | callback-number By default, no authorization Configure the authorization attribute is configured for a user callback-number | idle-cut minute attributes for the user group. group. | level level | user-profile profile-name | vlan vlan-id | The switch does not support the work-directory directory-name } * user-profile keyword.

  • Page 35

    Task Remarks Specifying the RADIUS authentication/authorization servers Required. Specifying the RADIUS accounting servers and the relevant parameters Optional. Specifying the shared keys for secure RADIUS communication Optional. Specifying the VPN to which the servers belongs Optional. Setting the username format and traffic statistics units Optional.

  • Page 36

    The IP addresses of the primary and secondary authentication/authorization servers for a scheme • must be different from each other. Otherwise, the configuration fails. All servers for authentication/authorization and accounting, primary or secondary, must use IP • addresses of the same IP version. A RADIUS authentication/authorization server can simultaneously serve as the primary server in •...

  • Page 37

    RADIUS does not support accounting for FTP users. • To specify RADIUS accounting servers and set relevant parameters for a scheme: Step Command Remarks Enter system view. system-view Enter RADIUS scheme radius scheme radius-scheme-name view. • Specify the primary RADIUS accounting server: primary accounting { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher |...

  • Page 38

    Specifying the VPN to which the servers belongs After you specify a VPN for a RADIUS scheme, all the authentication/authorization/accounting servers specified for the scheme belong to the VPN. However, if you also specify a VPN when specifying a server for the scheme, the server belongs to the specific VPN.

  • Page 39

    Standard—Uses the standard RADIUS protocol, compliant to RFC 2865 and RFC 2866 or later. • Extended—Uses the proprietary RADIUS protocol of HP. • When the RADIUS server runs on IMC, you must set the RADIUS server type to extended. When the RADIUS server is implemented by third-party RADIUS server software, either RADIUS server type applies.

  • Page 40

    Setting the status of RADIUS servers By setting the status of RADIUS servers to blocked or active, you can control which servers the switch will communicate with for authentication, authorization, and accounting or turn to when the current servers are not available anymore. In practice, you can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers functioning as the backup of the primary servers.

  • Page 41

    Step Command Remarks • Set the status of the primary RADIUS authentication/authorization server: state primary authentication { active | block } • Set the status of the primary RADIUS accounting server: state primary accounting { active | Optional. block } Set the status of RADIUS •...

  • Page 42

    Step Command Remarks radius nas-ip { ip-address | ipv6 By default, the IP address of the Specify a source IP address ipv6-address } [ vpn-instance outbound interface is used as the for outgoing RADIUS packets. vpn-instance-name ] source IP address. To specify a source IP address for a specific RADIUS scheme: Step Command...

  • Page 43

    Configuring the IP address of the security policy server The core of the HP EAD solution is integration and cooperation, and the security policy server is the management and control center. Using a collection of software, the security policy server provides functions such as user management, security policy management, security status assessment, security cooperation control, and security event audit.

  • Page 44

    The NAS checks the validity of received control packets and accepts only control packets from known servers. To use a security policy server that is independent of the AAA servers, you must configure the IP address of the security policy server on the NAS. To implement all EAD functions, configure both the IP address of the IMC security policy server and that of the IMC Platform on the NAS.

  • Page 45: Displaying And Maintaining Radius

    To enable the trap function for RADIUS: Step Command Remarks Enter system view. system-view radius trap { accounting-server-down | Enable the trap authentication-error-threshold | Disabled by default. function for RADIUS. authentication-server-down } Enabling the RADIUS client service To receive and send RADIUS packets, enable the RADIUS client service on the device. If RADIUS is not required, disable the RADIUS client service to avoid attacks that exploit RADIUS packets.

  • Page 46: Configuring Hwtacacs Schemes

    Task Command Remarks display stop-accounting-buffer { radius-scheme radius-server-name | Display information about buffered session-id session-id | time-range stop-accounting requests for which no start-time stop-time | user-name Available in user view. responses have been received. (In IRF user-name } [ chassis chassis-number mode) slot slot-number ] [ | { begin | exclude | include } regular-expression ]...

  • Page 47

    Task Remarks Displaying and maintaining HWTACACS Optional. Creating an HWTACACS scheme The HWTACACS protocol is configured on a per scheme basis. Before performing other HWTACACS configurations, follow these steps to create an HWTACACS scheme and enter HWTACACS scheme view: Step Command Remarks Enter system view.

  • Page 48

    NOTE: An HWTACACS server can function as the primary authentication server of one scheme and as the • secondary authentication server of another scheme at the same time. • The IP addresses of the primary and secondary authentication servers cannot be the same. Otherwise, the configuration fails.

  • Page 49

    stop-accounting request until it receives a response or the number of stop-accounting attempts reaches the configured limit. In the latter case, the switch discards the packet. Follow these guidelines when you configure HWTACACS accounting servers: An HWTACACS server can function as the primary accounting server in one scheme and as a •...

  • Page 50

    NOTE: A shared key configured on the switch must be the same as that configured on the HWTACACS server. Specifying the VPN to which the servers belong After you specify a VPN for an HWTACACS scheme, all the authentication, authorization, and accounting servers specified for the scheme belong to the VPN.

  • Page 51

    NOTE: If an HWTACACS server does not support a username with the domain name, configure the switch to • remove the domain name before sending the username to the server. • For level switching authentication, the user-name-format keep-original and user-name-format without-domain commands produce the same result.

  • Page 52

    Setting timers for controlling communication with HWTACACS servers The switch uses the following timers to control the communication with an HWTACACS server: Server response timeout timer (response-timeout)—Defines HWTACACS request • retransmission interval. After sending an HWTACACS request (authentication, authorization, or accounting request), the switch starts this timer.

  • Page 53: Configuring Aaa Methods For Isp Domains

    Task Command Remarks display stop-accounting-buffer Display information about buffered hwtacacs-scheme stop-accounting requests for which no hwtacacs-scheme-name [ slot Available in any view. responses have been received. (In slot-number ] [ | { begin | exclude | standalone mode) include } regular-expression ] display stop-accounting-buffer Display information about buffered hwtacacs-scheme...

  • Page 54: Configuring Isp Domain Attributes

    structures, different service types, and different rights. To distinguish the users of different ISPs, configure ISP domains, and configure different AAA methods and domain attributes for the ISP domains. On a NAS, each user belongs to an ISP domain. A NAS can accommodate up to 16 ISP domains, including the system predefined ISP domain system.

  • Page 55: Configuring Aaa Authentication Methods For An Isp Domain

    Step Command Remarks Specify the maximum number Optional. access-limit enable of active users in the ISP max-user-number No limit by default. domain. Optional. Disabled by default. Configure the idle cut function. idle-cut enable minute [ flow ] This command is effective for only LAN users and portal users.

  • Page 56

    The authentication method specified with the authentication default command is for all types of • users and has a priority lower than that for a specific access type. With an authentication method that references a RADIUS scheme, AAA accepts only the •...

  • Page 57: Configuring Aaa Authorization Methods For An Isp Domain

    Step Command Remarks authentication super Optional. Specify the authentication { hwtacacs-scheme method for privilege level hwtacacs-scheme-name | The default authentication method switching. radius-scheme is used by default. radius-scheme-name } Configuring AAA authorization methods for an ISP domain In AAA, authorization is a separate process at the same level as authentication and accounting. Its responsibility is to send authorization requests to the specified authorization servers and to send authorization information to users after successful authorization.

  • Page 58: Configuring Aaa Accounting Methods For An Isp Domain

    If you specify only the local or none keyword in an authorization method configuration command, • the switch has no backup authorization method and performs only local authorization or does not perform any authorization. To configure AAA authorization methods for an ISP domain: Step Command Remarks...

  • Page 59

    Remote accounting (scheme)—The access device works with a RADIUS server or HWTACACS • server for accounting of users. You can configure local or no accounting as the backup method, which will be used when the remote server is not available. By default, an ISP domain uses the local accounting method.

  • Page 60: Tearing Down User Connections

    Step Command Remarks Optional. accounting lan-access { local | none | The default accounting method Specify the accounting radius-scheme radius-scheme-name is used by default. method for LAN users. [ local | none ] } The none keyword is not supported in FIPS mode. Optional.

  • Page 61: Aaa Configuration Examples

    Task Command Remarks display connection [ access-type { dot1x | mac-authentication | portal } | domain isp-name | interface interface-type Display information about user interface-number | ip ip-address | mac connections. (In standalone Available in any view. mac-address | ucibindex ucib-index | mode) user-name user-name | vlan vlan-id ] [ slot slot-number ] [ | { begin | exclude | include }...

  • Page 62: Aaa For Telnet Users By Separate Servers

    Configuring the switch # Assign IP addresses to the interfaces. (Details not shown.) # Enable the Telnet server on the switch. <Switch> system-view [Switch] telnet server enable # Configure the switch to use AAA for Telnet users. [Switch] user-interface vty 0 4 [Switch-ui-vty0-4] authentication-mode scheme [Switch-ui-vty0-4] quit # Create HWTACACS scheme hwtac.

  • Page 63

    Figure 11 Network diagram Configuring the switch # Assign IP addresses to interfaces. (Details not shown.) # Enable the Telnet server on the switch. <Switch> system-view [Switch] telnet server enable # Configure the switch to use AAA for Telnet users. [Switch] user-interface vty 0 4 [Switch-ui-vty0-4] authentication-mode scheme [Switch-ui-vty0-4] quit...

  • Page 64: Authentication/authorization For Ssh/telnet Users By A Radius Server

    Verifying the configuration Telnet to the switch as a user and enter the username hello@bbb and the correct password. You pass authentication and log in to the switch. Issuing the display connection command on the switch, you can see information about the user connection. Authentication/authorization for SSH/Telnet users by a RADIUS server NOTE:...

  • Page 65

    Select Device Management Service as the service type. Select HP(General) as the access device type. Select the access device from the device list or manually add the device with the IP address 10.1.1.2. Click OK. NOTE: The IP address of the access device specified here must be the same as the source IP address of the RADIUS...

  • Page 66

    Figure 14 Adding an account for device management Configure the switch # Configure the IP address of VLAN interface 2, through which the SSH user accesses the switch. <Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 [Switch-Vlan-interface2] quit # Configure the IP address of VLAN-interface 3, through which the switch access the server.

  • Page 67: Aaa For 802.1x Users By A Radius Server

    [Switch] radius scheme rad # Specify the primary authentication server. [Switch-radius-rad] primary authentication 10.1.1.1 1812 # Set the shared key for secure authentication communication to expert. [Switch-radius-rad] key authentication expert # Specify the scheme to include the domain names in usernames to be sent to the RADIUS server. [Switch-radius-rad] user-name-format with-domain # Specify the service type for the RADIUS server, which must be extended when the RADIUS server runs on IMC.

  • Page 68

    Set the ports for authentication to 1812. Select LAN Access Service as the service type. Select HP(General) as the access device type. Select the access device from the device list or manually add the device with the IP address 10.1.1.2.

  • Page 69

    Figure 16 Adding an access device # Add a service. Click the Service tab, and select User Access Manager > Service Configuration from the navigation tree. Then, click Add to configure a service as follows: Add a service named Dot1x auth, and set the service suffix to bbb, the authentication domain for the 802.1X user.

  • Page 70

    Click the User tab, and select Access User View > All Access Users from the navigation tree to enter the All Access Users page. Then, click Add to configure a user as follows: Select the user or add a user named hello. Specify the account name as dot1x and configure the password.

  • Page 71

    [Switch-isp-bbb] authentication lan-access radius-scheme rad [Switch-isp-bbb] authorization lan-access radius-scheme rad [Switch-isp-bbb] accounting lan-access radius-scheme rad [Switch-isp-bbb] quit # Configure bbb as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at login, the authentication methods of the default domain will be used for the user.

  • Page 72: Level Switching Authentication For Telnet Users By An Hwtacacs Server

    Port Type=Ethernet,Port Name=GigabitEthernet3/0/1 Initial VLAN=2, Authorized VLAN=4 ACL Group=Disable CAR=Disable Priority=Disable Start=2009-04-26 19:41:12 ,Current=2009-04-26 19:41:25 ,Online=00h00m14s Total 1 connection matched. As the Authorized VLAN field in the output shows, VLAN 4 has been assigned to the user. Level switching authentication for Telnet users by an HWTACACS server Network requirements As shown in...

  • Page 73

    Configuring the switch # Configure the IP address of VLAN-interface 2, through which the Telnet user accesses the switch. <Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 [Switch-Vlan-interface2] quit # Configure the IP address of VLAN-interface 3, through which the switch communicates with the server. [Switch] interface vlan-interface 3 [Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0 [Switch-Vlan-interface3] quit...

  • Page 74

    # Configure the password for local privilege level switching authentication to 654321. [Switch] super password simple 654321 [Switch] quit Configuring the HWTACACS server NOTE: The HWTACACS server in this example runs ACSv4.0. Add a user named test on the HWTACACS server and configure advanced attributes for the user as follows, as shown in Figure Select Max Privilege for any AAA Client and set the privilege level to level 3.

  • Page 75: Troubleshooting Aaa

    ****************************************************************************** * Copyright (c) 2010-2012 Hewlett-Packard Development Company, L.P. * Without the owner's prior written consent, * no decompiling or reverse-engineering shall be allowed. ****************************************************************************** Login authentication Username:test@bbb Password: <Switch> ? User view commands: cluster Run cluster command display Display current system information ping Ping function quit...

  • Page 76

    The username is not in the format of userid@isp-name or the ISP domain for the user authentication is not correctly configured on the NAS. The user is not configured on the RADIUS server. The password entered by the user is incorrect. The RADIUS server and the NAS are configured with different shared keys.

  • Page 77: Troubleshooting Hwtacacs

    Solution Check that: The accounting port number is correctly set. The authentication/authorization server and the accounting server are correctly configured on the NAS. Troubleshooting HWTACACS Similar to RADIUS troubleshooting. See "Troubleshooting RADIUS."...

  • Page 78: X Overview

    802.1X overview 802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for securing wireless LANs (WLANs), and it has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports. 802.1X architecture 802.1X operates in the client/server model.

  • Page 79: X-related Protocols

    • Performs unidirectional traffic control to deny traffic from the client. • The HP devices support only unidirectional traffic control. 802.1X-related protocols 802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the network access device, and the authentication server. EAP is an authentication framework that uses the client/server model.

  • Page 80

    PAE Ethernet type—Protocol type. It takes the value 0x888E for EAPOL. Protocol version—The EAPOL protocol version used by the EAPOL packet sender. • Type—Type of the EAPOL packet. Table 5 lists the types of EAPOL packets supported by HP • implementation of 802.1X. Table 5 Types of EAPOL packets Value...

  • Page 81: Eap Over Radius

    Packet body—Content of the packet. When the EAPOL packet type is EAP-Packet, the Packet body • field contains an EAP packet. EAP over RADIUS RADIUS adds two attributes, EAP-Message and Message-Authenticator, for supporting EAP authentication. For the RADIUS packet format, see "Configuring AAA."...

  • Page 82: X Authentication Procedures

    Multicast trigger mode—The access device multicasts Identity EAP-Request packets periodically • (every 30 seconds by default) to initiate 802.1X authentication. Unicast trigger mode—Upon receiving a frame with the source MAC address not in the MAC • address table, the access device sends an Identity EAP-Request packet out of the receiving port to the unknown MAC address.

  • Page 83: Eap Relay

    Packet exchange method Benefits Limitations • Supports only MD5-Challenge EAP authentication and the "username + password" EAP Works with any RADIUS server that authentication initiated by an EAP termination supports PAP or CHAP authentication. iNode 802.1X client. • The processing is complex on the network access device.

  • Page 84: Eap Termination

    The network access device relays the Identity EAP-Response packet in a RADIUS Access-Request packet to the authentication server. The authentication server uses the identity information in the RADIUS Access-Request to search its user database. If a matching entry is found, the server uses a randomly generated challenge (EAP-Request/MD5 challenge) to encrypt the password in the entry, and sends the challenge in a RADIUS Access-Challenge packet to the network access device.

  • Page 85

    Figure 30 802.1X authentication procedure in EAP termination mode In EAP termination mode, the network access device rather than the authentication server generates a random MD5 challenge for password encryption (see Step 4). The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.

  • Page 86: Configuring 802.1x

    HP implementation of 802.1X Access control methods HP implements port-based access control as defined in the 802.1X protocol, and extends the protocol to support MAC-based access control. Port-based access control—Once an 802.1X user passes authentication on a port, any subsequent •...

  • Page 87

    Guest VLAN You can configure a guest VLAN on a port to accommodate users that have not performed 802.1X authentication, so they can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. After a user in the guest VLAN passes 802.1X authentication, it is removed from the guest VLAN and can access authorized network resources.

  • Page 88

    Auth-Fail VLAN You can configure an Auth-Fail VLAN to accommodate users that have failed 802.1X authentication because of the failure to comply with the organization security strategy, such as using a wrong password. Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to download anti-virus software and system patches.

  • Page 89: Configuration Prerequisites

    Configuration prerequisites Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users. • If RADIUS authentication is used, create user accounts on the RADIUS server. • • If local authentication is used, create local user accounts on the access device and set the service type to lan-access.

  • Page 90: Enabling Eap Relay Or Eap Termination

    • In system view: dot1x interface interface-list Enable 802.1X on a port in • In Ethernet interface view: By default, 802.1X is disabled on system or Ethernet interface a port. interface interface-type view. interface-number dot1x Enabling EAP relay or EAP termination When configuring EAP relay or EAP termination, consider the following factors: The support of the RADIUS server for EAP packets •...

  • Page 91: Specifying An Access Control Method

    auto—Places the port initially in the unauthorized state to allow only EAPOL packets to pass, and • after a user passes authentication, sets the port in the authorized state to allow access to the network. You can use this option in most scenarios. You can set authorization state for one port in interface view, or for multiple ports in system view.

  • Page 92: Setting The Maximum Number Of Concurrent 802.1x Users On A Port

    Setting the maximum number of concurrent 802.1X users on a port You can set the maximum number of concurrent 802.1X users for ports individually in interface view or in bulk in system view. If different settings are configured for a port in both views, the setting configured later takes effect.

  • Page 93: Configuring The Online User Handshake Function

    To use the online handshake security function, make sure the online user handshake function is • enabled. HP recommends that you use the iNode client software and IMC server to guarantee the normal operation of the online user handshake security function.

  • Page 94: Configuring The Authentication Trigger Function

    Step Command Remarks interface interface-type Enter Ethernet interface view. interface-number Optional. Enable the online handshake dot1x handshake function. By default, the function is enabled. Optional. Enable the online handshake dot1x handshake secure security function. By default, the function is disabled. Configuring the authentication trigger function The authentication trigger function enables the network access device to initiate 802.1X authentication when 802.1X clients cannot initiate authentication.

  • Page 95: Specifying A Mandatory Authentication Domain On A Port

    Step Command Remarks Required if you want to enable the unicast trigger. Enable an authentication dot1x { multicast-trigger | By default, the multicast trigger is trigger. unicast-trigger } enabled, and the unicast trigger is disabled. Specifying a mandatory authentication domain on a port You can place all 802.1X users in a mandatory authentication domain for authentication, authorization, and accounting on a port.

  • Page 96: Enabling The Periodic Online User Re-authentication Function

    Enabling the periodic online user re-authentication function Periodic online user re-authentication tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL. The re-authentication interval is user configurable. To enable the periodic online user re-authentication function: Step Command Remarks...

  • Page 97: Configuring An 802.1x Auth-fail Vlan

    Feature Relationship description Reference Only the 802.1X guest VLAN take effect. A MAC authentication guest VLAN user that fails MAC authentication will not "Configuring MAC on a port that performs be assigned to the MAC authentication authentication." MAC-based access control guest VLAN.

  • Page 98: Specifying Supported Domain Name Delimiters

    Feature Relationship description Reference MAC authentication guest VLAN The 802.1X Auth-Fail VLAN has a high "Configuring MAC on a port that performs priority. authentication" MAC-based access control Before you configure an Auth-Fail VLAN, complete the following tasks: Create the VLAN to be specified as the 802.1X Auth-Fail VLAN. •...

  • Page 99: Displaying And Maintaining 802.1x

    NOTE: If you configure the access device to include the domain name in the username sent to the RADIUS server, make sure the domain delimiter in the username can be recognized by the RADIUS server. For username Security Command Reference format configuration, see the user-name-format command in Displaying and maintaining 802.1X Task...

  • Page 100

    Figure 31 Network diagram Configuration procedure Configure the 802.1X client. If iNode is used, do not select the Carry version info option in the client configuration. (Details not shown.) Configure the RADIUS servers and add user accounts for the 802.1X users. (Details not shown.) For information about the RADIUS commands used on the access device in this example, see Security Command Reference.

  • Page 101: X Guest Vlan And Vlan Assignment Configuration Example

    [Device-radius-radius1] quit NOTE: The access device must use the same username format as the RADIUS server. If the RADIUS server includes the ISP domain name in the username, so must the access device. Configure the ISP domain: # Create the ISP domain aabbcc.net and enter its view. [Device] domain aabbcc.net # Apply the RADIUS scheme radius1 to the ISP domain, and specify local authentication as the secondary authentication method.

  • Page 102

    A host is connected to port GigabitEthernet 3/0/2 of the device and must pass 802.1X • authentication to access the Internet. GigabitEthernet 3/0/2 is in VLAN 1. GigabitEthernet 3/0/2 implements port-based access control. • GigabitEthernet 3/0/3 is in VLAN 5 and is for accessing the Internet. •...

  • Page 103

    [Device-vlan1] port GigabitEthernet 3/0/2 [Device-vlan1] quit [Device] vlan 10 [Device-vlan10] port GigabitEthernet 3/0/1 [Device-vlan10] quit [Device] vlan 2 [Device-vlan2] port GigabitEthernet 3/0/4 [Device-vlan2] quit [Device] vlan 5 [Device-vlan5] port GigabitEthernet 3/0/3 [Device-vlan5] quit Configure a RADIUS scheme: # Configure RADIUS scheme 2000 and enter its view. <Device>...

  • Page 104

    Verifying the configuration Use the display dot1x interface GigabitEthernet 3/0/2 command to verify the 802.1X guest VLAN configuration on GigabitEthernet 3/0/2. If no user passes authentication on the port within a specific period of time, use the display vlan 10 command to verify whether GigabitEthernet 3/0/2 is assigned to VLAN 10.

  • Page 105: Configuring Mac Authentication

    Configuring MAC authentication Overview MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software. A user does not need to input a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port.

  • Page 106: Mac Authentication Timers

    For more information about configuring local authentication and RADIUS authentication, see "Configuring AAA." MAC authentication timers MAC authentication uses the following timers: • Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards the user idle.

  • Page 107: Configuration Procedure

    For local authentication, create local user accounts, and specify the lan-access service for the • accounts. For RADIUS authentication, check that the device and the RADIUS server can reach each other, and • create user accounts on the RADIUS server. NOTE: If you are using MAC-based accounts, make sure that the username and password for each account is the same as the MAC address of the MAC authentication users.

  • Page 108: Specifying An Authentication Domain For Mac Authentication Users

    Step Command Remarks Optional. Set the maximum number of mac-authentication max-user By default, a port allows up to concurrent MAC authentication user-number 4096 concurrent MAC. users allowed on a port. Authentication users. NOTE: You cannot enable MAC authentication on a link aggregation member port. If MAC authentication is enabled on a port, you cannot assign it to a link aggregation group.

  • Page 109: Mac Authentication Configuration Examples

    Task Command Remarks Clear MAC authentication reset mac-authentication statistics Available in user view. statistics. [ interface interface-list ] MAC authentication configuration examples IMPORTANT: By default, Ethernet interfaces, VLAN interfaces, and aggregate interfaces are in DOWN state. To configure such an interface, first use the undo shutdown command to bring the interface up. Local MAC authentication configuration example Network requirements In the network in...

  • Page 110: Radius-based Mac Authentication Configuration Example

    [Device] mac-authentication interface GigabitEthernet 3/0/1 # Specify the ISP domain for MAC authentication. [Device] mac-authentication domain aabbcc.net # Set the MAC authentication timers. [Device] mac-authentication timer offline-detect 180 [Device] mac-authentication timer quiet 180 # Configure MAC authentication to use MAC-based accounts. The MAC address usernames and passwords are hyphenated and in lowercase.

  • Page 111

    Perform MAC authentication on port GigabitEthernet 3/0/1 to control Internet access. Make sure that: The device detects whether a user has gone offline every 180 seconds. If a user fails authentication, • the device does not authenticate the user within 180 seconds. All MAC authentication users belong to ISP domain 2000 and share the user account aaa with •...

  • Page 112

    # Specify username aaa and plaintext password 123456 for the account shared by MAC authentication users. [Device] mac-authentication user-name-format fixed account aaa password simple 123456 Verifying the configuration # Display MAC authentication settings and statistics. <Device> display mac-authentication MAC address authentication is enabled. User name format is fixed account Fixed username:aaa Fixed password:******...

  • Page 113: Configuring Portal Authentication

    Configuring portal authentication Overview Portal authentication helps control access to the Internet. It is also called "Web authentication." A website implementing portal authentication is called a portal website. With portal authentication, an access device redirects all users to the portal authentication page. All users can access the free services provided on the portal website;...

  • Page 114

    Figure 35 Portal system components Authentication client An authentication client is an entity seeking access to network resources. It is typically an end-user terminal, such as a PC. A client can use a browser or portal client software for portal authentication. The security check for a client is implemented through the communications between the client and the security policy server.

  • Page 115: Portal Authentication Mode

    NAT, network address translations performed on the access device do not affect portal authentication. However, in such a case, HP recommends specifying a public IP address of an interface as the source address of outgoing portal packets.

  • Page 116: Portal Authentication Process

    In re-DHCP authentication and cross-subnet authentication mode, the client's IP address is used for client identification. After a client passes authentication, the access device generates an access control list (ACL) for the client based on the client's IP address to permit packets from the client to go through the access port.

  • Page 117

    The security policy server exchanges security check information with the authentication client to check whether the authentication client meets the security requirements. Based on the security check result, the security policy server authorizes the user to access certain resources, and sends the authorization information to the access device. The access device then controls access of the user based on the authorization information.

  • Page 118: Portal Authentication Across Vpns

    ACL assignment The device uses ACLs to control user access to network resources and limit user access rights. With authorized ACLs specified on the authentication server, when a user passes authentication, the authentication server assigns an authorized ACL to the user, and the device filters traffic from the user on the access port according to the authorized ACL.

  • Page 119

    Task Remarks users Configuring an authentication subnet Setting the maximum number of online portal users Specifying an authentication domain for portal users Configuring RADIUS related Specifying NAS-Port-Type for an interface Optional. attributes Specifying a source IP address for outgoing portal packets Optional.

  • Page 120: Specifying The Portal Server

    Specifying the portal server Perform this task to specify portal server parameters for Layer 3 portal authentication, including the portal server IP address and port number, the shared encryption key, and the URL address for Web authentication. To specify an IPv4 portal server for Layer 3 authentication: Step Command Remarks...

  • Page 121

    The destination port number that the switch uses for sending unsolicited packets to the portal server • must be the same as that the remote portal server actually uses. Cross-subnet authentication mode (portal server server-name method layer3) does not require •...

  • Page 122: Configuring An Authentication Subnet

    Step Command Enter system view. system-view portal free-rule rule-number { destination { any | ip { ipv4-address mask { mask-length | mask } | any } } | source { any | [ interface Configure a portal-free rule. interface-type interface-number | ip { ipv4-address mask { mask-length | netmask } | any } | mac mac-address | vlan vlan-id ] * } } * To configure an IPv6 portal-free rule:...

  • Page 123: Setting The Maximum Number Of Online Portal Users

    Step Command Remarks By default, the IPv6 authentication subnet is ::/0, which means that Configure an IPv6 users from any subnets must pass portal auth-network ipv6 authentication subnet. portal authentication. ipv6-network-address prefix-length You can configure multiple IPv6 authentication subnets. NOTE: Configuration of authentication subnets applies to only cross-subnet authentication.

  • Page 124: Configuring Radius Related Attributes

    Step Command Remarks Specify an authentication By default, no authentication domain for IPv4 portal users domain is specified for IPv4 portal portal domain domain-name on the interface. users. To specify an authentication domain for IPv6 portal users on an interface: Step Command Remarks...

  • Page 125: Specifying A Source Ip Address For Outgoing Portal Packets

    IP address of packets that the access device sends to the portal server, and the destination IP address of packets that the portal server sends to the access device. In NAT environments, HP recommends specifying the interface's public IP address as the source IP address of outgoing portal packets.

  • Page 126: Configuring Portal Detection Functions

    Step Command Remarks Enter system view. system-view By default, an authenticated user is redirected to the URL the user Specify an automatic entered in the address bar before portal redirect-url url-string redirection URL for portal authentication. [ wait-time period ] authenticated portal users.

  • Page 127: Configuring Portal User Information Synchronization

    IMC portal server and make sure the product of interval and retries is greater than or equal to the portal server heartbeat interval. HP recommends configuring the interval to be greater than the portal server heartbeat interval configured on the portal server.

  • Page 128: Logging Out Portal Users

    HP recommends configuring the interval to be greater than the portal user heartbeat interval configured on the portal server.

  • Page 129: Enabling Portal User Roaming

    In MAC control mode, if only IPv4 portal authentication or IPv6 portal authentication is configured, the device controls traffic on the user access port according to the ACL authorized by the server, regardless of whether the ACL is an IPv4 ACL or an IPv6 ACL. An authorized ACL can be an IPv4 basic ACL, IPv4 advanced ACL, IPv6 basic ACL, or IPv6 advanced ACL.

  • Page 130: Displaying And Maintaining Portal

    Displaying and maintaining portal Task Command Remarks display portal acl { all | dynamic | static } Display the ACLs on a specific interface interface-type interface-number Available in any view. interface. [ | { begin | exclude | include } regular-expression ] display portal connection statistics { all | Display portal connection statistics...

  • Page 131: Configuring Direct Portal Authentication

    Configuring direct portal authentication Network requirements As shown in Figure 39, the host is directly connected to the switch that is configured for direct portal authentication. The host is assigned with a public IP address either manually or through DHCP. Before passing portal authentication, users can access only the portal server.

  • Page 132

    Figure 40 Portal server configuration Configure the IP address group: Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. Click Add to enter the page shown in Figure Enter the IP group name.

  • Page 133

    Figure 41 Adding an IP address group Add a portal device: Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Click Add to enter the page shown in Figure Enter the device name NAS.

  • Page 134

    As shown in Figure 43, click the icon in the Port Group Information Management column of device NAS to enter the port group configuration page. Click Add to enter the page shown in Figure Enter the port group name. Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group.

  • Page 135: Configuring Re-dhcp Portal Authentication

    [Switch-radius-rs1] primary authentication 192.168.0.112 [Switch-radius-rs1] primary accounting 192.168.0.112 [Switch-radius-rs1] key authentication simple radius [Switch-radius-rs1] key accounting simple radius # Specify that the ISP domain name should not be included in the username sent to the RADIUS server. [Switch-radius-rs1] user-name-format without-domain [Switch-radius-rs1] quit Configure an authentication domain: # Create an ISP domain named dm1 and enter its view.

  • Page 136

    Figure 45 Network diagram Configuration prerequisites and guidelines Configure IP addresses for the host, switch, and servers as shown in Figure 45 and make sure they • can reach each other. Configure a public address pool (20.20.20.0/24, in this example) and a private address pool •...

  • Page 137: Configuring Cross-subnet Portal Authentication

    [Switch-radius-rs1] quit Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Switch] domain dm1 # Configure AAA methods for the ISP domain. [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1 [Switch-isp-dm1] quit # Configure dm1 as the default ISP domain for all users.

  • Page 138

    Figure 46 Network diagram Configuration prerequisites and guidelines • Make sure the IP address of the portal device added on the portal server is the IP address of the interface connecting users (20.20.20.1 in this example), and the IP address group associated with the portal device is the network segment where the users reside (8.8.8.0/24 in this example).

  • Page 139: Configuring Direct Portal Authentication With Extended Functions

    # Configure dm1 as the default ISP domain for all users. Then, if a user enters the username without the ISP domain at login, the authentication and accounting methods of the default domain are used for the user. [SwitchA] domain default enable dm1 Configure portal authentication: # Configure a portal server on the switch, making sure the IP address, key, port number, and URL match those of the actual portal server.

  • Page 140

    Configuration procedure Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <Switch> system-view [Switch] radius scheme rs1 # Set the server type for the RADIUS scheme. When using the IMC server, set the server type to extended.

  • Page 141: Configuring Re-dhcp Portal Authentication With Extended Functions

    Key: portal, in plain text Port number: 50100 URL: http://192.168.0.1 1 1:8080/portal [Switch] portal server newpt ip 192.168.0.111 key simple portal port 50100 url http://192.168.0.111:8080/portal # Enable portal authentication on the interface connecting the host. [Switch] interface vlan-interface 100 [Switch–Vlan-interface100] portal server newpt method direct [Switch–Vlan-interface100] quit Configuring re-DHCP portal authentication with extended functions...

  • Page 142

    Make sure the IP address of the portal device added on the portal server is the public IP address of • the interface connecting users (20.20.20.1 in this example), the private IP address range for the IP address group associated with the portal device is the private network segment where the users reside (10.0.0.0/24 in this example), and the public IP address range for the IP address group is the public network segment 20.20.20.0/24.

  • Page 143: Configuring Cross-subnet Portal Authentication With Extended Functions

    [Switch] acl number 3001 [Switch-acl-adv-3001] rule permit ip [Switch-acl-adv-3001] quit Configure portal authentication: # Configure a portal server on the switch, making sure the IP address, key, port number and URL match those of the actual portal server. [Switch] portal server newpt ip 192.168.0.111 key simple portal port 50100 url http://192.168.0.111:8080/portal # Configure the switch as a DHCP relay agent, and enable the IP address match check function.

  • Page 144

    Configuration prerequisites and guidelines Make sure the IP address of the portal device added on the portal server is the IP address of the • interface connecting users (20.20.20.1 in this example), and the IP address group associated with the portal device is the network segment where the users reside (8.8.8.0/24 in this example). Configure IP addresses for the host, switches, and servers as shown in Figure 49 and make sure they...

  • Page 145: Configuring Portal Server Detection And Portal User Information Synchronization

    [SwitchA-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255 [SwitchA-acl-adv-3000] rule deny ip [SwitchA-acl-adv-3000] quit [SwitchA] acl number 3001 [SwitchA-acl-adv-3001] rule permit ip [SwitchA-acl-adv-3001] quit Configure portal authentication: # Configure a portal server on the switch, making sure the IP address, key, port number, and URL match those of the actual portal server.

  • Page 146

    Configuration considerations Configure the portal server and enable portal server heartbeat function and the portal user heartbeat function. Configure the RADIUS server to implement authentication. Configure cross-subnet portal authentication on interface VLAN-interface 4 of the switch. Configure the portal server detection function on the switch, so that the switch can detect the status of the portal server by cooperating with the portal server heartbeat function.

  • Page 147

    Figure 51 Portal server configuration Configure the IP address group: Select Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. Click Add to enter the page shown in Figure Enter the IP group name. Enter the start IP address and end IP address of the IP group.

  • Page 148

    Add a portal device: Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Click Add to enter the page shown in Figure Enter the device name NAS. Enter the IP address of the switch's interface connected to the user. Enter the key, which must be the same as that configured on the switch.

  • Page 149

    Figure 55 Adding a port group Select Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configuring the switch Configure a RADIUS scheme: # Create RADIUS scheme rs1 and enter its view. <Switch> system-view [Switch] radius scheme rs1 # Configure the server type for the RADIUS scheme.

  • Page 150

    NOTE: The product of interval and retry must be greater than or equal to the portal server heartbeat interval, and HP recommends configuring the interval as a value greater than the portal server heartbeat interval configured on the portal server.

  • Page 151: Cross-subnet Portal Authentication Across Vpns

    The Up state of the portal server indicates that the portal server is reachable. If the access device detects that the portal server is unreachable, you can see the portal server status is Down in the output, and the access device generates a server unreachable trap "portal server newpt lost" and disables portal authentication on the access interface, so the client can access the external network without authentication.

  • Page 152

    [SwitchA-radius-rs1] user-name-format without-domain # Specify the source IP address for RADIUS packets to be sent as 3.3.0.3. [SwitchA-radius-rs1] nas-ip 3.3.0.3 [SwitchA-radius-rs1] quit IMPORTANT: Use the nas-ip command to specify the source IP address for RADIUS packets to be sent, and make sure the source IP address is consistent with the IP address of the access device specified on the server to avoid authentication failures.

  • Page 153: Troubleshooting Portal

    Work-mode:stand-alone VPN instance:vpn1 Vlan Interface ---------------------------------------------------------------------------- 000d-88f7-c268 3.3.0.1 Vlan-interface3 Total 1 user(s) matched, 1 listed. Troubleshooting portal Inconsistent keys on the access device and the portal server Symptom When a user is forced to access the portal server, the portal server displays neither the portal authentication page nor any error message.

  • Page 154

    Solution Use the display portal server command to display the listening port of the portal server on the access device and use the portal server command in the system view to modify it to make sure it is the actual listening port of the portal server.

  • Page 155: Configuring Password Control

    Configuring password control For more information about the FIPS mode mentioned in this chapter, see "Configuring FIPS." Overview Password control refers to a set of functions provided by the local authentication server to control user login passwords, super passwords, and user login status based on predefined policies. The rest of this section describes the password control functions in detail.

  • Page 156

    Password history • With this feature enabled, the system maintains certain entries of passwords that a user has used. When a user changes the password, the system checks the new password against the used ones. The new password must be different from the used ones by at least four characters and the four characters must not be the same.

  • Page 157: Fips Compliance

    A password must contain four types of characters and each type contains at least one character in FIPS mode. When a user sets or changes the password, the system checks if the password satisfies the composition requirement. If not, the system displays an error message. Password complexity checking •...

  • Page 158

    Settings for super passwords apply to only super passwords. • The previous four types of settings have the following priorities: For local user passwords, the settings with a smaller application range have a higher priority. For super passwords, the settings configured specifically for super passwords, if any, override those configured in system view.

  • Page 159: Setting Global Password Control Parameters

    After global password control is enabled, local user passwords configured on the device are not displayed when you use the corresponding display command. Setting global password control parameters The action specified in the password-control login-attempt command takes effect immediately, and thus affects the users already in the password control blacklist.

  • Page 160: Setting User Group Password Control Parameters

    Optional. Set the maximum number of password-control days and maximum number By default, a user can log in three expired-user-login delay delay of times that a user can log in times within 30 days after the times times after the password expires. password expires.

  • Page 161: Setting Super Password Control Parameters

    Step Command Remarks Optional. By default, the setting equals that Configure the minimum for the user group to which the password length for the local password-control length length local user belongs. If no minimum user. password length is configured for the user group, the global setting applies to the local user.

  • Page 162: Displaying And Maintaining Password Control

    To set a password for a local user in interactive mode: Step Command Enter system view. system-view Create a local user and enter local user view. local-user user-name Set the password for the local user in interactive password mode. Displaying and maintaining password control Task Command Remarks...

  • Page 163

    The password must contain at least 12 characters. • The password must consist of at least two types of valid characters, five or more of each type. • The password aging time is 20 days. • Configuration procedure # Enable the password control feature globally. <Sysname>...

  • Page 164

    [Sysname-luser-test] quit Verifying the configuration # Display the global password control configuration. <Sysname> display password-control Global password control configurations: Password control: Enabled Password aging: Enabled (30 days) Password length: Enabled (10 characters) Password composition: Enabled (1 types, 1 characters per type) Password history: Enabled (max history records:4) Early notice on password expiration: 7 days...

  • Page 165: Managing Public Keys

    Managing public keys For information about FIPS mode, see "Configuring FIPS." Overview To protect data confidentiality during transmission, the data sender uses an algorithm and a key to encrypt the plain text data before sending the data out, and the receiver uses the same algorithm with the help of a key to decrypt the data, as shown in Figure Figure 57 Encryption and decryption...

  • Page 166: Public Key Configuration Task List

    Public key configuration task list The configuration tasks enable you to manage the local asymmetric key pairs, and configure the peer host public keys on the local device. By completing these tasks, your host is ready to work with applications such as SSH and SSL to implement data encryption/decryption, or digital signature. Complete these tasks to configure public keys: Task Remarks...

  • Page 167: Displaying Or Exporting The Local Host Public Key

    Step Command Remarks Enter system view. system-view Create a local asymmetric key By default, no asymmetric key pair public-key local create { dsa | rsa } pair. is created. NOTE: Key pairs created with the public-key local create command are saved automatically and can survive system reboots.

  • Page 168: Destroying A Local Asymmetric Key Pair

    Step Command Remarks • To display the local RSA host public key in a specific format: public-key local export rsa Display the local RSA or DSA Use at least one command. { openssh | ssh1 | ssh2 } host public key in a specific The ssh1 keyword is not available •...

  • Page 169: Displaying And Maintaining Public Keys

    The recorded public key must be in intended asymmetric key pair. the correct format, or the manual configuration of a • If the peer device is an HP device, use the Manually configure format-incompliant public key will display public-key local public the public key—input fail.

  • Page 170: Public Key Configuration Examples

    Task Command Remarks display public-key peer [ brief | name Display the specified or all peer Available in any publickey-name ] [ | { begin | exclude | include } public keys on the local device. view. regular-expression ] Public key configuration examples IMPORTANT: By default, Ethernet interfaces, VLAN interfaces, and aggregate interfaces are in DOWN state.

  • Page 171

    Time of Key pair created: 09:50:06 2007/08/07 Key name: HOST_KEY Key type: RSA Encryption Key ===================================================== Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F 814F 9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD 995C 669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC07 8B2B AA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001 ===================================================== Time of Key pair created: 09:50:07 2007/08/07 Key name: SERVER_KEY Key type: RSA Encryption Key ===================================================== Key code: 307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87...

  • Page 172: Importing A Public Key From A Public Key File

    Key Module: 1024 ===================================== Key Code: 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F 814F 9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD 995C 669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC07 8B2B AA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001 The output shows that the host public key of Switch A saved on Switch B is consistent with the one created on Switch A. Importing a public key from a public key file Network requirements As shown in Figure...

  • Page 173

    Key name: HOST_KEY Key type: RSA Encryption Key ===================================================== Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F 814F 9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD 995C 669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC07 8B2B AA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001 ===================================================== Time of Key pair created: 09:50:07 2007/08/07 Key name: SERVER_KEY Key type: RSA Encryption Key ===================================================== Key code: 307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87 BB61 58E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DA CBA3 CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F020301000 # Export the RSA host public key HOST_KEY to a file named switcha.pub.

  • Page 174

    [ftp] get switcha.pub 227 Entering Passive Mode (10,1,1,1,5,148). 125 BINARY mode data connection already open, transfer starting for /switcha.pub. 226 Transfer complete. FTP: 299 byte(s) received in 0.189 second(s), 1.00Kbyte(s)/sec. [ftp] quit 221 Server closing. Import the host public key of Switch A to Switch B: # Import the host public key of Switch A from the key file switcha.pub to Switch B.

  • Page 175: Configuring Ipsec

    Configuring IPsec The term "router" in this chapter refers to both routers and Layer 3 switches. IPsec is available only on Ethernet interface cards. Overview IP Security (IPsec) is a security framework defined by the IETF for securing IP communications. It is a Layer 3 VPN technology that transmits data in a secure tunnel established between two endpoints.

  • Page 176

    encryption algorithms such as DES, 3DES, and AES, and authentication algorithms such as MD5 and SHA- 1 . The authentication function is optional to ESP. Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger.

  • Page 177

    Figure 60 Encapsulation by security protocols in different modes Authentication algorithms and encryption algorithms • Authentication algorithms: IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. IPsec peers respectively calculate message digests for each packet.

  • Page 178: Ipsec For Ipv6 Routing Protocols

    IPsec for IPv6 routing protocols You can use IPsec to protect routing information and defend against attacks for these IPv6 routing protocols: OSPFv3, IPv6 BGP, and RIPng. IPsec enables these IPv6 routing protocols to encapsulate outbound protocol packets and de-encapsulate inbound protocol packets with the AH or ESP protocol. If an inbound protocol packet is not IPsec protected, or fails to be de-encapsulated, for example, due to decryption or authentication failure, the routing protocol discards that packet.

  • Page 179: Implementing Acl-based Ipsec

    (see "Implementing ACL-based IPsec"). By using ACLs, you can customize IPsec policies as needed, implementing IPsec flexibly. Application-based IPsec protects the packets of a service. This IPsec implementation method can be • used to protect IPv6 routing protocols. It does not require any ACL, nor does it depend on the routing mechanism.

  • Page 180

    Keywords in ACL rules IPsec uses ACLs to identify data flows. An ACL is a collection of ACL rules. Each ACL rule is a deny or permit statement. A permit statement identifies a data flow protected by IPsec, and a deny statement identifies a data flow that is not protected by IPsec.

  • Page 181

    rule 0 permit ip source 1.1.2.0 0.0.0.255 destination 3.3.3.0 0.0.0.255 rule 1 deny ip ipsec policy test 1 isakmp security acl 3000 ike-peer aa proposal 1 ipsec policy test 2 isakmp security acl 3001 ike-peer bb proposal 1 Configure Switch B: •...

  • Page 182: Configuring An Ipsec Proposal

    The peer with the narrower rule initiates SA negotiation. If a wider ACL rule is used by the SA • initiator, the negotiation request may be rejected because the matching traffic is beyond the scope of the responder. As shown in Figure 63, the SA negotiation initiated by Host A to Host C is accepted but the SA negotiations from Host C to Host B or from Host D to Host A is rejected.

  • Page 183

    Step Command Remarks Optional. ESP by default. You can configure security algorithms for a security protocol only after you select the protocol. For example, you can specify the ESP-specific security algorithms only when you select ESP as the Specify the security protocol transform { ah | ah-esp | esp } security protocol.

  • Page 184: Configuring An Ipsec Policy

    Configuring an IPsec policy IPsec policies define which IPsec proposals should be used to protect which data flows. An IPsec policy is uniquely identified by its name and sequence number. IPsec policies fall into the following categories: Manual IPsec policy—The parameters are configured manually, such as the keys, the SPIs, and the •...

  • Page 185

    Step Command Remarks Not needed for IPsec policies to be applied to IPv6 routing protocols and required for other applications. By default, an IPsec policy references no ACL. Assign an ACL to the security acl acl-number The ACL supports match criteria of the IPsec policy.

  • Page 186

    Step Command Remarks • Configure an authentication key in hexadecimal for AH: sa authentication-hex { inbound | outbound } ah [ cipher string-key | simple hex-key ] • Configure an authentication key in characters for AH: Configure keys properly for the security sa string-key { inbound | protocol (AH or ESP) you have specified.

  • Page 187

    Step Command Remark Enter system view. system-view By default, no IPsec policy exists. Create an IPsec policy that ipsec policy policy-name The isakmp mode is available only uses IKE and enter its view. seq-number isakmp for FIPS mode. Optional. By default, no IPsec connection Configure an IPsec connection connection-name name name is configured.

  • Page 188: Applying An Ipsec Policy Group To An Interface

    Step Command Remark Optional. 3600 seconds for time-based SA lifetime by default. ipsec sa global-duration Set the global SA lifetime. { time-based seconds | 1843200 kilobytes for traffic-based kilobytes } traffic-based SA lifetime by default. This command is available only for FIPS mode.

  • Page 189: Enabling Acl Checking Of De-encapsulated Ipsec Packets

    To set the IPsec session idle timeout: Step Command Remark Enter system view. system-view Optional. Set the IPsec session idle 300 seconds by default. ipsec session idle-time seconds timeout. This command is available only for FIPS mode. Enabling ACL checking of de-encapsulated IPsec packets In tunnel mode, the IP packet that was encapsulated in an inbound IPsec packet may not be an object that is specified by an ACL to be protected.

  • Page 190: Configuring Packet Information Pre-extraction

    IMPORTANT: IPsec anti-replay checking is enabled by default. Do not disable it unless it needs to be disabled. • • A wider anti-replay window results in higher resource cost and more system performance degradation, which is against the original intention of the IPsec anti-replay function. Specify an anti-replay window size that is as small as possible.

  • Page 191: Configuring Ipsec Rri

    new SAs are established between the two peers. To prevent such service interruption, configure the invalid SPI recovery feature. The invalid SPI recovery feature allows the receiver to send an INVALID SPI NOTIFY message to tell the sender the invalid SPIs. Upon receiving the message, the sender immediately deletes the corresponding SAs.

  • Page 192: Configuring Ipsec For Ipv6 Routing Protocols

    destination have different preference values, the route with the highest preference forwards traffic and all other routes are backup routes. Change their tag value so the gateway can control the use of the static routes based on routing • policies. To configure IPsec RRI: Step Command...

  • Page 193: Displaying And Maintaining Ipsec

    Displaying and maintaining IPsec Task Command Remarks display ipsec policy [ brief | name Display IPsec policy information. policy-name [ seq-number ] ] [ | { begin | Available in any view. exclude | include } regular-expression ] display ipsec proposal [ proposal-name ] Display IPsec proposal [ | { begin | exclude | include } Available in any view.

  • Page 194

    Figure 64 Network diagram Configuration procedure Configure Switch A: # Define an ACL to identify data flows from subnet 10.1.1.0/24 to subnet 10.1.2.0/24. <SwitchA> system-view [SwitchA] acl number 3101 [SwitchA-acl-adv-3101] rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [SwitchA-acl-adv-3101] rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 [SwitchA-acl-adv-3101] quit...

  • Page 195

    [SwitchA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345 [SwitchA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321 # Configure the keys. [SwitchA-ipsec-policy-manual-map1-10] sa encryption-hex outbound esp abcdefabcdefabcdefabcdefabcdefab [SwitchA-ipsec-policy-manual-map1-10] sa encryption-hex inbound esp bafedcbafedcbafedcbafedcbafedcba [SwitchA-ipsec-policy-manual-map1-10] sa authentication-hex outbound esp 0123456789012345678901234567890123456789 [SwitchA-ipsec-policy-manual-map1-10] sa authentication-hex inbound esp 9876543210987654321098765432109876543210 [SwitchA-ipsec-policy-manual-map1-10] quit # Configure IP addresses for VLAN-interface 1 and VLAN-interface 2.

  • Page 196: Configuring An Ike-based Ipsec Tunnel For Ipv4 Packets

    # Apply the IPsec proposal. [SwitchB-ipsec-policy-manual-use1-10] proposal tran1 # Configure the remote IP address of the tunnel. [SwitchB-ipsec-policy-manual-use1-10] tunnel remote 2.2.2.1 # Configure the local IP address of the tunnel. [SwitchB-ipsec-policy-manual-use1-10] tunnel local 2.2.3.1 # Configure the SPIs. [SwitchB-ipsec-policy-manual-use1-10] sa spi outbound esp 54321 [SwitchB-ipsec-policy-manual-use1-10] sa spi inbound esp 12345 # Configure the keys.

  • Page 197

    [SwitchA-acl-adv-3101] rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [SwitchA-acl-adv-3101] rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 [SwitchA-acl-adv-3101] quit # Configure a static route to Host B. [SwitchA] ip route-static 10.1.2.0 255.255.255.0 vlan-interface 1 # Create an IPsec proposal named tran1. [SwitchA] ipsec proposal tran1 # Specify the encapsulation mode as tunnel.

  • Page 198

    [SwitchB-acl-adv-3101] rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 [SwitchB-acl-adv-3101] rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [SwitchB-acl-adv-3101] quit # Configure a static route to Host A. [SwitchB] ip route-static 10.1.1.0 255.255.255.0 vlan-interface 1 # Create an IPsec proposal named tran1. [SwitchB] ipsec proposal tran1 # Specify the encapsulation mode as tunnel.

  • Page 199: Configuring Ipsec For Ripng

    Configuring IPsec for RIPng The IPsec configuration procedures for protecting OSPFv3 and IPv6 BGP are similar. For more information about RIPng, OSPFv3, and IPv6 BGP, see Layer 3—IP Routing Configuration Guide. Network requirements As shown in Figure 65, Switch A, Switch B, and Switch C are connected. They learn IPv6 routing information through RIPng.

  • Page 200

    [SwitchA] ipsec policy policy001 10 manual [SwitchA-ipsec-policy-manual-policy001-10] proposal tran1 [SwitchA-ipsec-policy-manual-policy001-10] sa spi outbound esp 123456 [SwitchA-ipsec-policy-manual-policy001-10] sa spi inbound esp 123456 [SwitchA-ipsec-policy-manual-policy001-10] sa string-key outbound esp abcdefg [SwitchA-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg [SwitchA-ipsec-policy-manual-policy001-10] quit # Apply IPsec policy policy001 to the RIPng process. [SwitchA] ripng 1 [SwitchA-ripng-1] enable ipsec-policy policy001 [SwitchA-ripng-1] quit...

  • Page 201

    # Assign an IPv6 address to each interface. (Details not shown.) # Create a RIPng process and enable it on VLAN-interface 200. <SwitchC> system-view [SwitchC] ripng 1 [SwitchC-ripng-1] quit [SwitchC] interface vlan-interface 200 [SwitchC-Vlan-interface200] ripng 1 enable [SwitchC-Vlan-interface200] quit # Create an IPsec proposal named tran1, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to AES 128, and authentication algorithm to SHA1-HMAC-96.

  • Page 202

    Number of trigger updates sent : 1 IPsec policy name: policy001, SPI: 123456 Using the display ipsec sa command on Switch A, you will see the information about the inbound and outbound SAs. <SwitchA> display ipsec sa =============================== Protocol: RIPng =============================== ----------------------------- IPsec policy name: "policy001"...

  • Page 203

    Figure 66 Network diagram Switch A Switch B GE3/0/1 GE3/0/1 1.1.1.1/16 2.2.2.2/16 Internet GE3/0/2 GE3/0/2 10.4.4.1/24 10.5.5.1/24 Headquarter Branch Host A Host B 10.4.4.4/24 10.5.5.5/24 Configuration procedure Assign IPv4 addresses to the interfaces on the switches according to Figure 66. Make sure Switch A and Switch B can reach each other.

  • Page 204

    [SwitchA-ipsec-policy-isakmp-map1-10] security acl 3101 # Reference IKE peer peer. [SwitchA-ipsec-policy-isakmp-map1-10] ike-peer peer # Enable dynamic IPsec RRI and use 1.1.1.2 as the next hop of the static route. [SwitchA-ipsec-policy-isakmp-map1-10] reverse-route remote-peer 1.1.1.2 [SwitchA-ipsec-policy-isakmp-map1-10] quit # Apply IPsec policy map1 to interface GigabitEthernet 3/0/1. [SwitchA] interface gigabitethernet 3/0/1 [SwitchA-GigabitEthernet3/0/1] ipsec policy map1 [SwitchA-GigabitEthernet3/0/1] quit...

  • Page 205

    # Apply IPsec policy use1 to interface GigabitEthernet 3/0/1. [SwitchB] interface gigabitethernet 3/0/1 [SwitchB-GigabitEthernet3/0/1] ipsec policy use1 Verify the configuration: # Send traffic from subnet 10.5.5.0/24 to subnet 10.4.4.0/24, or from subnet 10.4.4.0/24 to 10.5.5.0/24. IKE negotiation is triggered to establish IPsec SAs between Switch A and Switch B. # Display the routing table on Switch A.

  • Page 206: Configuring Ike

    Configuring IKE The IKE negotiation mode is available only for FIPS mode. You cannot configure IKE negotiation on tunnel interfaces or aggregation interfaces. Overview Built on a framework defined by the Internet Security Association and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec, simplifying the application, management, configuration and maintenance of IPsec dramatically.

  • Page 207: Ike Functions

    Figure 67 IKE exchange process in main mode Peer 1 Peer 2 Algorithm negotiation Initiator’s policy Send local IKE policy Search for matched policy Confirmed policy Receive the SA exchange policy Key generation Initiator’s key information Generate the key Receiver’s key information Identity Key exchange...

  • Page 208: Relationship Between Ike And Ipsec

    Relationship between IKE and IPsec Figure 68 Relationship between IKE and IPsec Figure 68 illustrates the relationship between IKE and IPsec: IKE is an application layer protocol using UDP and functions as the signaling protocol of IPsec. • IKE negotiates SAs for IPsec and delivers negotiated parameters and generated keys to IPsec. •...

  • Page 209: Configuring A Name For The Local Security Gateway

    Task Remarks Setting keepalive timers Optional. Setting the NAT keepalive timer Optional. Configuring a DPD detector Optional. Disabling next payload field checking Optional. Configuring a name for the local security gateway If the IKE negotiation peer uses the security gateway name as its ID to initiate IKE negotiation (the id-type name or id-type user-fqdn command is configured on the initiator), configure the ike local-name command in system view or the local-name command in IKE peer view on the local device.

  • Page 210: Configuring An Ike Peer

    Step Command Remarks Specify an encryption Optional. encryption-algorithm aes-cbc algorithm for the IKE [ key-length ] 128-bit AES in CBC mode by default. proposal. Specify an authentication Optional. authentication-method method for the IKE { pre-share | rsa-signature } Pre-shared key by default. proposal.

  • Page 211

    To configure an IKE peer: Step Command Remarks Enter system view. system-view Create an IKE peer and ike peer peer-name enter IKE peer view. Optional. Specify the IKE negotiation exchange-mode main mode for phase 1. The default is main. Optional. By default, an IKE peer references Specify the IKE proposals for no IKE proposals, and, when...

  • Page 212: Setting Keepalive Timers

    Step Command Remarks Optional. Required when a NAT gateway is Enable the NAT traversal nat traversal present in the VPN tunnel function for IPsec/IKE. constructed by IPsec/IKE. Disabled by default. • Set the subnet type of the local Optional. end: The default subnet type is local { multi-subnet | single-subnet.

  • Page 213: Setting The Nat Keepalive Timer

    Setting the NAT keepalive timer If IPsec traffic needs to pass through NAT security gateways, you must configure the NAT traversal function. If no packet travels across an IPsec tunnel in a certain period of time, the NAT mapping may get aged and be deleted, disabling the tunnel beyond the NAT gateway from transmitting data to the intended end.

  • Page 214: Displaying And Maintaining Ike

    payload is the last payload of the packet. However, it may be set to other values on some brands of devices. For interoperability, disable the checking of this field. To disable Next payload field checking: Step Command Remark Enter system view. system-view Disable Next payload field ike next-payload check disabled...

  • Page 215: Troubleshooting Ike

    Figure 69 Network diagram Configuration procedure Configure Switch A: # Configure an IKE peer. <SwitchA> system-view [SwitchA] ike peer peer [SwitchA-ike-peer-peer] pre-shared-key Ab12<><> [SwitchA-ike-peer-peer] remote-address 2.2.2.2 [SwitchA-ike-peer-peer] quit # Create an IKE proposal numbered 10. [SwitchA] ike proposal 10 # Set the authentication algorithm to SHA1. [SwitchA-ike-proposal-10] authentication-algorithm sha1 # Configure the authentication method as pre-shared key.

  • Page 216: Invalid User Id

    Symptom Invalid user ID. Analysis In IPsec, user IDs identify IPsec tunnels for different data flows. In the HP implementation of IPsec, a user ID comprises an IP address and a username. The following is the debugging information: got NOTIFY of type INVALID_ID_INFORMATION drop message from A.B.C.D due to notification type INVALID_ID_INFORMATION...

  • Page 217: Acl Configuration Error

    Solution Use the display ike sa command to verify that both parties have established an SA in phase 1. • Use the display ipsec sa policy command to verify that the IPsec policy on the interface has • established IPsec SA. If the two commands show that one party has an SA but the other does not, use the reset ipsec sa •...

  • Page 218: Configuring Ssh

    Configuring SSH Overview Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. Adopting the typical client/server model, SSH can establish a channel to protect data transfer based on TCP. SSH includes two versions: SSH1 and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible.

  • Page 219: Ssh Authentication

    In this stage, you can paste commands in text format and execute them at the CLI. The text pasted at one time must be no more than 2000 bytes. HP Interaction recommends you to paste commands in the same view. Otherwise, the server might not be able to execute the commands correctly.

  • Page 220: Ssh Support For Mpls L3vpn

    Any authentication—The server requires the client to pass either of password authentication or • publickey authentication. SSH support for MPLS L3VPN With this function, you can configure the device as an SSH client to establish connections with SSH servers in different MPLS L3VPNs. As shown in Figure 70, the hosts in VPN 1 and VPN 2 access the MPLS backbone through PEs, with the...

  • Page 221: Generating Local Dsa Or Rsa Key Pairs

    Task Remarks Required for publickey authentication users and Configuring an SSH user optional for password authentication users. Setting the SSH management parameters Optional. Generating local DSA or RSA key pairs DSA or RSA key pairs are required for generating the session key and session ID in the key and algorithm negotiation stage, and can also be used by a client to authenticate the server.

  • Page 222: Enabling The Sftp Server Function

    Enabling the SFTP server function This SFTP server function enables clients to log in to the SFTP server through SFTP. To enable the SFTP server function: Step Command Remarks Enter system view. system-view Enable the SFTP server sftp server enable Disabled by default.

  • Page 223

    A host public key obtained in other ways might be in incorrect format and cannot be saved on the server. HP recommends you to import a client's host public key from the public key file of the client.

  • Page 224: Configuring An Ssh User

    Configuring an SSH user To configure an SSH user that uses publickey authentication, you must perform the procedure in this section. To configure an SSH user that uses password authentication, whether together with publickey authentication or not, you must configure a local user account by using the local-user command for local authentication, or configure an SSH user account on an authentication server, for example, a RADIUS server, for remote authentication.

  • Page 225: Setting The Ssh Management Parameters

    Configuration procedure To configure an SSH user and specify the service type and authentication method: Step Command Remarks Enter system view. system-view • Create an SSH user, and specify the service type and authentication method for Stelnet users: ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign Use either command.

  • Page 226: Configuring The Device As An Stelnet Client

    To make sure that the Stelnet client and the Stelnet server can communicate with each other, and to improve the manageability of Stelnet clients in the authentication service, HP recommends you to specify a loopback interface or dialer interface as the source interface.

  • Page 227: Enabling And Disabling First-time Authentication

    Enabling and disabling first-time authentication When the device connects to the SSH server as an SSH client, you can configure whether the device supports first-time authentication. If first-time authentication is not supported, a client not configured with the server host public key •...

  • Page 228: Configuring The Device As An Sftp Client

    SFTP clients in the authentication service, HP recommends you to specify a loopback interface or dialer interface as the source interface. To specify a source IP address or interface for the SFTP client:...

  • Page 229: Establishing A Connection To An Sftp Server

    Step Command Remarks Enter system view. system-view • Specify a source IPv4 address or interface for the SFTP client: Use either command. sftp client source { ip ip-address | By default, an SFTP client uses the interface interface-type Specify source IP address of the outbound interface-number } address or interface for...

  • Page 230: Working With Sftp Files

    Step Command Remarks For more information, see Enter SFTP client view. "Establishing a connection to an SFTP server." Change the working directory cd [ remote-path ] Optional. on the SFTP server. Return to the upper-level cdup Optional. directory. Display the current working Optional.

  • Page 231: Displaying Help Information

    Displaying help information This configuration task displays a list of all commands or the help information of an SFTP client command, such as the command format and parameters. To display a list of all commands or the help information of an SFTP client command: Step Command For more information, see...

  • Page 232: Displaying And Maintaining Ssh

    Task Command Remarks • Upload a file to the SCP server: scp [ ipv6 ] server [ port-number ] put source-file-path [ destination-file-path ] [ identity-key { dsa | rsa } | Use either command. prefer-ctos-cipher { 3des | aes128 | aes256 | des } Only SSH users whose | prefer-ctos-hmac { md5 | md5-96 | sha1 | user privilege level is 3...

  • Page 233: Password Authentication Enabled Stelnet Server Configuration Example

    IMPORTANT: By default, Ethernet interfaces, VLAN interfaces, and aggregate interfaces are in the state of DOWN. To configure such an interface, use the undo shutdown command to bring it up first. Password authentication enabled Stelnet server configuration example Network requirements As shown in Figure 71, you can log in to the switch through the Stelnet client (SSH2) that runs on the host.

  • Page 234

    # Configure an IP address for VLAN-interface 2, which the Stelnet client will use as the destination address of the SSH connection. [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.40 255.255.255.0 [Switch-Vlan-interface2] quit # Set the authentication mode for the user interface to AAA. [Switch] user-interface vty 0 4 [Switch-ui-vty0-4] authentication-mode scheme # Enable the user interface to support SSH.

  • Page 235: Publickey Authentication Enabled Stelnet Server Configuration Example

    Figure 72 Specifying the host name (or IP address) Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username and password. After entering the username (client001) and password (aabbcc), you can enter the command-line interface of the server.

  • Page 236

    Configuration procedure In the server configuration, the client public key is required. Use the client software to generate the RSA key pairs on the client before configuring the Stelnet server. The device supports a variety of Stelnet client software, such as PuTTY, and OpenSSH. The following is an example of configuring Stelnet client using PuTTY Version 0.58.

  • Page 237

    Figure 75 Generating process After the key pairs are generated, click Save public key and specify the file name as key.pub to save the public key. Figure 76 Saving the key pair on the client...

  • Page 238

    Click Save private key to save the private key. A warning window pops up to prompt you whether to save the private key without any protection. Click Yes and enter the name of the file for saving the key (private.ppk in this case). Transmit the public key file to the server through FTP or TFTP.

  • Page 239

    # Specify the authentication method for user client002 as publickey, and assign the public key SwitchKey to the user. [Switch] ssh user client002 service-type stelnet authentication-type publickey assign publickey SwitchKey Specify the private key file and establish a connection to the Stelnet server: Launch PuTTY.exe on the Stelnet client to enter the interface as shown in Figure In the Host Name (or IP address) field, enter the IP address of the Stelnet server...

  • Page 240: Password Authentication Enabled Stelnet Client Configuration Example

    Figure 78 Specifying the private key file Click Open to connect to the server. If the connection is successfully established, the system asks you to enter the username. After entering the username (client002), you can enter the command-line interface of the server. Password authentication enabled Stelnet client configuration example Network requirements...

  • Page 241

    The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys... ++++++++ ++++++++++++++ +++++ ++++++++...

  • Page 242

    [SwitchA] quit # Establish a connection to the Stelnet server. If the client supports first-time authentication, you can directly establish a connection from the client to the server. # Establish an SSH connection to server 192.168.1.40. <SwitchA> ssh2 192.168.1.40 Username: client001 Trying 192.168.1.40 ...

  • Page 243: Publickey Authentication Enabled Stelnet Client Configuration Example

    [SwitchA-pkey-public-key] peer-public-key end # Specify the host public key for the Stelnet server (192.168.1.40) as key1. [SwitchA] ssh client authentication server 192.168.1.40 assign publickey key1 [SwitchA] quit # Establish an SSH connection to the Stelnet server 192.168.1.40. <SwitchA> ssh2 192.168.1.40 Username: client001 Trying 192.168.1.40 Press CTRL+K to abort...

  • Page 244

    [SwitchA] public-key local export dsa ssh2 key.pub [SwitchA] quit Then, transmit the public key file to the server through FTP or TFTP. (Details not shown.) Configure the Stelnet server: # Generate the RSA key pairs. <SwitchB> system-view [SwitchB] public-key local create rsa The range of public key size is (512 ~ 2048).

  • Page 245: Sftp Configuration Examples

    [SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey SwitchKey Establish a connection to the Stelnet server: # Establish an SSH connection to the Stelnet server (192.168.1.40). <SwitchA> ssh2 192.168.1.40 Username: client002 Trying 192.168.1.40 ... Press CTRL+K to abort Connected to 192.168.1.40 ...

  • Page 246

    ++++++++ ++++++++++++++ +++++ ++++++++ # Generate a DSA key pair. [Switch] public-key local create dsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort.

  • Page 247: Publickey Authentication Enabled Sftp Client Configuration Example

    open 192.168.1.45 Enter username client002 and password aabbcc as prompted to log in to the SFTP server. Figure 82 SFTP client interface Publickey authentication enabled SFTP client configuration example Network requirements As shown in Figure 83, you can log in to Switch B through the SFTP client that runs on Switch A. Switch B acts as the SFTP server and uses publickey authentication and the RSA public key algorithm.

  • Page 248: Ssh Connection

    [SwitchA] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys...

  • Page 249

    [SwitchB-Vlan-interface2] quit # Set the authentication mode on the user interface to AAA. [SwitchB] user-interface vty 0 4 [SwitchB-ui-vty0-4] authentication-mode scheme # Set the protocol that a remote user uses to log in as ssh. [SwitchB-ui-vty0-4] protocol inbound ssh [SwitchB-ui-vty0-4] quit # Import the peer public key from the file pubkey, and name it SwitchKey.

  • Page 250

    # Add a directory named new1 and check if it has been created successfully. sftp-client> mkdir new1 New directory created sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup...

  • Page 251: File Transfer With Password Authentication

    File transfer with password authentication Network requirements As shown in Figure 84, Switch A acts as the SCP client, and Switch B acts as the SCP server. A user can securely transfer files with Switch B through Switch A. Switch B uses the password authentication method and the client 's username and password are saved on Switch B.

  • Page 252

    # Enable the user interface to support SSH. [SwitchB-ui-vty0-4] protocol inbound ssh [SwitchB-ui-vty0-4] quit # Create a local user named client001 with the password as aabbcc and service type as ssh. [SwitchB] local-user client001 [SwitchB-luser-client001] password simple aabbcc [SwitchB-luser-client001] service-type ssh [SwitchB-luser-client001] quit # (Optional) Configure the SSH user client001 with service type as scp and authentication method as password.

  • Page 253: Configuring Blacklist

    Configuring blacklist This function is available only on the network management port of the device. Overview The blacklist function is an attack protection measure that filters packets by source IP address. Compared with ACL packet filtering, blacklist filtering is simpler in matching packets and therefore can filter packets at a high speed.

  • Page 254: Displaying And Maintaining The Blacklist

    Step Command Remarks Optional. blacklist ip source-ip-address The scanning attack protection Add a blacklist entry. [ timeout minutes ] function can add blacklist entries automatically. Displaying and maintaining the blacklist Task Command Remarks display blacklist { all | ip source-ip-address Display information about one or [ slot slot-number ] | slot slot-number } [ | all blacklist entries on a switch...

  • Page 255

    [Switch] display blacklist all Blacklist information ------------------------------------------------------------------------- Blacklist : enabled Blacklist items ------------------------------------------------------------------------------ Type Aging started Aging finished Dropped packets YYYY/MM/DD hh:mm:ss YYYY/MM/DD hh:mm:ss 5.5.5.5 manual 2008/04/09 16:02:20 Never The output shows that Host B's IP address has been blacklisted. The switch should always drop packets from Host B unless you delete Host B's IP address from the blacklist by using the undo blacklist ip 5.5.5.5 command.

  • Page 256: Configuring Tcp And Icmp Attack Protection

    Configuring TCP and ICMP attack protection Overview An attacker can attack the device during the process of TCP connection establishment or by sending a large number of ICMP fragments. To prevent such attacks, the switch provides the following features: SYN Cookie •...

  • Page 257: Enabling Protection Against Naptha Attacks

    becomes effective. For more information about MD5 authentication, see Layer 3—IP Routing Configuration Guide. Enabling protection against Naptha attacks Naptha attacks are similar to the SYN Flood attacks. Attackers can perform Naptha attacks by using the six TCP connection states (CLOSING, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, and SYN_RECEIVED), and SYN Flood attacks by using only SYN_RECEIVED state.

  • Page 258: Disabling Forwarding Icmp Fragments

    Disabling forwarding ICMP fragments To prevent ICMP fragment attacks, you can disable the switch from forwarding ICMP fragments. To disable the switch from forwarding ICMP fragments: Step Command Remarks Enter system view. system-view Disable forwarding ICMP By default, the switch is enabled to ip icmp fragment discarding fragments.

  • Page 259: Configuring Ip Source Guard

    Configuring IP source guard In this chapter, EB cards refer to the cards suffixed with EB. Overview IP source guard is intended to improve port security by blocking illegal packets. It can, for example, prevent invalid hosts from using a valid IP address to access the network. IP source guard can filter packets according to the packet source IP address, source MAC address, and VLAN tag.

  • Page 260: Dynamic Ip Source Guard Entries

    A static IPv4 source guard entry filters IPv4 packets received by the port or checks the validity of users by cooperating with the ARP detection feature. A static IPv6 source guard entry filters IPv6 packets received by the port or checks the validity of users by cooperating with the ND detection feature. For information about ARP detection, see "Configuring ARP attack protection."...

  • Page 261: Configuring The Ipv4 Source Guard Function

    NOTE: You cannot enable IP source guard on a link aggregation member port. If IP source guard is enabled on • a port, you cannot assign the port to a link aggregation group. • IP source guard does not take effect if configured on a Layer 3 aggregate interface or Layer 3 aggregate subinterface.

  • Page 262: Configuring A Static Ipv4 Source Guard Entry

    Step Command Remarks interface interface-type Enter interface view. interface-number ip verify source { ip-address | Configure IPv4 source guard ip-address mac-address | Not configured by default. on the port. mac-address } Configuring a static IPv4 source guard entry Static IPv4 binding entries take effect only on the ports configured with the IPv4 source guard function (see "Configuring IPv4 source guard on a port").

  • Page 263: Configuring The Ipv6 Source Guard Function

    Step Command Remarks interface interface-type Enter interface view. interface-number Optional. By default, the maximum number allowed on a port is that allowed Set the maximum number of by the system. The maximum ip verify source max-entries IPv4 binding entries allowed number allowed by the system number on the port.

  • Page 264: Configuring A Static Ipv6 Source Guard Entry

    in such a case, IPv6 source guard usually uses the DHCPv6 snooping entries to filter packets on a port. Configuration procedure To configure the IPv6 source guard function on a port: Step Command Remarks Enter system view. system-view interface interface-type Enter interface view.

  • Page 265: Setting The Maximum Number Of Ipv6 Source Guard Entries

    Step Command Remarks By default, no static IPv6 binding entry is configured on a port. ipv6 source binding { ipv6-address ipv6-address | ipv6-address A static IPv6 binding entry can be Configure a static IPv6 ipv6-address mac-address configured on only Layer 2 binding entry on a port.

  • Page 266

    Task Command Remarks display ip source binding static [ interface Display static IPv4 source guard interface-type interface-number | entries on a switch in standalone ip-address ip-address | mac-address Available in any view. mode. mac-address ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] display ip source binding static [ interface interface-type interface-number |...

  • Page 267: Ip Source Guard Configuration Examples

    IP source guard configuration examples IMPORTANT: By default, Ethernet interfaces, VLAN interfaces, and aggregate interfaces are in DOWN state. To configure such an interface, first use the undo shutdown command to bring the interface up. Static IPv4 source guard entry configuration example Network requirements As shown in Figure...

  • Page 268

    [DeviceA-GigabitEthernet3/0/2] quit # Configure the IPv4 source guard function on GigabitEthernet 3/0/1 to filter packets based on both the source IP address and MAC address. [DeviceA] interface GigabitEthernet 3/0/1 [DeviceA-GigabitEthernet3/0/1] ip verify source ip-address mac-address # Configure GigabitEthernet 3/0/1 to allow only IP packets with the source MAC address of 0001-0203-0406 and the source IP address of 192.168.0.1 to pass.

  • Page 269: Dynamic Ipv4 Source Guard By Dhcp Snooping Configuration Example

    Dynamic IPv4 source guard by DHCP snooping configuration example Network requirements As shown in Figure 88, the device connects to the host (client) and the DHCP server through ports GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2, respectively. The host obtains an IP address from the DHCP server.

  • Page 270: Dynamic Ipv4 Source Guard By Dhcp Relay Configuration Example

    The client binding table for all untrusted ports. Type : D--Dynamic , S--Static Type IP Address MAC Address Lease VLAN Interface ==== =============== ============== ============ ==== ================= 192.168.0.1 0001-0203-0406 86335 GigabitEthernet3/0/1 The output shows that a dynamic IPv4 source guard entry has been generated based on the DHCP snooping entry.

  • Page 271: Static Ipv6 Source Guard Entry Configuration Example

    [Device] interface vlan-interface 100 [Device-Vlan-interface100] dhcp select relay # Correlate VLAN-interface 100 with DHCP server group 1. [Device-Vlan-interface100] dhcp relay server-select 1 [Device-Vlan-interface100] quit Verify the configuration: Display the generated IPv4 source guard entries. [Device] display ip source binding Total entries found: 1 MAC Address IP Address VLAN...

  • Page 272: Dynamic Ipv6 Source Guard By Dhcpv6 Snooping Configuration Example

    Dynamic IPv6 source guard by DHCPv6 snooping configuration example Network requirements As shown in Figure 91, the host (DHCPv6 client) and the DHCPv6 server are connected to the device through ports GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2, respectively. Enable DHCPv6 and DHCPv6 snooping on the device, so that the host can obtain an IP address through the DHCPv6 server and the IPv6 IP address and MAC address of the host can be recorded in a DHCPv6 snooping entry.

  • Page 273: Dynamic Ipv6 Source Guard By Nd Snooping Configuration Example

    # Display all DHCPv6 snooping entries to see whether they are consistent with the dynamic IP source guard entries generated on GigabitEthernet 3/0/1. [Device] display ipv6 dhcp snooping user-binding dynamic IP Address MAC Address Lease VLAN Interface ============================== ============== ========== ==== ================== 2001::1 040a-0000-0001 286 GigabitEthernet3/0/1...

  • Page 274: Troubleshooting Ip Source Guard

    [Device] display ipv6 nd snooping IPv6 Address MAC Address Interface Aging Status 2001::1 040a-0000-0001 2 GigabitEthernet3/0/1 Bound ---- Total entries: 1 ---- The output shows that a dynamic IPv6 source guard entry has generated on port GigabitEthernet 3/0/1 based on the ND snooping entry. Troubleshooting IP source guard Neither static binding entries nor the dynamic binding function can be configured...

  • Page 275: Configuring Arp Attack Protection

    Configuring ARP attack protection Overview Although ARP is easy to implement, it provides no security mechanism and thus is prone to network attacks. An attacker may send: ARP packets by acting as a trusted user or gateway, so that the receiving switch obtains incorrect •...

  • Page 276: Configuring Arp Defense Against Ip Packet Attacks

    Task Remarks Optional. Configuring ARP detection Configure this function on access devices (recommended). Configuring ARP defense against IP packet attacks Introduction If a switch receives a large number of IP packets from a host to unreachable destinations, the following situations can occur: The switch sends a large number of ARP requests to the destination subnets, and thus the load of the •...

  • Page 277: Displaying And Maintaining Arp Defense Against Ip Packet Attacks

    CPU for checking. As a result, the switch fails to deliver other functions properly or even crashes. To solve this problem, you can configure ARP packet rate limit. HP recommends that you configure this feature after the ARP detection feature is configured, or use this feature to prevent ARP flood attacks.

  • Page 278: Displaying And Maintaining Source Mac Address Based Arp Attack Detection

    You can exclude the MAC addresses of some gateways and servers from detection. This feature does not inspect ARP packets from those devices even if they are attackers. Only the ARP packets delivered to the CPU are checked. To configure source MAC address based ARP attack detection: Step Command Remarks...

  • Page 279: Configuring Arp Packet Source Mac Address Consistency Check

    Configuring ARP packet source MAC address consistency check Introduction The ARP packet source MAC address consistency check feature enables a gateway device to filter out ARP packets that have a different source MAC address in the Ethernet header from the sender MAC address in the message, so that the gateway device can learn correct ARP entries.

  • Page 280: Configuring Authorized Arp

    Configuring authorized ARP This feature is only supported on Ethernet interfaces that are operating in Layer 3 mode. For more information about the operating mode of Ethernet interfaces, see Interface Configuration Guide. Introduction Authorized ARP entries are generated based on the DHCP clients’ address leases on the DHCP server or dynamic bindings on the DHCP relay agent.

  • Page 281: Network Requirements

    Network requirements As shown in Figure 93, Switch A acts as a DHCP server with an IP address pool of 10.1.1.0/24. Enable authorized ARP on GigabitEthernet 3/0/1 of Switch A. The host is a DHCP client that obtains IP address 10.1.1.2/24 from the DHCP server.

  • Page 282: Authorized Arp Configuration Example (on A Dhcp Relay Agent)

    Authorized ARP configuration example (on a DHCP relay agent) Network requirements As shown in Figure 94, Switch A acts as a DHCP server with an IP address pool of 10.10.1.0/24. Switch B is a DHCP relay agent, which conveys the IP address from the DHCP server to the DHCP client (Host). Enable authorized ARP on GigabitEthernet 3/0/2 of Switch B.

  • Page 283: Configuring Arp Detection

    [SwitchB-GigabitEthernet3/0/1] quit [SwitchB] interface GigabitEthernet 3/0/2 [SwitchB-GigabitEthernet3/0/2] port link-mode route [SwitchB-GigabitEthernet3/0/2] ip address 10.10.1.1 24 # Enable DHCP relay agent on GigabitEthernet 3/0/2. [SwitchB-GigabitEthernet3/0/2] dhcp select relay [SwitchB-GigabitEthernet3/0/2] quit # Add the DHCP server 10.1.1.1 to DHCP server group 1. [SwitchB] dhcp relay server-group 1 ip 10.1.1.1 # Correlate GigabitEthernet 3/0/2 to DHCP server group 1.

  • Page 284: Security Entries/oui Mac Addresses

    Enabling ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1x security entries/OUI MAC addresses With this feature enabled, the switch compares the sender IP and MAC addresses of an ARP packet received from the VLAN against the static IP source guard binding entries, DHCP snooping entries, 802.1X security entries, or OUI MAC addresses to prevent spoofing.

  • Page 285: Configuring Arp Detection Based On Specified Objects

    Step Command Remarks Enter Layer 2 Ethernet interface view interface interface-type or Layer 2 aggregate interface view. interface-number Configure the port as a trusted port Optional. on which ARP detection does not arp detection trust The port is an untrusted port by default. apply.

  • Page 286: Configuring Arp Restricted Forwarding

    Configuring ARP restricted forwarding ARP restricted forwarding controls the forwarding of ARP packets that are received on untrusted ports and have passed ARP detection as follows: If the packets are ARP requests, they are forwarded through the ARP-trusted ports. • If the packets are ARP responses, they are forwarded according to their destination MAC address.

  • Page 287

    Figure 95 Network diagram Configuration procedure Add all the ports on Switch B into VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A. (Details not shown.) Configure DHCP address pool 0 on Switch A as a DHCP server. <SwitchA>...

  • Page 288: Arp Detection Configuration Example 2

    [SwitchB-vlan10] interface GigabitEthernet 3/0/3 [SwitchB-GigabitEthernet3/0/3] arp detection trust [SwitchB-GigabitEthernet3/0/3] quit After the preceding configurations are complete, when ARP packets arrive at interfaces GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2, they are checked against 802.1X security entries. ARP detection configuration example 2 IMPORTANT: By default, Ethernet, VLAN, and aggregate interfaces are down.

  • Page 289: Arp Restricted Forwarding Configuration Example

    # Enable DHCP snooping. <SwitchB> system-view [SwitchB] dhcp-snooping [SwitchB] interface GigabitEthernet 3/0/3 [SwitchB-GigabitEthernet3/0/3] dhcp-snooping trust [SwitchB-GigabitEthernet3/0/3] quit # Enable ARP detection for VLAN 10. [SwitchB] vlan 10 [SwitchB-vlan10] arp detection enable # Configure the upstream port as a trusted port and the downstream ports as untrusted ports (a port is an untrusted port by default).

  • Page 290

    Figure 97 Network diagram Configuration procedure Configure VLAN 10, add ports to VLAN 10, and configure the IP address of the VLAN-interface, as shown in the above figure. (Details not shown.) Configure DHCP address pool 0 for the DHCP server on Switch A. <SwitchA>...

  • Page 291

    # Enable the checking of the MAC addresses and IP addresses of ARP packets. [SwitchB] arp detection validate dst-mac ip src-mac # Create isolation group 2. [SwitchB] port-isolate group 2 # Add GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 to isolation group 2. [SwitchB] interface GigabitEthernet 3/0/1 [SwitchB-GigabitEthernet3/0/1] port-isolate enable group 2 [SwitchB-GigabitEthernet3/0/1] quit...

  • Page 292: Configuring Nd Attack Defense

    Configuring ND attack defense Overview The IPv6 Neighbor Discovery (ND) protocol uses five types of ICMPv6 messages to implement five functions: address resolution, neighbor reachability detection, duplicate address detection, router/prefix discovery and address autoconfiguration, and redirection. For more information about the five functions of the ND protocol, see Layer 3—IP Services Configuration Guide.

  • Page 293: Enabling Source Mac Consistency Check For Nd Packets

    The source MAC address in the Ethernet frame header is inconsistent with that carried in the source • link layer address option of the ND packet. The mapping between the source IPv6 address and the source MAC address in the Ethernet frame •...

  • Page 294: Configuration Guidelines

    source IPv6 address, the ND detection function continues to look up the DHCPv6 snooping table and the ND snooping table. If a match is found in either the DHCPv6 snooping or ND snooping table, the ND packet is • considered legal and forwarded. If no match is found in either table, the packet is considered illegal and discarded directly.

  • Page 295: Nd Detection Configuration Example

    Task Command Remarks Display the ND detection display ipv6 nd detection [ | { begin | Available in any view. configuration. exclude | include } regular-expression ] display ipv6 nd detection statistics Display the statistics of discarded [ interface interface-type packets when the ND detection checks Available in any view.

  • Page 296

    Configuration procedure Configure Switch A: # Enable IPv6. <SwitchA> system-view [SwitchA] ipv6 # Create VLAN 10. [SwitchA] vlan 10 [SwitchA-vlan10] quit # Configure port GigabitEthernet 3/0/3 to permit the traffic of VLAN 10 to pass through. [SwitchA] interface GigabitEthernet 3/0/3 [SwitchA-GigabitEthernet3/0/3] port link-type trunk [SwitchA-GigabitEthernet3/0/3] port trunk permit vlan 10 [SwitchA-GigabitEthernet3/0/3] quit...

  • Page 297

    [SwitchB-vlan 10] ipv6 nd detection enable [SwitchB-vlan 10] quit # Configure the uplink port GigabitEthernet 3/0/3 as an ND-trusted port, while the downlink ports GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 as ND-untrusted ports (the default). [SwitchB] interface GigabitEthernet 3/0/3 [SwitchB-GigabitEthernet3/0/3] ipv6 nd detection trust After the configuration is complete, incoming ND packets on ports GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 will be checked based on the address entries in the ND snooping table.

  • Page 298: Configuring Urpf

    Configuring URPF Overview Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks, such as denial of service (DoS) and distributed denial of service (DDoS) attacks. Attackers send packets with forged source addresses to access a system that uses IP-address-based authentication in the name of authorized users, or even the administrator.

  • Page 299

    URPF does a reverse route lookup for routes to the source address of the packet. If at least one outgoing interface of such a route matches the receiving interface, the packet passes the check. Otherwise, the packet is discarded. The reverse route lookup refers to searching the outgoing interface whose destination IP address is the source IP address of the packet.

  • Page 300

    to pass. Enable strict URPF check on VLAN-interface 10 of Switch A to allow use of the default route for URPF check. Figure 101 Network diagram Configuration procedure Configure Switch B: # Create VLAN 10. <SwitchB> system-view [SwitchB] vlan 10 [SwitchB-vlan10] quit # Specify the IP address for VLAN-interface 10.

  • Page 301: Configuring Pki

    With digital certificates, the PKI system provides network communication and e-commerce with security services such as user authentication, data non-repudiation, data confidentiality, and data integrity. HP's PKI system provides certificate management for IP Security (IPsec), Secure Sockets Layer (SSL), and WLAN Authentication and Privacy Infrastructure (WAPI).

  • Page 302: Pki Architecture

    CA policy A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revoking certificates, and publishing CRLs. Usually, a CA advertises its policy in the form of certification practice statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, and email.

  • Page 303: Pki Operation

    PKI operation In a PKI-enabled network, an entity can request a local certificate from the CA and the device can check the validity of certificates. Here is how it operates: An entity submits a certificate request to the RA. The RA reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the CA.

  • Page 304: Configuring An Entity Dn

    Task Remarks Optional. Destroying a local RSA or ECDSA key pair Optional. Deleting a certificate Optional. Configuring an access control policy Configuring an entity DN A certificate is the binding of a public key and the identity information of an entity, where the identity information is identified by an entity distinguished name (DN).

  • Page 305: Configuring A Pki Domain

    The RA only checks the application qualification of an entity; it does not issue any certificate. Sometimes, the registration management function is provided by the CA, in which case no independent RA is required. HP recommends you to deploy an independent RA. •...

  • Page 306: Submitting A Pki Certificate Request

    content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not match the one configured for the PKI domain, the entity will reject the root certificate. To configure a PKI domain: Step Command Remarks Enter system view.

  • Page 307: Submitting A Certificate Request In Auto Mode

    Online certificate request falls into manual mode and auto mode. Submitting a certificate request in auto mode In auto mode, an entity automatically requests a certificate from the CA server if it has no local certificate for an application working with PKI. For example, when PKI certificate authentication is used, if no local certificate is available during IKE negotiation, the entity automatically requests one, and saves the local certificate after retrieving it from the CA.

  • Page 308: Retrieving A Certificate Manually

    Make sure that the entity and the CA are synchronous in system time. Otherwise, the validity period • of the certificate is abnormal. The pki request-certificate domain configuration is not saved in the configuration file. • Configuration procedure To submit a certificate request in manual mode: Step Command Remarks...

  • Page 309: Configuring Pki Certificate Verification

    Step Command Remarks Enter system view. system-view • In online mode: pki retrieval-certificate { ca | local } domain domain-name Retrieve a certificate • Use either command. In offline mode: manually. pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ] Configuring PKI certificate verification A certificate needs to be verified before being used.

  • Page 310: Configuring Pki Certificate Verification Without Crl Checking

    Step Command Remarks pki retrieval-crl domain The pki retrieval-crl domain Retrieve CRLs. domain-name command cannot be saved in the configuration file. Verify the validity of a pki validate-certificate { ca | local } certificate. domain domain-name Configuring PKI certificate verification without CRL checking Step Command Remarks...

  • Page 311: Configuring An Access Control Policy

    Step Command Enter system view. system-view Delete certificates. pki delete-certificate { ca | local } domain domain-name Configuring an access control policy By configuring a certificate attribute access control policy, you can further control access to the server, providing additional security for the server. To configure a certificate attribute access control policy: Step Command...

  • Page 312: Pki Configuration Examples

    PKI configuration examples The SCEP add-on is required when you use the Windows Server as the CA. In this case, when you configure the PKI domain, you must the certificate request from ra command to specify that the entity requests a certificate from an RA. The SCEP add-on is not required when RSA Keon is used.

  • Page 313

    [Switch-pki-entity-aaa] quit # Create PKI domain torsa and enter its view. [Switch] pki domain torsa # Configure the name of the trusted CA as myca. [Switch-pki-domain-torsa] ca identifier myca # Configure the URL of the registration server in the format of http://host:port/Issuing Jurisdiction ID, where Issuing Jurisdiction ID is a hexadecimal string generated on the CA server.

  • Page 314

    [Switch] pki request-certificate domain torsa challenge-word Certificate is being requested, please wait..[Switch] Enrolling the local certificate,please wait a while..Certificate request Successfully! Saving the local certificate to device..Done! Verifying the configuration # Display information about the local certificate acquired. [Switch] display pki certificate local domain torsa Certificate: Data:...

  • Page 315: Certificate Request From A Windows 2003 Ca Server

    9C391FF0 7383C4DF 9A0CCFA9 231428AF 987B029C C857AD96 E4C92441 9382E798 8FCC1E4A 3E598D81 96476875 E2F86C33 75B51661 B6556C5E 8F546E97 5197734B C8C29AC7 E427C8E4 B9AAF5AA 80A75B3C You can also use some other display commands, for example, display pki certificate ca domain and display pki crl domain commands, to view detailed information about the CA certificate and CRLs. For more information about the commands, see Security Command Reference.

  • Page 316

    To avoid conflict with existing services, specify an available port number as the TCP port number of the default website. After completing the configuration, check that the system clock of the switch is synchronous to that of the CA server, so that the switch can request a certificate normally. Configuring the switch: # Configure the entity name as aaa and the common name as switch.

  • Page 317

    CA certificates retrieval success. # Request a local certificate manually. [Switch] pki request-certificate domain torsa challenge-word Certificate is being requested, please wait..[Switch] Enrolling the local certificate,please wait a while..Certificate request Successfully! Saving the local certificate to device..Done! Verifying the configuration # Display information about the retrieved local certificate.

  • Page 318: Certificate Attribute Access Control Policy Configuration

    URI:file://\\l00192b\CertEnroll\CA server.crl Authority Information Access: CA Issuers - URI:http://l00192b/CertEnroll/l00192b_CA%20server.crt CA Issuers - URI:file://\\l00192b\CertEnroll\l00192b_CA server.crt 1.3.6.1.4.1.311.20.2: .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e Signature Algorithm: sha1WithRSAEncryption 81029589 7BFA1CBD 20023136 B068840B (Omitted) You can also use some other display commands to view more information about the CA certificate. For more information about the display pki certificate ca domain command, see Security Command Reference.

  • Page 319: Troubleshooting Pki

    # Create certificate attribute group mygroup1 and add two attribute rules. The first rule defines that the DN of the subject name includes the string aabbcc, and the second rule defines that the IP address of the certificate issuer is 10.0.0.1. [Switch] pki certificate attribute-group mygroup1 [Switch-pki-cert-attribute-group-mygroup1] attribute 1 subject-name dn ctn aabbcc [Switch-pki-cert-attribute-group-mygroup1] attribute 2 issuer-name ip equ 10.0.0.1...

  • Page 320: Failed To Request A Local Certificate

    Solution Make sure that the network connection is physically proper. Check that the required commands are configured properly. Use the ping command to check that the RA server is reachable. Specify the authority for certificate request. Synchronize the system clock of the switch with that of the CA. Failed to request a local certificate Symptom Failed to request a local certificate.

  • Page 321

    Solution Make sure that the network connection is physically proper. Retrieve a CA certificate. Specify the IP address of the LDAP server. Specify the CRL distribution URL. Re-configure the LDAP version. Configure the correct DNS server that can resolve the domain name of the CRL distribution point.

  • Page 322: Configuring Ssl

    Configuring SSL For information about FIPS mode, see "Configuring FIPS." Overview Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols such as HTTP. It is widely used in e-business and online bank fields to ensure secure data transmission over the Internet.

  • Page 323: Ssl Protocol Stack

    SSL protocol stack As shown in Figure 107, the SSL protocol consists of two layers of protocols: the SSL record protocol at the lower layer and the SSL handshake protocol, change cipher spec protocol, and alert protocol at the upper layer. Figure 107 SSL protocol stack •...

  • Page 324

    To configure an SSL server policy: Step Command Remarks Enter system view. system-view Create an SSL server policy ssl server-policy policy-name and enter its view. By default, no PKI domain is specified for an SSL server policy. If SSL clients authenticate the server Specify a PKI domain for the through a digital certificate, you pki-domain domain-name...

  • Page 325: Ssl Server Policy Configuration Example

    SSL server policy configuration example Network requirements As shown in Figure 108, users can need to access and control the switch through webpages. For security of the switch and to protect data from being eavesdropped or tampered with, configure the switch properly so that the users must use HTTPS (HTTP Secure, which uses SSL) to log in to the Web interface of the device.

  • Page 326: Configuring An Ssl Client Policy

    # Create the local RSA key pairs. [Switch] public-key local create rsa # Retrieve the CA certificate. [Switch] pki retrieval-certificate ca domain 1 # Request a local certificate for Switch. [Switch] pki request-certificate domain 1 # Create an SSL server policy named myssl. [Switch] ssl server-policy myssl # Specify the PKI domain for the SSL server policy as 1.

  • Page 327: Displaying And Maintaining Ssl

    Step Command Remarks Optional. No PKI domain is configured by default. If the SSL server authenticates the SSL client through a digital Specify a PKI domain for the certificate, you must use this pki-domain domain-name SSL client policy. command to specify a PKI domain and request a local certificate for the SSL client in the PKI domain.

  • Page 328: Troubleshooting Ssl

    Troubleshooting SSL SSL handshake failure Symptom As the SSL server, the device fails to handshake with the SSL client. Analysis SSL handshake failure may result from the following causes: The SSL client is configured to authenticate the SSL server, but the SSL server has no certificate or the •...

  • Page 329: Configuring Fips

    Configuring FIPS Overview The Federal Information Processing Standard (FIPS) 140-2, developed by the National Institute of Standard and Technology (NIST) of the United States, specifies the security requirements for cryptographic modules. FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4" from low to high.

  • Page 330

    Configuring FIPS After you enable FIPS mode, the system has strict security requirements, and performs self-test on cryptography modules to make sure that they work normally. For Common Criteria (CC) evaluation in FIPS mode, the switch also works in a working mode that complies with the CC standard. Before enabling FIPS mode, complete the following tasks: Configure the login username and password.

  • Page 331: Displaying And Maintaining Fips

    Step Command Remarks Trigger a self-test. fips self-test Displaying and maintaining FIPS Task Command Remarks Display FIPS state. display fips status Available in any view. FIPS configuration example Network requirements Configure the switch to work in FIPS mode and create a local user for the PC so that PC can log in to the switch in FIPS mode.

  • Page 332

    Validating file. Please wait......Saved the current configuration to mainboard device successfully. Configuration is saved to device successfully. [Sysname] quit # Reboot the switch. <Sysname> reboot CAUTION: After you enable the FIPS mode, be sure to create a local user and its password before you reboot the switch.

  • Page 333: Support And Other Resources

    Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. •...

  • Page 334: Conventions

    Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...

  • Page 335

    Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.

  • Page 336: Index

    Configuring the quiet timer,85 Configuring AAA methods for ISP domains,43 Configuring URPF,289 Configuring AAA schemes,19 Contacting HP,323 Configuring an 802.1X Auth-Fail VLAN,87 Controlled/uncontrolled port and port authorization Configuring an 802.1X guest VLAN,86 status,68 Configuring an access control policy,301 Controlling access of portal...

  • Page 337

    FIPS self-tests,319 Setting the NAT keepalive timer,203 Setting the port authorization state,80 HP implementation of 802.1X,76 SFTP configuration examples,235 Specifying a mandatory authentication domain on a port,85 IKE configuration example,204 Specifying a source IP address for outgoing portal...

  • Page 338

    Tearing down user connections,50 Troubleshooting SSL,318 Troubleshooting AAA,65 Troubleshooting IKE,205 URPF configuration example,289 Troubleshooting IP source guard,264 Using MAC authentication with VLAN assignment,96 Troubleshooting PKI,309 Troubleshooting portal,143...

Comments to this Manuals

Symbols: 0
Latest comments: