Contents
Configuring AAA ..... 1
  Overview ..... 1
    RADIUS ..... 2
    HWTACACS ..... 6
    LDAP ..... 9
    AAA implementation on the device ..... 12
    AAA for MPLS L3VPNs ..... 14
    RADIUS server feature of the device ..... 14
    Protocols and standards ..... 15
    RADIUS attributes ..... ...
  802.1X-related protocols ..... 85
    Packet formats ..... 85
    EAP over RADIUS ..... 86
  802.1X authentication initiation ..... 87
    802.1X client as the initiator ..... 87
    Access device as the initiator ..... 87
  802.1X authentication procedures ..... 88
    Comparing EAP relay and EAP termination ..... 88
    EAP relay ..... ...
  Configuring an 802.1X critical VLAN ..... 115
    Configuration restrictions and guidelines ..... 115
    Configuration prerequisites ..... 115
    Configuration procedure ..... 115
  Enabling the 802.1X critical voice VLAN ..... 116
    Configuration restrictions and guidelines ..... 116
    Configuration prerequisites ..... 116
    Configuration procedure ..... 116
  Configuring an 802.1X guest VSI ..... ...
  Configuration prerequisites ..... 144
  General guidelines and restrictions ..... 144
  Configuration task list ..... 145
  Enabling MAC authentication ..... 145
  Specifying a MAC authentication domain ..... 146
  Configuring the user account format ..... 146
  Configuring MAC authentication timers ..... 147
  Setting the maximum number of concurrent MAC authentication users on a port ..... 147
  Enabling MAC authentication multi-VLAN mode on a port ..... ...
    Configuration restrictions and guidelines ..... 177
    Configuration procedure ..... 178
  Specifying a portal Web server ..... 178
  Controlling portal user access ..... 179
    Configuring a portal-free rule ..... 179
    Configuring an authentication source subnet ..... 180
    Configuring an authentication destination subnet ..... 181
    Setting the maximum number of portal users ..... ...
  Enabling port security ..... 244
  Setting port security's limit on the number of secure MAC addresses on a port ..... 244
  Setting the port security mode ..... 245
  Configuring port security features ..... 246
    Configuring NTK ..... 246
    Configuring intrusion protection ..... 247
  Configuring secure MAC addresses ..... ...
  Displaying and maintaining keychain ..... 277
  Keychain configuration example ..... 277
    Network requirements ..... 277
    Configuration procedure ..... 278
    Verifying the configuration ..... 279
Managing public keys ..... 283
  Overview ..... 283
  FIPS compliance ..... 283
  Creating a local key pair ..... 283
  Distributing a local host public key ..... ...
    Failed to import the CA certificate ..... 327
    Failed to import a local certificate ..... 328
    Failed to export certificates ..... 328
    Failed to set the storage path ..... 329
Configuring IPsec ..... 330
  Overview ..... 330
    Security protocols and encapsulation modes ..... 330
    Security association ..... ...
    Main mode IKE with pre-shared key authentication configuration example ..... 369
    Aggressive mode with RSA signature authentication configuration example ..... 371
  Troubleshooting IKE ..... 375
    IKE negotiation failed because no matching IKE proposals were found ..... 375
    IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly ..... 376
    IPsec SA negotiation failed because no matching IPsec transform sets were found ..... ...
    Specifying the source IP address for SFTP packets ..... 414
    Establishing a connection to an SFTP server ..... 414
    Deleting server public keys saved in the public key file on the SFTP client ..... 416
    Establishing a connection to an SFTP server based on Suite B ..... 417
    Working with SFTP directories ..... ...
  Configuring an attack defense policy ..... 476
    Creating an attack defense policy ..... 476
    Configuring a single-packet attack defense policy ..... 477
    Configuring a scanning attack defense policy ..... 479
    Configuring a flood attack defense policy ..... 479
    Configuring attack detection exemption ..... 484
    Applying an attack defense policy to an interface ..... ...
  Configuring authorized ARP ..... 517
    Configuration procedure ..... 517
    Configuration example (on a DHCP server) ..... 517
    Configuration example (on a DHCP relay agent) ..... 518
  Configuring ARP attack detection ..... 519
    Configuring user validity check ..... 520
    Configuring ARP packet validity check ..... 521
    Configuring ARP restricted forwarding ..... ...
Configuring AAA

Overview

Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. This feature specifies the following security functions:
• Authentication—Identifies users and verifies their validity.
• Authorization—Grants different users different rights, and controls the users' access to resources and services.
RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. The protocol can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access.
Basic RADIUS packet exchange process

Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.

Figure 3 Basic RADIUS packet exchange process (participants: Host, RADIUS client, RADIUS server)
1) Username and password
2) Access-Request
3) Access-Accept/Reject
4) Accounting-Request (start)
5) Accounting-Response
6) The host accesses the resources...
Figure 4 RADIUS packet format (fields, in order: Code, Identifier, Length, Authenticator (16 bytes), Attributes)

Descriptions of the fields are as follows:
• The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main values and their meanings.

Table 1 Main values of the Code field
Code / Packet type
...
Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868. For more information, see "Commonly used standard RADIUS attributes."

Table 2 Commonly used RADIUS attributes (two columns of attribute names)
User-Name | Acct-Authentic
User-Password | Acct-Session-Time
CHAP-Password | Acct-Input-Packets
NAS-IP-Address | Acct-Output-Packets
NAS-Port | Acct-Terminate-Cause
...
Login-LAT-Node | Tunnel-Assignment-id
Login-LAT-Group | Tunnel-Preference
Framed-AppleTalk-Link | ARAP-Challenge-Response
Framed-AppleTalk-Network | Acct-Interim-Interval
Framed-AppleTalk-Zone | Acct-Tunnel-Packets-Lost
Acct-Status-Type | NAS-Port-Id
Acct-Delay-Time | Framed-Pool
Acct-Input-Octets | (unassigned)
Acct-Output-Octets | Tunnel-Client-Auth-id
Acct-Session-Id | Tunnel-Server-Auth-id

Extended RADIUS attributes

The RADIUS protocol features excellent extensibility. The Vendor-Specific attribute (attribute 26) allows a vendor to define extended attributes. The extended attributes can implement functions that the standard RADIUS protocol does not provide.
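The packet layout of Figure 4 (Code, Identifier, Length, 16-byte Authenticator, TLV attributes), the Access-Request/Access-Accept exchange of Figure 3, and the Vendor-Specific attribute 26 described above can all be seen concretely in the following Python script. It is an added example, not code from the HPE guide or the device: it encodes the standard attributes, hides User-Password with the MD5 chain of RFC 2865 section 5.2, and lets the client verify the server's Response Authenticator (MD5 over the response header, the request's authenticator, the attributes and the shared key). The shared secret, the vendor ID, the NAS address, the fixed request authenticator and the user credentials are constructed sample values.

```python
import hashlib
import hmac
import os
import socket
import struct

# Constructed sample values for the example (not from the guide).
SHARED_SECRET = b"example-shared-secret"
EXAMPLE_VENDOR_ID = 99999          # placeholder vendor ID for attribute 26
CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT, ATTR_VENDOR_SPECIFIC = 4, 5, 26


def attribute(attr_type, value):
    """Encode one Type-Length-Value attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def vendor_specific(vendor_id, vendor_type, value):
    """Attribute 26: 4-byte Vendor-Id followed by a vendor-defined TLV."""
    inner = bytes([vendor_type, len(value) + 2]) + value
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Server-side inverse of hide_password; assumes the password has no trailing NUL bytes."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out, prev = out + bytes(c ^ b for c, b in zip(chunk, block)), chunk
    return out.rstrip(b"\x00")


def build_packet(code, identifier, authenticator, attributes):
    """Header (Code, Identifier, Length) + Authenticator + Attributes, per Figure 4."""
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + authenticator + attributes


def parse_packet(data):
    """Split a packet into (code, identifier, authenticator, [(type, value), ...]); rejects bad lengths."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, identifier, data[4:20], attrs


def build_access_request(identifier, username, password, nas_ip, nas_port, secret, request_authenticator=None):
    ra = request_authenticator or os.urandom(16)   # Request Authenticator must be unpredictable
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, ra))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    return build_packet(CODE_ACCESS_REQUEST, identifier, ra, attrs)


def response_authenticator(code, identifier, request_authenticator, attributes, secret):
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def build_response(code, request_packet, attributes, secret):
    """What the server sends back (e.g. Access-Accept carrying authorization attributes)."""
    _, identifier, ra, _ = parse_packet(request_packet)
    return build_packet(code, identifier, response_authenticator(code, identifier, ra, attributes, secret), attributes)


def verify_response(response_packet, request_packet, secret):
    """Client-side check: identifier must match and the Response Authenticator must recompute with our secret."""
    code, ident, auth, _ = parse_packet(response_packet)
    _, req_ident, req_auth, _ = parse_packet(request_packet)
    if ident != req_ident:
        return False
    return hmac.compare_digest(auth, response_authenticator(code, ident, req_auth, response_packet[20:], secret))


if __name__ == "__main__":
    req = build_access_request(7, b"alice", b"s3cret!", "192.0.2.10", 3, SHARED_SECRET)
    accept = build_response(CODE_ACCESS_ACCEPT, req,
                            vendor_specific(EXAMPLE_VENDOR_ID, 1, b"shell:role=network-admin"), SHARED_SECRET)
    print("accept verified:", verify_response(accept, req, SHARED_SECRET))
```

The check in `verify_response` is the defensive point of the exchange: a response whose authenticator does not recompute with the NAS's shared key, or whose identifier does not match an outstanding request, is discarded rather than trusted as an Access-Accept.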
authentication and obtaining authorized rights, a user logs in to the device and performs operations. The HWTACACS server records the operations that each user performs.

Differences between HWTACACS and RADIUS

HWTACACS and RADIUS have many features in common, such as using a client/server model, using shared keys for data encryption, and providing flexibility and scalability.
Figure 6 Basic HWTACACS packet exchange process for a Telnet user (participants: Host, HWTACACS client, HWTACACS server)
1) The user tries to log in
2) Start-authentication packet
3) Authentication response requesting the username
4) Request for username
5) The user enters the username
6) Continue-authentication packet with the username
7) Authentication response requesting the password
8) Request for password...
10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password.
11. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication.
12.
• Uses the LDAP server administrator DN to bind with the LDAP server. After the binding is created, the client establishes a connection to the server and obtains the right to search.
• Constructs search conditions by using the username in the authentication information of a user. The specified root directory of the server is searched and a user DN list is generated.
The LDAP server processes the request, and sends a response to notify the LDAP client of the bind operation result. If the bind operation fails, the LDAP client uses another obtained user DN as the parameter to send a user DN bind request to the LDAP server. This process continues until a DN is bound successfully or all DNs fail to be bound.
The LDAP client sends an authorization search request with the username of the Telnet user to the LDAP server. If the user uses the same LDAP server for authentication and authorization, the client sends the request with the saved user DN of the Telnet user to the LDAP server. After receiving the request, the LDAP server searches for the user information by the base DN, search scope, filtering conditions, and LDAP attributes.
• No authentication—This method trusts all users and does not perform authentication. For security purposes, do not use this method.
• Local authentication—The NAS authenticates users by itself, based on the locally configured user information including the usernames, passwords, and attributes. Local authentication allows high speed and low cost, but the amount of information that can be stored is limited by the size of the storage space.
AAA for MPLS L3VPNs

You can deploy AAA across VPNs in an MPLS L3VPN scenario where clients in different VPNs are centrally authenticated. The deployment enables forwarding of RADIUS and HWTACACS packets across MPLS VPNs. For example, as shown in Figure 10, you can deploy AAA across the VPNs.
The RADIUS server feature supports the following operations:
• Manages RADIUS user data, which is generated from local user information and includes user name, password, description, authorization ACL, authorization VLAN, and expiration time.
• Allows you to add, modify, and delete RADIUS clients. A RADIUS client is identified by the IP address and includes attribute information such as the shared key.
Attribute / Description
Calling-Station-Id / User identification that the NAS sends to the server. For the LAN access service provided by an HPE device, this attribute includes the MAC address of the user.
NAS-Identifier / Identification that the NAS uses to identify itself to the RADIUS server.
Attribute / Description
NAS-Port-Type / Type of the physical port of the NAS that is authenticating the user. Possible values include:
• 15—Ethernet.
• 16—Any type of ADSL.
• 17—Cable. (With cable for cable TV.)
• 19—WLAN-IEEE 802.11.
• 201—VLAN.
• 202—ATM.
If the port is an ATM or Ethernet one and VLANs are implemented on it, the value of this attribute is 201.
Subattribute / Description
Connect_ID / Index of the user connection.
Ftp_Directory / FTP, SFTP, or SCP user working directory. When the RADIUS client acts as the FTP, SFTP, or SCP server, this attribute is used to set the working directory for an FTP, SFTP, or SCP user on the RADIUS client.
Subattribute / Description
Av-Pair / Vendor-specific attribute pair. Available attribute pairs include:
• Dynamically assigned WEP key in the format of leap:session-key=xxx.
• Server-assigned voice VLAN in the format of device-traffic-class=voice.
• Server-assigned user role in the format of shell:role=xxx.
• Server-assigned ACL in the format of url-redirect-acl=xxx.
• ...
AAA configuration considerations and task list

To configure AAA, complete the following tasks on the NAS:
Configure the required AAA schemes:
• Local authentication—Configure local users and the related attributes, including the usernames and passwords, for the users to be authenticated.
• Remote authentication—Configure the required RADIUS, HWTACACS, and LDAP ...
Tasks at a glance
(Optional.) Configuring the RADIUS attribute translation feature
(Optional.) Setting the maximum number of concurrent login users
(Optional.) Configuring a NAS-ID profile
(Optional.) Configuring the device ID
(Optional.) Configuring the RADIUS server feature

Configuring AAA schemes

This section includes information on configuring local users, RADIUS schemes, HWTACACS schemes, and LDAP schemes.
The attribute configured in user group view takes effect on all local users in the user group. The attribute configured in local user view takes effect only on the local user.
• Password control attributes—Password control attributes help control password security for device management users.
Step / Command / Remarks
(Optional.) Configure ...
  Command:
  • For a network access user: password { cipher | simple } string
  • For a device management user: ...
  Remarks: The default settings are as follows:
  • In non-FIPS mode, no password is configured for a local user. A local user can pass authentication after ...
Step / Command / Remarks
10. (Optional.) Configure password control ...
  Command:
  • Set the password aging time: password-control aging aging-time
  • Set the minimum password length: password-control length length
  • Configure the password composition policy: password-control composition type-number type-number [ type-length ...
  Remarks: By default, the local user uses the password control attributes of the user group to ...
Step / Command / Remarks
Specify the phone number of the local guest.
  Command: phone phone-number
  Remarks: By default, no phone number is specified for a local guest.
Specify the email address of the local guest.
  Command: email email-string
  Remarks: By default, no email address is specified for a local guest. The device sends email notifications ...
Step / Command / Remarks
(Optional.) Configure password control attributes ...
  Command:
  • Set the password aging time: password-control aging aging-time
  • Set the minimum password length: password-control length length
  • Configure the password composition policy: password-control composition type-number type-number [ type-length type-length ]...
  Remarks: By default, the user group uses the global password control ...
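The password control attributes that the local user and user group tables above configure (aging time, minimum length, and a composition policy of type-number character types with at least type-length characters each) and the precedence stated earlier (local user view overrides the user group, which overrides the global settings) are modelled in the following Python example. It is an added illustration, not the device's implementation: the default values, the four assumed character classes (uppercase, lowercase, digit, special), the `effective_policy` merge function and the sample passwords are all constructed for the example.

```python
from dataclasses import dataclass, asdict
from datetime import date
from typing import Dict, List, Optional


@dataclass
class PasswordControl:
    """One layer of password control attributes (global, user group, or local user)."""
    aging_days: int = 90      # password-control aging aging-time (assumed default for the example)
    min_length: int = 10      # password-control length length (assumed default)
    type_number: int = 1      # password-control composition type-number: character types required
    type_length: int = 1      # ... type-length: minimum characters of each required type

    @staticmethod
    def composition_counts(password: str) -> Dict[str, int]:
        # Assumed character classes; the page does not enumerate them.
        return {
            "uppercase": sum(c.isupper() for c in password),
            "lowercase": sum(c.islower() for c in password),
            "digit": sum(c.isdigit() for c in password),
            "special": sum(not c.isalnum() for c in password),
        }

    def check(self, password: str, last_changed: Optional[date] = None,
              today: Optional[date] = None) -> List[str]:
        """Return the list of violations; an empty list means the password complies."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"length: {len(password)} < minimum {self.min_length}")
        counts = self.composition_counts(password)
        satisfied = [t for t, n in counts.items() if n >= self.type_length]
        if len(satisfied) < self.type_number:
            problems.append(f"composition: {len(satisfied)} type(s) with at least "
                            f"{self.type_length} char(s), need {self.type_number}")
        if last_changed is not None:
            age = ((today or date.today()) - last_changed).days
            if age > self.aging_days:
                problems.append(f"aging: password is {age} days old, limit {self.aging_days}")
        return problems


def effective_policy(global_policy: PasswordControl,
                     group_overrides: Optional[Dict[str, int]] = None,
                     user_overrides: Optional[Dict[str, int]] = None) -> PasswordControl:
    """Merge global -> user group -> local user; each layer overrides only the keys it configures."""
    merged = asdict(global_policy)
    for layer in (group_overrides or {}, user_overrides or {}):
        for key, value in layer.items():
            if key not in merged:
                raise KeyError(f"unknown password control attribute: {key}")
            merged[key] = value
    return PasswordControl(**merged)


if __name__ == "__main__":
    # Constructed scenario: the group requires three character types, the user a longer minimum.
    policy = effective_policy(PasswordControl(), {"type_number": 3}, {"min_length": 12})
    for pw in ("Short1!", "longenoughpassword", "CorrectHorse9!x"):
        print(pw, policy.check(pw, last_changed=date(2024, 1, 1), today=date(2024, 2, 1)) or "ok")
```

Keeping unconfigured attributes out of the group and user dictionaries is what makes the inheritance behave as the tables describe: a layer that says nothing about aging simply inherits the value from the layer beneath it.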
Step / Command / Remarks
Specify an SMTP server for sending email notifications of local guests.
  Command: local-guest email smtp-server url-string
  Remarks: By default, no SMTP server is specified.
(Optional.) Import guest account information from a .csv file in the specified path to create local guests.
  Command: local-user-import class network guest url url-string validity-datetime start-date start-time to expiration-date expiration-time ...
Configuring RADIUS schemes

A RADIUS scheme specifies the RADIUS servers that the device can work with and defines a set of parameters. The device uses the parameters to exchange information with the RADIUS servers, including the server host names, IP addresses, UDP port numbers, shared keys, and server types.

Configuration task list

If the authentication server in a RADIUS scheme is provided by the RADIUS server feature on the device, the RADIUS scheme only includes the following settings:...
• If the device does not receive any response from the server within the interval, it sets the server to the blocked state.
The device refreshes the RADIUS server status at each detection interval according to the detection result.
The device stops detecting the status of the RADIUS server when one of the following operations is performed:
• ...
Step / Command / Remarks
Enter system view.
  Command: system-view
Enter RADIUS scheme view.
  Command: radius scheme radius-scheme-name
• Specify the primary RADIUS authentication server:
  Command: primary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | ...
  Remarks: By default, no authentication servers are specified. To support server status detection, specify an existing test profile for ...
Step / Command / Remarks
• Specify the primary RADIUS accounting server:
  Command: primary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ...
  Remarks: By default, no accounting servers are specified. Two accounting servers in a scheme, primary or secondary, cannot have the same combination of host ...
To specify a VPN instance for a scheme:
Step / Command / Remarks
Enter system view.
  Command: system-view
Enter RADIUS scheme view.
  Command: radius scheme radius-scheme-name
Specify a VPN instance for the RADIUS scheme.
  Command: vpn-instance vpn-instance-name
  Remarks: By default, a RADIUS scheme belongs to the public network.
Step / Command / Remarks
Enter system view.
  Command: system-view
Enter RADIUS scheme view.
  Command: radius scheme radius-scheme-name
Set the maximum number of RADIUS request transmission attempts.
  Command: retry retries
  Remarks: The default setting is 3.

Setting the status of RADIUS servers

To control the RADIUS servers with which the device communicates when the current servers are no longer available, set the status of RADIUS servers to blocked or active.
number of currently served users for each active server, and then determines the most appropriate server in performance to receive an AAA request. In RADIUS server load sharing, once the device sends a start-accounting request to a server for a user, it forwards all subsequent accounting requests of the user to the same server.
Step / Command / Remarks
Enter RADIUS scheme view.
  Command: radius scheme radius-scheme-name
Enable the RADIUS server load sharing feature.
  Command: server-load-sharing enable
  Remarks: By default, this feature is disabled.

Specifying the source IP address for outgoing RADIUS packets

The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS configured on the RADIUS server.
Step / Command / Remarks
Specify a source IP address for outgoing RADIUS packets.
  Command: nas-ip { ipv4-address | ipv6 ipv6-address }
  Remarks: By default, the source IP address specified by using the radius nas-ip command in system view is used. If the source IP address is not ...
Configuring the RADIUS accounting-on feature

When the accounting-on feature is enabled, the device automatically sends an accounting-on packet to the RADIUS server after the entire device reboots. Upon receiving the accounting-on packet, the RADIUS server logs out all online users so they can log in again through the device. Without this feature, users cannot log in again after the reboot, because the RADIUS server still considers them to be online.
An Access-Accept packet received for a user must contain the matching attribute value. Otherwise, the user cannot log in to the device. Use the loose check method only when the server does not issue Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal users.
To configure the Login-Service attribute check method for SSH, FTP, and terminal users:
Step / Command ...
Enabling SNMP notifications for RADIUS

When SNMP notifications are enabled for RADIUS, the SNMP agent supports the following notifications generated by RADIUS:
• RADIUS server unreachable notification—The RADIUS server cannot be reached. RADIUS generates this notification if it does not receive a response to an accounting or authentication request within the specified number of RADIUS request transmission attempts.
Tasks at a glance
(Optional.) Specifying the HWTACACS accounting servers
(Required.) Specifying the shared keys for secure HWTACACS communication
(Optional.) Specifying an MPLS L3VPN instance for the scheme
(Optional.) Setting the username format and traffic statistics units
(Optional.) Specifying the source IP address for outgoing HWTACACS packets
(Optional.) Setting HWTACACS timers

Creating an HWTACACS scheme...
Specifying the HWTACACS authorization servers

You can specify one primary authorization server and a maximum of 16 secondary authorization servers for an HWTACACS scheme. When the primary server is not available, the device searches for the secondary servers in the order they are configured. The first secondary server in active state is used for communication.
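The server-selection rules spread across the RADIUS and HWTACACS sections (primary first, then secondaries in configured order; a server that does not answer within the configured number of transmission attempts is set to blocked and the next one is tried; with load sharing the device picks among active servers by weight and current user count; and once a start-accounting request has gone to a server, the user's later accounting requests follow it) are brought together in the following Python model. This is an added example, not the device's code: the `Server` and `Scheme` classes, the "served users per unit of weight" load-sharing metric, the fallback when a user's accounting server becomes blocked, and the constructed `transport` callback that decides which servers answer are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Server:
    name: str
    weight: int = 1          # load-sharing weight (assumed per-server setting)
    state: str = "active"    # "active" or "blocked"
    users: int = 0           # number of currently served users


class Scheme:
    """Failover / load-sharing selection over one primary and ordered secondary servers."""

    def __init__(self, primary: Server, secondaries: List[Server],
                 retries: int = 3, load_sharing: bool = False):
        self.servers = [primary] + list(secondaries)   # primary first, then configured order
        self.retries = retries                         # "retry retries"; the page's default is 3
        self.load_sharing = load_sharing               # "server-load-sharing enable"
        self.accounting_server: Dict[str, str] = {}    # session id -> server holding its accounting

    def select(self, session_id: Optional[str] = None, accounting: bool = False) -> Optional[Server]:
        active = [s for s in self.servers if s.state == "active"]
        if not active:
            return None
        if accounting and session_id in self.accounting_server:
            # Sticky accounting: stay on the server that received the start-accounting
            # request while it is active (falling back to a fresh choice is an assumption).
            bound = next((s for s in active if s.name == self.accounting_server[session_id]), None)
            if bound is not None:
                return bound
        if self.load_sharing:
            # Assumed metric: fewest served users per unit of weight; configured order breaks ties.
            chosen = min(active, key=lambda s: (s.users / s.weight, self.servers.index(s)))
        else:
            chosen = active[0]   # first active server in primary/secondary order
        if accounting and session_id is not None:
            self.accounting_server[session_id] = chosen.name
        return chosen

    def send(self, transport: Callable[[str, int], bool],
             session_id: Optional[str] = None, accounting: bool = False) -> Optional[str]:
        """Transmit up to `retries` times to the selected server; if it never answers, mark it
        blocked and move on. Returns the name of the server that answered, or None."""
        tried = set()
        while True:
            server = self.select(session_id, accounting)
            if server is None or server.name in tried:
                return None
            tried.add(server.name)
            for attempt in range(1, self.retries + 1):
                if transport(server.name, attempt):
                    return server.name
            server.state = "blocked"   # no response within the allowed attempts


if __name__ == "__main__":
    # Constructed scenario: the primary server is silent, the first secondary answers.
    scheme = Scheme(Server("primary"), [Server("secondary-1"), Server("secondary-2")])
    answered = scheme.send(lambda name, attempt: name != "primary")
    print("answered by:", answered, "| states:", [(s.name, s.state) for s in scheme.servers])
```

The model makes one operational consequence visible: after the primary is blocked, every later request, including accounting, lands on the first secondary, and nothing in the selection logic itself moves traffic back to the primary. On the device that is the job of the server status detection described earlier (or of setting the status back to active by hand).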
Step / Command / Remarks
Enter system view.
  Command: system-view
Enter HWTACACS scheme view.
  Command: hwtacacs scheme hwtacacs-scheme-name
• Specify the primary HWTACACS accounting server:
  Command: primary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | ...
  Remarks: By default, no accounting servers are specified.
Step / Command / Remarks
Specify a shared key for secure HWTACACS authentication, authorization, or accounting communication.
  Command: key { accounting | authentication | authorization } { cipher | simple } string
  Remarks: By default, no shared key is specified for secure HWTACACS communication. The shared key configured on the device must be the same as the ...
Specifying the source IP address for outgoing HWTACACS packets

The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. When the HWTACACS server receives a packet, it checks whether the source IP address of the packet is the IP address of a managed NAS.
response from the server within the timer, it sets the server to blocked. Then, the device sends the request to another HWTACACS server.
• Real-time accounting timer (realtime-accounting)—Defines the interval at which the device sends real-time accounting packets to the HWTACACS accounting server for online users.
• ...
Step / Command / Remarks
Set the real-time accounting interval.
  Command: timer realtime-accounting minutes
  Remarks: By default, the real-time accounting interval is 12 minutes. A short interval helps improve accounting precision but requires many system resources. When there are 1000 or more users, set a longer interval.
Creating an LDAP server

Step / Command / Remarks
Enter system view.
  Command: system-view
Create an LDAP server and enter LDAP server view.
  Command: ldap server server-name
  Remarks: By default, no LDAP servers exist.

Configuring the IP address of the LDAP server

Step / Command / Remarks
Enter system view.
Step / Command / Remarks
Enter system view.
  Command: system-view
Enter LDAP server view.
  Command: ldap server server-name
Specify the administrator DN.
  Command: login-dn dn-string
  Remarks: By default, no administrator DN is specified. The administrator DN specified on the device must be the same as the administrator DN configured on the LDAP server.
Step / Command / Remarks
(Optional.) Specify the user object class.
  Command: user-parameters user-object-class object-class-name
  Remarks: By default, no user object class is specified, and the default user object class on the LDAP server is used. The default user object class for this command varies by server model.
Specifying the LDAP authorization server
Step: Enter system view.
Command: system-view

Step: Enter LDAP scheme view.
Command: ldap scheme ldap-scheme-name

Step: Specify the LDAP authorization server.
Command: authorization-server server-name
Remarks: By default, no LDAP authorization server is specified.

Specifying an LDAP attribute map for LDAP authorization
Specify an LDAP attribute map for LDAP authorization to convert LDAP attributes obtained from the LDAP authorization server to device-recognizable AAA attributes.
Creating an ISP domain
In a networking scenario with multiple ISPs, the device can connect to users of different ISPs. These users can have different user attributes, such as different username and password structures, different service types, and different rights. To manage users of different ISPs, configure AAA methods and domain attributes for each ISP domain as needed.
• Authorization attributes—The device assigns the authorization attributes in the ISP domain to the authenticated users who do not receive these attributes from the server. However, if the idle cut attribute is configured in the ISP domain, the device assigns the attribute to the authenticated users.
Step: Configure authorization...
Command: authorization-attribute { acl acl-number | car inbound cir committed-information-rate [ pir peak-information-rate ] outbound cir committed-information-rate [ pir peak-information-rate ] | idle-cut minutes [ flow ] [ traffic ...
Remarks: The default settings are as follows:
• The idle cut feature is disabled.
• An IPv4 user can concurrently join a maximum ...
Configuration procedure
To configure authorization methods for an ISP domain:
Step: Enter system view.
Command: system-view

Step: Enter ISP domain view.
Command: domain isp-name

Step: Specify default authorization methods for ...
Command: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | ...
Remarks: By default, the authorization method is local. The none keyword is not ...
• Local accounting counts and controls the number of concurrent users who use the same local user account. The threshold is configured by using the access-limit command.
Configuration procedure
To configure accounting methods for an ISP domain:
Step: Enter system view.
Configuring the RADIUS session-control feature
The RADIUS session-control feature can only work with the RADIUS server running on IMC. Enable this feature for the RADIUS server to dynamically change the user authorization information or forcibly disconnect users by using session-control packets. This task enables the device to receive RADIUS session-control packets on UDP port 1812.
• Change of Authorization Messages (CoA Messages)—The DAC sends CoA requests to the DAS to change the authorization information of specific online users.
To configure the RADIUS DAS feature:
Step: Enter system view.
Command: system-view

Step: Enable the RADIUS DAS feature and enter RADIUS ...
Command: radius dynamic-author server ...
Remarks: By default, the RADIUS DAS feature ...
To identify proprietary RADIUS attributes, you can define the attributes as extended RADIUS attributes, and then convert the extended RADIUS attributes to device-supported attributes.
To configure the RADIUS attribute translation feature for a RADIUS scheme:
Step: Enter system view.
Command: system-view

Step: ...
Command: radius attribute extended ...
Remarks: By default, no user-defined ...
Setting the maximum number of concurrent login users
Perform this task to set the maximum number of concurrent users who can log on to the device through a specific protocol, regardless of their authentication methods. The authentication methods include no authentication, local authentication, and remote authentication.
To set the maximum number of concurrent login users:
Step Command...
Step: Enter system view.
Command: system-view

Step: Configure the device ID.
Command: aaa device-id device-id
Remarks: By default, the device ID is 0.

Configuring the RADIUS server feature
Restrictions and guidelines
When you configure the RADIUS server feature, follow these restrictions and guidelines:
• ...
Step: Specify a RADIUS client.
Command: radius-server client ip ipv4-address key { cipher | simple } string
Remarks: By default, no RADIUS clients are specified.

Activating the RADIUS server configuration
At the device startup, the RADIUS server configuration is automatically activated, including RADIUS users and RADIUS clients.
• Use expert as the shared keys for secure HWTACACS communication.
Figure 13 Network diagram (labels: HWTACACS server 10.1.1.1/24; Vlan-int3 10.1.1.2/24; Vlan-int2 192.168.1.70/24; Internet; SSH user; Switch)
Configuration procedure
Configure the HWTACACS server:
# Set the shared keys to expert for secure communication with the switch. (Details not shown.)
# Add an account for the SSH user and specify the password.
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Switch] line vty 0 63
[Switch-line-vty0-63] authentication-mode scheme
[Switch-line-vty0-63] quit
# Enable the default user role feature to assign authenticated SSH users the default user role network-operator.
[Switch] role default-role enable
Verifying the configuration
# Initiate an SSH connection to the switch, and enter the correct username and password.
[Switch] public-key local create dsa
# Enable the SSH service.
[Switch] ssh server enable
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Switch] line vty 0 63
[Switch-line-vty0-63] authentication-mode scheme
[Switch-line-vty0-63] quit
# Configure an HWTACACS scheme.
[Switch] hwtacacs scheme hwtac
[Switch-hwtacacs-hwtac] primary authorization 10.1.1.2 49
[Switch-hwtacacs-hwtac] key authorization simple expert
...
Authentication and authorization for SSH users by a RADIUS server
Network requirements
As shown in Figure 15, configure the switch to meet the following requirements:
• Use the RADIUS server for SSH user authentication and authorization.
• Include domain names in the usernames sent to the RADIUS server.
• ...
Figure 16 Adding the switch as an access device
# Add an account for device management:
Click the User tab, and select Access User View > Device Mgmt User from the navigation tree. Then, click Add to configure a device management account as follows:
a. ...
Figure 17 Adding an account for device management
Configure the switch:
# Configure IP addresses for interfaces. (Details not shown.)
# Create local RSA and DSA key pairs.
<Switch> system-view
[Switch] public-key local create rsa
[Switch] public-key local create dsa
# Enable the SSH service.
# Create an ISP domain named bbb and configure authentication, authorization, and accounting methods for login users.
[Switch] domain bbb
[Switch-isp-bbb] authentication login radius-scheme rad
[Switch-isp-bbb] authorization login radius-scheme rad
[Switch-isp-bbb] accounting login none
[Switch-isp-bbb] quit
Verifying the configuration
# Initiate an SSH connection to the switch, and enter username hello@bbb and the correct password.
e. Enter logon name aaa and click Next.
Figure 19 Adding user aaa
In the dialog box, enter password ldap!123456, select options as needed, and click Next.
Figure 20 Setting the user's password
Click OK.
# Add user aaa to group Users:
h. ...
Figure 21 Modifying user properties
d. In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK. User aaa is added to group Users.
Figure 22 Adding user aaa to group Users
# Set the administrator password to admin!123456:
a. ...
# Create local RSA and DSA key pairs.
<Switch> system-view
[Switch] public-key local create rsa
[Switch] public-key local create dsa
# Enable the SSH service.
[Switch] ssh server enable
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Switch] line vty 0 63
[Switch-line-vty0-63] authentication-mode scheme
[Switch-line-vty0-63] quit
...
• Use MAC-based access control on GigabitEthernet 1/0/1 to authenticate all 802.1X users on the port separately.
• Include domain names in the usernames sent to the RADIUS server.
On the RADIUS server, perform the following tasks:
• Add a service that assigns authenticated users to VLAN 4.
• ...
Figure 24 Adding the switch as an access device
# Add a service:
Click the Service tab, and select User Access Manager > Service Configuration from the navigation tree. Then, click Add to configure a service as follows:
a. Add a service named Dot1x auth, and set the service suffix to bbb, the authentication domain for the 802.1X user.
# Add a user:
Click the User tab, and select Access User View > All Access Users from the navigation tree to enter the All Access Users page. Then, click Add to configure a user as follows:
a. Select the user or add a user named hello.
b. ...
[Switch-isp-bbb] quit
c. Configure 802.1X authentication:
# Enable 802.1X globally.
[Switch] dot1x
# Enable 802.1X for GigabitEthernet 1/0/1.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] dot1x
# Configure the access control method. By default, an 802.1X-enabled port uses MAC-based access control.
[Switch-GigabitEthernet1/0/1] dot1x port-method macbased
Verifying the configuration
On the host, use account dot1x@bbb to pass 802.1X authentication:
...
Figure 27 Network diagram (labels: Internet; Guest; Switch)
Configuration procedure
Configure 802.1X settings. Make sure the guest can pass 802.1X authentication to access the network. (Details not shown.)
Manage local guests:
# Enable the local user auto-delete feature for expired local guests.
<Switch> ...
[Switch-luser-network(guest)-user1] validity-datetime from 2015/4/1 08:00:00 to 2015/4/3 18:00:00
# Specify the guest sponsor name as Sam.
[Switch-luser-network(guest)-user1] sponsor-full-name Sam
# Configure the email address of the guest sponsor.
[Switch-luser-network(guest)-user1] sponsor-email Sam@aa.com
# Configure the department of the guest sponsor as security.
[Switch-luser-network(guest)-user1] sponsor-department security
[Switch-luser-network(guest)-user1] quit
[Switch] quit
...
• The shared key is expert and the authentication port is 1812.
• Exclude domain names from the usernames sent to the RADIUS server.
• The username for 802.1X authentication is dot1x.
• After the user passes authentication, the RADIUS server authorizes VLAN 4 to the NAS port that the user is connecting to.
# Enable 802.1X globally.
[SwitchA] dot1x
Configure the RADIUS server:
# Create a network access user named dot1x.
<SwitchB> system-view
[SwitchB] local-user dot1x class network
# Configure the password as 123456 in plaintext form.
[SwitchB-luser-network-dot1x] password simple 123456
# Configure VLAN 4 as the authorization VLAN.
[SwitchB-luser-network-dot1x] authorization-attribute vlan 4
[SwitchB-luser-network-dot1x] quit
# Configure the IP address of the RADIUS client as 10.1.1.2 and the shared key as expert in ...
Troubleshooting RADIUS
RADIUS authentication failure
Symptom
User authentication always fails.
Analysis
Possible reasons include:
• A communication failure exists between the NAS and the RADIUS server.
• The username is not in the userid@isp-name format, or the ISP domain is not correctly configured on the NAS.
The authentication and accounting UDP port numbers configured on the NAS are the same as those of the RADIUS server.
The RADIUS server's authentication and accounting port numbers are available.
If the problem persists, contact Hewlett Packard Enterprise Support.
RADIUS accounting error
Symptom
A user is authenticated and authorized, but accounting for the user is not normal.
Solution
To resolve the problem:
Verify the following items:
The NAS and the LDAP server can ping each other.
The IP address and port number of the LDAP server configured on the NAS match those of the server.
The username is in the correct format and the ISP domain for the user authentication is ...
802.1X overview
802.1X is a port-based network access control protocol initially proposed for securing WLANs. The protocol has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
Figure 30 Authorization state of a controlled port (labels: Authenticator system 1; Authenticator system 2; Controlled port; Uncontrolled port; Port authorized; Port unauthorized)
802.1X-related protocols
802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the access device, and the authentication server.
• Data—Content of the EAP packet. This field appears only in a Request or Response EAP packet. The Data field contains the request type (or the response type) and the type data. Type 1 (Identity) and type 4 (MD5-Challenge) are two examples of the type field.
EAPOL packet format
Figure 32 shows the EAPOL packet format.
Figure 33 EAP-Message attribute format (fields: Type=79, Length, Value: EAP packets)
Message-Authenticator
As shown in Figure 34, RADIUS includes the Message-Authenticator attribute in all packets that have an EAP-Message attribute to check their integrity. The packet receiver drops the packet if the calculated packet integrity checksum is different from the Message-Authenticator attribute value.
802.1X authentication procedures
802.1X authentication has two methods: EAP relay and EAP termination. You choose either mode depending on support of the RADIUS server for EAP packets and EAP authentication methods.
• EAP relay mode. EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAPOR packets to send authentication information to the RADIUS server, as shown in Figure 35.
Figure 35 EAP relay ...
Packet exchange method: EAP termination
Benefits: Works with any RADIUS server that supports PAP or CHAP authentication.
Limitations:
• Supports only the following EAP authentication methods: MD5-Challenge EAP authentication, and the username and password EAP authentication initiated by an iNode 802.1X client.
• ...
In response to the EAP-Request/Identity packet, the client sends the username in an EAP-Response/Identity packet to the access device. The access device relays the EAP-Response/Identity packet in a RADIUS Access-Request packet to the authentication server. The authentication server uses the identity information in the RADIUS Access-Request to search its user database.
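The EAP packet layout, the EAP-Message and Message-Authenticator attributes, and the relay of the EAP-Response/Identity inside a RADIUS Access-Request described above, worked through in Python as an added example that is not from this guide: the access-device side builds the request, and the server side recomputes the HMAC-MD5 Message-Authenticator (RFC 2869 and RFC 3579) and drops packets that fail the check. The shared key expert, the identifier values and the username hello@bbb are constructed samples, and the check covers Access-Request packets only.

```python
"""Added example (not from the HPE guide): encode an EAP-Response/Identity packet,
relay it in a RADIUS Access-Request as EAP-Message attributes (EAP relay mode), and
compute/verify the Message-Authenticator with HMAC-MD5 keyed by the shared key."""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST = 1              # RADIUS Code for Access-Request
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79           # value carries EAP packets (Figure 33)
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1           # type 4 would be MD5-Challenge
MAX_ATTR_VALUE = 253            # one-octet Length field that counts the 2-byte header


def eap_response_identity(identifier: int, identity: str) -> bytes:
    """EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    type_data = identity.encode()
    header = struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(type_data), EAP_TYPE_IDENTITY)
    return header + type_data


def parse_eap(packet: bytes) -> Dict[str, object]:
    """Parse the EAP header; Request/Response packets also carry Type and type data."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length field does not match the packet size")
    parsed: Dict[str, object] = {"code": code, "identifier": identifier, "length": length}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response packet lacks the Type field")
        parsed["type"] = packet[4]
        parsed["type_data"] = packet[5:]
    return parsed


def avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type(1) Length(1) Value, Length counting the header."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(secret: bytes, identifier: int, username: str, eap: bytes,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Access-device side: relay an EAP packet. The Message-Authenticator is
    HMAC-MD5(shared key, whole packet with the attribute value set to 16 zero bytes)."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    attrs = avp(ATTR_USER_NAME, username.encode())
    for i in range(0, len(eap), MAX_ATTR_VALUE):          # long EAP packets are split
        attrs += avp(ATTR_EAP_MESSAGE, eap[i:i + MAX_ATTR_VALUE])
    attrs += avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zero placeholder, last attribute
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac                             # overwrite the placeholder


def parse_attributes(packet: bytes) -> List[Tuple[int, int, bytes]]:
    """Return (type, offset, value) for every attribute after the 20-byte header."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("RADIUS Length field does not match the packet size")
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, pos, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def extract_eap(packet: bytes) -> bytes:
    """Reassemble the EAP packet from the EAP-Message attributes, in order."""
    return b"".join(v for t, _, v in parse_attributes(packet) if t == ATTR_EAP_MESSAGE)


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server-side check for an Access-Request: a malformed packet, a packet with
    no (or more than one) Message-Authenticator, or an HMAC mismatch is dropped."""
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return False
    macs = [(pos, v) for t, pos, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0][1]) != 16:
        return False
    pos, received = macs[0]
    zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]   # attribute value zeroed
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)
```

Calling build_access_request(b"expert", 5, "hello@bbb", eap_response_identity(1, "hello@bbb")) and then verify_message_authenticator with the same key returns True; with a different key, or after any byte of the packet is altered, it returns False.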
Configuring 802.1X
This chapter describes how to configure 802.1X on an HPE device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network (a WLAN, for example) that requires different authentication methods for different users on a port.
VLAN ID with suffix. The suffix can be t or u, which indicates whether the ports assigned to the VLAN are tagged members or not. For example, 2u indicates that the ports assigned to VLAN 2 are untagged members.
NOTE: The access device converts VLAN names and VLAN group names into VLAN IDs before VLAN assignment.
Table 7 VLAN manipulation
Port access control method: Port-based
VLAN manipulation: The device assigns the port to the first authenticated user's authorization VLAN. All subsequent 802.1X users can access the VLAN without authentication. If the port is assigned to the authorization VLAN as an untagged member, the authorization VLAN becomes the PVID.
The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control method.
• On a port that performs port-based access control:
Authentication status: A user accesses the ...
VLAN manipulation: The device assigns the 802.1X guest VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the guest VLAN.
Auth-Fail VLAN
The 802.1X Auth-Fail VLAN on a port accommodates users that have failed 802.1X authentication because of the failure to comply with the organization security strategy. For example, the VLAN accommodates users who entered wrong passwords. Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to download antivirus software and system patches.
Critical VLAN
The 802.1X critical VLAN on a port accommodates 802.1X users that have failed authentication because none of the RADIUS servers in their ISP domain are reachable. Users in the critical VLAN can access a limited set of network resources depending on the configuration. The critical VLAN feature takes effect when 802.1X authentication is performed only through RADIUS servers.
Authentication status: A user accesses the port and fails 802.1X authentication because all the RADIUS servers are unreachable.
VLAN manipulation: The device maps the MAC address of the user to the 802.1X critical VLAN. The user can access only resources in the 802.1X critical VLAN.

Authentication status: A user in the 802.1X critical VLAN fails authentication because all the RADIUS ...
VLAN manipulation: The user is still in the critical VLAN.
• If port-based access control is used, the device removes the port from the critical voice VLAN. The port sends a multicast EAP-Request/Identity packet to all 802.1X voice users on the port to trigger authentication.
• If MAC-based access control is used, the device removes 802.1X voice users from the critical voice VLAN.
Authorization VSI
An authorization VSI is associated with a VXLAN that has network resources inaccessible to unauthenticated users. 802.1X supports remote VSI authorization. When a user passes remote 802.1X authentication, the remote server assigns the authorization VSI information of the user to the user's access port. Upon receiving the authorization VSI information, the VTEP performs the following operations:
Dynamically creates an AC based on the user's access port, VLAN, and MAC address.
Authentication status: A user accesses the port and fails 802.1X authentication.
VSI manipulation: The VTEP maps the user's MAC address and access VLAN to the 802.1X Auth-Fail VSI on the port. The user can access only resources in the VXLAN associated with the Auth-Fail VSI.
After receiving an ACL from the server, the device will check the following parameters defined in the ACL rules:
• Source MAC address.
• Source IP address.
• Destination IP address.
• Protocol type.
• Ethernet type.
• Source port.
• ...
Redirect URL assignment
The device supports the URL attribute assigned by a RADIUS server when the 802.1X-enabled port performs MAC-based access control and the port authorization state is auto. During authentication, the HTTP or HTTPS requests of an 802.1X user are redirected to the Web interface specified by the server-assigned URL attribute.
• If local authentication is used, create local user accounts on the access device and set the service type to lan-access.
802.1X configuration task list
Tasks at a glance
(Required.) Enabling 802.1X
(Required.) Enabling EAP relay or EAP termination
(Optional.) Setting the port authorization state
(Optional.) Specifying an access control method
...
• If the PVID is a voice VLAN, the 802.1X feature cannot take effect on the port. For more information about voice VLANs, see Layer 2—LAN Switching Configuration Guide.
• Do not enable 802.1X on a port that is in a link aggregation or service loopback group.
To enable 802.1X:
Step Command...
Setting the port authorization state
The port authorization state determines whether the client is granted access to the network. You can control the authorization state of a port by using the dot1x port-control command and the following keywords:
• authorized-force—Places the port in the authorized state, enabling users on the port to access the network without authentication.
Step: Enter Ethernet interface view.
Command: interface interface-type interface-number

Step: Set the maximum number of concurrent 802.1X users on a port.
Command: dot1x max-user max-number
Remarks: The default setting is 4294967295.

Setting the maximum number of authentication request attempts
The access device retransmits an authentication request if it does not receive any responses to the request from the client within a period of time.
Configuring online user handshake
The online user handshake feature checks the connectivity status of online 802.1X users. The access device sends handshake requests (EAP-Request/Identity) to online users at the interval specified by the dot1x timer handshake-period command. If the device does not receive any EAP-Response/Identity packets from an online user after it has made the maximum handshake attempts, the device sets the user to offline state.
Configuring the authentication trigger feature
The authentication trigger feature enables the access device to initiate 802.1X authentication when 802.1X clients cannot initiate authentication. This feature provides the multicast trigger and unicast trigger (see 802.1X authentication initiation in "802.1X overview").
Configuration restrictions and guidelines
When you configure the authentication trigger feature, follow these restrictions and guidelines:
• ...
Setting the quiet timer
The quiet timer enables the access device to wait a period of time before it can process any authentication request from a client that has failed an 802.1X authentication. You can edit the quiet timer, depending on the network conditions.
• ...
• You can set the periodic reauthentication timer either in system view or in interface view by using the dot1x timer reauth-period command. A change to the periodic reauthentication timer applies to online users only after the old timer expires.
The device selects a periodic reauthentication timer for 802.1X reauthentication in the following order:
a. ...
Step: Enable the keep-online feature for 802.1X users.
Command: dot1x re-authenticate server-unreachable keep-online
Remarks: By default, this feature is disabled. The device logs off online 802.1X users if no authentication server is reachable for 802.1X reauthentication, either manually or periodically. Use the keep-online feature according to the actual network condition.
• If the 802.1X-enabled port performs MAC-based access control, perform the following operations for the port:
Configure the port as a hybrid port.
Enable MAC-based VLAN on the port. For more information about MAC-based VLANs, see Layer 2—LAN Switching Configuration Guide.
Assign the port to the 802.1X guest VLAN as an untagged member.
Configuring an 802.1X Auth-Fail VLAN
Configuration restrictions and guidelines
When you configure an 802.1X Auth-Fail VLAN, follow these restrictions and guidelines:
• Assign different IDs to the voice VLAN, the port VLAN, and the 802.1X Auth-Fail VLAN on a port. The assignment makes sure the port can correctly process VLAN-tagged incoming traffic.
Configuring an 802.1X critical VLAN
Typically, when a client user is assigned to the 802.1X critical VLAN on a port, the device sends an EAP-Failure packet to the client. Some 802.1X clients, such as Windows built-in 802.1X clients, cannot respond to the EAP-Request/Identity packets of the device if they have received an EAP-Failure packet.
Enabling the 802.1X critical voice VLAN
Configuration restrictions and guidelines
The feature does not take effect if the voice user has been in the 802.1X Auth-Fail VLAN.
Configuration prerequisites
Before you enable the 802.1X critical voice VLAN on a port, complete the following tasks:
• ...
Configuration procedure
To configure the 802.1X guest VSI on a port:
Step: Enter system view.
Command: system-view

Step: Enter interface view.
Command: interface interface-type interface-number

Step: Configure the 802.1X guest VSI on the port.
Command: dot1x guest-vsi guest-vsi-name
Remarks: By default, no 802.1X guest VSI exists.
Configuring an 802.1X Auth-Fail VSI
Configuration restrictions and guidelines
You can configure only one 802.1X Auth-Fail VSI on a port. The 802.1X Auth-Fail VSIs on different ports can be different. Only ports that perform MAC-based access control support the 802.1X Auth-Fail VSI.
Configuration prerequisites
Before you configure the 802.1X Auth-Fail VSI on an 802.1X-enabled port, complete the following tasks:
...
Configuration procedure
To configure the 802.1X critical VSI on a port:
Step: Enter system view.
Command: system-view

Step: Enter interface view.
Command: interface interface-type interface-number

Step: Configure the 802.1X critical VSI on the port.
Command: dot1x critical vsi critical-vsi-name
Remarks: By default, no 802.1X critical VSI exists.
To enable 802.1X user IP freezing:
Step: Enter system view.
Command: system-view

Step: Enter Layer 2 Ethernet interface view.
Command: interface interface-type interface-number

Step: Enable 802.1X user IP freezing.
Command: dot1x user-ip freeze
Remarks: By default, 802.1X user IP freezing is disabled.

Sending 802.1X protocol packets out of a port without VLAN tags
This feature enables the device to send 802.1X protocol packets out of an 802.1X-enabled port without VLAN tags.
Step: Enter system view.
Command: system-view

Step: Enter Layer 2 Ethernet interface view.
Command: interface interface-type interface-number

Step: Set the maximum number of 802.1X authentication attempts for MAC authenticated users on a port.
Command: dot1x after-mac-auth max-attempt max-attempts
Remarks: By default, the number of 802.1X authentication attempts for MAC authenticated users is not limited on a port.
Step: (Optional.) Manually add an 802.1X MAC address binding entry.
Command: dot1x mac-binding mac-address
Remarks: By default, no 802.1X MAC address binding entries exist on a port.

Configuring the EAD assistant feature
When you configure the EAD assistant feature, follow these restrictions and guidelines:
• ...
Enabling logging for 802.1X users
Overview
This feature enables the device to generate logs for 802.1X users and send the logs to the information center. For the logs to be output correctly, you must also configure the information center on the device. For more information about information center configuration, see the network management and monitoring configuration guide for the device.
802.1X authentication configuration examples
Basic 802.1X authentication configuration example
Network requirements
As shown in Figure 40, the access device performs 802.1X authentication for users that connect to GigabitEthernet 1/0/1. Implement MAC-based access control on the port, so the logoff of one user does not affect other online 802.1X users.
Configure a RADIUS scheme:
# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.
[Device] radius scheme radius1
# Specify the IP addresses of the primary authentication and accounting RADIUS servers.
[Device-radius-radius1] primary authentication 10.1.1.1
[Device-radius-radius1] primary accounting 10.1.1.1
# Configure the IP addresses of the secondary authentication and accounting RADIUS servers.
802.1X guest VLAN and authorization VLAN configuration example
Network requirements
As shown in Figure 41, use RADIUS servers to perform authentication, authorization, and accounting for 802.1X users that connect to GigabitEthernet 1/0/2. Implement port-based access control on the port. Configure VLAN 10 as the 802.1X guest VLAN on GigabitEthernet 1/0/2. The host and the update server are both in VLAN 10, and the host can access the update server and download the 802.1X client software.
[Device-vlan10] port gigabitethernet 1/0/1
[Device-vlan10] quit
[Device] vlan 2
[Device-vlan2] port gigabitethernet 1/0/4
[Device-vlan2] quit
[Device] vlan 5
[Device-vlan5] port gigabitethernet 1/0/3
[Device-vlan5] quit
Configure a RADIUS scheme on the access device:
# Create RADIUS scheme 2000 and enter RADIUS scheme view.
[Device] radius scheme 2000
# Specify the server at 10.11.1.1 as the primary authentication server, and set the authentication port to 1812.
Verifying the configuration
# Verify the 802.1X guest VLAN configuration on GigabitEthernet 1/0/2.
[Device] display dot1x interface gigabitethernet 1/0/2
# Verify that GigabitEthernet 1/0/2 is assigned to VLAN 10 before any user passes authentication on the port.
[Device] display vlan 10
# After a user passes authentication, display information on GigabitEthernet 1/0/2.
# Specify the server at 10.1.1.2 as the primary accounting server, and set the accounting port to 1813.
[Device-radius-2000] primary accounting 10.1.1.2 1813
# Set the shared key to abc in plain text for secure communication between the authentication server and the device.
[Device-radius-2000] key authentication simple abc
# Set the shared key to abc in plain text for secure communication between the accounting server and the device.
Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
The output shows that ACL 3000 is active on the user, and the user cannot access the FTP server.
802.1X guest VSI and authorization VSI configuration example
Network requirements
As shown in ...
Create VSIs and the corresponding VXLANs.
[Device] vsi vpn10
[Device-vsi-vpn10] vxlan 10
[Device-vsi-vpn10-vxlan-10] quit
[Device-vsi-vpn10] quit
[Device] vsi vpn5
[Device-vsi-vpn5] vxlan 5
[Device-vsi-vpn5-vxlan-5] quit
[Device-vsi-vpn5] quit
Configure a RADIUS scheme on the access device:
# Create RADIUS scheme 2000 and enter RADIUS scheme view.
[Device] radius scheme 2000
# Specify the server at 10.11.1.1 as the primary authentication server, and set the authentication port to 1812.
# Enable 802.1X globally.
[Device] dot1x
Verifying the configuration
# Verify that GigabitEthernet 1/0/2 is assigned to VSI vpn10 before any user passes authentication on the port.
[Device] display l2vpn forwarding ac verbose
# Verify that GigabitEthernet 1/0/2 is assigned to VSI vpn5 after a user passes authentication on the port.
Configure an IP address for each interface. (Details not shown.)
Configure DHCP relay:
# Enable DHCP.
<Device> system-view
[Device] dhcp enable
# Enable the DHCP relay agent on VLAN-interface 2.
[Device] interface vlan-interface 2
[Device-Vlan-interface2] dhcp select relay
# Specify the DHCP server 192.168.2.2 on the relay agent interface VLAN-interface 2.
[Device-Vlan-interface2] dhcp relay server-address 192.168.2.2
[Device-Vlan-interface2] quit
Configure a RADIUS scheme:
[Device-GigabitEthernet1/0/1] dot1x
[Device-GigabitEthernet1/0/1] quit
# Enable 802.1X globally.
[Device] dot1x
Verifying the configuration
# Verify the 802.1X configuration.
[Device] display dot1x
# Verify that you can ping an IP address on the free IP subnet from a host.
C:\>ping 192.168.2.3
Pinging 192.168.2.3 with 32 bytes of data:
Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
...
Figure 45 Network diagram (labels: Internet; Free IP: WEB server 192.168.2.3/24; Device; GE1/0/3; 192.168.1.0/24; GE1/0/1 192.168.2.1/24; 192.168.2.0/24; Vlan-int 2 192.168.1.1/24; DHCP server; GE1/0/2 10.1.1.10/24; Authentication servers 10.1.1.1/10.1.1.2)
Configuration procedure
Make sure the Web server and the authentication servers have been configured correctly. (Details not shown.)
Configure an IP address for each interface.
# Set the shared key to abc in plain text for secure communication between the authentication server and the device.
[Device-radius-2000] key authentication simple abc
# Set the shared key to abc in plain text for secure communication between the accounting server and the device.
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
The output shows that you can access the free IP subnet before passing 802.1X authentication.
# Verify that you are redirected to the Web server when you enter in your Web browser an IP address that is not on the free IP subnet.
Configuring MAC authentication
Overview
MAC authentication controls network access by authenticating source MAC addresses on a port. The feature does not require client software, and users do not have to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication-enabled port.
VLAN assignment
Authorization VLAN
The device uses the authorization VLAN to control the access of a MAC authentication user to authorized network resources. The device supports the following VLAN authorization methods:
• Remote VLAN authorization—The authorization VLAN information of a MAC authentication user is assigned by a remote server.
Guest VLAN
The MAC authentication guest VLAN on a port accommodates users that have failed MAC authentication for any reason other than the servers being unreachable, for example, users that entered an invalid password. You can deploy a limited set of network resources in the MAC authentication guest VLAN, for example, a software server for downloading software and system patches.
Authentication status: A user in the MAC authentication critical VLAN passes MAC authentication.
VLAN manipulation: The device remaps the MAC address of the user to the authorization VLAN assigned by the authentication server. If no authorization VLAN is configured for the user on the...
resources in any VXLAN after passing authentication. If the VTEP receives authorization VSI information for the user from the remote server, it performs the following operations: Dynamically creates an attachment circuit (AC) based on the user's access port, VLAN, and MAC address.
Table 14 VSI manipulation
Authentication status: A user fails MAC authentication because all the RADIUS servers are unreachable.
VSI manipulation: The VTEP maps the MAC address and the access VLAN of the user to the MAC authentication critical VSI. The user is still in the MAC authentication critical VSI if the user fails MAC reauthentication because all the RADIUS servers are unreachable.
records the MAC address of the user and uses a DM (Disconnect Message) to log off the user. When the user initiates MAC authentication again, it will pass the authentication and come online successfully. To redirect the HTTPS requests of MAC authentication users, specify the HTTPS redirect listening port on the device.
• To ensure successful MAC authentication, do not configure both the VSI assignment feature and the feature of including user IP addresses in MAC authentication requests on a port. • Do not delete a Layer 2 aggregate interface if the interface has online MAC authentication users.
Step: Enable MAC authentication on the port.
Command: mac-authentication
Remarks: By default, MAC authentication is disabled on a port.
Specifying a MAC authentication domain
By default, MAC authentication users are in the system default authentication domain. To implement different access policies for users, you can use one of the following methods to specify authentication domains for MAC authentication users: •...
Configuring MAC authentication timers MAC authentication uses the following timers: • Offline detect timer—Sets the interval that the device waits for traffic from a user before the device regards the user as idle. When the offline detection feature is enabled, the device logs off the user and requests to stop accounting for the user after the timer expires.
This feature improves transmission of data that is vulnerable to delay and interference. It is typically applicable to IP phone users.
To enable MAC authentication multi-VLAN mode on a port:
Step: Enter system view. Command: system-view
Step: Enter interface view. Command: interface interface-type interface-number
Remarks: By default, this feature is disabled on a port.
• If 802.1X authentication succeeds, the device handles the port and the MAC address based on the 802.1X authentication result. Configuration restrictions and guidelines When you enable parallel processing of MAC authentication and 802.1X authentication on a port, follow these restrictions and guidelines: •...
• Enable MAC authentication globally and on the port. • Enable MAC-based VLAN on the port. • Create the VLAN to be specified as the MAC authentication guest VLAN. • Configure the VLAN as an untagged member on the port. Configuration restrictions and guidelines The following table shows the relationships of the MAC authentication guest VLAN with other security features:...
• Create the VLAN to be specified as the MAC authentication critical VLAN.
• Configure the VLAN as an untagged member on the port.
When you configure the MAC authentication critical VLAN on a port, follow the guidelines in Table 15.
Table 15 Relationships of the MAC authentication critical VLAN with other security features
Feature | Relationship description...
For information about voice VLANs, see Layer 2—LAN Switching Configuration Guide.
Configuration procedure
To enable the MAC authentication critical voice VLAN feature on a port:
Step: Enter system view. Command: system-view
Step: Enter interface view. Command: interface interface-type interface-number
Step: Enable the MAC authentication critical voice... Command: mac-authentication... Remarks: By default, the MAC...
Step: (Optional.) Set the authentication interval for users in the MAC authentication guest VSI.
Command: mac-authentication guest-vsi auth-period period-value
Remarks: The default setting is 30 seconds.
Configuring a MAC authentication critical VSI
Configuration restrictions and guidelines
When you configure the MAC authentication critical VSI on a port, follow these restrictions and guidelines: •...
status of online users and updates the authorization attributes assigned by the server. The attributes include the ACL and VLAN. By default, the device logs off online MAC authentication users if no server is reachable for MAC reauthentication. The keep-online feature keeps authenticated MAC authentication users online when no server is reachable for MAC reauthentication.
Step: (Optional.) Set the periodic reauthentication timer on the port.
Command: mac-authentication timer reauth-period reauth-period-value
Remarks: By default, no periodic reauthentication timer is set on a port. The port uses the global periodic MAC reauthentication timer.
Step: (Optional.) Enable the keep-online feature for authenticated MAC...
Command: mac-authentication...
Remarks: By default, the keep-online...
Enabling MAC authentication offline detection This feature logs a user out of the device if the device does not receive any packets from the user within the offline detect timer. The device also requests to stop accounting for the user at the same time.
Task: Display MAC authentication information.
Command: display mac-authentication [ interface interface-type interface-number ]
Task: (In standalone mode.) Display MAC authentication connections.
Command: display mac-authentication connection [ open ] [ interface interface-type interface-number | slot slot-number | user-mac mac-address | user-name user-name ]
Task: (In IRF mode.) Display MAC authentication...
Command: display mac-authentication connection [ open ] [ chassis chassis-number slot slot-number | interface...
Figure 47 Network diagram (labels: Host A, MAC 00-e0-fc-12-34-56; Host B, MAC 00-e0-fc-11-11-11; Device port GE1/0/1; IP network)
Configuration procedure
# Add a network access local user. In this example, configure both the username and password as Host A's MAC address 00-e0-fc-12-34-56.
<Device>...
  Server timeout              : 100 s
  Reauth period               : 3600 s
  Authentication domain       : bbb
Online MAC-auth users
Silent MAC users:
  MAC address      VLAN ID   From port   Port index
  00e0-fc11-1111             GE1/0/1
GigabitEthernet1/0/1 is link-up
  MAC authentication          : Enabled
  Carry User-IP               : Disabled
  Authentication domain       : Not configured
  Auth-delay timer...
Figure 48 Network diagram (labels: RADIUS servers, Auth 10.1.1.1 and Acct 10.1.1.2; Host; Device port GE1/0/1; IP network)
Configuration procedure
Make sure the RADIUS server and the access device can reach each other. (Details not shown.)
Configure the RADIUS servers:
# Create a shared account for MAC authentication users. (Details not shown.)
# Set username aaa and password 123456 for the account.
[Device] mac-authentication
Verifying the configuration
# Verify the MAC authentication configuration.
[Device] display mac-authentication
Global MAC authentication parameters:
  MAC authentication          : Enabled
  Username format             : Fixed account
  Username                    : aaa
  Password                    : ******
  Offline detect period       : 180 s
  Quiet period                : 180 s
  Server timeout              : 100 s...
• Use RADIUS servers to perform authentication, authorization, and accounting for users. • Perform MAC authentication on GigabitEthernet 1/0/1 to control Internet access. • Use MAC-based user accounts for MAC authentication users. Each MAC address is in the hexadecimal notation with hyphens, and letters are in lower case. •...
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] mac-authentication
[Device-GigabitEthernet1/0/1] quit
# Enable MAC authentication globally.
[Device] mac-authentication
Configure the RADIUS servers:
# Add a user account with 00-e0-fc-12-34-56 as both the username and password on each RADIUS server. (Details not shown.)
# Specify ACL 3000 as the authorization ACL for the user account. (Details not shown.)
Verifying the configuration
# Verify the MAC authentication configuration.
  MAC address      Auth state
  00e0-fc12-3456   Authenticated
# Verify that you cannot ping the FTP server from the host.
C:\>ping 10.0.0.1
Pinging 10.0.0.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
The output shows that ACL 3000 has been assigned to GigabitEthernet 1/0/1 to deny access to the FTP server.
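The two RADIUS examples above differ only in the account the device presents: a fixed shared account (aaa/123456) or a MAC-based account whose username and password are both the MAC address in lower-case hyphenated hex. The following added example, which is not code from the guide or from HPE, builds the RADIUS Access-Request a MAC authentication NAS sends for either account type, including the User-Password hiding defined in RFC 2865 section 5.2 with the shared key, and parses it back the way the server does. The shared key "radius" and the use of Calling-Station-Id to carry the client MAC are assumptions of the example, not statements on this page.

```python
"""Added example (not HPE code): RADIUS Access-Request for MAC authentication,
with User-Name/User-Password as either a fixed account or the MAC-based account
format the guide describes (hyphenated lower-case hex)."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_CALLING_STATION_ID = 31  # assumption: NAS also carries the MAC here


def mac_auth_username(mac):
    """Format a MAC address as the guide's MAC-based account name:
    hexadecimal with hyphens, letters in lower case (00-e0-fc-12-34-56).
    Accepts 6 raw bytes or a string in hyphen, colon or dotted notation."""
    octets = mac if isinstance(mac, bytes) else bytes.fromhex(
        mac.replace("-", "").replace(":", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address is exactly 6 octets")
    return "-".join(f"{b:02x}" for b in octets)


def encode_user_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad with NULs to a multiple of 16 octets, then
    XOR each block with MD5(secret + previous ciphertext block); the first
    block is chained to the 16-octet Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def decode_user_password(encoded, secret, authenticator):
    """Inverse of encode_user_password, as computed by the RADIUS server."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type, value):
    """One RADIUS attribute TLV: type, total length, value (max 253 octets)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, password, secret, mac, identifier=1,
                         authenticator=None):
    """Code, identifier, length, 16-octet Request Authenticator, attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD,
                         encode_user_password(password.encode(), secret,
                                              authenticator))
             + attribute(ATTR_CALLING_STATION_ID,
                         mac_auth_username(mac).encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet, secret):
    """Validate the header, walk the attributes and recover the cleartext
    password; returns (username, password, {type: raw value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    password = decode_user_password(attrs[ATTR_USER_PASSWORD], secret,
                                    authenticator)
    return attrs[ATTR_USER_NAME].decode(), password.decode(), attrs


if __name__ == "__main__":
    secret = b"radius"  # constructed sample shared key
    mac = mac_auth_username("00-E0-FC-12-34-56")
    pkt = build_access_request(mac, mac, secret, mac)
    print(parse_access_request(pkt, secret)[:2])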
Users can access more network resources after passing security check. Security check must cooperate with the HPE IMC security policy server and the iNode client. Portal system components A typical portal system consists of these basic components: authentication client, access device,...
Figure 51 Portal system components (authentication clients, access device, portal authentication server, portal Web server, AAA server, security policy server)
Authentication client
An authentication client is a Web browser that runs HTTP/HTTPS or a user host that runs a portal client application.
Web browser. When receiving the HTTP or HTTPS request, the access device redirects it to the Web authentication page provided by the portal Web server. The user can also visit the authentication website to log in. The user must log in through the HPE iNode client for extended portal functions.
Re-DHCP authentication saves public IP addresses. For example, an ISP can allocate public IP addresses to broadband users only when they access networks beyond the residential community network. Only the HPE iNode client supports re-DHCP authentication. IPv6 portal authentication does not support the re-DHCP authentication mode. Cross-subnet authentication Cross-subnet authentication is similar to direct authentication, except it allows Layer 3 forwarding devices to exist between the authentication client and the access device.
EAP authentication. NOTE: • To use portal authentication that supports EAP, the portal authentication server and client must be the HPE IMC portal server and the HPE iNode portal client. • Local portal authentication does not support EAP authentication.
The portal Web server submits the user authentication information to the portal authentication server. The portal authentication server and the access device exchange CHAP messages. This step is skipped for PAP authentication. The portal authentication server decides the method (CHAP or PAP) to use.
After receiving the authentication success packet, the client obtains a public IP address through DHCP. The client then notifies the portal authentication server that it has a public IP address. The portal authentication server notifies the access device that the client has obtained a public IP address.
The access device sends a MAC binding query to the MAC binding server. The MAC binding server checks whether the MAC address of the user is bound with a portal user account. If yes, the MAC binding server sends the user authentication information to the access ...
Tasks at a glance
(Optional.) Configuring Web redirect
Web redirect does not work when both Web redirect and portal authentication are enabled.
(Optional.) Applying a NAS-ID profile to an interface
(Optional.) Configuring the local portal Web server feature
(Optional.) Configuring the Rule ARP or ND entry feature for portal clients
(Optional.) Configuring HTTPS redirect
(Optional.)
Do not delete a portal authentication server in use. Otherwise, users authenticated by that server cannot log out normally.
To configure a portal authentication server:
Step: Enter system view. Command: system-view
Step: Create a portal authentication server, and enter its view. Command: portal server server-name Remarks: By default, no portal authentication servers exist.
Step: Create a portal Web server and enter its view. Command: portal web-server server-name Remarks: By default, no portal Web servers exist.
Step: Specify the VPN instance to which the portal Web server belongs. Command: vpn-instance vpn-instance-name Remarks: By default, the portal Web server belongs to the public network.
forwarding device exists between the authentication client and the access device, you must use the cross-subnet portal authentication mode. • With re-DHCP portal authentication, configure authorized ARP on the interface as a best practice to make sure only valid users can access the network. With authorized ARP configured on the interface, the interface learns ARP entries only from the users who have obtained a public address from DHCP.
Controlling portal user access Configuring a portal-free rule A portal-free rule allows specified users to access specified external websites without portal authentication. The matching items for a portal-free rule include the host name, source/destination IP address, TCP/UDP port number, source MAC address, access interface, and VLAN. Packets matching a portal-free rule will not trigger portal authentication, so users sending the packets can directly access the specified external websites.
Step: Enter system view. Command: system-view
Step: Configure a destination-based portal-free rule. Command: portal free-rule rule-number destination host-name Remarks: By default, no destination-based portal-free rule exists.
Configuring an authentication source subnet
By configuring authentication source subnets, you specify that only HTTP packets from users on the authentication source subnets can trigger portal authentication.
Configuring an authentication destination subnet
By configuring authentication destination subnets, you specify that users trigger portal authentication only when they access the specified subnets (excluding the destination IP addresses and subnets specified in portal-free rules). Users can access other subnets without portal authentication. If both authentication source subnets and destination subnets are configured on an interface, only the authentication destination subnets take effect.
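The three mechanisms above (portal-free rules, authentication source subnets and authentication destination subnets) combine by precedence, and getting the order wrong is how unauthenticated users end up with more reach than intended. The following added example, which is not code from the guide or from HPE, models that precedence for one interface: a packet is first matched against the portal-free rules in rule-number order, then against the destination subnets if any are configured (in which case the source subnets are ignored), otherwise against the source subnets, and only an HTTP packet that survives those checks triggers authentication. The rules, subnets, packets and the assumption that "HTTP" means TCP port 80 are constructed for the example.

```python
"""Added example (not HPE code): portal-free rules versus authentication
source/destination subnets on a portal-enabled interface."""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress


def in_subnet(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str          # "tcp" or "udp"
    dst_port: int
    src_mac: str = ""
    interface: str = ""
    vlan: int = 0
    host_name: str = ""    # HTTP Host header, when the packet is HTTP


@dataclass
class PortalFreeRule:
    """Matching items of a portal-free rule; None means 'any' for that item."""
    number: int
    source_ip: Optional[str] = None        # CIDR
    destination_ip: Optional[str] = None   # CIDR
    protocol: Optional[str] = None
    port: Optional[int] = None
    source_mac: Optional[str] = None
    interface: Optional[str] = None
    vlan: Optional[int] = None
    host_name: Optional[str] = None

    def matches(self, pkt):
        return all([
            self.source_ip is None or in_subnet(pkt.src_ip, self.source_ip),
            self.destination_ip is None or in_subnet(pkt.dst_ip, self.destination_ip),
            self.protocol is None or pkt.protocol == self.protocol,
            self.port is None or pkt.dst_port == self.port,
            self.source_mac is None or pkt.src_mac.lower() == self.source_mac.lower(),
            self.interface is None or pkt.interface == self.interface,
            self.vlan is None or pkt.vlan == self.vlan,
            self.host_name is None or pkt.host_name.lower() == self.host_name.lower(),
        ])


def is_http(pkt):
    # Assumption for this example: HTTP means TCP to port 80. Redirecting
    # HTTPS needs the separate HTTPS redirect listening port the guide describes.
    return pkt.protocol == "tcp" and pkt.dst_port == 80


@dataclass
class PortalInterface:
    free_rules: list = field(default_factory=list)
    source_subnets: list = field(default_factory=list)       # CIDRs
    destination_subnets: list = field(default_factory=list)  # CIDRs

    def classify(self, pkt):
        """'free': matches a portal-free rule, forwarded without authentication.
        'trigger': HTTP packet that triggers portal authentication (redirect).
        'no-auth': destination outside the authentication destination subnets,
                   reachable without portal authentication.
        'no-trigger': does not trigger portal authentication (not HTTP, or the
                   source is outside the authentication source subnets)."""
        for rule in sorted(self.free_rules, key=lambda r: r.number):
            if rule.matches(pkt):
                return "free"
        if self.destination_subnets:   # when configured, source subnets are ignored
            if not any(in_subnet(pkt.dst_ip, s) for s in self.destination_subnets):
                return "no-auth"
        elif self.source_subnets:
            if not any(in_subnet(pkt.src_ip, s) for s in self.source_subnets):
                return "no-trigger"
        return "trigger" if is_http(pkt) else "no-trigger"


if __name__ == "__main__":
    iface = PortalInterface(
        free_rules=[PortalFreeRule(1, destination_ip="192.168.0.111/32",
                                   protocol="tcp", port=8080)],
        source_subnets=["8.8.8.0/24"])
    print(iface.classify(Packet("8.8.8.2", "192.168.0.111", "tcp", 8080)))
    print(iface.classify(Packet("8.8.8.2", "1.1.1.1", "tcp", 80)))
```

When auditing a portal interface, run the real rule set through a classifier like this with the destinations that must stay reachable (DNS, the portal Web server URL, WPAD) and with a few destinations that must not be, and confirm that adding a destination subnet did not silently disable the source-subnet restriction.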
Step: Enter system view. Command: system-view
Step: Set the maximum number of total portal users. Command: portal max-user max-number Remarks: By default, no limit is set on the number of portal users in the system.
To set the maximum number of portal users on an interface:
Step Command Remarks...
Step: Specify an IPv6 portal authentication domain. Command: portal ipv6 domain domain-name Remarks: By default, no ISP domain is specified for IPv6 portal users on the interface.
Specifying a preauthentication domain
The preauthentication domain takes effect only on portal users with IP addresses obtained through DHCP or DHCPv6.
Specifying a preauthentication IP address pool for portal users You must specify a preauthentication IP address pool on a portal-enabled interface in the following situation: • Portal users access the network through a subinterface of the portal-enabled interface. • The subinterface does not have an IP address. •...
If a user's browser uses the Web Proxy Auto-Discovery (WPAD) protocol to discover Web proxy servers, you must perform the following tasks on the device: • Specify port numbers of the Web proxy servers. • Configure portal-free rules to allow user packets destined for the WPAD server to pass without authentication.
Allowing only users with DHCP-assigned IP addresses to pass portal authentication This feature allows only users with DHCP-assigned IP addresses to pass portal authentication. Users with static IP addresses cannot pass portal authentication to come online. Use this feature to ensure that only users with valid IP addresses can access the network.
• ICMP or ICMPv6 detection—Sends ICMP or ICMPv6 requests to the user at configurable intervals to detect the user status. If the device receives a reply within the maximum number of detection attempts, it considers that the user is online and stops sending detection packets. Then the device resets the idle timer and repeats the detection process when the timer expires.
the device considers the portal authentication server to be reachable. Otherwise, the device considers the portal authentication server to be unreachable. Portal packets include user login packets, user logout packets, and heartbeat packets. Heartbeat packets are periodically sent by a server. By detecting heartbeat packets, the device can detect the server's actual status more quickly than by detecting other portal packets.
• Sending a log message, which contains the name, the current state, and the original state of the portal Web server. • Enabling portal fail-permit. When the portal Web server is unreachable, the portal fail-permit feature on an interface allows users on the interface to have network access. When the server recovers, it resumes portal authentication on the interface.
Step: Configure portal user synchronization. Command: user-sync timeout timeout Remarks: By default, portal user synchronization is disabled.
Configuring the portal fail-permit feature
Perform this task to configure the portal fail-permit feature on an interface. When the access device detects that the portal authentication server or portal Web server is unreachable, it allows users on the interface to have network access without portal authentication.
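The detection logic above is a timer reset by any portal packet from the server (login, logout or heartbeat), with a state change that is logged and, when fail-permit is configured, opens the interface until the server recovers. The following added example, which is not code from the guide or from HPE, models exactly that so the interaction between heartbeat interval, detection timeout and fail-permit can be seen on a timeline; the server name, the 40-second timeout and the event times are constructed sample values.

```python
"""Added example (not HPE code): portal authentication server reachability
detection with fail-permit, replayed on a constructed timeline."""
from dataclasses import dataclass, field


@dataclass
class PortalServerDetector:
    name: str
    timeout: float                     # detection timeout in seconds
    fail_permit: bool = True           # fail-permit configured on the interface
    last_packet_at: float = 0.0        # time of the last portal packet seen
    reachable: bool = True
    allow_without_auth: bool = False   # True while fail-permit is in effect
    logs: list = field(default_factory=list)

    def packet_received(self, now, kind):
        """Any portal packet from the server keeps it reachable; heartbeats
        are simply the most frequent kind, so they shorten detection time."""
        if kind not in ("login", "logout", "heartbeat"):
            raise ValueError(f"not a portal packet type: {kind}")
        self.last_packet_at = now
        self._transition(now, True)

    def check(self, now):
        """Run by the detection timer; returns the current reachability."""
        self._transition(now, now - self.last_packet_at <= self.timeout)
        return self.reachable

    def _transition(self, now, reachable):
        if reachable == self.reachable:
            return
        old = "reachable" if self.reachable else "unreachable"
        new = "reachable" if reachable else "unreachable"
        self.reachable = reachable
        # the log carries the server name, the original and the current state
        self.logs.append(f"{now:.0f}s portal server {self.name}: {old} -> {new}")
        # fail-permit opens the interface only while the server is down;
        # portal authentication resumes as soon as the server recovers
        self.allow_without_auth = self.fail_permit and not reachable


def simulate(detector, events, until, check_every=1.0):
    """Replay (time, kind) packet events, running the detection timer every
    check_every seconds until 'until'; returns the detector's log lines."""
    pending = sorted(events)
    t = 0.0
    while t <= until:
        while pending and pending[0][0] <= t:
            detector.packet_received(*pending.pop(0))
        detector.check(t)
        t += check_every
    return detector.logs


if __name__ == "__main__":
    d = PortalServerDetector("newpt", timeout=40)
    heartbeats = [(t, "heartbeat") for t in (0, 10, 20, 30)]
    for line in simulate(d, heartbeats + [(100, "login")], until=120):
        print(line)
```

The worst-case time to notice an outage is the detection timeout plus one timer period after the last packet, so a heartbeat interval longer than the timeout makes a healthy server flap between reachable and unreachable; keep the heartbeat interval well below the timeout, and treat every "reachable -> unreachable" log line as a window in which fail-permit granted unauthenticated access.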
To configure the BAS-IP attribute for unsolicited portal packets sent to the portal authentication server:
Step: Enter system view. Command: system-view
Step: Enter interface view. Command: interface interface-type interface-number
Step: Configure BAS-IP for IPv4 portal packets sent to the... Remarks: By default: • The BAS-IP attribute of an IPv4 portal response packet sent to the portal authentication server is the...
Specifying a format for the NAS-Port-Id attribute RADIUS servers from different vendors might require different formats of the NAS-Port-Id attribute in the RADIUS packets. You can specify the NAS-Port-Id attribute format as required. The device supports the NAS-Port-Id attribute in format 1, format 2, format 3, and format 4. For more information about the formats, see Security Command Reference.
• After the specified redirect interval, a user is redirected to the specified URL regardless of whether the user is online or not. This process does not cause online users to be offline. When you configure Web redirect, follow these restrictions and guidelines: •...
• Configure a local portal Web server. • Configure a name for the portal Web server and specify a local IP address of the device as the server's URL. • Enable portal authentication on the user access interface. • Specify the portal Web server on the portal-enabled interface. During local portal authentication, the local Web portal server pushes authentication pages to users.
Post request attribute rules Observe the following requirements when editing a form of an authentication page: An authentication page can have multiple forms, but there must be one and only one form whose action is logon.cgi. Otherwise, user information cannot be sent to the local portal Web server.
The required contents are the script element and the body event handlers:
<html>
<head>
<title>LogonSuccessed</title>
<script type="text/javascript" language="javascript" src="pt_private.js"></script>
</head>
<body onload="pt_init();" onbeforeunload="return pt_unload();">
...
</body>
</html>
Configuring a local portal Web server
Perform the following tasks for the local portal Web server to support HTTPS: •...
To configure the Rule ARP or ND entry feature for portal clients:
Step: Enter system view. Command: system-view
Step: Enable the Rule ARP or ND entry feature for portal clients. Command: portal refresh { arp | nd } enable Remarks: By default, the Rule ARP or ND entry feature is enabled for portal clients.
Step: Enter system view. Command: system-view
Step: Create a MAC binding server and enter its view. Command: portal mac-trigger-server server-name Remarks: By default, no MAC binding servers exist.
Step: Specify the IP address of the MAC binding server. Command: ip ipv4-address [ vpn-instance ipv4-vpn-instance-name ] [ key... Remarks: By default, the IP address of a MAC binding server is not...
Enabling logging for user logins and logouts This feature logs information about user login and logout events, including the username, IP address, user's MAC address, interface name, VLAN, and reason for login failure. For portal log messages to be sent correctly, you must also configure the information center on the device. For more information about information center configuration, see Network Management and Monitoring Configuration Guide.
Portal configuration examples Configuring direct portal authentication Network requirements As shown in Figure 56, the host is directly connected to the switch (the access device). The host is assigned a public IP address either manually or through DHCP. A portal server acts as both a portal authentication server portal...
Figure 57 Portal server configuration
Configure the IP address group:
a. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to open the portal IP address group configuration page.
b. Click Add to open the page as shown in Figure
c.
a. Select User Access Manager > Portal Service Management > Device from the navigation tree to open the portal device configuration page.
b. Click Add to open the page as shown in Figure
c. Enter the device name NAS.
d. Enter the IP address of the switch's interface connected to the host.
e.
Figure 61 Adding a port group
Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations.
Configuring the switch
Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
<Switch>...
# Configure a portal authentication server.
[Switch] portal server newpt
[Switch-portal-server-newpt] ip 192.168.0.111 key simple portal
[Switch-portal-server-newpt] port 50100
[Switch-portal-server-newpt] quit
# Configure a portal Web server.
[Switch] portal web-server newpt
[Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[Switch-portal-websvr-newpt] quit
# Enable direct portal authentication on VLAN-interface 100.
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] portal enable method direct
# Specify portal Web server newpt on VLAN-interface 100.
  IP address        Prefix length
A user can perform portal authentication by using the HPE iNode client or through a Web browser. Before passing the authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
Figure 62 Network diagram (labels: Portal server 192.168.0.111/24; Switch Vlan-int100 20.20.20.1/24 with sub 10.0.0.1/24, Vlan-int2 192.168.0.100/24; DHCP server 192.168.0.112/24; Host automatically obtains an IP address; RADIUS server 192.168.0.113/24)
Configuration prerequisites and guidelines
• Configure IP addresses for the switch and servers as shown in Figure 62 and make sure the host, switch, and servers can reach each other.
[Switch] radius session-control enable
Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Switch] domain dm1
# Configure AAA methods for the ISP domain.
[Switch-isp-dm1] authentication portal radius-scheme rs1
[Switch-isp-dm1] authorization portal radius-scheme rs1
[Switch-isp-dm1] accounting portal radius-scheme rs1
[Switch-isp-dm1] quit
# Configure domain dm1 as the default ISP domain.
  IP address        Prefix length
Before passing the authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. After passing the authentication, the user can access other network resources.
[Switch] display portal user interface vlan-interface 100
Total portal users: 1
Username: abc
  Portal server: newpt
  State: Online
  VPN instance: N/A
  VLAN   Interface
  0015-e9a6-7cfe  20.20.20.2  Vlan-interface100
  Authorization information:
    DHCP IP pool: N/A
    ACL: N/A
    CAR: N/A
Configuring cross-subnet portal authentication
Network requirements
As shown in Figure...
[SwitchA] radius scheme rs1
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[SwitchA-radius-rs1] primary authentication 192.168.0.112
[SwitchA-radius-rs1] primary accounting 192.168.0.112
[SwitchA-radius-rs1] key authentication simple radius
[SwitchA-radius-rs1] key accounting simple radius
# Exclude the ISP domain name from the username sent to the RADIUS server.
  IP address        Prefix length
A user can perform portal authentication by using the HPE iNode client or through a Web browser. Before passing the authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the...
# After the user passes authentication, use the following command to display information about the portal user.
[SwitchA] display portal user interface vlan-interface 4
Total portal users: 1
Username: abc
  Portal server: newpt
  State: Online
  VPN instance: N/A
  VLAN   Interface
  0000-0000-0000  8.8.8.2  Vlan-interface4...
<Switch> system-view
[Switch] radius scheme rs1
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Switch-radius-rs1] primary authentication 192.168.0.112
[Switch-radius-rs1] primary accounting 192.168.0.112
[Switch-radius-rs1] key accounting simple radius
[Switch-radius-rs1] key authentication simple radius
[Switch-radius-rs1] user-name-format without-domain
# Enable RADIUS session control.
[Switch] portal web-server newpt
[Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[Switch-portal-websvr-newpt] quit
# Enable direct portal authentication on VLAN-interface 100.
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] portal enable method direct
# Specify portal Web server newpt on VLAN-interface 100.
[Switch-Vlan-interface100] portal apply web-server newpt
# Configure the BAS-IP as 2.2.2.1 for portal packets sent from VLAN-interface 100 to the portal authentication server.
Destination authenticate subnet:
  IP address        Prefix length
Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
•...
Figure 65 Network diagram (labels: Portal server 192.168.0.111/24; Switch Vlan-int100 20.20.20.1/24 with sub 10.0.0.1/24, Vlan-int2 192.168.0.100/24; DHCP server 192.168.0.112/24; Host automatically obtains an IP address; RADIUS server 192.168.0.113/24; Security policy server 192.168.0.114/24)
Configuration prerequisites and guidelines
• Configure IP addresses for the switch and servers as shown in Figure 65 and make sure the host, switch, and servers can reach each other.
[Switch] radius session-control enable
# Specify a session-control client with IP address 192.168.0.113 and shared key 12345 in plaintext form.
[Switch] radius session-control client ip 192.168.0.113 key simple 12345
Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Switch] domain dm1
# Configure AAA methods for the ISP domain.
[Switch-portal-server-newpt] quit
# Configure a portal Web server.
[Switch] portal web-server newpt
[Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[Switch-portal-websvr-newpt] quit
# Enable re-DHCP portal authentication on VLAN-interface 100.
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] portal enable method redhcp
# Specify portal Web server newpt on VLAN-interface 100.
[Switch-Vlan-interface100] portal apply web-server newpt
# Configure the BAS-IP as 20.20.20.1 for portal packets sent from VLAN-interface 100 to the portal authentication server.
Destination authenticate subnet:
  IP address        Prefix length
Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
•...
Figure 66 Network diagram (labels: Switch A Vlan-int2 192.168.0.100/24 and Vlan-int4 20.20.20.1/24; Switch B Vlan-int4 20.20.20.2/24 and Vlan-int2 8.8.8.1/24; Host 8.8.8.2/24; Portal server 192.168.0.111/24; RADIUS server 192.168.0.112/24; Security policy server 192.168.0.113/24)
Configuration prerequisites and guidelines
• Configure IP addresses for the switch and servers as shown in Figure 66 and make sure the host, switch, and servers can reach each other.
# Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.
[SwitchA] domain default enable dm1
Configure ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.
Destination authenticate subnet:
  IP address        Prefix length
Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
•...
Username: abc
  Portal server: newpt
  State: Online
  VPN instance: N/A
  VLAN   Interface
  0000-0000-0000  8.8.8.2  Vlan-interface4
  Authorization information:
    DHCP IP pool: N/A
    ACL: 3001
    CAR: N/A
Configuring portal server detection and portal user synchronization
Network requirements
As shown in Figure 67, the host is directly connected to the switch (the access device). The host is assigned a public IP address either manually or through DHCP.
Configure portal authentication server detection, so that the switch can detect the reachability of the portal authentication server by cooperating with the portal server heartbeat function. Configure portal user synchronization, so that the switch can synchronize portal user information with the portal authentication server by cooperating with the portal user heartbeat function.
Figure 69 Adding an IP address group
Add a portal device:
a. Select User Access Manager > Portal Service Management > Device from the navigation tree to open the portal device configuration page.
b. Click Add to open the page as shown in Figure
c.
b. Click Add to open the page as shown in Figure
c. Enter the port group name.
d. Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group.
# Enable RADIUS session control.
[Switch] radius session-control enable
Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Switch] domain dm1
# Configure AAA methods for the ISP domain.
[Switch-isp-dm1] authentication portal radius-scheme rs1
[Switch-isp-dm1] authorization portal radius-scheme rs1
[Switch-isp-dm1] accounting portal radius-scheme rs1
[Switch-isp-dm1] quit...
Verifying the configuration
# Use the following command to display information about the portal authentication server.
[Switch] display portal server newpt
Portal server: newpt
  IP                  : 192.168.0.111
  VPN instance        : Not configured
  Port                : 50100
  Server Detection    : Timeout 40s  Action: log
  User synchronization: Timeout 600s
  Status...
# For the RADIUS scheme, specify the VPN instance that is bound to the interface connected to the portal/RADIUS server. This example uses VPN instance vpn3. (For information about the VPN instance, see the MPLS L3VPN configuration on Switch A.)
[SwitchA-radius-rs1] vpn-instance vpn3
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
# Configure the BAS-IP as 3.3.0.3 for portal packets sent from VLAN-interface 3 to the portal authentication server.
[SwitchA-Vlan-interface3] portal bas-ip 3.3.0.3
[SwitchA-Vlan-interface3] quit
Verifying the configuration
# Verify the portal configuration by executing the display portal interface command. (Details not shown.)
# After the user passes authentication, execute the display portal user command to display the portal user information.
Configuration procedure
Perform the following tasks on the switch.
Configure a preauthentication IP address pool:
# Configure DHCP address pool pre to assign IP addresses and other configuration parameters to clients on subnet 2.2.2.0/24.
<Switch> system-view
[Switch] dhcp server ip-pool pre
[Switch-dhcp-pool-pre] gateway-list 2.2.2.1
[Switch-dhcp-pool-pre] network 2.2.2.0 24
[Switch-dhcp-pool-pre] quit
...
Verifying the configuration
# Verify the portal configuration by executing the display portal interface command. (Details not shown.)
# Display information about preauthentication portal users.
[Switch] display portal user pre-authenticate interface vlan-interface 100
VLAN Interface
0015-e9a6-7cfe  10.10.10.4  Vlan-interface100
  State: Online
  VPN instance: --
  Authorization information:
    DHCP IP pool: N/A
...
• For re-DHCP portal authentication: The switch must be configured as a DHCP relay agent. The portal-enabled interface must be configured with a primary IP address (a public IP address) and a secondary IP address (a private IP address). For information about DHCP relay agent configuration, see Layer 3—IP Services Configuration Guide.
[Switch-portal-server-newpt] port 50100
[Switch-portal-server-newpt] quit
# Configure a portal Web server.
[Switch] portal web-server newpt
[Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[Switch-portal-websvr-newpt] quit
# Enable re-DHCP portal authentication on VLAN-interface 100.
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] portal enable method redhcp
# Specify portal Web server newpt on VLAN-interface 100.
[Switch-Vlan-interface100] portal apply web-server newpt
# Configure the BAS-IP as 20.20.20.1 for portal packets sent from VLAN-interface 100 to the portal authentication server.
Figure 76 Network diagram (Switch: Vlan-int100 2.2.2.1/24, Vlan-int2 192.168.0.100/24; Host: 2.2.2.2/24, gateway 2.2.2.1; RADIUS server: 192.168.0.112/24)
Configuration prerequisites and guidelines
• Configure IP addresses for the host, switch, and server as shown in Figure 76 and make sure they can reach each other.
• ...
[Switch-portal-local-websvr-http] default-logon-page abc.zip
# Set the HTTP service listening port number to 2331 for the local portal Web server.
[Switch-portal-local-websvr-http] tcp-port 2331
[Switch-portal-local-websvr-http] quit
# Configure the portal Web server name as newpt and URL as the IP address of the portal authentication-enabled interface or a loopback interface (except 127.0.0.1).
  Pre-auth IP pool: Not configured
  Max Portal users: Not configured
  Bas-ipv6: Not configured
  User detection: Not configured
  Action for server detection:
    Server type    Server name    Action
  Layer3 source network:
    IP address    Prefix length
  Destination authenticate subnet:
    IP address    Prefix length
A user can perform portal authentication through a Web page.
Cannot log out portal users on the RADIUS server
Symptom
The access device uses the HPE IMC server as the RADIUS server to perform identity authentication for portal users. You cannot log out the portal users on the RADIUS server.
Analysis
When you execute the portal delete-user command on the access device to log out a user, the access device sends an unsolicited logout notification to the portal authentication server. If the BAS-IP or BAS-IPv6 address carried in the logout notification is different from the portal device IP address specified on the portal authentication server, the portal authentication server discards the logout notification.
Configuring port security
Overview
Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control. This feature applies to networks, such as a WLAN, that require different authentication methods for different users on a port.
Port security provides the following functions:
• ...
Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC address or performs authentication, depending on the security mode. If the frame is illegal, the port takes the predefined NTK or intrusion protection action, or sends SNMP notifications.
A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC addresses. Instead, these MAC addresses are added to the secure MAC address table as secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.
In this mode, the port performs 802.1X authentication first. By default, if 802.1X authentication fails, MAC authentication is performed. However, the port in this mode processes authentication differently when the following conditions exist: The port is enabled with parallel processing of MAC authentication and 802.1X ...
Tasks at a glance (with remarks):
(Required.) Setting the port security mode
(Required.) Configuring port security features:
  • Configuring NTK
  • Configuring intrusion protection
  Remarks: Configure one or more port security features according to the network requirements.
(Optional.) Configuring secure MAC addresses
(Optional.) Setting port security's limit on the number of MAC addresses for specific VLANs on a port
...
• Controlling the number of concurrent users on the port. For a port operating in a security mode (except for autoLearn and secure), the upper limit equals the smaller of the following values: The limit of the secure MAC addresses that port security allows. ...
During authentication, the HTTP or HTTPS requests of a user are redirected to the Web interface specified by the server-assigned URL attribute. After the user passes the Web authentication, the RADIUS server records the MAC address of the user and uses a DM (Disconnect Message) to log off the user.
• ntk-withmulticasts—Forwards only broadcast frames, multicast frames, and unicast frames with authenticated destination MAC addresses. The NTK feature drops any unicast frame with an unknown destination MAC address.
Not all port security modes support triggering the NTK feature. For more information, see Table .
To configure the NTK feature:
Step ...
Configuring secure MAC addresses
Secure MAC addresses are configured or learned in autoLearn mode. If the secure MAC addresses are saved, they can survive a device reboot. You can bind a secure MAC address only to one port in a VLAN.
Secure MAC addresses include static, sticky, and dynamic secure MAC addresses.
• Configure the port to permit packets of the specified VLAN to pass or add the port to the VLAN. Make sure the VLAN already exists.
Configuration procedure
To configure a secure MAC address:
Step: Enter system view.
Command: system-view

Step: (Optional.) Set the ...
Command: port-security timer autolearn aging ...
Configuration restrictions and guidelines
On a port, the maximum number of MAC addresses in a VLAN cannot be smaller than the number of existing MAC addresses in the VLAN. If the specified maximum number is smaller, the setting does not take effect.
Configuration procedure
To set port security's limit on the number of MAC addresses for specific VLANs on a port:
Step ...
Enabling the authorization-fail-offline feature
Overview
The authorization-fail-offline feature logs off port security users that fail ACL authorization. A user fails ACL authorization in the following situations:
• The device fails to authorize the specified ACL to the user.
• The server assigns a nonexistent ACL to the user.
This feature does not apply to users that fail VLAN authorization.
This feature does not affect the access of users that use correct user information.
Configuration restrictions and guidelines
When you configure open authentication mode, follow these restrictions and guidelines:
• If global open authentication mode is enabled, all ports are enabled with open authentication mode regardless of the port-specific open authentication mode setting.
Do not configure free VLANs together with the feature of including user IP addresses in MAC authentication requests on a port. For information about including user IP addresses in MAC authentication requests, see "Configuring MAC authentication."
To configure free VLANs for port security:
Step ... Command ... Remarks ...
To enable SNMP notifications for port security:
Step: Enter system view.
Command: system-view

Step: Enable SNMP notifications for port security.
Command: snmp-agent trap enable port-security [ address-learned | dot1x-failure | dot1x-logoff | dot1x-logon | intrusion | mac-auth-failure | ... ]
Remarks: By default, SNMP notifications for port security are disabled.
Port security configuration examples
autoLearn configuration example
Network requirements
As shown in Figure 77, configure GigabitEthernet 1/0/1 on the device to meet the following requirements:
• Accept up to 64 users without authentication.
• Be permitted to learn and add MAC addresses as sticky MAC addresses, and set the secure MAC aging timer to 30 minutes.
# After the port is re-enabled, delete several secure MAC addresses.
[Device] undo port-security mac-address security sticky 0002-0000-0015 vlan 1
[Device] undo port-security mac-address security sticky 0002-0000-0014 vlan 1
…
# Verify that the port security mode of the port changes to autoLearn, and the port can learn MAC addresses again.
  Intrusion trap        : Disabled
  Address-learned trap  : Disabled
  Mac-auth-failure trap : Disabled
  Mac-auth-logon trap   : Disabled
  Mac-auth-logoff trap  : Disabled
  Open authentication   : Disabled
  OUI value list
    Index :   Value : 123401
    Index :   Value : 123402
    Index :   Value : 123403
    Index :   Value : 123404
    Index : ...
• Enable NTK (ntkonly mode) to prevent frames from being sent to unknown MAC addresses.
Figure 79 Network diagram (Host; Device GE1/0/1; authentication servers 192.168.1.2/24 and 192.168.1.3/24; Internet)
Configuration procedure
Make sure the host and the RADIUS server can reach each other.
Configure RADIUS authentication/accounting and ISP domain settings.
  NAS-ID profile        : Not configured
  Dot1x-failure trap    : Disabled
  Dot1x-logon trap      : Disabled
  Dot1x-logoff trap     : Disabled
  Intrusion trap        : Disabled
  Address-learned trap  : Disabled
  Mac-auth-failure trap : Disabled
  Mac-auth-logon trap   : Disabled
  Mac-auth-logoff trap  : Disabled
  Open authentication   : Disabled
  OUI value list
GigabitEthernet1/0/1 is link-up
  Port mode ...
  Periodic reauth            : Disabled
  Re-auth server-unreachable : Logoff
  Guest VLAN                 : Not configured
  Guest VLAN auth-period     : 30 s
  Critical VLAN              : Not configured
  Critical voice VLAN        : Disabled
  Host mode                  : Single VLAN
  Offline detection          : Enabled
  Authentication order       : Default
  Guest VSI                  : Not configured
...
Solution
To resolve the issue:
Set the port security mode to noRestrictions.
[Device-Ten-GigabitEthernet2/1/1] undo port-security port-mode
Set a new port security mode for the port, for example, autoLearn.
[Device-Ten-GigabitEthernet2/1/1] port-security port-mode autolearn
If the issue persists, contact Hewlett Packard Enterprise Support.
Cannot configure secure MAC addresses
Symptom
Cannot configure secure MAC addresses.
Configuring password control
Overview
Password control allows you to implement the following features:
• Manage login and super password setup, expirations, and updates for device management users.
• Control user login status based on predefined policies.
Local users are divided into two types: device management users and network access users. This feature applies only to device management users.
Character name / Symbol:
  Slash /
  Tilde ~
  Underscore _
  Vertical bar |
Depending on the system's security requirements, you can set the minimum number of character types a password must contain and the minimum number of characters for each type, as shown in Table 20.
Table 20 Password composition policy
Password combination ...
Telnet users, SSH users, and console users can change their own passwords. The administrator must change passwords for FTP users.
Early notice on pending password expiration
When a user logs in, the system checks whether the password will expire in a time equal to or less than the specified notification period.
• Disables the user account for a period of time. The user can use the account to log in when either of the following conditions exists: The locking timer expires. The account is manually removed from the password control blacklist before the locking ...
Tasks at a glance
(Optional.) Setting local user password control parameters
(Optional.) Setting super password control parameters
Enabling password control
To successfully enable the global password control feature and allow device management users to log in to the device, the device must have sufficient storage space. Enabling the global password control feature is the prerequisite for all password control configurations to take effect.
Step: Enter system view.
Command: system-view

Step: Set the password expiration time.
Command: password-control aging aging-time
Remarks: The default setting is 90 days.

Step: Set the minimum password update interval.
Command: password-control update interval interval
Remarks: The default setting is 24 hours.

Step: Set the minimum password ...
Remarks: • In non-FIPS mode, the default setting is 10 characters.
Step: Create a user group and enter its view.
Command: user-group group-name
Remarks: By default, no user groups exist. For information about how to configure a user group, see "Configuring AAA."

Step: Configure the password expiration time for the user group.
Command: password-control aging aging-time
Remarks: By default, the password expiration time of the user group ...
Step: Configure the password composition policy for the local user.
Command: password-control composition type-number type-number [ type-length type-length ]
Remarks: By default, the settings equal those for the user group to which the local user belongs. If no password composition policy is configured for the user group, the global settings apply to the local user.
Displaying and maintaining password control
Execute display commands in any view and reset commands in user view.
Task: Display password control configuration.
Command: display password-control [ super ]

Task: Display information about users in the password control blacklist.
Command: display password-control blacklist [ user-name user-name | ip ipv4-address | ipv6 ipv6-address ]

Task: Delete users from the password control blacklist.
Command: reset password-control blacklist [ user-name ...
Configuration procedure
# Enable the password control feature globally.
<Sysname> system-view
[Sysname] password-control enable
# Disable a user account permanently if a user fails two consecutive login attempts on the user account.
[Sysname] password-control login-attempt 2 exceed lock
# Set all passwords to expire after 30 days.
[Sysname] password-control aging 30
# Globally set the minimum password length to 16 characters.
Configuring keychains
Overview
A keychain, a sequence of keys, provides dynamic authentication to ensure secure communication by periodically changing the key and authentication algorithm without service interruption. Each key in a keychain has a key string, authentication algorithm, sending lifetime, and receiving lifetime.
Step: (Optional.) Set an algorithm ID for a TCP ...
Command: tcp-algorithm-id { hmac-md5 | md5 } algorithm-id
Remarks: By default, the algorithm ID is 3 for the MD5 authentication algorithm, and is 5 for the HMAC-MD5 authentication algorithm. When the local device uses TCP to communicate with a peer device from another vendor, ...
Figure 80 Network diagram (Switch A Vlan-int100 192.1.1.1/24; Switch B Vlan-int100 192.1.1.2/24)
Configuration procedure
Configuring Switch A
# Configure IP addresses for interfaces. (Details not shown.)
# Configure OSPF.
<SwitchA> system-view
[SwitchA] ospf 1 router-id 1.1.1.1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit
# Create a keychain named abc, and specify the absolute time mode for it.
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit
# Create a keychain named abc, and specify the absolute time mode for it.
[SwitchB] keychain abc mode absolute
# Create key 1 for keychain abc, specify an authentication algorithm, and configure a key string and the sending and receiving lifetimes for the key.
  Key ID
    Key string     : $c$3$dYTC8QeOKJkwFwP2k/rWL+1p6uMTw3MqNg==
    Algorithm      : md5
    Send lifetime  : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
    Send status    : Active
    Accept lifetime: 10:00:00 2015/02/06 to 11:00:00 2015/02/06
    Accept status  : Active
  Key ID
    Key string     : $c$3$7TSPbUxoP1ytOqkdcJ3K3x0BnXEWl4mOEw==
    Algorithm      : hmac-md5
    Send lifetime  : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
...
[SwitchA] display keychain
Keychain name          : abc
  Mode                 : absolute
  Accept tolerance     :
  TCP kind value       : 254
  TCP algorithm value
    HMAC-MD5           :
  Default send key ID  : None
  Active send key ID   :
  Active accept key IDs: 2
  Key ID
    Key string     : $c$3$dYTC8QeOKJkwFwP2k/rWL+1p6uMTw3MqNg==
    Algorithm      : md5
    Send lifetime ...
    Accept status  : Inactive
  Key ID
    Key string     : $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw==
    Algorithm      : hmac-md5
    Send lifetime  : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
    Send status    : Active
    Accept lifetime: 11:00:00 2015/02/06 to 12:00:00 2015/02/06
    Accept status  : Active
...
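To make the send and accept lifetimes in the keychain example concrete, the following added Python model (not the switch's own code) evaluates keychain abc as shown in the display output above and produces a keyed digest with whichever key is currently active. The key strings, the lowest-key-ID tie-break for overlapping send lifetimes, and the accept-tolerance semantics (widening the accept lifetime on both ends) are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Time format printed by "display keychain", e.g. "10:00:00 2015/02/06".
TIME_FMT = "%H:%M:%S %Y/%m/%d"


def at(text: str) -> datetime:
    """Parse one timestamp in the display format."""
    return datetime.strptime(text, TIME_FMT)


def parse_lifetime(text: str) -> Tuple[datetime, datetime]:
    """Parse 'start to end' as shown in the Send/Accept lifetime fields."""
    start, end = text.split(" to ")
    return at(start), at(end)


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: bytes
    algorithm: str                             # "md5" or "hmac-md5"
    send_lifetime: Tuple[datetime, datetime]
    accept_lifetime: Tuple[datetime, datetime]

    def send_active(self, now: datetime) -> bool:
        start, end = self.send_lifetime
        return start <= now < end

    def accept_active(self, now: datetime, tolerance: timedelta) -> bool:
        # Assumption: the accept tolerance widens the accept lifetime on both
        # ends so that peers with slightly skewed clocks still authenticate.
        start, end = self.accept_lifetime
        return start - tolerance <= now < end + tolerance


@dataclass
class Keychain:
    name: str
    keys: List[Key] = field(default_factory=list)
    accept_tolerance_minutes: int = 0
    default_send_key_id: Optional[int] = None

    def active_send_key(self, now: datetime) -> Optional[Key]:
        """Key that signs outgoing packets; falls back to the default send key.
        Assumption: if several send lifetimes overlap, the lowest key ID wins."""
        live = sorted((k for k in self.keys if k.send_active(now)), key=lambda k: k.key_id)
        if live:
            return live[0]
        return next((k for k in self.keys if k.key_id == self.default_send_key_id), None)

    def active_accept_key_ids(self, now: datetime) -> List[int]:
        """All keys a received packet may be authenticated with right now."""
        tol = timedelta(minutes=self.accept_tolerance_minutes)
        return sorted(k.key_id for k in self.keys if k.accept_active(now, tol))

    def sign(self, message: bytes, now: datetime) -> Optional[Tuple[int, str]]:
        key = self.active_send_key(now)
        return None if key is None else (key.key_id, keyed_digest(key, message))

    def verify(self, message: bytes, key_id: int, digest: str, now: datetime) -> bool:
        """Reject a key ID outright when it is outside its accept window."""
        if key_id not in self.active_accept_key_ids(now):
            return False
        key = next(k for k in self.keys if k.key_id == key_id)
        return hmac.compare_digest(keyed_digest(key, message), digest)


def keyed_digest(key: Key, message: bytes) -> str:
    # Simplified keyed digests for illustration only; the framing of a real
    # protocol (for example OSPF cryptographic authentication) is not reproduced.
    if key.algorithm == "md5":
        return hashlib.md5(message + key.key_string).hexdigest()
    if key.algorithm == "hmac-md5":
        return hmac.new(key.key_string, message, hashlib.md5).hexdigest()
    raise ValueError(f"unsupported algorithm {key.algorithm}")


def build_example_keychain(tolerance_minutes: int = 0) -> Keychain:
    """Keychain abc as shown above: key 1 (md5) 10:00-11:00 and key 2 (hmac-md5)
    11:00-12:00 on 2015/02/06. The key strings are constructed placeholders."""
    k1 = Key(1, b"key1-constructed", "md5",
             parse_lifetime("10:00:00 2015/02/06 to 11:00:00 2015/02/06"),
             parse_lifetime("10:00:00 2015/02/06 to 11:00:00 2015/02/06"))
    k2 = Key(2, b"key2-constructed", "hmac-md5",
             parse_lifetime("11:00:00 2015/02/06 to 12:00:00 2015/02/06"),
             parse_lifetime("11:00:00 2015/02/06 to 12:00:00 2015/02/06"))
    return Keychain("abc", [k1, k2], accept_tolerance_minutes=tolerance_minutes)
```

With a non-zero accept tolerance the old key 1 is still accepted for a while after 11:00 while key 2 is already the send key, which is the overlap that keeps the OSPF adjacency up across the rollover.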
Managing public keys
Overview
This chapter describes public key management for the following asymmetric key algorithms:
• Rivest-Shamir-Adleman Algorithm (RSA).
• Digital Signature Algorithm (DSA).
• Elliptic Curve Digital Signature Algorithm (ECDSA).
Many security applications, including SSH, SSL, and PKI, use asymmetric key algorithms to secure communications between two parties, as shown in Figure 81.
• When you create an RSA or DSA key pair, enter an appropriate key modulus length at the prompt. The longer the key modulus length, the higher the security but the longer the key generation time. When you create an ECDSA key pair, choose the appropriate elliptic curve. The elliptic curve determines the ECDSA key length.
Distributing a local host public key
You must distribute a local host public key to a peer device so the peer device can perform the following operations:
• Use the public key to encrypt information sent to the local device.
• ...
Task: Display local DSA public keys.
Command: display public-key local dsa public [ name key-name ]
NOTE: Do not distribute the RSA server public key serverkey (default) to a peer device.
Destroying a local key pair
To avoid key compromise, destroy the local key pair and generate a new pair after any of the following conditions occurs:
• ...
Entering a peer host public key Before you perform this task, make sure you have displayed the key on the peer device and recorded the key. For information about displaying a host public key, see "Displaying a host public key." Use the display public-key local public command to display the public key on the peer device.
Figure 82 Network diagram (Device A, Device B)
Configuration procedure
Configure Device A:
# Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits.
<DeviceA> system-view
[DeviceA] public-key local create rsa
The range of public key modulus is (512 ~ 2048).
# Save the public key and return to system view.
[DeviceB-pkey-public-key-devicea] peer-public-key end
Verifying the configuration
# Verify that the peer host public key configured on Device B is the same as the key displayed on Device A.
# Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits.
<DeviceA> system-view
[DeviceA] public-key local create rsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Connected to 10.1.1.1 (10.1.1.1).
220 FTP service ready.
User(10.1.1.1:(none)):ftp
331 Password required for ftp.
Password:
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> binary
200 TYPE is now 8-bit binary
ftp> get devicea.pub
227 Entering Passive Mode (10,1,1,1,118,252)
150 Accepted data connection
226 File successfully transferred
...
Configuring PKI
Overview
Public Key Infrastructure (PKI) is an asymmetric key infrastructure to encrypt and decrypt data for securing network services. Data encrypted with the public key can be decrypted only with the private key. Likewise, data encrypted with the private key can be decrypted only with the public key.
PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity.
• The private key is compromised.
• The association between the subject and CA is changed. For example, when an employee terminates employment with an organization.
CA policy
A CA policy is a set of criteria that a CA follows to process certificate requests, to issue and revoke certificates, and to publish CRLs.
The RA verifies the identity of the entity and sends a digital signature containing the identity information and the public key to the CA. The CA verifies the digital signature, approves the request, and issues a certificate. After receiving the certificate from the CA, the RA sends the certificate to the certificate repositories and notifies the PKI entity that the certificate has been issued.
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
PKI configuration task list
Tasks at a glance
(Required.) Configuring a PKI entity
(Required.) ...
Step: Create a PKI entity and enter its view.
Command: pki entity entity-name
Remarks: By default, no PKI entities exist. To create multiple PKI entities, repeat this step.

Step: Set a common name for the entity.
Command: common-name
Remarks: By default, the common name is not ...
Step: Specify the trusted CA.
Command: ca identifier name
Remarks: By default, no trusted CA is specified. To obtain a CA certificate, the trusted CA name must be provided. The trusted CA name uniquely identifies the CA to be used if multiple CAs exist on the same CA server.
Step 11: (Optional.) Specify the intended use for the certificate.
Command: usage { ike | ssl-client | ssl-server } *
Remarks: By default, the certificate can be used by all supported applications, including IKE, SSL client, and SSL server. The extension options contained ...
Do not use the public-key local destroy command to destroy the key pair contained in the certificate.
• A PKI domain can have local certificates using only one type of cryptographic algorithm (DSA, ECDSA, or RSA). If DSA or ECDSA is used, a PKI domain can have only one local certificate. If RSA is used, a PKI domain can have one local certificate for signature, and one local certificate for encryption.
Step: Return to system view.
Command: quit

Step: Obtain a CA certificate.
Remarks: See "Obtaining certificates."

Step: Submit a certificate request or generate a certificate request in ...
Command: pki request-certificate domain domain-name [ password password ]
Remarks: This command is not saved in the configuration file. This command triggers the PKI entity to automatically generate a key pair if the key pair ...
Configuration guidelines
• To import a local certificate containing an encrypted key pair, you must provide the challenge password. Contact the CA administrator to obtain the password.
• If a CA certificate already exists locally, you cannot obtain it again in online mode. If you want to obtain a new one, use the pki delete-certificate command to remove the existing CA certificate and local certificates first.
Repeats the previous steps for upper-level certificates in the CA certificate chain until the root CA certificate is reached.
Verifies that each CA certificate in the certificate chain is issued by the named parent CA, starting from the root CA.
Verifying certificates with CRL checking
CRL checking checks whether a certificate is in the CRL.
Step: Manually verify the validity of the certificates.
Command: pki validate-certificate domain domain-name { ca | local }
Remarks: This command is not saved in the configuration file.
Specifying the storage path for the certificates and CRLs
CAUTION: If you change the storage path, save the configuration before you reboot or shut down the device to avoid loss of the certificates or the CRLs.
Step: • Export certificates in DER format:
Command: pki export domain domain-name der { all | ca | local } filename filename
Remarks: If you do not specify a file name when you export a certificate in PEM format, this command displays the certificate content on the terminal.
attribute rules, each defining a matching criterion for an attribute in the certificate issuer name, subject name, or alternative subject name field. If a certificate matches all attribute rules in a certificate attribute group associated with an access control rule, the system determines that the certificate matches the access control rule. In this scenario, the match process stops, and the system performs the access control action defined in the access control rule.
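The matching logic just described, as an added Python example that is not the device's own implementation: attribute groups are lists of rules over the issuer name, subject name, or alternative subject name; an access control rule is hit when every rule in its group matches, and the first hit decides. The policy and group names, the rule operators (ctn/nctn/equ/nequ), the sample certificates, and the deny-by-default outcome when no rule matches are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Certificate name fields an attribute rule may inspect, as listed on the page.
FIELDS = ("issuer-name", "subject-name", "alt-subject-name")
# Rule operators (assumed): ctn/nctn = (does not) contain, equ/nequ = (not) equal.
OPERATORS = ("ctn", "nctn", "equ", "nequ")


@dataclass(frozen=True)
class AttributeRule:
    """One matching criterion for a single certificate name field."""
    field_name: str
    operator: str
    value: str

    def matches(self, cert: Dict[str, str]) -> bool:
        if self.field_name not in FIELDS or self.operator not in OPERATORS:
            raise ValueError(f"bad rule {self.field_name} {self.operator}")
        actual = cert.get(self.field_name, "")
        if self.operator == "ctn":
            return self.value in actual
        if self.operator == "nctn":
            return self.value not in actual
        if self.operator == "equ":
            return actual == self.value
        return actual != self.value


@dataclass(frozen=True)
class AccessControlRule:
    rule_id: int
    action: str   # "permit" or "deny"
    group: str    # name of the certificate attribute group it refers to


@dataclass
class AccessControlPolicy:
    name: str
    groups: Dict[str, List[AttributeRule]] = field(default_factory=dict)
    rules: List[AccessControlRule] = field(default_factory=list)

    def group_matches(self, group: str, cert: Dict[str, str]) -> bool:
        """A group matches only if the certificate satisfies all of its rules."""
        rules = self.groups.get(group, [])
        return bool(rules) and all(r.matches(cert) for r in rules)

    def evaluate(self, cert: Dict[str, str]) -> str:
        """Walk rules in ID order; the first rule whose group matches decides
        and the search stops there."""
        for rule in sorted(self.rules, key=lambda r: r.rule_id):
            if self.group_matches(rule.group, cert):
                return rule.action
        return "deny"  # assumption: a certificate matching no rule is rejected


def build_example_policy() -> AccessControlPolicy:
    """Constructed policy: mygroup1 mirrors the page's example (subject DN
    contains aabbcc); its second rule, mygroup2 and the policy name are assumed."""
    policy = AccessControlPolicy("myacp")
    policy.groups["mygroup1"] = [
        AttributeRule("subject-name", "ctn", "aabbcc"),
        AttributeRule("issuer-name", "ctn", "myca"),
    ]
    policy.groups["mygroup2"] = [
        AttributeRule("subject-name", "ctn", "lab-revoked"),
    ]
    policy.rules = [
        AccessControlRule(1, "deny", "mygroup2"),
        AccessControlRule(2, "permit", "mygroup1"),
    ]
    return policy


# Constructed name fields, shaped like the page's "display pki certificate" output.
CERT_OK = {"issuer-name": "CN=myca", "subject-name": "CN=Device,O=aabbcc"}
CERT_OTHER_CA = {"issuer-name": "CN=sec", "subject-name": "CN=Device,O=aabbcc"}
CERT_DENIED = {"issuer-name": "CN=myca", "subject-name": "CN=lab-revoked,O=aabbcc"}
```

CERT_DENIED satisfies mygroup1 too, but rule 1 is evaluated first and its deny action ends the match process, which is why rule ordering matters as much as group contents.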
Task: Display certificate attribute group information.
Command: display pki certificate attribute-group [ group-name ]

Task: Display certificate-based access control policy information.
Command: display pki certificate access-control-policy [ policy-name ]
PKI configuration examples
You can use different software applications, such as Windows server, RSA Keon, and OpenCA, to act as the CA server.
<Device> system-view
[Device] pki entity aaa
[Device-pki-entity-aaa] common-name Device
[Device-pki-entity-aaa] quit
Configure a PKI domain:
# Create a PKI domain named torsa and enter its view.
[Device] pki domain torsa
# Specify the name of the trusted CA. The setting must be the same as CA name configured on the CA server.
Verifying the configuration
# Display information about the local certificate in PKI domain torsa.
[Device] display pki certificate domain torsa local
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number: 15:79:75:ec:d2:33:af:5e:46:35:83:bc:bd:6e:e3:b8
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: CN=myca
    Validity
      Not Before: Jan 6 03:10:58 2013 GMT
      Not After : Jan 6 03:10:58 2014 GMT
    Subject: CN=Device
...
Requesting a certificate from a Windows Server 2003 CA server
Network requirements
Configure the PKI entity (the device) to request a local certificate from a Windows Server 2003 CA server.
Figure 87 Network diagram (Device as the PKI entity, Host, and CA server, connected across the Internet)
Configuring the Windows Server 2003 CA server
Install the certificate service component:
a. ...
[Device-pki-entity-aaa] quit
Configure a PKI domain:
# Create a PKI domain named winserver and enter its view.
[Device] pki domain winserver
# Set the name of the trusted CA to myca.
[Device-pki-domain-winserver] ca identifier myca
# Configure the certificate request URL. The URL format is http://host:port/certsrv/mscep/mscep.dll, where host:port is the host IP address and port number of the CA server.
    Serial Number: (Negative)01:03:99:ff:ff:ff:ff:fd:11
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: CN=sec
    Validity
      Not Before: Dec 24 07:09:42 2012 GMT
      Not After : Dec 24 07:19:42 2013 GMT
    Subject: CN=test
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
      Public-Key: (2048 bit)
      Modulus:
        00:c3:b5:23:a0:2d:46:0b:68:2f:71:d2:14:e1:5a:
        55:6e:c5:5e:26:86:c1:5a:d6:24:68:02:bf:29:ac:
        dc:31:41:3f:5d:5b:36:9e:53:dc:3a:bc:0d:11:fb:
        d6:7d:4f:94:3c:c1:90:4a:50:ce:db:54:e0:b3:27:
        a9:6a:8e:97:fb:20:c7:44:70:8f:f0:b9:ca:5b:94:
...
      CA Issuers - URI:file://\\gc\CertEnroll\gc_sec.crt
      1.3.6.1.4.1.311.20.2: .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e
    Signature Algorithm: sha1WithRSAEncryption
To display detailed information about the CA certificate, use the display pki certificate domain command.
Requesting a certificate from an OpenCA server
Network requirements
Configure the PKI entity (the device) to request a local certificate from the CA server.
[Device-pki-entity-aaa] organization test
[Device-pki-entity-aaa] organization-unit software
[Device-pki-entity-aaa] quit
Configure a PKI domain:
# Create a PKI domain named openca and enter its view.
[Device] pki domain openca
# Set the name of the trusted CA to myca.
[Device-pki-domain-openca] ca identifier myca
# Configure the certificate request URL.
    Version: 3 (0x2)
    Serial Number: 21:1d:b8:d2:e4:a9:21:28:e4:de
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=mysubUnit, CN=sub-ca, DC=pki-subdomain, DC=mydomain-sub, DC=com
    Validity
      Not Before: Jun 30 09:09:09 2011 GMT
      Not After : May 1 09:09:09 2012 GMT
    Subject: CN=rnd, O=test, OU=software, C=CN
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
      Public-Key: (1024 bit)
      X509v3 CRL Distribution Points:
        Full Name:
          URI:http://192.168.222.218/pki/pub/crl/cacrl.crl
    Signature Algorithm: sha256WithRSAEncryption
To display detailed information about the CA certificate, use the display pki certificate domain command.
IKE negotiation with RSA digital signature from a Windows Server 2003 CA server
Network requirements
...
Figure 89 Network diagram (PKI certificate system: CA 1, LDAP 1, and RA 1 at 1.1.1.101/32, 1.1.1.102/32, and 1.1.1.100/32; Device A GE1/0/1 3.3.3.1/24 with Host A 10.1.1.2/24; Device B GE1/0/1 2.2.2.1/24 with Host B 11.1.1.2/24; Internet between the devices)
Configuring the Windows Server 2003 CA server
"Requesting a certificate from a Windows Server 2003 CA server." ...
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys......++++++ ........++++++
Create the key pair successfully.
# Obtain the CA certificate and save it locally.
[DeviceA] pki retrieve-certificate domain 1 ca
The trusted CA's finger print is:
    fingerprint:5C41 E657 A0D6 ECB4 6BD6 1823 7473 AABC
    SHA1 fingerprint:1616 E7A5 D89A 2A99 9419 1C12 D696 8228 87BC C266
Is the finger print correct?(Y/N):y...
Generating Keys......++++++ ........++++++
Create the key pair successfully.
# Obtain the CA certificate and save it locally.
[DeviceB] pki retrieve-certificate ca domain 1
# Submit a certificate request manually.
[DeviceB] pki request-certificate domain 1
# Create IKE proposal 1, and configure the authentication method as RSA digital signature.
[DeviceB] ike proposal 1
[DeviceB-ike-proposal-1] authentication-method rsa-signature
[DeviceB-ike-proposal-1] quit...
# Apply SSL server policy abc to the HTTPS server.
[Device] ip https ssl-server-policy abc
# Enable the HTTPS server.
<Device> system-view
[Device] ip https enable
Configure certificate attribute groups:
# Create a certificate attribute group named mygroup1 and add two attribute rules. The first rule defines that the subject DN contains the string aabbcc.
the certificates are still valid after Device B replaces Device A, copy the certificates on Device A to Device B as follows: Export the certificates in PKI domain exportdomain on Device A to .pem certificate files. During the export, encrypt the private key in the local certificates using 3DES_CBC with the password 11111.
localKeyID: 90 C6 DC 1D 20 49 4F 24 70 F5 17 17 20 2B 9E AC 20 F3 99 89
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIZtjSjfslJCoCAggA
…
-----END ENCRYPTED PRIVATE KEY-----
# Display the local certificate file pkilocal.pem-encryption.
<DeviceA>...
Please input the password:******
# Display the imported local certificate information on Device B.
[DeviceB] display pki certificate domain importdomain local
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number: 98:2c:79:ba:5e:8d:97:39:53:00
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=docm, CN=subca1
    Validity
      Not Before: May 26 05:56:49 2011 GMT
      Not After : Nov 22 05:56:49 2012 GMT...
        DNS:subca1@docm.com, DNS:, IP Address:1.1.2.2, IP Address:2.2.1.1
      Authority Information Access:
        CA Issuers - URI:http://titan/pki/pub/cacert/cacert.crt
        OCSP - URI:http://titan:2560/
        1.3.6.1.5.5.7.48.12 - URI:http://titan:830/
      X509v3 CRL Distribution Points:
        Full Name:
          URI:http://192.168.40.130/pki/pub/crl/cacrl.crl
  Signature Algorithm: sha256WithRSAEncryption
    18:e7:39:9a:ad:84:64:7b:a3:85:62:49:e5:c9:12:56:a6:d2:
    46:91:53:8e:84:ba:4a:0a:6f:28:b9:43:bc:e7:b0:ca:9e:d4:
    1f:d2:6f:48:c4:b9:ba:c5:69:4d:90:f3:15:c4:4e:4b:1e:ef:
    2b:1b:2d:cb:47:1e:60:a9:0f:81:dc:f2:65:6b:5f:7a:e2:36:
    29:5d:d4:52:32:ef:87:50:7c:9f:30:4a:83:de:98:8b:6a:c9:
    3e:9d:54:ee:61:a4:26:f3:9a:40:8f:a6:6b:2b:06:53:df:b6:
    5f:67:5e:34:c8:c3:b5:9b:30:ee:01:b5:a9:51:f9:b1:29:37:
    02:1a:05:02:e7:cc:1c:fe:73:d3:3e:fa:7e:91:63:da:1d:f1:
    db:28:6b:6c:94:84:ad:fc:63:1b:ba:53:af:b3:5d:eb:08:b3:
    5b:d7:22:3a:86:c3:97:ef:ac:25:eb:4a:60:f8:2b:a3:3b:da:
    5d:6f:a5:cf:cb:5a:0b:c5:2b:45:b7:3e:6e:39:e9:d9:66:6d:
    ef:d3:a0:f6:2a:2d:86:a3:01:c4:94:09:c0:99:ce:22:19:84:
    2b:f0:db:3e:1e:18:fb:df:56:cb:6f:a2:56:35:0d:39:94:34:
    6d:19:1d:46:d7:bf:1a:86:22:78:87:3e:67:fe:4b:ed:37:3d:...
          94:71:f3:10:e9:ec:81:00:28:60:a9:02:bb:35:8b:
          bf:85:75:6f:24:ab:26:de:47:6c:ba:1d:ee:0d:35:
          75:58:10:e5:e8:55:d1:43:ae:85:f8:ff:75:81:03:
          8c:2e:00:d1:e9:a4:5b:18:39
        Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Basic Constraints:
        CA:FALSE
      Netscape Cert Type:
        SSL Server
      X509v3 Key Usage:
        Key Encipherment, Data Encipherment
      Netscape Comment:
        VPN Server of OpenCA Labs
      X509v3 Subject Key Identifier:
        CC:96:03:2F:FC:74:74:45:61:38:1F:48:C0:E8:AA:18:24:F0:2B:AB
      X509v3 Authority Key Identifier:
        keyid:70:54:40:61:71:31:02:06:8C:62:11:0A:CC:A5:DB:0E:7E:74:DE:DD
      X509v3 Subject Alternative Name:
        email:subencr@docm.com...
    79:05:cd:c3
To display detailed information about the CA certificate, use the display pki certificate domain command.
Troubleshooting PKI configuration
This section provides troubleshooting information for common problems with PKI.
Failed to obtain the CA certificate
Symptom
The CA certificate cannot be obtained.
Analysis
•...
• The system time of the device is not synchronized with the CA server.
Solution
• Check for and fix any network connection problems.
• Obtain or import the CA certificate.
• Configure the correct LDAP server.
• Specify the key pair used for certificate request in the PKI domain, or remove the existing key pair and submit a certificate request again.
• If the problem persists, contact Hewlett Packard Enterprise Support.
Failed to obtain CRLs
Symptom
CRLs cannot be obtained.
Analysis
• The network connection is down, for example, because the network cable is damaged or the connectors have bad contact.
•...
Solution
• Use undo crl check enable to disable CRL checking. With CRL checking disabled, the device accepts certificates that the CA has already revoked, so treat this as a temporary workaround: fix CRL retrieval (or switch to an OCSP-backed check) and re-enable CRL checking before relying on the domain for IKE or SSL authentication.
• Make sure the format of the imported file is correct.
• If the problem persists, contact Hewlett Packard Enterprise Support.
Failed to import a local certificate
Symptom
A local certificate cannot be imported.
Analysis
•...
Solution
• If the PKI domain does not have local certificates, obtain or request local certificates first.
• Use mkdir to create the required path.
• Specify a correct export path.
• Configure the correct key pair in the PKI domain.
• Clear up the storage space of the device.
• If the problem persists, contact Hewlett Packard Enterprise Support.
Configuring IPsec Overview IP Security (IPsec) is defined by the IETF to provide interoperable, high-quality, cryptography-based security for IP communications. It is a Layer 3 VPN technology that transmits data in a secure channel established between two endpoints (such as two security gateways). Such a secure channel is usually called an IPsec tunnel.
algorithms such as DES, 3DES, and AES, and authentication algorithms HMAC-MD5 and HMAC-SHA1. DES and HMAC-MD5 are retained for interoperability with old peers only; do not select them for new deployments. Both AH and ESP provide authentication services. AH's integrity check covers the entire IP packet, including the immutable fields of the outer IP header, whereas ESP's covers only the ESP header and payload; this is why the authentication service provided by AH is described as stronger. The same property means AH cannot pass through a NAT device, because address translation invalidates its ICV. In practice, you can choose either or both security protocols. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH.
Security association
A security association (SA) is an agreement negotiated between two communicating parties called IPsec peers. An SA includes the following parameters for data protection:
• Security protocols (AH, ESP, or both).
• Encapsulation mode (transport mode or tunnel mode).
•...
• AES—Encrypts plaintext data with a 128-bit, 192-bit, or 256-bit key. AES provides the highest security strength of the three and is also faster than 3DES, which runs the DES transform three times over every 8-byte block. Prefer AES for new configurations: 56-bit DES offers no meaningful protection against brute force, and 3DES is deprecated because of its small block size.
Crypto engine
The IPsec feature is resource intensive for its complex encryption/decryption and authentication algorithms. To improve processing performance, you can use crypto engine to offload IPsec tasks. The crypto engine processes all IPsec protected packets and hands the processed packets back to the device for forwarding.
Application-based IPsec Application-based IPsec does not require an ACL. You can implement application-based IPsec by binding an IPsec profile to an application protocol. All packets of the application protocol are encapsulated with IPsec. This method can be used to protect IPv6 routing protocols. The supported IPv6 routing protocols include OSPFv3, IPv6 BGP, and RIPng.
IPsec RRI is applicable to gateways that must provide many IPsec tunnels (for example, a headquarters gateway).
Protocols and standards
• RFC 2401, Security Architecture for the Internet Protocol (obsoleted by RFC 4301)
• RFC 2402, IP Authentication Header (obsoleted by RFC 4302)
• RFC 2406, IP Encapsulating Security Payload (obsoleted by RFC 4303)
•...
Configure IPsec transform sets to specify the security protocols, authentication and encryption algorithms, and the encapsulation mode. Configure an IPsec policy to associate data flows with the IPsec transform sets, specify the SA negotiation mode, the peer IP addresses (the start and end points of the IPsec tunnel), the required keys, and the SA lifetime.
Non-IPsec packets that match a permit statement are dropped. IPsec packets destined for the device itself are de-encapsulated. By default, the de-encapsulated packets are compared against the ACL rules. Only those that match a permit statement are processed. Other packets are dropped. If ACL checking for de-encapsulated IPsec packets is disabled, the de-encapsulated packets are not compared against the ACL rules and are directly processed by other modules.
Step: (In non-FIPS mode.) Specify the encryption algorithm for ESP.
Command: esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 |
Remarks: Configure at least one command. By default, no security algorithm is specified.
Step: (Optional.) Enable the PFS feature for the IPsec transform set.
Command: In non-FIPS mode: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 | dh-group19 |
Remarks: By default, the PFS feature is not used for SA negotiation. For more information about PFS, see "Configuring IKE." The security level of the Diffie-Hellman (DH) group of the...
Step: (Optional.) Configure a description for the IPsec policy.
Command: description text
Remarks: By default, no description is configured.
Step: Specify an ACL for the IPsec policy.
Command: security acl { acl-number | name
Remarks: By default, no ACL is specified for an IPsec policy.
Configuring an IKE-based IPsec policy In an IKE-based IPsec policy, the parameters are automatically negotiated through IKE. To configure an IKE-based IPsec policy, use one of the following methods: • Directly configure it by configuring the parameters in IPsec policy view. •...
Step: Specify an IKE profile for the IPsec policy.
Command: ike-profile profile-name
Remarks: By default, no IKE profile is specified for an IPsec policy. You can specify only one IKE profile for an IPsec policy. For more information about IKE profiles, see "Configuring IKE."...
IPsec policy template. Except the IPsec transform sets and the IKE profile, all other parameters are optional. A device using an IPsec policy that is configured by using an IPsec policy template cannot initiate an SA negotiation, but it can respond to a negotiation request. The parameters not defined in the template are determined by the initiator.
Step / Command / Remarks
Remarks: By default, the local IPv4 address of the IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied, and the local IPv6 address of the IPsec tunnel is the first IPv6 address of the interface to which the IPsec policy is applied.
de-encapsulated packet matches a permit rule of the ACL, the device processes the packet. If the de-encapsulated packet does not match any permit rule of the ACL, the device drops the packet.
To apply an IPsec policy to an interface:
Step / Command / Remarks...
IMPORTANT: • Failure to detect anti-replay attacks might result in denial of services. If you want to disable IPsec anti-replay, make sure you understand the impact of the operation on network security. • Set the anti-replay window size as small as possible to reduce the impact on system performance.
respectively. When one interface fails and a link failover occurs, the other interface needs to take some time to renegotiate SAs, resulting in service interruption. To solve these problems, bind a source interface to an IPsec policy and apply the policy to both interfaces.
Step: Enable QoS pre-classify.
Command: qos pre-classify
Remarks: By default, QoS pre-classify is disabled.
Enabling logging of IPsec packets
Perform this task to enable the logging of IPsec packets that are discarded because of reasons such as IPsec SA lookup failure, AH-ESP authentication failure, and ESP encryption failure. The log information includes the source and destination IP addresses, SPI value, and sequence number of a discarded IPsec packet, and the reason for the discard.
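The discard reasons listed above correspond to a fixed sequence of inbound checks. The following Python is an added illustration, not code from this guide or the device: it implements an inbound ESP receiver with the SA lookup, the RFC 4303 sliding anti-replay window (the window whose size the IMPORTANT note earlier in this chapter discusses), and HMAC-SHA1-96 ICV verification, and records a discard log carrying the same fields the device logs (addresses, SPI, sequence number, reason). Encryption is omitted so the integrity path stays readable; the key, SPI, addresses and packets are constructed for the example, and the reason strings are this example's wording, not the device's exact log text.

```python
import hashlib
import hmac
import struct

# Added example (not device code): inbound ESP processing with the checks whose
# failures the device logs. Keys, SPIs and addresses below are constructed.

ICV_LEN = 12        # HMAC-SHA1-96 (RFC 2404): first 96 bits of the HMAC-SHA1 tag
WINDOW_SIZE = 64    # RFC 4303 requires a window of at least 32 and recommends 64


class ReplayWindow:
    """Sliding anti-replay window (RFC 4303 Appendix A). Bit i of `bitmap`
    records whether sequence number `last_seq - i` has already been accepted."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.last_seq = 0
        self.bitmap = 0

    def check(self, seq):
        """Preliminary check only; the window moves after the ICV verifies."""
        if seq == 0:
            return False                              # first valid ESP sequence number is 1
        if seq > self.last_seq:
            return True                               # newer than anything accepted so far
        if seq <= self.last_seq - self.size:
            return False                              # older than the window: replayed or stale
        return not (self.bitmap >> (self.last_seq - seq)) & 1

    def update(self, seq):
        if seq > self.last_seq:
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)


def build_esp(spi, seq, payload, auth_key):
    """Sender side: ESP header (SPI, sequence number), payload, HMAC-SHA1-96 ICV."""
    body = struct.pack("!II", spi, seq) + payload
    return body + hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]


class EspReceiver:
    """Inbound SA table plus the per-packet checks, in the order RFC 4303 specifies."""

    def __init__(self):
        self.sa_table = {}      # spi -> (auth_key, ReplayWindow)
        self.log = []           # discard log with the same fields as the device's IPsec log

    def add_sa(self, spi, auth_key):
        self.sa_table[spi] = (auth_key, ReplayWindow())

    def receive(self, src, dst, packet):
        spi, seq = struct.unpack("!II", packet[:8])
        reason = self._check(spi, seq, packet)
        if reason != "ok":
            self.log.append(f"src={src} dst={dst} spi=0x{spi:08x} seq={seq} reason={reason}")
        return reason

    def _check(self, spi, seq, packet):
        sa = self.sa_table.get(spi)
        if sa is None:
            return "IPsec SA lookup failure"
        auth_key, window = sa
        if not window.check(seq):
            return "anti-replay check failure"
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return "AH-ESP authentication failure"
        window.update(seq)                            # only authenticated packets move the window
        return "ok"


def demo():
    """Constructed traffic: three good packets, a replay, a tampered packet, an unknown SPI."""
    key = b"constructed-key-for-example!"
    spi = 123456                                      # the SPI value used in the RIPng example
    rx = EspReceiver()
    rx.add_sa(spi, key)
    good = [build_esp(spi, s, b"payload-%d" % s, key) for s in (1, 2, 3)]
    tampered = bytearray(build_esp(spi, 4, b"payload-4", key))
    tampered[8] ^= 0x01                               # flip one payload bit: ICV no longer matches
    unknown = build_esp(spi + 1, 1, b"payload", key)  # no SA for this SPI
    results = [rx.receive("1.1.1.1", "2.2.2.2", p) for p in good]
    results += [rx.receive("1.1.1.1", "2.2.2.2", p) for p in (good[1], bytes(tampered), unknown)]
    return results, rx.log


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The order matters: the replay check runs before the ICV is computed so that a flood of replayed packets costs no HMAC work, but the window is only advanced once the ICV has verified, otherwise an attacker could inject a forged packet with a high sequence number and push legitimate in-flight packets out of the window, which is the denial of service the IMPORTANT note warns about.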
Step: Enter system view.
Command: system-view
Step: Configure the DF bit of IPsec packets globally.
Command: ipsec global-df-bit { clear | copy | set }
Remarks: By default, IPsec copies the DF bit in the original IP header to the new IP header.
Configuring IPsec RRI
Configuration guidelines
When you enable or disable IPsec RRI for an IPsec policy, the device deletes all IPsec SAs created...
Configuring IPsec for IPv6 routing protocols
Configuration task list
Complete the following tasks to configure IPsec for IPv6 routing protocols:
Tasks at a glance
• (Required.) Configuring an IPsec transform set
• (Required.) Configuring a manual IPsec profile
• (Required.) Applying the IPsec profile to an IPv6 routing protocol (see Layer 3—IP Routing Configuration Guide)
• (Optional.) Enabling logging of IPsec packets
Step: Specify an IPsec transform set.
Command: transform-set transform-set-name
Remarks: By default, no IPsec transform set is specified in an IPsec profile. The specified IPsec transform set must use the transport mode.
Step: Configure an SPI for an SA.
Command: sa spi { inbound | outbound } { ah | esp } spi-number
Remarks: By default, no SPI is configured for an SA.
Apply the IPsec profile to a RIPng process or to an interface.
Configuration procedure
Configure Switch A:
# Configure IPv6 addresses for interfaces. (Details not shown.)
# Configure basic RIPng.
<SwitchA> system-view
[SwitchA] ripng 1
[SwitchA-ripng-1] quit
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ripng 1 enable
[SwitchA-Vlan-interface100] quit
# Create and configure the IPsec transform set named tran1.
[SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchB-ipsec-transform-set-tran1] quit
# Create and configure the IPsec profile named profile001.
[SwitchB] ipsec profile profile001 manual
[SwitchB-ipsec-profile-profile001] transform-set tran1
[SwitchB-ipsec-profile-profile001] sa spi outbound esp 123456
[SwitchB-ipsec-profile-profile001] sa spi inbound esp 123456
[SwitchB-ipsec-profile-profile001] sa string-key outbound esp simple abcdefg
[SwitchB-ipsec-profile-profile001] sa string-key inbound esp simple abcdefg
[SwitchB-ipsec-profile-profile001] quit
# Apply the IPsec profile to RIPng process 1.
# Use the display ripng command to display the RIPng configuration. The output shows that IPsec profile profile001 has been applied to RIPng process 1.
[SwitchA] display ripng 1
   RIPng process : 1
   Preference : 100
   Checkzero : Enabled
   Default Cost : 0
   Maximum number of balanced paths : 8
   Update time 30 sec(s)
Configuring IKE Unless otherwise specified, the term "IKE" in this chapter refers to IKEv1. Overview Built on a framework defined by ISAKMP, Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec. IKE provides the following benefits for IPsec: •...
Figure 98 IKE exchange process in main mode (figure text only): Peer 1 and Peer 2. Algorithm negotiation: the initiator sends its local IKE policy; the receiver searches for a matched policy and returns the confirmed policy in the SA exchange. Key generation: the initiator's and receiver's keying data are exchanged and each side generates the key. Identity...
DH algorithm
The DH algorithm is a public key algorithm. With this algorithm, two peers can exchange keying material and then use the material to calculate the shared keys. Each peer sends only its public value (g^x mod p); recovering the shared secret from the intercepted public values requires solving the discrete logarithm problem in the chosen group, so a third party that captures all of the exchanged keying material still cannot derive the keys. That guarantee is only as strong as the group: the 768-bit (group 1) and 1024-bit (group 2) MODP groups are considered too weak today, so prefer group 14 (2048-bit) or larger, or an elliptic-curve group. The Perfect Forward Secrecy (PFS) feature is a security feature based on the DH algorithm: with PFS, each IPsec SA negotiation runs a fresh DH exchange, so a later compromise of the IKE SA keys does not expose the IPsec SA keys.
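As an added example (not part of this guide and not device code), the following Python carries the exchange through end to end: each peer keeps its exponent, publishes only g^x mod p, and both arrive at the same g^xy; that secret then feeds the IKEv1 SKEYID derivation for pre-shared key authentication from RFC 2409 section 5 (prf = HMAC-SHA1), and the phase-2 KEYMAT with and without PFS. It uses Oakley group 2 (the 1024-bit MODP group from RFC 2409) only because the configuration examples later on this page negotiate dh-group1; the pre-shared key, nonces, cookies and SPI are constructed.

```python
import hashlib
import hmac
import secrets

# Added example (not device code): DH key agreement feeding the IKEv1 key derivation.
# Group 2 is shown for continuity with the page's dh-group1/2 examples; it is below
# today's minimum. Use group 14 or larger in practice.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
P_LEN = (GROUP2_P.bit_length() + 7) // 8     # 128 bytes; g^xy is always encoded at this width
PROTO_IPSEC_ESP = 3                          # protocol identifier mixed into KEYMAT


def dh_keypair():
    """Private exponent x and public value g^x mod p. Only g^x leaves the host."""
    x = secrets.randbelow(GROUP2_P - 3) + 2
    return x, pow(GROUP2_G, x, GROUP2_P)


def dh_shared(x, peer_pub):
    """g^xy from our x and the peer's g^y. Values 0, 1 and p-1 would force a
    predictable secret whatever x is, so they are rejected."""
    if not 2 <= peer_pub <= GROUP2_P - 2:
        raise ValueError("invalid DH public value from peer")
    return pow(peer_pub, x, GROUP2_P).to_bytes(P_LEN, "big")


def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def ikev1_skeyid_psk(psk, ni, nr, gxy, cky_i, cky_r):
    """SKEYID and its three derivatives for pre-shared key authentication (RFC 2409 s5)."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")                # seeds phase-2 keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")     # authenticates IKE messages
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")     # encrypts IKE messages
    return skeyid_d, skeyid_a, skeyid_e


def quick_mode_keymat(skeyid_d, spi, ni_qm, nr_qm, gxy_qm=None):
    """Phase-2 KEYMAT (RFC 2409 s5.5). With PFS a fresh DH secret gxy_qm is mixed in,
    so a later compromise of SKEYID_d does not reveal this IPsec SA's keys."""
    prefix = gxy_qm if gxy_qm is not None else b""
    return prf(skeyid_d, prefix + bytes([PROTO_IPSEC_ESP]) + spi + ni_qm + nr_qm)


def demo():
    """Both peers run the exchange; only public values, nonces and cookies cross the wire."""
    psk = b"123456TESTplat&!"                         # the pre-shared key from the page's example
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    xi, gi = dh_keypair()                             # initiator
    xr, gr = dh_keypair()                             # responder
    gxy_i = dh_shared(xi, gr)                         # initiator: from the responder's public value
    gxy_r = dh_shared(xr, gi)                         # responder: from the initiator's public value
    keys_i = ikev1_skeyid_psk(psk, ni, nr, gxy_i, cky_i, cky_r)
    keys_r = ikev1_skeyid_psk(psk, ni, nr, gxy_r, cky_i, cky_r)
    # Phase 2: same SKEYID_d, fresh nonces, and (with PFS) a fresh DH exchange.
    spi = (123456).to_bytes(4, "big")
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    qx, qg = dh_keypair()
    qy, qh = dh_keypair()
    keymat_no_pfs = quick_mode_keymat(keys_i[0], spi, ni2, nr2)
    keymat_pfs = quick_mode_keymat(keys_i[0], spi, ni2, nr2, dh_shared(qx, qh))
    return {"shared_secret_matches": gxy_i == gxy_r,
            "phase1_keys_match": keys_i == keys_r,
            "keymat_no_pfs": keymat_no_pfs,
            "keymat_pfs": keymat_pfs}


if __name__ == "__main__":
    print(demo())
```

Two points the code makes concrete: the DH secret alone is never used as a key, every derived key is also bound to both nonces and both cookies, and with PFS the IPsec SA keys depend on a DH secret that phase 1 never saw. Note also why main mode is preferred with pre-shared keys: the identity payloads are sent under SKEYID_e, whereas in aggressive mode the responder's authentication hash travels in the clear and can be attacked offline with a dictionary of candidate pre-shared keys.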
Tasks at a glance
• (Optional.) Configuring the global identity information
• (Optional.) Configuring the IKE keepalive feature
• (Optional.) Configuring the IKE NAT keepalive feature
• (Optional.) Configuring IKE DPD
• (Optional.) Enabling invalid SPI recovery
• (Optional.) Setting the maximum number of IKE SAs
• (Optional.) Configuring an IKE IPv4 address pool
• (Optional.)
b. If a tie exists, the device compares the priority numbers. An IKE profile with a smaller priority number has a higher priority.
c. If a tie still exists, the device prefers an IKE profile configured earlier.
10. Enable client authentication. Client authentication enables an IPsec gateway to perform extended (XAUTH) authentication on remote users through AAA after IKE phase-1 negotiation.
Step: Configure the local ID.
Command: local-identity { address { ipv4-address | ipv6 ipv6-address } |
Remarks: By default, no local ID is configured for an IKE profile, and an IKE profile uses the local ID configured in system view. If the local ID is not
• The peer searches its own IKE proposals for a match. The search starts from the IKE proposal with the highest priority and proceeds in descending order of priority until a match is found. The matching IKE proposals are used to establish the IKE SA. If all user-defined IKE proposals are found mismatching, the two peers use their default IKE proposals to establish the IKE SA.
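To make the search order concrete, the following Python is an added model of the responder-side selection (an illustration, not device code). Each peer offers its user-defined proposals in priority order followed by its default proposal; the responder walks its own list in priority order and takes the first entry whose parameters the initiator also offered, and otherwise returns NO_PROPOSAL_CHOSEN (None here), the notification the troubleshooting section later on this page describes. The default proposal values used below are a placeholder assumption, not this device's documented defaults, and the weak-algorithm audit is an added practitioner check rather than anything the device performs.

```python
from dataclasses import dataclass

# Added example (not device code): IKEv1 proposal matching as performed by the responder.


@dataclass(frozen=True)
class IkeProposal:
    priority: int                   # lower number = higher priority
    encryption: str                 # e.g. "3des-cbc", "aes-cbc-128"
    authentication_algorithm: str   # "md5" or "sha" as on the page's authentication-algorithm command
    authentication_method: str      # "pre-share" or "rsa-signature"
    dh: str                         # e.g. "group1", "group14"

    def same_parameters(self, other):
        """Priority is local policy and never compared; only the four parameters must agree."""
        return (self.encryption, self.authentication_algorithm,
                self.authentication_method, self.dh) == (
                other.encryption, other.authentication_algorithm,
                other.authentication_method, other.dh)


# Placeholder assumption for the built-in default proposal; check your platform's real defaults.
DEFAULT_PROPOSAL = IkeProposal(65535, "des-cbc", "sha", "pre-share", "group1")

# Components a practitioner should not accept in a new deployment.
WEAK_COMPONENTS = {"des-cbc", "3des-cbc", "md5", "group1", "group2"}


def offered_list(user_proposals, default):
    """What a peer puts on the wire: user-defined proposals by priority, then its default."""
    return sorted(user_proposals, key=lambda p: p.priority) + [default]


def select_proposal(responder_user, initiator_user,
                    responder_default=DEFAULT_PROPOSAL, initiator_default=DEFAULT_PROPOSAL):
    """Responder search: highest-priority local proposal first, descending, until one
    matches something the initiator offered. None means NO_PROPOSAL_CHOSEN."""
    offered = offered_list(initiator_user, initiator_default)
    for mine in offered_list(responder_user, responder_default):
        for theirs in offered:
            if mine.same_parameters(theirs):
                return mine
    return None


def weak_components(proposal):
    """Audit helper: which parts of a negotiated proposal are on the weak list."""
    return sorted({proposal.encryption, proposal.authentication_algorithm, proposal.dh}
                  & WEAK_COMPONENTS)


def demo():
    """Constructed scenarios mirroring the page's examples (3DES, MD5, RSA signature, group 1)."""
    switch_a = [IkeProposal(10, "3des-cbc", "md5", "rsa-signature", "group1")]
    switch_b = [IkeProposal(10, "3des-cbc", "md5", "rsa-signature", "group1")]
    hardened_b = [IkeProposal(10, "aes-cbc-256", "sha", "rsa-signature", "group14")]
    fips_default = IkeProposal(65535, "aes-cbc-128", "sha", "pre-share", "group14")
    return {
        "matched": select_proposal(switch_b, switch_a),            # user proposals agree
        "fell_back_to_default": select_proposal(hardened_b, switch_a),  # only defaults agree
        "no_proposal_chosen": select_proposal(hardened_b, switch_a, initiator_default=fips_default),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result, weak_components(result) if result else "")
```

The second scenario is the one that surprises people in practice: hardening one side's proposal without touching the other does not fail the negotiation, it silently drops both peers to the default proposal, which is why the audit should be run against the proposal actually selected (display ike sa shows it) rather than against what was configured.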
You can specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command) for the IKE keychain to be applied. If no local address is configured, specify the IP address of the interface that uses the IPsec policy. You can specify a priority number for the IKE keychain.
Step: Configure the global identity to be used by the local end.
Command: ike identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn
Remarks: By default, the IP address of the interface to which the IPsec policy or IPsec policy template is applied is used as the IKE identity.
Step: Enter system view.
Command: system-view
Step: Set the IKE NAT keepalive interval.
Command: ike nat-keepalive seconds
Remarks: The default interval is 20 seconds.
Configuring IKE DPD
DPD detects dead peers. It can operate in periodic mode or on-demand mode.
• Periodic DPD—Sends a DPD message at regular intervals. It features an earlier detection of dead peers, but consumes more bandwidth and CPU.
sending the data by using the IPsec SA that has the invalid SPI, and the receiving peer keeps dropping the traffic. The invalid SPI recovery feature enables the receiving peer to set up an IKE SA with the originator so that an SPI invalid notification can be sent.
Step: Configure an IKE IPv4 address pool.
Command: ike address-group group-name start-ipv4-address end-ipv4-address [ mask | mask-length ]
Remarks: By default, no IKE IPv4 address pool exists.
Configuring SNMP notifications for IKE
After you enable SNMP notifications for IKE, the IKE module notifies the NMS of important module events.
IKE configuration examples Main mode IKE with pre-shared key authentication configuration example Network requirements As shown in Figure 99, configure an IKE-based IPsec tunnel between Switch A and Switch B to secure the communication in between. Configure Switch A and Switch B to use the default IKE proposal for the IKE negotiation to set up the IPsec SAs.
# Create an IKE profile named profile1.
[SwitchA] ike profile profile1
# Specify IKE keychain keychain1.
[SwitchA-ike-profile-profile1] keychain keychain1
# Configure the local ID with the identity type as IP address and the value as 1.1.1.1.
[SwitchA-ike-profile-profile1] local-identity address 1.1.1.1
# Configure a peer ID with the identity type as IP address and the value as 2.2.2.2/24.
# Specify 123456TESTplat&! in plain text as the pre-shared key to be used with the remote peer at 1.1.1.1.
[SwitchB-ike-keychain-keychain1] pre-shared-key address 1.1.1.1 255.255.255.0 key simple 123456TESTplat&!
[SwitchB-ike-keychain-keychain1] quit
# Create an IKE profile named profile1.
[SwitchB] ike profile profile1
# Specify IKE keychain keychain1.
[SwitchB-ike-profile-profile1] keychain keychain1
# Configure the local ID with the identity type as IP address and the value as 2.2.2.2.
Figure 100 Network diagram (figure text only): two CA servers; Switch A (Vlan-int1, 1.1.1.1/16) and Switch B (Vlan-int1, 2.2.2.2/16) connected across the Internet.
Configuration procedure
Configure Switch A:
# Configure an IP address for VLAN-interface 1.
<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-vlan-interface1] ip address 1.1.1.1 255.255.255.0
[SwitchA-vlan-interface1] quit
# Configure ACL 3101 to identify traffic between Switch A and Switch B.
[SwitchA-pki-domain-domain1] certificate request url http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7
# Specify the CA to accept certificate requests.
[SwitchA-pki-domain-domain1] certificate request from ca
# Specify the PKI entity for certificate request as entity1.
[SwitchA-pki-domain-domain1] certificate request entity entity1
# Specify the RSA key pair rsa1 with the general purpose for certificate request.
[SwitchA-pki-domain-domain1] public-key rsa general name rsa1
[SwitchA-pki-domain-domain1] quit
# Create an IKE profile named profile1.
[SwitchB-Vlan-interface1] ip address 2.2.2.2 255.255.255.0
[SwitchB-Vlan-interface1] quit
# Configure ACL 3101 to identify traffic between Switch B and Switch A.
[SwitchB] acl advanced 3101
[SwitchB-acl-ipv4-adv-3101] rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.1 0
[SwitchB-acl-ipv4-adv-3101] quit
# Create an IPsec transform set named tran1.
[SwitchB] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel.
# Configure a peer ID with the identity type of FQDN name and the value of www.switcha.com.
[SwitchB-ike-profile-profile2] match remote identity fqdn www.switcha.com
[SwitchB-ike-profile-profile2] quit
# Create an IKE proposal named 10.
[SwitchB] ike proposal 10
# Specify the authentication algorithm as HMAC-MD5.
[SwitchB-ike-proposal-10] authentication-algorithm md5
# Specify the RSA signature authentication method.
Construct notification packet: NO_PROPOSAL_CHOSEN.
Analysis
Certain IKE proposal settings are incorrect.
Solution
• Examine the IKE proposal configuration to see whether the two ends have matching IKE proposals.
• Modify the IKE proposal configuration to make sure the two ends have matching IKE proposals.
IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly
Symptom...
The attributes are unacceptable.
Construct notification packet: NO_PROPOSAL_CHOSEN.
Analysis
Certain IPsec policy settings are incorrect.
Solution
• Examine the IPsec configuration to see whether the two ends have matching IPsec transform sets.
• Modify the IPsec configuration to make sure the two ends have matching IPsec transform sets.
IPsec SA negotiation failed due to invalid identity information
Symptom
The display ike sa command shows that the IKE SA negotiation succeeded and the IKE SA is...
  Life duration(sec): 86400
  Remaining key duration(sec): 85847
  Exchange-mode: Main
  Diffie-Hellman group: Group 1
  NAT traversal: Not detected
# Verify that the IPsec policy is using an IKE profile.
[Sysname] display ipsec policy
-------------------------------------------
IPsec Policy: policy1
Interface: GigabitEthernet1/0/1
-------------------------------------------
  -----------------------------
  Sequence number: 1
  Mode: ISAKMP
  -----------------------------...
-------------------------------------------
  -----------------------------
  Sequence number: 1
  Mode: ISAKMP
  -----------------------------
  Security data flow: 3000
  Selector mode: aggregation
  Local address: 192.168.222.5
  Remote address:
  Transform set: transform1
  IKE profile: profile1
  SA duration(time based):
  SA duration(traffic based):
  SA idle time:
Solution
If the IPsec policy specifies an IKE profile but no matching IKE profile was found in IKE negotiation, perform one of the following tasks on the responder:
• Remove the specified IKE profile from the IPsec policy.
Configuring IKEv2
Overview
Internet Key Exchange version 2 (IKEv2) is an enhanced version of IKEv1. The same as IKEv1, IKEv2 has a set of self-protection mechanisms and can be used on insecure networks for reliable identity authentication, key distribution, and IPsec SA negotiation. IKEv2 provides stronger protection against attacks and a more efficient key exchange: the IKE SA and the first IPsec SA are established in four messages (the IKE_SA_INIT and IKE_AUTH exchanges), whereas IKEv1 needs six messages in main mode plus three in quick mode.
New features in IKEv2 DH guessing In the IKE_SA_INIT exchange, the initiator guesses the DH group that the responder is most likely to use and sends it in an IKE_SA_INIT request message. If the initiator's guess is correct, the responder responds with an IKE_SA_INIT response message and the IKE_SA_INIT exchange is finished.
• The strength of the algorithms for IKEv2 negotiation, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. Different algorithms provide different levels of protection. A stronger algorithm means better resistance to decryption of protected data but requires more resources. Typically, the longer the key, the stronger the algorithm.
Specify a local interface or IP address for the IKEv2 profile so the profile can be applied only to the specified interface or IP address. For this task, specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command). If no local address is configured, specify the IP address of the interface that uses the IPsec policy.
Step: Configure the local and remote identity authentication methods.
Command: authentication-method { local | remote } { dsa-signature | ecdsa-signature | pre-share | rsa-signature }
Remarks: By default, no local or remote identity authentication method is configured.
Remarks: By default, no keychain is specified for an IKEv2 profile.
Step 14: (Optional.) Set the IKEv2 NAT keepalive interval.
Command: nat-keepalive seconds
Remarks: By default, the global IKEv2 NAT keepalive setting is used.
Step 15: (Optional.) Enable the configuration exchange.
Command: config-exchange { request | set { accept | send } }
Remarks: By default, all configuration exchange options are disabled.
Configuring an IKEv2 proposal An IKEv2 proposal contains security parameters used in IKE_SA_INIT exchanges, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. An algorithm specified earlier has a higher priority. A complete IKEv2 proposal must have at least one set of security parameters, including one encryption algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group.
Step: Specify the integrity protection algorithms.
Command: In non-FIPS mode: integrity { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
Command: In FIPS mode: integrity { sha1 | sha256 | sha384 | sha512 } *
Remarks: By default, an IKEv2 proposal does not have any integrity protection algorithms.
In non-FIPS mode:...
Step: Configure the information
Command:
• To configure a host name for the peer: hostname host-name
• To configure a host IP address or address range for the peer: address { ipv4-address [ mask | mask-length ] | ipv6
Remarks: By default, no hostname, host IP address, address range, or identity information is configured for an...
Step: Enter system view.
Command: system-view
Step: Configure global IKEv2 DPD.
Command: ikev2 dpd interval interval [ retry seconds ] { on-demand | periodic }
Remarks: By default, global DPD is disabled.
Configuring the IKEv2 NAT keepalive feature
Configure this feature on the IKEv2 gateway behind the NAT device. The gateway then sends NAT keepalive packets regularly to its peer to keep the NAT session alive, so that the peer can access the device.
Task: Display the IKEv2 policy configuration.
Command: display ikev2 policy [ policy-name | default ]
Task: Display the IKEv2 profile configuration.
Command: display ikev2 profile [ profile-name ]
Task: Display the IKEv2 SA information.
Command: display ikev2 sa [ count | [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance
[SwitchA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use the ESP protocol for the IPsec transform set.
[SwitchA-ipsec-transform-set-tran1] protocol esp
# Specify the encryption and authentication algorithms.
[SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchA-ipsec-transform-set-tran1] quit
# Create an IKEv2 keychain named keychain1.
[SwitchA] ikev2 keychain keychain1
# Create an IKEv2 peer named peer1.
# Assign an IP address to VLAN-interface 1.
<Sw=itchB> system-view
[SwitchB] interface Vlan-interface1
[SwitchB-Vlan-interface1] ip address 2.2.2.2 255.255.255.0
[SwitchB-Vlan-interface1] quit
# Configure IPv4 advanced ACL 3101 to identify the traffic between Switch B and Switch A.
[SwitchB] acl advanced 3101
[SwitchB-acl-ipv4-adv-3101] rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.1 0
[SwitchB-acl-ipv4-adv-3101] quit
# Create an IPsec transform set named tran1.
# Specify ACL 3101 to identify the traffic to be protected.
[SwitchB-ipsec-policy-isakmp-use1-10] security acl 3101
# Specify IPsec transform set tran1 for the IPsec policy.
[SwitchB-ipsec-policy-isakmp-use1-10] transform-set tran1
# Specify IKEv2 profile profile1 for the IPsec policy.
[SwitchB-ipsec-policy-isakmp-use1-10] ikev2-profile profile1
[SwitchB-ipsec-policy-isakmp-use1-10] quit
# Apply IPsec policy use1 to VLAN-interface 1.
# Use the ESP protocol for the IPsec transform set.
[SwitchA-ipsec-transform-set-tran1] protocol esp
# Specify the encryption and authentication algorithms.
[SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
[SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchA-ipsec-transform-set-tran1] quit
# Create a PKI entity named entity1.
[SwitchA] pki entity entity1
# Set the common name to switcha for the PKI entity.
# Specify the integrity protection algorithm as HMAC-MD5.
[SwitchA-ikev2-proposal-10] integrity md5
# Specify the encryption algorithm as 3DES-CBC.
[SwitchA-ikev2-proposal-10] encryption 3des-cbc
# Specify the DH group as Group 1.
[SwitchA-ikev2-proposal-10] dh group1
# Specify the PRF algorithm as HMAC-MD5.
[SwitchA-ikev2-proposal-10] prf md5
[SwitchA-ikev2-proposal-10] quit
# Create an IKEv2 policy named 1.
[SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchB-ipsec-transform-set-tran1] quit
# Create a PKI entity named entity2.
[SwitchB] pki entity entity2
# Set the common name to switchb for the PKI entity.
[SwitchB-pki-entity-entity2] common-name switchb
[SwitchB-pki-entity-entity2] quit
# Create a PKI domain named domain2.
[SwitchB] pki domain domain2
# Set the certificate request mode to auto and set the password to 123 for certificate revocation.
# Specify the PRF algorithm as HMAC-MD5.
[SwitchB-ikev2-proposal-10] prf md5
[SwitchB-ikev2-proposal-10] quit
# Create an IKEv2 policy named 1.
[SwitchB] ikev2 policy 1
# Specify IKEv2 proposal 10 for the IKEv2 policy.
[SwitchB-ikev2-policy-1] proposal 10
[SwitchB-ikev2-policy-1] quit
# Create an IPsec policy template entry. Specify the template name as template1 and set the sequence number to 1.
Solution Examine the IKEv2 proposal configuration to see whether the two ends have matching IKEv2 proposals. Modify the IKEv2 proposal configuration to make sure the two ends have matching IKEv2 proposals. IPsec SA negotiation failed because no matching IPsec transform sets were found Symptom The display ikev2 sa command shows that the IKEv2 SA negotiation succeeded and the IKEv2 SA is in EST status.
Configuring SSH Overview Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. SSH uses the typical client-server model to establish a channel for secure data transfer based on TCP.
Stage: Algorithm negotiation
Description: SSH supports multiple algorithms. Based on the local algorithms, the two parties negotiate the following algorithms:
• Key exchange algorithm for generating session keys.
• Encryption algorithm for encrypting data.
• Public key algorithm for the digital signature and authentication.
•...
Publickey authentication
The server authenticates a client by verifying the digital signature of the client. The publickey authentication process is as follows:
The client sends the server a publickey authentication request that includes the username, public key, and public key algorithm name. If the digital certificate of the client is required in authentication, the client also encapsulates the digital certificate in the authentication request.
Configuring the device as an SSH server
SSH server configuration task list
Tasks at a glance | Remarks
(Required.) Generating local key pairs | 
(Required.) Enabling the Stelnet server | Required only for Stelnet servers.
(Required.) Enabling the SFTP server | Required only for SFTP servers.
(Required.) Enabling the SCP server | Required only for SCP servers.
• Local DSA, ECDSA, and RSA key pairs for SSH use default names. You cannot assign names to the key pairs.
• To support SSH clients that use different types of key pairs, generate DSA, ECDSA, and RSA key pairs on the SSH server.
• ...
Enabling the SCP server
After you enable the SCP server on the device, a client can log in to the device through SCP. When acting as an SCP server, the device does not support SCP connections initiated by SSH1 clients.
To enable the SCP server:
Step | Command ...
Configuring a client's host public key
In publickey authentication, the server compares the SSH username and the client's host public key received from the client with the locally saved SSH username and the client's host public key. If they are the same, the server checks the digital signature that the client sends. The client generates the digital signature by using the private key that is paired with the client's host public key.
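To make the comparison step concrete, here is an added Python example (written for this page, not code from the HPE guide or Comware). It parses an OpenSSH-format RSA public key line of the kind imported with public-key peer ... import sshkey, computes the SHA256 fingerprint an operator would compare against the client's, and performs the server-side check described above: the username and the presented key must equal the saved pair before any signature verification happens. The modulus is a constructed toy value, not a real key, and the signature check itself is not modelled.

```python
"""Added example: parse an OpenSSH-format RSA public key line, compute its SHA256
fingerprint, and perform the server-side comparison step described in the guide
(username + client host public key must equal the saved pair before the signature
is even checked). Standard library only; the key material is a constructed toy value."""

import base64
import hashlib
import hmac
import struct
from typing import Dict, Tuple


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer: two's complement, so a leading
    0x00 byte is added when the high bit of the first byte would otherwise be set."""
    if value == 0:
        return struct.pack(">I", 0)
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read one length-prefixed field, refusing to run past the end of the blob."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated string field")
    return buf[off:off + length], off + length


def build_openssh_rsa_line(e: int, n: int, comment: str = "") -> str:
    """Encode (e, n) as an OpenSSH public key line: '<type> <base64 blob> [comment]'."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


def parse_openssh_rsa_line(line: str) -> Dict[str, object]:
    """Parse an OpenSSH RSA public key line, rejecting malformed or mismatched input."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type != key_type.encode("ascii"):
        raise ValueError("key type inside the blob does not match the type prefix")
    if key_type != "ssh-rsa":
        raise ValueError("this example handles ssh-rsa only")
    e_raw, off = _read_string(blob, off)
    n_raw, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    n = int.from_bytes(n_raw, "big")
    return {"type": key_type, "e": int.from_bytes(e_raw, "big"), "n": n,
            "bits": n.bit_length(), "comment": comment, "blob": blob}


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the raw blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def server_accepts_key(username: str, presented_line: str,
                       saved_keys: Dict[str, str]) -> bool:
    """The comparison step from the guide: the SSH username and the presented client
    host public key must both equal what the server saved. Only on a match would the
    server go on to verify the client's signature (not modelled here)."""
    saved_line = saved_keys.get(username)
    if saved_line is None:
        return False
    try:
        presented = parse_openssh_rsa_line(presented_line)["blob"]
        saved = parse_openssh_rsa_line(saved_line)["blob"]
    except ValueError:
        return False
    return hmac.compare_digest(presented, saved)


# Constructed toy modulus for the demo (128 bits, NOT a real RSA key).
SAMPLE_E = 65537
SAMPLE_N = 0xC0FFEE1234567890ABCDEF0123456789
SAMPLE_LINE = build_openssh_rsa_line(SAMPLE_E, SAMPLE_N, "client002")

if __name__ == "__main__":
    key = parse_openssh_rsa_line(SAMPLE_LINE)
    print(key["type"], key["bits"], "bits", fingerprint_sha256(key["blob"]), key["comment"])
    saved = {"client002": SAMPLE_LINE}
    print("client002 accepted:", server_accepts_key("client002", SAMPLE_LINE, saved))
    print("client001 accepted:", server_accepts_key("client001", SAMPLE_LINE, saved))
```

The parser checks every length field against the blob size and rejects trailing bytes, which is the habit to keep when a device accepts key files from an FTP or TFTP upload; the fingerprint is what lets an operator confirm out of band that the imported key is the one the client actually generated.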
Configuring an SSH user
Configure an SSH user and a local user depending on the authentication method.
• If the authentication method is publickey, you must create an SSH user and a local user on the SSH server. The two users must have the same username, so that the SSH user can be assigned the correct working directory and user role.
Configuration procedure
To configure an SSH user, and specify the service type and authentication method:
Step | Command
Enter system view. | system-view
Create an SSH user, and specify the service type and authentication method. | • In non-FIPS mode: ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | { any | password-publickey | publickey } [ assign { pki-domain domain-name | publickey keyname } ] } ...
Step | Command | Remarks
Enable logging for SSH logins that are denied by the SSH login control ACL. | ssh server acl-deny-log enable | By default, logging is disabled for logins that are denied by the SSH login control ACL. This command enables SSH to send a log message to the information center when an SSH login is denied by the SSH login control ACL.
If you set the SSH port to a well-known port number, the service that uses the well-known port number might fail to start. Well-known port numbers are in the range of 1 to 1024.
To specify the SSH service port:
Step | Command | Remarks ...
• The key modulus length must be less than 2048 bits when you generate a DSA key pair.
Configuration procedure
To generate local key pairs on the Stelnet client:
Step | Command | Remarks
Enter system view. | system-view | 
Generate local key pairs. | public-key local create { dsa | ... | By default, no local key pairs exist ...
Step | Command
Enter system view. | system-view
Delete server public keys saved in the public key file on the Stelnet client. | delete ssh client server-public-key [ server-ip ip-address ]
Establishing a connection to a Stelnet server based on Suite B
Task | Command | Remarks
• ...
Generating local key pairs
Generate local key pairs on the SFTP client when the SFTP server uses the authentication method publickey, password-publickey, or any.
Configuration restrictions and guidelines
When you generate local key pairs on an SFTP client, follow these restrictions and guidelines:
• ...
• If you choose to continue, the device accesses the server and downloads the server's host public key.
• If you choose to not continue, the connection cannot be established.
As a best practice, configure the server's host public key on the device in an insecure network.
After the connection is established, you are in SFTP client view of the server and can perform file or directory operations.
Step | Command
Delete server public keys saved in the public key file on the SFTP client. | delete ssh client server-public-key [ server-ip ip-address ]
Establishing a connection to an SFTP server based on Suite B
After the connection is established, you are in SFTP client view of the server and can perform file or directory operations.
Working with SFTP files
Task | Command | Remarks
Change the name of a file on the SFTP server. | rename old-name new-name | Available in SFTP client view.
Download a file from the SFTP server and save it locally. | get remote-file [ local-file ] | Available in SFTP client view.
Generating local key pairs
Generate local key pairs on the SCP client when the SCP server uses the authentication method publickey, password-publickey, or any.
Configuration restrictions and guidelines
When you generate local key pairs on an SCP client, follow these restrictions and guidelines:
• ...
To delete server public keys saved in the public key file on the SCP client:
Step | Command
Enter system view. | system-view
Delete server public keys saved in the public key file on the SCP client. | delete ssh client server-public-key [ server-ip ip-address ]
Establishing a connection to an SCP server based on Suite B
Task ...
Task | Command
Display the public keys of the local key pairs. | display public-key local { dsa | ecdsa | rsa } public [ name publickey-name ]
Display server public key information saved in the public key file on the SSH client. | display ssh client server-public-key [ server-ip ip-address ]
Display information about peer public keys. | 
Create the key pair successfully.
# Generate a DSA key pair.
[Switch] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Figure 105 Specifying the host name (or IP address)
c. Click Open to connect to the server.
If the connection is successfully established, the system notifies you to enter the username and password. After entering the username (client001 in this example) and password (aabbcc in this example), you can enter the CLI of the server.
Configuration procedure
In the server configuration, the client's host public key is required. Use the client software to generate RSA key pairs on the client before configuring the Stelnet server.
There are different types of Stelnet client software, such as PuTTY and OpenSSH. This example uses a Stelnet client that runs PuTTY version 0.58.
Figure 108 Generating process
a. After the key pair is generated, click Save public key to save the public key.
A file saving window appears.
Figure 109 Saving a key pair on the client
a. Enter a file name (key.pub in this example), and click Save.
b. On the page shown in Figure 109, click Save private key to save the private key.
A confirmation dialog box appears.
c. Click Yes.
A file saving window appears.
d. Enter a file name (private.ppk in this example), and click Save.
e.
# Import the client's public key from the public key file key.pub and name it switchkey.
[Switch] public-key peer switchkey import sshkey key.pub
# Create an SSH user named client002. Specify the authentication method as publickey for the user, and assign the public key switchkey to the user.
[Switch] ssh user client002 service-type stelnet authentication-type publickey assign publickey switchkey
# Create a local device management user named client002.
Figure 111 Specifying the preferred SSH version
e. Select Connection > SSH > Auth from the navigation tree.
The window shown in Figure 112 appears.
f. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this example), and click OK.
a. Click Open to connect to the server.
If the connection is successfully established, the system notifies you to enter the username. After entering the username (client002), you can enter the CLI of the server.
Password authentication enabled Stelnet client configuration example
Network requirements
As shown in ...
# Generate an ECDSA key pair.
[SwitchB] public-key local create ecdsa secp256r1
Generating Keys...
Create the key pair successfully.
# Enable the Stelnet server.
[SwitchB] ssh server enable
# Assign an IP address to VLAN-interface 2. The Stelnet client uses this address as the destination address of the SSH connection.
65BE6C265854889DC1EDBD13EC8B274
[SwitchA-pkey-public-key-key1]DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B6FD60FE01941DDD77FE6B12893DA76E
[SwitchA-pkey-public-key-key1]EBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B68950387811C7DA33021500C773218C
[SwitchA-pkey-public-key-key1]737EC8EE993B4F2DED30F48EDACE915F028181008226900914EC474BAF2932E69D3B1F18517AD95
[SwitchA-pkey-public-key-key1]94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D0492B3959EC6499625BC4FA5082E22C5
[SwitchA-pkey-public-key-key1]B374E16DD00132CE71B020217091AC717B612391C76C1FB288317C1BD8171D41ECB83E210C03CC9
[SwitchA-pkey-public-key-key1]B32E810561C21621C73D6DAAC028F4B1585DA7F42519718C9B09EEF0381840002818000AF995917
[SwitchA-pkey-public-key-key1]E1E570A3F6B1C2411948B3B4FFA256699B3BF871221CC9C5F257523777D033BEE77FC378145F2AD
[SwitchA-pkey-public-key-key1]D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F701F7C62621216D5A572C379A32AC290
[SwitchA-pkey-public-key-key1]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B4658716261214A5A3B493E866991113B2D
[SwitchA-pkey-public-key-key1]485348
[SwitchA-pkey-public-key-key1] peer-public-key end
[SwitchA] quit
# Establish an SSH connection to the server, and specify the host public key of the server.
<SwitchA> ...
<SwitchA> ssh2 192.168.1.40
Username: client001
Press CTRL+C to abort.
Connecting to 192.168.1.40 port 22.
The server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:y
client001@192.168.1.40's password:
Enter a character ~ and a dot to abort.
******************************************************************************
* Copyright (c) 2010-2015 Hewlett Packard Enterprise Development LP
* Without the owner's prior written consent, ...
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
++++++++++++++++++++++++++++++++++++++++++++++++++*
..+..+..+........+
...+....+..+...+
Create the key pair successfully.
# Export the DSA host public key to a public key file named key.pub.
[SwitchA] public-key local export dsa ssh2 key.pub
[SwitchA] quit
# Transmit the public key file key.pub to the server through FTP or TFTP.
# Set the authentication mode to AAA for user lines.
[SwitchB] line vty 0 63
[SwitchB-line-vty0-63] authentication-mode scheme
[SwitchB-line-vty0-63] quit
# Import the peer public key from the public key file key.pub, and name it switchkey.
[SwitchB] public-key peer switchkey import sshkey key.pub
# Create an SSH user named client002.
NOTE:
You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as a Stelnet Suite B client.
# Upload the server's certificate file ssh-server-ecdsa256.p12 and the client's certificate file ssh-client-ecdsa256.p12 to the Stelnet client through FTP or TFTP.
04:a2:b4:b4:66:1e:3b:d5:50:50:0e:55:19:8d:52:
6d:47:8c:3d:3d:96:75:88:2f:9a:ba:a2:a7:f9:ef:
0a:a9:20:b7:b6:6a:90:0e:f8:c6:de:15:a2:23:81:
3c:9e:a2:b7:83:87:b9:ad:28:c8:2a:5e:58:11:8e:
c7:61:4a:52:51
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
08:C1:F1:AA:97:45:19:6A:DA:4A:F2:87:A1:1A:E8:30:BD:31:30:D7
X509v3 Authority Key Identifier:
keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22
Signature Algorithm: ecdsa-with-SHA256
30:65:02:31:00:a9:16:e9:c1:76:f0:32:fc:4b:f9:8f:b6:7f:
31:a0:9f:de:a7:cc:33:29:27:2c:71:2e:f9:0d:74:cb:25:c9:
00:d2:52:18:7f:58:3f:cc:7e:8b:d3:42:65:00:cb:63:f8:02:
30:01:a2:f6:a1:51:04:1c:61:78:f6:6b:7e:f9:f9:42:8d:7c:
a7:bb:47:7c:2a:85:67:0d:81:12:0b:02:98:bc:06:1f:c1:3c:
9b:c2:1b:4c:44:38:5a:14:b2:48:63:02:2b
# Create a PKI domain named client256 for the client's certificate and enter its view.
[SwitchB] ssh server enable
# Assign an IP address to VLAN-interface 2.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
[SwitchB-Vlan-interface2] quit
# Set the authentication mode to AAA for user lines.
[SwitchB] line vty 0 15
[SwitchB-line-vty0-15] authentication-mode scheme
[SwitchB-line-vty0-15] quit
# Create a local device management user named client001.
• The switch acts as the SFTP server and uses password authentication.
• The username and password of the client are saved on the switch.
Establish an SFTP connection between the host and the switch, so you can log in to the switch to manage and transfer files.
[Switch-Vlan-interface2] quit
# Create a local device management user named client002.
[Switch] local-user client002 class manage
# Set the password to aabbcc in plain text for local user client002.
[Switch-luser-manage-client002] password simple aabbcc
# Authorize local user client002 to use the SSH service.
[Switch-luser-manage-client002] service-type ssh
# Assign the network-admin user role and working directory flash:/ to local user client002.
Publickey authentication enabled SFTP client configuration example
Network requirements
As shown in Figure 118, Switch B acts as the SFTP server, and it uses publickey authentication and the RSA public key algorithm. Establish an SFTP connection between Switch A and Switch B, so you can log in to Switch B to manage and transfer files.
Input the modulus length [default = 1024]:
Generating Keys...
...++++++
....++++++
..++++++++
....++++++++
Create the key pair successfully.
# Generate a DSA key pair.
[SwitchB] public-key local create dsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Press CTRL+C to abort.
Connecting to 192.168.0.1 port 22.
The server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
sftp>
# Display files under the current directory of the server, delete file z, and verify the result.
sftp> ...
NOTE:
You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as an SFTP client.
# Upload the server's certificate file ssh-server-ecdsa384.p12 and the client's certificate file ssh-client-ecdsa384.p12 to the SFTP client through FTP or TFTP. (Details not shown.)
# Create a PKI domain named server384 for verifying the server's certificate and enter its view.
The system is going to save the key pair.
You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A to Z, 0 to 9, and hyphens (-).
Please enter the key pair name[default name: server384]:
# Display information about local certificates in PKI domain server384.
# Disable CRL checking.
[SwitchA-pki-domain-client384] undo crl check enable
[SwitchA-pki-domain-client384] quit
# Import local certificate file ssh-client-ecdsa384.p12 to PKI domain client384.
[SwitchA] pki import domain client384 p12 local filename ssh-client-ecdsa384.p12
The system is going to save the key pair.
You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters.
33:71:75:5e:11:c9:a6:51:4b:3e:7c:eb:2a:4d:87:2b:71:7c:
30:64:fe:14:ce:06:d5:0a:e2:cf:9a:69:19:ff
# Assign an IP address to VLAN-interface 2.
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 192.168.0.2 255.255.255.0
[SwitchA-Vlan-interface2] quit
[SwitchA] quit
Configure the SFTP server:
# Upload the server's certificate file ssh-server-ecdsa384.p12 and the client's certificate file ssh-client-ecdsa384.p12 to the SFTP server through FTP or TFTP. (Details not shown.)
# Create a PKI domain named client384 for verifying the client's certificate and import the file of the client's certificate to this domain.
Connecting to 192.168.0.1 port 22.
sftp>
SCP configuration examples
Unless otherwise noted, devices in the configuration examples operate in non-FIPS mode. When the device acts as an SCP server and is operating in FIPS mode, only ECDSA and RSA key pairs are supported.
..+..+..+........+
...+....+..+...+.
Create the key pair successfully.
# Generate an ECDSA key pair.
[SwitchB] public-key local create ecdsa secp256r1
Generating Keys...
Create the key pair successfully.
# Enable the SCP server.
[SwitchB] scp server enable
# Configure an IP address for VLAN-interface 2. The client uses this address as the destination for SCP connection.
NOTE:
You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as an SCP client.
# Upload the server's certificate files (ssh-server-ecdsa256.p12 and ssh-server-ecdsa384.p12) and the client's certificate files (ssh-client-ecdsa256.p12 and ssh-client-ecdsa384.p12) to the SCP client through FTP or TFTP.
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=CN, ST=abc, L=abc, O=abc, OU=Software, CN=SuiteB CA
Validity
Not Before: Aug 21 08:39:51 2015 GMT
Not After : Aug 20 08:39:51 2016 GMT
Subject: C=CN, ST=abc, O=abc, OU=Software, CN=SSH Server secp256
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:a2:b4:b4:66:1e:3b:d5:50:50:0e:55:19:8d:52:...
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4 (0x4)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=CN, ST=abc, L=abc, O=abc, OU=Software, CN=SuiteB CA
Validity
Not Before: Aug 21 08:41:09 2015 GMT
Not After : Aug 20 08:41:09 2016 GMT
Subject: C=CN, ST=abc, O=abc, OU=Software, CN=SSH Client secp256
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
Please enter the key pair name[default name: server384]:
# Display information about local certificates in PKI domain server384.
[SwitchA] display pki certificate domain server384 local
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: ecdsa-with-SHA384
Issuer: C=CN, ST=abc, L=abc, O=abc, OU=Software, CN=SuiteB CA
Validity
Not Before: Aug 20 10:08:41 2015 GMT
Not After : Aug 19 10:08:41 2016 GMT
...
[SwitchA-pki-domain-client384] quit
# Import local certificate file ssh-client-ecdsa384.p12 to PKI domain client384.
[SwitchA] pki import domain client384 p12 local filename ssh-client-ecdsa384.p12
The system is going to save the key pair.
You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A to Z, 0 to 9, and hyphens (-).
# Assign an IP address to VLAN-interface 2.
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 192.168.0.2 255.255.255.0
[SwitchA-Vlan-interface2] quit
Configure the SCP server:
# Upload the server's certificate files (ssh-server-ecdsa256.p12 and ssh-server-ecdsa384.p12) and the client's certificate files (ssh-client-ecdsa256.p12 and ssh-client-ecdsa384.p12) to the SCP server through FTP or TFTP. (Details not shown.)
# Create a PKI domain named client256 for verifying the client's certificate ecdsa256 and import the file of this certificate to this domain.
# Create an SSH user client001. Specify the publickey authentication method for the user and specify client256 as the PKI domain for verifying the client's certificate.
[Switch] ssh user client001 service-type scp authentication-type publickey assign pki-domain client256
# Establish an SCP connection to the SCP server at 192.168.0.1 based on the 128-bit Suite B algorithms.
Figure 122 Network diagram: NETCONF-over-SSH client (Host, 192.168.1.56/24) connected to the NETCONF-over-SSH server (Switch, Vlan-int2 192.168.1.40/24)
Configuration procedure
# Generate RSA key pairs.
<Switch> system-view
[Switch] public-key local create rsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
[Switch-line-vty0-63] authentication-mode scheme
[Switch-line-vty0-63] quit
# Create a local device management user named client001.
[Switch] local-user client001 class manage
# Set the password to aabbcc in plain text for local user client001.
[Switch-luser-manage-client001] password simple aabbcc
# Authorize local user client001 to use the SSH service.
[Switch-luser-manage-client001] service-type ssh
# Assign the network-admin user role to local user client001.
Configuring SSL
Overview
Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security for TCP-based application layer protocols such as HTTP. SSL has been widely used in applications such as e-business and online banking to provide secure data transmission over the Internet.
SSL security services
SSL provides the following security services:
• ...
Figure 124 SSL protocol stack: the application layer protocol (e.g. HTTP) runs over the SSL handshake protocol, SSL change cipher spec protocol, and SSL alert protocol, which in turn run over the SSL record protocol
The following describes the major functions of SSL protocols:
• SSL record protocol—Fragments data received from the upper layer, computes and adds MAC to the data, and encrypts the data.
Step | Command | Remarks
(Optional.) Disable the SSL server from using specific SSL versions. | • In non-FIPS mode: ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable | By default: • In non-FIPS mode, the SSL server supports SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2.
Step | Command | Remarks
(Optional.) Enable mandatory or optional SSL client authentication. | client-verify { enable | optional } | By default, SSL client authentication is disabled. The SSL server does not perform digital certificate-based authentication on SSL clients. When authenticating a client by using the digital certificate ...
Step | Command | Remarks
Specify the SSL protocol version for the SSL client policy. | • In non-FIPS mode: version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 } | By default, an SSL client policy uses TLS 1.0. To ensure security, do not ...
• ...
Configuration procedure
Make sure the device, the host, and the CA server can reach each other. (Details not shown.)
Configure the HTTPS server on the device:
# Create a PKI entity named en. Set the common name and FQDN for the entity.
<Device> ...
[Device-ssl-server-policy-myssl] pki-domain 1
# Enable client authentication.
[Device-ssl-server-policy-myssl] client-verify enable
[Device-ssl-server-policy-myssl] quit
# Configure the HTTPS service to use SSL server policy myssl.
[Device] ip https ssl-server-policy myssl
# Enable the HTTPS service.
[Device] ip https enable
# Create a local user named usera. Set the password to 123, service type to https, and user role to network-admin.
Configuring attack detection and prevention
Overview
Attack detection and prevention enables a device to detect attacks by inspecting arriving packets, and to take prevention actions to protect a private network. Prevention actions include logging, packet dropping, and blacklisting.
Attacks that the device can prevent
This section describes the attacks that the device can detect and prevent.
Single-packet attack | Description
IP options | An attacker sends IP datagrams in which the IP options are abnormal. This attack intends to probe the network topology. The target system will break down if it is incapable of processing error packets.
IP fragment | An attacker sends the victim an IP datagram with an offset smaller than 5, which causes the victim to malfunction or crash.
Flood attacks
An attacker launches a flood attack by sending a large number of forged requests to the victim in a short period of time. The victim is too busy responding to these forged requests to provide services for legitimate users, and a DoS attack occurs.
The device can detect and prevent the following types of flood attacks:
• ...
An ICMPv6 flood attacker sends ICMPv6 request packets, such as ping packets, to a host at a fast rate. Because the target host is busy replying to these requests, it is unable to provide services.
• UDP flood attack.
A UDP flood attacker sends UDP packets to a host at a fast rate. These packets consume a large amount of the target host's bandwidth, so the host cannot provide other services.
User blacklist
The user blacklist feature is an attack prevention method that filters packets by source users in blacklist entries. Compared with IP blacklist filtering, user blacklist filtering performs access control on the user level and improves the filtering usability. The user blacklist feature must be used together with the user identification feature.
Configuring a single-packet attack defense policy
Apply the single-packet attack defense policy to the interface that is connected to the external network. Single-packet attack detection inspects incoming packets based on the packet signature. If an attack packet is detected, the device can take the following actions:
• ...
Step | Command | Remarks
(Optional.) Specify the actions against single-packet attacks of a specific level. | signature level { high | info | low | medium } action { { drop | logging } * | none } | The default action is logging for single-packet attacks of the informational and low levels. The default actions are ...
You can configure flood attack detection and prevention for a specific IP address. For non-specific IP addresses, the device uses the global attack prevention settings.
Configuring a SYN flood attack defense policy
Step | Command | Remarks
Enter system view. | system-view | 
Enter attack defense policy view. | attack-defense policy policy-name | 
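The precedence just described (an IP-specific entry overrides the global threshold and actions, everything else falls back to the global settings) is easy to get wrong in a home-grown detector, so here it is worked through in Python. This is an added example written for this page, not code from the HPE guide or the device: it counts pure SYN packets per destination per one-second bucket, picks the threshold that applies to each destination, and emits the configured actions when the count exceeds it. The policy values and the traffic are constructed sample data (RFC 5737 documentation addresses), with thresholds far below the guide's defaults so that the sample triggers.

```python
"""Added example: flood-attack rate detection with global and IP-specific settings,
modelled on the precedence the guide describes (an IP-specific entry overrides the
global setting; other destinations fall back to the global threshold and actions).
Packets are constructed sample records using RFC 5737 documentation addresses."""

from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

Packet = Tuple[float, str, str, str]   # (timestamp, src_ip, dst_ip, tcp_flags)


@dataclass
class FloodPolicy:
    global_threshold: int                                   # SYN packets per second
    global_actions: Set[str]                                # subset of {"drop", "logging"}
    per_ip: Dict[str, Tuple[int, Set[str]]] = field(default_factory=dict)

    def settings_for(self, dst: str) -> Tuple[int, Set[str]]:
        """IP-specific settings win; everything else uses the global settings."""
        return self.per_ip.get(dst, (self.global_threshold, self.global_actions))


@dataclass(frozen=True)
class FloodEvent:
    dst: str
    second: int
    count: int
    threshold: int
    actions: Tuple[str, ...]


def detect_syn_flood(packets: Iterable[Packet], policy: FloodPolicy) -> List[FloodEvent]:
    """Count pure SYN packets per destination per one-second bucket and report every
    bucket whose count exceeds the threshold that applies to that destination."""
    counts: Dict[Tuple[str, int], int] = defaultdict(int)
    for ts, _src, dst, flags in packets:
        if flags == "S":                 # SYN without ACK: a new connection request
            counts[(dst, int(ts))] += 1
    events: List[FloodEvent] = []
    for (dst, second), count in sorted(counts.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        threshold, actions = policy.settings_for(dst)
        if count > threshold:
            events.append(FloodEvent(dst, second, count, threshold, tuple(sorted(actions))))
    return events


# Constructed policy: small thresholds so the sample data triggers; the guide's
# defaults are far higher (for example 1000 for SYN-ACK flood).
SAMPLE_POLICY = FloodPolicy(
    global_threshold=5,
    global_actions={"logging"},
    per_ip={"10.1.1.2": (3, {"logging", "drop"})},
)

# Constructed traffic: six SYNs to 10.1.1.2 within one second from varied sources,
# one SYN-ACK that must not count, and a slower trickle of SYNs to 10.1.1.3.
SAMPLE_PACKETS: List[Packet] = (
    [(100.0 + i * 0.01, f"203.0.113.{i + 1}", "10.1.1.2", "S") for i in range(6)]
    + [(100.5, "192.0.2.9", "10.1.1.2", "SA")]
    + [(100.1 + i * 0.05, "198.51.100.7", "10.1.1.3", "S") for i in range(4)]
    + [(101.2, "198.51.100.8", "10.1.1.3", "S")]
)

if __name__ == "__main__":
    for ev in detect_syn_flood(SAMPLE_PACKETS, SAMPLE_POLICY):
        print(f"t={ev.second}s dst={ev.dst} syn={ev.count} > {ev.threshold}: {', '.join(ev.actions)}")
```

Only the 10.1.1.2 bucket fires here: its IP-specific threshold of 3 is exceeded, while 10.1.1.3 stays under the global threshold of 5. Fixed one-second buckets are the simplest model of a packets-per-second threshold; a device implementation would typically use a sliding window, but the precedence logic is the same.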
Step | Command | Remarks
Set the global trigger threshold for SYN-ACK flood attack prevention. | syn-ack-flood threshold threshold-value | The default setting is 1000.
Specify global actions against SYN-ACK flood attacks. | syn-ack-flood action { drop | logging } * | By default, no global action is specified for SYN-ACK flood attacks.
Configuring an ICMP flood attack defense policy
Step | Command | Remarks
Enter system view. | system-view | 
Enter attack defense policy view. | attack-defense policy policy-name | 
Enable global ICMP flood attack detection. | icmp-flood detect non-specific | By default, global ICMP flood attack detection is disabled.
Set the global trigger threshold for ICMP flood ... | icmp-flood threshold ... | 
Step | Command | Remarks
Specify global actions against UDP flood attacks. | udp-flood action { drop | logging } * | By default, no global action is specified for UDP flood attacks.
Configure IP address-specific UDP flood attack detection. | udp-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance ... | By default, IP address-specific UDP flood attack detection is not ...
Applying an attack defense policy to the device
An attack defense policy applied to the device itself rather than the interfaces detects packets destined for the device and prevents attacks targeted at the device. The device uses hardware to implement packet forwarding and uses software to process packets if the packets are destined for the device.
Step | Command | Remarks
Enter system view. | system-view | 
Enable TCP fragment attack prevention. | attack-defense tcp fragment enable | By default, TCP fragment attack prevention is enabled. TCP fragment attack prevention is typically used alone.
Configuring the IP blacklist feature
The IP blacklist feature filters packets sourced from IP addresses in blacklist entries. IP blacklist entries can be manually added or dynamically learned:
• ...
Step | Command | Remarks
Enter system view. | system-view | 
Enable the global blacklist feature. | blacklist global enable | By default, the global blacklist feature is disabled.
Add a user blacklist entry. | blacklist user user-name [ timeout minutes ] | By default, no user blacklist entries exist.
Displaying and maintaining attack detection and prevention
Use the display commands in any view and the reset commands in user view.
To display and maintain attack detection and prevention:
Task | Command
(In standalone mode.) Display attack detection and prevention statistics on an interface. | display attack-defense statistics interface ...
Task | Command
Clear dynamic IPv6 blacklist entries. | reset blacklist ipv6 { source-ipv6-address [ vpn-instance vpn-instance-name ] | all }
Clear blacklist statistics. | reset blacklist statistics
Attack detection and prevention configuration examples
Interface-based attack detection and prevention configuration example
Network requirements
As shown in Figure 126, the device is the gateway for the internal network.
[Device-attack-defense-policy-a1] signature detect smurf action logging
# Configure low-level scanning attack detection, specify logging and block-source as the prevention actions, and set the blacklist entry aging time to 10 minutes.
[Device-attack-defense-policy-a1] scan detect level low action logging block-source timeout 10
# Configure SYN flood attack detection for 10.1.1.2, set the attack prevention triggering threshold to 5000, and specify logging and drop as the prevention actions.
UDP Bomb                          Disabled   medium
UDP Snork                         Disabled   medium
UDP Fraggle                       Disabled   medium
IP option record route            Disabled   info
IP option internet timestamp      Disabled   info
IP option security                Disabled   info
IP option loose source routing    Disabled   info
IP option stream ID               Disabled   info
IP option strict source routing   ...
# Add an IPv4 blacklist entry for Host D.
[Device] blacklist ip 5.5.5.5
# Add an IPv4 blacklist entry for Host C and set the blacklist entry aging time to 50 minutes.
[Device] blacklist ip 192.168.1.4 timeout 50
Verifying the configuration
# Verify that the IPv4 blacklist entries are successfully added.
Configure the user blacklist feature:
# Enable the global blacklist feature.
[Device] blacklist global enable
# Add a user blacklist entry for user userc and set the blacklist entry aging time to 50 minutes.
[Device] blacklist user userc timeout 50
Verifying the configuration
# Verify that the user blacklist entry is successfully added.
Configuring TCP attack prevention
Overview
TCP attack prevention can detect and prevent attacks that exploit the TCP connection establishment process.
Configuring Naptha attack prevention
Naptha is a DDoS attack that targets operating systems. It exploits resource-consumption weaknesses in the TCP/IP stack and network application processes. The attacker establishes a large number of TCP connections in a short period of time and leaves them in certain states without requesting any data.
Configuring IP source guard
Overview
IP source guard (IPSG) prevents spoofing attacks by using an IPSG binding table to match legitimate packets. It drops packets that do not match the table.
IPSG is a per-interface packet filter. Configuring the feature on one interface does not affect packet forwarding on another interface.
The IPSG binding table can include global and interface-specific bindings.
• Interface-specific static binding—Binds the IP address, MAC address, or any combination of the items in interface view. The binding takes effect only on the interface to check the validity of users who are attempting to access the interface.
Dynamic IPSG bindings
IPSG automatically obtains user information from other modules to generate dynamic bindings.
IPSG configuration task list
To configure IPv4SG, perform the following tasks:
Tasks at a glance
(Required.) Enabling IPv4SG on an interface
(Optional.) Configuring a static IPv4SG binding
(Optional.) Excluding IPv4 packets from IPSG filtering
To configure IPv6SG, perform the following tasks:
Tasks at a glance
(Required.) Enabling IPv6SG on an interface
...
Configuring a static IPv4SG binding
You can configure global static and interface-specific static IPv4SG bindings. Global static bindings take effect on all interfaces. Interface-specific static bindings take priority over global static bindings. An interface first uses the static bindings on the interface to match packets. If no match is found, the interface uses the global bindings.
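The lookup order described here, together with the per-interface scope and the VLAN exclusion from the task list, is shown below as an added Python example written for this page (not code from the HPE guide or the device). A binding matches when every item it binds (IP address, MAC address, or both) equals the packet's source field; the filter consults interface-specific bindings first, then global bindings, lets excluded VLANs and interfaces without IPSG pass, and drops anything else. The sample table and packets are constructed, reusing the Host A address and MAC from the configuration example; the global binding, the second interface and the excluded VLAN range are assumptions for the demonstration.

```python
"""Added example: an IP source guard (IPSG) filter modelled on the guide's rules:
the filter is per interface; interface-specific static bindings are checked first,
then global static bindings; packets whose VLAN is excluded bypass the filter;
anything without a matching binding is dropped. Simplification: a binding matches
when every item it binds (IP, MAC, or both) equals the packet's field. Sample
bindings and packets are constructed, reusing the Host A values from the example."""

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Binding:
    ip: Optional[str] = None     # None means the item is not bound (wildcard)
    mac: Optional[str] = None

    def matches(self, src_ip: str, src_mac: str) -> bool:
        if self.ip is not None and self.ip != src_ip:
            return False
        if self.mac is not None and self.mac != src_mac:
            return False
        return True


class IpsgTable:
    def __init__(self) -> None:
        self.enabled: Set[str] = set()
        self.global_bindings: List[Binding] = []
        self.interface_bindings: Dict[str, List[Binding]] = defaultdict(list)
        self.excluded_vlans: Set[int] = set()

    def enable(self, interface: str) -> None:
        self.enabled.add(interface)

    def add_global(self, binding: Binding) -> None:
        self.global_bindings.append(binding)

    def add_interface(self, interface: str, binding: Binding) -> None:
        self.interface_bindings[interface].append(binding)

    def exclude_vlans(self, start: int, end: Optional[int] = None) -> None:
        """Mirror of 'ip verify source exclude vlan start [to end]': a VLAN range."""
        last = end if end is not None else start
        self.excluded_vlans.update(range(start, last + 1))

    def filter(self, interface: str, src_ip: str, src_mac: str,
               vlan: Optional[int] = None) -> Tuple[str, str]:
        """Return (verdict, reason); verdict is 'permit' or 'drop'."""
        if interface not in self.enabled:
            return "permit", "IPSG not enabled on this interface"
        if vlan is not None and vlan in self.excluded_vlans:
            return "permit", f"VLAN {vlan} excluded from IPSG filtering"
        # Interface-specific bindings take priority over global bindings.
        for b in self.interface_bindings.get(interface, []):
            if b.matches(src_ip, src_mac):
                return "permit", f"interface-specific binding {b}"
        for b in self.global_bindings:
            if b.matches(src_ip, src_mac):
                return "permit", f"global binding {b}"
        return "drop", "no matching IPSG binding"


def build_sample_table() -> IpsgTable:
    """Constructed table: Host A bound on GigabitEthernet1/0/1 (values from the
    example), one assumed global IP-only binding, and VLANs 100-101 excluded."""
    table = IpsgTable()
    table.enable("GigabitEthernet1/0/1")
    table.enable("GigabitEthernet1/0/2")
    table.add_interface("GigabitEthernet1/0/1", Binding(ip="192.168.0.1", mac="0001-0203-0406"))
    table.add_global(Binding(ip="192.168.0.50"))
    table.exclude_vlans(100, 101)
    return table


if __name__ == "__main__":
    table = build_sample_table()
    print(table.filter("GigabitEthernet1/0/1", "192.168.0.1", "0001-0203-0406"))
    print(table.filter("GigabitEthernet1/0/1", "192.168.0.1", "0001-0203-ffff"))   # wrong MAC
    print(table.filter("GigabitEthernet1/0/2", "192.168.0.50", "aaaa-bbbb-cccc"))  # global binding
    print(table.filter("GigabitEthernet1/0/2", "192.168.0.77", "aaaa-bbbb-cccc", vlan=100))
```

The second call shows why binding both items matters: a host that spoofs Host A's IP address from a different MAC is dropped, whereas an IP-only binding such as the global one accepts any MAC that presents the bound address.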
Step: Enter system view.
  Command: system-view
Step: Exclude IPv4 packets with the specified source items from IPSG filtering.
  Command: ip verify source exclude vlan start-vlan-id [ to end-vlan-id ]
  Remarks: By default, no excluded source items are configured. You can execute this command multiple times to specify multiple excluded VLANs.
Configuring a global static IPv6SG binding
Step: Enter system view.
  Command: system-view
Step: Configure a global static IPv6SG binding.
  Command: ipv6 source binding ip-address ipv6-address mac-address mac-address
  Remarks: By default, no global static IPv6SG bindings exist.
Configuring a static IPv6SG binding on an interface
Step Command Remarks...
[DeviceA-GigabitEthernet1/0/2] quit
# Enable IPv4SG on GigabitEthernet 1/0/1.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip verify source ip-address mac-address
# On GigabitEthernet 1/0/1, configure a static IPv4SG binding for Host A.
[DeviceA-GigabitEthernet1/0/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406
[DeviceA-GigabitEthernet1/0/1] quit
Configure Device B:
# Configure an IP address for each interface.
• Enable DHCP snooping on the device to make sure the DHCP client obtains an IP address from the authorized DHCP server. To generate a DHCP snooping entry for the DHCP client, enable recording of client information in DHCP snooping entries. •...
Figure 132 Network diagram: Host (DHCP client, 10.1.1.1/24, MAC 0001-0203-0406), Switch (DHCP relay agent, Vlan-int100 and Vlan-int200), DHCP server.
Configuration procedure
Configure dynamic IPv4SG:
# Configure IP addresses for the interfaces. (Details not shown.)
# Enable IPv4SG on VLAN-interface 100 and verify the source IP address and MAC address for dynamic IPSG.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ipv6 verify source ip-address mac-address
# Enable recording of client information in DHCPv6 snooping entries on GigabitEthernet 1/0/1.
[Device-GigabitEthernet1/0/1] ipv6 dhcp snooping binding record
[Device-GigabitEthernet1/0/1] quit
Verifying the configuration
# Verify that a dynamic IPv6SG binding is generated based on a DHCPv6 snooping entry.
[Device] display ipv6 source binding dhcpv6-snooping
Total entries found: 1
IPv6 Address...
Enable IPv6SG on VLAN-interface 3 and verify the source IP address and MAC address for dynamic IPv6SG.
<Switch> system-view
[Switch] interface vlan-interface 3
[Switch-Vlan-interface3] ipv6 verify source ip-address mac-address
[Switch-Vlan-interface3] quit
Verifying the configuration
# Verify that a dynamic IPv6SG binding is generated based on a DHCPv6 relay entry.
[Switch] display ipv6 source binding dhcpv6-relay
Total entries found: 1
IP Address...
Configuring ARP attack protection
ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks. Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
After a blackhole route is created for an unresolved IP address, the device immediately starts the first ARP blackhole route probe by sending an ARP request. If the resolution fails, the device continues probing according to the probe settings. If the IP address resolution succeeds in a probe, the device converts the blackhole route to a normal route.
A large number of ARP requests are detected in the office area and are considered an attack caused by unresolvable IP packets. To prevent the attack, configure ARP source suppression or ARP blackhole routing.
Figure 136 Network diagram: IP network, Gateway Device (ARP attack protection)...
Configuration procedure
This task sets a rate limit for ARP packets received on an interface. When the receiving rate of ARP packets on the interface exceeds the rate limit, those packets are discarded. You can enable sending notifications to the SNMP module or enable logging for ARP packet rate limit.
Configuring source MAC-based ARP attack detection
This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within 5 seconds exceeds a threshold, the device generates an ARP attack entry for the MAC address.
# Set the threshold to 30.
[Device] arp source-mac threshold 30
# Set the lifetime for ARP attack entries to 60 seconds.
[Device] arp source-mac aging-time 60
# Exclude MAC address 0012-3f86-e94c from this detection.
[Device] arp source-mac exclude-mac 0012-3f86-e94c
Configuring ARP packet source MAC consistency check
This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet...
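The detection logic described above (per-source-MAC count of ARP packets over a 5-second window, a threshold, an aging time for attack entries, and an exclude list), written as an added example that models the feature rather than reproducing the device's code. The threshold, aging time and excluded MAC come from the configuration above; the packet traffic is constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 5  # detection window stated in the text


class SourceMacArpDetector:
    """Models source MAC-based ARP attack detection (added example, not device code).

    ARP packets delivered to the CPU are counted per source MAC over a sliding
    5-second window. When the count exceeds the threshold, an attack entry is
    created for that MAC and kept for aging_time seconds. MACs on the exclude
    list are never counted.
    """

    def __init__(self, threshold=30, aging_time=60, exclude_macs=()):
        self.threshold = threshold
        self.aging_time = aging_time
        self.exclude_macs = {m.lower() for m in exclude_macs}
        self._arrivals = defaultdict(deque)   # mac -> timestamps inside the window
        self._attack_entries = {}             # mac -> expiry time of the attack entry

    def process(self, src_mac, now):
        """Account for one ARP packet; return True if it hits an attack entry."""
        mac = src_mac.lower()
        self._expire_entries(now)
        if mac in self.exclude_macs:
            return False
        if mac in self._attack_entries:
            return True
        q = self._arrivals[mac]
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:   # drop arrivals older than the window
            q.popleft()
        if len(q) > self.threshold:
            self._attack_entries[mac] = now + self.aging_time
            q.clear()
            return True
        return False

    def _expire_entries(self, now):
        for mac, expiry in list(self._attack_entries.items()):
            if now >= expiry:
                del self._attack_entries[mac]

    def attack_entries(self, now):
        """Return the MACs with a live attack entry at time `now`."""
        self._expire_entries(now)
        return sorted(self._attack_entries)


def simulate(packets, **kwargs):
    """Run constructed (timestamp, src_mac) packets through the detector.

    Returns (MACs with attack entries at the end, number of packets that hit an entry)."""
    det = SourceMacArpDetector(**kwargs)
    flagged = 0
    last = 0.0
    for ts, mac in packets:
        last = ts
        if det.process(mac, ts):
            flagged += 1
    return det.attack_entries(last), flagged


# Constructed traffic: 0001-0203-0405 sends 40 ARPs in 2 s (exceeds 30 within 5 s);
# 0012-3f86-e94c sends 40 too but is excluded; 000a-0b0c-0d0e sends 10 in 5 s.
SAMPLE = (
    [(i * 0.05, "0001-0203-0405") for i in range(40)]
    + [(i * 0.05, "0012-3f86-e94c") for i in range(40)]
    + [(i * 0.5, "000a-0b0c-0d0e") for i in range(10)]
)

if __name__ == "__main__":
    print(simulate(SAMPLE, threshold=30, aging_time=60, exclude_macs=["0012-3f86-e94c"]))
```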
Configuring authorized ARP Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP server or dynamic client entries on the DHCP relay agent. For more information about DHCP server and DHCP relay agent, see Layer 3—IP Services Configuration Guide. With authorized ARP enabled, an interface is disabled from learning dynamic ARP entries.
ARP attack detection provides the following features:
• User validity check.
• ARP packet validity check.
• ARP restricted forwarding.
• ARP attack detection logging.
• ARP packet ingress port ignoring during user validity check.
• ARP attack detection for a VSI.
If both ARP packet validity check and user validity check are enabled, the former applies first, and then the latter.
Step: Enter system view.
  Command: system-view
Step: (Optional.) Configure a user validity check rule.
  Command: arp detection rule rule-id { deny | permit } ip { ip-address [ mask ] | any } mac { mac-address [ mask ] | any } [ vlan vlan-id ]
  Remarks: By default, no user validity check rule is configured.
Step: Enter VLAN view.
Step: (Optional.) Configure the interface as a trusted interface excluded from ARP attack detection.
  Command: arp detection trust
  Remarks: By default, an interface is ARP untrusted.
Configuring ARP restricted forwarding
NOTE: ARP restricted forwarding does not apply to ARP packets with multiport MAC as their destination MAC addresses.
Configuring ARP attack detection for a VSI In VXLAN networks, you can configure a VTEP to perform ARP attack detection in a VSI. ARP attack detection performs user validity check and ARP packet validity check on ARP packets from ARP untrusted ACs.
User validity check and ARP packet validity check configuration example
Network requirements
As shown in Figure 140, configure Device B to perform ARP packet validity check and user validity check based on static IP source guard bindings and DHCP snooping entries for connected hosts.
Figure 140 Network diagram: Gateway, DHCP server...
# Configure the upstream interface as a trusted interface. By default, an interface is an untrusted interface.
[DeviceB-vlan10] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] arp detection trust
[DeviceB-GigabitEthernet1/0/3] quit
# Configure a static IP source guard binding entry on interface GigabitEthernet 1/0/2 for user validity check.
Step: Enter system view.
  Command: system-view
Step: Enter interface view.
  Command: interface interface-type interface-number
Step: Trigger an ARP scanning.
  Command: arp scan [ start-ip-address to end-ip-address ]
Step: Return to system view.
  Command: quit
Step: Convert existing dynamic ARP entries to static ARP entries.
  Command: arp fixup
Configuring ARP gateway protection
Configure this feature on interfaces not connected with a gateway to prevent gateway spoofing attacks.
Step: Enter system view.
  Command: system-view
Step: Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view.
  Command: interface interface-type interface-number
Step: Enable ARP filtering and configure a permitted entry.
  Command: arp filter binding ip-address mac-address
  Remarks: By default, ARP filtering is disabled.
Configuration example
Network requirements
As shown in...
Configuring ARP sender IP address checking This feature allows a gateway to check the sender IP address of an ARP packet in a VLAN before ARP learning. If the sender IP address is within the allowed IP address range, the gateway continues ARP learning.
Configuring ND attack defense Overview IPv6 Neighbor Discovery (ND) attack defense is able to identify forged ND messages to prevent ND attacks. The IPv6 ND protocol does not provide any security mechanisms and is vulnerable to network attacks. An attacker can send the following forged ICMPv6 messages to perform ND attacks: •...
The ND logging feature logs source MAC inconsistency events, and it sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see Network Management and Monitoring Configuration Guide.
To make the bindings effective for ND attack detection, you must specify the vlan vlan-id option in the ipv6 source binding command, and enable ND attack detection for the same VLAN.
• DHCPv6 snooping.
• ND snooping.
Configuration procedure
To configure ND attack detection:
Step Command Remarks...
Figure 143 Network diagram: Internet, Gateway Device A (GE1/0/3, Vlan-int10 10::1/64), VLAN 10 with ND snooping on Device B (GE1/0/3 uplink; GE1/0/1 to Host A 10::5/64, 0001-0203-0405; GE1/0/2 to Host B 10::6/64, 0001-0203-0607).
Configuration procedure
Configure Device A:
# Create VLAN 10.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] quit
# Configure GigabitEthernet 1/0/3 to trunk VLAN 10.
Step: Specify the role of the device attached to the port.
  Command: ipv6 nd raguard role { host | router }
  Remarks: By default, the role of the device attached to the port is not specified. Make sure your setting is consistent with the device type.
• Number of RA messages dropped on the interface. The RA guard logging feature sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see Network Management and Monitoring Configuration Guide.
Figure 144 Network diagram: Device A, VLAN 10, Device B (GE1/0/3, GE1/0/1, GE1/0/2), Device C, Host.
Configuration procedure
# Create an RA guard policy named policy1.
<DeviceB> system-view
[DeviceB] ipv6 nd raguard policy policy1
# Set the maximum router preference to high for the RA guard policy.
[DeviceB-raguard-policy-policy1] if-match router-preference maximum high
# Specify on as the M flag match criterion for the RA guard policy.
# Specify host as the role of the device attached to GigabitEthernet 1/0/1.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ipv6 nd raguard role host
[DeviceB-GigabitEthernet1/0/1] quit
# Specify router as the role of the device attached to GigabitEthernet 1/0/3.
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] ipv6 nd raguard role router
[DeviceB-GigabitEthernet1/0/3] quit
Verifying the configuration...
Configuring uRPF Overview Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.
255.255.255.255 might be a DHCP or BOOTP packet and cannot be discarded.) The packet is discarded if it has a non-broadcast destination address. uRPF proceeds to step 2 for other packets. uRPF checks whether the source address matches a unicast route: If yes, uRPF proceeds to step 3.
Enabling uRPF uRPF checks only incoming packets on interfaces. You can enable uRPF globally. Global uRPF takes effect on all interfaces of the device. Follow these guidelines when you enable uRPF: • uRPF is not supported on the LSUM1TGS48SG0(JH197A, JH205A) modules. •...
[SwitchB] ip urpf strict
Configure strict uRPF check on Switch A and allow using the default route for uRPF check.
<SwitchA> system-view
[SwitchA] ip urpf strict allow-default-route...
Configuring IPv6 uRPF Overview Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.
If no, IPv6 uRPF discards the packet. A non-unicast source address matches a non-unicast route. IPv6 uRPF checks whether the matching route is to the host itself: If yes, the output interface of the matching route is an InLoop interface. IPv6 uRPF checks ...
Enabling IPv6 uRPF IPv6 uRPF checks only incoming packets on interfaces. You can enable IPv6 uRPF globally. Global IPv6 uRPF takes effect on all interfaces of the device. Follow these guidelines when you enable IPv6 uRPF: • IPv6 uRPF is not supported on the LSUM1TGS48SG0(JH197A, JH205A) modules. •...
<SwitchB> system-view
[SwitchB] ipv6 urpf strict
Configure strict uRPF check on Switch A and allow using the default route for IPv6 uRPF check.
<SwitchA> system-view
[SwitchA] ipv6 urpf strict allow-default-route...
Configuring MFF Overview MAC-forced forwarding (MFF) implements Layer 2 isolation and Layer 3 communication between hosts in the same broadcast domain. An MFF-enabled device intercepts ARP requests and returns the MAC address of a gateway (or server) to the senders. In this way, the senders are forced to send packets to the gateway for traffic monitoring and attack prevention.
Basic concepts An MFF-enabled device has two types of ports: user port and network port. User port An MFF user port is directly connected to a host and processes the following packets differently: • Allows DHCP packets and multicast packets to pass. •...
MFF working mechanism
An MFF-enabled device implements Layer 3 communication between hosts by intercepting ARP requests from the hosts and replying with the MAC address of a gateway. This mechanism helps reduce the number of broadcast messages. The MFF device processes ARP packets as follows:
•...
Enabling periodic gateway probe
You can configure the MFF device to probe gateways every 30 seconds for MAC address changes by sending forged ARP packets. The ARP packets use 0.0.0.0 as the sender IP address and the bridge MAC address as the sender MAC address. This feature is supported by MFF manual mode.
Task: Display MFF port configuration.
  Command: display mac-forced-forwarding interface
Task: Display the MFF configuration for a VLAN.
  Command: display mac-forced-forwarding vlan vlan-id
MFF configuration examples
Manual-mode MFF configuration example in a tree network
Network requirements
As shown in Figure 154, all the devices are in VLAN 100. Hosts A, B, and C are assigned IP addresses manually.
[SwitchB-vlan100] mac-forced-forwarding default-gateway 10.1.1.100
# Specify the IP address of the server.
[SwitchB-vlan100] mac-forced-forwarding server 10.1.1.200
# Enable ARP snooping on VLAN 100.
[SwitchB-vlan100] arp snooping enable
[SwitchB-vlan100] quit
# Configure GigabitEthernet 1/0/2 as a network port.
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] mac-forced-forwarding network-port
Manual-mode MFF configuration example in a ring network
Network requirements...
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] mac-forced-forwarding network-port
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] mac-forced-forwarding network-port
Configure Switch B:
# Enable STP globally to make sure STP is enabled on interfaces.
[SwitchB] stp global enable
# Configure manual-mode MFF on VLAN 100.
[SwitchB] vlan 100
[SwitchB-vlan100] mac-forced-forwarding default-gateway 10.1.1.100
# Specify the IP address of the server.
Configuring FIPS Overview Federal Information Processing Standards (FIPS) was developed by the National Institute of Standards and Technology (NIST) of the United States. FIPS specifies the requirements for cryptographic modules. FIPS 140-2 defines four levels of security, named Level 1 to Level 4, from low to high.
e. Delete the local user and configure a new local user. Local user attributes include password, user role, and service type.
f. Save the current configuration file.
g. Specify the current configuration file as the startup configuration file.
h. Reboot the device. The new configuration takes effect after the reboot. During this process, do not exit the system or perform other operations.
A username.
A password that complies with the password control policies as described in step 2 and step
A user role of network-admin or mdc-admin.
A service type of terminal.
Delete the FIPS-incompliant local user service types Telnet, HTTP, and FTP.
Enable FIPS mode.
The password for a device management local user and password for switching user roles depend on password control policies. By default, the passwords must contain at least 15 characters and 4 character types of uppercase and lowercase letters, digits, and special characters.
NOTE: If a self-test fails, contact Hewlett Packard Enterprise Support.
Power-up self-tests
The power-up self-test examines the availability of FIPS-allowed cryptographic algorithms. The device supports the following types of power-up self-tests:
• Known-answer test (KAT)
A cryptographic algorithm is run on data for which the correct output is already known. The calculated output is compared with the known answer.
• Continuous random number generator test—This test is run when a random number is generated. Each subsequent generation of a random number will be compared with the previously generated number. The test fails if any two compared numbers are the same. This test can also be run when a DSA/RSA asymmetrical key-pair is generated.
Verifying the configuration After the device reboots, enter a username of root and a password of 12345zxcvb!@#$%ZXCVB. The system prompts you to configure a new password. After you configure the new password, the device enters FIPS mode. The new password must be different from the previous password. It must include at least 15 characters, and contain uppercase and lowercase letters, digits, and special characters.
# Set the minimum length of user passwords to 15 characters.
[Sysname] password-control length 15
# Add a local user account for device management, including a username of test, a password of 12345zxcvb!@#$%ZXCVB, a user role of network-admin, and a service type of terminal.
[Sysname] local-user test class manage
[Sysname-luser-manage-test] password simple 12345zxcvb!@#$%ZXCVB
[Sysname-luser-manage-test] authorization-attribute user-role network-admin...
…
<Sysname>
# Display the FIPS mode state.
<Sysname> display fips status
FIPS mode is enabled.
Exiting FIPS mode through automatic reboot
Network requirements
A user has logged in to the device in FIPS mode through a console port. Use the automatic reboot method to exit FIPS mode.
Configuration procedure
# Disable FIPS mode.
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
flash:/startup.cfg exists, overwrite? [Y/N]:y
Validating file. Please wait...
Saved the current configuration to mainboard device successfully.
Slot 1:
Save next configuration file successfully.
Configuring MACsec Overview Media Access Control Security (MACsec) secures data communication on IEEE 802 LANs. MACsec provides services such as data encryption, frame integrity check, and data origin validation for frames on the MAC sublayer of the Data Link Layer. Basic concepts Connectivity association (CA) is a group of participants that use the same key and key algorithm.
MACsec applications MACsec supports the following application modes: • Client-oriented mode—Secures data transmission between the client and the access device. The client can be a user terminal seeking access to the LAN or a device that supports the 802.1X client feature. In this mode, the authentication server generates and distributes the CAK to the client and the access device.
Operating mechanism for device-oriented mode As shown in Figure 159, the devices use the configured preshared keys to start the session negotiation. In this mode, the session negotiation, secure communication, and session termination processes are the same as the processes in client-oriented mode. However, MACsec performs a key server selection in this mode.
• In client-oriented mode, do not enable the spanning tree feature on MACsec-enabled ports. For information about spanning tree commands, see Layer 2–LAN Switching Command Reference. • MACsec is not supported on an aggregate interface, but it is supported on the member ports of an aggregation group.
Enabling MACsec desire The MACsec desire feature expects MACsec protection for outbound frames. The key server determines whether MACsec protects the outbound frames. MACsec protects the outbound frames of a port when the following requirements are met: • The key server is MACsec capable. •...
Configuring the MKA key server priority Configure an MKA key server priority for key server selection. The lower the priority value, the higher the priority. In client-oriented mode, the access device port automatically becomes the key server. You do not have to configure the MKA key server priority.
Step: Set the MACsec confidentiality offset.
  Command: macsec confidentiality-offset offset-value
  Remarks: The default setting is 0, and the entire frame needs to be encrypted. The offset value can be 0, 30, or
Configuring MACsec replay protection
The MACsec replay protection feature allows a MACsec port to accept a number of out-of-order or repeated inbound frames.
Configuring MACsec protection parameters by MKA policy
Configuring an MKA policy
Step: Enter system view.
  Command: system-view
Step: Create an MKA policy and
  Command: mka policy policy-name...
  Remarks: By default, a system-defined MKA policy exists. The policy name is default-policy. The settings for parameters in the default policy are the same as the default settings for the parameters
Step: Enter interface view.
  Command: interface interface-type interface-number
Step: Apply an MKA policy.
  Command: mka apply policy policy-name
  Remarks: By default, no MKA policy is applied to the port.
Enabling MKA session logging
Overview
This feature enables the device to generate logs for MKA session changes, such as peer aging and SAK updates.
MACsec configuration examples Client-oriented MACsec configuration example (host as client) Network requirements As shown in Figure 160, the host accesses the network through GigabitEthernet 1/0/1. The device performs RADIUS-based 802.1X authentication for the host to control user access to the Internet. To ensure secure communication between the host and device, perform the following tasks on the device: •...
[Device-isp-bbb] authorization lan-access radius-scheme radius1
[Device-isp-bbb] accounting lan-access radius-scheme radius1
[Device-isp-bbb] quit
Configure 802.1X:
# Enable 802.1X on GigabitEthernet 1/0/1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] dot1x
# Implement port-based access control on GigabitEthernet 1/0/1.
[Device-GigabitEthernet1/0/1] dot1x port-method portbased
# Specify bbb as the mandatory authentication domain for 802.1X users on GigabitEthernet 1/0/1.
Cipher suite : GCM-AES-128
Transmit secure channel: 00E00100000A0006
  Elapsed time: 00h:02m:07s
  Current SA : AN 0 PN 1
Receive secure channels: 00E0020000000106
  Elapsed time: 00h:02m:03s
  Current SA : AN 0 LPN 1
  Previous SA : AN N/A LPN N/A
# Display MKA session information on GigabitEthernet 1/0/1 after a user logs in.
• Configure the 802.1X client feature, so that the switch acts as an 802.1X client and can use 802.1X-generated CAKs for MACsec.
Figure 161 Network diagram: Switch (802.1X client), Device, RADIUS server; links GE1/0/2 (VLAN 2, Permit: VLAN 1,2) and GE1/0/3 (VLAN 3, Permit: VLAN 1,3).
Configuration procedure...
[Switch-GigabitEthernet1/0/2] mka enable
[Switch-GigabitEthernet1/0/2] quit
# Create VLAN 3.
[Switch] vlan 3
[Switch-vlan3] quit
# Configure GigabitEthernet 1/0/3 as a trunk port, and assign the port to VLAN 3.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type trunk
[Switch-GigabitEthernet1/0/3] port trunk permit vlan 3
# Configure the 802.1X client username as bbbb, and set the password to 654321 in plaintext form on GigabitEthernet 1/0/3.
Protect frames : Yes
Replay protection : Enabled
Replay window size : 0 frames
Confidentiality offset : 0 bytes
Validation mode : Check
Included SCI : No
SCI conflict : No
Cipher suite : GCM-AES-128
Transmit secure channel: A087100801000103
  Elapsed time: 00h:00m:55s
  Current SA : AN 0...
CKN for participant: 7B8784F16F85ED8F9D0130AA9B93D0F0
Key server : No
MI (MN) : D3F6D374598C8FD1F1819D6C (78)
Live peers
Potential peers
Principal actor : Yes
MKA session status : Secured
Confidentiality offset: 0 bytes
Current SAK status : Rx & Tx
Current SAK AN
Current SAK KI (KN) : FCA71854FCAE51398EC2DA7900000001 (1)
Previous SAK status...
[DeviceA-GigabitEthernet1/0/1] macsec confidentiality-offset 30
# Enable MACsec replay protection.
[DeviceA-GigabitEthernet1/0/1] macsec replay-protection enable
# Set the MACsec replay protection window size to 100.
[DeviceA-GigabitEthernet1/0/1] macsec replay-protection window-size 100
# Set the MACsec validation mode to strict.
[DeviceA-GigabitEthernet1/0/1] macsec validation mode strict
# Enable MKA on GigabitEthernet 1/0/1.
Elapsed time: 00h:05m:00s
Current SA : AN 0 PN 1
Receive secure channels: 00E0020000000106
  Elapsed time: 00h:03m:18s
  Current SA : AN 0 LPN 1
  Previous SA : AN N/A LPN N/A
# Display MKA session information on GigabitEthernet 1/0/1 of Device A.
[DeviceA] display mka session interface gigabitethernet 1/0/1 verbose
Interface GigabitEthernet1/0/1
Tx-SCI...
Current SA : AN 0 LPN 1
Previous SA : AN N/A LPN N/A
# Display MKA session information on GigabitEthernet 1/0/1 of Device B.
[DeviceB] display mka session interface gigabitethernet 1/0/1 verbose
Interface GigabitEthernet1/0/1
Tx-SCI : 00E0020000000106
Priority : 10
Capability: 3
CKN for participant: E9AC
Key server...
If a preshared key is not configured or the preshared key is different from the peer, use the mka psk command to configure a preshared key. Make sure the preshared key is the same as the preshared key on the peer. If the problem persists, contact Hewlett Packard Enterprise Support.
Configuring 802.1X client
As shown in Figure 163, the 802.1X client feature allows the access device to act as the supplicant in the 802.1X architecture. For information about the 802.1X architecture, see "802.1X overview."
Figure 163 802.1X client network diagram: Supplicant, Authenticator, Authentication server...
Configuring an 802.1X client username and password
An 802.1X client-enabled device uses the configured username and password for 802.1X authentication. Make sure the username and password configured on the device are consistent with the username and password configured on the authentication server. If any inconsistency occurs, the device cannot pass 802.1X authentication to access the network.
Specifying an 802.1X client EAP authentication method
An 802.1X client-enabled device supports the following EAP authentication methods:
• MD5-Challenge.
• PEAP-MSCHAPv2.
• PEAP-GTC.
• TTLS-MSCHAPv2.
• TTLS-GTC.
An 802.1X authenticator supports both the EAP relay and EAP termination modes. Support of the EAP authentication methods for the two modes varies.
Do not configure the 802.1X client anonymous identifier if the vendor-specific authentication server cannot identify anonymous identifiers.
To configure an 802.1X client anonymous identifier on an interface:
Step: Enter system view.
  Command: system-view
Step: Enter Ethernet interface view.
  Command: interface interface-type interface-number
Step: Configure an 802.1X client anonymous identifier.
  Command: dot1x supplicant anonymous...
Configuring Web authentication Overview Web authentication is deployed on Layer 2 Ethernet interfaces of the access device to control user access to networks. The access device redirects unauthenticated users to the website provided by the local portal Web server. The users can access the resources on the website without authentication.
Local portal Web server
The access device acts as the local portal Web server. The local portal Web server pushes the Web authentication page to authentication clients and forwards user authentication information (username and password) to the AAA module of the access device. For more information about AAA, see "Configuring AAA."...
To deploy Web authentication on a trunk or hybrid port, make sure the port PVID, the authorization VLAN ID, and the user VLAN ID are the same. Auth-Fail VLAN An Auth-Fail VLAN is a VLAN assigned to users who fail authentication. The Auth-Fail VLAN provides network resources such as the patch server, virus definitions server, client software server, and anti-virus software server to the users.
Configuration prerequisites The device supports two methods for Web authentication, which are local authentication and RADIUS authentication. To use the local authentication method, configure usernames and passwords on the access device. User authentication is performed on the access device directly. When using the RADIUS authentication method, the device acts as a RADIUS client and cooperates with the RADIUS server to perform authentication for users.
Enabling Web authentication
For Web authentication to operate correctly, do not enable port security or configure the port security mode on the Layer 2 Ethernet interface enabled with Web authentication.
To enable Web authentication:
Step: Enter system view.
  Command: system-view
Step: Enter interface view.
  Command: interface interface-type
Step: Enter system view.
  Command: system-view
Step: Create a Web authentication server and enter its view.
  Command: web-auth server server-name
  Remarks: By default, no Web authentication servers exist.
Step: Set the redirection wait time.
  Command: redirect-wait-time period
  Remarks: By default, the redirection wait time is 5 seconds.
Configuring a Web authentication-free subnet
You can configure a Web authentication-free subnet so that users can freely access the network resources in the subnet without being authenticated.
To avoid invalid detection, make sure the detection interval is less than or equal to the aging time of MAC address entries.
To configure online Web authentication user detection:
Step: Enter system view.
  Command: system-view
Step: Enter interface view.
  Command: interface interface-type interface-number
Step: Enable online Web authentication user detection.
  Remarks: By default, online Web...
• Configure authentication-free rules to allow user packets destined for the IP address of the WPAD server to pass without authentication. For Web authentication to support Web proxy: • You must add the port numbers of the Web proxy servers on the device. •...
Figure 166 Network diagram: Host (2.2.2.2/24) connected through GE1/0/1 to Device (Vlan-int100 2.2.2.1/24, Loop0 20.20.0.1/24), which connects to the Internet.
Configuration prerequisites
• Assign IP addresses to the host and the device as shown in Figure 166, and make sure the host and the device can reach each other.
•...
[Device] web-auth server user
# Configure the redirection URL for the Web authentication server as http://20.20.0.1/portal/.
[Device-web-auth-server-user] url http://20.20.0.1/portal/
# Specify 20.20.0.1 as the IP address and 80 as the port number for the Web authentication server.
[Device-web-auth-server-user] ip 20.20.0.1 port 80
[Device-web-auth-server-user] quit
# Specify ISP domain local as the Web authentication domain.
Figure 167 Network diagram: Host (2.2.2.2/24) connected through GE1/0/1 to Device (Vlan-int100 2.2.2.1/24, Vlan-int2 192.168.0.100/24, Loop0 20.20.0.1/24); RADIUS server 192.168.0.112/24; Internet.
Configuration prerequisites
• Assign IP addresses to the host, the device, and the RADIUS server as shown in Figure 167 and make sure they can reach each other.
•...
# Configure a local portal Web server to use HTTP to exchange authentication information with clients.
[Device] portal local-web-server http
# Specify the file abc.zip as the default authentication page file for the local portal Web server. (This file must exist in the root directory of the storage medium.)
[Device-portal-local-websvr-http] default-logon-page abc.zip
# Specify 80 as the port number on which the portal Web server listens for HTTP.
The output of the display this command shows that the Web authentication settings have been configured correctly, including the local user, the Web authentication server, the authentication domain, and the loopback and VLAN interface settings. The output of the display this command also shows that Web authentication is enabled on both the user access interface and the RADIUS server-facing interface.
Configuring triple authentication Overview Triple authentication enables an access port to perform Web, MAC, and 802.1X authentication. A terminal can access the network if it passes one type of authentication. Triple authentication is suitable for a LAN that comprises terminals that require different authentication services, as shown in Figure 168.
terminal. If the terminal fails 802.1X authentication, the user stays online as a MAC authentication user, and only 802.1X authentication can be triggered again. • If the terminal first passes 802.1X or Web authentication, the other types of authentication are terminated immediately and cannot be triggered again.
Authorization ACL After a user passes authentication, the authentication server assigns an authorization ACL to the access port for the user. The access port uses the ACL to filter traffic for the user. To use ACL assignment, you must specify authorization ACLs on the authentication server and configure the ACLs on the access device.
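Authorization ACL assignment rides on the RADIUS exchange: the server returns the ACL identifier in an Access-Accept, and the access device must confirm that the response is authentic before it applies the ACL to the port. The following Python is an added example, not part of this guide or of the device software. It assumes the ACL identifier is carried in the standard Filter-Id attribute (type 11, RFC 2865); the shared secret, request authenticator and ACL number are constructed sample values.

```python
"""Build and verify a RADIUS Access-Accept that carries an authorization ACL
in the Filter-Id attribute (RFC 2865). Added example; the Filter-Id
convention and all sample values are assumptions for illustration."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_FILTER_ID = 11  # assumed attribute used to carry the ACL identifier


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """RFC 2865 attribute TLV: Type(1) Length(1, header included) Value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(payload: bytes) -> list:
    """Walk the attribute area, rejecting truncated or zero-length TLVs."""
    attrs = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, payload[i + 2:i + length]))
        i += length
    return attrs


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, acl_id: str) -> bytes:
    """Server side: Access-Accept with Filter-Id = ACL identifier."""
    attrs = encode_attribute(ATTR_FILTER_ID, acl_id.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_authenticator: bytes,
                    secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator over the packet."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def authorized_acl(packet: bytes, request_authenticator: bytes, secret: bytes):
    """Return the ACL identifier the server assigned, or None when the packet
    is not an authentic Access-Accept or carries no Filter-Id. An unverified
    packet is never trusted, so a forged ACL assignment is discarded."""
    if not verify_response(packet, request_authenticator, secret):
        return None
    if packet[0] != ACCESS_ACCEPT:
        return None
    for attr_type, value in parse_attributes(packet[20:]):
        if attr_type == ATTR_FILTER_ID:
            return value.decode(errors="replace")
    return None


if __name__ == "__main__":
    # Constructed sample values; a real NAS keeps the request authenticator
    # it sent in the matching Access-Request.
    req_auth = bytes(range(16))
    secret = b"constructed-secret"
    pkt = build_access_accept(7, req_auth, secret, "3000")
    print("assigned ACL:", authorized_acl(pkt, req_auth, secret))
    print("with wrong secret:", authorized_acl(pkt, req_auth, b"wrong"))
```

The device-side check matters because the ACL travels in the clear: only the Response Authenticator, keyed with the shared secret, ties the assignment to the server. The example also shows the attribute being ignored when the authenticator fails, which is the behaviour a defender wants rather than a best-effort parse.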
• Use the remote RADIUS server to perform authentication, authorization, and accounting. Configure the device to send usernames carrying no ISP domain names to the RADIUS server. • Configure the local Web authentication server on the device to use listening IP address 4.4.4.4. Configure the device to send a default authentication page to the Web user and forward authentication data by using HTTP.
[Device] web-auth server webserver
# Configure the redirection URL for the Web authentication server as http://4.4.4.4/portal/.
[Device-web-auth-server-webserver] url http://4.4.4.4/portal/
# Set the IP address and port number of the Web authentication server to 4.4.4.4 and 80.
[Device-web-auth-server-webserver] ip 4.4.4.4 port 80
[Device-web-auth-server-webserver] quit
# Enable Web authentication on GigabitEthernet 1/0/1, and specify the Web authentication server webserver for the port.
# Configure domain triple as the default domain. If a username entered by a user includes no ISP domain name, the AAA method of the default domain is used.
[Device] domain default enable triple

Verifying the configuration

Verify that the Web user can pass Web authentication.
# On the Web user terminal, use a Web browser to access an external network and then enter the correct username and password on the authentication page http://4.4.4.4/portal/logon.html.
Figure 170 Network diagram: Device with Loop0 4.4.4.4/32, Vlan-int1 1.1.1.1/24, Vlan-int2 2.2.2.1/24, Vlan-int3 3.3.3.1/24, Vlan-int8 192.168.1.1/24; 802.1X client, Web user, and printer attached through GE1/0/1; update server 2.2.2.2/24; RADIUS server 1.1.1.2/24; IP network

Configuration prerequisites and guidelines

• Make sure the terminals, the servers, and the device can reach each other.
•...
[Device-dhcp-pool-1] quit
# Configure DHCP address pool 2 to assign IP addresses and other configuration parameters to clients on subnet 2.2.2.0.
[Device] dhcp server ip-pool 2
[Device-dhcp-pool-2] network 2.2.2.0 mask 255.255.255.0
[Device-dhcp-pool-2] expired day 0 hour 0 minute 1
[Device-dhcp-pool-2] gateway-list 2.2.2.1
[Device-dhcp-pool-2] quit
# Configure DHCP address pool 3 to assign IP addresses and other configuration parameters to clients on subnet 3.3.3.0.
[Device-GigabitEthernet1/0/1] quit
Configure 802.1X authentication:
# Enable 802.1X authentication globally.
[Device] dot1x
# Enable 802.1X authentication (MAC-based access control required) on GigabitEthernet 1/0/1, and specify VLAN 2 as the Auth-Fail VLAN.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] dot1x port-method macbased
[Device-GigabitEthernet1/0/1] dot1x
[Device-GigabitEthernet1/0/1] dot1x auth-fail vlan 2
[Device-GigabitEthernet1/0/1] quit
Configure MAC authentication:...
# Use the display web-auth user command to display information about online users.
[Device] display web-auth user
Total online web-auth users: 1
User Name: userpt
MAC address: 6805-ca17-4a0b
Access interface: GigabitEthernet1/0/1
Initial VLAN: 14
Authorization VLAN: 3
Authorization ACL ID: N/A
Authorization user profile: N/A
Verify that the printer can pass MAC authentication.
Authorization untagged VLAN: 3
Authorization tagged VLAN list: N/A
Authorization VSI: N/A
Authorization ACL ID: N/A
Authorization user profile: N/A
Authorization URL: N/A
Termination action: Default
Session timeout period: N/A
Online from: 2015/01/04 18:13:01
Online duration: 0h 0m 14s
Verify that users that pass authentication have been assigned authorization VLANs.
# Display MAC-VLAN entries of online users.
Document conventions and icons

Conventions

This section describes the conventions used in the documentation.

Command conventions

Convention    Description
Boldface      Bold text represents commands and keywords that you enter literally as shown.
Italic        Italic text represents arguments that you replace with actual values.
[ ]           Square brackets enclose syntax choices (keywords or arguments) that are optional.
Network topology icons

Convention    Description
(icon)        Represents a generic network device, such as a router, switch, or firewall.
(icon)        Represents a routing-capable device, such as a router or Layer 3 switch.
(icon)        Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Support and other resources

Accessing Hewlett Packard Enterprise Support

• For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance
• To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc

Information to collect

•...
For more information and device support details, go to the following website: www.hpe.com/info/insightremotesupport/docs

Documentation feedback

Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
AAA LDAP scheme, local portal Web server, AAA LDAP server SSH user authentication, MAC authentication, 145, 157 MAC authentication (local), AAA LDAP server timeout period, MAC authentication (RADIUS-based), AAA local guest management, MAC authentication ACL assignment, AAA local user, MAC authentication authorization VSI assignment, AAA MPLS L3VPN implementation, AAA RADIUS accounting server parameters, MAC authentication configuration,...
SSH Secure Telnet server connection re-DHCP portal authentication configuration, establishment based on Suite B, re-DHCP portal authentication+preauthentication SSH Secure Telnet server enable, domain configuration, SSH server configuration, troubleshooting portal authentication users cannot log in (re-DHCP), SSH SFTP client, dictionary SSH SFTP client configuration (publickey authentication-enabled), attack D&P login delay, SSH SFTP configuration,...
AAA RADIUS, Web authentication domain, AAA RADIUS users/clients, Don't Fragment bit. See DF bit ARP attack detection, ARP attack detection (source MAC-based), attack D&P login attack prevention, attack D&P login DoS attack, ARP attack protection (unresolvable IP attack), IPsec IKE DPD, attack D&P, IPsec IKEv2 DPD, FIPS,...
802.1X authentication, protocols and standards, 802.1X configuration, 112, 126 scheme configuration, MAC authentication, scheme creation, MAC authentication configuration, scheme VPN instance, guest VSI shared keys, 802.1X authentication, SSH user local authentication+HWTACACS authorization+RADIUS accounting, 802.1X configuration, 116, 130 timer set), MAC authentication, traffic statistics units, MAC authentication configuration, troubleshooting,...
NAT keepalive configuration, importing negotiation, peer host public key from file, PFS, PKI certificate import/export configuration, profile configuration, public key from file, proposal configuration, SSH client host public key, protocols and standards, troubleshooting PKI CA certificate import failure, SA max, troubleshooting PKI local certificate import failure, security mechanism, SNMP notification,...
attack D&P blacklist, IKE identity authentication, attack D&P IP blacklist, 475, 486 IKE invalid SPI recovery, authorized ARP configuration (DHCP relay IKE IPv4 address pool, agent), IKE keepalive, authorized ARP configuration (DHCP server), IKE keychain configuration, IKE NAT keepalive, IPv6 uRPF configuration, 545, 548 IKE negotiation, MFF server IP address,...
source interface policy bind, portal authentication server, transform set configuration, portal authentication Web server, troubleshoot IKE, source guard. See IPv6 source guard troubleshoot IKE negotiation failure (no SSH SCP client device, proposal match), SSH SCP server connection establishment, troubleshoot IKE negotiation failure (no SSH SCP server connection establishment based proposal or keychain specified correctly), on Suite B,...
MAC authentication multi-VLAN mode, MAC address port limit per VLAN, MACsec protection parameter (interface view), MAC authentication, MAC move enable, MACsec protection parameter (MKA policy), MAC+802.1X authentication, mode set, MFF network port, 551, 552 NAS-ID profile application, MFF user port, NTK configuration, portal authentication configuration, 167, 174,...
extended cross-subnet configuration, troubleshoot users logged out still exist on server, extended direct configuration, types, extended functions, user access control, extended re-DHCP configuration, user online detection, fail-permit configuration, user setting max, file name rules, user synchronization configuration, filtering rules, Web redirect configuration, HTTPS redirect, Web server, interface NAS-ID profile,...
MAC authentication authorization VSI MACsec MKA key server priority, assignment, MACsec preshared key, MAC authentication concurrent port users MACsec protection parameter (interface view), max, MAC authentication configuration, MACsec protocols and standards, MAC authentication configuration restrictions, MACsec secure association (SA), MACsec secure association key (SAK), MAC authentication critical VLAN, MACsec services, MAC authentication critical voice VLAN,...
peer host public key import from file, portal authentication enable restrictions, periodic MAC reauthentication, portal authentication fail-permit, PKI applications, portal authentication filtering rules, PKI architecture, portal authentication HTTPS redirect, PKI CA policy, portal authentication local portal Web server, 169, PKI certificate export, portal authentication local portal Web server PKI certificate import/export configuration, configuration,...
SSH local key pair configuration restrictions, SSH SFTP server connection establishment, SSH SFTP server connection establishment SSH management parameters, based on Suite B, SSH SCP client device, SSH SFTP server connection termination, SSH SFTP server enable, SSH SCP client local key pair generation, SSH SCP configuration, SSH user configuration, SSH SCP configuration (Suite B),...
troubleshooting PKI local certificate import AAA RADIUS server configuration activation, failure, AAA RADIUS server feature, troubleshooting PKI local certificate request AAA RADIUS server load sharing, failure, local portal Web server, troubleshooting PKI storage path set failure, MAC authentication server timeout timer, MACsec MKA key server priority, uRPF configuration, 540, 543...
AAA RADIUS server status, AAA RADIUS notifications, AAA RADIUS timer, IPsec IKE SNMP notification, AAA RADIUS traffic statistics unit, IPsec SNMP notification, AAA RADIUS username format, SNMP notifications IPsec IKE SA max, enable (port security), IPsec packet DF bit set, source IPsec tunnel max, ARP attack detection (source MAC-based),...
portal preauthentication domain, SCP file transfer+password authentication, portal user preauthentication IP address pool, SCP server connection establishment, SCP server connection establishment based on SSH Secure Telnet packet source IP address, Suite B, SCP server enable, SSH server PKI domain, Secure Copy. Use SSH server port, Secure FTP.
SSH2 algorithms (public key), cross-subnet portal authentication configuration for MPLS L3VPN, support for Suite B, extended cross-subnet portal authentication user configuration, configuration, user configuration restrictions, portal authentication cross-subnet mode, versions, portal authentication destination subnet, X.509v3 certificate, portal authentication direct/cross-subnet SSH2 authentication process (CHAP/PAP algorithms, authentication),...
attack D&P TCP fragment attack prevention, configuration, Naptha attack prevention, attack D&P user blacklist, Telnet attack D&P user blacklist configuration, SSH Secure Telnet client configuration (password FIPS configuration, 557, 562 authentication-enabled), FIPS mode configuration, SSH Secure Telnet client configuration (publickey authentication-enabled), FIPS mode entry (automatic reboot), SSH Secure Telnet client device,...
MFF configuration (manual-mode in ring failure to come online (local authentication network), interface using the default ISP domain), MFF configuration (manual-mode in tree failure to come online (Web authentication network), configuration correct), traffic IPsec IKE, AAA HWTACACS traffic statistics units, IPsec IKE negotiation failure (no proposal match), AAA RADIUS traffic statistics units, IPsec IKE negotiation failure (no proposal or...
IPsec RIPng configuration, ARP packet ingress port ignore (ARP attack detection user validity check), IPsec RRI, attack D&P user blacklist, 476, 486 IPsec RRI configuration, direct portal authentication+preauthentication IPsec tunnel establishment, domain configuration, troubleshooting IPsec SA negotiation failure MAC authentication user logging enable, (tunnel failure), port security client userLoginWithOUI, port security user logging enable,...
password event logging, 802.1X guest VLAN configuration, password expiration, 266, 266 802.1X VLAN manipulation, password expiration early notification, 802.1X VSI manipulation, password expired login, 802.1X+ACL assignment configuration, password history, IP source guard (IPSG) configuration, 497, 499, password max user account idle time, IPv6 ND attack defense configuration, password not displayed, IPv6 ND attack defense RA guard configuration,...
MAC authentication critical VSI, Web authentication configuration, 594, 599 MAC authentication critical VSI configuration, Web authentication system components, Web authentication using the local authentication MAC authentication guest VSI, 142, 152 server, MAC authentication manipulation, Web authentication using the RADIUS authentication server, VXLAN Web authentication 802.1X,...
port security client userLoginWithOUI, port security configuration, 240, 243, 255 port security MAC address autoLearn, working with SSH SFTP directories, SSH SFTP files, X.500 AAA LDAP implementation,...