HP 5500 HI Series Configuration Manual

Security
HP 5500 HI Switch Series
Security

Configuration Guide

Part number: 5998-2383
Software version: Release 5203 and Release 5206
Document version: 6W102-20140228

Summary of Contents for HP 5500 HI Series

  • Page 1: Configuration Guide

    HP 5500 HI Switch Series Security Configuration Guide Part number: 5998-2383 Software version: Release 5203 and Release 5206 Document version: 6W102-20140228...
  • Page 2 The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
  • Page 3: Table Of Contents

    Contents: Configuring AAA; AAA overview; RADIUS; HWTACACS; Domain-based user management; RADIUS server feature of the switch; AAA for MPLS L3VPNs...
  • Page 4 EAP relay; EAP termination; Configuring 802.1X; HP implementation of 802.1X; Access control methods; Using 802.1X authentication with other features; Configuration prerequisites...
  • Page 5 Verifying the configuration; 802.1X with ACL assignment configuration example; Network requirements; Configuration procedure; Verifying the configuration; Configuring EAD fast deployment; Overview...
  • Page 6 Portal stateful failover; Portal authentication across VPNs; Portal configuration task list; Configuration prerequisites; Specifying the portal server; Specifying the local portal server for Layer 2 portal authentication...
  • Page 7 Triple authentication supporting VLAN assignment and Auth-Fail VLAN configuration example; Configuring port security; Overview; Port security features; Port security modes; Working with guest VLAN and Auth-Fail VLAN...
  • Page 8 Configuring the HABP server; Configuring an HABP client; Displaying and maintaining HABP; HABP configuration example; Managing public keys; Overview; FIPS compliance...
  • Page 9 Protocols and standards; FIPS compliance; Configuring IPsec; Implementing ACL-based IPsec; Feature Restrictions; ACL-based IPsec configuration task list; Configuring ACLs; Configuring an IPsec proposal...
  • Page 10 Configuring an SSH user; Setting the SSH management parameters; Setting the DSCP value for packets sent by the SSH server; Configuring the switch as an SSH client; SSH client configuration task list...
  • Page 11 Enabling the SYN Cookie feature; Displaying and maintaining TCP attack protection; Configuring IP source guard; Overview; Static IP source guard entries; Dynamic IP source guard binding entries...
  • Page 12 User validity check configuration example; User validity check and ARP packet validity check configuration example; ARP restricted forwarding configuration example; Configuring ARP automatic scanning and fixed ARP; Configuration guidelines...
  • Page 13 Network requirements; Configuration procedure; Verifying the configuration; Support and other resources; Contacting HP; Subscription service; Related information; Documents...
  • Page 14: Configuring Aaa

    Configuring AAA

    AAA overview

    Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It can provide the following security functions:
      • Authentication—Identifies users and determines whether a user is valid.
      • Authorization—Grants different users different rights and controls their access to resources and...
  • Page 15: Radius

    RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required. RADIUS uses UDP as the transport protocol.
  • Page 16 Figure 3 Basic RADIUS message exchange process RADIUS operates in the following manner: The host initiates a connection request that carries the user’s username and password to the RADIUS client. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted by using the Message-Digest 5 (MD5) algorithm and the shared key.
  • Page 17 Figure 4 RADIUS packet format Descriptions of the fields are as follows: • The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the possible values and their meanings. Table 1 Main values of the Code field Code Packet type Description...
  • Page 18 The Attributes field (variable in length) carries the specific authentication, authorization, and accounting information that defines the configuration details of the request or response. This field may contain multiple attributes, each with three sub-fields: Type—(1 byte long) Type of the attribute. It is in the range of 1 to 255. Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868.
  • Page 19 Vendor-ID—Indicates the ID of the vendor. Its most significant byte is 0, and the other three bytes contain a code that is compliant with RFC 1700. For more information about the proprietary RADIUS sub-attributes of HP, see "HP proprietary RADIUS sub-attributes."...
  • Page 20: Hwtacacs

    Figure 5 Segment of a RADIUS packet containing an extended attribute Type Length Vendor-ID Vendor-ID (continued) Vendor-Type Vendor-Length Vendor-Data (Specified attribute value……) …… HWTACACS HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server.
  • Page 21 Figure 6 Basic HWTACACS message exchange process for a Telnet user Host HWTACACS client HWTACACS server 1) The user logs in 2) Start-authentication packet 3) Authentication response requesting the username 4) Request for username 5) The user inputs the username 6) Authentication continuance packet with the username 7) Authentication response requesting the login...
  • Page 22: Domain-Based User Management

    The user enters the password. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that carries the login password. The HWTACACS server sends back an authentication response to indicate that the user has passed authentication. The HWTACACS client sends a user authorization request packet to the HWTACACS server.
  • Page 23: Radius Server Feature Of The Switch

      • Portal users—Users who must pass portal authentication to access the network.

    In addition, AAA provides the following services for login users to enhance switch security:
      • Command authorization—Enables the NAS to defer to the authorization server to determine whether a command entered by a login user is permitted for the user, making sure that login users execute only commands they are authorized to execute.
  • Page 24: Aaa For Mpls L3Vpns

    A RADIUS server running the standard RADIUS protocol listens on UDP port 1812 for authentication requests, but an HP switch listens on UDP port 1645 instead when acting as the RADIUS server. Be sure to specify 1645 as the authentication port number on the RADIUS client when you use an HP switch as the RADIUS server.
  • Page 25: Radius Attributes

    Maximum idle time permitted for the user before termination of the session. User identification that the NAS sends to the server. For the LAN access service Calling-Station-Id provided by an HP device, this attribute carries the MAC address of the user in the format HHHH-HHHH-HHHH. NAS-Identifier...
  • Page 26 Access-Requests. This attribute is used when RADIUS supports EAP authentication. NAS-Port-Id String for describing the port of the NAS that is authenticating the user. HP proprietary RADIUS sub-attributes Sub-attribute Description Input-Peak-Rate Peak rate in the direction from the user to the NAS, in bps.
  • Page 27 Sub-attribute Description Remaining, available total traffic of the connection, in different units for Remanent_Volume different server types. Operation for the session, used for session control. It can be: • 1—Trigger-Request. • 2—Terminate-Request. Command • 3—SetPolicy. • 4—Result. • 5—PortalClear. Identification for retransmitted packets. For retransmitted packets of the same session, this attribute must take the same value.
  • Page 28: Fips Compliance

    Sub-attribute Description Output-Interval-Gigawords Result of bytes output within an accounting interval divided by 4G bytes. Backup-NAS-IP Backup source IP address for sending RADIUS packets. Product_ID Product name. FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
  • Page 29: Configuring Aaa Schemes

    Table 4 AAA configuration task list Task Remarks Configuring local users Required. Configuring AAA Configuring RADIUS schemes schemes Complete at least one task. Configuring HWTACACS schemes Creating an ISP domain Required. Configuring ISP domain attributes Optional. Configuring AAA authentication methods for Configuring AAA an ISP domain methods for ISP domains...
  • Page 30 Validity time and expiration time. • Indicates the validity time and expiration time of a local user account. A user must use a valid local user account to pass local authentication. For temporary network access requirements, you can create a guest account and specify a validity time and an expiration time for the account to control the validity of the account.
  • Page 31 If the user interface authentication mode (set by the authentication-mode command in user interface view) is AAA (scheme), which commands a login user can use after login depends on the privilege level authorized to the user. If the user interface authentication mode is password (password) or no authentication (none), which commands a login user can use after login depends on the level configured for the user interface (set by the user privilege level command in user interface view).
  • Page 32 Step Command Remarks Optional. By default, there is no limit to the Set the maximum number of maximum number of concurrent concurrent users of the local access-limit max-user-number users of a local user account. user account. The limit is effective only for local accounting, and is not effective for FTP users.
  • Page 33 Configuring user group attributes User groups simplify local user configuration and management. A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized user attributes management for the local users in the group.
  • Page 34: Configuring Radius Schemes

    Task: Display the user group configuration information.
    Command: display user-group [ group-name ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

    Configuring RADIUS schemes

    A RADIUS scheme specifies the RADIUS servers that the switch can cooperate with and defines a set of parameters that the switch uses to exchange information with the RADIUS servers.
  • Page 35 Step Command Remarks Enter system view. system-view Create a RADIUS scheme and radius scheme No RADIUS scheme exists by enter RADIUS scheme view. radius-scheme-name default. NOTE: A RADIUS scheme can be referenced by multiple ISP domains at the same time. Specifying the RADIUS authentication/authorization servers You can specify one primary authentication/authorization server and up to 16 secondary authentication/authorization servers for a RADIUS scheme.
  • Page 36 Step Command Remarks • Specify the primary RADIUS authentication/authorization server: primary authentication { ip-address | ipv6 ipv6-address } [ port-number | key Configure at least one [ cipher | simple ] key | probe command. username name [ interval interval ] | Specify RADIUS vpn-instance vpn-instance-name ] * authentication/authorization...
  • Page 37 Step Command Remarks • Specify the primary RADIUS accounting server: primary accounting { ip-address | ipv6 ipv6-address } [ port-number | key [ cipher Configure at least one | simple ] key | vpn-instance command. vpn-instance-name ] * Specify RADIUS accounting servers.
  • Page 38 The supported RADIUS server type determines the type of the RADIUS protocol that the switch uses to communicate with the RADIUS server. It can be standard or extended:
      • Standard—Uses the standard RADIUS protocol, compliant with RFC 2865 and RFC 2866 or later.
      • Extended—Uses the proprietary RADIUS protocol of HP.
  • Page 39 When the RADIUS server runs on IMC, you must set the RADIUS server type to extended. When the RADIUS server runs third-party RADIUS server software, either RADIUS server type applies. For the switch to function as a RADIUS server to authenticate login users, you must set the RADIUS server type to standard.
  • Page 40 are no longer available. In practice, you can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers functioning as the backup of the primary servers. Generally, the switch chooses servers based on these rules: • When the primary server is in active state, the switch communicates with the primary server.
  • Page 41 Step Command Remarks • Set the status of the primary RADIUS authentication/authorization server: state primary authentication { active | block } • Set the status of the primary RADIUS accounting server: state primary accounting { active | block } Optional. •...
  • Page 42 To specify a source IP address for a specific RADIUS scheme: Step Command Remarks Enter system view. system-view radius scheme Enter RADIUS scheme view. radius-scheme-name By default, the IP address of the Specify a source IP address nas-ip { ip-address | ipv6 outbound interface is used as the for outgoing RADIUS packets.
  • Page 43 NOTE: The backup source IP address specified for outgoing RADIUS packets takes effect only when stateful failover is configured, and it must be the source IP address for outgoing RADIUS packets that is configured on the standby switch. Setting timers for controlling communication with RADIUS servers The switch uses the following types of timers to control the communication with a RADIUS server: •...
  • Page 44 Configuring the IP address of the security policy server The core of the HP EAD solution is integration and cooperation, and the security policy server is the management and control center. Using a collection of software, the security policy server provides functions such as user management, security policy management, security status assessment, security cooperation control, and security event audit.
  • Page 45 Step Command Remarks Enter RADIUS scheme radius scheme radius-scheme-name view. Specify a security policy No security policy server is security-policy-server ip-address server. specified by default. Configuring interpretation of RADIUS class attribute as CAR parameters According to RFC 2865, a RADIUS server assigns the RADIUS class attribute (attribute 25) to a RADIUS client.
  • Page 46 Step Command Remarks Enter system view. system-view radius trap { accounting-server-down | Enable the trap authentication-error-threshold | Disabled by default. function for RADIUS. authentication-server-down } Enabling the RADIUS client service To receive and send RADIUS packets, enable the RADIUS client service on the device. If RADIUS is not required, disable the RADIUS client service to avoid attacks that exploit RADIUS packets.
  • Page 47: Configuring Hwtacacs Schemes

    Task: Clear the buffered stop-accounting requests for which no responses have been received.
    Command: reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ]
    Remarks: Available in user view

    Configuring HWTACACS schemes

    NOTE: You cannot remove the HWTACACS schemes in use or change the IP addresses of the HWTACACS servers in use.
  • Page 48 Specifying the HWTACACS authentication servers For versions earlier than Release 5206, you can specify one primary authentication server and one secondary authentication server for an HWTACACS scheme. When the primary server is not available, the secondary server is used. For Release 5206 and later versions, you can specify one primary authentication server and up to 16 secondary authentication servers for an HWTACACS scheme.
  • Page 49
      • An HWTACACS server can function as the primary authorization server of one scheme and as the secondary authorization server of another scheme at the same time.
      • The IP addresses of the primary and secondary authorization servers cannot be the same...
  • Page 50 HWTACACS does not support accounting for FTP users. • To specify HWTACACS accounting servers and set relevant parameters for an HWTACACS scheme: Step Command Remarks Enter system view. system-view Enter HWTACACS scheme hwtacacs scheme view. hwtacacs-scheme-name • Specify the primary HWTACACS accounting server: primary accounting ip-address Configure at least one...
  • Page 51 Specifying the VPN to which the servers belong After you specify a VPN for an HWTACACS scheme, all the authentication, authorization, and accounting servers specified for the scheme belong to the VPN. However, if you also specify a VPN when specifying a server for the scheme, the server belongs to the specific VPN.
  • Page 52 Specifying a source IP address for outgoing HWTACACS packets The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of any managed NAS.
  • Page 53 server, and tries to communicate with another server in active state. After this timer expires, the switch changes the status of the server back to active.
      • Real-time accounting timer (realtime-accounting)—Defines the interval at which the switch sends real-time accounting updates to the HWTACACS accounting server for online users. To implement real-time accounting, the switch must send real-time accounting packets to the accounting server for online users periodically.
  • Page 54: Configuring Aaa Methods For Isp Domains

    Configuring AAA methods for ISP domains You configure AAA methods for an ISP domain by referencing configured AAA schemes in ISP domain view. Each ISP domain has a set of default AAA methods, which are local authentication, local authorization, and local accounting by default and can be customized. If you do not configure any AAA methods for an ISP domain, the switch uses the system default AAA methods for authentication, authorization, and accounting of the users in the domain.
  • Page 55
      • Domain status—By placing the ISP domain to the active or blocked state, you allow or deny network service requests from users in the domain.
      • Maximum number of online users—The switch controls the number of online users in a domain to...
  • Page 56: Configuring Aaa Authentication Methods For An Isp Domain

    Configuring AAA authentication methods for an ISP domain In AAA, authentication, authorization, and accounting are separate processes. Authentication refers to the interactive authentication process of username/password/user information during an access or service request. The authentication process does not send authorization information to a supplicant or trigger accounting.
  • Page 57: Configuring Aaa Authorization Methods For An Isp Domain

    For example, if user user1 of domain aaa wants to switch the privilege level to 3, the system uses $enab3@aaa$ for authentication when the domain name is required and uses $enab3$ for authentication when the domain name is not required. To configure AAA authentication methods for an ISP domain: Step Command...
  • Page 58 Before configuring authorization methods, complete the following tasks: For HWTACACS authorization, configure the HWTACACS scheme to be referenced first. For RADIUS authorization, the RADIUS authorization scheme must be the same as the RADIUS authentication scheme. Otherwise, it does not take effect. Determine the access type or service type to be configured.
  • Page 59: Configuring Aaa Accounting Methods For An Isp Domain

    Configuring AAA accounting methods for an ISP domain In AAA, accounting is a separate process at the same level as authentication and authorization. This process sends accounting start/update/end requests to the specified accounting server. Accounting is optional. AAA supports the following accounting methods: •...
  • Page 60: Tearing Down User Connections

    Step Command Remarks Optional. Disabled by default. With the accounting optional Enable the accounting feature, a switch allows users to accounting optional optional feature. use network resources when no accounting server is available or communication with all accounting servers fails. accounting default { hwtacacs-scheme Optional.
  • Page 61: Specifying The Device Id Used In Stateful Failover Mode

    Follow these guidelines when you specify the device ID used in stateful failover mode:
      • Configuring or changing the device ID of a switch logs out all online users of the switch.
      • HP recommends saving the configuration and rebooting the switch after configuring or changing the device ID.
  • Page 62: Specifying A Radius Client

    and user description. After completing this task, the specified RADIUS user can use the username and password for RADIUS authentication on the switch. You can use the authorization-attribute command to specify an authorization ACL and authorized VLAN, which is assigned by the RADIUS server to the RADIUS client (the NAS) after the RADIUS user passes authentication.
  • Page 63: Displaying And Maintaining Aaa

    Displaying and maintaining AAA Task Command Remarks Display the configuration display domain [ isp-name ] [ | { begin | Available in any view information of ISP domains. exclude | include } regular-expression ] display connection [ access-type { dot1x | mac-authentication | portal } | domain isp-name | interface interface-type Display information about user...
  • Page 64: Aaa For Telnet Users By Separate Servers

    # Configure the switch to use AAA for Telnet users. [Switch] user-interface vty 0 4 [Switch-ui-vty0-4] authentication-mode scheme [Switch-ui-vty0-4] quit # Create HWTACACS scheme hwtac. [Switch] hwtacacs scheme hwtac # Specify the primary authentication server. [Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49 # Specify the primary authorization server.
  • Page 65 Figure 12 Network diagram Configuration procedure Configure the switch: # Assign IP addresses to interfaces. (Details not shown.) # Enable the Telnet server on the switch. <Switch> system-view [Switch] telnet server enable # Configure the switch to use AAA for Telnet users. [Switch] user-interface vty 0 4 [Switch-ui-vty0-4] authentication-mode scheme [Switch-ui-vty0-4] quit...
  • Page 66: Authentication/Authorization For Ssh/Telnet Users By A Radius Server

    Specify the ports for authentication and accounting as 1812 and 1813, respectively. Select Device Management Service as the service type. Select HP(A-Series) as the access device type. Select the switch from the device list or manually add the switch with the IP address of 10.1.1.2.
  • Page 67 NOTE: The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the switch, which is the IP address of the outbound interface by default, or otherwise the IP address specified with the nas-ip or radius nas-ip command on the switch.
  • Page 68 Figure 15 Adding an account for device management Configuring the switch # Configure the IP address of VLAN interface 2, through which the SSH user accesses the switch. <Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 [Switch-Vlan-interface2] quit # Configure the IP address of VLAN-interface 3, through which the switch accesses the server....
  • Page 69: Level Switching Authentication For Telnet Users By An Hwtacacs Server

    # Create RADIUS scheme rad. [Switch] radius scheme rad # Specify the primary authentication server. [Switch-radius-rad] primary authentication 10.1.1.1 1812 # Set the shared key for secure authentication communication to expert. [Switch-radius-rad] key authentication expert # Configure the scheme to include the domain names in usernames to be sent to the RADIUS server. [Switch-radius-rad] user-name-format with-domain # Specify the service type for the RADIUS server, which must be extended when the RADIUS server runs on IMC.
  • Page 70 Figure 16 Network diagram Configuration considerations Configure the switch to use AAA, particularly, local authentication for Telnet users: Create ISP domain bbb and configure it to use local authentication for Telnet users. Create a local user account, configure the password, and assign the user privilege level. On the switch, configure the authentication method for user privilege level switching: Specify to use HWTACACS authentication and, if HWTACACS authentication is not available, use local authentication for user level switching authentication.
  • Page 71 # Use HWTACACS authentication for user level switching authentication and, if HWTACACS authentication is not available, use local authentication. [Switch] super authentication-mode scheme local # Create an HWTACACS scheme named hwtac. [Switch] hwtacacs scheme hwtac # Specify the IP address for the primary authentication server as 10.1.1.1 and the port for authentication as 49.
  • Page 72 Figure 17 Configuring advanced attributes for the Telnet user Verify the configuration: After you complete the configuration, the Telnet user should be able to telnet to the switch and use username test@bbb and password aabbcc to enter the user interface of the switch, and access all level 0 commands.
  • Page 73: Radius Authentication And Authorization For Telnet Users By A Switch

    super Set the current user priority level telnet Establish one TELNET connection tracert Trace route function When switching to user privilege level 3, the Telnet user only needs to enter password enabpass as prompted. <Switch> super 3 Password: User privilege level is 3, and only those commands can be used whose level is equal or less than this.
  • Page 74 [SwitchA-ui-vty0-4] authentication-mode scheme [SwitchA-ui-vty0-4] quit # Create RADIUS scheme rad. [SwitchA] radius scheme rad # Specify the IP address for the primary authentication server as 10.1.1.2, the port for authentication as 1645, and the shared key for secure authentication communication as abc. [SwitchA-radius-rad] primary authentication 10.1.1.2 1645 key abc # Configure the scheme to remove the domain name from a username before sending the username to the RADIUS server.
  • Page 75: Troubleshooting Aaa

    IPv6=N/A Total 1 connection(s) matched. Troubleshooting AAA Troubleshooting RADIUS Symptom 1 User authentication/authorization always fails. Analysis A communication failure exists between the NAS and the RADIUS server. The username is not in the format of userid@isp-name or the ISP domain for the user authentication is not correctly configured on the NAS.
  • Page 76: Troubleshooting Hwtacacs

    The port numbers of the RADIUS server for authentication, authorization and accounting are available. Symptom 3 A user is authenticated and authorized, but accounting for the user is not normal. Analysis The accounting port number is not correct. The authentication/authorization server and the accounting server are not correctly configured on the NAS....
  • Page 77: 802.1X Overview

    802.1X overview 802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for securing wireless LANs (WLANs), and it has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports. 802.1X architecture 802.1X operates in the client/server model.
  • Page 78: 802.1X-Related Protocols

    • Performs bidirectional traffic control to deny traffic to and from the client. • Performs unidirectional traffic control to deny traffic from the client. The HP devices support only unidirectional traffic control. 802.1X-related protocols 802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the network access device, and the authentication server....
  • Page 79 • Protocol version—The EAPOL protocol version used by the EAPOL packet sender. • Type—Type of the EAPOL packet. Table 5 lists the types of EAPOL packets supported by HP implementation of 802.1X. Table 5 EAPOL packet types Value Type...
  • Page 80: Eap Over Radius

    01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client and the authentication server does not support the multicast address, you must use an 802.1X client, the HP iNode 802.1X client for example, that can send broadcast EAPOL-Start packets.
  • Page 81: 802.1X Authentication Procedures

    • Multicast trigger mode—The access device multicasts Identity EAP-Request packets periodically (every 30 seconds by default) to initiate 802.1X authentication. • Unicast trigger mode—Upon receiving a frame with the source MAC address not in the MAC address table, the access device sends an Identity EAP-Request packet out of the receiving port to the unknown MAC address....
  • Page 82: Eap Relay

    EAP termination: Works with any RADIUS server that supports PAP or CHAP authentication. • Supports only MD5-Challenge EAP authentication and the "username + password" EAP authentication initiated by an HP iNode 802.1X client. • The processing is complex on the network access device....
  • Page 83: Eap Termination

    The network access device relays the Identity EAP-Response packet in a RADIUS Access-Request packet to the authentication server. The authentication server uses the identity information in the RADIUS Access-Request to search its user database. If a matching entry is found, the server uses a randomly generated challenge (EAP-Request/MD5 challenge) to encrypt the password in the entry, and sends the challenge in a RADIUS Access-Challenge packet to the network access device.
  • Page 84 Figure 28 802.1X authentication procedure in EAP termination mode In EAP termination mode, it is the network access device, rather than the authentication server, that generates an MD5 challenge for password encryption (see Step 4). The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server....
  • Page 85: Configuring 802.1X

    HP implementation of 802.1X Access control methods HP implements port-based access control as defined in the 802.1X protocol, and extends the protocol to support MAC-based access control. • Port-based access control—Once an 802.1X user passes authentication on a port, any subsequent...
  • Page 86 Table 7 VLAN assignment in MAC-based access control mode Link type: Access; VLAN assignment: Sets the VLAN ID assigned through the Tunnel attributes to the first authenticated user as the PVID on the port. If a different VLAN is assigned to a subsequent user, the user cannot pass the authentication....
  • Page 87 For more information about VLAN configuration and MAC-based VLAN, see Layer 2 LAN Switching — Configuration Guide. On a port that performs port-based access control Authentication status: No 802.1X user has...; VLAN manipulation: Assigns the 802.1X guest VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the guest VLAN....
  • Page 88 Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. The Auth-Fail VLAN does not accommodate 802.1X users that have failed authentication for authentication timeouts or network connection problems. The way that the network access device handles VLANs on the port differs by 802.1X access control mode.
  • Page 89 Critical VLAN You configure an 802.1X critical VLAN on a port to accommodate 802.1X users that fail authentication because none of the RADIUS authentication servers in their ISP domain is reachable (active). Users in the critical VLAN can access a limited set of network resources depending on your configuration. The critical VLAN feature takes effect when 802.1X authentication is performed only through RADIUS servers....
  • Page 90: Configuration Prerequisites

    Authentication status: A user in the 802.1X critical VLAN fails authentication because all the RADIUS servers are unreachable; VLAN manipulation: The user is still in the critical VLAN. Authentication status: A user in the critical VLAN fails 802.1X authentication for any other reason than...; VLAN manipulation: If an Auth-Fail VLAN has been configured, re-maps the MAC address of the user to the Auth-Fail VLAN ID....
  • Page 91: 802.1X Configuration Task List

    • If RADIUS authentication is used, create user accounts on the RADIUS server. • If local authentication is used, create local user accounts on the access device and set the service type to lan-access. 802.1X configuration task list Task Remarks Enabling 802.1X Required Enabling EAP relay or EAP termination...
  • Page 92: Configuration Procedure

    If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an HP iNode 802.1X client, you can use both EAP termination and EAP relay. To use EAP-TLS, PEAP, or any other EAP authentication methods, you must use EAP relay. When you make your decision, see "A comparison of EAP relay and EAP...
  • Page 93: Setting The Port Authorization State

    Setting the port authorization state The port authorization state determines whether the client is granted access to the network. You can control the authorization state of a port by using the dot1x port-control command and the following keywords: • authorized-force—Places the port in the authorized state, enabling users on the port to access the...
  • Page 94: Setting The Maximum Number Of Concurrent 802.1X Users On A Port

    Step: Specify an access control method; Command: • In system view: dot1x port-method { macbased | portbased } [ interface interface-list ] • In Ethernet interface view: interface interface-type interface-number followed by dot1x port-method { macbased | portbased }; Remarks: Optional. Use either method. By default, MAC-based access control applies. Setting the maximum number of concurrent 802.1X...
  • Page 95: Setting The 802.1X Authentication Timeout Timers

    • To use the online handshake security function, make sure the online user handshake function is enabled. HP recommends that you use the iNode client software and IMC server to guarantee the normal operation of the online user handshake security function....
  • Page 96: Configuration Procedure

    • If the network has 802.1X clients that cannot exchange handshake packets with the network access device, disable the online user handshake function to prevent their connections from being inappropriately torn down. Configuration procedure To configure the online user handshake function: Step Command Remarks...
  • Page 97: Configuration Procedure

    Configuration procedure To configure the authentication trigger function on a port: Step: Enter system view; Command: system-view. Step: Set the username request timeout timer; Command: dot1x timer tx-period tx-period-value; Remarks: Optional. The default is 30 seconds. Step: Enter Ethernet interface view; Command: interface interface-type interface-number. Required if you want to enable the unicast trigger....
  • Page 98: Enabling The Periodic Online User Re-Authentication Function

    Step: Enter system view; Command: system-view. Step: Enable the quiet timer; Command: dot1x quiet-period; Remarks: By default, the timer is disabled. Step: Set the quiet timer; Command: dot1x timer quiet-period quiet-period-value; Remarks: Optional. The default is 60 seconds. Enabling the periodic online user re-authentication function Periodic online user re-authentication tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile-based QoS....
  • Page 99: Configuring A Port To Send Eapol Frames Untagged

    Configuring a port to send EAPOL frames untagged EAPOL frames exchanged between the 802.1X client and the network access device must not contain VLAN tags. If any 802.1X user attached to a port is assigned a tagged VLAN, you must enable the port to send EAPOL frames untagged to 802.1X clients.
  • Page 100: Configuring An 802.1X Guest Vlan

    802.1X authentication is complete. As a solution, remind the 802.1X users to release their IP addresses or repair their network connections for a DHCP reassignment after 802.1X authentication is complete. The HP iNode client does not have this problem. Table 8 when configuring multiple security features on a port.
  • Page 101: Configuration Prerequisites

    802.1X authentication is complete. As a solution, remind the 802.1X users to release their IP addresses or repair their network connections for a DHCP reassignment after 802.1X authentication is complete. The HP iNode client does not have this problem. •...
  • Page 102: Configuration Prerequisites

    Feature: MAC authentication guest VLAN on a port that performs MAC-based access control; Relationship description: The 802.1X Auth-Fail VLAN has a high priority; Reference: "Configuring MAC authentication". Feature: Port intrusion protection on a port that performs MAC-based access...; Relationship description: The 802.1X Auth-Fail VLAN function has higher priority than the block MAC action but lower priority than the shut down port...; Reference: "Configuring port...
  • Page 103: Configuration Prerequisites

    IP addresses or repair their network connections for a DHCP reassignment after 802.1X authentication is complete. The HP iNode client does not have this problem. Configuration prerequisites • Create the VLAN to be specified as a critical VLAN.
  • Page 104: Displaying And Maintaining 802.1X

    Step: Specify a set of domain name delimiters for 802.1X users; Command: dot1x domain-delimiter string; Remarks: Optional. By default, only the at sign (@) delimiter is supported. NOTE: If you configure the access device to include the domain name in the username sent to the RADIUS server, make sure the domain delimiter in the username can be recognized by the RADIUS server....
  • Page 105: Configuration Procedure

    Figure 29 Network diagram Configuration procedure Configure the 802.1X client. If HP iNode is used, do not select the Carry version info option in the client configuration. (Details not shown.) Configure the RADIUS servers and add user accounts for the 802.1X users. For information about the RADIUS commands used on the access device in this example, see Security Command Reference.
  • Page 106: Verifying The Configuration

    [Device-radius-radius1] user-name-format without-domain [Device-radius-radius1] quit NOTE: The access device must use the same username format as the RADIUS server. If the RADIUS server includes the ISP domain name in the username, so must the access device. Configure the ISP domain: # Create the ISP domain aabbcc.net and enter its view.
  • Page 107: With Guest Vlan And Vlan Assignment Configuration Example

    802.1X with guest VLAN and VLAN assignment configuration example Network requirements As shown in Figure • A host is connected to port GigabitEthernet 1/0/2 of the device and must pass 802.1X authentication to access the Internet. • GigabitEthernet 1/0/2 is in VLAN 1....
  • Page 108: Configuration Procedure

    Configuration procedure The following configuration procedure covers most AAA/RADIUS configuration commands on the device. The configurations on the 802.1X client and RADIUS server are not shown. For more information about AAA/RADIUS configuration commands, see Security Command Reference. Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VLAN or a server-assigned VLAN....
  • Page 109: Verifying The Configuration

    # Enable 802.1X globally. [Device] dot1x # Enable 802.1X for port GigabitEthernet 1/0/2. [Device] interface gigabitethernet 1/0/2 [Device-GigabitEthernet1/0/2] dot1x # Implement port-based access control on the port. [Device-GigabitEthernet1/0/2] dot1x port-method portbased # Set the port authorization mode to auto. This step is optional. By default, the port is in auto mode. [Device-GigabitEthernet1/0/2] dot1x port-control auto [Device-GigabitEthernet1/0/2] quit # Set VLAN 10 as the 802.1X guest VLAN for port GigabitEthernet 1/0/2.
  • Page 110: Configuration Procedure

    Configuration procedure The following configuration procedure provides the major AAA and RADIUS configuration on the access device. The configuration procedures on the 802.1X client and RADIUS server are beyond the scope of this configuration example. For information about AAA and RADIUS configuration commands, see Security Command Reference.
  • Page 111 Pinging 10.0.0.1 with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out. Ping statistics for 10.0.0.1: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), The output shows that ACL 3000 has taken effect on the user, and the user cannot access the FTP server.
  • Page 112: Configuring Ead Fast Deployment

    Configuring EAD fast deployment Overview Endpoint Admission Defense (EAD) is an HP integrated endpoint access control solution, which enables the security client, security policy server, access device, and third-party server to work together to improve the threat defensive capability of a network. If a terminal device seeks to access an EAD network, it must have an EAD client, which performs 802.1X authentication.
  • Page 113: Configuring The Redirect Url

    To configure a free IP: Step: Enter system view; Command: system-view. Step: Configure a free IP; Command: dot1x free-ip ip-address { mask-address | mask-length }; Remarks: By default, no free IP is configured. Configuring the redirect URL Follow these guidelines when you configure the redirect URL: •...
  • Page 114: Ead Fast Deployment Configuration Example

    Task: Display 802.1X session information, statistics, or configuration information; Command: display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]; Remarks: Available in any view. EAD fast deployment configuration example Network requirements As shown in Figure...
  • Page 115: Configuration Procedure

    • Configure the authentication server to provide authentication, authorization, and accounting services. Configuration procedure Configure an IP address for each interface. (Details not shown.) Configure DHCP relay: # Enable DHCP. <Device> system-view [Device] dhcp enable # Configure a DHCP server for a DHCP server group. [Device] dhcp relay server-group 1 ip 192.168.2.2 # Enable the relay agent on VLAN interface 2....
  • Page 116: Troubleshooting Ead Fast Deployment

    Ping statistics for 192.168.2.3: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms The output shows that you can access that segment before passing 802.1X authentication. If you use a web browser to access any external website beyond the free IP segments, you are redirected to the web server, which provides the 802.1X client software download service.
  • Page 117: Configuring Mac Authentication

    Configuring MAC authentication Overview MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software. A user does not need to input a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port.
  • Page 118: Mac Authentication Timers

    For more information about configuring local authentication and RADIUS authentication, see "Configuring AAA." MAC authentication timers MAC authentication uses the following timers: • Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards the user idle....
  • Page 119: Critical Vlan

    If a user in the guest VLAN passes MAC authentication, that user is removed from the guest VLAN and can access all authorized network resources. If not, the user is still in the MAC authentication guest VLAN. A hybrid port is always assigned to a guest VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.
  • Page 120: Configuring Mac Authentication Globally

    MAC authentication can take effect on a port only when it is enabled globally and on the port. Configuring MAC authentication globally Step: Enter system view; Command: system-view. Step: Enable MAC authentication globally; Command: mac-authentication; Remarks: Disabled by default. Step: Configure MAC...; Command: mac-authentication timer { offline-detect offline-detect-value |...; Remarks: Optional. By default, the offline detect timer is...
  • Page 121: Specifying A Mac Authentication Domain

    Specifying a MAC authentication domain By default, MAC authentication users are in the system default authentication domain. To implement different access policies for users, you can specify authentication domains for MAC authentication users in the following ways: • Specify a global authentication domain in system view. This domain setting applies to all ports....
  • Page 122: Configuring A Mac Authentication Critical Vlan

    If MAC authentication clients in your network cannot trigger an immediate DHCP-assigned IP address renewal in response to a VLAN change, the MAC authentication users cannot access authorized network resources immediately after a MAC authentication is complete. As a solution, remind the MAC authentication users to release their IP addresses or repair their network connections for a DHCP reassignment after MAC authentication is complete.
  • Page 123: Configuring Mac Authentication Delay

    resources immediately after a MAC authentication is complete. As a solution, remind the MAC authentication users to release their IP addresses or repair their network connections for a DHCP reassignment after MAC authentication is complete. Before you configure a MAC authentication critical VLAN on a port, complete the following tasks: Enable MAC authentication.
  • Page 124: Displaying And Maintaining Mac Authentication

    For example, a MAC authentication-enabled port connects to an IP phone that can send tagged and untagged frames. The port receives tagged frames in VLAN 2 and untagged frames in VLAN 1. Before you enable the multi-VLAN mode, the port must re-authenticate the IP phone every time it receives a frame from a VLAN that is different from the recorded MAC-VLAN entry.
  • Page 125 Figure 33 Network diagram Configuration procedure # Add a local user account, set both the username and password to 00-e0-fc-12-34-56, the MAC address of the user host, and enable LAN access service for the account. <Device> system-view [Device] local-user 00-e0-fc-12-34-56 [Device-luser-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56 [Device-luser-00-e0-fc-12-34-56] service-type lan-access [Device-luser-00-e0-fc-12-34-56] quit...
  • Page 126: Radius-Based Mac Authentication Configuration Example

    MAC Addr From Port Port Index Gigabitethernet1/0/1 is link-up MAC address authentication is enabled Authenticate success: 1, failed: 0 Max number of on-line users is 2048 Current online user number is 1 MAC Addr Authenticate state Auth Index 00e0-fc12-3456 MAC_AUTHENTICATOR_SUCCESS # After the user passes authentication, use the display connection command to display the online user information.
  • Page 127 # Configure a RADIUS scheme. <Device> system-view [Device] radius scheme 2000 [Device-radius-2000] primary authentication 10.1.1.1 1812 [Device-radius-2000] primary accounting 10.1.1.2 1813 [Device-radius-2000] key authentication abc [Device-radius-2000] key accounting abc [Device-radius-2000] user-name-format without-domain [Device-radius-2000] quit # Apply the RADIUS scheme to ISP domain 2000 for authentication, authorization, and accounting.
  • Page 128: Acl Assignment Configuration Example

    Max number of on-line users is 2048 Current online user number is 1 MAC ADDR Authenticate state Auth Index 00e0-fc12-3456 MAC_AUTHENTICATOR_SUCCESS # After a user passes MAC authentication, use the display connection command to display online user information. <Device> display connection Slot: Index=29 ,Username=aaa@2000...
  • Page 129 Configure RADIUS-based MAC authentication on the device: # Configure a RADIUS scheme. [Sysname] radius scheme 2000 [Sysname-radius-2000] primary authentication 10.1.1.1 1812 [Sysname-radius-2000] primary accounting 10.1.1.2 1813 [Sysname-radius-2000] key authentication simple abc [Sysname-radius-2000] key accounting simple abc [Sysname-radius-2000] user-name-format without-domain [Sysname-radius-2000] quit # Apply the RADIUS scheme to an ISP domain for authentication, authorization, and accounting.
  • Page 130 Request timed out. Request timed out. Request timed out. Request timed out. Ping statistics for 10.0.0.1: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),...
  • Page 131: Configuring Portal Authentication

    Configuring portal authentication Overview Portal authentication helps control access to the Internet. It is also called "Web authentication." A website implementing portal authentication is called a portal website. With portal authentication, an access device redirects all users to the portal authentication page. All users can access the free services provided on the portal website;...
  • Page 132 Figure 36 Portal system components Authentication client An authentication client is an entity seeking access to network resources. It is typically an end-user terminal, such as a PC. A client can use a browser or portal client software for portal authentication. Client security check is implemented through communications between the client and the security policy server....
  • Page 133: Portal System Using The Local Portal Server

    To implement security check, the client must be the HP iNode client. Portal authentication supports NAT traversal whether it is initiated by a Web client or an HP iNode client. When the portal authentication client is on a private network, but the portal server is on a public network and the access device is enabled with NAT, network address translations performed on the access device do not affect portal authentication.
  • Page 134: Portal Authentication Modes

    Protocols used for interaction between the client and local portal server HTTP and Hypertext Transfer Protocol Secure (HTTPS) can be used for interaction between an authentication client and an access device providing the local portal server function. If HTTP is used, there are potential security problems because HTTP packets are transferred in plain text;...
  • Page 135: Portal Support For Eap

    useful. For example, a service provider can allocate public IP addresses to broadband users only when they access networks beyond the residential community network. The local portal server does not support re-DHCP portal authentication. IPv6 portal authentication does not support the re-DHCP authentication mode. • Cross-subnet authentication...
  • Page 136: Layer 2 Portal Authentication Process

    Layer 2 portal authentication process Figure 39 Local Layer 2 portal authentication process Local Layer 2 portal authentication takes the following procedure: The portal authentication client sends an HTTP request. Upon receiving the HTTP request, the access device redirects it to the listening IP address of the local portal server, which supports HTTP and HTTPS requests.
  • Page 137: Layer 3 Portal Authentication Process

    NOTE: After a user is added to the authorized VLAN or Auth-Fail VLAN, the IP address of the client needs to be automatically or manually updated to make sure that the client can communicate with the hosts in the VLAN. Assignment of authorized ACLs The device can use ACLs to control user access to network resources and limit user access rights.
  • Page 138 The portal server assembles the username and password into an authentication request message and sends it to the access device. Meanwhile, the portal server starts a timer to wait for an authentication acknowledgment message. The access device and the RADIUS server exchange RADIUS packets to authenticate the user. The access device sends an authentication reply to the portal server.
  • Page 139 The portal server notifies the authentication client of logon success. The portal server sends a user IP address change acknowledgment message to the access device. With extended portal functions, the process includes additional steps: The security policy server exchanges security check information with the authentication client to check whether the authentication client meets the security requirements.
  • Page 140: Portal Stateful Failover

    After receiving the certificate request, the portal server sends an EAP authentication reply to the authentication client, carrying the EAP-Message attribute values. The authentication client sends another EAP request to continue the EAP authentication with the RADIUS server, during which there may be several portal authentication requests. The subsequent authentication processes are the same as that initiated by the first EAP request, except that the EAP request types vary with the EAP authentication phases.
  • Page 141 Figure 43 Network diagram for portal stateful failover configuration As shown in Figure 43, users have to pass portal authentication to access the Internet. To avoid portal service interruption caused by single point failures, you can deploy two access devices (Gateway A and Gateway B) and configure the portal stateful failover function on them, so that they back up the portal online user information of each other through the failover link.
  • Page 142: Portal Authentication Across Vpns

    Secondary: Indicates that the user logs in from the peer device, and the user data is synchronized from the peer device to the local device. The local device is in synchronization state. It only receives and processes the synchronization messages and does not process packets from the server. Portal authentication across VPNs This feature is not applicable to VPNs with overlapping address spaces.
  • Page 143: Configuration Prerequisites

    Task Remarks Enabling support for portal user moving Specifying an Auth-Fail VLAN for portal authentication Optional Specifying an auto redirection URL for authenticated portal users Optional Configuring online Layer 2 portal user detection Optional Logging off portal users Optional Complete these tasks to configure Layer 3 portal authentication: Task Remarks Specifying a portal server for Layer 3 portal authentication...
  • Page 144: Specifying The Portal Server

    Layer 2 portal authentication uses the local portal server. Specify the IP address of a Layer 3 interface on the device that is routable to the portal client as the listening IP address of the local portal server. HP recommends using the IP address of a loopback interface rather than a physical Layer 3 interface, because: The status of a loopback interface is stable.
  • Page 145: Specifying A Portal Server For Layer 3 Portal Authentication

    Specifying a portal server for Layer 3 portal authentication This task allows you to specify the portal server parameters for Layer 3 portal authentication, including the portal server IP address, shared encryption key, server port, and the URL address for Web authentication.
  • Page 146 Table 12 Main authentication page file names Main authentication page File name Logon page logon.htm Logon success page logonSuccess.htm Logon failure page logonFail.htm Online page online.htm Pushed after the user gets online for online notification System busy page busy.htm Pushed when the system is busy or the user is in the logon process Logoff success page logoffSuccess.htm...
  • Page 147 The following example shows part of the script in page online.htm. <form action=logon.cgi method = post > <p><input type=SUBMIT value="Logoff" name="PtButton" style="width:60px;"> </form> Rules on page file compression and saving A set of authentication page files must be compressed into a standard zip file. The name of a zip •...
  • Page 148: Configuring The Local Portal Server

    </body> </html> HP recommends using Microsoft IE 6.0 or above on the authentication clients. Make sure the browser of an authentication client permits pop-ups or permits pop-ups from the access device. Otherwise, the user cannot log off by closing the logon success or online page and can only click Cancel to return to the logon success or online page.
  • Page 149: Enabling Portal Authentication

    Therefore, to make sure that the local portal server uses the user-defined default authentication pages, you must edit and save them properly. Otherwise, the system default authentication pages are used. Configuration procedure To configure the local portal server: Step Command Remarks Enter system view.
  • Page 150: Controlling Access Of Portal Users

    • The interface is not added to any port aggregation group. • The portal server referenced by the interface already exists. • Layer 2 portal authentication is not enabled on any ports. Follow these guidelines when you enable Layer 3 portal authentication: You cannot enable portal authentication on a Layer 3 interface in a port aggregation group.
  • Page 151: Configuring An Authentication Source Subnet

    source address to a specified destination address, users can access the specified address directly, without being redirected to the portal authentication page for portal authentication. Usually, you can configure the IP address of a server that provides certain services (such as software upgrading service) as the destination IP address of a portal-free rule, so that Layer 2 portal authentication users can access the services without portal authentication.
  • Page 152: Setting The Maximum Number Of Online Portal Users

    To configure an authentication source subnet: Step Command Remarks Enter system view. system-view interface interface-type Enter interface view. interface-number Optional. By default, the source IPv4 subnet is 0.0.0.0/0, and the source IPv6 portal auth-network subnet is ::/0, meaning that users { ipv4-network-address from any IPv4 or IPv6 subnet must Configure an authentication...
  • Page 153: Configuring Layer 2 Portal Authentication To Support Web Proxy

    To specify an authentication domain for portal users on an interface: Step Command Remarks Enter system view. system-view interface interface-type Enter interface view. interface-number Specify an authentication By default, no authentication portal domain [ ipv6 ] domain for portal users on the domain is specified for portal domain-name interface.
  • Page 154: Specifying An Auth-Fail Vlan For Portal Authentication

    To solve the problem described above, enable support for portal user moving on the device. Then, when a user moves from a port of the device to another, the device provides services in either of the following ways: • If the original port is still up and the two ports belong to the same VLAN, the device allows the user to continue to access the network without re-authentication, and uses the new port information for user accounting.
  • Page 155: Configuring Radius Related Attributes

    The MAC-VLAN entries generated in response to portal authentication failures do not overwrite the MAC-VLAN entries already generated in other authentication modes. Configuring RADIUS related attributes Only Layer 3 portal authentication supports this feature. Specifying NAS-Port-Type for an interface NAS-Port-Type is a standard RADIUS attribute for indicating a user access port type. With this attribute specified on an interface, when a portal user logs on from the interface, the device uses the specified NAS-Port-Type value as that in the RADIUS request to be sent to the RADIUS server.
  • Page 156: Specifying A Source Ip Address For Outgoing Portal Packets

    { ipv4-address | ipv6 source IP address of the outgoing for outgoing portal packets. ipv6-address } portal packets. In NAT environments, HP recommends specifying the interface's public IP address as the source IP address of outgoing portal packets.
  • Page 157 Specify an interface for backing up portal services, which is called portal service backup interface in this document, and enable portal on the portal service backup interface. Specify the portal group to which the portal service backup interface belongs. Be sure to specify the...
  • Page 158: Specifying An Auto Redirection Url For Authenticated Portal Users

    Step Command Remarks address for RADIUS packets Use either approach. to be sent. By default, no backup source IP address is specified. You do not need to specify the backup source IP address if the radius scheme device uses the virtual IP address of radius-scheme-name the VRRP group to which the uplink nas-backup-ip ip-address...
  • Page 159: Configuring Portal Detection Functions

    Step Command Remarks By default, an authenticated Specify an auto redirection user is redirected to the URL portal redirect-url url-string [ wait-time URL for authenticated portal the user typed in the address period ] users. bar before portal authentication. Configuring portal detection functions Configuring online Layer 2 portal user detection Only Layer 2 portal authentication supports this feature.
  • Page 160 Probing portal heartbeat packets—A portal server that supports the portal heartbeat function (only the IMC portal server supports this function) sends portal heartbeat packets to portal access devices periodically. If an access device receives a portal heartbeat packet or an authentication packet within a probe interval, the access device considers that the probe succeeds and the portal server is reachable;...
  • Page 161: Configuring Portal User Information Synchronization

    HP recommends that you configure the interval to be greater than the portal user heartbeat interval configured on the portal server.
  • Page 162: Displaying And Maintaining Portal

    Step Command Enter system view. system-view portal delete-user { ipv4-address | all | interface Log off users. interface-type interface-number | ipv6 ipv6-address } Displaying and maintaining portal Task Command Remarks display portal acl { all | dynamic | static } interface interface-type Display the ACLs on an interface.
  • Page 163: Portal Configuration Examples

    Task Command Remarks reset portal server statistics { all | Clear portal server statistics on a interface interface-type Available in user view specific interface or all interfaces. interface-number } Clear TCP spoofing statistics. reset portal tcp-cheat statistics Available in user view Portal configuration examples Configuring direct portal authentication Network requirements...
  • Page 164 Figure 46 Portal server configuration # Configure the IP address group. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. Then, click Add to enter the page shown in Figure Enter the IP group name.
  • Page 165 Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. Then, click Add to enter the page shown in Figure • Enter the device name NAS. • Enter the IP address of the switch's interface connected to the user...
  • Page 166 Figure 50 Adding a port group # Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configuring the switch Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <Switch>...
  • Page 167: Configuring Re-Dhcp Portal Authentication

    # Configure dm1 as the default ISP domain for all users. Then, if a user enters the username without the ISP domain at logon, the authentication and accounting methods of the default domain are used for the user. [Switch] domain default enable dm1 Configure portal authentication: # Configure a portal server on the switch, making sure the IP address, port number and URL match those of the actual portal server.
  • Page 168 IP address). For information about DHCP relay agent configuration, see Layer 3—IP Services Configuration Guide. Make sure the IP address of the portal device added on the portal server is the public IP address of the interface connecting users (20.20.20.1 in this example), the private IP address range for the IP address group associated with the portal device is the private network segment where the users reside (10.0.0.0/24 in this example), and the public IP address range for the IP address group is the public network segment 20.20.20.0/24.
  • Page 169: Configuring Cross-Subnet Portal Authentication

    Port number: 50100 URL: http://192.168.0.111:8080/portal [Switch] portal server newpt ip 192.168.0.111 key simple portal port 50100 url http://192.168.0.111:8080/portal # Configure the switch as a DHCP relay agent, and enable the IP address check function. [Switch] dhcp enable [Switch] dhcp relay server-group 0 ip 192.168.0.112 [Switch] interface vlan-interface 100 [Switch-Vlan-interface100] ip address 20.20.20.1 255.255.255.0 [Switch-Vlan-interface100] ip address 10.0.0.1 255.255.255.0 sub...
  • Page 170 Make sure the IP address of the portal device added on the portal server is the IP address of the interface connecting users (20.20.20.1 in this example), and the IP address group associated with the portal device is the network segment where the users reside (8.8.8.0/24 in this example). Perform the following configuration to configure cross-subnet portal authentication on Switch A: Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view.
  • Page 171: Configuring Direct Portal Authentication With Extended Functions

    On Switch B, configure a default route to subnet 192.168.0.0/24, setting the next hop as 20.20.20.1. (Details not shown.) Configuring direct portal authentication with extended functions Network requirements As shown in Figure The host is directly connected to the switch and the switch is configured for direct extended portal •...
  • Page 172 [Switch-radius-rs1] key authentication simple radius [Switch-radius-rs1] user-name-format without-domain # Configure the IP address of the security policy server. [Switch-radius-rs1] security-policy-server 192.168.0.113 [Switch-radius-rs1] quit Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Switch] domain dm1 # Configure AAA methods for the ISP domain.
  • Page 173: Configuring Re-Dhcp Portal Authentication With Extended Functions

    Configuring re-DHCP portal authentication with extended functions Network requirements As shown in Figure The host is directly connected to the switch and the switch is configured for re-DHCP authentication. • The host is assigned an IP address through the DHCP server. Before passing portal authentication, the host uses an assigned private IP address.
  • Page 174 Perform the following configuration to configure re-DHCP portal authentication with extended functions on the switch: Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <Switch> system-view [Switch] radius scheme rs1 # Set the server type for the RADIUS scheme. When using the IMC server, set the server type to extended.
  • Page 175: Configuring Cross-Subnet Portal Authentication With Extended Functions

    IP address: 192.168.0.111 Key: portal in plain text Port number: 50100 URL: http://192.168.0.111:8080/portal [Switch] portal server newpt ip 192.168.0.111 key simple portal port 50100 url http://192.168.0.111:8080/portal # Configure the switch as a DHCP relay agent, and enable the IP address check function. [Switch] dhcp enable [Switch] dhcp relay server-group 0 ip 192.168.0.112 [Switch] interface vlan-interface 100...
  • Page 176 Configuration procedure Make sure the IP address of the portal device added on the portal server is the IP address of the interface connecting users (20.20.20.1 in this example), and the IP address group associated with the portal device is the network segment where the users reside (8.8.8.0/24 in this example). Configure IP addresses for the host, switches, and servers as shown in Figure 55 and make sure that they...
  • Page 177: Configuring Portal Stateful Failover

    [SwitchA-acl-adv-3001] quit On the security policy server, specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL. Configure portal authentication # Configure the portal server as follows: Name: newpt IP address: 192.168.0.111 Key: portal in plain text Port number: 50100 URL: http://192.168.0.111:8080/portal [SwitchA] portal server newpt ip 192.168.0.111 key portal port 50100 url...
  • Page 178 Figure 56 Network diagram Configure IP addresses for the host, server, and switches as shown in Figure 56 and make sure that they can reach each other. Make sure that Host can access the authentication server through Switch A and Switch B. Configure VRRP group 1 and VRRP group 2 to implement backup for downstream and upstream links, respectively.
  • Page 179 Figure 57 Portal server configuration # Configure the IP address group. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. Then, click Add to enter the page shown in Figure Enter the IP group name.
  • Page 180 • Enter the device name NAS. • Enter the virtual IP address of the VRRP group that holds the portal-enabled interface. • Enter the key, which must be the same as that configured on the switch. • Set whether to enable IP address reallocation. This example uses direct portal authentication, and...
  • Page 181: Configuring Switch A

    Figure 61 Adding a port group # Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configuring Switch A Configure VRRP: # Create VRRP group 1, and configure the virtual IP address of the VRRP group 1 as 9.9.1.1. <SwitchA>...
  • Page 182 # Configure the server type for the RADIUS scheme. When using the IMC server, configure the RADIUS server type as extended. [SwitchA-radius-rs1] server-type extended # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers. [SwitchA-radius-rs1] primary authentication 192.168.0.111 [SwitchA-radius-rs1] primary accounting 192.168.0.111 [SwitchA-radius-rs1] key authentication simple expert...
  • Page 183: Configuring Switch B

    Configure the stateful failover function: # Configure the VLAN for stateful failover as VLAN 8. [SwitchA] dhbk vlan 8 # Enable stateful failover and configure it to support the symmetric path. [SwitchA] dhbk enable backup-type symmetric-path Configuring Switch B Configure VRRP: # Create VRRP group 1, and configure the virtual IP address of the VRRP group 1 as 9.9.1.1.
  • Page 184 # Configure domain dm1 as the default ISP domain for all users. Then, if a user enters a username without any ISP domain at logon, the authentication and accounting methods of the default domain are used for the user. [SwitchB] domain default enable dm1 Enable portal authentication on the interface connecting the host: # Configure the portal server as needed.
  • Page 185: Configuring Portal Server Detection And Portal User Information Synchronization

    State:ONLINE SubState:NONE ACL:NONE Work-mode: secondary VPN instance:NONE Vlan Interface --------------------------------------------------------------------- 000d-88f8-0eac 9.9.1.2 Vlan-interface10 Total 1 user(s) matched, 1 listed. The output shows that the information of user Host is saved on both Switch A and Switch B. The user's working mode on Switch A is primary, and that on Switch B is secondary, which indicate that the user logged in through Switch A and the user information on Switch B was synchronized from Switch A.
  • Page 186 Configure direct portal authentication on interface VLAN-interface 100, which is connected with the user host. Configure the portal server detection function on the access device, so that the access device can detect the status of the portal server by cooperating with the portal server heartbeat function. Configure the portal user information synchronization function, so that the access device can synchronize portal user information with the portal server by cooperating with the portal user heartbeat function.
  • Page 187 Enter the start IP address and end IP address of the IP group. Make sure that the host IP address is in the IP group. • Select a service group. By default, the group Ungrouped is used. • Select the IP group type Normal...
  • Page 188 # Associate the portal device with the IP address group. As shown in Figure 49, click the icon in the Port Group Information Management column of device NAS to enter the port group configuration page. Figure 66 Device list On the port group configuration page, click Add to enter the page shown in Figure 50.
  • Page 189 40 retry 2 The product of interval and retry must be greater than or equal to the portal server heartbeat interval, and HP recommends configuring the interval as a value greater than the portal server heartbeat interval configured on the portal server.
  • Page 190: Cross-Subnet Portal Authentication Across Vpns

    [Switch] portal server newpt user-sync interval 600 retry 2 The product of interval and retry must be greater than or equal to the portal user heartbeat interval, and HP recommends configuring the interval as a value greater than the portal user heartbeat interval configured on the portal server.
  • Page 191 # Set the server type for the RADIUS scheme. When using the IMC server, set the server type to extended. [SwitchA-radius-rs1] server-type extended # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers. [SwitchA-radius-rs1] primary authentication 192.168.0.111 [SwitchA-radius-rs1] primary accounting 192.168.0.111 [SwitchA-radius-rs1] key accounting simple radius...
  • Page 192: Configuring Layer 2 Portal Authentication

    Verifying the configuration Execute the display portal interface command to check whether the portal configuration has taken effect. After Host passes portal authentication, perform the display portal user command to view information about online portal users on Switch A. [SwitchA] display portal user all Index:2 State:ONLINE SubState:NONE...
  • Page 193 Figure 69 Network diagram (image not reproduced; labelled devices: DHCP server, RADIUS server, Switch (DHCP relay), Host, Update server) Configuration procedures Follow these guidelines to configure Layer 2 portal authentication: • Make sure that the host, switch, and servers can reach each other before portal authentication is enabled.
  • Page 194 # Configure the local portal server to support HTTPS and reference SSL server policy sslsvr. [Switch] portal local-server https server-policy sslsvr # Configure the IP address of loopback interface 12 as 4.4.4.4. [Switch] interface loopback 12 [Switch-LoopBack12] ip address 4.4.4.4 32 [Switch-LoopBack12] quit # Specify IP address 4.4.4.4 as the listening IP address of the local portal server for Layer 2 portal authentication.
  • Page 195 # Create DHCP server group 1 and add DHCP server 1.1.1.3 into the group. [Switch] dhcp relay server-group 1 ip 1.1.1.3 # Enable the DHCP relay agent on VLAN-interface 8. [Switch] interface vlan-interface 8 [Switch-Vlan-interface8] dhcp select relay # Correlate DHCP server group 1 with VLAN-interface 8. [Switch-Vlan-interface8] dhcp relay server-select 1 [Switch-Vlan-interface8] quit # Enable the DHCP relay agent on VLAN-interface 2.
  • Page 196: Troubleshooting Portal

    S:Static D:Dynamic MAC ADDR MASK VLAN ID PRIO STATE -------------------------------------------------------- 0015-e9a6-7cfe ffff-ffff-ffff Total MAC VLAN address count:1 If a client fails authentication, it is added to VLAN 2. Use the previously mentioned commands to view the assigned IP address and the generated MAC-VLAN entry for the client. Troubleshooting portal Inconsistent keys on the access device and the portal server Symptom...
  • Page 197 Solution Use the display portal server command to display the listening port of the portal server configured on the access device and use the portal server command in the system view to modify it to make sure that it is the actual listening port of the portal server.
  • Page 198: Configuring Triple Authentication

    Configuring triple authentication Overview Triple authentication enables a Layer 2 access port to perform portal, MAC, and 802.1X authentication. A terminal can access the network if it passes one type of authentication. Triple authentication is suitable for a LAN that comprises terminals that require different authentication services.
  • Page 199: Using Triple Authentication With Other Features

    • If a terminal passes 802.1X or portal authentication, no other types of authentication will be triggered for the terminal. • If the terminal passes MAC authentication, no portal authentication can be triggered for the terminal, but 802.1X authentication can be triggered. When the terminal passes 802.1X authentication, the 802.1X authentication information will overwrite the MAC authentication information for the terminal.
  • Page 200: Triple Authentication Configuration Examples

    Step Command Remarks MAC-based access control. Configure Layer-2 portal "Configuring portal HP does not recommend you authentication. authentication" configure 802.1X guest VLANs for triple authentication. Triple authentication configuration examples Triple authentication basic function configuration example Network requirements As shown in Figure 71, the terminals are connected to a switch to access the IP network.
  • Page 201 # Configure the local portal server to support HTTP. <Switch> system-view [Switch] portal local-server http # Configure the IP address of interface loopback 0 as 4.4.4.4. [Switch] interface loopback 0 [Switch-LoopBack0] ip address 4.4.4.4 32 [Switch-LoopBack0] quit # Specify the listening IP address of the local portal server for Layer-2 portal authentication as 4.4.4.4.
  • Page 202: Triple Authentication Supporting Vlan Assignment And Auth-Fail Vlan Configuration Example

    [Switch] domain triple # Configure the default AAA methods for all types of users in the domain. [Switch-isp-triple] authentication default radius-scheme rs1 [Switch-isp-triple] authorization default radius-scheme rs1 [Switch-isp-triple] accounting default radius-scheme rs1 [Switch-isp-triple] quit # Configure domain triple as the default domain. If a username input by a user includes no ISP domain name, the authentication scheme of the default domain is used.
  • Page 203 802.1X terminals use IP addresses in 192.168.1.0/24 before authentication, and request IP addresses in 3.3.3.0/24 through DHCP after passing authentication. If the terminal fails authentication, it uses an IP address in 2.2.2.0/24. • After passing authentication, the printer obtains the IP address 3.3.3.111/24 that is bound with its MAC address through DHCP.
  • Page 204 # Configure VLANs and IP addresses for the VLAN interfaces, and add ports to specific VLANs. (Details not shown.) # Enable DHCP. <Switch> system-view [Switch] dhcp enable # Exclude the IP address of the update server from assignment. [Switch] dhcp server forbidden-ip 2.2.2.2 # Configure IP address pool 1, including the address range, lease and gateway address.
  • Page 205 [Switch] portal local-server https server-policy sslsvr # Configure IP address 4.4.4.4 for interface loopback 12. [Switch] interface loopback 12 [Switch-LoopBack12] ip address 4.4.4.4 32 [Switch-LoopBack12] quit # Specify the listening IP address of the local portal server as 4.4.4.4. [Switch] portal local-server ip 4.4.4.4 # Enable Layer-2 portal authentication on GigabitEthernet 1/0/1 and specify VLAN 2 as the Auth-Fail VLAN, to which terminals failing authentication are added.
  • Page 206 [Switch-radius-rs1] user-name-format without-domain [Switch-radius-rs1] quit Configure an ISP domain: # Create an ISP domain named triple. [Switch] domain triple # Configure the default AAA methods for all types of users in the domain. [Switch-isp-triple] authentication default radius-scheme rs1 [Switch-isp-triple] authorization default radius-scheme rs1 [Switch-isp-triple] accounting default radius-scheme rs1 [Switch-isp-triple] quit # Configure domain triple as the default domain.
  • Page 207 0002-0002-0001 ffff-ffff-ffff 0015-88f8-0dd7 ffff-ffff-ffff Total MAC VLAN address count:3 Use the display dhcp server ip-in-use command to view the IP addresses assigned to online users. [Switch] display dhcp server ip-in-use all Pool utilization: 0.59% IP address Client-identifier/ Lease expiration Type Hardware address 3.3.3.111 0015-88f8-0dd7...
  • Page 208: Configuring Port Security

    NOTE: For scenarios that require only 802.1X authentication or MAC authentication, HP recommends you configure 802.1X authentication or MAC authentication rather than port security. For more information about 802.1X and MAC authentication, see "Configuring...
  • Page 209 MAC learning control—Includes two modes, autoLearn and secure. MAC address learning is permitted on a port in autoLearn mode and disabled in secure mode. • Authentication—Security modes in this category implement MAC authentication, 802.1X authentication, or a combination of these two authentication methods. Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address.
  • Page 210 Controlling MAC address learning • autoLearn: A port in this mode can learn MAC addresses, and allows frames from learned or configured MAC addresses to pass. The automatically learned MAC addresses are secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.
  • Page 211: Working With Guest Vlan And Auth-Fail Vlan

    This mode is similar to the macAddressOrUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users. • macAddressElseUserLoginSecure: This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority as the Else keyword implies. For wired users, the port performs MAC authentication upon receiving non-802.1X frames and performs MAC authentication and then, if the authentication fails, 802.1X authentication upon receiving 802.1X frames.
  • Page 212: Enabling Port Security

    Enabling port security Enabling or disabling port security resets the following security settings to the default: • 802.1X access control mode is MAC-based, and the port authorization state is auto. • Port security mode is noRestrictions. When port security is enabled, you cannot manually enable 802.1X or MAC authentication, or change the access control mode or port authorization state.
  • Page 213: Setting The Port Security Mode

    Setting the port security mode After enabling port security, you can change the port security mode of a port only when the port is operating in noRestrictions (the default) mode. To change the port security mode for a port in any other mode, first use the undo port-security port-mode command to restore the default port security mode.
  • Page 214: Configuring Port Security Features

    Configuring port security features Configuring NTK The NTK feature checks the destination MAC addresses in outbound frames to make sure that frames are forwarded only to authenticated devices. Any unicast frame with an unknown destination MAC address is discarded. Not all port security modes support triggering the NTK feature. For more information, Table The NTK feature supports the following modes: ntkonly—Forwards only unicast frames with authenticated destination MAC addresses.
  • Page 215: Enabling Port Security Traps

    Step Command Remarks Enter Layer 2 Ethernet interface interface-type interface view. interface-number port-security intrusion-mode Configure the intrusion By default, intrusion protection is { blockmac | disableport | protection feature. disabled. disableport-temporarily } Return to system view. quit Set the silence timeout period Optional.
  • Page 216: Configuration Prerequisites

    Table 14 A comparison of static, sticky, and dynamic secure MAC addresses Can be saved and Type Address sources Aging mechanism survive a device reboot? Not available. They never age out unless you manually remove Static Manually added Yes. them, change the port security mode, or disable the port security feature.
  • Page 217: Ignoring Authorization Information

    Step Command Remarks • In system view: port-security mac-address security [ sticky] mac-address interface interface-type interface-number vlan vlan-id Use either method. • In interface view: Configure a secure MAC No secure MAC address exists by address. interface interface-type default. interface-number port-security mac-address security [ sticky] mac-address vlan vlan-id...
  • Page 218: Port Security Configuration Examples

    Task Command Remarks Display port security configuration display port-security [ interface information, operation interface-list ] [ | { begin | exclude Available in any view information, and statistics about | include } regular-expression ] one or more ports or all ports. display port-security mac-address security [ interface interface-type Display information about secure...
  • Page 219

    # Set port security's limit on the number of MAC addresses to 64 on the port.
    [Device-GigabitEthernet1/0/1] port-security max-mac-count 64
    # Set the port security mode to autoLearn.
    [Device-GigabitEthernet1/0/1] port-security port-mode autolearn
    # Configure the port to be silent for 30 seconds after the intrusion protection feature is triggered.
    [Device-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily
    [Device-GigabitEthernet1/0/1] quit
    [Device] port-security timer disableport 30...
  • Page 220: Configuring The Userloginwithoui Mode

    Execute the display port-security interface command after the number of MAC addresses learned by the port reaches 64, and you can see that the port security mode has changed to secure. When any frame with a new MAC address arrives, intrusion protection is triggered and you can see the following trap message.
  • Page 221

    • Allow up to 16 OUI values to be configured and allow one terminal that uses any of the OUI values to access the port in addition to an 802.1X user.
    Figure 74 Network diagram
    Configuration procedure
    Configurations on the host and RADIUS servers are not shown. The following configuration steps cover some AAA/RADIUS configuration commands....
  • Page 222

    [Device] port-security enable
    # Add five OUI values.
    [Device] port-security oui 1234-0100-1111 index 1
    [Device] port-security oui 1234-0200-1111 index 2
    [Device] port-security oui 1234-0300-1111 index 3
    [Device] port-security oui 1234-0400-1111 index 4
    [Device] port-security oui 1234-0500-1111 index 5
    [Device] interface gigabitethernet 1/0/1
    # Set the port security mode to userLoginWithOUI....
  • Page 223

    # Display the configuration of the ISP domain sun.
    <Device> display domain sun
    Domain : sun
    State : Active
    Access-limit : 30
    Accounting method : Required
    Default authentication scheme : radius:radsun
    Default authorization scheme : radius:radsun
    Default accounting scheme : radius:radsun
    Domain User Template:
    Idle-cut : Disabled
    Self-service : Disabled...
  • Page 224

    EAD timeout:
    The maximum 802.1X user resource number is 2048 per slot
    Total current used 802.1X resource number is 1
    GigabitEthernet1/0/1 is link-up
    802.1X protocol is enabled
    Handshake is enabled
    Handshake secure is disabled
    802.1X unicast-trigger is enabled
    Periodic reauthentication is disabled
    The port is an authenticator
    Authentication Mode is Auto
    Port Control Type is Mac-based...
  • Page 225: Configuring The Macaddresselseuserloginsecure Mode

    Configuring the macAddressElseUserLoginSecure mode Network requirements As shown in Figure 74, a client is connected to the Device through GigabitEthernet 1/0/1. The Device authenticates the client by a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet. Restrict port GigabitEthernet 1/0/1 of the Device: Allow more than one MAC authenticated user to log on.
  • Page 226

    Trap is disabled
    Disableport Timeout: 20s
    OUI value:
    GigabitEthernet1/0/1 is link-up
    Port mode is macAddressElseUserLoginSecure
    NeedToKnow mode is NeedToKnowOnly
    Intrusion Protection mode is NoAction
    Max MAC address number is 64
    Stored MAC address number is 0
    Authorization is permitted
    Security MAC address learning mode is sticky
    Security MAC address aging type is absolute
    # Display MAC authentication information....
  • Page 227: Troubleshooting Port Security

    Supp Timeout 30 s, Server Timeout 100 s
    The maximal retransmitting times
    EAD quick deploy configuration:
    EAD timeout:
    Total maximum 802.1X user resource number is 2048 per slot
    Total current used 802.1X resource number is 1
    GigabitEthernet1/0/1 is link-up
    802.1X protocol is enabled
    Handshake is enabled
    Handshake secure is disabled
    802.1X unicast-trigger is enabled...
  • Page 228: Cannot Configure Secure Mac Addresses

    Error:When we change port-mode, we should first change it to noRestrictions, then change it to the other.
    Analysis
    For a port operating in a port security mode other than noRestrictions, you cannot change the port security mode by using the port-security port-mode command directly.
    Solution
    Set the port security mode to noRestrictions first....
  • Page 229 [Device-GigabitEthernet1/0/1] undo port-security port-mode...
  • Page 230: Configuring A User Profile

    Configuring a user profile Overview A user profile provides a configuration template to save predefined configurations, such as a Quality of Service (QoS) policy. The user profile implements service applications on a per-user basis. Every time a user accesses the device, the device automatically applies the configurations in the user profile that is associated only with this user.
  • Page 231: Applying A Qos Policy

    Step Command Remarks Enter system view. system-view Create a user profile, You can use the command to enter the view of user-profile profile-name and enter its view. an existing user profile. Applying a QoS policy You can apply QoS policies in user profile view to implement traffic management functions. Follow these guidelines when you apply a QoS policy: After a user profile is created, apply a QoS policy in user profile view to implement restrictions on •...
  • Page 232: Displaying And Maintaining User Profiles

    Step Command Remarks Enter system view. system-view A user profile is disabled by Enable a user profile. user-profile profile-name enable default. Displaying and maintaining user profiles Task Command Remarks Display information about all the display user-profile [ | { begin | exclude Available in any view created user profiles.
  • Page 233: Configuring Password Control

    Configuring password control Overview Password control refers to a set of functions provided by the local authentication server to control user login passwords, super passwords, and user login status based on predefined policies. The rest of this section describes the password control functions in detail. Minimum password length •...
  • Page 234 You can allow a user to log in a certain number of times within a specific period of time after the password expires, so that the user does not need to change the password immediately. For example, if you set the maximum number of logins with an expired password to three and the time period to 15 days, a user can log in three times within 15 days after the password expires.
  • Page 235: Fips Compliance

    Depending on the system security requirements, you can set the minimum number of character types a password must contain and the minimum number of characters that are from each type in the password. There are four password combination levels in non-FIPS mode: 1, 2, 3, and 4, each representing the number of character types that a password must at least contain.
  • Page 236: Password Control Configuration Task List

    Password control configuration task list The password control functions can be configured in several views, and different views support different functions. The settings configured in different views or for different objects have different application ranges and different priorities: Global settings in system view apply to all local user passwords and super passwords. •...
  • Page 237: Setting Global Password Control Parameters

    Step Command Remarks Enter system view. system-view Enable the password control password-control enable Disabled by default. feature. Optional. password-control { aging | Enable a password control composition | history | length } All of the four password control function individually. enable functions are enabled by default.
  • Page 238: Setting User Group Password Control Parameters

    Step Command Remarks Optional. Set the minimum password password-control length length length. 10 characters by default. Optional. • In non-FIPS mode, by default, a password must contain at least one type of characters and password-control composition each type must contain at least Configure the password type-number type-number one character.
  • Page 239: Setting Local User Password Control Parameters

    Step Command Remarks Enter system view. system-view Create a user group and enter user-group group-name user group view. Optional Configure the password By default, the aging time of the password-control aging aging-time aging time for the user group. user group is the same as the global password aging time.
  • Page 240: Setting Super Password Control Parameters

    Setting super password control parameters CLI commands fall into four levels: visit, monitor, system, and manage, in ascending order. Accordingly, login users fall into four levels, each corresponding to a command level. A user of a certain level can only use the commands at that level or lower levels.
  • Page 241: Password Control Configuration Example

    Task Command Remarks display password-control blacklist [ user-name name | ip Display information about users in ipv4-address | ipv6 ipv6-address ] Available in any view the password control blacklist. [ | { begin | exclude | include } regular-expression ] Delete users from the password reset password-control blacklist Available in user view...
  • Page 242

    [Sysname] password-control aging 30
    # Set the minimum password update interval to 36 hours.
    [Sysname] password-control password update interval 36
    # Specify that a user can log in five times within 60 days after the password expires.
    [Sysname] password-control expired-user-login delay 60 times 5
    # Set the maximum account idle time to 30 days....
  • Page 243

    User authentication timeout: 60 seconds
    Maximum failed login attempts: 2 times
    Login attempt-failed action: Lock
    Minimum password update time: 36 hours
    User account idle-time: 30 days
    Login with aged password: 5 times in 60 day(s)
    Password complexity: Enabled (username checking)
    Enabled (repeated characters checking)
    # Display the password control configuration information for super passwords....
  • Page 244: Configuring Habp

    Configuring HABP Overview The HW Authentication Bypass Protocol (HABP) is intended to enable the downstream network devices of an access device to bypass 802.1X authentication and MAC authentication configured on the access device. As shown in Figure 75, 802.1X authenticator Switch A has two switches attached to it: Switch B and Switch C.
  • Page 245: Configuring Habp

    Otherwise, the cluster management device will not be able to manage the devices attached to this member switch. For more information about the cluster function, see Network Management and Monitoring Configuration Guide. Configuring HABP Configuring the HABP server An HABP server is usually configured on the authentication device enabled with 802.1X authentication or MAC address authentication.
  • Page 246: Displaying And Maintaining Habp

    Step Command Remarks Optional By default, an HABP client belongs to VLAN 1. Specify the VLAN to which the habp client vlan vlan-id HABP client belongs. The VLAN to which an HABP client belongs must be the same as that specified on the HABP server for transmitting HABP packets.
  • Page 247

    Figure 76 Network diagram
    Configuration procedure
    Configure Switch A:
    # Perform 802.1X related configurations on Switch A (see "Configuring 802.1X").
    # Enable HABP. (HABP is enabled by default. This configuration is optional.)
    <SwitchA> system-view
    [SwitchA] habp enable
    # Configure HABP to work in server mode, and specify VLAN 1 for HABP packets.
    [SwitchA] habp server vlan 1
    # Set the interval at which the switch sends HABP request packets to 50 seconds....
  • Page 248

    <SwitchA> display habp
    Global HABP information:
    HABP Mode: Server
    Sending HABP request packets every 50 seconds
    Bypass VLAN: 1
    # Display HABP MAC address table entries.
    <SwitchA> display habp table
    Holdtime Receive Port
    001f-3c00-0030 GigabitEthernet1/0/2
    001f-3c00-0031 GigabitEthernet1/0/1...
  • Page 249: Managing Public Keys

    Managing public keys
    Overview
    To protect data confidentiality during transmission, the data sender uses an algorithm and a key (a character string) to encrypt the plain text data before sending the data out, and the receiver uses the same algorithm with the help of a key to decrypt the data, as shown in Figure 77.
    Figure 77 Encryption and decryption
    The keys that participate in the conversion between the plain text and the cipher text can be the same or...
  • Page 250: Configuration Task List

    Configuration task list Public key configuration tasks enable you to manage the local asymmetric key pairs, and configure the peer host public keys on the local device. By completing these tasks, the local device is ready to work with applications such as SSH and SSL to implement data encryption/decryption, or digital signature. Complete these tasks to configure public keys: Task Remarks...
  • Page 251: Displaying Or Exporting The Local Host Public Key

    Displaying or exporting the local host public key In some applications, such as SSH, to allow your local device to be authenticated by a peer device through digital signature, you must display or export the local host public key, which will then be specified on the peer device.
  • Page 252: Destroying A Local Asymmetric Key Pair

    Exporting the host public key in a specific format to a file
    After you export and save the host public key in a specific format to a file, transfer the file to the peer device. To export and save the local host public key to a file:
    Step Command Remarks...
  • Page 253: Displaying And Maintaining Public Keys

    HP device might not be in a key. correct format. To import the host public key from a public key file to the local device:...
  • Page 254: Public Key Configuration Examples

    Task Command Remarks display public-key local { dsa | rsa } public Display the local public keys. [ | { begin | exclude | include } Available in any view regular-expression ] display public-key peer [ brief | name Display the specified or all peer publickey-name ] [ | { begin | exclude | Available in any view public keys on the local device.
  • Page 255 Time of Key pair created: 09:50:06 2012/03/07 Key name: HOST_KEY Key type: RSA Encryption Key ===================================================== Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F 814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E7 66BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA32647 0034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001 ===================================================== Time of Key pair created: 09:50:07 2012/03/07 Key name: SERVER_KEY Key type: RSA Encryption Key ===================================================== Key code: 307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87 BB6158E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B44 90DACBA3CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0...
  • Page 256: Importing A Peer Public Key From A Public Key File

    The output shows that the host public key of Device A saved on Device B is consistent with the one created on Device A. Importing a peer public key from a public key file Network requirements As shown in Figure 79, to prevent illegal access, Device B (the local device) authenticates Device A (the peer device) through a digital signature.
  • Page 257 Time of Key pair created: 09:50:07 2012/03/07 Key name: SERVER_KEY Key type: RSA Encryption Key ===================================================== Key code: 307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87 BB6158E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B44 90DACBA3CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0 203010001 # Export the RSA host public key HOST_KEY to a file named devicea.pub. [DeviceA] public-key local export rsa ssh2 devicea.pub On Device A, enable the FTP server function, create an FTP user with the username ftp, password 123, and user level 3.
  • Page 258 Key Name : devicea Key Type : RSA Key Module: 1024 ===================================== Key Code: 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F 814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E7 66BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA32647 0034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001 The output shows that the host public key of Device A saved on Device B is consistent with the one created on Device A.
  • Page 259: Configuring Pki

    With digital certificates, the PKI system provides network communication and e-commerce with security services such as user authentication, data non-repudiation, data confidentiality, and data integrity. HP's PKI system provides certificate management for Secure Sockets Layer (SSL). PKI terms •...
  • Page 260: Pki Architecture

    such as phone, disk, and email. As different CAs might use different methods to examine the binding of a public key with an entity, make sure that you understand the CA policy before selecting a trusted CA for certificate request. PKI architecture A PKI system consists of entities, a CA, a registration authority (RA) and a PKI repository.
  • Page 261: Pki Applications

    An entity submits a certificate request to the RA. The RA reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the CA. The CA verifies the digital signature, approves the application, and issues a certificate. The RA receives the certificate from the CA, sends it to the LDAP server or other distribution point to provide directory navigation service, and notifies the entity that the certificate is successfully issued.
  • Page 262: Configuring An Entity Dn

    Task Remarks Optional. Deleting a certificate Optional. Configuring an access control policy Configuring an entity DN A certificate is the binding of a public key and the identity information of an entity, where the identity information is identified by an entity distinguished name (DN). A CA identifies a certificate applicant uniquely by entity DN.
  • Page 263: Configuring A Pki Domain

    Step Command Remarks Optional. Configure the locality for the locality locality-name entity. No locality is specified by default. Optional. Configure the organization organization org-name No organization is specified by name for the entity. default. Optional. Configure the unit name for organization-unit org-unit-name the entity.
  • Page 264: Configuration Guidelines

    Configuration guidelines
    • Up to two PKI domains can be created on a switch.
    • The CA name is required only when you retrieve a CA certificate. It is not used in local certificate requests.
    • The certificate request URL does not support domain name resolution....
  • Page 265: Submitting A Certificate Request In Auto Mode

    An online certificate request can be submitted in manual mode or auto mode. Submitting a certificate request in auto mode IMPORTANT: In auto mode, an entity does not automatically re-request a certificate to replace a certificate that is expiring or has expired. After the certificate expires, the service using the certificate might be interrupted. In auto mode, an entity automatically requests a certificate from the CA server through SCEP if it has no local certificate for an application working with PKI, and then retrieves the certificate and saves the certificate locally.
  • Page 266: Retrieving A Certificate Manually

    request-certificate domain command with the pkcs10 keyword. To save the request information to a local file, use the pki request-certificate domain command with the pkcs10 filename filename option. • Make sure the clocks of the entity and the CA are synchronous. Otherwise, the validity period of the certificate will be abnormal.
  • Page 267: Configuration Procedure

    • The configuration made by the pki retrieval-certificate command is not saved in the configuration file.
    • Make sure the switch’s system time falls in the validity period of the certificate so that the certificate is valid.
    Configuration procedure
    To retrieve a certificate manually:
    Step Command Remarks...
  • Page 268: Configuring Crl-Checking-Disabled Pki Certificate Verification

    Step Command Remarks Optional. By default, the CRL update period Set the CRL update period. crl update-period hours depends on the next update field in the CRL file. Optional. Enable CRL checking. crl check enable Enabled by default. Return to system view. quit "Retrieving a certificate Retrieve the CA certificate.
  • Page 269: Deleting A Certificate

    For more information about the public-key local destroy command, see Security Command Reference. Deleting a certificate When a certificate requested manually is about to expire or you want to request a new certificate, you can delete the current local certificate or CA certificate. To delete a certificate: Step Command...
  • Page 270: Pki Configuration Examples

    Task Command Remarks display pki certificate { { ca | local } domain domain-name | Display the contents or request request-status } [ | { begin | Available in any view status of a certificate. exclude | include } regular-expression ] display pki crl domain Display CRLs.
  • Page 271 Configure extended attributes: After configuring the basic attributes, perform configuration on the jurisdiction configuration page of the CA server. This includes selecting the proper extension profiles, enabling the SCEP autovetting function, and adding the IP address list for SCEP autovetting. Configure the CRL distribution behavior: After completing the configuration, you must perform CRL related configurations.
  • Page 272

    Apply for certificates:
    # Retrieve the CA certificate and save it locally.
    [Device] pki retrieval-certificate ca domain torsa
    Retrieving CA/RA certificates. Please wait a while..
    The trusted CA's finger print is:
    fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB
    SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8
    Is the finger print correct?(Y/N):y
    Saving CA/RA certificates chain, please wait a moment..
  • Page 273: Certificate Request From A Windows 2003 Ca Server

    00D67D50 41046F6A 43610335 CA6C4B11 F8F89138 E4E905BD 43953BA2 623A54C0 EA3CB6E0 B04649CE C9CDDD38 34015970 981E96D9 FF4F7B73 A5155649 E583AC61 D3A5C849 CBDE350D 2A1926B7 0AE5EF5E D1D8B08A DBF16205 7C2A4011 05F11094 73EB0549 A65D9E74 0F2953F2 D4F0042F 19103439 3D4F9359 88FB59F3 8D4B2F6C Exponent: 65537 (0x10001) X509v3 extensions: X509v3 CRL Distribution Points: URI:http://4.4.4.133:447/myca.crl Signature Algorithm: sha1WithRSAEncryption 836213A4 F2F74C1A 50F4100D B764D6CE...
  • Page 274 After the SCEP add-on installation completes, a URL is displayed, which you must configure on the switch as the URL of the server for certificate registration. Modify the certificate service attributes: Select Control Panel > Administrative Tools > Certificate Authority from the start menu. If the CA server and SCEP add-on have been installed successfully, there should be two certificates issued by the CA to the RA.
  • Page 275 Press CTRL+C to abort. Input the bits in the modulus [default = 1024]: Generating Keys... ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++ Apply for certificates: # Retrieve the CA certificate and save it locally. [Device] pki retrieval-certificate ca domain torsa Retrieving CA/RA certificates. Please wait a while..The trusted CA's finger print is: fingerprint:766C D2C8 9E46 845B 4DCE 439C 1C1F 83AB SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4...
  • Page 276: Certificate Attribute Access Control Policy Configuration Example

    Modulus (1024 bit): 00A6637A 8CDEA1AC B2E04A59 F7F6A9FE 5AEE52AE 14A392E4 E0E5D458 0D341113 0BF91E57 FA8C67AC 6CE8FEBB 5570178B 10242FDD D3947F5E 2DA70BD9 1FAF07E5 1D167CE1 FC20394F 476F5C08 C5067DF9 CB4D05E6 55DC11B6 9F4C014D EA600306 81D403CF 2D93BC5A 8AF3224D 1125E439 78ECEFE1 7FA9AE7B 877B50B8 3280509F Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: B68E4107 91D7C44C 7ABCE3BA 9BF385F8 A448F4E1 X509v3 Authority Key Identifier:...
  • Page 277 Figure 83 Network diagram Configuration procedure The configuration procedure involves SSL configuration and HTTPS configuration. For more information about SSL configuration, see "Configuring SSL." For more information about HTTPS configuration, see Fundamentals Configuration Guide. The PKI domain to be referenced by the SSL policy must exist. For how to configure a PKI domain, see "Configure the PKI domain:."...
  • Page 278: Troubleshooting Pki

    Apply the SSL server policy and certificate attribute access control policy to HTTPS service and enable HTTPS service:
    # Apply SSL server policy myssl to HTTPS service.
    [Device] ip https ssl-server-policy myssl
    # Apply the certificate attribute access control policy of myacp to HTTPS service.
    [Device] ip https certificate access-control-policy myacp
    # Enable HTTPS service....
  • Page 279: Failed To Retrieve Crls

    Solution
    • Make sure the network connection is physically proper.
    • Retrieve a CA certificate.
    • Regenerate a key pair.
    • Specify a trusted CA.
    • Use the ping command to verify that the RA server is reachable.
    • Specify the authority for certificate request....
  • Page 280: Configuring Ipsec

    Configuring IPsec The term "router" in this document refers to both routers and switches. A switch in IRF mode does not support IPsec automatic negotiation. IKE configuration is available only for the switches in FIPS mode. For more information about FIPS mode, see "Configuring FIPS."...
  • Page 281 encryption algorithms such as Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES), and authentication algorithms such as MD5 and SHA-1. The authentication function is optional to ESP. Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger....
  • Page 282 Figure 84 Encapsulation by security protocols in different modes Authentication algorithms and encryption algorithms Authentication algorithms IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. IPsec peers respectively calculate message digests for each packet. If the resulting digests are identical, the packet is considered intact.
  • Page 283: Ipsec For Ipv6 Routing Protocols

    IPsec for IPv6 routing protocols You can use IPsec to protect routing information and defend against attacks for these IPv6 routing protocols: OSPFv3, IPv6 BGP, and RIPng. IPsec enables these IPv6 routing protocols to encapsulate outbound protocol packets and de-encapsulate inbound protocol packets with the AH or ESP protocol. If an inbound protocol packet is not IPsec protected, or fails to be de-encapsulated, for example, due to decryption or authentication failure, the routing protocol discards that packet.
  • Page 284: Acl-Based Ipsec Configuration Task List

    protected traffic, ACL rules that match traffic forwarded through the device do not take effect. For example, an IPsec tunnel can protect log messages the device sends to a log server, but it cannot protect traffic that is forwarded by the device for two hosts, even if the host-to-host traffic matches an ACL permit rule.
  • Page 285 IP address and the source IP address specified in the rule to match the source IP address and the destination IP address of the traffic.
    • In the outbound direction, if a permit statement is matched, IPsec considers that the packet requires...
  • Page 286: Configuring An Ipsec Proposal

    NOTE: To use IPsec in combination with QoS, make sure IPsec's ACL classification rules match the QoS classification rules. If the rules do not match, QoS may classify the packets of one IPsec SA to different queues, causing packets to be sent out of order. When the anti-replay function is enabled, IPsec will discard the packets beyond the anti-replay window in the inbound direction, resulting in packet loss.
  • Page 287: Configuring An Ipsec Policy

    NOTE:
    • Changes to an IPsec proposal affect only SAs negotiated after the changes. To apply the changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up using the updated parameters....
  • Page 288 Before you configure a manual IPsec policy, configure ACLs used for identifying protected traffic and IPsec transform sets. ACLs are not required for IPsec policies for an IPv6 protocol. To configure a manual IPsec policy: Step Command Remarks Enter system view. system-view Create a manual IPsec ipsec policy policy-name...
  • Page 289 Step Command Remarks • Configure an authentication key in hexadecimal for AH: sa authentication-hex { inbound | outbound } ah [ cipher string-key | simple hex-key ] • Configure an authentication key in characters for AH: Configure keys properly for the security sa string-key { inbound | protocol (AH or ESP) you have specified.
  • Page 290

    • An SA uses the global lifetime settings when it is not configured with lifetime settings in IPsec policy view.
    • When negotiating to set up SAs, IKE uses the local lifetime settings or those proposed by the peer, whichever are smaller....
  • Page 291: Applying An Ipsec Policy Group To An Interface

    the expected IPsec tunnel. If no match is found, no SA can be set up and the packets expecting to be protected will be dropped. During IKE negotiation for an IPsec policy with PFS enabled, an additional key exchange is performed. If the local end uses PFS, the remote end must also use PFS for negotiation and both ends must use the same DH group.
  • Page 292: Enabling Acl Checking Of De-Encapsulated Ipsec Packets

    according to the original IPsec process: search the policy group or policy at the interface, and then the matched tunnel. The session processing mechanism of IPsec saves intermediate matching procedures, improving the IPsec forwarding efficiency. To set the IPsec session idle timeout: Step Command Remark...
  • Page 293: Configuring Packet Information Pre-Extraction

    Step                                            Command                          Remarks
    Enter system view.                              system-view
    Enable IPsec anti-replay checking.              ipsec anti-replay check          Optional. Enabled by default.
    Set the size of the IPsec anti-replay window.   ipsec anti-replay window width   Optional. 32 by default.

    CAUTION:
    • IPsec anti-replay checking is enabled by default. Do not disable it unless it needs to be disabled....
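
    The anti-replay window from the Page 286 and Page 293 excerpts above, as an added example that is not part of the HP manual and not the switch's implementation: a generic sliding-window check run over constructed traffic in which every fourth packet sits in a slower QoS queue. The class and function names, the traffic model, and the delays of 20 and 40 packet slots are assumptions; only the default width of 32 comes from the page.

```python
from collections import Counter

DEFAULT_WINDOW = 32  # default anti-replay window width stated in the excerpt


class AntiReplayWindow:
    """Generic receiver-side sliding window over IPsec sequence numbers.

    Illustrative model only (assumption): a real receiver updates the window
    after the packet's integrity check has passed.
    """

    def __init__(self, width=DEFAULT_WINDOW):
        self.width = width
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def check(self, seq):
        """Classify one inbound sequence number and update the window."""
        if seq < 1:
            return "invalid"
        if seq > self.top:
            # Packet is right of the window: slide the window forward.
            shift = seq - self.top
            if shift >= self.width:
                self.bitmap = 1
            else:
                mask = (1 << self.width) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.width:
            # Left of the window: discarded even though it is a genuine packet.
            return "too-old"
        if (self.bitmap >> offset) & 1:
            return "replay"
        self.bitmap |= 1 << offset
        return "accept"


def arrival_order(total, delay, low_every=4):
    """Constructed traffic: every low_every-th packet is queued in a slower
    class and arrives `delay` packet slots late (hypothetical QoS mismatch)."""
    def slot(seq):
        return seq + (delay if seq % low_every == 0 else 0)
    return sorted(range(1, total + 1), key=lambda s: (slot(s), s))


def receive(arrivals, width=DEFAULT_WINDOW):
    """Feed sequence numbers through one window and count the verdicts."""
    window = AntiReplayWindow(width)
    return Counter(window.check(seq) for seq in arrivals)


if __name__ == "__main__":
    for delay in (20, 40):
        verdicts = receive(arrival_order(200, delay))
        print(f"queue delay {delay:>2} slots, window {DEFAULT_WINDOW}: {dict(verdicts)}")

    # A captured packet sent again is rejected whether it is inside or outside the window.
    w = AntiReplayWindow()
    print([w.check(s) for s in (10, 10, 9, 50, 10)])
```

    Reordering that stays inside the window costs nothing; once one SA's packets are spread across queues that differ by more than the window width, legitimate packets are discarded in the inbound direction, which is the packet loss the NOTE on Page 286 describes.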
  • Page 294: Displaying And Maintaining Ipsec

    Task Remarks Required Applying an IPsec policy to an IPv6 routing protocol See Layer 3—IP Routing Configuration Guide. Displaying and maintaining IPsec To do… Use the command… Remarks display ipsec policy [ brief | name Display IPsec policy information policy-name [ seq-number ] ] [ | { begin | Available in any view.
  • Page 295

    Figure 85 Network diagram
    Configuration procedure
    Configure Switch A:
    # Assign an IP address to VLAN-interface 1.
    <SwitchA> system-view
    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] ip address 2.2.2.1 255.255.255.0
    [SwitchA-Vlan-interface1] quit
    # Define an ACL to identify data flows from Switch A to Switch B.
    [SwitchA] acl number 3101
    [SwitchA-acl-adv-3101] rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0
    [SwitchA-acl-adv-3101] rule 5 permit ip source 2.2.3.1 0 destination 2.2.2.1 0...
  • Page 296

    [SwitchA-Vlan-interface1] ipsec policy map1
    Configure Switch B:
    # Assign an IP address to VLAN-interface 1.
    <SwitchB> system-view
    [SwitchB] interface vlan-interface 1
    [SwitchB-Vlan-interface1] ip address 2.2.3.1 255.255.255.0
    [SwitchB-Vlan-interface1] quit
    # Define an ACL to identify data flows from Switch B to Switch A.
    [SwitchB] acl number 3101
    [SwitchB-acl-adv-3101] rule 0 permit ip source 2.2.3.1 0 destination 2.2.2.1 0
    [SwitchB-acl-adv-3101] rule 5 permit ip source 2.2.2.1 0 destination 2.2.3.1 0...
  • Page 297: Ipsec For Ripng Configuration Example

    IPsec for RIPng configuration example The IPsec configuration procedures for protecting OSPFv3 and IPv6 BGP are similar. For more information about RIPng, OSPFv3, and IPv6 BGP, see Layer 3—IP Routing Configuration Guide. Network requirements As shown in Figure 86, Switch A, Switch B, and Switch C are connected. They learn IPv6 routing information through RIPng.
  • Page 298

    [SwitchA] ipsec policy policy001 10 manual
    [SwitchA-ipsec-policy-manual-policy001-10] proposal tran1
    [SwitchA-ipsec-policy-manual-policy001-10] sa spi outbound esp 123456
    [SwitchA-ipsec-policy-manual-policy001-10] sa spi inbound esp 123456
    [SwitchA-ipsec-policy-manual-policy001-10] sa string-key outbound esp abcdefg
    [SwitchA-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg
    [SwitchA-ipsec-policy-manual-policy001-10] quit
    # Apply IPsec policy policy001 to the RIPng process.
    [SwitchA] ripng 1
    [SwitchA-ripng-1] enable ipsec-policy policy001
    [SwitchA-ripng-1] quit...
  • Page 299

    # Assign an IPv6 address to each interface. (Details not shown)
    # Create a RIPng process and enable it on VLAN-interface 200.
    <SwitchC> system-view
    [SwitchC] ripng 1
    [SwitchC-ripng-1] quit
    [SwitchC] interface vlan-interface 200
    [SwitchC-Vlan-interface200] ripng 1 enable
    [SwitchC-Vlan-interface200] quit
    # Create an IPsec proposal named tran1, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and authentication algorithm to SHA1-HMAC-96.
  • Page 300

    IPsec policy name: policy001, SPI: 123456
    Using the display ipsec sa command on Switch A, you will see the information about the inbound and outbound SAs.
    <SwitchA> display ipsec sa
    ===============================
    Protocol: RIPng
    ===============================
    -----------------------------
    IPsec policy name: "policy001"
    sequence number: 10
    mode: manual
    -----------------------------
    connection id: 1...
  • Page 301: Configuring Ike

    Configuring IKE This feature is applicable only to the switches in FIPS mode. For more information about FIPS mode, see "Configuring FIPS." FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
  • Page 302: Ike Operation

    IKE operation
    IKE negotiates keys and establishes SAs for IPsec in two phases:
    Phase 1—The two peers establish an ISAKMP SA, a secure, authenticated channel for communication.
    Phase 2—Using the ISAKMP SA established in phase 1, the two peers negotiate to establish IPsec SAs.
  • Page 303: Relationship Between Ike And Ipsec

    Relationship between IKE and IPsec
    Figure 88 Relationship between IKE and IPsec
    Figure 88 illustrates the relationship between IKE and IPsec:
    • IKE is an application layer protocol using UDP and functions as the signaling protocol of IPsec.
    • IKE negotiates SAs for IPsec and delivers negotiated parameters and generated keys to IPsec.
    •...
  • Page 304: Configuring A Name For The Local Security Gateway

    Task Remarks Configuring an IKE peer Required. Setting keepalive timers Optional. Setting the NAT keepalive timer Optional. Configuring a DPD detector Optional. Disabling next payload field checking Optional. Configuring a name for the local security gateway If the IKE negotiation peer uses the security gateway name as its ID to initiate IKE negotiation (the id-type name or id-type user-fqdn command is configured on the initiator), configure the ike local-name command in system view or the local-name command in IKE peer view on the local device.
  • Page 305: Configuring An Ike Peer

    Step Command Remarks Specify an encryption Optional. encryption-algorithm aes-cbc algorithm for the IKE [ key-length ] The default is AES-CBC-128. proposal. Optional. Specify an authentication authentication-method { pre-share method for the IKE proposal. | rsa-signature } Pre-shared key by default. Specify an authentication Optional.
  • Page 306 Step Command Remarks Enter system view. system-view Create an IKE peer and enter ike peer peer-name IKE peer view. Optional. Specify the IKE negotiation exchange-mode main mode for phase 1. The default is main. Optional. By default, an IKE peer references Specify the IKE proposals for no IKE proposals, and, when proposal proposal-number&<1-6>...
  • Page 307: Setting Keepalive Timers

    Step Command Remarks Optional. No DPD detector is applied to an Apply a DPD detector to the IKE peer by default. dpd dpd-name IKE peer. For more information about DPD configuration, see "Configuring a detector." NOTE: After modifying the configuration of an IPsec IKE peer, execute the reset ipsec sa and reset ike sa commands to clear existing IPsec and IKE SAs.
  • Page 308: Configuring A Dpd Detector

    Step | Command | Remarks
    Set the NAT keepalive interval. | ike sa nat-keepalive-timer interval seconds | 20 seconds by default.
    Configuring a DPD detector
    Dead peer detection (DPD) irregularly detects dead IKE peers. It works as follows: When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer....
  • Page 309: Displaying And Maintaining Ike

    Displaying and maintaining IKE Task Command Remarks display ike dpd [ dpd-name ] [ | { begin | Display IKE DPD information Available in any view. exclude | include } regular-expression ] display ike peer [ peer-name ] [ | { begin | Display IKE peer information Available in any view.
  • Page 310

    [SwitchA] ipsec proposal tran1
    # Set the packet encapsulation mode to tunnel.
    [SwitchA-ipsec-proposal-tran1] encapsulation-mode tunnel
    # Use security protocol ESP.
    [SwitchA-ipsec-proposal-tran1] transform esp
    # Specify encryption and authentication algorithms.
    [SwitchA-ipsec-proposal-tran1] esp encryption-algorithm aes 128
    [SwitchA-ipsec-proposal-tran1] esp authentication-algorithm sha1
    [SwitchA-ipsec-proposal-tran1] quit
    # Create an IKE proposal numbered 10.
  • Page 311

    [SwitchB] interface Vlan-interface1
    [SwitchB-Vlan-interface1] ip address 2.2.2.2 255.255.255.0
    [SwitchB-Vlan-interface1] quit
    # Configure ACL 3101 to identify traffic from Switch B to Switch A.
    [SwitchB] acl number 3101
    [SwitchB-acl-adv-3101] rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.0 0
    [SwitchB-acl-adv-3101] rule 1 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
    [SwitchB-acl-adv-3101] quit
    # Create IPsec proposal tran1.
  • Page 312: Troubleshooting Ike

    # Reference IKE peer peer.
    [SwitchB-ipsec-policy-isakmp-use1-10] ike-peer peer
    [SwitchB-ipsec-policy-isakmp-use1-10] quit
    # Apply the IPsec policy to VLAN-interface 1.
    [SwitchB-Vlan-interface1] ipsec policy use1
    Verifying the configuration
    After the above configuration, send traffic from Switch B to Switch A. Switch A starts IKE negotiation with Switch B when receiving the first packet.
  • Page 313: Failing To Establish An Ipsec Tunnel

    Solution For the negotiation in phase 1, look up the IKE proposals for a match. For the negotiation in phase 2, check whether the parameters of the IPsec policies applied on the interfaces are matched, and whether the referred IPsec proposals have a match in protocol, encryption and authentication algorithms. Failing to establish an IPsec tunnel Symptom The expected IPsec tunnel cannot be established.
  • Page 314: Configuring Ssh2.0

    Configuring SSH2.0 Overview Secure Shell (SSH) offers an approach to logging in to a remote device securely. Using encryption and strong authentication, SSH protects devices against attacks such as IP spoofing and plain text password interception. The switch can not only work as an SSH server to support connections with SSH clients, but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server.
  • Page 315 After receiving the packet, the client resolves the packet and compares the server’s protocol version number with that of its own. If the server’s protocol version is lower and supportable, the client uses the protocol version of the server; otherwise, the client uses its own protocol version. In either case, the client sends a packet to the server to notify the server of the protocol version that it decides to use.
  • Page 316: Ssh Connection Across Vpns

    In the interaction stage, you can paste commands in text format and execute them at the CLI. The text pasted at one time must be within 2000 bytes. HP recommends that you paste commands in the same view. Otherwise, the server might not be able to execute the commands correctly.
  • Page 317: Fips Compliance

    connections with CEs in different VPNs that are enabled with the SSH server function to implement secure access to the CEs and secure transfer of log file. Figure 90 Network diagram FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
  • Page 318: Enabling The Ssh Server Function

    • When an SSH user logs in to the switch, RSA key pairs can be automatically generated if no local DSA or RSA key pairs are configured on the switch.
    • The public-key local create rsa command generates a server RSA key pair and a host RSA key pair.
    •...
  • Page 319: Configuring A Client Public Key

    Before importing the public key, you must upload the public key file (in binary) to the server through FTP or TFTP.
    NOTE: HP recommends that you configure a client public key by importing it from a public key file. For more information about client public key configuration, see "Managing public keys."...
  • Page 320: Configuring An Ssh User

    Importing a client public key from a public key file
    Step | Command
    Enter system view. | system-view
    Import the public key from a public key file. | public-key peer keyname import sshkey filename
    Configuring an SSH user
    To configure an SSH user that uses publickey authentication, you must perform the procedure in this section....
  • Page 321: Setting The Ssh Management Parameters

    Configuration procedure To configure an SSH user and specify the service type and authentication method: Step Command Remarks Enter system system-view view. • For Stelnet users: In non-FIPS mode: ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname } In FIPS mode: Create an SSH...
  • Page 322: Setting The Dscp Value For Packets Sent By The Ssh Server

    Step Command Remarks Optional. By default, the SSH server supports Enable the SSH server to ssh server compatible-ssh1x SSH1 clients. support SSH1 clients. [ enable ] This command is not available in FIPS mode. Optional. By default, the interval is 0, and the Set the RSA server key pair ssh server rekey-interval hours RSA server key pair is not updated.
  • Page 323: Specifying A Source Ip Address/Interface For The Ssh Client

    Task Remarks Establishing a connection between the SSH client and server Required Setting the DSCP value for packets sent by the SSH client Optional Specifying a source IP address/interface for the SSH client This configuration task allows you to specify a source IP address or interface for the client to access the SSH server, improving service manageability.
  • Page 324: Establishing A Connection Between The Ssh Client And Server

    To disable first-time authentication: Step Command Remarks Enter system view. system-view Disable first-time By default, first-time authentication undo ssh client first-time authentication support. is supported on a client. The method for configuring the Configure the server host "Configuring a client public server host public key on the client public key.
  • Page 325: Setting The Dscp Value For Packets Sent By The Ssh Client

    Setting the DSCP value for packets sent by the SSH client A field in an IPv4 or IPv6 header contains 8 bits and is used to identify the service type of an IP packet. In an IPv4 packet, this field is called "Type of Service (ToS)." In an IPv6 packet, this field is called "Traffic class."...
  • Page 326: Ssh Server Configuration Examples

    For more information about the display public-key local and display public-key peer commands, see Security Command Reference. SSH server configuration examples Unless otherwise noted, devices in the configuration examples are operating in non-FIPS mode. When the switch acts as a server for password authentication Network requirements As shown in Figure...
  • Page 327

    # Configure an IP address for VLAN-interface 1. This address will serve as the destination of the SSH connection.
    [Switch] interface vlan-interface 1
    [Switch-Vlan-interface1] ip address 192.168.1.40 255.255.255.0
    [Switch-Vlan-interface1] quit
    # Set the authentication mode for the user interfaces to AAA.
    [Switch] user-interface vty 0 15
    [Switch-ui-vty0-15] authentication-mode scheme
    # Enable the user interfaces to support SSH.
  • Page 328: When The Switch Acts As A Server For Publickey Authentication

    Figure 92 Specifying the host name (or IP address) Click Open to connect to the server. If the connection is normal, you will be prompted to enter the username and password. After entering the username (client001) and password (aabbcc), you can enter the configuration interface of the server.
  • Page 329 Generate the RSA key pairs on the SSH client: Run PuTTYGen.exe, select SSH-2 RSA and click Generate. Figure 94 Generating the key pair on the client When the generator is generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar shown in Figure 95.
  • Page 330 Figure 95 Generating process After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key. Figure 96 Saving the key pair on the client...
  • Page 331 Click Save private key to save the private key. A warning window pops up to prompt you whether to save the private key without any protection. Click Yes and enter the name of the file for saving the key (private.ppk in this case). Transmit the public key file to the server through FTP or TFTP.
  • Page 332

    # Specify the authentication method for user client002 as publickey, and assign the public key Switch001 to the user.
    [Switch] ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001
    Specify the private key file and establish a connection to the SSH server:
    Launch PuTTY.exe to enter the interface as shown in Figure
    In the Host Name (or IP address) text box, enter the IP address of the server 192.168.1.40.
  • Page 333: Ssh Client Configuration Examples

    Figure 98 Specifying the private key file Click Open to connect to the server. If the connection is normal, you will be prompted to enter the username. After entering the username (client002), you can enter the configuration interface of the server. SSH client configuration examples Unless otherwise noted, devices in the configuration examples are operating in non-FIPS mode.
  • Page 334

    # Generate the RSA key pairs.
    <SwitchB> system-view
    [SwitchB] public-key local create rsa
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is greater than 512,
    It will take a few minutes.
    Press CTRL+C to abort.
    Input the bits of the modulus[default = 1024]:
    Generating Keys...
  • Page 335

    # Configure an IP address for VLAN-interface 1.
    <SwitchA> system-view
    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
    [SwitchA-Vlan-interface1] quit
    [SwitchA] quit
    # Establish a connection between the SSH client and the SSH server:
    If the client supports first-time authentication, you can directly establish a connection from the client to the server.
  • Page 336: When Switch Acts As Client For Publickey Authentication

    [SwitchA-pkey-key-code]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465E 8716261214A5A3B493E866991113B2D
    [SwitchA-pkey-key-code]485348
    [SwitchA-pkey-key-code] public-key-code end
    [SwitchA-pkey-public-key] peer-public-key end
    # Specify the host public key for the SSH server 10.165.87.136 as key1.
    [SwitchA] ssh client authentication server 10.165.87.136 assign publickey key1
    [SwitchA] quit
    # Establish an SSH connection to server 10.165.87.136.
    <SwitchA>...
  • Page 337

    +++++++++++++++++++++++++++++++++++
    # Export the DSA public key to file key.pub.
    [SwitchA] public-key local export dsa ssh2 key.pub
    [SwitchA] quit
    Then, transmit the public key file to the server through FTP or TFTP.
    Configure the SSH server:
    # Generate the RSA key pairs.
    <SwitchB>...
  • Page 338

    # Specify the authentication method for user client002 as publickey, and assign the public key Switch001 to the user.
    [SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001
    Establish an SSH connection to the server 10.165.87.136.
    <SwitchA> ssh2 10.165.87.136
    Username: client002
    Trying 10.165.87.136 ...
  • Page 339: Configuring Sftp

    Configuring SFTP Overview The Secure File Transfer Protocol (SFTP) is a new feature in SSH2.0. SFTP uses the SSH connection to provide secure data transfer. The switch can serve as the SFTP server, allowing a remote user to log in to the SFTP server for secure file management and transfer. The switch can also serve as an SFTP client, enabling a user to log in from the switch to a remote device for secure file transfer.
  • Page 340: Configuring The Sftp Connection Idle Timeout Period

    To enable the SFTP server:
    Step | Command | Remarks
    Enter system view. | system-view |
    Enable the SFTP server. | sftp server enable | Disabled by default.
    Configuring the SFTP connection idle timeout period
    Once the idle period of an SFTP connection exceeds the specified threshold, the system automatically tears the connection down....
  • Page 341: Working With Sftp Directories

    Task Command Remarks • Establish a connection to the remote IPv4 SFTP server and enter SFTP client view: In non-FIPS mode: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 |...
  • Page 342: Working With Sftp Files

    Step Command Remarks Display the current working directory of the remote SFTP Optional. server. Optional. • dir [ -a | -l ] [ remote-path ] Display files under a The dir command functions as the directory. • ls [ -a | -l ] [ remote-path ] ls command.
  • Page 343: Displaying Help Information

    Displaying help information This configuration task will display a list of all commands or the help information of an SFTP client command, such as the command format and parameters. To display a list of all commands or the help information of an SFTP client command: Step Command Remarks...
  • Page 344: Sftp Client Configuration Example

    SFTP client configuration example Unless otherwise noted, devices in the configuration example are operating in non-FIPS mode. Network requirements As shown in Figure 101, an SSH connection is required between Switch A and Switch B. Switch A, an SFTP client, needs to log in to Switch B for file management and file transfer. Use publickey authentication and the RSA public key algorithm.
  • Page 345

    Press CTRL+C to abort.
    Input the bits of the modulus[default = 1024]:
    Generating Keys...
    ++++++++
    ++++++++++++++
    +++++
    ++++++++
    # Generate a DSA key pair.
    [SwitchB] public-key local create dsa
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is greater than 512,
    It will take a few minutes.
  • Page 346

    The Server is not authenticated. Continue? [Y/N]:y
    Do you want to save the server public key? [Y/N]:n
    sftp-client>
    # Display files under the current directory of the server, delete the file named z, and check if the file has been deleted successfully.
    sftp-client>...
  • Page 347: Sftp Server Configuration Example

    Remote file:/pubkey2 ---> Local file: public
    Downloading file successfully ended
    # Upload the local file pu to the server, save it as puk, and check if the file has been uploaded successfully.
    sftp-client> put pu puk
    Local file:pu ---> Remote file: /puk
    Uploading file successfully ended
    sftp-client>...
  • Page 348

    Input the bits of the modulus[default = 1024]:
    Generating Keys...
    ++++++++
    ++++++++++++++
    +++++
    ++++++++
    # Generate a DSA key pair.
    [Switch] public-key local create dsa
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is greater than 512,
    It will take a few minutes.
  • Page 349 Run the psftp.exe to launch the client interface as shown in Figure 103, and enter the following command: open 192.168.1.45 Enter username client002 and password aabbcc as prompted to log in to the SFTP server. Figure 103 SFTP client interface...
  • Page 350: Configuring Scp

    Configuring SCP Overview Secure copy (SCP) is based on SSH2.0 and offers a secure approach to copying files. SCP uses SSH connections for copying files. The switch can act as the SCP server, allowing a user to log in to the switch for file upload and download. The switch can also act as an SCP client, enabling a user to log in from the switch to a remote server for secure file transfer.
  • Page 351: Configuring The Switch As The Scp Client

    Configuring the switch as the SCP client To upload or download files to or from an SCP server: Step Command Remarks • Upload a file to the IPv4 SCP server: In non-FIPS mode: scp server [ port-number ] put source-file-path [ destination-file-path ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex...
  • Page 352: Scp Client Configuration Example

    Step Command Remarks • Download a file from the remote IPv4 SCP server: In non-FIPS mode: scp server [ port-number ] get source-file-path [ destination-file-path ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac...
  • Page 353: Scp Server Configuration Example

    Configuration procedure
    # Create VLAN-interface 1 and assign an IP address to it.
    <SwitchA> system-view
    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] ip address 192.168.0.2 255.255.255.0
    [SwitchA-Vlan-interface1] quit
    # Download the file remote.bin from the SCP server, save it locally and change the file name to local.bin.
    <SwitchA>...
  • Page 354

    # Generate the DSA key pair.
    [Switch] public-key local create dsa
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is greater than 512,
    It will take a few minutes.
    Press CTRL+C to abort.
    Input the bits of the modulus[default = 1024]:
    Generating Keys...
  • Page 355: Configuring Ssl

    Configuring SSL Overview Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols such as Hypertext Transfer Protocol (HTTP). It is widely used in e-business and online banking to ensure secure data transmission over the Internet. SSL security mechanism Secure connections provided by SSL have these features: Confidentiality—SSL uses a symmetric encryption algorithm to encrypt data and uses the key...
  • Page 356: Fips Compliance

    Figure 107 SSL protocol stack
    • SSL record protocol—Fragments data to be transmitted, computes and adds MAC to the data, and encrypts the data before transmitting it to the peer end.
    • SSL handshake protocol—Negotiates the cipher suite to be used for secure communication (including the symmetric encryption algorithm, key exchange algorithm, and MAC algorithm), securely exchanges the key between the server and client, and implements identity authentication of the server and client....
  • Page 357 Step Command Remarks Enter system view. system-view Create an SSL server policy ssl server-policy policy-name and enter its view. Optional. By default, no PKI domain is specified for an SSL server policy. The SSL server generates a certificate itself instead of requesting one from the CA.
  • Page 358: Ssl Server Policy Configuration Example

    Step | Command | Remarks
    Enable the SSL server to perform digital certificate-based authentication for SSL clients. | client-verify enable | Optional. By default, the SSL server does not require clients to be authenticated.
    Enable SSL client weak authentication. | client-verify weaken | Optional. Disabled by default. This command takes effect only...
  • Page 359

    [Device-pki-entity-en] common-name http-server1
    [Device-pki-entity-en] fqdn ssl.security.com
    [Device-pki-entity-en] quit
    # Create PKI domain 1, specify the trusted CA as ca server, the URL of the registration server as http://10.1.2.2/certsrv/mscep/mscep.dll, the authority for certificate request as RA, and the entity for certificate request as en.
    [Device] pki domain 1
    [Device-pki-domain-1] ca identifier ca server
    [Device-pki-domain-1] certificate request url...
  • Page 360: Configuring An Ssl Client Policy

    Configuring an SSL client policy An SSL client policy is a set of SSL parameters for a client to use when connecting to the server. An SSL client policy takes effect only after it is associated with an application layer protocol. To configure an SSL client policy: Step Command...
  • Page 361: Troubleshooting Ssl

    Task Command Remarks display ssl server-policy Display SSL server policy { policy-name | all } [ | { begin | Available in any view information. exclude | include } regular-expression ] display ssl client-policy Display SSL client policy { policy-name | all } [ | { begin | Available in any view information.
  • Page 362: Configuring Tcp Attack Protection

    Configuring TCP attack protection Overview An attacker can attack the switch during the process of establishing a TCP connection. To prevent such an attack, the switch provides the SYN Cookie feature. Enabling the SYN Cookie feature As a general rule, the establishment of a TCP connection involves the following three handshakes. The request originator sends a SYN message to the target server.
  • Page 363

    Task: Display current TCP connection state.
    Command: display tcp status [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view...
  • Page 364: Configuring Ip Source Guard

    Configuring IP source guard
    Overview
    IP source guard is intended to improve port security by blocking illegal packets. For example, it can prevent illegal hosts from using a legal IP address to access the network. IP source guard can filter packets according to the packet source IP address and source MAC address. IP source guard entries fall into the following types: •...
  • Page 365: Dynamic Ip Source Guard Binding Entries

    Global static binding entry A global static binding entry is a MAC-IP binding entry configured in system view. It is effective on all ports. A port forwards a packet when the packet’s IP address and MAC address both match those of a global static binding entry or a static binding entry configured on the port.
  • Page 366: Configuring The Ipv4 Source Guard Function

    Task Remarks Configuring IPv4 source guard on a port Required Configuring a static IPv4 source guard entry Optional Setting the maximum number of IPv4 source guard binding entries Optional Complete the following tasks to configure IPv6 source guard: Task Remarks Configuring IPv6 source guard on a port Required Configuring a static IPv6 source guard entry...
  • Page 367: Configuring A Static Ipv4 Source Guard Entry

    Step Command Remarks The term "interface" collectively refers to the following types of interface interface-type Enter interface view. ports and interfaces: Bridge mode interface-number (Layer 2) Ethernet ports, VLAN interfaces, and port groups. Optional. Enable 802.1X on the port. dot1x By default, 802.1X is disabled on the port.
  • Page 368: Setting The Maximum Number Of Ipv4 Source Guard Binding Entries

    Step | Command | Remarks
    Enter system view. | system-view |
    Configure a global static IPv4 binding entry. | ip source binding ip-address ip-address mac-address mac-address | No global static IPv4 binding entry is configured by default.
    Configuring port-based static IPv4 binding entries
    When you configure port-based static IPv4 source guard entries, follow these guidelines:
    • You cannot repeatedly configure the same static binding entry on one port, but you can configure...
  • Page 369: Configuring The Ipv6 Source Guard Function

    Step | Command | Remarks
    Enter Layer 2 Ethernet interface view. | interface interface-type interface-number |
    Configure the maximum number of IPv4 binding entries allowed on the port. | ip verify source max-entries number | Optional. By default, the maximum number of IPv4 source guard entries allowed on a port is 2048....
  • Page 370: Configuring A Static Ipv6 Source Guard Entry

    Step Command Remarks Enter Layer 2 Ethernet interface interface-type interface view, port group interface-number view. Not configured by default. The keyword specified in the ipv6 verify source command is only for instructing the generation of ipv6 verify source { ipv6-address | Configure the IPv6 source dynamic IPv6 source guard entries.
  • Page 371: Setting The Maximum Number Of Ipv6 Source Guard Entries

    • IP source guard does not use the VLAN information (if specified) in static IPv6 binding entries to filter packets.
    • When the ND detection function is configured, be sure to specify the VLAN where ND detection is configured in static binding entries. Otherwise, ND packets will be discarded because they cannot match any static IPv6 binding entry....
  • Page 372: Ip Source Guard Configuration Examples

    Task Command Remarks display ip source binding static [ interface interface-type interface-number | Display static IPv4 source guard ip-address ip-address | mac-address Available in any view entries. mac-address ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] display ip source binding [ interface interface-type interface-number | Display IPv4 source guard entries.
  • Page 373

    Figure 110 Network diagram
    Configuration procedure
    Configure Device A:
    # Configure the IPv4 source guard function on GigabitEthernet 1/0/2 to filter packets based on both the source IP address and MAC address.
    <DeviceA> system-view
    [DeviceA] interface gigabitethernet 1/0/2
    [DeviceA-GigabitEthernet1/0/2] ip verify source ip-address mac-address
    # Configure GigabitEthernet 1/0/2 to allow only IP packets with the source MAC address of 0001-0203-0405 and the source IP address of 192.168.0.3 to pass.
  • Page 374: Dynamic Ipv4 Source Guard Using Dhcp Snooping Configuration Example

    # Configure the IPv4 source guard function on GigabitEthernet 1/0/1 to filter packets based on the source IP address.
    [DeviceB] interface gigabitethernet 1/0/1
    [DeviceB-GigabitEthernet1/0/1] ip verify source ip-address
    # Configure GigabitEthernet 1/0/1 to allow only IP packets with the source IP address of 192.168.0.2 to pass.
  • Page 375: Dynamic Ipv4 Source Guard Using Dhcp Relay Configuration Example

    # Enable DHCP snooping.
    <Device> system-view
    [Device] dhcp-snooping
    # Configure port GigabitEthernet 1/0/2, which is connected to the DHCP server, as a trusted port.
    [Device] interface gigabitethernet1/0/2
    [Device-GigabitEthernet1/0/2] dhcp-snooping trust
    [Device-GigabitEthernet1/0/2] quit
    Configure the IPv4 source guard function.
    # Configure the IPv4 source guard function on port GigabitEthernet 1/0/1 to filter packets based on both the source IP address and MAC address.
  • Page 376: Static Ipv6 Source Guard Configuration Example

    Figure 112 Network diagram
    Configuration procedure
    Configure the IPv4 source guard function:
    # Configure the IP addresses of the interfaces. (Details not shown.)
    # Configure the IPv4 source guard function on VLAN-interface 100 to filter packets based on both the source IP address and MAC address.
    <Switch>...
  • Page 377: Dynamic Ipv6 Source Guard Using Dhcpv6 Snooping Configuration Example

    Figure 113 Network diagram
    Configuration procedure
    # Configure the IPv6 source guard function on GigabitEthernet 1/0/1 to filter packets based on both the source IP address and MAC address.
    <Device> system-view
    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] ipv6 verify source ipv6-address mac-address
    # Configure GigabitEthernet 1/0/1 to allow only IPv6 packets with the source MAC address of 0001-0202-0202 and the source IPv6 address of 2001::1 to pass.
  • Page 378: Dynamic Ipv6 Source Guard Using Nd Snooping Configuration Example

    Configuration procedure
    Configure DHCPv6 snooping:
    # Enable DHCPv6 snooping globally.
    <Device> system-view
    [Device] ipv6 dhcp snooping enable
    # Enable DHCPv6 snooping in VLAN 2.
    [Device] vlan 2
    [Device-vlan2] ipv6 dhcp snooping vlan enable
    [Device-vlan2] quit
    # Configure the port connecting to the DHCP server as a trusted port.
    [Device] interface gigabitethernet 1/0/2
    [Device-GigabitEthernet1/0/2] ipv6 dhcp snooping trust
    [Device-GigabitEthernet1/0/2] quit...
  • Page 379: Global Static Ip Source Guard Configuration Example

    Figure 115 Network diagram
    Configuration procedure
    Configure ND snooping:
    # In VLAN 2, enable ND snooping.
    <Device> system-view
    [Device] vlan 2
    [Device-vlan2] ipv6 nd snooping enable
    [Device-vlan2] quit
    Configure the IPv6 source guard function:
    # Configure the IPv6 source guard function on GigabitEthernet 1/0/1 to filter packets based on both the source IP address and MAC address.
  • Page 380 Figure 116 Network diagram
    Configuration procedure
    # Create VLAN 10, and add port GigabitEthernet 1/0/2 to VLAN 10.
    <DeviceB> system-view
    [DeviceB] vlan 10
    [DeviceB-vlan10] port gigabitethernet 1/0/2
    [DeviceB-vlan10] quit
    # Create VLAN 20, and add port GigabitEthernet 1/0/3 to VLAN 20.
    [DeviceB] vlan 20
    [DeviceB-vlan20] port gigabitethernet 1/0/3
    [DeviceB-vlan20] quit...
  • Page 381: Troubleshooting Ip Source Guard

    [DeviceB] ip source binding ip-address 192.168.1.2 mac-address 0001-0203-0407
    Verifying the configuration
    # Display static IPv4 binding entries on Device B.
    [DeviceB] display ip source binding static
    Total entries found: 2
    MAC Address      IP Address     VLAN   Interface   Type
    0001-0203-0406   192.168.0.2                       Static
    0001-0203-0407   192.168.1.2                       Static...
  • Page 382: Configuring Arp Attack Protection

    Configuring ARP attack protection The term "interface" in this chapter collectively refers to VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2 LAN Switching Configuration Guide).
  • Page 383: Configuring Arp Defense Against Ip Packet Attacks

    Task: Configuring ARP detection. Remarks: Optional. Configure this function on access devices (recommended).
    Task: Configuring ARP automatic scanning and fixed ARP. Remarks: Optional. Configure this function on gateways (recommended).
    Task: Configuring ARP gateway protection. Remarks: Optional. Configure this function on access devices (recommended).
    Task: Configuring ARP filtering. Remarks: Optional. Configure this function on access devices (recommended).
  • Page 384: Enabling Arp Black Hole Routing

    Enabling ARP black hole routing
    Step: Enter system view. Command: system-view
    Step: Enable ARP black hole routing. Command: arp resolving-route enable. Remarks: Optional. Enabled by default.
    Displaying and maintaining ARP defense against IP packet attacks
    Task: Display ARP source suppression... Command: display arp source-suppression [ | { begin | exclude | include }... Remarks: Available in any view...
  • Page 385: Configuring Arp Packet Rate Limit

    Configuration considerations
    If the attacking packets have the same source address, you can enable the ARP source suppression function with the following steps:
    • Enable ARP source suppression.
    • Set the threshold for ARP packets from the same source address to 100. If the number of ARP requests sourced from the same IP address in 5 seconds exceeds 100, the device suppresses the IP packets sourced from this IP address from triggering any ARP requests within the following 5 seconds.
  • Page 386: Configuring Source Mac Address Based Arp Attack Detection

    If you enable ARP packet rate limit on a Layer 2 aggregate interface, trap and log messages are sent when the ARP packet rate of a member port exceeds the preset threshold rate. To configure ARP packet rate limit: Step Command Remarks Enter system view.
  • Page 387: Displaying And Maintaining Source Mac Address Based Arp Attack Detection

    Step: Enable source MAC address based ARP attack detection and specify the detection mode. Command: arp anti-attack source-mac { filter | monitor }. Remarks: Disabled by default.
    Step: Configure the threshold. Command: arp anti-attack source-mac threshold threshold-value. Remarks: Optional. 50 by default.
    Step: Configure the age timer for... Remarks: Optional.
  • Page 388 Figure 118 Network diagram (gateway Device with ARP attack protection, connected to the IP network; Server 0012-3f86-e94c; Host A, Host B, Host C, Host D)
    Configuration considerations
    An attacker may forge a large number of ARP packets by using the MAC address of a valid host as the source MAC address.
  • Page 389: Configuring Arp Packet Source Mac Address Consistency Check

    Configuring ARP packet source MAC address consistency check Introduction The ARP packet source MAC address consistency check feature enables a gateway device to filter out ARP packets that have a different source MAC address in the Ethernet header from the sender MAC address in the message, so that the gateway device can learn correct ARP entries.
  • Page 390: Configuring Arp Detection

    Configuring ARP detection
    Introduction
    ARP detection enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks. ARP detection provides the following functions:
    • User validity check.
    • ARP packet validity check.
    • ARP restricted forwarding.
  • Page 391: Configuring Arp Packet Validity Check

    • At least the configured rules, static IP source guard binding entries, DHCP snooping entries, or 802.1X security entries must be available for user validity check. Otherwise, ARP packets received from ARP untrusted ports will be discarded, except the ARP packets with an OUI MAC address as the sender MAC address when voice VLAN is enabled.
  • Page 392: Configuring Arp Restricted Forwarding

    Step: Enter system view. Command: system-view
    Step: Enter VLAN view. Command: vlan vlan-id
    Step: Enable ARP detection for the VLAN. Command: arp detection enable. Remarks: Disabled by default.
    Step: Return to system view. Command: quit
    Step: Enable ARP packet validity check and specify the objects to... Command: arp detection validate { dst-mac | ip |... Remarks: Disabled by default.
  • Page 393: Displaying And Maintaining Arp Detection

    To configure the ARP detection logging function:
    Step: Enter system view. Command: system-view
    Step: Enable the ARP detection logging function. Command: arp detection log enable. Remarks: By default, the ARP detection logging function is enabled. This command is available only in Release 5206 and later.
    Displaying and maintaining ARP detection
    Task Command...
  • Page 394: User Validity Check And Arp Packet Validity Check Configuration Example

    Configure Switch A as a DHCP server: # Configure DHCP address pool 0. <SwitchA> system-view [SwitchA] dhcp enable [SwitchA] dhcp server ip-pool 0 [SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0 Configure Host A and Host B as 802.1X clients and configure them to upload IP addresses for ARP detection.
  • Page 395 Figure 120 Network diagram Configuration procedure Add all ports on Switch B to VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A. (Details not shown.) Configure DHCP address pool 0 on Switch A as a DHCP server. <SwitchA>...
  • Page 396: Arp Restricted Forwarding Configuration Example

    # Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.
    [SwitchB] arp detection validate dst-mac ip src-mac
    After the configurations are completed, ARP packets received on interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 have their MAC and IP addresses checked first, and then are checked against the static IP source guard binding entries and finally DHCP snooping entries.
  • Page 397: Configuring Arp Automatic Scanning And Fixed Arp

    ARP automatic scanning) into static ARP entries. The fixed ARP feature effectively prevents ARP entries from being modified by attackers. HP recommends that you use ARP automatic scanning and fixed ARP in a small-scale network such as a cybercafe.
  • Page 398: Configuration Guidelines

    Configuration guidelines
    Follow these guidelines when you configure ARP automatic scanning and fixed ARP:
    • IP addresses existing in ARP entries are not scanned.
    • ARP automatic scanning may take some time. To stop an ongoing scan, press Ctrl + C.
    • Dynamic...
  • Page 399: Configuration Procedure

    • If ARP gateway protection works with ARP detection, and ARP snooping, ARP gateway protection applies first.
    Configuration procedure
    To configure ARP gateway protection:
    Step: Enter system view. Command: system-view
    Step: Enter Layer 2 Ethernet interface view/Layer 2 aggregate interface view. Command: interface interface-type interface-number
    Step: Enable ARP gateway protection for a... Command: arp filter source ip-address...
  • Page 400: Configuring Arp Filtering

    After the configuration is complete, Switch B will discard the ARP packets whose source IP address is that of the gateway. Configuring ARP filtering To prevent gateway spoofing and user spoofing, the ARP filtering feature controls the forwarding of ARP packets on a port.
  • Page 401 Figure 123 Network diagram
    Configuration procedure
    # Configure ARP filtering on Switch B.
    <SwitchB> system-view
    [SwitchB] interface gigabitethernet 1/0/1
    [SwitchB-GigabitEthernet1/0/1] arp filter binding 10.1.1.2 000f-e349-1233
    [SwitchB-GigabitEthernet1/0/1] quit
    [SwitchB] interface gigabitethernet 1/0/2
    [SwitchB-GigabitEthernet1/0/2] arp filter binding 10.1.1.3 000f-e349-1234
    After the configuration is complete, GigabitEthernet 1/0/1 will permit incoming ARP packets with sender IP and MAC addresses as 10.1.1.2 and 000f-e349-1233, and discard other ARP packets.
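The source MAC consistency check and the per-port ARP filter bindings described above can be sketched in Python as follows. This is an added example, not HP's implementation or code from the manual; the function names, the order of the two checks, the constructed sample frames and the 10.1.1.1 address are assumptions, while the two bindings are those of the Switch B example.

```python
import ipaddress
import struct

ETH_P_ARP = 0x0806
ETH_P_8021Q = 0x8100
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, SHA, SPA, THA, TPA

# Bindings taken from the ARP filtering example: port -> (sender IP, sender MAC).
BINDINGS = {
    "GigabitEthernet1/0/1": ("10.1.1.2", "000f-e349-1233"),
    "GigabitEthernet1/0/2": ("10.1.1.3", "000f-e349-1234"),
}


def mac_str(raw: bytes) -> str:
    """Render 6 raw bytes in the xxxx-xxxx-xxxx form used by the switch CLI."""
    digits = raw.hex()
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def mac_raw(text: str) -> bytes:
    """Convert xxxx-xxxx-xxxx notation back to 6 raw bytes."""
    return bytes.fromhex(text.replace("-", ""))


def parse_arp(frame: bytes) -> dict:
    """Parse an Ethernet II frame (optionally 802.1Q tagged) carrying IPv4 ARP."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    body = frame[offset:offset + 28]
    if len(body) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, body)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {
        "eth_src": mac_str(eth_src),
        "sender_mac": mac_str(sha),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "oper": oper,
    }


def check_arp(frame: bytes, port: str, bindings=BINDINGS):
    """Return (verdict, reason) for one ARP frame received on `port`."""
    try:
        arp = parse_arp(frame)
    except ValueError as exc:
        return ("drop", f"malformed: {exc}")
    # Consistency check: Ethernet source MAC must equal the ARP sender MAC.
    if arp["eth_src"] != arp["sender_mac"]:
        return ("drop", "source MAC mismatch")
    # Filter binding: on a bound port only the bound sender IP/MAC pair passes.
    bound = bindings.get(port)
    if bound is not None and (arp["sender_ip"], arp["sender_mac"]) != bound:
        return ("drop", "sender not in port binding")
    return ("permit", "ok")


def build_arp(eth_src, sender_mac, sender_ip, target_ip, oper=1):
    """Construct a sample broadcast ARP frame (constructed test input only)."""
    eth = b"\xff" * 6 + mac_raw(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                      mac_raw(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                      b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


if __name__ == "__main__":
    port = "GigabitEthernet1/0/1"
    samples = {
        "bound host": build_arp("000f-e349-1233", "000f-e349-1233", "10.1.1.2", "10.1.1.1"),
        "forged sender MAC": build_arp("000f-e349-1233", "000f-e349-9999", "10.1.1.2", "10.1.1.1"),
        "claims another IP": build_arp("000f-e349-1233", "000f-e349-1233", "10.1.1.1", "10.1.1.3"),
    }
    for name, frame in samples.items():
        print(name, check_arp(frame, port))
```

A frame that passes the consistency check can still carry a sender IP the host does not own, which is why the binding comparison runs as a second, separate step.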
  • Page 402: Configuring Nd Attack Defense

    Configuring ND attack defense Overview The IPv6 Neighbor Discovery (ND) protocol provides rich functions, such as address resolution, neighbor reachability detection, duplicate address detection, router/prefix discovery address autoconfiguration, and redirection. However, it does not provide any security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets.
  • Page 403: Enabling Source Mac Consistency Check For Nd Packets

    • The mapping between the source IPv6 address and the source MAC address in the Ethernet frame header is invalid.
    To identify forged ND packets, HP developed the source MAC consistency check and ND detection features.
    Enabling source MAC consistency check for ND...
  • Page 404: Configuration Guidelines

    Configuration guidelines
    Follow these guidelines when you configure ND detection:
    • To create IPv6 static bindings with IP source guard, use the ipv6 source binding command. For more information, see "Configuring IP source guard."
    • The DHCPv6 snooping table is created automatically by the DHCPv6 snooping module. For more information, see Layer 3—IP Services Configuration Guide.
  • Page 405: Nd Detection Configuration Example

    ND detection configuration example Network requirements As shown in Figure 125, Host A and Host B connect to Switch A, the gateway, through Switch B. Host A has the IPv6 address 10::5 and MAC address 0001-0203-0405. Host B has the IPv6 address 10::6 and MAC address 0001-0203-0607.
  • Page 406
    [SwitchA-Vlan-interface10] ipv6 address 10::1/64
    [SwitchA-Vlan-interface10] quit
    Configuring Switch B:
    # Enable IPv6 forwarding.
    <SwitchB> system-view
    [SwitchB] ipv6
    # Create VLAN 10.
    [SwitchB] vlan 10
    [SwitchB-vlan10] quit
    # Add ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to VLAN 10.
    [SwitchB] interface gigabitethernet 1/0/1
    [SwitchB-GigabitEthernet1/0/1] port access vlan 10
    [SwitchB-GigabitEthernet1/0/1] quit
    [SwitchB] interface gigabitethernet 1/0/2...
  • Page 407: Configuring Urpf

    Configuring URPF The term "router" in this feature refers to both routers and Layer 3 switches. Overview Unicast Reverse Path Forwarding (URPF) protects a network against source spoofing attacks, such as denial of service (DoS) and distributed denial of service (DDoS) attacks. Attackers launch source spoofing attacks by creating packets with forged source addresses.
  • Page 408 Figure 127 URPF work flow (flowchart: source address checks, FIB lookup, default route and loose/strict mode decisions, discard)
  • Page 409 For other packets, proceeds to step 2.
    2. URPF checks whether the source address matches a FIB entry: If yes, proceeds to step 3. If not, proceeds to step 6.
    3. URPF checks whether the check mode is loose: If yes, proceeds to step 8. If not, URPF checks whether the matching route is a direct route: if yes, proceeds to step 5;...
  • Page 410: Network Application

    { loose | strict } Disabled by default
    NOTE:
    • The routing table size decreases by half when URPF is enabled on the HP 5500 HI switches.
    • To prevent loss of routes and packets, URPF cannot be enabled if the number of route entries the switch maintains exceeds half the routing table size.
  • Page 411 Figure 129 Network diagram
    Configuration procedure
    Enable strict URPF check on Switch A.
    <SwitchA> system-view
    [SwitchA] ip urpf strict
    Enable strict URPF check on Switch B.
    <SwitchB> system-view
    [SwitchB] ip urpf strict...
  • Page 412: Configuring Mff

    Configuring MFF Overview Traditional Ethernet networking solutions use the VLAN technology to isolate users at Layer 2 and to allow them to communicate at Layer 3. However, when a large number of hosts need to be isolated at Layer 2, many VLAN resources are occupied, and many IP addresses are used because you have to assign a network segment to each VLAN and an IP address to each VLAN interface for Layer 3 communication.
  • Page 413: Basic Concepts

    NOTE: An MFF-enabled device and a host cannot ping each other. Basic concepts A device with MFF enabled provides two types of ports: user port and network port. If you enable MFF for a VLAN, each port in the VLAN must be an MFF network or user port. Link aggregation is supported by network ports in an MFF-enabled VLAN, but is not supported by user ports in the VLAN.
  • Page 414: Working Mechanism

    The MFF device also forges ARP requests to get the gateway’s MAC address based on ARP snooping entries. After learning the gateway’s MAC address and then receiving an ARP packet with a different source MAC address from the default gateway, the MFF device will replace the old MAC address with the new one.
  • Page 415: Enabling Mff

    Enabling MFF
    To enable MFF and specify an MFF operating mode:
    Step: Enter system view. Command: system-view
    Step: Enter VLAN view. Command: vlan vlan-id
    Step: Enable MFF and specify an MFF operating mode. Command: mac-forced-forwarding { auto | default-gateway gateway-ip }. Remarks: Disabled by default.
    Configuring a network port
    Step Command...
  • Page 416: Displaying And Maintaining Mff

    You can specify a server’s IP address in either manual or automatic MFF mode. The server can be a DHCP server, a server providing some other service, or the real IP address of a VRRP standby group. After you specify a server’s IP address and then an ARP request from the server is received, the MFF device will search the IP-to-MAC address entries it has stored, and reply with the corresponding MAC address to the server.
  • Page 417 Figure 131 Network diagram Configuration procedure Configure the IP address of VLAN-interface 1 on the gateway. <Gateway> system-view [Gateway] interface Vlan-interface 1 [Gateway-Vlan-interface1] ip address 10.1.1.100 24 Configure the DHCP server: # Enable DHCP, and configure a DHCP address pool. <Device>...
  • Page 418: Auto-Mode Mff Configuration Example In A Ring Network

    # Enable DHCP snooping.
    <SwitchB> system-view
    [SwitchB] dhcp-snooping
    # Enable MFF in automatic mode.
    [SwitchB] vlan 100
    [SwitchB-vlan-100] mac-forced-forwarding auto
    [SwitchB-vlan-100] quit
    # Configure GigabitEthernet 1/0/6 as a network port.
    [SwitchB] interface gigabitethernet 1/0/6
    [SwitchB-GigabitEthernet1/0/6] mac-forced-forwarding network-port
    # Configure GigabitEthernet 1/0/6 as a DHCP snooping trusted port.
    [SwitchB-GigabitEthernet1/0/6] dhcp-snooping trust
    Auto-mode MFF configuration example in a ring network
    Network requirements...
  • Page 419 # Add gateway’s IP address into DHCP address pool 1. [Device-dhcp-pool-1] gateway-list 10.1.1.100 [Device-dhcp-pool-1] quit # Configure the IP address of VLAN-interface 1. [Device] interface Vlan-interface 1 [Device-Vlan-interface1] ip address 10.1.1.50 24 Configure Switch A: # Enable DHCP snooping. <SwitchA> system-view [SwitchA] dhcp-snooping # Enable STP.
  • Page 420: Manual-Mode Mff Configuration Example In A Tree Network

    [SwitchB-GigabitEthernet1/0/6] mac-forced-forwarding network-port # Configure GigabitEthernet 1/0/6 as a DHCP snooping trusted port. [SwitchB-GigabitEthernet1/0/6] dhcp-snooping trust Enable STP on Switch C. <SwitchC> system-view [SwitchC] stp enable Manual-mode MFF configuration example in a tree network Network requirements As shown in Figure 133, all the devices are in VLAN 100.
  • Page 421: Manual-Mode Mff Configuration Example In A Ring Network

    [SwitchA-GigabitEthernet1/0/2] mac-forced-forwarding network-port
    Configure Switch B:
    # Configure manual-mode MFF.
    [SwitchB] vlan 100
    [SwitchB-vlan-100] mac-forced-forwarding default-gateway 10.1.1.100
    # Specify the IP address of the server.
    [SwitchB-vlan-100] mac-forced-forwarding server 10.1.1.200
    # Enable ARP snooping.
    [SwitchB-vlan-100] arp-snooping enable
    [SwitchB-vlan-100] quit
    # Configure GigabitEthernet 1/0/6 as a network port.
    [SwitchB] interface gigabitethernet 1/0/6
    [SwitchB-GigabitEthernet1/0/6] mac-forced-forwarding network-port
    Manual-mode MFF configuration example in a ring network...
  • Page 422
    # Configure manual-mode MFF.
    [SwitchA] vlan 100
    [SwitchA-vlan-100] mac-forced-forwarding default-gateway 10.1.1.100
    # Specify the IP address of the server.
    [SwitchA-vlan-100] mac-forced-forwarding server 10.1.1.200
    # Enable ARP snooping.
    [SwitchA-vlan-100] arp-snooping enable
    [SwitchA-vlan-100] quit
    # Configure GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 as network ports.
    [SwitchA] interface gigabitethernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] mac-forced-forwarding network-port
    [SwitchA-GigabitEthernet1/0/2] quit...
  • Page 423: Configuring Savi

    Configuring SAVI Overview Source Address Validation (SAVI) is applied on access devices. SAVI creates a table of bindings between addresses and ports through other features such as ND snooping, DHCPv6 snooping, and IP Source Guard, and uses those bindings to check the validity of the source addresses of DHCPv6 protocol packets, ND protocol packets, and IPv6 data packets.
  • Page 424: Savi Configuration In Dhcpv6-Only Address Assignment Scenario

    Step: Set the time to wait for a DAD NS from a DHCPv6 client. Command: ipv6 savi dad-preparedelay value. Remarks: Optional. One second by default. This command is used with the DHCPv6 snooping function. After DHCPv6 snooping detects that a client obtains an IPv6 address, it monitors whether the client detects IP address...
  • Page 425: Packet Check Principles

    Enable ND detection in VLAN 2 to check the ND packets arrived on the ports. For more information about ND detection, see "Configuring ND attack defense." Configure a static IPv6 source guard binding entry on each interface connected to a client. This step is optional.
  • Page 426: Savi Configuration In Slaac-Only Address Assignment Scenario

    [SwitchB] interface gigabitethernet 1/0/2
    [SwitchB-GigabitEthernet1/0/2] ipv6 verify source ipv6-address mac-address
    [SwitchB-GigabitEthernet1/0/2] quit
    [SwitchB] interface gigabitethernet 1/0/3
    [SwitchB-GigabitEthernet1/0/3] ipv6 verify source ipv6-address mac-address
    [SwitchB-GigabitEthernet1/0/3] quit
    SAVI configuration in SLAAC-only address assignment scenario
    Network requirements
    Figure 136 Network diagram (Internet; Gateway Switch A, GE1/0/3, Vlan-int10 10::1...)
  • Page 427: Packet Check Principles

    Configure a static IPv6 source guard binding entry on each interface connected to a host. This step is optional. If this step is not performed, SAVI does not check packets against static binding entries. For more information about static IPv6 source guard binding entries, see "Configuring IP source guard."...
  • Page 428: Savi Configuration In Dhcpv6+Slaac Address Assignment Scenario

    [SwitchB-GigabitEthernet1/0/1] quit [SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] ipv6 verify source ipv6-address mac-address [SwitchB-GigabitEthernet1/0/2] quit SAVI configuration in DHCPv6+SLAAC address assignment scenario Network requirements Figure 137 Network diagram As shown in Figure 137, Switch B connects to the DHCPv6 server through interface GigabitEthernet 1/0/1 and connects to the DHCPv6 client through interface GigabitEthernet 1/0/3.
  • Page 429: Packet Check Principles

    For more information about static IPv6 source guard binding entries, see "Configuring IP source guard." Configure dynamic IPv6 source guard binding on the interfaces connected to the hosts. For more information about dynamic IPv6 source guard binding, see "Configuring IP source guard."...
  • Page 430
    # Configure the dynamic IPv6 source guard binding function on downlink ports GigabitEthernet 1/0/3 through GigabitEthernet 1/0/5.
    [SwitchB] interface gigabitethernet 1/0/3
    [SwitchB-GigabitEthernet1/0/3] ipv6 verify source ipv6-address mac-address
    [SwitchB-GigabitEthernet1/0/3] quit
    [SwitchB] interface gigabitethernet 1/0/4
    [SwitchB-GigabitEthernet1/0/4] ipv6 verify source ipv6-address mac-address
    [SwitchB-GigabitEthernet1/0/4] quit
    [SwitchB] interface gigabitethernet 1/0/5
    [SwitchB-GigabitEthernet1/0/5] ipv6 verify source ipv6-address mac-address...
  • Page 431: Configuring Blacklist

    Configuring blacklist Overview The blacklist feature is an attack prevention mechanism that filters packets based on the source IP address. Compared with ACL-based packet filtering, the blacklist feature is easier to configure and fast in filtering packets sourced from particular IP addresses. The device can dynamically add and remove blacklist entries by cooperating with the login user authentication feature.
  • Page 432: Blacklist Configuration Example

    Blacklist configuration example Network requirements As shown in Figure 138, Host A, Host B, and Host C are internal users, and external user Host D is considered an attacker. Configure Device to always filter packets from Host D, and to prevent internal users from guessing passwords.
  • Page 433 Host D and Host C are on the blacklist. Host C will stay on the list for 10 minutes, and will then be able to try to log in again. The entry for Host D will never age out. When you do not consider Host D an attacker anymore, you can use the undo blacklist ip 5.5.5.5 command to remove the entry.
  • Page 434: Configuring Fips

    Configuring FIPS Overview Federal Information Processing Standards (FIPS), developed by the National Institute of Standards and Technology (NIST) of the United States, specify the requirements for cryptography modules. FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4" from low to high. Currently, the switch supports Level 2.
  • Page 435: Configuration Procedure

    Configuration procedure To configure FIPS, complete the following tasks: Remove the existing key pairs and certificates. Enable the FIPS mode. Enable the password control function. Configure local user attributes (including local username, service type, password, and so on) on the switch. Save the configuration.
  • Page 436: Triggering A Self-Test

    Triggering a self-test To examine whether the cryptography modules operate normally, you can use a command to trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test. If the self-test fails, the device automatically reboots. To trigger a self-test: Step Command...
  • Page 437: Verifying The Configuration

    [Sysname-luser-test] service-type terminal [Sysname-luser-test] authorization-attribute level 3 [Sysname-luser-test] password Password:*********** Confirm :*********** Updating user(s) information, please wait... [Sysname-luser-test] quit # Save the configuration. [Sysname] save The current configuration will be written to the device. Are you sure? [Y/N]:y Please input the file name(*.cfg)[flash:/startup.cfg] (To leave the existing filename unchanged, press the enter key): flash:/startup.cfg exists, overwrite? [Y/N]:y Validating file.
  • Page 438 <Sysname> display fips status FIPS mode is enabled...
  • Page 439: Support And Other Resources

    Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. •...
  • Page 440: Conventions

    Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...
  • Page 441 Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.