HPE FlexFabric 5940 Series Security Configuration Manual

HPE FlexFabric 5940 Switch Series
Security Configuration Guide
Part number: 5200-1030a
Software version: Release 2508 and later version
Document version: 6W101-20161101

Summary of Contents for HPE FlexFabric 5940 Series

  • Page 1 HPE FlexFabric 5940 Switch Series Security Configuration Guide Part number: 5200-1030a Software version: Release 2508 and later version Document version: 6W101-20161101...
  • Page 2 © Copyright 2016 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table Of Contents

    Contents: Configuring AAA ... 1; Overview ... 1; RADIUS ... 2; HWTACACS ... 6; LDAP ... 9; AAA implementation on the device ... 12; AAA for MPLS L3VPNs ... 14; Protocols and standards ... 14; ...
  • Page 4 Configuring 802.1X ... 79; Access control methods ... 79; 802.1X VLAN manipulation ... 79; Authorization VLAN ... 79; Guest VLAN ... 81; Auth-Fail VLAN ... 82; Critical VLAN ... 83; Critical voice VLAN ... 85; ...
  • Page 5 802.1X guest VLAN and authorization VLAN configuration example ... 104; 802.1X with ACL assignment configuration example ... 107; 802.1X with EAD assistant configuration example (with DHCP relay agent) ... 108; 802.1X with EAD assistant configuration example (with DHCP server) ... 111; ...
  • Page 6 Controlling portal user access ... 148; Configuring a portal-free rule ... 148; Configuring an authentication source subnet ... 149; Configuring an authentication destination subnet ... 150; Setting the maximum number of portal users ... 150; ...
  • Page 7 Configuring secure MAC addresses ... 218; Configuration prerequisites ... 219; Configuration procedure ... 219; Ignoring authorization information from the server ... 220; Enabling MAC move ... 220; Enabling the authorization-fail-offline feature ... 221; Applying a NAS-ID profile to port security ...
  • Page 8 Exporting a host public key ... 258; Displaying a host public key ... 258; Destroying a local key pair ... 259; Configuring a peer host public key ... 259; Importing a peer host public key from a public key file ... 259; ...
  • Page 9 IPsec tunnel establishment ... 303; Implementing ACL-based IPsec ... 303; Configuring an ACL ... 304; Configuring an IPsec transform set ... 305; Configuring a manual IPsec policy ... 307; Configuring an IKE-based IPsec policy ... 308; ...
  • Page 10 Configuring an IKEv2 keychain ... 354; Configure global IKEv2 parameters ... 355; Enabling the cookie challenging feature ... 355; Configuring the IKEv2 DPD feature ... 355; Configuring the IKEv2 NAT keepalive feature ... 355; Displaying and maintaining IKEv2 ...
  • Page 11 SFTP configuration examples ... 398; Password authentication enabled SFTP server configuration example ... 398; Publickey authentication enabled SFTP client configuration example ... 401; SFTP configuration example based on 192-bit Suite B algorithms ... 404; SCP configuration examples ... 408; ...
  • Page 12 Dynamic IPv4SG using DHCP snooping configuration example ... 449; Dynamic IPv4SG using DHCP relay agent configuration example ... 450; Static IPv6SG configuration example ... 451; Dynamic IPv6SG using DHCPv6 snooping configuration example ... 452; Dynamic IPv6SG using DHCPv6 relay agent configuration example ... 453; Configuring ARP attack protection ...
  • Page 13 Enabling the RA guard logging feature ... 482; Displaying and maintaining RA guard ... 483; RA guard configuration example ... 483; Configuring uRPF ... 486; Overview ... 486; uRPF check modes ... 486; uRPF operation ...
  • Page 14: Configuring AAA

    Configuring AAA
    Overview
    Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. This feature specifies the following security functions:
    • Authentication—Identifies users and verifies their validity.
    • Authorization—Grants different users different rights, and controls the users' access to resources and services.
  • Page 15: RADIUS

    RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. The protocol can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access.
  • Page 16 Basic RADIUS packet exchange process
    Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server. (Figure 3: Basic RADIUS packet exchange process.)
    RADIUS uses the following workflow: The host sends a connection request that includes the user's username and password to the RADIUS client.
  • Page 17 (Figure 4: RADIUS packet format.)
    Descriptions of the fields are as follows:
    • The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main values and their meanings.
    (Table 1: Main values of the Code field. Columns: Code, Packet type, Description...)
  • Page 18 Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868. For more information, see "Commonly used standard RADIUS attributes."
    Table 2 Commonly used RADIUS attributes (two columns of attribute names):
    Column 1: User-Name, User-Password, CHAP-Password, NAS-IP-Address, NAS-Port...
    Column 2: Acct-Authentic, Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets, Acct-Terminate-Cause...
  • Page 19: HWTACACS

    Attribute table (continued, two columns of attribute names):
    Column 1: Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Link, Framed-AppleTalk-Network, Framed-AppleTalk-Zone, Acct-Status-Type, Acct-Delay-Time, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id
    Column 2: Tunnel-Assignment-id, Tunnel-Preference, ARAP-Challenge-Response, Acct-Interim-Interval, Acct-Tunnel-Packets-Lost, NAS-Port-Id, Framed-Pool, (unassigned), Tunnel-Client-Auth-id, Tunnel-Server-Auth-id
    Extended RADIUS attributes
    The RADIUS protocol features excellent extensibility. The Vendor-Specific attribute (attribute 26) allows a vendor to define extended attributes. The extended attributes can implement functions that the standard RADIUS protocol does not provide.
  • Page 20 passing authentication and obtaining authorized rights, a user logs in to the device and performs operations. The HWTACACS server records the operations that each user performs. Differences between HWTACACS and RADIUS HWTACACS and RADIUS have many features in common, such as using a client/server model, using shared keys for data encryption, and providing flexibility and scalability.
  • Page 21 Figure 6 Basic HWTACACS packet exchange process for a Telnet user (Host, HWTACACS client, HWTACACS server):
    1) The user tries to log in
    2) Start-authentication packet
    3) Authentication response requesting the username
    4) Request for username
    5) The user enters the username
    6) Continue-authentication packet with the username
    7) Authentication response requesting the password
    8) Request for password...
  • Page 22: LDAP

    10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password.
    11. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication.
    12.
  • Page 23 Uses the LDAP server administrator DN to bind with the LDAP server. After the binding is created, the client establishes a connection to the server and obtains the right to search. Constructs search conditions by using the username in the authentication information of a user. The specified root directory of the server is searched and a user DN list is generated.
  • Page 24 The LDAP server processes the request, and sends a response to notify the LDAP client of the bind operation result. If the bind operation fails, the LDAP client uses another obtained user DN as the parameter to send a user DN bind request to the LDAP server. This process continues until a DN is bound successfully or all DNs fail to be bound.
  • Page 25: AAA implementation on the device

    The LDAP client sends an authorization search request with the username of the Telnet user to the LDAP server. If the user uses the same LDAP server for authentication and authorization, the client sends the request with the saved user DN of the Telnet user to the LDAP server. After receiving the request, the LDAP server searches for the user information by the base DN, search scope, filtering conditions, and LDAP attributes.
  • Page 26 The device supports the following authentication methods:
    • No authentication—This method trusts all users and does not perform authentication. For security purposes, do not use this method.
    • Local authentication—The NAS authenticates users by itself, based on the locally configured user information including the usernames, passwords, and attributes.
  • Page 27: AAA for MPLS L3VPNs

    AAA for MPLS L3VPNs You can deploy AAA across VPNs in an MPLS L3VPN scenario where clients in different VPNs are centrally authenticated. The deployment enables forwarding of RADIUS and HWTACACS packets across MPLS VPNs. For example, as shown in Figure 10, you can deploy AAA across the VPNs.
  • Page 28 Calling-Station-Id: User identification that the NAS sends to the server. For the LAN access service provided by an HPE device, this attribute includes the MAC address of the user in the format HHHH-HHHH-HHHH.
    NAS-Identifier: Identification that the NAS uses to identify itself to the RADIUS server.
  • Page 29 NAS-Port-Type: Type of the physical port of the NAS that is authenticating the user. Possible values include:
    • 15—Ethernet.
    • 16—Any type of ADSL.
    • 17—Cable. (With cable for cable TV.)
    • 19—WLAN-IEEE 802.11.
    • 201—VLAN.
    • 202—ATM.
    If the port is an ATM or Ethernet one and VLANs are implemented on it, the value of this attribute is 201.
  • Page 30 Subattribute descriptions:
    Result_Code: Result of the Trigger-Request or SetPolicy operation, zero for success and any other value for failure.
    Connect_ID: Index of the user connection.
    PortalURL: PADM redirect URL assigned to PPPoE users.
    Ftp_Directory: FTP, SFTP, or SCP user working directory. When the RADIUS client acts as the FTP, SFTP, or SCP server, this attribute is used to set the working directory for an FTP, SFTP, or SCP...
  • Page 31 Subattribute descriptions:
    Acct_IPv6_Output_Octets: Bytes of IPv6 packets in the outbound direction. The measurement unit depends on the configuration on the device.
    Acct_IPv6_Input_Packets: Number of IPv6 packets in the inbound direction. The measurement unit depends on the configuration on the device.
    Acct_IPv6_Output_Packe: Number of IPv6 packets in the outbound direction.
  • Page 32: FIPS compliance

    Subattribute descriptions:
    WEB-URL: Redirect URL for users.
    Subscriber-ID: Family plan ID.
    Subscriber-Profile: QoS policy name for the family plan of the subscriber.
    Product_ID: Product name.
    FIPS compliance
    The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and...
  • Page 33: Configuring AAA schemes

    Tasks at a glance
    • Configuring HWTACACS schemes
    • Configuring LDAP schemes
    (Required.) Configure AAA methods for ISP domains:
    • (Required.) Creating an ISP domain
    • (Optional.) Configuring ISP domain attributes
    • (Required.) Perform a minimum of one of the following tasks to configure AAA authentication, authorization, and accounting methods for the ISP domain:
      • Configuring authentication methods for an ISP domain
      • Configuring authorization methods for an ISP domain...
  • Page 34 • Binding attributes—Binding attributes control the scope of users, and are checked during local authentication of a user. If the attributes of a user do not match the binding attributes configured for the local user account, the user cannot pass authentication. Binding attributes include the IP address, access port, MAC address, and native VLAN.
  • Page 35 Step / Command / Remarks:
    1. Enter system view: system-view
    2. Add a local user and enter local user view: local-user user-name [ class { manage | network } ]. By default, no local users exist.
    3. password { cipher | simple } ... (Remarks: For a network access user, the default settings are as follows: •...)
  • Page 36 Step / Command / Remarks (continued):
    Configure password control attributes for the local user:
    • ... aging-time
    • Set the minimum password length: password-control length length
    • Configure the password composition policy: password-control...
    Remarks: By default, the local user uses the password control attributes of the user group to which the local user belongs. Only device management users support the password control feature.
  • Page 37: Configuring RADIUS schemes

    Step / Command / Remarks (continued):
    (Optional.) Configure password control attributes:
    • Set the password aging time: password-control aging aging-time
    • Set the minimum password length: password-control length length
    • Configure the password composition policy: password-control composition type-number type-number [ type-length type-length ]...
    Remarks: By default, the user group uses the global password control attributes.
  • Page 38 Configuration task list
    Tasks at a glance:
    • (Optional.) Configuring a test profile for RADIUS server status detection
    • (Required.) Creating a RADIUS scheme
    • (Required.) Specifying the RADIUS authentication servers
    • (Optional.) Specifying the RADIUS accounting servers and the relevant parameters
    • (Optional.) Specifying the shared keys for secure RADIUS communication
    • (Optional.) Specifying an MPLS L3VPN instance for the scheme
    • (Optional.)
  • Page 39 Step / Command / Remarks:
    1. Enter system view: system-view
    2. Configure a test profile for detecting the status of RADIUS authentication servers: radius-server test-profile profile-name username name [ interval interval ]. By default, no test profiles exist. You can configure multiple test profiles in the system.
  • Page 40 Step / Command / Remarks (continued):
    Command (continued): ... ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | vpn-instance vpn-instance-name | weight weight-value ] *
    Remarks: The weight keyword takes effect only when the RADIUS server load sharing feature is enabled for the RADIUS scheme.
    Specifying the RADIUS accounting servers and the relevant parameters
    You can specify one primary accounting server and a maximum of 16 secondary accounting servers...
  • Page 41 Step / Command / Remarks (continued):
    ... number of real-time accounting attempts.
    (Optional.) Enable buffering of RADIUS stop-accounting requests to which no responses have been received: stop-accounting-buffer enable. By default, the buffering feature is enabled.
    (Optional.) Set the maximum number of transmission attempts for individual stop-accounting requests: retry stop-accounting retries. The default setting is 500.
  • Page 42 RADIUS servers might not recognize usernames that contain the ISP domain names. In this case, you can configure the device to remove the domain name of each username to be sent. If two or more ISP domains use the same RADIUS scheme, configure the RADIUS scheme to keep the ISP domain name in usernames for domain identification.
  • Page 43 Starts a quiet timer for the server. Tries to communicate with a secondary server in active state that has the highest priority. • If the secondary server is unreachable, the device performs the following operations: Changes the server status to blocked. Starts a quiet timer for the server.
  • Page 44 Step / Command / Remarks (continued):
    • ... restarts, all servers are restored to the active state.
    • Set the status of a secondary RADIUS authentication server: state secondary authentication [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ] { active | block }
    •...
  • Page 45 • The IP address specified in RADIUS scheme view applies only to one RADIUS scheme. • The IP address specified in system view applies to all RADIUS schemes whose servers are in a VPN or the public network. Before sending a RADIUS packet, the NAS selects a source IP address in the following order: The source IP address specified for the RADIUS scheme.
  • Page 46 client rather than adjusting the RADIUS packet transmission attempts and server response timeout timer. Typically, the next attempt will succeed, because the device has blocked the unreachable servers to shorten the time to find a reachable server. • Make sure the server quiet timer is set correctly. A timer that is too short might result in frequent authentication or accounting failures.
  • Page 47 Interpreting the RADIUS class attribute as CAR parameters A RADIUS server may deliver CAR parameters for user-based traffic monitoring and control by using the RADIUS class attribute (attribute 25) in RADIUS packets. You can configure the device to interpret the class attribute to CAR parameters. To configure the device to interpret the RADIUS class attribute as CAR parameters: Step Command...
  • Page 48 Step / Command / Remarks (continued):
    Step (continued): ... format for RADIUS attribute ...
    Command (continued): ... { six | three } separator separator-character { lowercase | uppercase }
    Remarks: ... the format of ... HH-HH-HH-HH-HH-HH. The MAC address is separated by hyphen (-) into six sections with letters in upper case.
    Setting the data measurement unit for the Remanent_Volume attribute
    The RADIUS server uses the Remanent_Volume attribute in authentication or real-time accounting responses to notify the device of the current amount of data available for online users.
  • Page 49: Configuring HWTACACS schemes

    Task / Command:
    • Display the RADIUS scheme configuration: display radius scheme [ radius-scheme-name ]
    • Display RADIUS packet statistics: display radius statistics
    • Display information about buffered RADIUS stop-accounting requests to which no responses have been received: display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time end-time | user-name user-name }
  • Page 50 If redundancy is not required, specify only the primary server. An HWTACACS server can function as the primary authentication server in one scheme and as the secondary authentication server in another scheme at the same time. To specify HWTACACS authentication servers for an HWTACACS scheme: Step Command Remarks...
  • Page 51 Step / Command / Remarks (continued): ... vpn-instance vpn-instance-name ] *
    Specifying the HWTACACS accounting servers
    You can specify one primary accounting server and a maximum of 16 secondary accounting servers for an HWTACACS scheme. When the primary server is not available, the device searches for the secondary servers in the order they are configured.
  • Page 52 Step / Command / Remarks (continued): ... for individual HWTACACS stop-accounting requests.
    Specifying the shared keys for secure HWTACACS communication
    The HWTACACS client and server use the MD5 algorithm and shared keys to generate the Authenticator value for packet authentication and user password encryption. The client and server must use the same key for each type of communication.
  • Page 53 To set the username format and traffic statistics units for an HWTACACS scheme:
    Step / Command / Remarks:
    1. Enter system view: system-view
    2. Enter HWTACACS scheme view: hwtacacs scheme hwtacacs-scheme-name
    3. Set the format of usernames sent to the HWTACACS server: user-name-format { keep-original | with-domain | without-domain }. By default, the ISP domain name is included in a username.
  • Page 54 Step / Command / Remarks (continued):
    • Enter HWTACACS scheme view: hwtacacs scheme hwtacacs-scheme-name
    • Specify the source IP address of outgoing HWTACACS packets: nas-ip { ipv4-address | ipv6 ipv6-address }. By default, the source IP address specified by the hwtacacs nas-ip command in system view is used. If the source IP address is not...
  • Page 55: Configuring LDAP schemes

    • When an HWTACACS server's status changes automatically, the device changes this server's status accordingly in all HWTACACS schemes in which this server is specified.
    To set HWTACACS timers:
    Step / Command / Remarks:
    1. Enter system view: system-view
    2. Enter HWTACACS scheme view: hwtacacs scheme...
  • Page 56 Tasks at a glance:
    • (Optional.) Configuring an LDAP attribute map
    • (Required.) Creating an LDAP scheme
    • (Required.) Specifying the LDAP authentication server
    • (Optional.) Specifying the LDAP authorization server
    • (Optional.) Specifying an LDAP attribute map for LDAP authorization
    Creating an LDAP server
    Step / Command / Remarks...
  • Page 57 Step / Command / Remarks:
    1. Enter system view: system-view
    2. Enter LDAP server view: ldap server server-name
    3. Set the LDAP server timeout period: server-timeout time-interval. By default, the LDAP server timeout period is 10 seconds.
    Configuring administrator attributes
    To configure the administrator DN and password for binding with the LDAP server during LDAP authentication:
    Step / Command...
  • Page 58 Step / Command / Remarks (continued):
    • (Optional.) Specify the user search scope: search-scope { all-level | single-level }. By default, the user search scope is all-level.
    • (Optional.) Specify the username attribute: user-parameters user-name-attribute { name-attribute | cn | uid }. By default, the username attribute is cn.
    • (Optional.) Specify the username format: user-parameters user-name-format...
  • Page 59: Configuring AAA methods for ISP domains

    Specifying the LDAP authentication server
    Step / Command / Remarks:
    1. Enter system view: system-view
    2. Enter LDAP scheme view: ldap scheme ldap-scheme-name
    3. Specify the LDAP authentication server: authentication-server server-name. By default, no LDAP authentication server is specified.
    Specifying the LDAP authorization server
    Step / Command / Remarks:
    1. Enter system view.
  • Page 60: Configuration prerequisites

    Configuration prerequisites To use local authentication for users in an ISP domain, configure local user accounts on the device first. See "Configuring local user attributes." To use remote authentication, authorization, and accounting, create the required RADIUS, HWTACACS, or LDAP schemes. For more information about the scheme configuration, see "Configuring RADIUS schemes,"...
  • Page 61: Configuring ISP domain attributes

    Step / Command / Remarks (continued): ... nonexistent domains.
    Configuring ISP domain attributes
    In an ISP domain, you can configure the following attributes:
    • Domain status—By placing the ISP domain in active or blocked state, you allow or deny network service requests from users in the domain.
    •...
  • Page 62: Configuring authentication methods for an ISP domain

    Step / Command / Remarks (continued):
    • Enter ISP domain view: domain isp-name
    • Place the ISP domain in active or blocked state: state { active | block }. By default, an ISP domain is in active state, and users in the domain can request network services.
  • Page 63: Configuring authorization methods for an ISP domain

    Step / Command / Remarks:
    1. Enter system view: system-view
    2. Enter ISP domain view: domain isp-name
    3. Specify the default authentication method: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] ... By default, the default authentication method is local.
  • Page 64: Configuring accounting methods for an ISP domain

    Configuration procedure
    To configure authorization methods for an ISP domain:
    Step / Command / Remarks:
    1. Enter system view: system-view
    2. Enter ISP domain view: domain isp-name
    3. Specify the default authorization method for ...: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | ... By default, the authorization method is local. The none keyword is not...
  • Page 65 • Local accounting does not provide statistics for charging. It only counts and controls the number of concurrent users who use the same local user account. The threshold is configured by using the access-limit command. Configuration procedure To configure accounting methods for an ISP domain: Step Command Remarks...
  • Page 66: Configuring the RADIUS session-control feature

    Configuring the RADIUS session-control feature The RADIUS session-control feature can only work with the RADIUS server running on IMC. Enable this feature for the RADIUS server to dynamically change the user authorization information or forcibly disconnect users by using session-control packets. This task enables the device to receive RADIUS session-control packets on UDP port 1812.
  • Page 67: Changing the DSCP priority for RADIUS packets

    DAE defines the following types of packets:
    • Disconnect Messages (DMs)—The DAE client sends DM requests to the DAE server to log off specific online users.
    • Change of Authorization Messages (CoA Messages)—The DAE client sends CoA requests to the DAE server to change the authorization information of specific online users or shut down or reboot the users' access ports.
  • Page 68 • For the received RADIUS packets:
    • Ignores the rejected attributes in the packets.
    • Interprets the attributes that match RADIUS attribute conversion rules as the destination RADIUS attributes.
    To identify proprietary RADIUS attributes, you can define the attributes as extended RADIUS attributes, and then convert the extended RADIUS attributes to device-supported attributes.
  • Page 69: Setting The Maximum Number Of Concurrent Login Users

    Step: ... attribute rejection rule.
      Command: ... { { coa-ack | coa-request } * | { received | sent } * }
      Remarks: ... rejection rules exist. Repeat this command to add multiple RADIUS attribute rejection rules.
    Setting the maximum number of concurrent login users
    Perform this task to set the maximum number of concurrent users who can log on to the device through a specific protocol, regardless of their authentication methods.
  • Page 70: Configuring The Device Id

    Configuring the device ID RADIUS uses the value of the Acct-Session-ID attribute as the accounting ID for a user. The device generates an Acct-Session-ID value for each online user based on the system time, random digits, and device ID. To configure the device ID: Step Command Remarks...
  • Page 71
    # Add an account for the SSH user and specify the password. (Details not shown.)
    Configure the switch:
    # Configure IP addresses for the interfaces. (Details not shown.)
    # Create an HWTACACS scheme.
    <Switch> system-view
    [Switch] hwtacacs scheme hwtac
    # Specify the primary authentication server.
    [Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49
    # Specify the primary authorization server.
  • Page 72: Local Authentication, Hwtacacs Authorization, And Radius Accounting For Ssh Users

    Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users Network requirements As shown in Figure 13, configure the switch to meet the following requirements: • Perform local authentication for SSH servers. • Use the HWTACACS server and RADIUS server for SSH user authorization and accounting, respectively.
  • Page 73: Authentication And Authorization For Ssh Users By A Radius Server

    # Configure a RADIUS scheme.
    [Switch] radius scheme rd
    [Switch-radius-rd] primary accounting 10.1.1.1 1813
    [Switch-radius-rd] key accounting simple expert
    [Switch-radius-rd] user-name-format without-domain
    [Switch-radius-rd] quit
    # Create a device management user.
    [Switch] local-user hello class manage
    # Assign the SSH service to the local user.
    [Switch-luser-manage-hello] service-type ssh
    # Set the password to 123456TESTplat&! in plaintext form for the local user.
  • Page 74 Figure 14 Network diagram Configuration procedure Configure the RADIUS server on IMC 5.0: NOTE: In this example, the RADIUS server runs on IMC PLAT 5.0 (E0101) and IMC UAM 5.0 (E0101). # Add the switch to the IMC Platform as an access device. Log in to IMC, click the Service tab, and select User Access Manager >...
  • Page 75 Figure 15 Adding the switch as an access device # Add an account for device management. Click the User tab, and select Access User View > Device Mgmt User from the navigation tree. Then, click Add to configure a device management account as follows: a.
  • Page 76
    Figure 16 Adding an account for device management
    Configure the switch:
    # Configure the IP addresses for interfaces. (Details not shown.)
    # Create local RSA and DSA key pairs.
    <Switch> system-view
    [Switch] public-key local create rsa
    [Switch] public-key local create dsa
    # Enable the SSH service.
  • Page 77: Authentication For Ssh Users By An Ldap Server

    # Create an ISP domain named bbb and configure authentication, authorization, and accounting methods for login users.
    [Switch] domain bbb
    [Switch-isp-bbb] authentication login radius-scheme rad
    [Switch-isp-bbb] authorization login radius-scheme rad
    [Switch-isp-bbb] accounting login none
    [Switch-isp-bbb] quit
    Verifying the configuration
    # Initiate an SSH connection to the switch, and enter the username hello@bbb and the correct password.
  • Page 78 d. Select Action > New > User from the menu to display the dialog box for adding a user. e. Enter the logon name aaa and click Next. Figure 18 Adding user aaa f. In the dialog box, enter the password ldap!123456, select options as needed, and click Next.
  • Page 79 c. In the dialog box, click the Member Of tab and click Add. Figure 20 Modifying user properties d. In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK. User aaa is added to group Users. Figure 21 Adding user aaa to group Users # Set the administrator password to admin!123456.
  • Page 80
    # Configure the IP addresses for interfaces. (Details not shown.)
    # Create local RSA and DSA key pairs.
    <Switch> system-view
    [Switch] public-key local create rsa
    [Switch] public-key local create dsa
    # Enable the SSH service.
    [Switch] ssh server enable
    # Enable scheme authentication for user lines VTY 0 through VTY 63.
    [Switch] line vty 0 63
    [Switch-line-vty0-63] authentication-mode scheme
    [Switch-line-vty0-63] quit...
  • Page 81: Troubleshooting Radius

    Troubleshooting RADIUS RADIUS authentication failure Symptom User authentication always fails. Analysis Possible reasons include: • A communication failure exists between the NAS and the RADIUS server. • The username is not in the userid@isp-name format, or the ISP domain is not correctly configured on the NAS.
  • Page 82: Radius Accounting Error

    The authentication and accounting UDP port numbers configured on the NAS are the same as those of the RADIUS server. The RADIUS server's authentication and accounting port numbers are available. If the problem persists, contact Hewlett Packard Enterprise Support. RADIUS accounting error Symptom A user is authenticated and authorized, but accounting for the user is not normal.
  • Page 83 Solution To resolve the problem: Verify the following items: The NAS and the LDAP server can ping each other. The IP address and port number of the LDAP server configured on the NAS match those of the server. The username is in the correct format and the ISP domain for the user authentication is correctly configured on the NAS.
  • Page 84: 802.1X Overview

    The port controls traffic by using one of the following methods: − Performs bidirectional traffic control to deny traffic to and from the client. − Performs unidirectional traffic control to deny traffic from the client. The HPE devices support only unidirectional traffic control.
  • Page 85: 802.1X-Related Protocols

    Figure 23 Authorization state of a controlled port 802.1X-related protocols 802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the access device, and the authentication server. EAP is an authentication framework that uses the client/server model. The framework supports a variety of authentication methods, including MD5-Challenge, EAP-Transport Layer Security (EAP-TLS), and Protected EAP (PEAP).
  • Page 86: Eap Over Radius

    • Data—Content of the EAP packet. This field appears only in a Request or Response EAP packet. The Data field contains the request type (or the response type) and the type data. Type 1 (Identity) and type 4 (MD5-Challenge) are two examples for the type field. EAPOL packet format Figure 25 shows the EAPOL packet format.
  • Page 87: 802.1X Authentication Initiation

    01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client and the authentication server does not support the multicast address, you must use an 802.1X client that can send broadcast EAPOL-Start packets. For example, you can use the HPE iNode 802.1X client.
  • Page 88: 802.1X Authentication Procedures

    Packet exchange method: EAP termination
      Benefits: Works with any RADIUS server that supports PAP or CHAP authentication.
      Limitations: Supports only the following EAP authentication methods:
        − MD5-Challenge EAP authentication.
        − The username and password EAP authentication initiated by an HPE iNode 802.1X client.
  • Page 89: Eap Relay

    Packet exchange method / Benefits / Limitations
      • The processing is complex on the access device.
    EAP relay
    Figure 30 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that EAP-MD5 is used.
    Figure 30 802.1X authentication procedure in EAP relay mode (figure: Client, Device, Authentication server)...
  • Page 90: Eap Termination

    challenge (EAP-Request/MD5-Challenge) to encrypt the password in the entry. Then, the server sends the challenge in a RADIUS Access-Challenge packet to the access device. The access device transmits the EAP-Request/MD5-Challenge packet to the client. The client uses the received challenge to encrypt the password, and sends the encrypted password in an EAP-Response/MD5-Challenge packet to the access device.
  • Page 91 Figure 31 802.1X authentication procedure in EAP termination mode In EAP termination mode, the access device rather than the authentication server generates an MD5 challenge for password encryption. The access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.
  • Page 92: Configuring 802.1X

    Configuring 802.1X This chapter describes how to configure 802.1X on an HPE device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network that requires different authentication methods for different users on a port.
  • Page 93 The suffix can be t or u, which indicates whether the ports assigned to the VLAN are tagged members or not. For example, 2u indicates that the ports assigned to VLAN 2 are untagged members. NOTE: The access device converts VLAN names and VLAN group names into VLAN IDs before VLAN assignment.
  • Page 94: Guest Vlan

    Table 7 VLAN manipulation
    Port access control method: Port-based
      VLAN manipulation: The device assigns the port to the first authenticated user's authorization VLAN. All subsequent 802.1X users can access the VLAN without authentication. If the port is assigned to the authorization VLAN as an untagged member, the authorization VLAN becomes the PVID.
  • Page 95: Auth-Fail Vlan

    Authentication status VLAN manipulation 802.1X authentication. 802.1X users on this port can access only resources in the guest VLAN. If no 802.1X guest VLAN is configured, the access device does not perform any VLAN operation. If an 802.1X Auth-Fail VLAN (see "Auth-Fail VLAN") is available, the device assigns the Auth-Fail VLAN to the port as the PVID.
  • Page 96: Critical Vlan

    The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control method.
    • On a port that performs port-based access control:
      Authentication status: A user fails 802.1X authentication.
      VLAN manipulation: The device assigns the Auth-Fail VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the Auth-Fail VLAN.
  • Page 97 not assigned to the critical VLAN. For more information about the authentication methods, see "Configuring AAA." The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control method. • On a port that performs port-based access control: Authentication status VLAN manipulation A user that has not been assigned to any...
  • Page 98: Critical Voice Vlan

    Authentication status VLAN manipulation device remaps the MAC address of the user to the initial PVID. The device remaps the MAC address of the user to the authorization VLAN. A user in the 802.1X critical VLAN passes If the authentication server (either the local access 802.1X authentication.
  • Page 99: Using 802.1X Authentication With Other Features

    Using 802.1X authentication with other features ACL assignment You can specify an ACL for an 802.1X user to control the user's access to network resources. After the user passes 802.1X authentication, the authentication server assigns the ACL to the access port to filter traffic from this user.
  • Page 100: Redirect Url Assignment

    The EAD assistant feature creates an ACL-based EAD rule automatically to open access to the redirect URL for each redirected user. EAD rules are implemented by using ACL resources. When the EAD rule timer expires or the user passes authentication, the rule is removed. If users fail to download the EAD client or fail to pass authentication before the timer expires, they must reconnect to the network to access the free IP.
  • Page 101: Enabling 802.1X

    CHAP authentication on the access device. • The client is an HPE iNode 802.1X client and initiates only the username and password EAP authentication. If EAP termination is used, you can enable either PAP or CHAP authentication on the access device. However, if the password is required to be transmitted in cipher text, you must use CHAP authentication on the access device.
  • Page 102: Setting The Port Authorization State

    Step: Enter system view.
      Command: system-view
    Step: Configure EAP relay or EAP termination.
      Command: dot1x authentication-method { chap | eap | pap }
      Remarks: By default, the access device performs EAP termination and uses CHAP to communicate with the RADIUS server. Specify the eap keyword to enable EAP relay. Specify the chap or pap keyword to enable CHAP-enabled or PAP-enabled EAP termination.
  • Page 103: Setting The Maximum Number Of Concurrent 802.1X Users On A Port

    Setting the maximum number of concurrent 802.1X users on a port Perform this task to prevent the system resources from being overused. To set the maximum number of concurrent 802.1X users on a port: Step Command Remarks Enter system view. system-view Enter Ethernet interface interface interface-type...
  • Page 104: Configuring Online User Handshake

    Step: Enter system view.
      Command: system-view
    Step: Set the client timeout timer.
      Command: dot1x timer supp-timeout supp-timeout-value
      Remarks: The default is 30 seconds.
    Step: Set the server timeout timer.
      Command: dot1x timer server-timeout server-timeout-value
      Remarks: The default is 100 seconds.
    Configuring online user handshake
    The online user handshake feature checks the connectivity status of online 802.1X users. The access device sends handshake requests (EAP-Request/Identity) to online users at the interval specified by the dot1x timer handshake-period command.
  • Page 105: Configuring The Authentication Trigger Feature

    Step: ... handshake feature.
    Step: (Optional.) Enable the online user handshake security feature.
      Command: dot1x handshake secure
      Remarks: By default, the feature is disabled.
    Step: (Optional.) Enable the 802.1X online user handshake reply feature.
      Command: dot1x handshake reply enable
      Remarks: By default, the device does not reply to 802.1X clients' EAP-Response/Identity packets
  • Page 106: Setting The Quiet Timer

    the network through the port. The implementation of a mandatory authentication domain enhances the flexibility of 802.1X access control deployment. To specify a mandatory authentication domain for a port: Step Command Remarks Enter system view. system-view Enter Ethernet interface interface interface-type view.
  • Page 107: Configuration Restrictions And Guidelines

    Configuration restrictions and guidelines When you configure 802.1X reauthentication, follow these restrictions and guidelines: • The server-assigned session timeout timer (Session-Timeout attribute) and termination action (Termination-Action attribute) together can affect periodic reauthentication. To display the server-assigned Session-Timeout and Termination-Action attributes, use the display dot1x connection command (see Security Command Reference).
  • Page 108: Enabling The Keep-Online Feature

    Step: Enter Ethernet interface view.
      Command: interface interface-type interface-number
    Step: Manually reauthenticate all online 802.1X users on the port.
      Command: dot1x re-authenticate manual
      Remarks: The device immediately reauthenticates all online 802.1X users on the port after you execute this command.
    Enabling the keep-online feature
    Step Command Remarks...
  • Page 109: Configuration Prerequisites

    Feature: Port intrusion protection actions on a port that performs MAC-based access control
      Relationship description: The 802.1X guest VLAN feature has higher priority than the block MAC action. The 802.1X guest VLAN feature has lower priority than the shutdown port action of the port intrusion protection feature.
      Reference: "Configuring port security."
  • Page 110: Configuring An 802.1X Auth-Fail Vlan

    Step: Enter system view.
      Command: system-view
    Step: Enter Layer 2 Ethernet interface view.
      Command: interface interface-type interface-number
    Step: Enable 802.1X guest VLAN assignment delay on the port.
      Command: dot1x guest-vlan-delay { eapol | new-mac }
      Remarks: By default, 802.1X guest VLAN assignment delay is disabled on a port.
  • Page 111: Configuration Procedure

    Configuration procedure
    To configure an 802.1X Auth-Fail VLAN:
    Step: Enter system view.
      Command: system-view
    Step: Enter Ethernet interface view.
      Command: interface interface-type interface-number
    Step: Configure the 802.1X Auth-Fail VLAN on the port.
      Command: dot1x auth-fail vlan authfail-vlan-id
      Remarks: By default, no 802.1X Auth-Fail VLAN exists.
    Configuring an 802.1X critical VLAN
    Typically, when a client user is assigned to the 802.1X critical VLAN on a port, the device sends an EAP-Failure packet to the client.
  • Page 112: Enabling The 802.1X Critical Voice Vlan

    Step: Enter system view.
      Command: system-view
    Step: Enter Ethernet interface view.
      Command: interface interface-type interface-number
    Step: Configure the 802.1X critical VLAN on the port.
      Command: dot1x critical vlan critical-vlan-id
      Remarks: By default, no 802.1X critical VLAN exists.
    Step: (Optional.) Send an EAP-Success packet to a client when the 802.1X client...
      Remarks: By default, the device sends an EAP-Failure packet to a client...
  • Page 113: Enabling 802.1X User Ip Freezing

    If an 802.1X username string contains multiple configured delimiters, the rightmost delimiter is the domain name delimiter. For example, if you configure the backslash (\), dot (.), and forward slash (/) as delimiters, the domain name delimiter for the username string 121.123/22\@abc is the backslash (\).
  • Page 114: Setting The Maximum Number Of 802.1X Authentication Attempts For Mac Authenticated Users

    Step: Enter system view.
      Command: system-view
    Step: Enter Layer 2 Ethernet interface view.
      Command: interface interface-type interface-number
    Step: Enable the device to send 802.1X protocol packets out of the port without VLAN tags.
      Command: dot1x eapol untag
      Remarks: By default, the device can send 802.1X EAPOL packets out of a port with VLAN tags.
  • Page 115: Displaying And Maintaining 802.1X

    To configure the EAD assistant feature:
    Step: Enter system view.
      Command: system-view
    Step: Enable the EAD assistant feature.
      Command: dot1x ead-assistant enable
      Remarks: By default, this feature is disabled.
    Step: Configure a free IP.
      Command: dot1x ead-assistant free-ip ip-address { mask-address | mask-length }
      Remarks: By default, no free IPs exist.
    Step: ...
      Remarks: By default, no redirect URL exists.
  • Page 116 Figure 32 Network diagram Configuration procedure Configure the 802.1X client. If HPE iNode is used, do not select the Carry version info option in the client configuration. (Details not shown.) Configure the RADIUS servers and add user accounts for the 802.1X users. (Details not shown.)
  • Page 117: Guest Vlan And Authorization Vlan Configuration Example

    NOTE: The access device must use the same username format as the RADIUS server. If the RADIUS server includes the ISP domain name in the username, so must the access device. Configure the ISP domain: # Create an ISP domain named bbb and enter ISP domain view. [Device] domain bbb # Apply RADIUS scheme radius1 to the ISP domain, and specify local authentication as the secondary authentication method.
  • Page 118 Figure 33 Network diagram Configuration procedure Configure the 802.1X client. Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VLAN or an authorization VLAN. (Details not shown.) Configure the RADIUS server to provide authentication, authorization, and accounting services. Configure user accounts and authorization VLAN (VLAN 5 in this example) for the users.
  • Page 119
    [Device-radius-2000] primary authentication 10.11.1.1 1812
    # Specify the server at 10.11.1.1 as the primary accounting server, and set the accounting port to 1813.
    [Device-radius-2000] primary accounting 10.11.1.1 1813
    # Set the shared key to abc in plain text for secure communication between the authentication server and the device.
  • Page 120: 802.1X With Acl Assignment Configuration Example

    802.1X with ACL assignment configuration example Network requirements As shown in Figure 34, the host that connects to Ten-GigabitEthernet 1/0/1 must pass 802.1X authentication to access the Internet. Perform 802.1X authentication on Ten-GigabitEthernet 1/0/1. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server, and the RADIUS server at 10.1.1.2 as the accounting server.
  • Page 121: With Ead Assistant Configuration Example (With Dhcp Relay Agent)

    [Device-radius-2000] user-name-format without-domain
    [Device-radius-2000] quit
    Configure an ISP domain:
    # Create ISP domain bbb and enter ISP domain view.
    [Device] domain bbb
    # Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and accounting.
    [Device-isp-bbb] authentication lan-access radius-scheme 2000
    [Device-isp-bbb] authorization lan-access radius-scheme 2000
    [Device-isp-bbb] accounting lan-access radius-scheme 2000
    [Device-isp-bbb] quit...
  • Page 122
    • The intranet 192.168.1.0/24 is attached to Ten-GigabitEthernet 1/0/1 of the access device.
    • The hosts use DHCP to obtain IP addresses.
    • A DHCP server and a Web server are deployed on the 192.168.2.0/24 subnet for users to obtain IP addresses and download client software.
    Deploy an EAD solution for the intranet to meet the following requirements:
    •...
  • Page 123
    # Specify the server at 10.1.1.1 as the primary authentication server, and set the authentication port to 1812.
    [Device-radius-2000] primary authentication 10.1.1.1 1812
    # Specify the server at 10.1.1.2 as the primary accounting server, and set the accounting port to 1813.
  • Page 124: With Ead Assistant Configuration Example (With Dhcp Server)

    Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
    Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
    Ping statistics for 192.168.2.3:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms
    The output shows that you can access the free IP subnet before passing 802.1X authentication.
  • Page 125
    Configure an IP address for each interface. (Details not shown.)
    Configure the DHCP server:
    # Enable DHCP.
    <Device> system-view
    [Device] dhcp enable
    # Enable the DHCP server on VLAN-interface 2.
    [Device] interface vlan-interface 2
    [Device-Vlan-interface2] dhcp select server
    [Device-Vlan-interface2] quit
    # Create DHCP address pool 0.
  • Page 126: Troubleshooting 802.1X

    [Device] dot1x ead-assistant url http://192.168.2.3
    # Enable the EAD assistant feature.
    [Device] dot1x ead-assistant enable
    # Enable 802.1X on Ten-GigabitEthernet 1/0/1.
    [Device] interface ten-gigabitethernet 1/0/1
    [Device-Ten-GigabitEthernet1/0/1] dot1x
    [Device-Ten-GigabitEthernet1/0/1] quit
    # Enable 802.1X globally.
    [Device] dot1x
    Verifying the configuration
    # Verify the 802.1X configuration.
    [Device] display dot1x
    # Verify that you can ping an IP address on the free IP subnet from a host.
  • Page 127 • No server is using the redirect URL, or the server with the URL does not provide Web services. Solution To resolve the problem: Enter a dotted decimal IP address that is not in any free IP segments. Verify that the access device and the server are configured correctly. If the problem persists, contact Hewlett Packard Enterprise Support.
  • Page 128: Configuring Mac Authentication

    Configuring MAC authentication Overview MAC authentication controls network access by authenticating source MAC addresses on a port. The feature does not require client software, and users do not have to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication-enabled port.
  • Page 129: Vlan Assignment

    VLAN assignment Authorization VLAN The device uses the authorization VLAN to control the access of a MAC authentication user to authorized network resources. The device supports the following VLAN authorization methods: • Remote VLAN authorization—The authorization VLAN information of a MAC authentication user is assigned by a remote server.
  • Page 130
    Table 11 shows the way that the network access device handles guest VLANs for MAC authentication users.
    Table 11 VLAN manipulation
    Authentication status: A user in the MAC authentication guest VLAN fails MAC authentication for any other reason than server unreachable.
      VLAN manipulation: The user is still in the MAC authentication guest VLAN.
  • Page 131: Acl Assignment

    is not assigned to the critical VLAN. For more information about the authentication methods, see "Configuring AAA."
    Table 13 shows the way that the network access device handles critical voice VLANs for MAC authentication voice users.
    Table 13 VLAN manipulation
    Authentication status / VLAN manipulation
      VLAN manipulation: The device maps the MAC address of the voice user to the...
  • Page 132: Redirect Url Assignment

    For more information about user profiles, see "Configuring user profiles." Redirect URL assignment The device supports the URL attribute assigned by a RADIUS server. During MAC authentication, a user is redirected to the Web interface specified by the server-assigned URL attribute. After the user passes the Web authentication, the RADIUS server records the MAC address of the Web user and uses a DM (Disconnect Message) to log off the Web user.
  • Page 133: Specifying A Mac Authentication Domain

    MAC authentication is exclusive with link aggregation group or service loopback group. • You cannot enable MAC authentication on a port already in a link aggregation group or a service loopback group. • You cannot add a MAC authentication-enabled port to a link aggregation group or a service loopback group.
  • Page 134: Configuring Mac Authentication Timers

    Step / Command / Remarks
      Command (continued): user-name-format mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ]
      Remarks: ... MAC authentication. The MAC address is in the hexadecimal notation without hyphens, and letters are in lower case.
    • Use one shared user account for all users:
      mac-authentication user-name-format fixed...
  • Page 135: Enabling Mac Authentication Multi-Vlan Mode On A Port

    Step: Set the maximum number of concurrent MAC authentication users on the port.
      Command: mac-authentication max-user max-number
      Remarks: The default setting is 4294967295.
    Enabling MAC authentication multi-VLAN mode on a port
    The MAC authentication multi-VLAN mode prevents an authenticated online user from service interruption caused by VLAN changes on a port.
  • Page 136: Enabling Parallel Processing Of Mac Authentication And 802.1X Authentication

    Step: Enable MAC authentication delay and set the delay timer.
      Command: mac-authentication timer auth-delay time
      Remarks: By default, MAC authentication delay is disabled.
    Enabling parallel processing of MAC authentication and 802.1X authentication
    This feature enables a port that processes MAC authentication after 802.1X authentication is finished to process MAC authentication in parallel with 802.1X authentication.
  • Page 137: Configuring A Mac Authentication Guest Vlan

    Step: Enter Ethernet interface view.
      Command: interface interface-type interface-number
    Step: Enable parallel processing of MAC authentication and 802.1X authentication on the port.
      Command: mac-authentication parallel-with-dot1x
      Remarks: By default, this feature is disabled.
    Configuring a MAC authentication guest VLAN
    You must configure the MAC authentication guest VLAN on a hybrid port. Before you configure the MAC authentication guest VLAN on a hybrid port, complete the following tasks:
    •...
  • Page 138: Configuring A Mac Authentication Critical Vlan

    Configuring a MAC authentication critical VLAN You must configure the MAC authentication critical VLAN on a hybrid port. Before you configure the MAC authentication critical VLAN on a hybrid port, complete the following tasks: • Enable MAC authentication globally and on the port. •...
  • Page 139: Configuration Procedure

    The device uses LLDP to identify voice users. For information about LLDP, see Layer 2—LAN Switching Configuration Guide. • Enable voice VLAN on the port. For information about voice VLANs, see Layer 2—LAN Switching Configuration Guide. Configuration procedure To enable the MAC authentication critical voice VLAN feature on a port: Step Command Remarks...
  • Page 140: Configuration Procedure

    The device selects a periodic reauthentication timer for MAC reauthentication in the following order: a. Server-assigned reauthentication timer. b. Port-specific reauthentication timer. c. Global reauthentication timer. d. Default reauthentication timer. • In a fast-recovery network, you can use the keep-online feature to prevent MAC authentication users from coming online and going offline frequently.
  • Page 141: Displaying And Maintaining Mac Authentication

    Step: Enable MAC authentication offline detection.
      Command: mac-authentication offline-detect enable
      Remarks: By default, MAC authentication offline detection is enabled.
    Displaying and maintaining MAC authentication
    Execute display commands in any view and reset commands in user view.
    Task: Display MAC authentication information.
      Command: display mac-authentication [ interface interface-type...
  • Page 142
    Figure 37 Network diagram
    Configuration procedure
    # Add a network access local user. In this example, configure both the username and password as Host A's MAC address 00-e0-fc-12-34-56.
    <Device> system-view
    [Device] local-user 00-e0-fc-12-34-56 class network
    [Device-luser-network-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56
    # Specify the LAN access service for the user.
    [Device-luser-network-00-e0-fc-12-34-56] service-type lan-access
    [Device-luser-network-00-e0-fc-12-34-56] quit
    # Configure ISP domain bbb to perform local authentication for LAN users.
  • Page 143: Radius-Based Mac Authentication Configuration Example

    Server timeout        : 100 s
    Reauth period         : 3600 s
    Authentication domain : bbb
    Online MAC-auth users
    Silent MAC users:
    MAC address      VLAN ID  From port  Port index
    00e0-fc11-1111            XGE1/0/1
    Ten-GigabitEthernet1/0/1 is link-up
    MAC authentication    : Enabled
    Carry User-IP         : Disabled
    Authentication domain : Not configured
    Auth-delay timer...
  • Page 144 Figure 38 Network diagram Configuration procedure Make sure the RADIUS server and the access device can reach each other. (Details not shown.) Configure the RADIUS servers: # Create a shared account for MAC authentication users. (Details not shown.) # Set username aaa and password 123456 for the account. (Details not shown.) Configure RADIUS-based MAC authentication on the device: # Configure a RADIUS scheme.
  • Page 145: Acl Assignment Configuration Example

    [Device] mac-authentication
    Verifying the configuration
    # Verify the MAC authentication configuration.
    [Device] display mac-authentication
    Global MAC authentication parameters:
    MAC authentication    : Enabled
    Username format       : Fixed account
    Username              : aaa
    Password              : ******
    Offline detect period : 180 s
    Quiet period          : 180 s
    Server timeout        : 100 s...
  • Page 146
    • Use MAC-based user accounts for MAC authentication users. Each MAC address is in the hexadecimal notation with hyphens, and letters are in lower case.
    • Use an ACL to deny authenticated users access to the FTP server at 10.0.0.1.
    Figure 39 Network diagram
    Configuration procedure
    Make sure the RADIUS servers and the access device can reach each other.
  • Page 147
    [Device-Ten-GigabitEthernet1/0/1] quit
    # Enable MAC authentication globally.
    [Device] mac-authentication
    Configure the RADIUS servers:
    # Add a user account with 00-e0-fc-12-34-56 as both the username and password on each RADIUS server. (Details not shown.)
    # Specify ACL 3000 as the authorization ACL for the user account. (Details not shown.)
    Verifying the configuration
    # Verify the MAC authentication configuration.
  • Page 148 Pinging 10.0.0.1 with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out. Ping statistics for 10.0.0.1: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), The output shows that ACL 3000 has been assigned to Ten-GigabitEthernet 1/0/1 to deny access to the FTP server.
  • Page 149: Configuring Portal Authentication

    Users can access more network resources after passing security check. Security check must cooperate with the HPE IMC security policy server and the iNode client. Portal system components A typical portal system consists of these basic components: authentication client, access device,...
  • Page 150 Figure 40 Portal system components Portal authentication server Authentication client Portal Web server Authentication client Access device AAA server Authentication client Security policy server Authentication client An authentication client is a Web browser that runs HTTP/HTTPS or a user host that runs a portal client application.
  • Page 151: Portal System Using The Local Portal Web Server

    Web browser. When receiving the HTTP or HTTPS request, the access device redirects it to the Web authentication page provided by the portal Web server. The user can also visit the authentication website to log in. The user must log in through the HPE iNode client for extended portal functions.
  • Page 152: Portal Authentication Modes

    HPE iNode client. NOTE: Portal authentication supports NAT traversal whether it is initiated by a Web client or an HPE iNode client. NAT traversal must be configured when the portal client is on a private network and the portal server is on a public network.
  • Page 153: Portal Authentication Process

    EAP authentication. NOTE: • To use portal authentication that supports EAP, the portal authentication server and client must be the HPE IMC portal server and the HPE iNode portal client. • Local portal authentication does not support EAP authentication.
  • Page 154 If the packet does not match any portal-free rule, the access device redirects the packet to the portal Web server. The portal Web server pushes the Web authentication page to the user for him to enter his username and password. The portal Web server submits the user authentication information to the portal authentication server.
  • Page 155: Portal Packet Filtering Rules

    Step 1 through step 7 are the same as those in the direct authentication/cross-subnet authentication process. After receiving the authentication success packet, the client obtains a public IP address through DHCP. The client then notifies the portal authentication server that it has a public IP address. The portal authentication server notifies the access device that the client has obtained a public IP address.
  • Page 156: Portal Configuration Task List

    The authentication is implemented as follows: When a user accesses the network for the first time, the access device generates a MAC-trigger entry that records the user's MAC address and access interface. The user can access the network without performing portal authentication if the user's network traffic is below the free-traffic threshold.
  • Page 157: Configuration Prerequisites

    Tasks at a glance (Optional.) Enabling portal roaming (Optional.) Specifying a format for the NAS-Port-ID attribute (Optional.) Specifying the device ID (Optional.) Logging out online portal users (Optional.) Configuring Web redirect Web redirect does not work when both Web redirect and portal authentication are enabled. (Optional.) Applying a NAS-ID profile to an interface (Optional.)
  • Page 158: Configuring A Portal Web Server

    Do not delete a portal authentication server in use. Otherwise, users authenticated by that server cannot log out normally. To configure a portal authentication server: Step: Enter system view. Command: system-view. Step: Create a portal authentication server and enter its view. Command: portal server server-name. Remarks: By default, no portal authentication servers exist.
  • Page 159: Enabling Portal Authentication

    To configure a portal Web server: Step: Enter system view. Command: system-view. Step: Create a portal Web server and enter its view. Command: portal web-server server-name. Remarks: By default, no portal Web servers exist. Step: Specify the VPN instance to which the portal Web server belongs. Command: vpn-instance vpn-instance-name. Remarks: By default, the portal Web server belongs to the public network.
  • Page 160: Configuration Procedure

    • Cross-subnet authentication mode (layer3) does not require Layer 3 forwarding devices between the access device and the portal authentication clients. However, if a Layer 3 forwarding device exists between the authentication client and the access device, you must use the cross-subnet portal authentication mode.
  • Page 161: Controlling Portal User Access

    Controlling portal user access Configuring a portal-free rule A portal-free rule allows specified users to access specified external websites without portal authentication. The matching items for a portal-free rule include the host name, source/destination IP address, TCP/UDP port number, source MAC address, access interface, and VLAN. Packets matching a portal-free rule will not trigger portal authentication, so users sending the packets can directly access the specified external websites.
  • Page 162: Configuring An Authentication Source Subnet

    Step: Enter system view. Command: system-view. Step: Configure a destination-based portal-free rule. Command: portal free-rule rule-number destination host-name. Remarks: By default, no destination-based portal-free rule exists. Configuring an authentication source subnet By configuring authentication source subnets, you specify that only HTTP packets from users on the authentication source subnets can trigger portal authentication.
  • Page 163: Configuring An Authentication Destination Subnet

    Configuring an authentication destination subnet By configuring authentication destination subnets, you specify that users trigger portal authentication only when they access the specified subnets (excluding the destination IP addresses and subnets specified in portal-free rules). Users can access other subnets without portal authentication. If both authentication source subnets and destination subnets are configured on an interface, only the authentication destination subnets take effect.
  • Page 164: Specifying A Portal Authentication Domain

    Step: Enter system view. Command: system-view. Step: Set the maximum number of total portal users. Command: portal max-user max-number. Remarks: By default, no limit is set on the number of portal users in the system. To set the maximum number of portal users: Step Command Remarks...
  • Page 165: Specifying A Preauthentication Domain

    Specifying a preauthentication domain The preauthentication domain takes effect only on portal users with IP addresses obtained through DHCP or DHCPv6. After you configure a preauthentication domain on a portal-enabled interface, the device authorizes users on the interface as follows: After an unauthenticated user obtains an IP address, the user is assigned authorization attributes (such as ACL and user profile) configured for the preauthentication domain.
  • Page 166: Enabling Strict-Checking On Portal Authorization Information

    If the client is configured to obtain an IP address automatically through DHCP, the user obtains an address from the specified IP address pool. If the client is configured with a static IP address, the user uses the static IP address. However, if the interface does not have an IP address, users using static IP addresses cannot pass authentication.
  • Page 167: Enabling Portal Authentication Only For DHCP Users

    Enabling portal authentication only for DHCP users To ensure that only users with valid IP addresses access the network, enable this feature on an interface. This feature allows only users with DHCP-assigned IP addresses to pass portal authentication. Users with static IP addresses cannot pass portal authentication to get online. IPv6 users use IPv6 temporary addresses to access the IPv6 network even though they have been assigned DHCPv6 addresses.
  • Page 168: Configuring Portal Authentication Server Detection

    If the device receives no packets from a portal user within the idle time, the device detects the user's online status as follows: • ICMP or ICMPv6 detection—Sends ICMP or ICMPv6 requests to the user at configurable intervals to detect the user status. If the device receives a reply within the maximum number of detection attempts, it considers that the user is online and stops sending detection packets.
  • Page 169: Configuring Portal Web Server Detection

    receives a portal packet within a detection timeout (timeout timeout) and the portal packet is valid, the device considers the portal authentication server to be reachable. Otherwise, the device considers the portal authentication server to be unreachable. Portal packets include user login packets, user logout packets, and heartbeat packets. Heartbeat packets are periodically sent by a server.
  • Page 170: Configuring Portal User Synchronization

    • Maximum number of consecutive failures—If the number of consecutive detection failures reaches this value, the access device considers that the portal Web server is unreachable. You can configure the device to take one or more of the following actions when the server reachability status changes: •...
  • Page 171: Configuring The Portal Fail-Permit Feature

    Step: Enter system view. Command: system-view. Step: Enter portal authentication server view. Command: portal server server-name. Step: Configure portal user synchronization. Command: user-sync timeout timeout. Remarks: By default, portal user synchronization is disabled. Configuring the portal fail-permit feature Perform this task to configure the portal fail-permit feature on an interface. When the access device detects that the portal authentication server or portal Web server is unreachable, it allows users on the interface to have network access without portal authentication.
  • Page 172: Enabling Portal Roaming

    During a re-DHCP portal authentication or mandatory user logout process, the device sends portal notification packets to the portal authentication server. For the authentication or logout process to complete, make sure the BAS-IP/BAS-IPv6 attribute is the same as the device IP or IPv6 address specified on the portal authentication server.
  • Page 173: Specifying A Format For The NAS-Port-ID Attribute

    Specifying a format for the NAS-Port-ID attribute RADIUS servers from different vendors might require different formats of the NAS-Port-ID attribute in the RADIUS packets. You can specify the NAS-Port-ID attribute format as required. The device supports the NAS-Port-ID attribute in format 1, format 2, format 3, and format 4. For more information about the formats, see Security Command Reference.
  • Page 174: Configuring Web Redirect

    Configuring Web redirect Web redirect is a simplified portal feature. With Web redirect, a user does not perform portal authentication but is directly redirected to the specified URL on the first Web access attempt in a browser. After the specified redirect interval, the user is redirected from the visiting website to the specified URL again.
  • Page 175: Configuring The Local Portal Web Server Feature

    Step: Return to system view. Command: quit. Step: Enter interface view. Command: interface interface-type interface-number. Step: Specify the NAS-ID profile on the interface. Command: portal nas-id-profile profile-name. Remarks: By default, no NAS-ID profile is specified on the interface. Configuring the local portal Web server feature To perform local portal authentication for users, perform the following tasks: •...
  • Page 176 Main authentication page File name System busy page busy.htm Pushed when the system is busy or the user is in the logon process Logoff success page logoffSuccess.htm Page request rules The local portal Web server supports only Get and Post requests. •...
  • Page 177: Configuring A Local Portal Web Server

    -rw- 1405 Feb 28 2008 15:53:20 ssid1.zip -rw- 1405 Feb 28 2008 15:53:31 ssid2.zip -rw- 1405 Feb 28 2008 15:53:39 ssid3.zip -rw- 1405 Feb 28 2008 15:53:44 ssid4.zip 2540 KB total (1319 KB free) Redirecting authenticated users to a specific webpage To make the device automatically redirect authenticated users to a specific webpage, do the following in logon.htm and logonSuccess.htm: In logon.htm, set the target attribute of Form to _blank.
  • Page 178: Enabling ARP Or ND Entry Conversion For Portal Clients

    Enabling ARP or ND entry conversion for portal clients This feature converts the ARP or ND entries to Rule ARP or ND entries for portal users. Rule ARP or ND entries will not be aged and they will be deleted immediately when the portal users go offline. When this feature is disabled, ARP or ND entries for portal users are dynamic entries and will be aged out when their respective aging timers expire.
  • Page 179: Specifying A MAC Binding Server On An Interface

    Step: Create a MAC binding server and enter its view. Command: portal mac-trigger-server server-name. Remarks: By default, no MAC binding servers exist. Step: Specify the IP address of the MAC binding server. Command: ip ipv4-address [ vpn-instance ipv4-vpn-instance-name ] [ key ... Remarks: By default, the IP address of a MAC binding server is not ...
  • Page 180: Enabling Logging For User Logins And Logouts

    Enabling logging for user logins and logouts This feature logs information about user login and logout events, including the username, IP address, user's MAC address, interface name, VLAN, and reason for login failure. For portal log messages to be sent correctly, you must also configure the information center on the device. For more information about information center configuration, see Network Management and Monitoring Configuration Guide.
  • Page 181: Portal Configuration Examples

    Portal configuration examples Configuring direct portal authentication Network requirements As shown in Figure 45, the host is directly connected to the switch (the access device). The host is assigned a public IP address either manually or through DHCP. A portal server acts as both a portal authentication server portal...
  • Page 182 Figure 46 Portal authentication server configuration Configure the IP address group: a. Select Access Service > Portal Service Management > IP Group from the navigation tree to open the portal IP address group configuration page. b. Click Add to open the page as shown in Figure c.
  • Page 183 g. Set whether to support the portal server heartbeat and user heartbeat functions. In this example, select No for both Support Server Heartbeat and Support User Heartbeat. h. Click OK. Figure 48 Adding a portal device Associate the portal device with the IP address group: a.
  • Page 184 The IP address used by the user to access the network must be within this IP address group. e. Click OK. Select Access Service > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configuring the portal authentication server on IMC PLAT 5.0 In this example, the portal server runs on IMC PLAT 5.0(E0101) and IMC UAM 5.0(E0101).
  • Page 185 Figure 52 Adding an IP address group Add a portal device: a. Select User Access Manager > Portal Service Management > Device from the navigation tree to open the portal device configuration page. b. Click Add to open the page as shown in Figure c.
  • Page 186 b. Click Add to open the page as shown in Figure c. Enter the port group name. d. Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group.
  • Page 187 # Enable RADIUS session control. [Switch] radius session-control enable Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Switch] domain dm1 # Configure AAA methods for the ISP domain. [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1 [Switch-isp-dm1] quit...
  • Page 188 IP address Prefix length A user can perform portal authentication by using the HPE iNode client or through a Web browser. Before passing the authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
  • Page 189: Configuring Re-DHCP Portal Authentication

    Session group profile: N/A ACL: N/A CAR: N/A Configuring re-DHCP portal authentication Network requirements As shown in Figure 56, the host is directly connected to the switch (the access device). The host obtains an IP address through the DHCP server. A portal server acts as both a portal authentication server and a portal Web server.
  • Page 190 # Create a RADIUS scheme named rs1 and enter its view. <Switch> system-view [Switch] radius scheme rs1 # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers. [Switch-radius-rs1] primary authentication 192.168.0.113 [Switch-radius-rs1] primary accounting 192.168.0.113 [Switch-radius-rs1] key authentication simple radius [Switch-radius-rs1] key accounting simple radius...
  • Page 191 # Enable re-DHCP portal authentication on VLAN-interface 100. [Switch] interface vlan-interface 100 [Switch-Vlan-interface100] portal enable method redhcp # Reference the portal Web server newpt on VLAN-interface 100. [Switch-Vlan-interface100] portal apply web-server newpt # Configure the BAS-IP as 20.20.20.1 for portal packets sent from VLAN-interface 100 to the portal authentication server.
  • Page 192: Configuring Cross-Subnet Portal Authentication

    IP address Prefix length Before passing the authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. After passing the authentication, the user can access other network resources.
  • Page 193 Figure 57 Network diagram Configuration prerequisites and guidelines • Configure IP addresses for the switch and servers as shown in Figure 57 and make sure the host, switch, and servers can reach each other. • Configure the RADIUS server correctly to provide authentication and accounting functions. •...
  • Page 194 # Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user. [SwitchA] domain default enable dm1 Configure portal authentication: # Configure a portal authentication server.
  • Page 195 IP address Prefix length A user can perform portal authentication by using the HPE iNode client or through a Web browser. Before passing the authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
  • Page 196: Configuring Extended Direct Portal Authentication

    Configuring extended direct portal authentication Network requirements As shown in Figure 58, the host is directly connected to the switch (the access device). The host is assigned a public IP address either manually or through DHCP. A portal server acts as both a portal authentication server portal...
  • Page 197 Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Switch] domain dm1 # Configure AAA methods for the ISP domain. [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1 [Switch-isp-dm1] quit # Configure domain dm1 as the default ISP domain.
  • Page 198 Destination authenticate subnet: IP address Prefix length Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. •...
  • Page 199: Configuring Extended Re-DHCP Portal Authentication

    # After the user passes identity authentication and security check, use the following command to display information about the portal user. [Switch] display portal user interface vlan-interface 100 Total portal users: 1 Username: abc Portal server: newpt State: Online VPN instance: N/A VLAN Interface 0015-e9a6-7cfe...
  • Page 200 • For re-DHCP portal authentication, configure a public address pool (20.20.20.0/24) and a private address pool (10.0.0.0/24) on the DHCP server. (Details not shown.) • For re-DHCP portal authentication: The switch must be configured as a DHCP relay agent. The portal-enabled interface must be configured with a primary IP address (a public IP address) and a secondary IP address (a private IP address).
  • Page 201 [Switch] acl advanced 3001 [Switch-acl-ipv4-adv-3001] rule permit ip [Switch-acl-ipv4-adv-3001] quit NOTE: Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the security policy server. Configure DHCP relay and authorized ARP: # Configure DHCP relay. [Switch] dhcp enable [Switch] dhcp relay client-information record [Switch] interface vlan-interface 100...
  • Page 202 Destination authenticate subnet: IP address Prefix length Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. •...
  • Page 203: Configuring Extended Cross-Subnet Portal Authentication

    Portal server: newpt State: Online VPN instance: N/A VLAN Interface 0015-e9a6-7cfe 20.20.20.2 Vlan-interface100 Authorization information: DHCP IP pool: N/A User profile: N/A Session group profile: N/A ACL: 3001 CAR: N/A Configuring extended cross-subnet portal authentication Network requirements As shown in Figure 60, Switch A supports portal authentication.
  • Page 204 <SwitchA> system-view [SwitchA] radius scheme rs1 # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers. [SwitchA-radius-rs1] primary authentication 192.168.0.112 [SwitchA-radius-rs1] primary accounting 192.168.0.112 [SwitchA-radius-rs1] key accounting simple radius [SwitchA-radius-rs1] key authentication simple radius [SwitchA-radius-rs1] user-name-format without-domain # Specify the security policy server.
  • Page 205 [SwitchA-portal-websvr-newpt] quit # Enable cross-subnet portal authentication on VLAN-interface 4. [SwitchA] interface vlan-interface 4 [SwitchA-Vlan-interface4] portal enable method layer3 # Reference the portal Web server newpt on VLAN-interface 4. [SwitchA-Vlan-interface4] portal apply web-server newpt # Configure the BAS-IP as 20.20.20.1 for portal packets sent from VLAN-interface 4 to the portal authentication server.
  • Page 206: Configuring Portal Server Detection And Portal User Synchronization

    Destination authenticate subnet: IP address Prefix length Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. •...
  • Page 207 • Configure the switch to synchronize portal user information with the portal server periodically. Figure 61 Network diagram Configuration prerequisites and guidelines • Configure IP addresses for the switch and servers as shown in Figure 61 and make sure the host, switch, and servers can reach each other.
  • Page 208 Figure 62 Portal authentication server configuration Configure the IP address group: a. Select Access Service > Portal Service Management > IP Group from the navigation tree to open the portal IP address group configuration page. b. Click Add to open the page as shown in Figure c.
  • Page 209 g. Set whether to support the portal server heartbeat and user heartbeat functions. In this example, select Yes for both Support Server Heartbeat and Support User Heartbeat. h. Click OK. Figure 64 Adding a portal device Associate the portal device with the IP address group: a.
  • Page 210 The IP address used by the user to access the network must be within this IP address group. e. Use default values for other parameters. f. Click OK. Select Access Service > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations.
  • Page 211 Figure 68 Adding an IP address group Add a portal device: a. Select User Access Manager > Portal Service Management > Device from the navigation tree to open the portal device configuration page. b. Click Add to open the page as shown in Figure c.
  • Page 212 b. Click Add to open the page as shown in Figure c. Enter the port group name. d. Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group.
  • Page 213 # Enable RADIUS session control. [Switch] radius session-control enable Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Switch] domain dm1 # Configure AAA methods for the ISP domain. [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1 [Switch-isp-dm1] quit...
  • Page 214: Configuring Direct Portal Authentication With A Preauthentication Domain

    Verifying the configuration # Use the following command to display information about the portal authentication server. [Switch] display portal server newpt Portal server: newpt Type : IMC : 192.168.0.111 VPN instance : Not configured Port : 50100 Server Detection : Timeout 40s Action: log User synchronization : Timeout 600s...
  • Page 215 <Switch> system-view [Switch] dhcp server ip-pool pre [Switch-dhcp-pool-pre] gateway-list 2.2.2.1 [Switch-dhcp-pool-pre] network 2.2.2.0 24 [Switch-dhcp-pool-pre] quit # Enable the DHCP server on VLAN-interface 100. [Switch] interface vlan-interface 100 [Switch-Vlan-interface100] dhcp select server [Switch-Vlan-interface100] quit Configure a preauthentication domain: # Create an ISP domain named abc and enter its view. [Switch] domain abc # Specify authorization ACL 3010 in the domain.
  • Page 216: Configuring Re-DHCP Portal Authentication With A Preauthentication Domain

    VLAN Interface 0015-e9a6-7cfe 10.10.10.4 Vlan-interface100 State: Online VPN instance: -- Authorization information: DHCP IP pool: N/A User profile: N/A Session group profile: N/A ACL number: 3010 Inbound CAR: N/A Outbound CAR: N/A Configuring re-DHCP portal authentication with a preauthentication domain Network requirements As shown in Figure...
  • Page 217 For information about DHCP relay agent configuration, see Layer 3—IP Services Configuration Guide. • Make sure the IP address of the portal device added on the portal server is the public IP address (20.20.20.1) of the switch's interface connecting the host. The private IP address range for the IP address group associated with the portal device is the private subnet 10.0.0.0/24 where the host resides.
  • Page 218: Configuring Direct Portal Authentication Using Local Portal Web Server

    [Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal [Switch-portal-websvr-newpt] quit # Enable re-DHCP portal authentication on VLAN-interface 100. [Switch] interface vlan-interface 100 [Switch-Vlan-interface100] portal enable method redhcp # Reference the portal Web server newpt on VLAN-interface 100. [Switch-Vlan-interface100] portal apply web-server newpt # Configure the BAS-IP as 20.20.20.1 for portal packets sent from VLAN-interface 100 to the portal authentication server.
  • Page 219 Configuration prerequisites and guidelines • Configure IP addresses for the host, switch, and server as shown in Figure 74 and make sure they can reach each other. • Configure the RADIUS server correctly to provide authentication and accounting functions. • Customize the authentication pages, compress them to a file, and upload the file to the root directory of the storage medium of the switch.
  • Page 220 [Switch-portal-websvr-newpt] url http://2.2.2.1:2331/portal [Switch-portal-websvr-newpt] quit # Enable direct portal authentication on VLAN-interface 100. [Switch] interface vlan-interface 100 [Switch-Vlan-interface100] portal enable method direct # Specify the portal Web server newpt on VLAN-interface 100. [Switch-Vlan-interface100] portal apply web-server newpt [Switch-Vlan-interface100] quit Verifying the configuration # Verify that the portal configuration has taken effect.
  • Page 221: Troubleshooting Portal

    Layer3 source network: IP address Prefix length Destination authenticate subnet: IP address Prefix length A user can perform portal authentication through a Web page. Before passing the authentication, the user can access only the authentication page http://2.2.2.1:2331/portal and all Web requests will be redirected to the authentication page.
  • Page 222: Cannot Log Out Portal Users On The Access Device

    Cannot log out portal users on the RADIUS server Symptom The access device uses the HPE IMC server as the RADIUS server to perform identity authentication for portal users. You cannot log out the portal users on the RADIUS server.
  • Page 223: Re-DHCP Portal Authenticated Users Cannot Log In Successfully

    address specified on the portal authentication server, the portal authentication server discards the logout notification. When sending of the logout notifications times out, the access device logs out the user. However, the portal authentication server does not receive the logout notification successfully, and therefore it regards the user as still online.
  • Page 224: Configuring Port Security

    Configuring port security Overview Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control. This feature applies to networks that require different authentication methods for different users on a port. Port security provides the following functions: •...
  • Page 225 Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC address or performs authentication, depending on the security mode. If the frame is illegal, the port takes the predefined NTK or intrusion protection action, or sends SNMP notifications.
  • Page 226 A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC addresses. Instead, these MAC addresses are added to the secure MAC address table as secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.
  • Page 227: Configuration Task List

    In this mode, the port performs 802.1X authentication first. By default, if 802.1X authentication fails, MAC authentication is performed. However, the port in this mode processes authentication differently when the following conditions exist: The port is enabled with parallel processing of MAC authentication and 802.1X authentication.
  • Page 228: Setting Port Security's Limit On The Number Of Secure MAC Addresses On A Port

    When port security is enabled, you cannot enable 802.1X or MAC authentication, or change the access control mode or port authorization state. Port security automatically modifies these settings in different security modes. To enable port security: Step: Enter system view. Command: system-view. Step: Enable port security. Remarks: By default, port security is ...
  • Page 229: Setting The Port Security Mode

    Step Command Remarks that port security allows on a port. If you use the vlan keyword without the vlan-id-list argument, this command sets the maximum number of secure MAC addresses for each VLAN on the port. If you use the vlan keyword with the vlan-id-list argument, this command sets the maximum number of secure MAC addresses...
  • Page 230: Configuring Port Security Features

    Step Command Remarks oui-value This command is required for the userlogin-withoui mode. You can set multiple OUIs, but when the port security mode is userlogin-withoui, the port allows one 802.1X user and only one user that matches one of the specified OUIs.
  • Page 231: Configuring Intrusion Protection

    Configuring intrusion protection Intrusion protection enables a device to take one of the following actions in response to illegal frames: • blockmac—Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards the frames. All subsequent frames sourced from a blocked MAC address are dropped.
  • Page 232: Configuration Prerequisites

    (Table columns: Type; Address sources; Aging mechanism; Can be saved and survive a device reboot?) Sticky MAC addresses. Address sources: • Manually added (by using the port-security mac-address security ... command). Aging mechanism: By default, sticky MAC addresses do not age out. However, you can configure an aging timer or use the aging timer together with the inactivity aging feature to remove old sticky MAC ...
  • Page 233: Ignoring Authorization Information From The Server

    Step Command Remarks ... interface-number vlan vlan-id • In Layer 2 Ethernet interface view: a. interface interface-type interface-number b. port-security mac-address security [ sticky ] mac-address vlan vlan-id c. ... Remarks: In a VLAN, a MAC address cannot be specified as both a static secure MAC address and a sticky MAC address.
  • Page 234: Enabling The Authorization-Fail-Offline Feature

    Step Command Remarks Enable MAC move: port-security mac-move permit. By default, MAC move is disabled. Enabling the authorization-fail-offline feature The authorization-fail-offline feature logs off port security users that fail ACL or user profile authorization. A user fails ACL or user profile authorization in the following situations: •...
  • Page 235: Enabling Snmp Notifications For Port Security

    Step Command Remarks • In interface view: a. interface interface-type interface-number b. port-security nas-id-profile profile-name Enabling SNMP notifications for port security Use this feature to report critical port security events to an NMS. For port security event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see the network management and monitoring configuration guide for the device.
  • Page 236 • Be permitted to learn and add MAC addresses as sticky MAC addresses, and set the secure MAC aging timer to 30 minutes. • Stop learning MAC addresses after the number of secure MAC addresses reaches 64. If any frame with an unknown MAC address arrives, intrusion protection starts, and the port shuts down and stays silent for 30 seconds.
  • Page 237 Mac-auth-logoff trap : Disabled OUI value list Index : Value : 123401 Ten-GigabitEthernet1/0/1 is link-up Port mode : autoLearn NeedToKnow mode : Disabled Intrusion protection mode : DisablePortTemporarily Security MAC address attribute Learning mode : Sticky Aging type : Periodical Max secure MAC addresses : 64 Current secure MAC addresses...
  • Page 238: Userloginwithoui Configuration Example

    userLoginWithOUI configuration example Network requirements As shown in Figure 76, a client is connected to the device through Ten-GigabitEthernet 1/0/1. The device authenticates the client with a RADIUS server in ISP domain sun. If the authentication succeeds, the client is authorized to access the Internet. •...
  • Page 239: Configure Port Security

    [Device] domain sun [Device-isp-sun] authentication lan-access radius-scheme radsun [Device-isp-sun] authorization lan-access radius-scheme radsun [Device-isp-sun] accounting lan-access radius-scheme radsun [Device-isp-sun] quit Configure 802.1X: # Set the 802.1X authentication method to CHAP. By default, the authentication method for 802.1X is CHAP. [Device] dot1x authentication-method chap # Specify ISP domain sun as the mandatory authentication domain for 802.1X users on Ten-GigabitEthernet 1/0/1.
  • Page 240: Macaddresselseuserloginsecure Configuration Example

    Index : Value : 123402 Index : Value : 123403 Index : Value : 123404 Index : Value : 123405 Ten-GigabitEthernet1/0/1 is link-up Port mode : userLoginWithOUI NeedToKnow mode : Disabled Intrusion protection mode : NoAction Security MAC address attribute Learning mode : Sticky Aging type...
  • Page 241 Figure 77 Network diagram Configuration procedure Make sure the host and the RADIUS server can reach each other. Configure RADIUS authentication/accounting and ISP domain settings. (See "userLoginWithOUI configuration example.") Configure port security: # Enable port security. <Device> system-view [Device] port-security enable # Use MAC-based accounts for MAC authentication.
  • Page 242 NAS-ID profile : Not configured Dot1x-failure trap : Disabled Dot1x-logon trap : Disabled Dot1x-logoff trap : Disabled Intrusion trap : Disabled Address-learned trap : Disabled Mac-auth-failure trap : Disabled Mac-auth-logon trap : Disabled Mac-auth-logoff trap : Disabled OUI value list Ten-GigabitEthernet1/0/1 is link-up Port mode : macAddressElseUserLoginSecure...
  • Page 243 Guest VLAN auth-period : 30 s Critical VLAN : Not configured Critical voice VLAN : Disabled Host mode : Single VLAN Offline detection : Enabled Authentication order : Default Max online users : 4294967295 Authentication attempts : successful 3, failed 7 Current online users MAC address Auth state...
  • Page 244: Troubleshooting Port Security

    Re-auth server-unreachable : Logoff Max online users : 4294967295 Add Guest VLAN delay : Disabled User IP freezing : Disabled Reauth period : 60 s Send Packets Without Tag : Disabled Max Attempts Fail Number EAPOL packets: Tx 16331, Rx 102 Sent EAP Request/Identity packets : 16316 EAP Request/Challenge packets: 6 EAP Success packets: 4...
  • Page 245 Analysis No secure MAC address can be configured on a port operating in a port security mode other than autoLearn. Solution To resolve the problem: Set the port security mode to autoLearn. [Device-Ten-GigabitEthernet1/0/1] undo port-security port-mode [Device-Ten-GigabitEthernet1/0/1] port-security max-mac-count 64 [Device-Ten-GigabitEthernet1/0/1] port-security port-mode autolearn [Device-Ten-GigabitEthernet1/0/1] port-security mac-address security 1-1-2 vlan 1 If the problem persists, contact Hewlett Packard Enterprise Support.
  • Page 246: Configuring User Profiles

    Configuring user profiles Overview A user profile saves a set of predefined parameters, such as a CAR policy or a QoS policy. The user profile application allows flexible traffic policing on a per-user basis. Each time a user passes authentication, the device automatically applies the parameters in the user profile to this user.
  • Page 247: Displaying And Maintaining User Profiles

    Displaying and maintaining user profiles Execute display commands in any view. Task Command Display configuration and online user information for the specified user profile or all user profiles: display user-profile [ name profile-name ] [ slot slot-number ]. User profile configuration example Network requirements As shown in Figure...
  • Page 248 # Create a traffic behavior named for_usera, and configure the deny action. [Device] traffic behavior for_usera [Device-behavior-for_usera] filter deny [Device-behavior-for_usera] quit # Create a QoS policy named for_usera, and associate traffic class for_usera and traffic behavior for_usera in the QoS policy. [Device] qos policy for_usera [Device-qospolicy-for_usera] classifier for_usera behavior for_usera [Device-qospolicy-for_usera] quit...
  • Page 249 # Create a user profile named userc. [Device] user-profile userc # Apply QoS policy for_userc to the outbound direction of user profile userc. [Device-user-profile-userc] qos apply policy for_userc outbound [Device-user-profile-userc] quit Configure local users: # Create a local user named usera. [Device] local-user usera class network New local user added.
  • Page 250: Verifying The Configuration

    # Enable MAC-based access control on the port. By default, a port uses MAC-based access control. [Device-Ten-GigabitEthernet1/0/1] dot1x port-method macbased [Device-Ten-GigabitEthernet1/0/1] quit # Enable 802.1X globally. [Device] dot1x Verifying the configuration # Verify that the three users can pass 802.1X authentication and that QoS policies take effect on these users.
  • Page 252: Configuring Password Control

    Configuring password control Overview Password control allows you to implement the following features: • Manage login and super password setup, expirations, and updates for device management users. • Control user login status based on predefined policies. Local users are divided into two types: device management users and network access users. This feature applies only to device management users.
  • Page 253: Password Updating And Expiration

    (Table continued, columns: Character name; Symbol) Underscore; Vertical bar. Depending on the system's security requirements, you can set the minimum number of character types a password must contain and the minimum number of characters for each type, as shown in Table 20. Table 20 Password composition policy Password combination Minimum number of...
  • Page 254: User Login Control

    Telnet users, SSH users, and console users can change their own passwords. The administrator must change passwords for FTP users. Early notice on pending password expiration When a user logs in, the system checks whether the password will expire in a time equal to or less than the specified notification period.
  • Page 255: Password Not Displayed In Any Form

    • Disables the user account for a period of time. The user can use the account to log in when either of the following conditions exists: The locking timer expires. The account is manually removed from the password control blacklist before the locking timer expires.
  • Page 256: Enabling Password Control

    Tasks at a glance (Optional.) Setting local user password control parameters (Optional.) Setting super password control parameters Enabling password control To successfully enable the global password control feature and allow device management users to log in to the device, the device must have sufficient storage space. Enabling the global password control feature is the prerequisite for all password control configurations to take effect.
  • Page 257: Setting User Group Password Control Parameters

    Step Command Remarks Enter system view: system-view. Set the password expiration time: password-control aging aging-time. The default setting is 90 days. Set the minimum password update interval: password-control update interval interval. The default setting is 24 hours. Set the minimum password length: ... • In non-FIPS mode, the default setting is 10 characters.
  • Page 258: Setting Local User Password Control Parameters

    Step Command Remarks ... configure a user group, see "Configuring AAA." Configure the password expiration time for the user group: password-control aging aging-time. By default, the password expiration time of the user group equals the global password expiration time. Configure the minimum password length for the user group: ... By default, the minimum password length of the user group...
  • Page 259: Setting Super Password Control Parameters

    Step Command Remarks ... global settings apply to the local user. Configure the password complexity checking policy for the local user: password-control complexity { same-character | user-name } ... By default, the settings equal those for the user group to which the local user belongs. If no password complexity checking ...
  • Page 260: Password Control Configuration Example

    Task Command Display password control configuration: display password-control [ super ]. Display information about users in the password control blacklist: display password-control blacklist [ user-name user-name | ip ipv4-address | ipv6 ipv6-address ]. Delete users from the password control blacklist: reset password-control blacklist [ user-name ...
  • Page 261 # Disable a user account permanently if a user fails two consecutive login attempts on the user account. [Sysname] password-control login-attempt 2 exceed lock # Set all passwords to expire after 30 days. [Sysname] password-control aging 30 # Globally set the minimum password length to 16 characters. [Sysname] password-control length 16 # Set the minimum password update interval to 36 hours.
  • Page 262: Verifying The Configuration

    Verifying the configuration # Display the global password control configuration. <Sysname> display password-control Global password control configurations: Password control: Enabled Password aging: Enabled (30 days) Password length: Enabled (16 characters) Password composition: Enabled (4 types, 4 characters per type) Password history: Enabled (max history record:4) Early notice on password expiration: 7 days...
  • Page 263: Configuring Keychains

    Configuring keychains Overview A keychain, a sequence of keys, provides dynamic authentication to ensure secure communication by periodically changing the key and authentication algorithm without service interruption. Each key in a keychain has a key string, authentication algorithm, sending lifetime, and receiving lifetime.
  • Page 264: Displaying And Maintaining Keychain

    Step Command Remarks ... device. (Optional.) Set a tolerance time for accept keys in the keychain: accept-tolerance { value | infinite }. By default, no tolerance time is configured for accept keys in a keychain. Create a key and enter key view: key key-id. By default, no keys exist.
  • Page 265: Configuring Switch B

    <SwitchA> system-view [SwitchA] ospf 1 router-id 1.1.1.1 [SwitchA-ospf-1] area 0 [SwitchA-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255 [SwitchA-ospf-1-area-0.0.0.0] quit [SwitchA-ospf-1] quit # Create a keychain named abc, and specify the absolute time mode for it. [SwitchA] keychain abc mode absolute # Create key 1 for keychain abc, specify an authentication algorithm, and configure a key string and the sending and receiving lifetimes for the key.
  • Page 266: Verifying The Configuration

    [SwitchB-keychain-abc-key-1] accept-lifetime utc 10:00:00 2015/02/06 to 11:00:00 2015/02/06 [SwitchB-keychain-abc-key-1] quit # Create key 2 for keychain abc, specify an authentication algorithm, and configure a key string and the sending and receiving lifetimes for the key. [SwitchB-keychain-abc] key 2 [SwitchB-keychain-abc-key-2] authentication-algorithm hmac-md5 [SwitchB-keychain-abc-key-2] key-string plain pwd123 [SwitchB-keychain-abc-key-2] send-lifetime utc 11:00:00 2015/02/06 to 12:00:00 2015/02/06 [SwitchB-keychain-abc-key-2] accept-lifetime utc 11:00:00 2015/02/06 to 12:00:00...
  • Page 267 Send status : Inactive Accept lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06 Accept status : Inactive # Display keychain information on Switch B. The output shows that key 1 is the valid key. [SwitchB]display keychain Keychain name : abc Mode : absolute Accept tolerance TCP kind value...
  • Page 268 Key ID Key string : $c$3$dYTC8QeOKJkwFwP2k/rWL+1p6uMTw3MqNg== Algorithm : md5 Send lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06 Send status : Inactive Accept lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06 Accept status : Inactive Key ID Key string : $c$3$7TSPbUxoP1ytOqkdcJ3K3x0BnXEWl4mOEw== Algorithm : hmac-md5 Send lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06...
  • Page 269: Managing Public Keys

    Managing public keys Overview This chapter describes public key management for the following asymmetric key algorithms: • Rivest-Shamir-Adleman Algorithm (RSA). • Digital Signature Algorithm (DSA). • Elliptic Curve Digital Signature Algorithm (ECDSA). Many security applications, including SSH, SSL, and PKI, use asymmetric key algorithms to secure communications between two parties, as shown in Figure 80.
  • Page 270 • When you create an RSA or DSA key pair, enter an appropriate key modulus length at the prompt. The longer the key modulus length, the higher the security and the longer the key generation time. When you create an ECDSA key pair, choose the appropriate elliptic curve. The elliptic curve determines the ECDSA key length.
  • Page 271: Distributing A Local Host Public Key

    Distributing a local host public key For applications such as SSH, you must distribute a local host public key to a peer device so the peer device can perform the following operations: • Use the public key to encrypt information sent to the local device. •...
  • Page 272: Destroying A Local Key Pair

    Task Command Display local DSA public keys. display public-key local dsa public [ name key-name ] NOTE: Do not distribute the RSA server public key serverkey (default) to a peer device. Destroying a local key pair To avoid key compromise, destroy the local key pair and generate a new pair after any of the following conditions occurs: •...
  • Page 273: Entering A Peer Host Public Key

    Entering a peer host public key Before you perform this task, make sure you have displayed the key on the peer device and recorded the key. For information about displaying a host public key, see "Displaying a host public key." Use the display public-key local public command to display the public key on the peer device.
  • Page 274 Figure 81 Network diagram Device A Device B Configuration procedure Configure Device A: # Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits. <DeviceA> system-view [DeviceA] public-key local create rsa The range of public key modulus is (512 ~ 2048).
  • Page 275: Example For Importing A Public Key From A Public Key File

    [DeviceB-pkey-public-key-devicea]30819F300D06092A864886F70D010101050003818D003081 2818100DA3B90F59237347B [DeviceB-pkey-public-key-devicea]8D41B58F8143512880139EC9111BFD31EB84B6B7C7A14700 C8F04A827B30C2CAF79242E [DeviceB-pkey-public-key-devicea]45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A744 88EC54A5D31EFAE4F681257 [DeviceB-pkey-public-key-devicea]6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F B1F2D561BF66EA27DFD4788 [DeviceB-pkey-public-key-devicea]CB47440AF6BB25ACA50203010001 # Save the public key and return to system view. [DeviceB-pkey-public-key-devicea] peer-public-key end Verifying the configuration # Verify that the peer host public key configured on Device B is the same as the key displayed on Device A.
  • Page 276 # Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits. <DeviceA> system-view [DeviceA] public-key local create rsa The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 277 Connected to 10.1.1.1 (10.1.1.1). 220 FTP service ready. User(10.1.1.1:(none)):ftp 331 Password required for ftp. Password: 230 User logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> binary 200 TYPE is now 8-bit binary ftp> get devicea.pub 227 Entering Passive Mode (10,1,1,1,118,252) 150 Accepted data connection 226 File successfully transferred...
  • Page 278: Configuring Pki

    Configuring PKI Overview Public Key Infrastructure (PKI) is an asymmetric key infrastructure to encrypt and decrypt data for securing network services. Data encrypted with the public key can be decrypted only with the private key. Likewise, data encrypted with the private key can be decrypted only with the public key. PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity.
  • Page 279: Pki Architecture

    • The association between the subject and CA is changed. For example, when an employee terminates employment with an organization. CA policy A CA policy is a set of criteria that a CA follows to process certificate requests, to issue and revoke certificates, and to publish CRLs.
  • Page 280: Pki Applications

    The RA verifies the identity of the entity and sends a digital signature containing the identity information and the public key to the CA. The CA verifies the digital signature, approves the request, and issues a certificate. After receiving the certificate from the CA, the RA sends the certificate to the certificate repositories and notifies the PKI entity that the certificate has been issued.
  • Page 281: Configuring A Pki Entity

    Configuring a PKI entity A certificate applicant uses an entity to provide its identity information to a CA. A valid PKI entity must include one or more of the following identity categories: • Distinguished name (DN) of the entity, which further includes the common name, country code, locality, organization, unit in the organization, and state.
  • Page 282 • If the CA certificate is imported or obtained through manual certificate request, the device automatically compares the configured fingerprint with the fingerprint in the CA certificate. If the two fingerprints do not match, the device rejects the CA certificate, and the certificate import or request fails.
  • Page 283: Requesting A Certificate

    Step Command Remarks ... [ length key-length ] | signature name signature-key-name [ length key-length ] } * | general name key-name [ length key-length ] } Remarks: If the specified key pair does not exist, the PKI entity automatically creates the key pair before submitting a certificate request.
  • Page 284: Configuration Guidelines

    Configuration guidelines The following guidelines apply to certificate requests for an entity in a PKI domain: • Make sure the device is time synchronized with the CA server. If the device is not time synchronized with the CA server, the certificate request might fail because the certificate might be considered to be outside of its validity period.
  • Page 285: Manually Requesting A Certificate

    Manually requesting a certificate Before you manually submit a certificate request, make sure the CA certificate exists and a key pair is specified for the PKI domain. • The CA certificate is used to verify the authenticity and validity of the obtained local certificate. •...
  • Page 286: Configuration Prerequisites

    • In offline mode, obtain the certificates by an out-of-band means like FTP, disk, or email, and then import them locally. Use this mode when the CRL repository is not specified, the CA server does not support SCEP, or the CA server generates the key pair for the certificates. •...
  • Page 287: Verifying Pki Certificates

    Verifying PKI certificates A certificate is automatically verified when it is requested, obtained, or used by an application. If the certificate expires, if it is not issued by a trusted CA, or if it is revoked, the certificate cannot be used. You can also manually verify a certificate.
  • Page 288: Verifying Certificates Without Crl Checking

    Step Command Remarks ... and save it locally: ... domain-name. Remarks: ... the old one, if any. The obtained CRL must be issued by a CA certificate in the CA certificate chain in the current domain. Manually verify the validity of the certificates: pki validate-certificate domain domain-name { ca | local }. Verifying certificates without CRL checking Step...
  • Page 289: Exporting Certificates

    Exporting certificates IMPORTANT: To export all certificates in PKCS12 format, the PKI domain must have a minimum of one local certificate. If the PKI domain does not have any local certificates, the certificates in the PKI domain cannot be exported. You can export the CA certificate and the local certificates in a PKI domain to certificate files.
  • Page 290: Configuring A Certificate-Based Access Control Policy

    Step Command Remarks number, this command removes all peer certificates. Configuring a certificate-based access control policy Certificate-based access control policies allow you to authorize access to a device (for example, an HTTPS server) based on the attributes of an authenticated client's certificate. A certificate-based access control policy is a set of access control rules (permit or deny statements), each associated with a certificate attribute group.
  • Page 291: Displaying And Maintaining Pki

    Step Command Remarks ... policy. Displaying and maintaining PKI Execute display commands in any view. Task Command Display the contents of a certificate: display pki certificate domain domain-name { ca | local | peer [ serial serial-num ] }. Display certificate request status: display pki certificate request-status [ domain domain-name ].
  • Page 292 You can use the default values for other attributes. Configure extended attributes: Configure parameters in the Jurisdiction Configuration section on the management page of the CA server: Select the correct extension profiles. Enable the SCEP autovetting function to enable the CA server to automatically approve certificate requests without manual intervention.
  • Page 293 [Device] pki retrieve-certificate domain torsa ca The trusted CA's finger print is: fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8 Is the finger print correct?(Y/N):y Retrieved the certificates successfully. # Submit a certificate request manually and set the certificate revocation password to 1111.
  • Page 294: Requesting A Certificate From A Windows Server 2003 Ca Server

    (Remainder of the certificate signature value omitted.) To display detailed information about the CA certificate, use the display pki certificate domain command. Requesting a certificate from a Windows Server 2003 CA server Network requirements Configure the PKI entity (the device) to request a local certificate from a Windows Server 2003 CA server.
  • Page 295 d. Specify the path for certificate service in the Local path box. e. Specify a unique TCP port number for the default website to avoid conflict with existing services. In this example, port 8080 is used. Configuring the device Synchronize the device's system time with the CA server for the device to correctly request certificates.
  • Page 296 [Device] pki request-certificate domain winserver Start to request the general certificate ... … Request certificate of domain winserver successfully Verifying the configuration # Display information about the local certificate in PKI domain winserver. [Device] display pki certificate domain winserver local Certificate: Data: Version: 3 (0x2)
  • Page 297: Requesting A Certificate From An Openca Server

    keyid:32:F1:40:BA:9E:F1:09:81:BD:A8:49:66:FF:F8:AB:99:4A:30:21:9 X509v3 CRL Distribution Points: Full Name: URI:file://\\g07904c\CertEnroll\sec.crl Authority Information Access: CA Issuers - URI:http://gc/CertEnroll/gc_sec.crt CA Issuers - URI:file://\\gc\CertEnroll\gc_sec.crt 1.3.6.1.4.1.311.20.2: .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e Signature Algorithm: sha1WithRSAEncryption (signature value omitted) To display detailed information about the CA certificate, use the display pki certificate domain command.
  • Page 298 Make sure the version of the OpenCA server is later than version 0.9.2 because the earlier versions do not support SCEP. Configuring the device Synchronize the device's system time with the CA server for the device to correctly request certificates. (Details not shown.) Create a PKI entity named aaa and configure the common name, country code, organization name, and OU for the entity.
  • Page 299 # Submit a certificate request manually. [Device] pki request-certificate domain openca Start to request the general certificate ... … Request certificate of domain openca successfully Verifying the configuration # Display information about the local certificate in PKI domain openca. [Device] display pki certificate domain openca local Certificate: Data: Version: 3 (0x2)
  • Page 300: Certificate-Based Access Control Policy Configuration Example

    X509v3 Authority Key Identifier: keyid:85:EB:D5:F7:C9:97:2F:4B:7A:6D:DD:1B:4D:DD:00:EE:53:CF:FD:5B X509v3 Issuer Alternative Name: DNS:root@docm.com, DNS:, IP Address:192.168.154.145, IP Address:192.168.154.138 Authority Information Access: CA Issuers - URI:http://192.168.222.218/pki/pub/cacert/cacert.crt OCSP - URI:http://192.168.222.218:2560/ 1.3.6.1.5.5.7.48.12 - URI:http://192.168.222.218:830/ X509v3 CRL Distribution Points: Full Name: URI:http://192.168.222.218/pki/pub/crl/cacrl.crl Signature Algorithm: sha256WithRSAEncryption (signature value omitted)...
  • Page 301 Figure 87 Network diagram Configuration procedure Create PKI domain domain1 to be used by SSL. (Details not shown.) Request an SSL server certificate for the device from the CA server. (Details not shown.) Configure the HTTPS server: # Configure an SSL server policy named abc. <Device>...
  • Page 302: Certificate Import And Export Configuration Example

    # Define a statement to permit the certificates that match the attribute rules in certificate attribute group mygroup2. [Device-pki-cert-acp-myacp] rule 2 permit mygroup2 [Device-pki-cert-acp-myacp] quit Verifying the configuration # On the host, access the HTTPS server through a Web browser. The server first verifies the validity of the host's certificate according to the configured certificate-based access control policy.
  • Page 303 Now, Device A has three certificate files in PEM format: A CA certificate file named pkicachain.pem. A local certificate file named pkilocal.pem-signature, which contains the private key for signature. A local certificate file named pkilocal.pem-encryption, which contains the private key for encryption.
  • Page 304 Upload the certificate files pkicachain.pem, pkilocal.pem-sign, and pkilocal.pem-encr from the host to Device B through FTP. (Details not shown.) Import the certificate files to Device B: # Disable CRL checking. (You can configure CRL checking as required. This example assumes CRL checking is not required.) <DeviceB>...
  • Page 305 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME X509v3 Key Usage: Digital Signature, Non Repudiation X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin Netscape Comment: User Certificate of OpenCA Labs X509v3 Subject Key Identifier: AA:45:54:29:5A:50:2B:89:AB:06:E5:BD:0D:07:8C:D9:79:35:B1:F5 X509v3 Authority Key Identifier:...
  • Page 306 Certificate: Data: Version: 3 (0x2) Serial Number: 08:7c:67:01:5c:b3:5a:12:0f:2f Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=docm, CN=subca1 Validity Not Before: May 26 05:58:26 2011 GMT Not After : Nov 22 05:58:26 2012 GMT Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subencr 11 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit)
  • Page 307: Troubleshooting Pki Configuration

    X509v3 CRL Distribution Points: Full Name: URI:http://192.168.40.130/pki/pub/crl/cacrl.crl Signature Algorithm: sha256WithRSAEncryption To display detailed information about the CA certificate, use the display pki certificate domain command. Troubleshooting PKI configuration This section provides troubleshooting information for common problems with PKI.
  • Page 308: Failed To Obtain Local Certificates

    Specify the correct source IP address for PKI protocol packets that the CA server can accept. Verify the CA certificate's fingerprint on the CA server. If the problem persists, contact Hewlett Packard Enterprise Support. Failed to obtain local certificates Symptom No local certificates can be obtained.
  • Page 309: Failed To Obtain Crls

    • The required parameters are not configured for the PKI entity or are mistakenly configured. • No key pair is specified for the PKI domain for certificate request, or the key pair is changed during a certificate request process. • Exclusive certificate request applications are running in the PKI domain.
  • Page 310: Failed To Import The Ca Certificate

    Obtain or import the CA certificate. If the URL of the CRL repository cannot be obtained, verify that the following conditions exist: The URL for certificate request is valid. A local certificate has been successfully obtained. The local certificate contains a public key that matches the locally stored key pair. Make sure the LDAP server address is contained in the CRL repository URL, or is configured in the PKI domain.
  • Page 311: Failed To Export Certificates

    Make sure the certificate file contains the private key. Make sure the certificate is not revoked. Make sure the certificate is valid. Configure the correct system time for the device. If the problem persists, contact Hewlett Packard Enterprise Support. Failed to export certificates Symptom Certificates cannot be exported.
  • Page 312: Configuring Ipsec

    Configuring IPsec Overview IP Security (IPsec) is defined by the IETF to provide interoperable, high-quality, cryptography-based security for IP communications. It is a Layer 3 VPN technology that transmits data in a secure channel established between two endpoints (such as two security gateways). Such a secure channel is usually called an IPsec tunnel.
  • Page 313 algorithms such as DES, 3DES, and AES, and authentication algorithms HMAC-MD5 and HMAC-SHA1. Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger. In practice, you can choose either or both security protocols. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH.
  • Page 314: Security Association

    Security association A security association (SA) is an agreement negotiated between two communicating parties called IPsec peers. An SA includes the following parameters for data protection: • Security protocols (AH, ESP, or both). • Encapsulation mode (transport mode or tunnel mode). •...
  • Page 315: Ipsec Implementation

    • AES—Encrypts plaintext data with a 128-bit, 192-bit, or 256-bit key. AES provides the highest security strength and is slower than 3DES. IPsec implementation To implement IPsec protection for packets between two peers, complete the following tasks on each peer: •...
  • Page 316: Protocols And Standards

    In one-to-many communication scenarios, you must configure the IPsec SAs for an IPv6 routing protocol in manual mode because of the following reasons: • The automatic key exchange mechanism is used only to protect communications between two points. In one-to-many communication scenarios, automatic key exchange cannot be implemented.
  • Page 317: Configuring An Acl

    Configure an ACL for identifying data flows to be protected. To use IPsec to protect VPN traffic, you do not need to specify the VPN parameters in the ACL rules. Configure IPsec transform sets to specify the security protocols, authentication and encryption algorithms, and the encapsulation mode.
  • Page 318: Configuring An Ipsec Transform Set

    Non-IPsec packets that match a permit statement are dropped. IPsec packets destined for the device itself are de-encapsulated. By default, the de-encapsulated packets are compared against the ACL rules. Only those that match a permit statement are processed. Other packets are dropped. If ACL checking for de-encapsulated IPsec packets is disabled, the de-encapsulated packets are not compared against the ACL rules and are directly processed by other modules.
  • Page 319 Step Command Remarks Command: ...camellia-cbc-256 | des-cbc | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 | null } * Remarks: ...example, you can specify the ESP-specific security algorithms only when you select ESP or AH-ESP as the security protocol. •...
  • Page 320: Configuring A Manual Ipsec Policy

    Step Command Remarks Number (ESN) feature. Configuring a manual IPsec policy In a manual IPsec policy, the parameters are configured manually, such as the keys, the SPIs, and the IP addresses of the two ends in tunnel mode. Configuration restrictions and guidelines When you configure a manual IPsec policy, make sure the IPsec configuration at both ends of the IPsec tunnel meets the following requirements: •...
  • Page 321: Configuring An Ike-Based Ipsec Policy

    Step Command Remarks ...IPsec tunnel is the first IPv6 address of the interface to which the IPsec policy is applied. Step: Configure an SPI for the ... Command: • To configure an SPI for the inbound IPsec SA: sa spi inbound { ah | esp } spi-number Remarks: By default, no SPI is configured for the inbound or outbound...
  • Page 322 • The IPsec policies at the two tunnel ends must have IPsec transform sets that use the same security protocols, security algorithms, and encapsulation mode. • The IPsec policies at the two tunnel ends must have the same IKE profile parameters. •...
  • Page 323 Step Command Remarks ...as the IP address used as the local IKE identity. Step: Specify the remote IP address of the IPsec tunnel. Command: remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address } Remarks: By default, the remote IP address of the IPsec tunnel is not specified.
  • Page 324 Step Command Remarks ...policy template. Step: Specify an IKE profile for the IPsec policy. Command: ike-profile profile-name Remarks: By default, no IKE profile is specified for the IPsec policy template. You can specify only one IKE profile for an IPsec policy template and the IKE profile cannot be used by another IPsec policy template or IPsec policy.
  • Page 325: Applying An Ipsec Policy To An Interface

    Applying an IPsec policy to an interface You can apply an IPsec policy to an interface to protect certain data flows. To cancel the IPsec protection, remove the application of the IPsec policy. For each packet to be sent out of an interface to which an IPsec policy is applied, the interface looks through the IPsec policy entries in the IPsec policy in ascending order of sequence numbers.
  • Page 326: Configuring Ipsec Anti-Replay

    Configuring IPsec anti-replay IPsec anti-replay protects networks against replay attacks by using a sliding window mechanism called the anti-replay window. This feature checks the sequence number of each received IPsec packet against the current IPsec packet sequence number range of the sliding window. If the sequence number is not in the current sequence number range, the packet is considered a replayed packet and is discarded.
  • Page 327: Binding A Source Interface To An Ipsec Policy

    Step Command Remarks Step: Enter system view. Command: system-view Step: Enable IPsec redundancy. Command: ipsec redundancy enable Remarks: By default, IPsec redundancy is disabled. Step: Enter IPsec policy view or ... Command: • Enter IPsec policy view: ipsec { policy | ipv6-policy } policy-name seq-number [ isakmp | manual ] •...
  • Page 328: Enabling Qos Pre-Classify

    Enabling QoS pre-classify CAUTION: If you configure both IPsec and QoS on an interface, make sure the IPsec traffic classification rules match the QoS traffic classification rules. If the rules do not match, QoS might classify the packets of one IPsec SA to different queues, causing packets to be sent out of order. When IPsec anti-replay is enabled, IPsec will drop the incoming packets that are out of the anti-replay window, resulting in packet loss.
  • Page 329: Configuring Ipsec For Ipv6 Routing Protocols

    • copy—Copies the DF bit in the original IP header to the new IP header. You can configure the DF bit in system view and interface view. The interface-view DF bit setting takes precedence over the system-view DF bit setting. If the interface-view DF bit setting is not configured, the interface uses the system-view DF bit setting.
  • Page 330: Configuring A Manual Ipsec Profile

    Configuring a manual IPsec profile A manual IPsec profile is similar to a manual IPsec policy. The difference is that an IPsec profile is uniquely identified by a name and it does not support ACL configuration. A manual IPsec profile specifies the IPsec transform set used for protecting data flows, and the SPIs and keys used by the SAs.
  • Page 331: Configuring Snmp Notifications For Ipsec

    Step Command Remarks sa hex-key authentication { inbound | outbound } esp { cipher | simple } string • Configure an encryption key in hexadecimal format for ESP: sa hex-key encryption { inbound | outbound } esp { cipher | simple } string Configuring SNMP notifications for IPsec After you enable SNMP notifications for IPsec, the IPsec module notifies the NMS of important module events.
  • Page 332: Setting The Maximum Number Of Ipsec Tunnels

    Step Command Remarks Step: Enter system view. Command: system-view Step: Configure IPsec fragmentation. Command: ipsec fragmentation { after-encryption | before-encryption } Remarks: By default, the device fragments packets before IPsec encapsulation. Setting the maximum number of IPsec tunnels Perform this task to limit the maximum number of IPsec tunnels that can be established. Set the limit according to the memory usage.
  • Page 333: Ipsec Configuration Examples

    IPsec configuration examples Configuring a manual mode IPsec tunnel for IPv4 packets Network requirements As shown in Figure 92, establish an IPsec tunnel between Switch A and Switch B to protect data flows between the switches. Configure the tunnel as follows: •...
  • Page 334 # Configure inbound and outbound SPIs for ESP. [SwitchA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345 [SwitchA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321 # Configure the inbound and outbound SA keys for ESP. [SwitchA-ipsec-policy-manual-map1-10] sa string-key outbound esp simple abcdefg [SwitchA-ipsec-policy-manual-map1-10] sa string-key inbound esp simple gfedcba [SwitchA-ipsec-policy-manual-map1-10] quit # Apply IPsec policy map1 to VLAN-interface 1.
  • Page 335: Configuring Ipsec For Ripng

    [SwitchB] interface vlan-interface 1 [SwitchB-Vlan-interface1] ipsec apply policy use1 Verifying the configuration After the configuration is completed, an IPsec tunnel between Switch A and Switch B is established, and the traffic between the switches is IPsec protected. This example uses Switch A to verify the configuration.
  • Page 336 Requirements analysis To meet the network requirements, perform the following tasks: Configure basic RIPng. For more information about RIPng configurations, see Layer 3—IP Routing Configuration Guide. Configure an IPsec profile. The IPsec profiles on all the switches must have IPsec transform sets that use the same security protocol, authentication and encryption algorithms, and encapsulation mode.
  • Page 337 [SwitchB] interface vlan-interface 200 [SwitchB-Vlan-interface200] ripng 1 enable [SwitchB-Vlan-interface200] quit [SwitchB] interface vlan-interface 100 [SwitchB-Vlan-interface100] ripng 1 enable [SwitchB-Vlan-interface100] quit # Create and configure the IPsec transform set named tran1. [SwitchB] ipsec transform-set tran1 [SwitchB-ipsec-transform-set-tran1] encapsulation-mode transport [SwitchB-ipsec-transform-set-tran1] protocol esp [SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128 [SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [SwitchB-ipsec-transform-set-tran1] quit...
  • Page 338 [SwitchC-ipsec-profile-profile001] quit # Apply the IPsec profile to RIPng process 1. [SwitchC] ripng 1 [SwitchC-ripng-1] enable ipsec-profile profile001 [SwitchC-ripng-1] quit Verifying the configuration After the configuration is completed, Switch A, Switch B, and Switch C learn IPv6 routing information through RIPng. IPsec SAs are set up successfully on the switches to protect RIPng packets. This example uses Switch A to verify the configuration.
  • Page 339: Configuring Ike

    Configuring IKE Unless otherwise specified, the term "IKE" in this chapter refers to IKEv1. Overview Built on a framework defined by ISAKMP, Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec. IKE provides the following benefits for IPsec: •...
  • Page 340: Ike Security Mechanism

    Figure 95 IKE exchange process in main mode As shown in Figure 95, the main mode of IKE negotiation in phase 1 involves three pairs of messages: • SA exchange—Used for negotiating the IKE security policy. • Key exchange—Used for exchanging the DH public value and other values, such as the random number.
  • Page 341: Protocols And Standards

    DH algorithm The DH algorithm is a public key algorithm. With this algorithm, two peers can exchange keying material and then use the material to calculate the shared keys. Because deriving the shared keys from the exchanged values is computationally infeasible, a third party cannot recover the keys even after intercepting all the keying material. The Perfect Forward Secrecy (PFS) feature is a security feature based on the DH algorithm.
  • Page 342: Configuring An Ike Profile

    Tasks at a glance Remarks (Optional.) Configuring the global identity information (Optional.) Configuring the IKE keepalive feature (Optional.) Configuring the IKE NAT keepalive feature (Optional.) Configuring IKE DPD (Optional.) Enabling invalid SPI recovery (Optional.) Setting the maximum number of IKE SAs (Optional.) Configuring SNMP notifications for IKE Configuring an IKE profile...
  • Page 343 b. If a tie exists, the device compares the priority numbers. An IKE profile with a smaller priority number has a higher priority. c. If a tie still exists, the device prefers an IKE profile configured earlier. To configure an IKE profile: Step Command Remarks...
  • Page 344: Configuring An Ike Proposal

    Step Command Remarks ...detection. Step: (Optional.) Specify the local interface or IP address to which the IKE profile can be applied. Command: match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance ... Remarks: By default, an IKE profile can be applied to any local interface or IP address.
  • Page 345: Configuring An Ike Keychain

    Step Command Remarks Command: ...{ aes-cbc-128 | aes-cbc-192 | aes-cbc-256 } Remarks: ...proposal uses the 128-bit AES encryption algorithm in CBC mode. Step: Specify an authentication method for the IKE proposal. Command: authentication-method { dsa-signature | pre-share | ... Remarks: By default, an IKE proposal uses the pre-shared key ...
  • Page 346: Configuring The Global Identity Information

    Step Command Remarks Command: ...hostname host-name } key { cipher | simple } string • In FIPS mode: pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } key [ cipher string ]... Remarks: ...configured in plain text, are saved in cipher text to the configuration file.
  • Page 347: Configuring The Ike Nat Keepalive Feature

    Follow these guidelines when you configure the IKE keepalive feature: • Configure IKE DPD instead of IKE keepalive unless IKE DPD is not supported on the peer. The IKE keepalive feature sends keepalives at regular intervals, which consumes network bandwidth and resources. •...
  • Page 348: Enabling Invalid Spi Recovery

    If the local device receives no response after two retries, the device considers the peer to be dead, and deletes the IKE SA along with the IPsec SAs it negotiated. If the local device receives a response from the peer during the detection process, the peer is considered alive.
  • Page 349: Configuring Snmp Notifications For Ike

    • The supported maximum number of established IKE SAs depends on the device's memory space. Adjust the maximum number of established IKE SAs to make full use of the device's memory space without affecting other applications in the system. To set the limit on the number of IKE SAs: Step Command Remarks...
  • Page 350: Ike Configuration Examples

    Task Command remote-address [ vpn-instance vpn-instance-name ] ] ] Display IKE statistics. display ike statistics Delete IKE SAs. reset ike sa [ connection-id connection-id ] Clear IKE MIB statistics. reset ike statistics IKE configuration examples Configuring an IKE-based IPsec tunnel for IPv4 packets Network requirements As shown in Figure...
  • Page 351 # Create an IKE keychain named keychain1. [SwitchA] ike keychain keychain1 # Specify 12345zxcvb!@#$%ZXCVB in plain text as the pre-shared key to be used with the remote peer at 2.2.3.1. [SwitchA-ike-keychain-keychain1] pre-shared-key address 2.2.3.1 255.255.255.0 key simple 12345zxcvb!@#$%ZXCVB [SwitchA-ike-keychain-keychain1] quit # Create and configure an IKE profile named profile1.
  • Page 352: Main Mode Ike With Pre-Shared Key Authentication Configuration Example

    [SwitchB-ipsec-transform-set-tran1] quit # Create an IKE keychain named keychain1. [SwitchB] ike keychain keychain1 # Specify 12345zxcvb!@#$%ZXCVB in plain text as the pre-shared key to be used with the remote peer at 2.2.2.1. [SwitchB-ike-keychain-keychain1] pre-shared-key address 2.2.2.1 255.255.255.0 key simple 12345zxcvb!@#$%ZXCVB [SwitchB-ike-keychain-keychain1] quit # Create and configure an IKE profile named profile1.
  • Page 353 Figure 97 Network diagram Configuration procedure Before the configuration, make sure Switch A and Switch B can reach each other. Configure Switch A: # Assign an IP address to VLAN-interface 1. <SwitchA> system-view [SwitchA] interface vlan-interface 1 [SwitchA-vlan-interface1] ip address 1.1.1.1 255.255.0.0 [SwitchA-vlan-interface1] quit # Configure IPv4 advanced ACL 3101 to identify the traffic between Switch A and Switch B.
  • Page 354 # Specify ACL 3101 to identify the traffic to be protected. [SwitchA-ipsec-policy-isakmp-map1-10] security acl 3101 # Specify IPsec transform set tran1 for the IPsec policy. [SwitchA-ipsec-policy-isakmp-map1-10] transform-set tran1 # Specify IKE profile profile1 for the IPsec policy. [SwitchA-ipsec-policy-isakmp-map1-10] ike-profile profile1 [SwitchA-ipsec-policy-isakmp-map1-10] quit # Apply IPsec policy map1 to VLAN-interface 1.
  • Page 355: Troubleshooting Ike

    # Specify the remote IP address 1.1.1.1 for the IPsec tunnel. [SwitchB-ipsec-policy-isakmp-use1-10] remote-address 1.1.1.1 # Specify ACL 3101 to identify the traffic to be protected. [SwitchB-ipsec-policy-isakmp-use1-10] security acl 3101 # Specify IPsec transform set tran1 for the IPsec policy. [SwitchB-ipsec-policy-isakmp-use1-10] transform-set tran1 # Specify IKE profile profile1 for the IPsec policy.
  • Page 356: Ike Negotiation Failed Because No Ike Proposals Or Ike Keychains Are Specified Correctly

    IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly Symptom The IKE SA is in Unknown state. <Sysname> display ike sa Connection-ID Remote Flag ------------------------------------------------------------------ 192.168.222.5 Unknown IPSEC Flags: RD--READY RL--REPLACED FD-FADING The following IKE event debugging or packet debugging message appeared: IKE event debugging message: Notification PAYLOAD_MALFORMED is received.
  • Page 357: Ipsec Sa Negotiation Failed Due To Invalid Identity Information

    Solution Examine the IPsec configuration to see whether the two ends have matching IPsec transform sets. Modify the IPsec configuration to make sure the two ends have matching IPsec transform sets. IPsec SA negotiation failed due to invalid identity information Symptom The display ike sa command shows that the IKE SA negotiation succeeded and the IKE SA is in RD state, but the display ipsec sa command shows that the expected IPsec SA has not...
  • Page 358 # Verify that the IPsec policy is using an IKE profile. [Sysname] display ipsec policy ------------------------------------------- IPsec Policy: policy1 Interface: vlan-interface 1 ------------------------------------------- ----------------------------- Sequence number: 1 Mode: ISAKMP ----------------------------- Description: Security data flow: 3000 Selector mode: aggregation Local address: 192.168.222.5 Remote address: 192.168.222.71 Transform set: transform1...
  • Page 359 ----------------------------- Security data flow: 3000 Selector mode: aggregation Local address: 192.168.222.5 Remote address: Transform set: transform1 IKE profile: profile1 SA duration(time based): SA duration(traffic based): SA idle time: Solution If the IPsec policy specifies an IKE profile but no matching IKE profile was found in IKE negotiation, perform one of the following tasks on the responder: Remove the specified IKE profile from the IPsec policy.
  • Page 360: Configuring Ikev2

    Configuring IKEv2 Overview Internet Key Exchange version 2 (IKEv2) is an enhanced version of IKEv1. Like IKEv1, IKEv2 has a set of self-protection mechanisms and can be used on insecure networks for reliable identity authentication, key distribution, and IPsec SA negotiation. IKEv2 provides stronger protection against attacks and higher key exchange capability, and needs fewer message exchanges than IKEv1.
  • Page 361: New Features In Ikev2

    New features in IKEv2 DH guessing In the IKE_SA_INIT exchange, the initiator guesses the DH group that the responder is most likely to use and sends it in an IKE_SA_INIT request message. If the initiator's guess is correct, the responder responds with an IKE_SA_INIT response message and the IKE_SA_INIT exchange is finished.
  • Page 362: Configuring An Ikev2 Profile

    • The strength of the algorithms for IKEv2 negotiation, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. Different algorithms provide different levels of protection. A stronger algorithm means better resistance to decryption of protected data but requires more resources. Typically, the longer the key, the stronger the algorithm.
  • Page 363 Specify a local interface or IP address for the IKEv2 profile so the profile can be applied only to the specified interface or IP address. For this task, specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command). If no local address is configured, specify the IP address of the interface that uses the IPsec policy.
  • Page 364 Step Command Remarks Step: Specify a keychain. Command: keychain keychain-name Remarks: By default, no keychain is specified for an IKEv2 profile. Perform this task when the pre-shared key authentication method is specified. Step: Specify a PKI domain. Command: certificate domain domain-name Remarks: By default, the device uses PKI domains configured in system view.
  • Page 365: Configuring An Ikev2 Policy

    Step Command Remarks feature. Configuring an IKEv2 policy During the IKE_SA_INIT exchange, each end tries to find a matching IKEv2 policy, using the IP address of the local security gateway as the matching criterion. • If IKEv2 policies are configured, IKEv2 searches for an IKEv2 policy that uses the IP address of the local security gateway.
  • Page 366 To configure an IKEv2 proposal: Step Command Remarks Enter system view. system-view By default, an IKEv2 proposal named default exists. In non-FIPS mode, the default proposal uses the following settings: • Encryption algorithms AES-CBC-128 and 3DES. • Integrity protection algorithms HMAC-SHA1 and HMAC-MD5.
  • Page 367: Configuring An Ikev2 Keychain

    Step Command Remarks group24 | group5 | group19 | group20 } * In FIPS mode: dh { group14 | group19 | group20 } * Configuring an IKEv2 keychain An IKEv2 keychain specifies the pre-shared keys used for IKEv2 negotiation. An IKEv2 keychain can have multiple IKEv2 peers. Each peer has a symmetric pre-shared key or an asymmetric pre-shared key pair, and information for identifying the peer (such as the peer's host name, IP address or address range, or ID).
  • Page 368: Configure Global Ikev2 Parameters

    Configure global IKEv2 parameters Enabling the cookie challenging feature Enable cookie challenging on responders to protect them against DoS attacks that use a large number of source IP addresses to forge IKE_SA_INIT requests. To enable cookie challenging: Step Command Remarks Enter system view.
  • Page 369: Displaying And Maintaining Ikev2

    Step Command Remarks Step: Set the IKEv2 NAT keepalive interval. Command: ikev2 nat-keepalive seconds Remarks: By default, the IKEv2 NAT keepalive interval is 10 seconds. Displaying and maintaining IKEv2 Execute display commands in any view and reset commands in user view. Task Command Display the IKEv2 proposal configuration.
  • Page 370: Ipsec Sa Negotiation Failed Because No Matching Ipsec Transform Sets Were Found

    IPsec SA negotiation failed because no matching IPsec transform sets were found Symptom The display ikev2 sa command shows that the IKEv2 SA negotiation succeeded and the IKEv2 SA is in EST status. The display ipsec sa command shows that the expected IPsec SAs have not been negotiated yet.
  • Page 371: Configuring Ssh

    Configuring SSH Overview Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. SSH uses the typical client-server model to establish a channel for secure data transfer based on TCP.
  • Page 372: Ssh Authentication Methods

    Stages Description • Key exchange algorithm for generating session keys. • Encryption algorithm for encrypting data. • Public key algorithm for the digital signature and authentication. • HMAC algorithm for protecting data integrity. The two parties use the DH exchange algorithm to dynamically generate the session keys and session ID.
  • Page 373: Ssh Support For Suite B

    Publickey authentication The server authenticates a client by verifying the digital signature of the client. The publickey authentication process is as follows: The client sends the server a publickey authentication request that includes the username, public key, and public key algorithm name. If the digital certificate of the client is required in authentication, the client also encapsulates the digital certificate in the authentication request.
  • Page 374: Configuring The Device As An Ssh Server

    Configuring the device as an SSH server SSH server configuration task list Tasks at a glance Remarks (Required.) Generating local key pairs (Required.) Enabling the Stelnet server Required only for Stelnet servers. (Required.) Enabling the SFTP server Required only for SFTP servers. (Required.) Enabling the SCP server Required only for SCP servers.
  • Page 375: Enabling The Stelnet Server

    • To support SSH clients that use different types of key pairs, generate DSA, ECDSA, and RSA key pairs on the SSH server. • The SSH server operating in FIPS mode supports only ECDSA and RSA key pairs. Do not generate a DSA key pair on the SSH server.
  • Page 376: Enabling The Scp Server

    Enabling the SCP server After you enable the SCP server on the device, a client can log in to the device through SCP. When acting as an SCP server, the device does not support SCP connections initiated by SSH1 clients. To enable the SCP server: Step Command...
  • Page 377: Configuring A Client's Host Public Key

    Configuring a client's host public key In publickey authentication, the server compares the SSH username and the client's host public key received from the client with the locally saved SSH username and the client's host public key. If they are the same, the server checks the digital signature that the client sends. The client generates the digital signature by using the private key that is paired with the client's host public key.
  • Page 378: Configuring An Ssh User

    Configuring an SSH user Configure an SSH user and a local user depending on the authentication method. • If the authentication method is publickey, you must create an SSH user and a local user on the SSH server. The two users must have the same username, so that the SSH user can be assigned the correct working directory and user role.
  • Page 379: Configuring The Ssh Management Parameters

    Configuration procedure To configure an SSH user, and specify the service type and authentication method: Step Command Step: Enter system view. Command: system-view Step: Create an SSH user, and ... Command: • In non-FIPS mode: ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | { any | password-publickey | publickey } [ assign { pki-domain domain-name | publickey keyname&<1-6>...
  • Page 380: Specifying A Pki Domain For The Ssh Server

    Step Command Remarks Step: Set the DSCP value in the packets that the SSH server sends to the SSH clients. Command: • Set the DSCP value in IPv4 packets: ssh server dscp dscp-value • Set the DSCP value in IPv6 ... Remarks: The default setting is 48. The DSCP value of a packet defines the priority of the packet and affects the transmission ...
  • Page 381: Generating Local Key Pairs

    Generating local key pairs Generate local key pairs on the Stelnet client when the Stelnet server uses the authentication method publickey, password-publickey, or any. Configuration restrictions and guidelines When you generate local key pairs on a Stelnet client, follow these restrictions and guidelines: •...
  • Page 382 • If you choose to continue, the device accesses the server and downloads the server's host public key. • If you choose not to continue, the connection cannot be established. As a best practice, configure the server's host public key on the device in an insecure network. The client cannot establish connections to both IPv4 and IPv6 Stelnet servers.
  • Page 383: Establishing A Connection To An Stelnet Server Based On Suite B

    Task Command Remarks Task: ...connection to an IPv6 Stelnet server. Command: ...vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { dsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 |...
  • Page 384: Configuring the device as an SFTP client

    Command (continued): ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | escape character | source { interface interface-type interface-number | ipv6 ipv6-address } ] *
    Configuring the device as an SFTP client...
  • Page 385: Specifying the source IP address for SFTP packets

    Specifying the source IP address for SFTP packets
    As a best practice, specify the IP address of a loopback interface as the source address of SFTP packets for the following purposes:
    • Ensuring the communication between the SFTP client and the SFTP server.
    •...
  • Page 386
    Command (continued): ... { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ dscp dscp-value | { public-key keyname | server-pki-domain domain-name } | source...
  • Page 387: Establishing a connection to an SFTP server based on Suite B

    Command (continued): ... vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 |...
  • Page 388: Working with SFTP files

    Task: Display the current working directory on the SFTP server.
    Remarks: Available in SFTP client view.
    Task: Display files under a directory.
    Command:
    • dir [ -a | -l ] [ remote-path ]
    •...
    Remarks: Available in SFTP client view. The dir command has the same...
  • Page 389: Configuring the device as an SCP client

    Configuring the device as an SCP client
    SCP client configuration task list
    Tasks at a glance:
    • (Required.) Generating local key pairs. Remarks: Only required when the SCP server uses the authentication method publickey, password-publickey, or any.
    • (Required.) Establishing a connection to an SCP server.
    • (Optional.) Establishing a connection to an SCP...
  • Page 390
    Command:
    • In non-FIPS mode: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr |...
  • Page 391: Establishing a connection to an SCP server based on Suite B

    Command (continued): ... aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr |...
  • Page 392: Specifying algorithms for SSH2

    Command (continued): ... [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ source { interface interface-type interface-number | ipv6 ipv6-address } ] *
    Specifying algorithms for SSH2
    Perform this task to specify the following types of algorithms that the SSH2 client and server use for algorithm negotiation during the Stelnet, SFTP, or SCP session establishment:
    •...
  • Page 393: Specifying encryption algorithms for SSH2

    Step (continued): ... for algorithm negotiation.
    Command (continued): ... x509v3-ecdsa-sha2-nistp384 } *
    • In FIPS mode: ssh2 algorithm public-key { ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } *
    Specifying encryption algorithms for SSH2
    Step: Enter system view.
    Command: system-view
    •...
  • Page 394: Stelnet configuration examples

    Task (continued): ... the Stelnet client.
    Task: Display SSH server status or sessions.
    Command: display ssh server { session | status }
    Task: Display SSH user information on the SSH server.
    Command: display ssh user-information [ username ]
    Task: Display the public keys of the local key pairs.
    Command: display public-key local { dsa | ecdsa | rsa } public
  • Page 395
    ..++++++++ ....++++++++
    Create the key pair successfully.
    # Generate a DSA key pair.
    [Switch] public-key local create dsa
    The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 396: Publickey authentication enabled Stelnet server configuration example

    b. In the Host Name (or IP address) field, enter the IP address 192.168.1.40 of the Stelnet server.
    Figure 100 Specifying the host name (or IP address)
    c. Click Open to connect to the server. If the connection is successfully established, the system notifies you to enter the username and password.
  • Page 397
    Configuration procedure
    In the server configuration, the client's host public key is required. Use the client software to generate RSA key pairs on the client before configuring the Stelnet server.
    There are different types of Stelnet client software, such as PuTTY and OpenSSH. This example uses a Stelnet client that runs PuTTY version 0.58.
  • Page 398
    Figure 103 Generating process
    a. After the key pair is generated, click Save public key to save the public key. A file saving window appears.
    Figure 104 Saving a key pair on the client
    d. Enter a file name (key.pub in this example), and click Save.
  • Page 399
    e. On the page shown in Figure 104, click Save private key to save the private key. A confirmation dialog box appears.
    f. Click Yes. A file saving window appears.
    g. Enter a file name (private.ppk in this example), and click Save.
    h.
  • Page 400
    # Import the client's public key from the public key file key.pub and name it switchkey.
    [Switch] public-key peer switchkey import sshkey key.pub
    # Create an SSH user named client002. Specify the authentication method as publickey for the user, and assign the public key switchkey to the user.
    [Switch] ssh user client002 service-type stelnet authentication-type publickey assign publickey switchkey
    # Create a local device management user named client002.
  • Page 401
    Figure 106 Specifying the preferred SSH version
    e. Select Connection > SSH > Auth from the navigation tree. The window shown in Figure 107 appears.
    f. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this example), and click OK.
  • Page 402: Password authentication enabled Stelnet client configuration example

    g. Click Open to connect to the server. If the connection is successfully established, the system notifies you to enter the username. After entering the username (client002), you can enter the CLI of the server.
    Password authentication enabled Stelnet client configuration example
    Network requirements
    As shown in...
  • Page 403
    # Generate an ECDSA key pair.
    [SwitchB] public-key local create ecdsa secp256r1
    Generating Keys...
    Create the key pair successfully.
    # Enable the Stelnet server.
    [SwitchB] ssh server enable
    # Assign an IP address to VLAN-interface 2. The Stelnet client uses this address as the destination address of the SSH connection.
  • Page 404 6FD60FE01941DDD77FE6B12893DA76E [SwitchA-pkey-public-key-key1]EBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B3 68950387811C7DA33021500C773218C [SwitchA-pkey-public-key-key1]737EC8EE993B4F2DED30F48EDACE915F0281810082269009E 14EC474BAF2932E69D3B1F18517AD95 [SwitchA-pkey-public-key-key1]94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D02 492B3959EC6499625BC4FA5082E22C5 [SwitchA-pkey-public-key-key1]B374E16DD00132CE71B020217091AC717B612391C76C1FB2E 88317C1BD8171D41ECB83E210C03CC9 [SwitchA-pkey-public-key-key1]B32E810561C21621C73D6DAAC028F4B1585DA7F42519718CC 9B09EEF0381840002818000AF995917 [SwitchA-pkey-public-key-key1]E1E570A3F6B1C2411948B3B4FFA256699B3BF871221CC9C5D F257523777D033BEE77FC378145F2AD [SwitchA-pkey-public-key-key1]D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F71 01F7C62621216D5A572C379A32AC290 [SwitchA-pkey-public-key-key1]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465E 8716261214A5A3B493E866991113B2D [SwitchA-pkey-public-key-key1]485348 [SwitchA-pkey-public-key-key1] peer-public-key end [SwitchA] quit # Establish an SSH connection to the server, and specify the host public key of the server. <SwitchA>...
  • Page 405: Publickey authentication enabled Stelnet client configuration example

    ******************************************************************************
    * Copyright (c) 2010-2016 Hewlett Packard Enterprise Development LP
    * Without the owner's prior written consent,
    * no decompiling or reverse-engineering shall be allowed.
    ******************************************************************************
    <SwitchB>
    After you enter the correct password, you can access Switch B successfully. At the next connection attempt, the client authenticates the server by using the server's host public key saved on the client.
  • Page 406
    [SwitchA] quit
    # Transmit the public key file key.pub to the server through FTP or TFTP. (Details not shown.)
    Configure the Stelnet server:
    # Generate RSA key pairs.
    <SwitchB> system-view
    [SwitchB] public-key local create rsa
    The range of public key modulus is (512 ~ 2048)
    If the key modulus is greater than 512, it will take a few minutes.
  • Page 407: Stelnet configuration example based on 128-bit Suite B algorithms

    [SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey switchkey
    # Create a local device management user named client002.
    [SwitchB] local-user client002 class manage
    # Authorize local user client002 to use the SSH service.
    [SwitchB-luser-manage-client002] service-type ssh
    # Assign the network-admin user role to local user client002.
    [SwitchB-luser-manage-client002] authorization-attribute user-role network-admin
    [SwitchB-luser-manage-client002] quit
    Establish an SSH connection to the Stelnet server.
  • Page 408
    NOTE: You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as a Stelnet client.
    # Upload the server's certificate file ssh-server-ecdsa256.p12 and the client's certificate file ssh-client-ecdsa256.p12 to the Stelnet client through FTP or TFTP. (Details not shown.)
    # Create a PKI domain named server256 for verifying the server's certificate and enter its view.
  • Page 409 CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 08:C1:F1:AA:97:45:19:6A:DA:4A:F2:87:A1:1A:E8:30:BD:31:30:D7 X509v3 Authority Key Identifier: keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22 Signature Algorithm: ecdsa-with-SHA256 30:65:02:31:00:a9:16:e9:c1:76:f0:32:fc:4b:f9:8f:b6:7f: 31:a0:9f:de:a7:cc:33:29:27:2c:71:2e:f9:0d:74:cb:25:c9: 00:d2:52:18:7f:58:3f:cc:7e:8b:d3:42:65:00:cb:63:f8:02: 30:01:a2:f6:a1:51:04:1c:61:78:f6:6b:7e:f9:f9:42:8d:7c: a7:bb:47:7c:2a:85:67:0d:81:12:0b:02:98:bc:06:1f:c1:3c: 9b:c2:1b:4c:44:38:5a:14:b2:48:63:02:2b # Create a PKI domain named client256 for the client's certificate and enter its view. [SwitchA] pki domain client256 # Disable CRL checking.
  • Page 410 NIST CURVE: P-256 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 1A:61:60:4D:76:40:B8:BA:5D:A1:3C:60:BC:57:98:35:20:79:80:FC X509v3 Authority Key Identifier: keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22 Signature Algorithm: ecdsa-with-SHA256 30:66:02:31:00:9a:6d:fd:7d:ab:ae:54:9a:81:71:e6:bb:ad: 5a:2e:dc:1d:b3:8a:bf:ce:ee:71:4e:8f:d9:93:7f:a3:48:a1: 5c:17:cb:22:fa:8f:b3:e5:76:89:06:9f:96:47:dc:34:87:02: 31:00:e3:af:2a:8f:d6:8d:1f:3a:2b:ae:2f:97:b3:52:63:b6: 18:67:70:2c:93:2a:41:c0:e7:fa:93:20:09:4d:f4:bf:d0:11: 66:0f:48:56:01:1e:c3:be:37:4e:49:19:cf:c6 # Assign an IP address to VLAN-interface 2. <SwitchA>...
  • Page 411: SFTP configuration examples

    # Create a local device management user named client001. Authorize the user to use the SSH service and assign the network-admin user role to the user.
    [SwitchB] local-user client001 class manage
    [SwitchB-luser-manage-client001] service-type ssh
    [SwitchB-luser-manage-client001] authorization-attribute user-role network-admin
    [SwitchB-luser-manage-client001] quit
    # Create an SSH user named client001.
  • Page 412: SSH connection

    Figure 111 Network diagram
    Configuration procedure
    Configure the SFTP server:
    # Generate RSA key pairs.
    <Switch> system-view
    [Switch] public-key local create rsa
    The range of public key modulus is (512 ~ 2048).
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
  • Page 413
    [Switch-luser-manage-client002] password simple aabbcc
    # Authorize local user client002 to use the SSH service.
    [Switch-luser-manage-client002] service-type ssh
    # Assign the network-admin user role and working directory flash:/ to local user client002.
    [Switch-luser-manage-client002] authorization-attribute user-role network-admin work-directory flash:/
    [Switch-luser-manage-client002] quit
    # Create an SSH user named client002. Specify the authentication method as password and service type as sftp for the user.
  • Page 414: Publickey authentication enabled SFTP client configuration example

    Publickey authentication enabled SFTP client configuration example
    Network requirements
    As shown in Figure 113, Switch B acts as the SFTP server, and it uses publickey authentication and the RSA public key algorithm. Establish an SFTP connection between Switch A and Switch B, so you can log in to Switch B to manage and transfer files.
  • Page 415
    Input the modulus length [default = 1024]:
    Generating Keys......++++++ ....++++++ ..++++++++ ....++++++++
    Create the key pair successfully.
    # Generate a DSA key pair.
    [SwitchB] public-key local create dsa
    The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 416
    Press CTRL+C to abort.
    Connecting to 192.168.0.1 port 22.
    The server is not authenticated. Continue? [Y/N]:y
    Do you want to save the server public key? [Y/N]:n
    sftp>
    # Display files under the current directory of the server, delete file z, and verify the result.
    sftp>...
  • Page 417: SFTP configuration example based on 192-bit Suite B algorithms

    NOTE: You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as an SFTP client.
    # Upload the server's certificate file ssh-server-ecdsa384.p12 and the client's certificate file ssh-client-ecdsa384.p12 to the SFTP client through FTP or TFTP. (Details not shown.)
    # Create a PKI domain named server384 for verifying the server's certificate and enter its view.
  • Page 418
    The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A to Z, 0 to 9, and hyphens (-).
    Please enter the key pair name[default name: server384]:
    # Display information about local certificates in PKI domain server384.
  • Page 419
    # Disable CRL checking.
    [SwitchA-pki-domain-client384] undo crl check enable
    [SwitchA-pki-domain-client384] quit
    # Import local certificate file ssh-client-ecdsa384.p12 to PKI domain client384.
    [SwitchA] pki import domain client384 p12 local filename ssh-client-ecdsa384.p12
    The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters.
  • Page 420
    33:71:75:5e:11:c9:a6:51:4b:3e:7c:eb:2a:4d:87:2b:71:7c:
    30:64:fe:14:ce:06:d5:0a:e2:cf:9a:69:19:ff
    # Assign an IP address to VLAN-interface 2.
    [SwitchA] interface vlan-interface 2
    [SwitchA-Vlan-interface2] ip address 192.168.0.2 255.255.255.0
    [SwitchA-Vlan-interface2] quit
    [SwitchA] quit
    Configure the SFTP server:
    # Upload the server's certificate file ssh-server-ecdsa384.p12 and the client's certificate file ssh-client-ecdsa384.p12 to the SFTP server through FTP or TFTP. (Details not shown.)
    # Create a PKI domain named client384 for verifying the client's certificate and import the file of the client's certificate to this domain.
  • Page 421: SCP configuration examples

    Connecting to 192.168.0.1 port 22.
    sftp>
    SCP configuration examples
    Unless otherwise noted, devices in the configuration examples operate in non-FIPS mode. When the device acts as an SCP server and is operating in FIPS mode, only ECDSA and RSA key pairs are supported.
  • Page 422: SCP configuration example based on Suite B algorithms

    ...+....+..+...+.
    Create the key pair successfully.
    # Generate an ECDSA key pair.
    [SwitchB] public-key local create ecdsa secp256r1
    Generating Keys...
    Create the key pair successfully.
    # Enable the SCP server.
    [SwitchB] scp server enable
    # Configure an IP address for VLAN-interface 2. The client uses this address as the destination for the SCP connection.
  • Page 423
    NOTE: You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as an SCP client.
    # Upload the server's certificate files (ssh-server-ecdsa256.p12 and ssh-server-ecdsa384.p12) and the client's certificate files (ssh-client-ecdsa256.p12 and ssh-client-ecdsa384.p12) to the SCP client through FTP or TFTP.
  • Page 424 Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:a2:b4:b4:66:1e:3b:d5:50:50:0e:55:19:8d:52: 6d:47:8c:3d:3d:96:75:88:2f:9a:ba:a2:a7:f9:ef: 0a:a9:20:b7:b6:6a:90:0e:f8:c6:de:15:a2:23:81: 3c:9e:a2:b7:83:87:b9:ad:28:c8:2a:5e:58:11:8e: c7:61:4a:52:51 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 08:C1:F1:AA:97:45:19:6A:DA:4A:F2:87:A1:1A:E8:30:BD:31:30:D7 X509v3 Authority Key Identifier: keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22 Signature Algorithm: ecdsa-with-SHA256 30:65:02:31:00:a9:16:e9:c1:76:f0:32:fc:4b:f9:8f:b6:7f:...
  • Page 425 Validity Not Before: Aug 21 08:41:09 2015 GMT Not After : Aug 20 08:41:09 2016 GMT Subject: C=CN, ST=BBB, O=AAA, OU=Software, CN=SSH Client secp256 Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:da:e2:26:45:87:7a:63:20:e7:ca:7f:82:19:f5: 96:88:3e:25:46:f8:2f:9a:4c:70:61:35:db:e4:39: b8:38:c4:60:4a:65:28:49:14:32:3c:cc:6d:cd:34: 29:83:84:74:a7:2d:0e:75:1c:c2:52:58:1e:22:16: 12:d0:b4:8a:92 ASN1 OID: prime256v1 NIST CURVE: P-256...
  • Page 426 Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: ecdsa-with-SHA384 Issuer: C=CN, ST=BBB, L=BBB, O=AAA, OU=Software, CN=SuiteB CA Validity Not Before: Aug 20 10:08:41 2015 GMT Not After : Aug 19 10:08:41 2016 GMT Subject: C=CN, ST=BBB, O=AAA, OU=Software, CN=ssh server Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit)
  • Page 427
    The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A to Z, 0 to 9, and hyphens (-).
    Please enter the key pair name[default name: client384]:
    # Display information about local certificates in PKI domain client384.
  • Page 428
    [SwitchA-Vlan-interface2] quit
    Configure the SCP server:
    # Upload the server's certificate files (ssh-server-ecdsa256.p12 and ssh-server-ecdsa384.p12) and the client's certificate files (ssh-client-ecdsa256.p12 and ssh-client-ecdsa384.p12) to the SCP server through FTP or TFTP. (Details not shown.)
    # Create a PKI domain named client256 for verifying the client's certificate ecdsa256 and import the file of this certificate to this domain.
  • Page 429: NETCONF over SSH configuration example with password authentication

    # Establish an SCP connection to the SCP server at 192.168.0.1 based on the 128-bit Suite B algorithms.
    <SwitchA> scp 192.168.0.1 get src.cfg suite-b 128-bit pki-domain client256 server-pki-domain server256
    Username: client001
    Press CTRL+C to abort.
    Connecting to 192.168.0.1 port 22.
    src.cfg 100% 4814 4.7KB/s...
  • Page 430
    Figure 117 Network diagram
    Configuration procedure
    # Generate RSA key pairs.
    <Switch> system-view
    [Switch] public-key local create rsa
    The range of public key modulus is (512 ~ 2048).
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
  • Page 431: Verifying the configuration

    # Create a local device management user named client001.
    [Switch] local-user client001 class manage
    # Set the password to aabbcc in plain text for local user client001.
    [Switch-luser-manage-client001] password simple aabbcc
    # Authorize local user client001 to use the SSH service.
    [Switch-luser-manage-client001] service-type ssh
    # Assign the network-admin user role to local user client001.
  • Page 432: Configuring SSL

    Configuring SSL
    Overview
    Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security for TCP-based application layer protocols such as HTTP. SSL has been widely used in applications such as e-business and online banking to provide secure data transmission over the Internet.
    SSL security services
    SSL provides the following security services:
    •...
  • Page 433: FIPS compliance

    Figure 119 SSL protocol stack
    The following describes the major functions of SSL protocols:
    • SSL record protocol—Fragments data received from the upper layer, computes and adds a MAC to the data, and encrypts the data.
    • SSL handshake protocol—Negotiates the cipher suite used for secure communication, authenticates the server and client, and securely exchanges the keys between the server and client.
  • Page 434
    Step: (Optional.) Disable the SSL server from using specific SSL versions.
    Command:
    • In non-FIPS mode: ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable
    •...
    Remarks: By default:
    • In non-FIPS mode, the SSL server supports SSL 3.0, TLS 1.0, TLS 1.1, ...
  • Page 435: Configuring an SSL client policy

    Command (continued): ... rsa_rc4_128_md5 | rsa_rc4_128_sha } *
    • In FIPS mode: ciphersuite { ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_256_gcm_sha384 | rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha | rsa_aes_256_cbc_sha256 }...
  • Page 436
    Step: Create an SSL client policy and enter its view.
    Command: ssl client-policy policy-name
    Remarks: By default, no SSL client policies exist.
    Step: (Optional.) Specify a PKI domain for the SSL client...
    Remarks: By default, no PKI domain is specified for an SSL client policy. If SSL client authentication is required, you must specify a PKI domain and request a local...
  • Page 437: Displaying and maintaining SSL

    Command (continued): ... ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_256_gcm_sha384 | rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha | rsa_aes_256_cbc_sha256
    Step: Specify the SSL protocol version for the SSL client...
    Command:
    • In non-FIPS mode: version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 }
    Remarks: By default, an SSL client policy uses TLS 1.0. To ensure security, do not...
  • Page 438: Configuring attack detection and prevention

    Configuring attack detection and prevention
    Overview
    Attack detection and prevention enables a device to detect attacks by inspecting arriving packets, and to take prevention actions to protect a private network. Prevention actions include logging and packet dropping.
    Attacks that the device can prevent
    This section describes the attacks that the device can detect and prevent.
  • Page 439: Scanning attacks

    Single-packet attack / Description:
    • IP options: An attacker sends IP datagrams in which the IP options are abnormal. This attack intends to probe the network topology. The target system will break down if it is incapable of processing error packets.
    • IP fragment: An attacker sends the victim an IP datagram with an offset smaller than 5, which causes the victim to malfunction or crash.
  • Page 440: Flood attacks

    Flood attacks
    An attacker launches a flood attack by sending a large number of forged requests to the victim in a short period of time. The victim is too busy responding to these forged requests to provide services for legitimate users, and a DoS attack occurs.
    The device can detect and prevent the following types of flood attacks:
    •...
  • Page 441: TCP fragment attack

    An ICMPv6 flood attacker sends ICMPv6 request packets, such as ping packets, to a host at a fast rate. Because the target host is busy replying to these requests, it is unable to provide services.
    • UDP flood attack. A UDP flood attacker sends UDP packets to a host at a fast rate. These packets consume a large amount of the target host's bandwidth, so the host cannot provide other services.
  • Page 442: Configuring an attack defense policy

    Configuring an attack defense policy
    Creating an attack defense policy
    An attack defense policy can contain a set of attack detection and prevention configurations against multiple attacks.
    To create an attack defense policy:
    Step: Enter system view.
    Command: system-view
    Step: Create an attack defense ...
    Command: attack-defense policy ...
    Remarks: By default, no attack defense policy...
  • Page 443: Configuring a scanning attack defense policy

    Command (continued):
    • signature detect icmpv6-type { icmpv6-type-value | destination-unreachable | echo-reply | echo-request | group-query | group-reduction | group-report | packet-too-big | parameter-problem | time-exceeded } [ action { { drop | logging } * | none } ]
    •...
  • Page 444: Configuring a flood attack defense policy

    Command (continued): ... logging } *
    Configuring a flood attack defense policy
    Flood attack detection monitors the rate at which connections are initiated to the device. With flood attack detection enabled, the device is in attack detection state. When the packet sending rate to an IP address reaches the threshold, the device enters prevention state and takes the specified actions.
  • Page 445
    Command (continued): ... | logging } * | none } ]
    Configuring a SYN-ACK flood attack defense policy
    Step: Enter system view.
    Command: system-view
    Step: Enter attack defense policy view.
    Command: attack-defense policy policy-name
    Step: Enable global SYN-ACK flood attack detection.
    Command: syn-ack-flood detect ...
    Remarks: By default, global SYN-ACK flood...
  • Page 446
    Step (continued): ... attack detection.
    Remarks (continued): ... detection is disabled.
    Step: Set the global trigger threshold for RST flood attack prevention.
    Command: rst-flood threshold threshold-value
    Remarks: The default setting is 1000.
    Step: Specify global actions against RST flood attacks.
    Command: rst-flood action { drop | ...
    Remarks: By default, no global action is...
  • Page 447
    Configuring a UDP flood attack defense policy
    Step: Enter system view.
    Command: system-view
    Step: Enter attack defense policy view.
    Command: attack-defense policy policy-name
    Step: Enable global UDP flood attack detection.
    Command: udp-flood detect non-specific
    Remarks: By default, global UDP flood attack detection is disabled.
    Step: Set the global trigger threshold for UDP flood...
    Command: udp-flood threshold ...
  • Page 448: Configuring attack detection exemption

    Step: Set the global trigger threshold for HTTP flood attack prevention.
    Command: http-flood threshold threshold-value
    Remarks: The default setting is 1000.
    Step: (Optional.) Specify the global ports to be protected against HTTP flood attacks.
    Command: http-flood port port-list
    Remarks: By default, HTTP flood attack prevention protects port 80.
  • Page 449: Enabling log non-aggregation for single-packet attack events

    A switch uses hardware to implement packet forwarding and uses software to process packets if the packets are destined for the switch. The software does not provide any attack defense features, so you must apply an attack defense policy to the switch to prevent attacks aimed at the switch.
    To apply an attack defense policy to the device:
    Step Command...
  • Page 450: Enabling the login delay

    Enabling the login delay
    The login delay feature delays the device from accepting a login request from a user after the user fails a login attempt. This feature can slow down login dictionary attacks.
    To enable the login delay:
    Step: Enter system view.
  • Page 451: Attack detection and prevention configuration examples

    Task (continued): ... protected by flood attack detection and prevention.
    Command (continued): ... | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ slot slot-number ] [ count ]
    Task: Clear attack detection and prevention statistics for the device.
    Command: reset attack-defense statistics local
  • Page 452
    [Switch-attack-defense-policy-a1] signature detect tcp-fin-only action logging
    [Switch-attack-defense-policy-a1] signature detect tcp-invalid-flags action logging
    [Switch-attack-defense-policy-a1] signature detect tcp-null-flag action logging
    [Switch-attack-defense-policy-a1] signature detect tcp-syn-fin action logging
    # Enable low level scanning attack detection and specify logging as the attack prevention action.
    [Switch-attack-defense-policy-a1] scan detect level low action logging
    # Enable SYN flood attack detection for 192.168.2.1.
  • Page 453
    TCP all flags                 Disabled   medium
    TCP SYN-FIN flags             Disabled   medium
    TCP FIN only flag             Disabled   medium
    TCP Land                      Disabled   medium
    Winnuke                       Disabled   medium
    UDP Bomb                      Disabled   medium
    UDP Snork                     Disabled   medium
    UDP Fraggle                   Disabled   medium
    IP option record route        Disabled   info
    IP option internet timestamp  Disabled...
  • Page 454
    RST flood     1000(default)  Disabled
    FIN flood     1000(default)  Disabled
    UDP flood     1000(default)  Disabled
    ICMP flood    1000(default)  Disabled
    ICMPv6 flood  1000(default)  Disabled
    DNS flood     1000(default)  Disabled
    HTTP flood    1000(default)  Disabled
    Flood attack defense for protected IP addresses:
    Address      VPN instance  Flood type  Thres(pps)  Actions  Ports
    192.168.2.1                SYN-FLOOD...
  • Page 455: Configuring TCP attack prevention

    Configuring TCP attack prevention
    Overview
    TCP attack prevention can detect and prevent attacks that exploit the TCP connection establishment process.
    Configuring Naptha attack prevention
    Naptha is a DDoS attack that targets operating systems. It exploits a resource-consumption vulnerability in the TCP/IP stack and network application processes. The attacker establishes a large number of TCP connections in a short period of time and leaves them in certain states without requesting any data.
  • Page 456: Configuring IP source guard

    Configuring IP source guard
    Overview
    IP source guard (IPSG) prevents spoofing attacks by using an IPSG binding table to match legitimate packets. It drops packets that do not match the table.
    IPSG is a per-interface packet filter. Configuring the feature on one interface does not affect packet forwarding on another interface.
    The IPSG binding table can include global and interface-specific bindings.
  • Page 457: Dynamic IPSG bindings

    • Global static binding—Binds the IP address and MAC address in system view. The binding takes effect on all interfaces to filter packets for user spoofing attack prevention.
    • Interface-specific static binding—Binds the IP address, MAC address, VLAN, or any combination of the items in interface view.
  • Page 458: Configuring the IPv4SG feature

    Tasks at a glance:
    (Optional.) Configuring a static IPv4SG binding
    To configure IPv6SG, perform the following tasks:
    Tasks at a glance:
    (Required.) Enabling IPv6SG on an interface
    (Optional.) Configuring a static IPv6SG binding
    Configuring the IPv4SG feature
    You cannot configure the IPv4SG feature on a service loopback interface. If IPv4SG is enabled on an interface, you cannot assign the interface to a service loopback group.
  • Page 459: Configuring The Ipv6Sg Feature

    Configuring a global static IPv4SG binding
    Step 1: Enter system view. Command: system-view
    Step 2: Configure a global static IPv4SG binding. Command: ip source binding ip-address ip-address mac-address mac-address. Remarks: By default, no global static IPv4SG bindings exist.
    Configuring a static IPv4SG binding on an interface
    Step Command Remarks...
  • Page 460: Configuring A Static Ipv6Sg Binding

    (Enter interface view.) Command: interface interface-type interface-number. Remarks: The following interface types are supported: Layer 2 Ethernet port; Layer 3 Ethernet interface; Layer 3 Ethernet subinterface; Layer 3 aggregate interface; VLAN interface.
    Enable the IPv6SG feature. Command: ipv6 verify source { ip-address | ip-address ... Remarks: By default, the IPv6SG feature is disabled on an interface. If you configure this command on an...
  • Page 461: Ipsg Configuration Examples

    Display IPv4SG bindings. Command: display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ arp-snooping | dhcp-relay | dhcp-server | dhcp-snooping | dot1x ] ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ]
    Display IPv6SG bindings. Command: display ipv6 source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcpv6-relay | dhcpv6-snooping | dot1x ] ] [ ip-address ipv6-address ]...
  • Page 462: Dynamic Ipv4Sg Using Dhcp Snooping Configuration Example

    [DeviceA] interface ten-gigabitethernet 1/0/1
    [DeviceA-Ten-GigabitEthernet1/0/1] ip verify source ip-address mac-address
    # On Ten-GigabitEthernet 1/0/1, configure a static IPv4SG binding for Host A.
    [DeviceA-Ten-GigabitEthernet1/0/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406
    [DeviceA-Ten-GigabitEthernet1/0/1] quit
    Configure Device B:
    # Configure an IP address for each interface. (Details not shown.)
    # Enable IPv4SG on Ten-GigabitEthernet 1/0/2.
  • Page 463: Dynamic Ipv4Sg Using Dhcp Relay Agent Configuration Example

    • Enable dynamic IPv4SG on Ten-GigabitEthernet 1/0/1 to filter incoming packets by using the IPv4SG bindings generated based on DHCP snooping entries. Only packets from the DHCP client are allowed to pass. Figure 123 Network diagram Configuration procedure Configure the DHCP server. For information about DHCP server configuration, see Layer 3—IP Services Configuration Guide.
  • Page 464: Static Ipv6Sg Configuration Example

    Figure 124 Network diagram
    Configuration procedure
    Configure dynamic IPv4SG:
    # Configure IP addresses for the interfaces. (Details not shown.)
    # Enable IPv4SG on VLAN-interface 100 and verify the source IP address and MAC address for dynamic IPSG.
    <Switch> system-view
    [Switch] interface vlan-interface 100
    [Switch-Vlan-interface100] ip verify source ip-address mac-address
    [Switch-Vlan-interface100] quit
    Configure the DHCP relay agent:...
  • Page 465: Dynamic Ipv6Sg Using Dhcpv6 Snooping Configuration Example

    Configuration procedure
    # Enable IPv6SG on Ten-GigabitEthernet 1/0/1.
    <Device> system-view
    [Device] interface ten-gigabitethernet 1/0/1
    [Device-Ten-GigabitEthernet1/0/1] ipv6 verify source ip-address mac-address
    # On Ten-GigabitEthernet 1/0/1, configure a static IPv6SG binding for the host.
    [Device-Ten-GigabitEthernet1/0/1] ipv6 source binding ip-address 2001::1 mac-address 0001-0202-0202
    [Device-Ten-GigabitEthernet1/0/1] quit
    Verifying the configuration
    # Verify that the static IPv6SG binding is configured successfully on the device.
  • Page 466: Dynamic Ipv6Sg Using Dhcpv6 Relay Agent Configuration Example

    [Device] interface ten-gigabitethernet 1/0/1
    [Device-Ten-GigabitEthernet1/0/1] ipv6 verify source ip-address mac-address
    # Enable recording of client information in DHCPv6 snooping entries on Ten-GigabitEthernet 1/0/1.
    [Device-Ten-GigabitEthernet1/0/1] ipv6 dhcp snooping binding record
    [Device-Ten-GigabitEthernet1/0/1] quit
    Verifying the configuration
    # Verify that a dynamic IPv6SG binding is generated based on a DHCPv6 snooping entry.
    [Device] display ipv6 source binding dhcpv6-snooping
    Total entries found: 1
    IPv6 Address...
  • Page 467 Enable IPv6SG on VLAN-interface 3 and verify the source IP address and MAC address for dynamic IPv6SG.
    <Switch> system-view
    [Switch] interface vlan-interface 3
    [Switch-Vlan-interface3] ipv6 verify source ip-address mac-address
    [Switch-Vlan-interface3] quit
    Verifying the configuration
    # Verify that a dynamic IPv6SG binding is generated based on a DHCPv6 relay entry.
    [Switch] display ipv6 source binding dhcpv6-relay
    Total entries found: 1
    IP Address...
  • Page 468: Configuring Arp Attack Protection

    Configuring ARP attack protection
    Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks; ARP attacks and ARP-based malware threaten LAN security. This chapter describes multiple features used to detect and prevent ARP attacks.
  • Page 469: Configuring Arp Source Suppression

    After a blackhole route is created for an unresolved IP address, the device immediately starts the first ARP blackhole route probe by sending an ARP request. If the resolution fails, the device continues probing according to the probe settings. If the IP address resolution succeeds in a probe, the device converts the blackhole route to a normal route.
  • Page 470: Configuration Example

    Configuration example Network requirements As shown in Figure 128, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20. Each area connects to the gateway (Device) through an access switch. A large number of ARP requests are detected in the office area and are considered an attack caused by unresolvable IP packets.
  • Page 471: Configuration Guidelines

    Configuration guidelines Configure this feature when ARP attack detection, ARP snooping, or ARP fast-reply is enabled, or when ARP flood attacks are detected. Configuration procedure This task sets a rate limit for ARP packets received on an interface. When the receiving rate of ARP packets on the interface exceeds the rate limit, those packets are discarded.
  • Page 472: Configuration Procedure

    entry for the MAC address. Before the entry ages out, the device handles the attack by using either of the following methods: • Monitor—Only generates log messages. • Filter—Generates log messages and filters out subsequent ARP packets from the MAC address.
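    The detection described above, as an added Python example (not HPE code): ARP packets are counted per source MAC inside a detection interval, a MAC that exceeds the threshold gets an attack entry that ages out later, and the entry is handled in monitor mode (log only) or filter mode (log and drop subsequent ARP packets). The threshold, interval, aging time and the protected-MAC exemption are illustrative assumptions, and the traffic stream is constructed.

```python
"""Added example (not HPE code): source MAC-based ARP attack detection as the
text describes it, run over a constructed stream of ARP arrivals. Threshold,
detection interval and aging values are illustrative assumptions."""
from collections import Counter, defaultdict, deque
from typing import Deque, Dict, List, Tuple


class SourceMacArpDetector:
    def __init__(self, threshold: int = 30, interval: float = 5.0,
                 aging: float = 300.0, mode: str = "monitor",
                 protected=()) -> None:
        assert mode in ("monitor", "filter")
        self.threshold, self.interval, self.aging, self.mode = threshold, interval, aging, mode
        self.protected = set(protected)          # MACs exempt from detection
        self.window: Dict[str, Deque[float]] = defaultdict(deque)  # arrivals per MAC
        self.attackers: Dict[str, float] = {}    # attack entry -> time created
        self.log: List[str] = []

    def process(self, ts: float, src_mac: str) -> str:
        """Return 'forward' or 'drop' for one ARP packet from src_mac at time ts."""
        # attack entries age out; afterwards the MAC is counted afresh
        if src_mac in self.attackers and ts - self.attackers[src_mac] >= self.aging:
            del self.attackers[src_mac]
        if src_mac in self.protected:
            return "forward"
        if src_mac in self.attackers:
            return "drop" if self.mode == "filter" else "forward"
        q = self.window[src_mac]
        q.append(ts)
        while q and ts - q[0] > self.interval:     # keep only the current interval
            q.popleft()
        if len(q) > self.threshold:
            self.attackers[src_mac] = ts
            self.log.append(f"t={ts:.2f} ARP attack from {src_mac}: "
                            f"{len(q)} packets within {self.interval}s, action={self.mode}")
            q.clear()
            return "drop" if self.mode == "filter" else "forward"
        return "forward"


def demo(mode: str) -> Tuple[SourceMacArpDetector, Counter]:
    """Constructed traffic: a host sending one ARP per second and an
    attacker sending 50 ARP requests within one second."""
    det = SourceMacArpDetector(threshold=30, interval=5.0, aging=300.0, mode=mode)
    stream = [(float(t), "0001-0001-0001") for t in range(5)]
    stream += [(1.0 + i * 0.02, "000f-dead-beef") for i in range(50)]
    stream.sort()
    actions: Counter = Counter()
    for ts, mac in stream:
        actions[(mac, det.process(ts, mac))] += 1
    return det, actions


if __name__ == "__main__":
    for mode in ("monitor", "filter"):
        det, actions = demo(mode)
        print(mode, dict(actions), det.log)
```

    In filter mode the first 30 packets of the burst are still forwarded, because the decision is only taken once the threshold is crossed; the attack entry then drops the rest until it ages out. Monitor mode produces the same log line and drops nothing, which is why the text recommends it only for observation.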
  • Page 473: Configuration Example

    Configuration example
    Network requirements
    As shown in Figure 129, the hosts access the Internet through a gateway (Device). If malicious users send a large number of ARP requests to the gateway, the gateway might be overwhelmed and unable to process requests from legitimate clients. To solve this problem, configure source MAC-based ARP attack detection on the gateway.
  • Page 474: Configuring Arp Packet Source Mac Consistency Check

    Configuring ARP packet source MAC consistency check This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body. This feature allows the gateway to learn correct ARP entries.
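    The check described above, as an added Python example (not HPE code): parse an Ethernet II frame carrying ARP, and compare the Ethernet source MAC with the sender hardware address in the ARP body. The frames below are constructed, and the MAC formatting helper imitates the switch's 0001-0203-0406 notation.

```python
"""Added example (not HPE code): parse an Ethernet/ARP frame and apply the
source MAC consistency check, i.e. compare the Ethernet source MAC with the
sender hardware address inside the ARP body. Frames are constructed inline."""
import struct
from typing import Optional

ETHERTYPE_ARP = 0x0806


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", "").replace("-", ""))


def _ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def fmt_mac(b: bytes) -> str:
    """Render as the switch does: 0001-0203-0406."""
    h = b.hex()
    return "-".join(h[i:i + 4] for i in range(0, 12, 4))


def build_arp_frame(eth_src: str, sha: str, spa: str, tpa: str,
                    eth_dst: str = "ff:ff:ff:ff:ff:ff", oper: int = 1) -> bytes:
    """Ethernet II header + ARP (htype Ethernet, ptype IPv4, request by default)."""
    eth = _mac(eth_dst) + _mac(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + _mac(sha) + _ip(spa) + _mac("00:00:00:00:00:00") + _ip(tpa))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the fields the check needs, or None if the frame is not ARP over IPv4."""
    if len(frame) < 42:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_src": fmt_mac(frame[6:12]),
        "oper": oper,
        "sha": fmt_mac(frame[22:28]),
        "spa": ".".join(str(b) for b in frame[28:32]),
        "tha": fmt_mac(frame[32:38]),
        "tpa": ".".join(str(b) for b in frame[38:42]),
    }


def source_mac_consistent(frame: bytes) -> bool:
    """The gateway check from the text: drop when Ethernet source MAC and ARP
    sender MAC disagree. Non-ARP or malformed frames are not accepted either."""
    p = parse_arp(frame)
    return p is not None and p["eth_src"] == p["sha"]


# Constructed frames: a normal request, and a spoofed reply whose ARP body
# claims to come from another station than the Ethernet header does.
GOOD = build_arp_frame("00:01:02:03:04:06", "00:01:02:03:04:06", "10.1.1.2", "10.1.1.1")
SPOOFED = build_arp_frame("00:0f:de:ad:be:ef", "00:01:02:03:04:06", "10.1.1.2", "10.1.1.1", oper=2)

if __name__ == "__main__":
    for name, f in (("good", GOOD), ("spoofed", SPOOFED)):
        print(name, parse_arp(f), "consistent" if source_mac_consistent(f) else "DROP")
```

    The check is cheap because both addresses sit at fixed offsets; it catches the common case where an attacker crafts the ARP body but lets the NIC or a tool fill in the real Ethernet source. It does not catch an attacker who forges both fields consistently, which is what the user validity and IP source guard checks later in this chapter are for.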
  • Page 475: Configuration Procedure

    Configuration procedure
    To enable authorized ARP:
    Step 1: Enter system view. Command: system-view
    Step 2: Enter interface view. Command: interface interface-type interface-number. Remarks: The following interface types are supported: Layer 3 Ethernet interfaces; Layer 3 Ethernet subinterfaces; Layer 3 aggregate interfaces; ...
  • Page 476: Configuration Example (On A Dhcp Relay Agent)

    [DeviceB] interface ten-gigabitethernet 1/0/1
    [DeviceB-Ten-GigabitEthernet1/0/1] ip address dhcp-alloc
    [DeviceB-Ten-GigabitEthernet1/0/1] quit
    Verifying the configuration
    # Display authorized ARP entry information on Device A.
    [DeviceA] display arp all
    Type: S-Static   D-Dynamic   O-Openflow   R-Rule   M-Multiport   I-Invalid
    IP Address      MAC Address     Interface/Link ID   Aging   Type
    10.1.1.2        0012-3f86-e94c  XGE1/0/1...
  • Page 477: Configuring Arp Attack Detection

    <DeviceB> system-view
    [DeviceB] dhcp enable
    # Specify the IP addresses of Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2.
    [DeviceB] interface ten-gigabitethernet 1/0/1
    [DeviceB-Ten-GigabitEthernet1/0/1] ip address 10.1.1.2 24
    [DeviceB-Ten-GigabitEthernet1/0/1] quit
    [DeviceB] interface ten-gigabitethernet 1/0/2
    [DeviceB-Ten-GigabitEthernet1/0/2] ip address 10.10.1.1 24
    # Enable the DHCP relay agent on Ten-GigabitEthernet 1/0/2.
    [DeviceB-Ten-GigabitEthernet1/0/2] dhcp select relay
    # Add the DHCP server 10.1.1.1 to DHCP server group 1.
  • Page 478: Configuring User Validity Check

    Configuring user validity check User validity check compares the sender IP and sender MAC in the received ARP packet with the matching criteria in the following order: User validity check rules. If a match is found, the device processes the ARP packet according to the rule. If no match is found or no user validity check rule is configured, proceeds to step 2.
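    The check order described above, as an added Python example (not HPE code): user validity check rules are consulted first, and only if none matches are the sender IP and MAC looked up in the static IP source guard bindings, DHCP snooping entries and 802.1X entries; trusted interfaces are skipped entirely. The rule syntax (exact IP or MAC, with None as a wildcard) and the table contents are simplified assumptions; the packets are constructed.

```python
"""Added example (not HPE code): the user validity check order described in
the text, applied to constructed ARP packets. Rule syntax and the exact table
contents are simplified assumptions."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class ArpPacket:
    interface: str
    vlan: int
    sender_ip: str
    sender_mac: str


@dataclass(frozen=True)
class Rule:
    """A user validity check rule; None matches any value (assumed syntax)."""
    action: str                    # "permit" or "deny"
    ip: Optional[str] = None
    mac: Optional[str] = None

    def matches(self, pkt: ArpPacket) -> bool:
        return ((self.ip is None or self.ip == pkt.sender_ip)
                and (self.mac is None or self.mac == pkt.sender_mac))


Entry = Tuple[str, str, int]       # (ip, mac, vlan) as stored by each source


@dataclass
class ArpDetectionConfig:
    vlan: int                       # VLAN with 'arp detection enable'
    trusted: Set[str]               # interfaces with 'arp detection trust'
    rules: Tuple[Rule, ...]
    ipsg_static: Set[Entry]
    dhcp_snooping: Set[Entry]
    dot1x: Set[Entry]


def user_validity_check(pkt: ArpPacket, cfg: ArpDetectionConfig) -> Tuple[str, str]:
    """Return (action, reason). Trusted interfaces are not checked at all."""
    if pkt.vlan != cfg.vlan:
        return "forward", "ARP attack detection not enabled for this VLAN"
    if pkt.interface in cfg.trusted:
        return "forward", "trusted interface"
    # step 1: rules, first match wins
    for rule in cfg.rules:
        if rule.matches(pkt):
            return ("forward" if rule.action == "permit" else "drop"), "rule"
    # step 2: static IPSG bindings, DHCP snooping entries, 802.1X entries
    key = (pkt.sender_ip, pkt.sender_mac, pkt.vlan)
    for name, table in (("static IPSG binding", cfg.ipsg_static),
                        ("DHCP snooping entry", cfg.dhcp_snooping),
                        ("802.1X entry", cfg.dot1x)):
        if key in table:
            return "forward", name
    return "drop", "no matching entry"


def demo() -> dict:
    cfg = ArpDetectionConfig(
        vlan=10,
        trusted={"XGE1/0/3"},                     # uplink towards the gateway
        rules=(Rule("deny", mac="000f-bad0-0001"),),
        ipsg_static={("10.1.1.3", "0001-0203-0403", 10)},   # Host B, static binding
        dhcp_snooping={("10.1.1.2", "0001-0203-0402", 10)}, # Host A, DHCP client
        dot1x=set(),
    )
    return {
        "host_a": user_validity_check(ArpPacket("XGE1/0/1", 10, "10.1.1.2", "0001-0203-0402"), cfg),
        "host_b": user_validity_check(ArpPacket("XGE1/0/2", 10, "10.1.1.3", "0001-0203-0403"), cfg),
        # Host A claiming the gateway address: consistent MACs, but no entry for that pair
        "spoof_gateway": user_validity_check(ArpPacket("XGE1/0/1", 10, "10.1.1.1", "0001-0203-0402"), cfg),
        # a deny rule wins even though the IP belongs to a static binding
        "denied_by_rule": user_validity_check(ArpPacket("XGE1/0/2", 10, "10.1.1.3", "000f-bad0-0001"), cfg),
        "uplink": user_validity_check(ArpPacket("XGE1/0/3", 10, "10.1.1.1", "0012-3f86-e94c"), cfg),
    }


if __name__ == "__main__":
    for case, (action, why) in demo().items():
        print(f"{case:16s} {action:8s} ({why})")
```

    The order matters operationally: an untrusted port whose hosts appear in none of the tables drops all their ARP traffic, which is the failure mode the configuration guidelines warn about, and a deny rule placed first overrides any binding.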
  • Page 479: Configuring Arp Packet Validity Check

    (Optional.) Configure the interface as a trusted interface excluded from ARP attack detection. Command: arp detection trust. Remarks: By default, an interface is untrusted.
    Configuring ARP packet validity check
    Enable validity check for ARP packets received on untrusted interfaces and specify the following objects to be checked: •...
  • Page 480: Enabling Arp Attack Detection Logging

    Configure user validity check before you configure ARP restricted forwarding.
    To enable ARP restricted forwarding:
    Step 1: Enter system view. Command: system-view
    Step 2: Enter VLAN view. Command: vlan vlan-id
    Step 3: Enable ARP restricted forwarding. Command: arp restricted-forwarding enable. Remarks: By default, ARP restricted forwarding is disabled.
    Enabling ARP attack detection logging
    The ARP attack detection logging feature enables a device to generate ARP attack detection log messages when illegal ARP packets are detected.
  • Page 481 Figure 132 Network diagram (Device A, the gateway and DHCP server with VLAN-interface 10 at 10.1.1.1/24, connects over XGE1/0/3 to XGE1/0/3 on Device B; Host A and Host B attach to Device B on XGE1/0/1 and XGE1/0/2 in VLAN 10.)
    Configuration procedure
    Add all interfaces on Device B to VLAN 10, and specify the IP address of VLAN-interface 10 on Device A.
  • Page 482: User Validity Check And Arp Packet Validity Check Configuration Example

    [DeviceB-Ten-GigabitEthernet1/0/3] quit After the configurations are completed, ARP packets received on interfaces Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 are checked against 802.1X entries. User validity check and ARP packet validity check configuration example Network requirements As shown in Figure 133, configure Device B to perform ARP packet validity check and user validity check based on static IP source guard bindings and DHCP snooping entries for connected hosts.
  • Page 483: Arp Restricted Forwarding Configuration Example

    [DeviceB-Ten-GigabitEthernet1/0/1] quit
    # Enable ARP attack detection for VLAN 10.
    [DeviceB] vlan 10
    [DeviceB-vlan10] arp detection enable
    # Configure the upstream interface as a trusted interface. By default, an interface is an untrusted interface.
    [DeviceB-vlan10] interface ten-gigabitethernet 1/0/3
    [DeviceB-Ten-GigabitEthernet1/0/3] arp detection trust
    [DeviceB-Ten-GigabitEthernet1/0/3] quit
    # Configure a static IP source guard binding entry on interface Ten-GigabitEthernet 1/0/2 for user validity check.
  • Page 484 Configuration procedure
    Configure VLAN 10, add interfaces to VLAN 10, and specify the IP address of VLAN-interface 10 on Device A. (Details not shown.)
    Configure the DHCP server on Device A, and configure DHCP address pool 0.
    <DeviceA> system-view
    [DeviceA] dhcp enable
    [DeviceA] dhcp server ip-pool 0
    [DeviceA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
    Configure Host A (DHCP client) and Host B.
  • Page 485: Configuring Arp Scanning And Fixed Arp

    [DeviceB-vlan10] quit After the configuration is completed, Device B forwards ARP broadcast requests from Host A to Device A through the trusted interface Ten-GigabitEthernet 1/0/3. Host B cannot receive such packets. Port isolation operates correctly. Configuring ARP scanning and fixed ARP ARP scanning is typically used together with the fixed ARP feature in small-scale networks.
  • Page 486: Configuration Guidelines

    When such an interface receives an ARP packet, it checks whether the sender IP address in the packet matches the IP address of any protected gateway. If it does, the interface discards the packet. Otherwise, it forwards the packet normally.
    Configuration guidelines
    Follow these guidelines when you configure ARP gateway protection: •...
  • Page 487: Configuring Arp Filtering

    Configuration procedure
    # Configure ARP gateway protection on Device B.
    <DeviceB> system-view
    [DeviceB] interface ten-gigabitethernet 1/0/1
    [DeviceB-Ten-GigabitEthernet1/0/1] arp filter source 10.1.1.1
    [DeviceB-Ten-GigabitEthernet1/0/1] quit
    [DeviceB] interface ten-gigabitethernet 1/0/2
    [DeviceB-Ten-GigabitEthernet1/0/2] arp filter source 10.1.1.1
    Verifying the configuration
    # Verify that Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 discard the incoming ARP packets whose sender IP address is the IP address of the gateway.
  • Page 488: Configuring Arp Sender Ip Address Checking

    Figure 136 Network diagram (Device A connects to XGE1/0/3 on Device B; Host A attaches to Device B on XGE1/0/1 and Host B on XGE1/0/2.)
    Configuration procedure
    # Configure ARP filtering on Device B.
    <DeviceB> system-view
    [DeviceB] interface ten-gigabitethernet 1/0/1
    [DeviceB-Ten-GigabitEthernet1/0/1] arp filter binding 10.1.1.2 000f-e349-1233
    [DeviceB-Ten-GigabitEthernet1/0/1] quit
    [DeviceB] interface ten-gigabitethernet 1/0/2
    [DeviceB-Ten-GigabitEthernet1/0/2] arp filter binding 10.1.1.3 000f-e349-1234
    Verifying the configuration
    # Verify that Ten-GigabitEthernet 1/0/1 permits ARP packets from Host A and discards other ARP...
  • Page 489 Step: Enter VLAN view. Command: vlan vlan-id
    Step: Enable the ARP sender IP address checking feature and specify the IP address range. Command: arp sender-ip-range start-ip-address end-ip-address. Remarks: By default, the ARP sender IP address checking feature is disabled.
  • Page 490: Configuring Nd Attack Defense

    Configuring ND attack defense Overview IPv6 Neighbor Discovery (ND) attack defense is able to identify forged ND messages to prevent ND attacks. The IPv6 ND protocol does not provide any security mechanisms and is vulnerable to network attacks. An attacker can send the following forged ICMPv6 messages to perform ND attacks: •...
  • Page 491: Configuring Nd Attack Detection

    The ND logging feature logs source MAC inconsistency events, and it sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see Network Management and Monitoring Configuration Guide.
  • Page 492: Configuration Guidelines

    Configuration guidelines Make sure one or more of the following features are configured to prevent ND untrusted interfaces from dropping all received ND messages: • IPv6 source guard static bindings. To make the bindings effective for ND attack detection, you must specify the vlan vlan-id option in the ipv6 source binding command, and enable ND attack detection for the same VLAN.
  • Page 493 Figure 137 Network diagram
    Configuration procedure
    Configure Device A:
    # Create VLAN 10.
    <DeviceA> system-view
    [DeviceA] vlan 10
    [DeviceA-vlan10] quit
    # Configure Ten-GigabitEthernet 1/0/3 to trunk VLAN 10.
    [DeviceA] interface ten-gigabitethernet 1/0/3
    [DeviceA-Ten-GigabitEthernet1/0/3] port link-type trunk
    [DeviceA-Ten-GigabitEthernet1/0/3] port trunk permit vlan 10
    [DeviceA-Ten-GigabitEthernet1/0/3] quit
    # Assign IPv6 address 10::1/64 to VLAN-interface 10.
  • Page 494: Configuring Ra Guard

    [DeviceB] interface ten-gigabitethernet 1/0/2
    [DeviceB-Ten-GigabitEthernet1/0/2] port link-type access
    [DeviceB-Ten-GigabitEthernet1/0/2] port access vlan 10
    [DeviceB-Ten-GigabitEthernet1/0/2] quit
    [DeviceB] interface ten-gigabitethernet 1/0/3
    [DeviceB-Ten-GigabitEthernet1/0/3] port link-type trunk
    [DeviceB-Ten-GigabitEthernet1/0/3] port trunk permit vlan 10
    [DeviceB-Ten-GigabitEthernet1/0/3] quit
    # Enable ND attack detection for VLAN 10.
    [DeviceB] vlan 10
    [DeviceB-vlan10] ipv6 nd detection enable
    # Enable ND snooping for IPv6 global unicast addresses and ND snooping for IPv6 link-local addresses in VLAN 10.
  • Page 495: Configuring An Ra Guard Policy

    Step Command Remarks Make sure your setting is consistent with the device type. Configuring an RA guard policy Configure an RA guard policy if you do not specify a role for the attached device or if you want to filter the RA messages sent by a router.
  • Page 496: Displaying And Maintaining Ra Guard

    more information about the information center, see Network Management and Monitoring Configuration Guide.
    To enable the RA guard logging feature:
    Step 1: Enter system view. Command: system-view
    Step 2: Enable the RA guard logging feature. Command: ipv6 nd raguard log enable. Remarks: By default, the RA guard logging...
  • Page 497 Configuration procedure
    # Create an RA guard policy named policy1.
    <DeviceB> system-view
    [DeviceB] ipv6 nd raguard policy policy1
    # Set the maximum router preference to high for the RA guard policy.
    [DeviceB-raguard-policy-policy1] if-match router-preference maximum high
    # Specify on as the M flag match criterion for the RA guard policy.
    [DeviceB-raguard-policy-policy1] if-match autoconfig managed-address-flag on
    # Specify on as the O flag match criterion for the RA guard policy.
  • Page 498 # Verify that the device drops RA messages received on Ten-GigabitEthernet 1/0/1. (Details not shown.) # Verify that the device forwards RA messages received on Ten-GigabitEthernet 1/0/3 to other ports in VLAN 10. (Details not shown.)
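    The policy evaluation behind policy1, as an added Python example (not HPE code): parse the fixed part of an ICMPv6 Router Advertisement, extract the M and O flags and the RFC 4191 router preference, and apply a policy with the same three match criteria. The rule that an RA is forwarded only when every configured criterion matches is an assumption about the policy semantics; the RA packets are constructed and carry a zero checksum.

```python
"""Added example (not HPE code): parse the ICMPv6 Router Advertisement header
and evaluate a policy like policy1 above (maximum router preference, M flag,
O flag). The 'all configured criteria must match, otherwise drop' rule is an
assumption; the ICMPv6 checksum is left zero in the constructed packets."""
from typing import Optional

ND_ROUTER_ADVERT = 134
# RFC 4191 Prf encoding (bits 4-3 of the flags byte); 0b10 is reserved and treated as medium
PRF_FROM_BITS = {0b01: "high", 0b00: "medium", 0b11: "low"}
PRF_RANK = {"low": 0, "medium": 1, "high": 2}


def build_ra(managed: bool, other: bool, prf: str, hop_limit: int = 64,
             router_lifetime: int = 1800) -> bytes:
    """Constructed RA: type, code, checksum(0), hop limit, flags, lifetime,
    reachable time, retrans timer (no options)."""
    bits = {v: k for k, v in PRF_FROM_BITS.items()}[prf]
    flags = (0x80 if managed else 0) | (0x40 if other else 0) | (bits << 3)
    return (bytes([ND_ROUTER_ADVERT, 0, 0, 0, hop_limit, flags])
            + router_lifetime.to_bytes(2, "big") + bytes(8))


def parse_ra(pkt: bytes) -> Optional[dict]:
    """Return RA fields, or None if this is not a well-formed RA."""
    if len(pkt) < 16 or pkt[0] != ND_ROUTER_ADVERT or pkt[1] != 0:
        return None
    flags = pkt[5]
    return {
        "hop_limit": pkt[4],
        "M": bool(flags & 0x80),
        "O": bool(flags & 0x40),
        "prf": PRF_FROM_BITS.get((flags >> 3) & 0b11, "medium"),
        "router_lifetime": int.from_bytes(pkt[6:8], "big"),
    }


class RaGuardPolicy:
    def __init__(self, name: str, max_pref: Optional[str] = None,
                 managed_flag: Optional[bool] = None, other_flag: Optional[bool] = None):
        self.name = name
        self.max_pref = max_pref          # if-match router-preference maximum ...
        self.managed_flag = managed_flag  # if-match autoconfig managed-address-flag ...
        self.other_flag = other_flag      # if-match autoconfig other-flag ...

    def decide(self, pkt: bytes) -> str:
        """'forward' or 'drop' for an RA; other ICMPv6 is not subject to RA guard."""
        ra = parse_ra(pkt)
        if ra is None:
            return "not-an-ra"
        if self.max_pref is not None and PRF_RANK[ra["prf"]] > PRF_RANK[self.max_pref]:
            return "drop"
        if self.managed_flag is not None and ra["M"] != self.managed_flag:
            return "drop"
        if self.other_flag is not None and ra["O"] != self.other_flag:
            return "drop"
        return "forward"


# policy1 from the procedure above, and a stricter preference-only policy for contrast
POLICY1 = RaGuardPolicy("policy1", max_pref="high", managed_flag=True, other_flag=True)
POLICY_MEDIUM = RaGuardPolicy("policy2", max_pref="medium")

if __name__ == "__main__":
    for m, o, p in ((True, True, "high"), (False, True, "high"), (True, True, "low")):
        pkt = build_ra(m, o, p)
        print(f"M={m} O={o} prf={p}: policy1={POLICY1.decide(pkt)} policy2={POLICY_MEDIUM.decide(pkt)}")
```

    A rogue RA from a host that advertises itself with high preference and stateless configuration (M off) is dropped by policy1 on both counts; note that the maximum-preference criterion alone does not stop a rogue router that simply advertises medium or low preference, which is why such policies are normally combined with the device-role setting from the previous step.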
  • Page 499: Configuring Urpf

    Configuring uRPF
    Overview
    Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as those used in DoS and DDoS attacks. An attacker sends packets with a forged source address to a system that relies on IP-based authentication, impersonating an authorized user or even the administrator. Even though the attacker (and the host whose address was forged) cannot receive the response packets, the attack still disrupts the target.
  • Page 500 Figure 140 uRPF work flow (flowchart; the decision points, in order, are: broadcast source address? all-zero source address? broadcast destination address? matching FIB entry found? default route found? loose uRPF? matching route is a direct route? receiving interface matches the output interface of the default route? A failed check discards the packet.)...
  • Page 501 If yes, uRPF proceeds to step 3. If no, uRPF proceeds to step 6. uRPF checks whether the check mode is loose: If yes, uRPF proceeds to step 8. If no, uRPF checks whether the matching route is a direct route: −...
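    The decision flow in Figure 140, as an added Python example (not HPE code) over a constructed FIB with longest-prefix lookup: the source-address sanity checks, the FIB match, the default-route decision, and the loose versus strict comparison of the route's output interface with the receiving interface. The direct-route branch of the flowchart and ECMP are not modelled, and the allow_default knob is an assumed name for the flowchart's default-route decision.

```python
"""Added example (not HPE code): the uRPF decision flow described above,
applied to a constructed FIB. The direct-route branch of the flowchart and
ECMP are not modelled; the 'allow_default' knob is an assumption named
after the flowchart's default-route decision."""
import ipaddress
from typing import List, Optional, Tuple

BROADCAST = ipaddress.IPv4Address("255.255.255.255")
UNSPECIFIED = ipaddress.IPv4Address("0.0.0.0")


class Fib:
    def __init__(self) -> None:
        self.routes: List[Tuple[ipaddress.IPv4Network, str]] = []

    def add(self, prefix: str, out_iface: str) -> None:
        self.routes.append((ipaddress.IPv4Network(prefix), out_iface))

    def lookup(self, addr: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
        """Longest-prefix match."""
        a = ipaddress.IPv4Address(addr)
        best = None
        for net, iface in self.routes:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best


def urpf_check(fib: Fib, src: str, dst: str, in_iface: str,
               mode: str = "strict", allow_default: bool = False) -> Tuple[str, str]:
    """Return ('forward'|'drop', reason) for one incoming packet."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if s == BROADCAST:
        return "drop", "broadcast source address"
    if s == UNSPECIFIED:
        if d == BROADCAST:
            return "forward", "all-zero source to broadcast (DHCP discovery)"
        return "drop", "all-zero source address"
    match = fib.lookup(src)
    if match is None:
        return "drop", "no FIB entry for the source"
    net, out_iface = match
    if net.prefixlen == 0:                       # only the default route matched
        if not allow_default:
            return "drop", "only the default route matches the source"
        if mode == "loose":
            return "forward", "loose check, default route allowed"
        if out_iface == in_iface:
            return "forward", "default route points to the receiving interface"
        return "drop", "default route exits via another interface"
    if mode == "loose":
        return "forward", "loose check, a route to the source exists"
    if out_iface == in_iface:
        return "forward", "strict check, route to the source matches the receiving interface"
    return "drop", "strict check, route to the source exits via another interface"


def demo() -> dict:
    """Constructed FIB: a customer prefix behind XGE1/0/1, a more specific
    subnet behind XGE1/0/2, and a default route towards the upstream ISP."""
    fib = Fib()
    fib.add("10.1.0.0/16", "XGE1/0/1")
    fib.add("10.1.5.0/24", "XGE1/0/2")
    fib.add("0.0.0.0/0", "XGE1/0/3")
    return {
        "customer_ok": urpf_check(fib, "10.1.1.5", "203.0.113.1", "XGE1/0/1"),
        "spoofed_from_wrong_port": urpf_check(fib, "10.1.1.5", "203.0.113.1", "XGE1/0/2"),
        "loose_wrong_port": urpf_check(fib, "10.1.1.5", "203.0.113.1", "XGE1/0/2", mode="loose"),
        "longest_prefix": urpf_check(fib, "10.1.5.9", "203.0.113.1", "XGE1/0/2"),
        "default_only": urpf_check(fib, "198.51.100.7", "10.1.1.5", "XGE1/0/3"),
        "default_allowed": urpf_check(fib, "198.51.100.7", "10.1.1.5", "XGE1/0/3", allow_default=True),
        "bcast_src": urpf_check(fib, "255.255.255.255", "10.1.1.5", "XGE1/0/1"),
        "dhcp_discover": urpf_check(fib, "0.0.0.0", "255.255.255.255", "XGE1/0/1"),
    }


if __name__ == "__main__":
    for case, (action, why) in demo().items():
        print(f"{case:24s} {action:8s} {why}")
```

    The contrast between spoofed_from_wrong_port and loose_wrong_port is the whole reason the network application section puts strict mode on the customer edge and loose mode between ISPs: strict mode catches a customer spoofing another customer's prefix, while loose mode tolerates the asymmetric routing that is normal between providers and only rejects sources with no route at all.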
  • Page 502: Network Application

    Network application
    Figure 141 Network diagram (the User network attaches to ISP A with strict uRPF; ISP A peers with ISP B and ISP C with loose uRPF.)
    As shown in Figure 141, strict uRPF check is configured between an ISP network and a customer network. Loose uRPF check is configured between ISPs.
    Enabling uRPF
    uRPF checks only incoming packets on interfaces.
  • Page 503: Global Urpf Configuration Example

    Display uRPF configuration. Command: display ip urpf [ slot slot-number ]
    Global uRPF configuration example
    Network requirements
    As shown in Figure 142, a client (Switch A) directly connects to an ISP switch (Switch B). To prevent source address spoofing attacks, perform the following tasks: •...
  • Page 504: Configuring Crypto Engines

    Configuring crypto engines Overview Crypto engines encrypt and decrypt data for service modules. Crypto engines include the following types: • Hardware crypto engines—A hardware crypto engine is a coprocessor integrated on a CPU or hardware crypto card. Hardware crypto engines can accelerate encryption/decryption speed, which improves device processing efficiency.
  • Page 505: Configuring Fips

    Configuring FIPS
    Overview
    Federal Information Processing Standards (FIPS) are published by the National Institute of Standards and Technology (NIST) of the United States. FIPS 140-2 specifies the requirements for cryptographic modules and defines four levels of security, named Level 1 to Level 4, from low to high.
  • Page 506: Configuring Fips Mode

    e. Delete the local user and configure a new local user. Local user attributes include password, user role, and service type. f. Save the current configuration file. g. Specify the current configuration file as the startup configuration file. h. Reboot the device. The new configuration takes effect after the reboot. During this process, do not exit the system or perform other operations.
  • Page 507: Configuration Changes In Fips Mode

    A password that complies with the password control policies as described in step 2 and step 3. A user role of network-admin. A service type of terminal. Delete the FIPS-incompliant local user service types Telnet, HTTP, and FTP. Enable FIPS mode. Select the manual reboot method.
  • Page 508: Exiting Fips Mode

    The password for a device management local user and password for switching user roles depend on password control policies. By default, the passwords must contain at least 15 characters and 4 character types of uppercase and lowercase letters, digits, and special characters.
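    The password control policy quoted above (at least 15 characters and all four character types) together with the rule from the FIPS login example that a new password must differ from the previous one, as an added Python checker (not HPE code). It assumes that "special characters" means ASCII punctuation; the sample passwords are constructed, except the one that appears in the configuration examples of this chapter.

```python
"""Added example (not HPE code): a checker for the FIPS-mode password policy
quoted above (minimum 15 characters, all four character types) plus the
'must differ from the previous password' rule from the login example. The
'special characters' set is assumed to be ASCII punctuation."""
import string
from typing import List, Optional

CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def password_violations(pw: str, previous: Optional[str] = None,
                        min_length: int = 15, min_types: int = 4) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems: List[str] = []
    if len(pw) < min_length:
        problems.append(f"length {len(pw)} < {min_length}")
    present = {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}
    if len(present) < min_types:
        missing = sorted(set(CLASSES) - present)
        problems.append(f"only {len(present)} character types, missing: {', '.join(missing)}")
    if previous is not None and pw == previous:
        problems.append("new password must differ from the previous password")
    return problems


def is_acceptable(pw: str, previous: Optional[str] = None) -> bool:
    return not password_violations(pw, previous)


if __name__ == "__main__":
    samples = ("12345zxcvb!@#$%ZXCVB",      # the password used in the FIPS examples
               "Short1!",                   # constructed: too short
               "alllowercase12345!!",       # constructed: no uppercase letter
               "Tr0ub4dor&3-Correct")       # constructed: acceptable
    for candidate in samples:
        print(f"{candidate!r}: {password_violations(candidate) or 'OK'}")
```

    Reporting every violation at once, rather than stopping at the first, is what an operator wants when the device rejects a password during the FIPS-mode login prompt described in the next section.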
  • Page 509: Power-Up Self-Tests

    NOTE: If a self-test fails, contact Hewlett Packard Enterprise Support. Power-up self-tests The power-up self-test examines the availability of FIPS-allowed cryptographic algorithms. The device supports the following types of power-up self-tests: • Known-answer test (KAT) A cryptographic algorithm is run on data for which the correct output is already known. The calculated output is compared with the known answer.
  • Page 510: Triggering Self-Tests

    • Continuous random number generator test—This test is run when a random number is generated. Each subsequent generation of a random number will be compared with the previously generated number. The test fails if any two compared numbers are the same. This test can also be run when a DSA/RSA asymmetrical key-pair is generated.
  • Page 511: Entering Fips Mode Through Manual Reboot

    Verifying the configuration After the device reboots, enter a username of root and a password of 12345zxcvb!@#$%ZXCVB. The system prompts you to configure a new password. After you configure the new password, the device enters FIPS mode. The new password must be different from the previous password. It must include at least 15 characters, and contain uppercase and lowercase letters, digits, and special characters.
  • Page 512 # Set the minimum length of user passwords to 15 characters.
    [Sysname] password-control length 15
    # Add a local user account for device management, including a username of test, a password of 12345zxcvb!@#$%ZXCVB, a user role of network-admin, and a service type of terminal.
    [Sysname] local-user test class manage
    [Sysname-luser-manage-test] password simple 12345zxcvb!@#$%ZXCVB
    [Sysname-luser-manage-test] authorization-attribute user-role network-admin...
  • Page 513: Exiting Fips Mode Through Automatic Reboot

    # Display the FIPS mode state.
    <Sysname> display fips status
    FIPS mode is enabled.
    Exiting FIPS mode through automatic reboot
    Network requirements
    A user has logged in to the device in FIPS mode through a console port. Use the automatic reboot method to exit FIPS mode.
    Configuration procedure
    # Disable FIPS mode.
  • Page 514 flash:/startup.cfg exists, overwrite? [Y/N]:y
    Validating file. Please wait...
    Saved the current configuration to mainboard device successfully.
    [Sysname] quit
    # Delete the startup configuration file in binary format.
    <Sysname> delete flash:/startup.mdb
    Delete flash:/startup.mdb?[Y/N]:y
    Deleting file flash:/startup.mdb...Done.
    # Reboot the device.
    <Sysname> reboot
    Verifying the configuration
    After the device reboots, enter a username of test and a password of 12345zxcvb!@#$%ZXCVB to enter non-FIPS mode.
  • Page 515: Document Conventions And Icons

    Document conventions and icons Conventions This section describes the conventions used in the documentation. Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown.
  • Page 516: Network Topology Icons

    Network topology icons Convention Description Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 517: Support And Other Resources

    Support and other resources Accessing Hewlett Packard Enterprise Support • For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance • To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc Information to collect •...
  • Page 518: Websites

    For more information and device support details, go to the following website: www.hpe.com/info/insightremotesupport/docs Documentation feedback Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title,...
  • Page 519 part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
  • Page 520: Index

  • Page 540 server IP address, attack D&P login delay, server SSH user authentication, attack D&P login dictionary attack, server timeout period, password expired login, troubleshooting, password user first login, troubleshooting authentication failure, password user login attempt limit, user attribute, password user login control, versions, RADIUS Login-Service attribute, Lightweight Directory Access Protocol.
  • Page 541 static IPv6 source guard (IPv6SG) maintaining configuration, 802.1X, troubleshooting port security secure MAC AAA HWTACACS, addresses, AAA RADIUS, MAC authentication ARP attack detection, ACL assignment, 118, attack D&P, authorization VLAN, crypto engine, concurrent port users max, IP source guard (IPSG), configuration, 115, 119, IPsec, critical VLAN,...
  • Page 542 PKI online, IPsec IKEv2 keepalive, port security, port security authentication control, portal authentication client ND entry conversion, port security autoLearn MAC learning control, ND attack defense port security MAC learning control, configuration, port security MAC learning control configuring ND attack detection, autoLearn, configuring RA guard, port security MAC learning control secure,...
  • Page 543 802.1X guest VLAN, 81, ARP attack detection packet validity check, 802.1X guest VLAN assignment delay, ARP attack detection restricted forwarding, 802.1X guest VLAN configuration, ARP attack detection restricted forwarding configuration, 802.1X keep-online, ARP attack detection user validity 802.1X manual reauthentication, check, 465, 802.1X online user handshake, ARP attack protection (unresolvable IP...
  • Page 544 IPsec IKE configuration (main MAC authentication redirect URL mode+pre-shared key authentication), assignment, IPsec IKE SNMP notification, MAC authentication timer, IPsec implementation, MAC authentication user account format, IPsec IPv6 routing protocol profile MAC authentication user profile assignment, (manual), MAC authentication VLAN assignment, IPsec IPv6 routing protocols, MAC-based quick portal authentication, IPsec packet DF bit,...
  • Page 545 portal authentication BAS-IP, SSH SCP client device, portal authentication client, SSH SCP configuration, portal authentication client ARP entry SSH SCP configuration (Suite B), conversion, SSH SCP file transfer+password portal authentication client ND entry authentication, conversion, SSH SCP server connection establishment, portal authentication detection, SSH SCP server connection establishment based portal authentication domain,...
  • Page 546 SSL server policy configuration, IPsec SNMP notification, static IPv4 source guard (IPv4SG) port security SNMP notification, configuration, static IPv6 source guard (IPv6SG) ntkonly mode, configuration, ntk-withbroadcasts mode, TCP Naptha attack prevention, ntk-withmulticasts mode, uRPF application, port security feature, uRPF check modes, numbering uRPF enable, IPsec IKE SA max,...
  • Page 547 ARP packet source MAC consistency configuring SSH management parameters, check, password control parameters (global), ARP sender IP address checking, password control parameters (local user), attack D&P TCP fragment attack password control parameters (super), prevention, password control parameters (user group), global uRPF configuration, password IPsec ACL de-encapsulated packet SSH password authentication,...
  • Page 548 attack D&P defense policy (flood attack), applications, attack D&P defense policy (scanning attack), architecture, attack D&P defense policy (single-packet attack), CA digital certificate, attack D&P defense policy creation, CA policy, IPsec application to interface, certificate export, IPsec configuration (manual), certificate import/export configuration, IPsec IKEv2 configuration, certificate obtain, IPsec policy (IKE-based/direct),...
  • Page 549 portal authentication server detection+user troubleshoot secure MAC addresses, synchronization configuration, portal authentication re-DHCP portal authentication AAA server, configuration, access device, security. See port security authenticated user redirection, port security authentication destination subnet, 802.1X access control method, authentication server, 802.1X authentication, authentication source subnet, 802.1X authentication configuration, BAS-IP,...
  • Page 550 policy server, applying portal authentication interface NAS-ID profile, portal authorization strict-checking mode, authenticating with 802.1X EAP relay, portal user preauthentication IP address pool, authenticating with 802.1X EAP termination mode, portal-free rule configuration, binding IPsec source interface to policy, post request rules, changing AAA RADIUS packet DSCP priority, process, configuring 802.1X,...
  • Page 551 configuring AAA RADIUS attribute 31 MAC configuring attack D&P defense policy (DNS flood address format, attack), configuring AAA RADIUS attribute configuring attack D&P defense policy (FIN flood translation, attack), configuring AAA RADIUS DAE server, configuring attack D&P defense policy (flood attack), configuring AAA RADIUS Login-Service attribute check method,...
  • Page 552 configuring IPsec for IPv6 routing configuring MAC authentication (local), protocols, configuring MAC authentication configuring IPsec fragmentation, (RADIUS-based), configuring IPsec IKE, configuring MAC authentication ACL assignment, configuring IPsec IKE (main mode+pre-shared key authentication), configuring MAC authentication critical VLAN, configuring IPsec IKE DPD, configuring MAC authentication delay, configuring IPsec IKE global identity information,...
  • Page 553 configuring port security secure MAC configuring SSH management parameters, addresses, configuring SSH SCP client device, configuring portal authentication, configuring SSH SCP file+password configuring portal authentication destination authentication, subnet, configuring SSH Secure Telnet client (password configuring portal authentication authentication-enabled), detection, configuring SSH Secure Telnet client (publickey configuring portal authentication authentication-enabled), fail-permit,...
  • Page 554 displaying FIPS, enabling NETCONF-over-SSH, displaying host public key, enabling parallel processing with 802.1X authentication, displaying IP source guard (IPSG), enabling password control, displaying IPsec, enabling port security, displaying IPsec IKE, enabling port security displaying IPsec IKEv2, authorization-fail-offline, displaying IPv4 source guard (IPv4SG), enabling port security MAC move, displaying IPv6 source guard (IPv6SG), enabling port security SNMP notification,...
  • Page 555 implementing ACL-based IPsec, setting AAA RADIUS traffic statistics unit, importing peer host public key from file, setting AAA RADIUS username format, importing public key from file, setting IPsec tunnel max, importing SSH client host public key, setting MAC authentication concurrent port users max, interpreting AAA RADIUS class attribute as CAR parameter,...
  • Page 556 specifying portal user preauthentication IP troubleshooting portal authentication cannot log address pool, out users (access device), specifying SSH Secure Telnet packet source troubleshooting portal authentication no page IP address, pushed for users, specifying SSH server PKI domain, troubleshooting portal authentication users cannot log in (re-DHCP), specifying SSH SFTP packet source IP address,...
  • Page 557 AAA LDAP, 9, RA guard policy AAA RADIUS, 2, displaying, IPsec, maintaining, IPsec IKE, RADIUS IPsec IKEv2, 802.1X EAP over RADIUS, IPsec IPv6 routing protocols 802.1X EAP relay enable, configuration, 802.1X EAP termination enable, IPsec security protocol 50 (ESP), 802.1X RADIUS EAP-Message attribute, IPsec security protocol 51 (AH), 802.1X RADIUS Message-Authentication SSL configuration, 419,...
  • Page 558 server load sharing, dynamic IPv4 source guard (IPv4SG)+DHCP relay agent configuration, server status, dynamic IPv6 source guard (IPv6SG)+DHCPv6 server status detection test profile, relay agent configuration, session-control, remote shared keys, 802.1X authorization VLAN, SNMP notification enable, AAA remote accounting method, SSH user authentication+authorization, AAA remote authentication, SSH user local authentication+HWTACACS...
  • Page 559 802.1X+EAD assistant configuration (DHCP attack D&P device-preventable attacks, server), scheme IPsec IPv6 routing protocol profile AAA, (manual), AAA HWTACACS, IPsec IPv6 routing protocols AAA HWTACACS scheme VPN instance, configuration, AAA LDAP, SSH configuration, AAA LDAP scheme creation, SSH server configuration, AAA RADIUS configuration, AAA RADIUS scheme VPN instance, host public key display,...
  • Page 560 802.1X Auth-Fail VLAN, 82, AAA LDAP server SSH user authentication, 802.1X authorization VLAN, AAA local user, 802.1X authorization VLAN configuration, AAA MPLS L3VPN implementation, 802.1X basic configuration, AAA protocols and standards, 802.1X concurrent port users max, AAA RADIUS attribute translation, 802.1X critical VLAN, 83, AAA RADIUS attributes, 802.1X critical voice VLAN, 85,...
  • Page 561 attack D&P configuration, 425, 428, FIPS mode system changes, attack D&P configuration (device FIPS self-test, application), fixed ARP configuration, attack D&P defense policy, fixed ARP configuration restrictions, attack D&P detection exemption, global uRPF configuration, attack D&P device-preventable attacks, host public key export, attack D&P display, IP, 299, See also IPsec...
  • Page 562 IPv6 source guard (IPv6SG) static binding password control parameters (super), configuration, password control parameters (user group), keychain configuration, 250, password event logging, keychain display, password expiration, 240, local host public key distribution, password history, local key pair creation, password not displayed, local key pair destruction, password setting, MAC authentication, 119,...
  • Page 563 portal authentication public key management, 256, configuration, 136, 143, RA guard, portal authentication detection, re-DHCP portal authentication configuration, portal authentication display, re-DHCP portal authentication+preauthentication portal authentication domain, domain configuration, portal authentication EAP support, Secure Telnet client local key pair generation, portal authentication enable, Secure Telnet client user line, portal authentication enable restrictions,...
  • Page 564 SSH SFTP files, troubleshooting PKI local certificate failure, SSH SFTP help information display, troubleshooting PKI local certificate import failure, SSH SFTP packet source IP address, troubleshooting PKI local certificate request SSH SFTP server configuration (password failure, authentication-enabled), troubleshooting PKI storage path set failure, SSH SFTP server connection establishment, uRPF configuration,...
  • Page 565 setting server connection establishment based on Suite 802.1X authentication attempts max number for MAC authenticated users, server connection termination, 802.1X authentication request attempts server enable, max, SSH application, 802.1X authentication timeout timers, SSH management parameters, 802.1X concurrent port users max, shared key 802.1X port authorization state, AAA HWTACACS,...
  • Page 566 access device ID, SCP, MAC authentication domain, SCP client device, PKI storage path, SCP client local key pair generation, portal authentication domain, SCP configuration, portal authentication MAC binding server SCP configuration (Suite B), (interface), SCP file transfer+password authentication, portal authentication NAS-Port-ID attribute SCP server connection establishment, format, SCP server connection establishment based on...
  • Page 567 SSH2 algorithms (encryption), cross-subnet portal authentication configuration, SSH2 algorithms (key exchange), extended cross-subnet portal authentication SSH2 algorithms (MAC), configuration, SSH2 algorithms (public key), portal authentication cross-subnet mode, support for Suite B, portal authentication destination subnet, user configuration, portal authentication direct/cross-subnet user configuration restrictions, authentication process (CHAP/PAP versions,...
  • Page 568 FIPS mode exit (manual reboot), SSH Secure Telnet server configuration (password authentication-enabled), FIPS mode system changes, SSH Secure Telnet server configuration IPsec authentication, (publickey authentication-enabled), IPsec configuration, SSH Secure Telnet server connection IPsec encryption, establishment, IPsec IKE configuration, 326, 328, SSH Secure Telnet server connection IPsec IKE global identity information, establishment based on Suite B,...
  • Page 569 AAA RADIUS SNMP notification, tunnel IPsec IKE SNMP notification, IPsec tunnel max, IPsec SNMP notification, tunneling port security SNMP notification, IPsec configuration, 299, triggering IPsec encapsulation tunnel mode, 802.1X authentication trigger, IPsec RIPng configuration, FIPS self-test, IPsec tunnel establishment, troubleshooting IPsec tunnel for IPv4 packets (IKE-based), AAA HWTACACS, IPsec tunnel for IPv4 packets (manual),...
  • Page 570 direct portal authentication+preauthentication password event logging, domain configuration, password expiration, 240, port security client userLoginWithOUI, password expired login, port security userLogin 802.1X authentication password history, mode, password max user account idle time, port security userLoginSecure 802.1X password not displayed, authentication mode, password setting, port security userLoginSecureExt 802.1X password updating, 240,...
  • Page 571 802.1X VLAN manipulation, portal authentication local portal Web server, 138, 162, 802.1X+ACL assignment configuration, portal authentication local portal Web server page IP source guard (IPSG) customization, configuration, 443, 444, portal authentication local portal Web MAC authentication authorization VLAN, server+client interaction protocols, MAC authentication critical VLAN, portal authentication redirect, MAC authentication critical VLAN...