HPE FlexNetwork 7500 Series Security Configuration Manual

HPE FlexNetwork 7500 Switch Series
Security Configuration Guide
Part number: 5998-7485R
Software version: 7500-CMW710-R7178
Document version: 6W100-20160129

Summary of Contents for HPE FlexNetwork 7500 Series

  • Page 2 © Copyright 2016 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table Of Contents

    Contents: Configuring AAA (1); Overview (1); RADIUS (2); HWTACACS (7); LDAP (9); AAA implementation on the device (11); AAA for MPLS L3VPNs (13); Protocols and standards (13); RADIUS attributes (14); FIPS compliance (17); AAA configuration considerations and task list ...
  • Page 4 802.1X VLAN manipulation (76); Authorization VLAN (76); Guest VLAN (78); Auth-Fail VLAN (79); Critical VLAN (80); Using 802.1X authentication with other features (82); ACL assignment (82); EAD assistant (82); Redirect URL assignment (83); SmartOn ...
  • Page 5 User account policies (114); Authentication methods (114); VLAN assignment (115); ACL assignment (116); Redirect URL assignment (117); Periodic MAC reauthentication (117); Configuration prerequisites (117); General guidelines and restrictions (117); Configuration task list (118); Enabling MAC authentication ...
  • Page 6 Configuring portal Web server detection (149); Configuring portal user synchronization (150); Configuring the portal fail-permit feature (150); Configuring BAS-IP for portal packets sent to the portal authentication server (151); Applying a NAS-ID profile to an interface (152); Configuring the local portal Web server feature ...
  • Page 7 FIPS compliance (215); Password control configuration task list (215); Enabling password control (215); Setting global password control parameters (216); Setting user group password control parameters (217); Setting local user password control parameters (218); Setting super password control parameters (218); Displaying and maintaining password control ...
  • Page 8 Verifying certificates without CRL checking (250); Specifying the storage path for the certificates and CRLs (251); Exporting certificates (251); Removing a certificate (252); Configuring a certificate-based access control policy (252); Displaying and maintaining PKI (253); PKI configuration examples ...
  • Page 9 Specifying MAC algorithms for SSH2 (298); Displaying and maintaining SSH (298); Stelnet configuration examples (298); Password authentication enabled Stelnet server configuration example (298); Publickey authentication enabled Stelnet server configuration example (301); Password authentication enabled Stelnet client configuration example (306); Publickey authentication enabled Stelnet client configuration example ...
  • Page 10 Configuring ARP restricted forwarding (358); Enabling ARP detection logging (359); Displaying and maintaining ARP detection (359); User validity check configuration example (359); User validity check and ARP packet validity check configuration example (361); Configuring ARP scanning and fixed ARP (362); Configuration restrictions and guidelines ...
  • Page 11 TCP fragment attack (390); Login DoS attack (390); Login dictionary attack (390); Blacklist feature (390); Attack detection and prevention configuration task list (391); Configuring an attack defense policy (391); Creating an attack defense policy (391); Configuring a single-packet attack defense policy ...
  • Page 12 Displaying and maintaining MFF (426); MFF configuration examples (426); Auto-mode MFF configuration example in a tree network (426); Auto-mode MFF configuration example in a ring network (428); Manual-mode MFF configuration example in a tree network (430); Manual-mode MFF configuration example in a ring network ...
  • Page 13: Configuring AAA

    Configuring AAA. Overview: Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. This feature specifies the following security functions: • Authentication—Identifies users and verifies their validity. • Authorization—Grants different users different rights, and controls the users' access to resources and services.
  • Page 14: RADIUS

    RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. The protocol can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access.
  • Page 15 Basic RADIUS packet exchange process: Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server. Figure 3 Basic RADIUS packet exchange process. RADIUS uses the following workflow: The host sends a connection request that includes the user's username and password to the RADIUS client.
  • Page 16 Figure 4 RADIUS packet format Descriptions of the fields are as follows: • The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main values and their meanings. Table 1 Main values of the Code field Packet type Description From the client to the server.
  • Page 17 Type—Type of the attribute. Length—Length of the attribute in bytes, including the Type, Length, and Value subfields. Value—Value of the attribute. Its format and content depend on the Type subfield. Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868.
  • Page 18 Attribute table (two columns, attribute numbers not recovered). First column: NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Link, Framed-AppleTalk-Network, Framed-AppleTalk-Zone, Acct-Status-Type, Acct-Delay-Time, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id. Second column: EAP-Message, Message-Authenticator, Tunnel-Private-Group-id, Tunnel-Assignment-id, Tunnel-Preference, ARAP-Challenge-Response, Acct-Interim-Interval, Acct-Tunnel-Packets-Lost, NAS-Port-Id, Framed-Pool, (unassigned), Tunnel-Client-Auth-id, Tunnel-Server-Auth-id. Extended RADIUS attributes: The RADIUS protocol features excellent extensibility. The Vendor-Specific attribute (attribute 26) allows a vendor to define extended attributes.
  • Page 19: HWTACACS

    HWTACACS HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for VPDN and terminal users. In a typical HWTACACS scenario, terminal users need to log in to the NAS.
  • Page 20 Figure 6 Basic HWTACACS packet exchange process for a Telnet user (parties: Host, HWTACACS client, HWTACACS server): 1) The user tries to log in. 2) Start-authentication packet. 3) Authentication response requesting the username. 4) Request for username. 5) The user enters the username. 6) Continue-authentication packet with the username. 7) Authentication response requesting the password. 8) Request for password...
  • Page 21: LDAP

    10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password. 11. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication. 12.
  • Page 22 Uses the LDAP server administrator DN to bind with the LDAP server. After the binding is created, the client establishes a connection to the server and obtains the right to search. Constructs search conditions by using the username in the authentication information of a user. The specified root directory of the server is searched and a user DN list is generated.
  • Page 23: AAA Implementation On The Device

    After receiving the request, the LDAP server searches for the user DN by the base DN, search scope, and filtering conditions. If a match is found, the LDAP server sends a response to notify the LDAP client of the successful search. There might be one or more user DNs found. The LDAP client uses the obtained user DN and the entered user password as parameters to send a user DN bind request to the LDAP server, which checks whether the user password is correct.
  • Page 24 AAA methods AAA supports configuring different authentication, authorization, and accounting methods for different types of users in an ISP domain. The NAS determines the ISP domain and access type of a user. The NAS also uses the methods configured for the access type in the domain to control the user's access.
  • Page 25: AAA For MPLS L3VPNs

    command authorization is enabled, command accounting enables the accounting server to record all authorized commands. For more information about command accounting, see Fundamentals Configuration Guide. • User role authentication—Authenticates each user who wants to obtain another user role without logging out or getting disconnected. For more information about user role authentication, see Fundamentals Configuration Guide.
  • Page 26: RADIUS Attributes

    Calling-Station-Id: User identification that the NAS sends to the server. For the LAN access service provided by an HPE device, this attribute includes the MAC address of the user in the format HHHH-HHHH-HHHH. NAS-Identifier: Identification that the NAS uses to identify itself to the RADIUS server.
  • Page 27 Attribute / Description: Acct-Authentic: Authentication method used by the user. Possible values include: 1—RADIUS; 2—Local; 3—Remote. CHAP-Challenge: CHAP challenge generated by the NAS for MD5 calculation during CHAP authentication. Type of the physical port of the NAS that is authenticating the user. Possible values include: •...
  • Page 28 Subattribute / Description: Command: Operation for the session, used for session control. Possible values include: 1—Trigger-Request; 2—Terminate-Request; 3—SetPolicy; 4—Result; 5—PortalClear. Identification for retransmitted packets. For retransmitted packets from the same session, this attribute must be the same value. For retransmitted packets from different sessions, this attribute does not have to be the same value.
  • Page 29: FIPS Compliance

    Subattribute / Description: Output-Interval-Gigaword: Amount of bytes output within an accounting interval, in units of 4G bytes. Backup-NAS-IP: Backup source IP address for sending RADIUS packets. User-defined attribute pair. Available attribute pairs include: • Dynamically assigned WEP key in the format of leap:session-key=xxx.
  • Page 30: Configuring AAA Schemes

    Figure 10 AAA configuration procedure (flowchart): Local AAA: configure local users and related attributes. Configure AAA methods for different types of users and/or the default methods for all types of users. Authentication method: none / local (the default) / scheme. Branches: No AAA; Create an ISP domain and enter ISP domain view...
  • Page 31 the device. A local user is uniquely identified by the combination of a username and a user type. Local users are classified into the following types: • Device management user—User who logs in to the device for device management. • Network access user—User who accesses network resources through the device.
  • Page 32 • When you use the password-control enable command to globally enable the password control feature, local user passwords are not displayed. • You can configure authorization attributes and password control attributes in local user view or user group view. The setting in local user view takes precedence over the setting in user group view.
  • Page 33: Configuring User Group Attributes

    Step / Command / Remarks: Remarks: The following default settings apply: • FTP, SFTP, and SCP users have the root directory of the NAS set as the working directory. However, the users do not have permission to access the root directory. •... Command: authorization-attribute { acl ...
  • Page 34 By default, every new local user belongs to the default user group system and has all attributes of the group. To assign a local user to a different user group, use the group command in local user view. To configure user group attributes: Step Command Remarks...
  • Page 35: Configuring RADIUS Schemes

    Configuring RADIUS schemes A RADIUS scheme specifies the RADIUS servers that the device can work with and defines a set of parameters. The device uses the parameters to exchange information with the RADIUS servers, including the server IP addresses, UDP port numbers, shared keys, and server types. Configuration task list Tasks at a glance (Optional.)
  • Page 36 • The RADIUS server is manually set to the blocked state. • The RADIUS scheme is deleted. To configure a test profile for RADIUS server status detection (Step / Command / Remarks): Enter system view: system-view. Configure a test profile for detecting the status of RADIUS servers: radius-server test-profile profile-name username name... By default, no test profiles exist.
  • Page 37 Step / Command / Remarks: • Specify the primary RADIUS authentication server: primary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | ... By default, no authentication server is specified. To support server status detection, specify an existing test profile for the RADIUS authentication server.
  • Page 38 Step / Command / Remarks: • Specify the primary RADIUS accounting server: primary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance ... By default, no accounting server is specified. Two accounting servers in a scheme, primary or secondary, cannot have the...
  • Page 39 Step / Command / Remarks: Specify a VPN for the RADIUS scheme: vpn-instance vpn-instance-name. By default, a RADIUS scheme belongs to the public network. Setting the username format and traffic statistics units: A username is in the userid@isp-name format, where the isp-name argument represents the user's ISP domain name.
  • Page 40 Setting the status of RADIUS servers To control the RADIUS servers with which the device communicates when the current servers are no longer available, set the status of RADIUS servers to blocked or active. You can specify one primary RADIUS server and multiple secondary RADIUS servers. The secondary servers act as the backup of the primary server.
  • Page 41 Step / Command / Remarks: Enter system view: system-view. Enter RADIUS scheme view: radius scheme radius-scheme-name. • Set the status of the primary RADIUS authentication server: state primary authentication { active | block }. • Set the status of the primary RADIUS accounting server: state primary accounting { active ... By default, every server specified in a RADIUS...
  • Page 42 receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS. • If it is the IP address of a managed NAS, the server processes the packet. •...
  • Page 43 • Realtime accounting timer (realtime-accounting)—Defines the interval at which the device sends realtime accounting packets to the RADIUS accounting server for online users. When you set RADIUS timers, follow these guidelines: • When you configure the maximum number of RADIUS packet transmission attempts and the RADIUS server response timeout timer, consider the number of secondary servers.
  • Page 44 Step / Command / Remarks: Enable accounting-on: accounting-on enable [ interval seconds | send send-times ] *. By default, the accounting-on feature is disabled. Configuring the IP addresses of the security policy servers: The NAS verifies the validity of received control packets and accepts only control packets from known servers.
  • Page 45: Configuring HWTACACS Schemes

    • RADIUS server unreachable notification—The RADIUS server cannot be reached. RADIUS generates this notification if it does not receive a response to an accounting or authentication request within the specified number of RADIUS request transmission attempts. • RADIUS server reachable notification—The RADIUS server can be reached. RADIUS generates this notification for a previously blocked RADIUS server after the quiet timer expires.
  • Page 46 Creating an HWTACACS scheme Create an HWTACACS scheme before performing any other HWTACACS configurations. You can configure up to 16 HWTACACS schemes. An HWTACACS scheme can be referenced by multiple ISP domains. To create an HWTACACS scheme: Step Command Remarks Enter system view.
  • Page 47 Step / Command / Remarks: Enter system view: system-view. Enter HWTACACS scheme view: hwtacacs scheme hwtacacs-scheme-name. • Specify the primary HWTACACS authorization server: primary authorization { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | ... By default, no authorization server is specified.
  • Page 48 Specifying the shared keys for secure HWTACACS communication The HWTACACS client and server use the MD5 algorithm and shared keys to generate the Authenticator value for packet authentication and user password encryption. The client and server must use the same key for each type of communication. Perform this task to configure shared keys for servers in an HWTACACS scheme.
  • Page 49 Step / Command / Remarks: Enter HWTACACS scheme view: hwtacacs scheme hwtacacs-scheme-name. Set the format of usernames sent to the HWTACACS servers: user-name-format { keep-original | with-domain | without-domain }. By default, the ISP domain name is included in a username. (Optional.) Set the data flow ...: data-flow-format { data { byte | giga-byte | kilo-byte | ... By default, traffic is counted in...
  • Page 50 Step / Command / Remarks: Specify the source IP address of outgoing HWTACACS packets: nas-ip { ipv4-address | ipv6 ipv6-address }. By default, the source IP address specified by the hwtacacs nas-ip command in system view is used. If the source IP address is not...
  • Page 51: Configuring LDAP Schemes

    To set HWTACACS timers (Step / Command / Remarks): Enter system view: system-view. Enter HWTACACS scheme view: hwtacacs scheme hwtacacs-scheme-name. Set the HWTACACS server response timeout timer: timer response-timeout seconds. By default, the HWTACACS server response timeout timer is 5 seconds. By default, the realtime accounting interval is 12 minutes.
  • Page 52 Step / Command / Remarks: Create an LDAP server and enter LDAP server view: ldap server server-name. By default, no LDAP server exists. Configuring the IP address of the LDAP server (Step / Command / Remarks): Enter system view: system-view. Enter LDAP server view: ldap server server-name. By default, an LDAP server has no IP address.
  • Page 53 Step / Command / Remarks: Enter system view: system-view. Enter LDAP server view: ldap server server-name. Specify the administrator DN: login-dn dn-string. By default, no administrator DN is specified. The administrator DN specified on the device must be the same as configured on the LDAP server. Configure the ...: login-password { cipher | ... By default, no administrator...
  • Page 54: Configuring AAA Methods For ISP Domains

    Step / Command / Remarks: (Optional.) Specify the user object class: user-parameters user-object-class object-class-name. By default, no user object class is specified, and the default user object class on the LDAP server is used. Creating an LDAP scheme: You can configure up to 16 LDAP schemes. An LDAP scheme can be referenced by multiple ISP domains.
  • Page 55: Creating An ISP Domain

    "Configuring RADIUS schemes," "Configuring HWTACACS schemes," and "Configuring LDAP schemes." Creating an ISP domain In a networking scenario with multiple ISPs, the device can connect to users of different ISPs. These users can have different user attributes, such as different username and password structures, different service types, and different rights.
  • Page 56: Configuring Authentication Methods For An ISP Domain

    whose total traffic in the idle timeout period is less than the specified minimum traffic. If no idle cut attribute is available in the ISP domain, the idle cut feature of the server takes effect. An ISP domain attribute applies to all users in the domain. To configure ISP domain attributes: Step Command...
  • Page 57: Configuring Authorization Methods For An ISP Domain

    Step / Command / Remarks: Specify the default authentication method for all types of users: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | ... By default, the default authentication method is local.
  • Page 58: Configuring Accounting Methods For An ISP Domain

    Step / Command / Remarks: Enter system view: system-view. Enter ISP domain view: domain isp-name. Specify the default authorization method for all types of users: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | ... By default, the authorization method is local. The none keyword is not ...
  • Page 59: Enabling The Session-Control Feature

    Configuration procedure. To configure accounting methods for an ISP domain (Step / Command / Remarks): Enter system view: system-view. Enter ISP domain view: domain isp-name. Specify the default accounting method for all types of users: accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name... By default, the accounting method is local.
  • Page 60: Configuring The RADIUS DAE Server Feature

    Configuring the RADIUS DAE server feature Dynamic Authorization Extensions (DAE) to RADIUS, defined in RFC 5176, can log off online users, change their authorization information, or shut down their access interfaces. DAE uses the client/server model. In a RADIUS network, the RADIUS server typically acts as the DAE client and the NAS acts as the DAE server.
  • Page 61: Configuring A NAS-ID Profile

    Step / Command / Remarks: Set the maximum number of concurrent login users: • In non-FIPS mode: aaa session-limit { ftp | http | https | ssh | telnet } max-sessions. By default, the maximum number of concurrent login users is 32 for ... •...
  • Page 62 • Use the HWTACACS server for SSH user authentication, authorization, and accounting. • Assign the default user role network-operator to SSH users after they pass authentication. • Exclude domain names from the usernames sent to the HWTACACS server. • Use expert as the shared keys for secure HWTACACS communication. Figure 11 Network diagram Configuration procedure Configure the HWTACACS server:...
  • Page 63: Local Authentication, HWTACACS Authorization, And RADIUS Accounting For SSH Users

    [Switch] public-key local create dsa
    # Enable the SSH service.
    [Switch] ssh server enable
    # Enable scheme authentication for user lines VTY 0 through VTY 63.
    [Switch] line vty 0 63
    [Switch-line-vty0-63] authentication-mode scheme
    [Switch-line-vty0-63] quit
    # Enable the default user role feature to assign authenticated SSH users the default user role network-operator.
  • Page 64 # Create local RSA and DSA key pairs. <Switch> system-view [Switch] public-key local create rsa [Switch] public-key local create dsa # Enable the SSH service. [Switch] ssh server enable # Enable scheme authentication for user lines VTY 0 through VTY 63. [Switch] line vty 0 63 [Switch-line-vty0-63] authentication-mode scheme [Switch-line-vty0-63] quit...
  • Page 65: Authentication And Authorization For Ssh Users By A Radius Server

    Authentication and authorization for SSH users by a RADIUS server Network requirements As shown in Figure 13, configure the switch to meet the following requirements: • Use the RADIUS server for SSH user authentication and authorization. • Include domain names in the usernames sent to the RADIUS server. •...
  • Page 66 IP address of the outbound interface (the default). Figure 14 Adding the switch as an access device # Add an account for device management. Click the User tab, and select Access User View > Device Mgmt User from the navigation tree.
  • Page 67 Figure 15 Adding an account for device management Configure the switch: # Configure the IP address of VLAN-interface 2, through which the SSH user accesses the switch. <Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 [Switch-Vlan-interface2] quit # Configure the IP address of VLAN-interface 3, through which the switch communicates with the server.
  • Page 68: Authentication For Ssh Users By An Ldap Server

    # Create a RADIUS scheme. [Switch] radius scheme rad # Specify the primary authentication server. [Switch-radius-rad] primary authentication 10.1.1.1 1812 # Set the shared key for secure communication with the server to expert in plain text. [Switch-radius-rad] key authentication simple expert # Include domain names in the usernames sent to the RADIUS server.
  • Page 69 NOTE: In this example, the LDAP server runs Microsoft Windows 2003 Server Active Directory. # Add a user named aaa and set the password to ldap!123456. a. On the LDAP server, select Start > Control Panel > Administrative Tools. b. Double-click Active Directory Users and Computers. The Active Directory Users and Computers window is displayed.
  • Page 70 Figure 18 Setting the user's password g. Click OK. # Add user aaa to group Users. h. From the navigation tree, click Users under the ldap.com node. i. In the right pane, right-click the user aaa and select Properties. j. In the dialog box, click the Member Of tab and click Add.
  • Page 71 Figure 19 Modifying user properties d. In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK. User aaa is added to group Users. Figure 20 Adding user aaa to group Users # Set the administrator password to admin!123456.
  • Page 72 # Configure the IP address of VLAN-interface 2, through which the SSH user accesses the switch. <Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 24 [Switch-Vlan-interface2] quit # Configure the IP address of VLAN-interface 3, through which the switch communicates with the server.
  • Page 73: Aaa For 802.1X Users By A Radius Server

    Verifying the configuration # Initiate an SSH connection to the switch, and enter the username aaa@bbb and password ldap!123456. The user logs in to the switch. (Details not shown.) # Verify that the user can use the commands permitted by the network-operator user role. (Details not shown.) AAA for 802.1X users by a RADIUS server Network requirements...
  • Page 74 d. Select HP(Comware) as the access device type. e. Select the access device from the device list or manually add the device with the IP address 10.1.1.2. f. Leave the default settings for other parameters and click OK. The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the switch.
  • Page 75 Figure 23 Adding a service # Add a user. Click the User tab, and select Access User View > All Access Users from the navigation tree to enter the All Access Users page. Then, click Add to configure a user as follows: a.
  • Page 76 Figure 24 Adding an access user account Configure the switch: a. Configure a RADIUS scheme: # Create a RADIUS scheme named rad and enter RADIUS scheme view. <Switch> system-view [Switch] radius scheme rad # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
  • Page 77: Troubleshooting Radius

    # Configure the access control method. By default, an 802.1X-enabled port uses MAC-based access control.
    [Switch] dot1x port-method macbased interface gigabitethernet 1/0/1
    Verifying the configuration
    On the host, use the user dot1x@bbb to pass 802.1X authentication:
    # If the user host runs the Windows XP 802.1X client, configure the network connection properties as follows: a.
  • Page 78: Radius Packet Delivery Failure

    RADIUS packet delivery failure Symptom RADIUS packets cannot reach the RADIUS server. Analysis Possible reasons include: • A communication failure exists between the NAS and the RADIUS server. • The NAS is not configured with the IP address of the RADIUS server. •...
  • Page 79: Troubleshooting Ldap

    Troubleshooting LDAP Symptom User authentication fails. Analysis Possible reasons include: • A communication failure exists between the NAS and the LDAP server. • The LDAP server IP address or port number configured on the NAS is not correct. • The username is not in the userid@isp-name format, or the ISP domain is not correctly configured on the NAS.
  • Page 80: 802.1X Overview

    The port controls traffic by using one of the following methods: − Performs bidirectional traffic control to deny traffic to and from the client. − Performs unidirectional traffic control to deny traffic from the client. The HPE devices support only unidirectional traffic control.
  • Page 81: 802.1X-Related Protocols

    Figure 26 Authorization state of a controlled port
    802.1X-related protocols
    802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the access device, and the authentication server. EAP is an authentication framework that uses the client/server model. The framework supports a variety of authentication methods, including MD5-Challenge, EAP-Transport Layer Security (EAP-TLS), and Protected EAP (PEAP).
  • Page 82: Eap Over Radius

    • Data—Content of the EAP packet. This field appears only in a Request or Response EAP packet. The Data field contains the request type (or the response type) and the type data. Type 1 (Identity) and type 4 (MD5-Challenge) are two examples for the type field.
    EAPOL packet format
    Figure 28 shows the EAPOL packet format.
  • Page 83: 802.1X Authentication Initiation

    01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client and the authentication server does not support the multicast address, you must use an 802.1X client that can send broadcast EAPOL-Start packets. For example, you can use the HPE iNode 802.1X client.
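    The EAPOL and EAP packet formats described on the preceding pages (Figure 28) and the EAPOL-Start addressing just discussed, as an added Python example that is not part of this guide: a parser for Ethernet-framed EAPOL that reports whether a frame went to the PAE group address 01-80-C2-00-00-03 or to broadcast, checks the EAPOL and EAP Length fields against what actually arrived, and decodes the Code, Identifier, Length and Type fields of EAP-Packet frames. The constructed frames at the end are what a client and an access device emit at the start of authentication; the client MAC 00e0-fc12-3456 and the user name dot1x@bbb come from this guide's examples, the switch MAC is made up.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # 01-80-C2-00-00-03
BROADCAST = b"\xff" * 6
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP"}


def mac_str(mac):
    return "-".join("%02x" % b for b in mac)


def parse_eap(pkt):
    """EAP header: Code(1) Identifier(1) Length(2); Request/Response add Type(1) + Type-Data."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length %d inconsistent with %d octets" % (length, len(pkt)))
    eap = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response without Type field")
        eap["type"] = EAP_TYPES.get(pkt[4], pkt[4])
        eap["type_data"] = pkt[5:length]
    return eap


def parse_eapol_frame(frame):
    """Parse Ethernet + EAPOL (IEEE 802.1X). Returns a dict; raises on malformed input."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet and EAPOL headers")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError("EtherType 0x%04x is not EAPOL" % ethertype)
    version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body truncated")
    info = {"dst": mac_str(dst), "src": mac_str(src), "version": version,
            "type": EAPOL_TYPES.get(eapol_type, "unknown(%d)" % eapol_type),
            "to_pae_group": dst == PAE_GROUP_ADDRESS, "to_broadcast": dst == BROADCAST}
    if eapol_type == 0:
        info["eap"] = parse_eap(body)
    return info


# Constructed frames (not captures): what a client and an access device emit.
def eapol_start(src, dst=PAE_GROUP_ADDRESS, version=1):
    """EAPOL-Start has an empty body; dst is the PAE group address unless the
    client must fall back to broadcast for intermediate devices that drop it."""
    return dst + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, version, 1, 0)


def eap_request_identity(dst, src, eap_id, version=1):
    eap = struct.pack("!BBHB", 1, eap_id, 5, 1)       # Request, id, Length 5, Type Identity
    return dst + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, version, 0, len(eap)) + eap


def eap_response_identity(dst, src, eap_id, identity, version=1):
    eap = struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity
    return dst + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, version, 0, len(eap)) + eap


if __name__ == "__main__":
    client = bytes.fromhex("00e0fc123456")   # MAC from this guide's display output
    switch = bytes.fromhex("000fe2000001")   # constructed switch port MAC
    for f in (eapol_start(client), eap_request_identity(client, switch, 1),
              eap_response_identity(PAE_GROUP_ADDRESS, client, 1, b"dot1x@bbb")):
        print(parse_eapol_frame(f))
```

    Two things the parser checks are worth keeping in any EAPOL handling code: the EAPOL body length and the inner EAP Length must both agree with the octets received, since a switch or supplicant that trusts either field blindly can be made to read past the frame. The Identity response is sent in clear text, which is why the user name (here dot1x@bbb, including the domain suffix) is visible to anyone on the segment before any credential is exchanged.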
  • Page 84: 802.1X Authentication Procedures

    802.1X authentication procedures
    802.1X authentication has two methods: EAP relay and EAP termination. You choose either mode depending on support of the RADIUS server for EAP packets and EAP authentication methods.
    • EAP relay mode. EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAPOR (EAP over RADIUS) packets to send authentication information to the RADIUS server, as shown in Figure 31.
    Figure 31 EAP relay...
  • Page 85: Eap Relay

    EAP termination:
    • Works with any RADIUS server that supports PAP or CHAP authentication.
    • Supports the username and password EAP authentication initiated by an HPE iNode 802.1X client.
    • The processing is complex on the access device.
    EAP relay
    Figure 33 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that EAP-MD5 is used.
  • Page 86: Eap Termination

    In response to the Identity EAP-Request packet, the client sends the username in an Identity EAP-Response packet to the access device. The access device relays the Identity EAP-Response packet in a RADIUS Access-Request packet to the authentication server. The authentication server uses the identity information in the RADIUS Access-Request to search its user database.
  • Page 87 Figure 34 802.1X authentication procedure in EAP termination mode
    In EAP termination mode, the access device rather than the authentication server generates the MD5 challenge that the client uses to compute its password digest (the same construction as a CHAP response). The access device then sends the MD5 challenge together with the username and the password digest in a standard RADIUS packet to the RADIUS server.
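    The digest construction behind EAP termination, as an added Python example that is not HPE code: the access device generates the challenge and sends it in EAP-Request/MD5-Challenge, the client returns MD5(Identifier || password || challenge) in EAP-Response/MD5-Challenge (RFC 3748 section 5.4, identical to a CHAP response), the access device strips the EAP envelope and places the result in the CHAP-Password (3) and CHAP-Challenge (60) attributes of a standard RADIUS Access-Request, and a RADIUS server that supports CHAP recomputes the digest from the clear-text password it stores. The account localuser/localpass is taken from this guide's example configuration; the challenge is random, or fixed when the test supplies one.

```python
import hashlib
import hmac
import os
import struct

# EAP codes and the MD5-Challenge type (RFC 3748); RADIUS attribute types (RFC 2865).
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4
ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE = 3, 60


def md5_challenge_digest(ident, password, challenge):
    """Value of an EAP-Response/MD5-Challenge, identical to a CHAP response:
    MD5(Identifier || password || challenge) (RFC 3748 section 5.4, RFC 1994)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def eap_md5_request(eap_id, challenge):
    """Access device -> client: EAP-Request/MD5-Challenge. In EAP termination
    mode the access device, not the RADIUS server, picks this challenge."""
    data = struct.pack("!B", len(challenge)) + challenge      # Value-Size, Value
    return struct.pack("!BBHB", EAP_REQUEST, eap_id, 5 + len(data),
                       EAP_TYPE_MD5_CHALLENGE) + data


def eap_md5_response(eap_request, password, name):
    """Client side: answer the request with the digest and the user name."""
    code, eap_id, length, etype = struct.unpack("!BBHB", eap_request[:5])
    if code != EAP_REQUEST or etype != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an EAP-Request/MD5-Challenge")
    size = eap_request[5]
    challenge = eap_request[6:6 + size]
    value = md5_challenge_digest(eap_id, password, challenge)
    data = struct.pack("!B", len(value)) + value + name
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data),
                       EAP_TYPE_MD5_CHALLENGE) + data


def terminate_to_radius_attrs(eap_response, challenge):
    """Access device (EAP termination): strip the EAP envelope and return the
    RADIUS attributes that carry the result to the server:
    CHAP-Password (3) = CHAP Ident (the EAP Identifier) || 16-octet digest,
    CHAP-Challenge (60) = the challenge the access device generated."""
    code, eap_id, length, etype = struct.unpack("!BBHB", eap_response[:5])
    if code != EAP_RESPONSE or etype != EAP_TYPE_MD5_CHALLENGE or length != len(eap_response):
        raise ValueError("not a well-formed EAP-Response/MD5-Challenge")
    if eap_response[5] != 16 or len(eap_response) < 22:
        raise ValueError("MD5-Challenge value must be 16 octets")
    name = eap_response[22:]
    chap_password = bytes([eap_id]) + eap_response[6:22]
    return {"User-Name": name,
            ATTR_CHAP_PASSWORD: chap_password,
            ATTR_CHAP_CHALLENGE: challenge}


def radius_server_check(attrs, stored_password):
    """RADIUS server: recompute the digest from the clear-text password it stores
    (CHAP requires the server to hold the password, not a one-way hash of it)."""
    chap_password = attrs[ATTR_CHAP_PASSWORD]
    ident, digest = chap_password[0], chap_password[1:]
    expected = md5_challenge_digest(ident, stored_password, attrs[ATTR_CHAP_CHALLENGE])
    return hmac.compare_digest(expected, digest)


def run_exchange(password_on_client, password_on_server, challenge=None):
    """Whole EAP termination flow for one user; True means Access-Accept."""
    challenge = challenge or os.urandom(16)
    req = eap_md5_request(eap_id=3, challenge=challenge)
    resp = eap_md5_response(req, password_on_client, b"localuser")
    attrs = terminate_to_radius_attrs(resp, challenge)
    return radius_server_check(attrs, password_on_server)


if __name__ == "__main__":
    print("correct password:", run_exchange(b"localpass", b"localpass"))
    print("wrong password  :", run_exchange(b"localpass", b"other"))
```

    This is why termination works with any CHAP-capable server, and also why it is the weaker mode: the server must store clear-text passwords, the 16-octet digest and the challenge both cross the wire (EAPOL on the access side, RADIUS on the server side) so a captured pair can be attacked offline by dictionary, and MD5-Challenge derives no keying material and authenticates only the client. Where those properties matter, use EAP relay with EAP-TLS or PEAP, as the comparison above recommends. If an access device omits CHAP-Challenge, the server uses the Request Authenticator of the Access-Request as the challenge (RFC 2865 section 5.40); the example always sends the attribute explicitly.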
  • Page 88: Configuring 802.1X

    Configuring 802.1X This chapter describes how to configure 802.1X on an HPE device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network that requires different authentication methods for different users on a port.
  • Page 89 NOTE: The access device converts VLAN names and VLAN group name into VLAN IDs before VLAN assignment. Unsupported VLAN types Do not specify the following types of VLANs for VLAN authorization. The access device does not assign these VLANs to 802.1X users. •...
  • Page 90: Guest Vlan

    Table 6 VLAN manipulation
    Port access control method: Port-based
    VLAN manipulation: The device assigns the first authenticated user's authorization VLAN to the port as the port VLAN (PVID). All subsequent 802.1X users can access the VLAN without authentication. When the first authenticated user logs off, the previous PVID is restored, and all other online users are logged off.
  • Page 91: Auth-Fail Vlan

    Authentication status VLAN manipulation • The device assigns the authorization VLAN of the user to the port as the PVID, and it removes the port from the 802.1X guest VLAN. After the user logs off, the initial PVID of the port is restored. •...
  • Page 92: Critical Vlan

    Authentication status / VLAN manipulation:
    • A user fails 802.1X authentication: The device assigns the Auth-Fail VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the Auth-Fail VLAN.
    • A user in the 802.1X Auth-Fail VLAN fails 802.1X authentication because of ...: The Auth-Fail VLAN is still the PVID on the port, and all 802.1X users ...
  • Page 93 • On a port that performs port-based access control:
    Authentication status / VLAN manipulation:
    • A user that has not been assigned to any VLAN fails 802.1X authentication because all the RADIUS servers are unreachable: The device assigns the critical VLAN to the port as the PVID. The 802.1X user and all subsequent 802.1X users on this port can access only resources in the 802.1X ...
  • Page 94: Using 802.1X Authentication With Other Features

    Authentication status / VLAN manipulation:
    • A user in the 802.1X critical VLAN passes 802.1X authentication: The device remaps the MAC address of the user to the authorization VLAN. If the authentication server (either the local access device or a RADIUS server) does not authorize a VLAN to the user, the device remaps the MAC address of the user to the initial PVID on the port.
  • Page 95: Redirect Url Assignment

    The EAD assistant feature enables the access device to redirect a user who is seeking to access the network to download and install an EAD client. This feature eliminates the administrative task to deploy EAD clients. EAD assistant is implemented by the following functionality: •...
  • Page 96: Configuration Prerequisites

    Figure 35 802.1X authentication process with the SmartOn feature If the user attempts to use another 802.1X client for authentication, it will fail SmartOn authentication. The access device stops 802.1X authentication for the user. NOTE: After you install the SmartOn client software, add two values QX_ID and QX_PASSWORD to the Windows registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Soliton Systems K.K.\SmartOn Client\Clients\1XGate].
  • Page 97: Enabling 802.1X

    Tasks at a glance (Optional.) Setting the maximum number of concurrent 802.1X users on a port (Optional.) Setting the maximum number of authentication request attempts (Optional.) Setting the 802.1X authentication timeout timers (Optional.) Configuring the online user handshake feature (Optional.) Configuring the authentication trigger feature (Optional.) Specifying a mandatory authentication domain on a port...
  • Page 98: Enabling Eap Relay Or Eap Termination

    The client is using only MD5-Challenge EAP authentication.
    • The client is using only the username and password EAP authentication initiated by an HPE iNode 802.1X client.
    To use EAP-TLS, PEAP, or any other EAP authentication methods, you must use EAP relay. When you make your decision, see "Comparing EAP relay and EAP...
  • Page 99: Specifying An Access Control Method

    Step: Enter Layer 2 Ethernet interface view.
        Command: interface interface-type interface-number
    Step: Set the port authorization state.
        Command: dot1x port-control { authorized-force | auto | unauthorized-force }
        Remarks: By default, the auto state applies.
    Specifying an access control method
    Step: Enter system view.
  • Page 100: Setting The 802.1X Authentication Timeout Timers

    To set the maximum number of authentication request attempts:
    Step: Enter system view.
        Command: system-view
    Step: Set the maximum number of attempts for sending an authentication request.
        Command: dot1x retry max-retry-value
        Remarks: The default setting is ...
    Setting the 802.1X authentication timeout timers
    The network device uses the following 802.1X authentication timeout timers:
    • ...
  • Page 101: Configuration Guidelines

    Configuration guidelines When you configure the online user handshake feature, follow these restrictions and guidelines: • The SmartOn feature and the online user handshake feature are mutually exclusive. Before you enable the online user handshake feature, make sure the SmartOn feature is disabled. •...
  • Page 102: Configuration Procedure

    • Enable the unicast trigger on a port if only a few 802.1X clients are attached to the port and these clients cannot initiate authentication. • To avoid duplicate authentication packets, do not enable both triggers on a port. Configuration procedure To configure the authentication trigger feature on a port: Step Command...
  • Page 103: Enabling The Periodic Online User Reauthentication Feature

    Step: Enter system view.
        Command: system-view
    Step: Enable the quiet timer.
        Command: dot1x quiet-period
        Remarks: By default, the timer is disabled.
    Step: (Optional.) Set the quiet timer.
        Command: dot1x timer quiet-period quiet-period-value
        Remarks: The default is 60 seconds.
    Enabling the periodic online user reauthentication feature
    Periodic online user reauthentication tracks the connection status of online users, and updates the authorization attributes assigned by the server.
  • Page 104: Manually Reauthenticating All Online 802.1X Users On A Port

    Manually reauthenticating all online 802.1X users on a port This feature reauthenticates all online 802.1X users on a port after the dot1x re-authenticate manual command is executed. The feature is independent of the server-assigned reauthentication attribute and the periodic reauthentication feature. When no server is reachable for the reauthentication, the device keeps the users online or logs off the users, depending on the keep-online feature configuration on the port.
  • Page 105: Configuring An 802.1X Guest Vlan

    Configuring an 802.1X guest VLAN Configuration guidelines When you configure an 802.1X guest VLAN, follow these guidelines: • You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different ports can be different. • Assign different IDs to the voice VLAN, the port VLAN, and the 802.1X guest VLAN on a port.
  • Page 106: Configuring An 802.1X Auth-Fail Vlan

    Step: Enter Layer 2 Ethernet interface view.
        Command: interface interface-type interface-number
    Step: Configure the 802.1X guest VLAN on the port.
        Command: dot1x guest-vlan guest-vlan-id
        Remarks: By default, no 802.1X guest VLAN is configured on any port.
    Configuring an 802.1X Auth-Fail VLAN
    Configuration guidelines
    When you configure an 802.1X Auth-Fail VLAN, follow these restrictions and guidelines:
    • ...
  • Page 107: Configuring An 802.1X Critical Vlan

    Step: Enter system view.
        Command: system-view
    Step: Enter Layer 2 Ethernet interface view.
        Command: interface interface-type interface-number
    Step: Configure the 802.1X Auth-Fail VLAN on the port.
        Command: dot1x auth-fail vlan authfail-vlan-id
        Remarks: By default, no 802.1X Auth-Fail VLAN is configured.
    Configuring an 802.1X critical VLAN
    Configuration guidelines
    When you configure an 802.1X critical VLAN, follow these restrictions and guidelines:
    • ...
  • Page 108: Enabling The 802.1X Critical Voice Vlan

    Enabling the 802.1X critical voice VLAN This feature assigns the access port of a voice user to the 802.1X critical voice VLAN if the voice user fails authentication because all the RADIUS servers are unreachable. The feature does not take effect if the voice user has been in the 802.1X Auth-Fail VLAN.
  • Page 109: Specifying Supported Domain Name Delimiters

    To enable the device to send an EAP-Success packet to a client when the 802.1X client user is assigned to the 802.1X critical VLAN on a port:
    Step: Enter system view.
        Command: system-view
    Step: Enter Layer 2 Ethernet interface view.
        Command: interface interface-type ...
  • Page 110: Configuring The Ead Assistant Feature

    Sends a unicast EAP-Request/Identity packet to the MAC address that triggers the authentication. Retransmits the packet if no response is received within the username request timeout interval set by using the dot1x timer tx-period command. Assigns the port the 802.1X guest VLAN after the maximum number of request attempts set by using the dot1x retry command is reached.
  • Page 111: Configuring 802.1X Smarton

    Configuring 802.1X SmartOn The SmartOn feature is mutually exclusive with the 802.1X online user handshake feature. When the device sends a unicast EAP-Request/Notification packet to the client, it starts the SmartOn client timeout timer (set by using the dot1x smarton timer supp-timeout command). •...
  • Page 112: 802.1X Authentication Configuration Examples

    Figure 36 Network diagram Configuration procedure Configure the 802.1X client. If HPE iNode is used, do not select the Carry version info option in the client configuration. (Details not shown.) Configure the RADIUS servers and add user accounts for the 802.1X users. (Details not shown.)
  • Page 113 Configure user accounts for the 802.1X users on the access device: # Add a local network access user with the username localuser, and password localpass in plaintext. (Make sure the username and password are the same as those configured on the RADIUS servers.) <Device>...
  • Page 114: Guest Vlan And Authorization Vlan Configuration Example

    [Device-GigabitEthernet1/0/1] dot1x mandatory-domain bbb [Device-GigabitEthernet1/0/1] quit # Enable 802.1X globally. [Device] dot1x Verifying the configuration # Verify the 802.1X configuration on GigabitEthernet 1/0/1. [Device] display dot1x interface gigabitethernet 1/0/1 # Display the user connection information after an 802.1X user passes authentication. [Device] display dot1x connection 802.1X guest VLAN and authorization VLAN configuration example...
  • Page 115 Configuration procedure Configure the 802.1X client. Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VLAN or an authorization VLAN. (Details not shown.) Configure the RADIUS server to provide authentication, authorization, and accounting services. Configure user accounts and authorization VLAN (VLAN 5 in this example) for the users.
  • Page 116: 802.1X With Acl Assignment Configuration Example

    # Enable 802.1X on port GigabitEthernet 1/0/2. [Device] interface gigabitethernet 1/0/2 [Device-GigabitEthernet1/0/2] dot1x # Implement port-based access control on the port. [Device-GigabitEthernet1/0/2] dot1x port-method portbased # Set the port authorization mode to auto. By default, the port uses the auto mode. [Device-GigabitEthernet1/0/2] dot1x port-control auto # Set VLAN 10 as the 802.1X guest VLAN on port GigabitEthernet 1/0/2.
  • Page 117 Configuration procedure Configure the 802.1X client. Make sure the client is able to update its IP address after the access port is assigned to the 802.1X guest VLAN or an authorization VLAN. (Details not shown.) Configure the RADIUS servers to provide authentication, authorization, and accounting services.
  • Page 118: With Ead Assistant Configuration Example (With Dhcp Relay Agent)

    # Enable 802.1X globally. [Device] dot1x Verifying the configuration # Use the user account to pass authentication. (Details not shown.) # Verify that the user cannot ping the FTP server at any time from 8:00 to 18:00 on any weekday. C:\>ping 10.0.0.1 Pinging 10.0.0.1 with 32 bytes of data: Request timed out.
  • Page 119 Figure 39 Network diagram Configuration procedure Make sure the DHCP server, the Web server, and the authentication servers have been configured correctly. (Details not shown.) Configure an IP address for each interface. (Details not shown.) Configure DHCP relay: # Enable DHCP. <Device>...
  • Page 120 # Exclude the ISP domain names from the usernames sent to the RADIUS server. [Device-radius-2000] user-name-format without-domain [Device-radius-2000] quit Configure an ISP domain: # Create ISP domain bbb and enter ISP domain view. [Device] domain bbb # Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and accounting.
  • Page 121: With Ead Assistant Configuration Example (With Dhcp Server)

    802.1X with EAD assistant configuration example (with DHCP server) Network requirements As shown in Figure • The intranet 192.168.1.0/24 is attached to GigabitEthernet 1/0/1 of the access device. • The hosts use DHCP to obtain IP addresses. • A Web server is deployed on the 192.168.2.0/24 subnet for users to download client software. Deploy an EAD solution for the intranet to meet the following requirements: •...
  • Page 122 [Device] dhcp server ip-pool 0 # Specify subnet 192.168.1.0/24 in DHCP address pool 0. [Device-dhcp-pool-0] network 192.168.1.0 mask 255.255.255.0 # Specify the gateway address 192.168.1.1 in DHCP address pool 0. [Device-dhcp-pool-0] gateway-list 192.168.1.1 [Device-dhcp-pool-0] quit Configure a RADIUS scheme: # Create RADIUS scheme 2000 and enter RADIUS scheme view. [Device] radius scheme 2000 # Specify the server at 10.1.1.1 as the primary authentication server, and set the authentication port to 1812.
  • Page 123: 802.1X Smarton Configuration Example

    Verifying the configuration # Verify the 802.1X configuration. [Device] display dot1x # Verify that you can ping an IP address on the free IP subnet from a host. C:\>ping 192.168.2.3 Pinging 192.168.2.3 with 32 bytes of data: Reply from 192.168.2.3: bytes=32 time<1ms TTL=128 Reply from 192.168.2.3: bytes=32 time<1ms TTL=128 Reply from 192.168.2.3: bytes=32 time<1ms TTL=128 Reply from 192.168.2.3: bytes=32 time<1ms TTL=128...
  • Page 124: Troubleshooting 802.1X Ead Assistant For Web Browser Users

    # Specify the server at 10.1.1.1 as the primary authentication server, and set the authentication port to 1812. [Device-radius-2000] primary authentication 10.1.1.1 1812 # Specify the server at 10.1.1.2 as the primary accounting server, and set the accounting port to 1813.
  • Page 125 Analysis Redirection will not happen for one of the following reasons: • The address is in the string format. The operating system of the host regards the string as a website name and tries to resolve the string. If the resolution fails, the operating system sends an ARP request, but the target address is not in the dotted decimal notation.
  • Page 126: Configuring Mac Authentication

    Configuring MAC authentication Overview MAC authentication controls network access by authenticating source MAC addresses on a port. The feature does not require client software, and users do not have to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication-enabled port.
  • Page 127: Vlan Assignment

    VLAN assignment MAC authentication supports the authorization VLAN, guest VLAN, and critical VLAN. Authorization VLAN You can specify the authorization VLAN for a MAC authentication user to control access to authorized network resources. • On a RADIUS server, the authorization VLAN can be specified in the form of VLAN ID or VLAN name.
  • Page 128: Acl Assignment

    Table 10 VLAN manipulation
    Authentication status / VLAN manipulation:
    • A user in the MAC authentication guest VLAN fails MAC authentication for any other reason than server unreachable: The user is still in the MAC authentication guest VLAN.
    • ...: The device remaps the MAC address of the user to the authorization VLAN assigned by the authentication server.
  • Page 129: Redirect Url Assignment

    • Specify another authorization ACL on the authentication server. For more information about ACLs, see ACL and QoS Configuration Guide. Redirect URL assignment The device supports the URL attribute assigned by a RADIUS server. During MAC authentication, a user is redirected to the Web interface specified by the server-assigned URL attribute. After the user passes the Web authentication, the RADIUS server records the MAC address of the Web user and uses a DM (Disconnect Message) to log off the Web user.
  • Page 130: Configuration Task List

    Configuration task list Tasks at a glance (Required.) Enabling MAC authentication (Optional.) Specifying a MAC authentication domain (Optional.) Configuring the user account format (Optional.) Setting MAC authentication timers (Optional.) Enabling MAC authentication offline detection (Optional.) Setting the maximum number of concurrent MAC authentication users on a port (Optional.) Enabling MAC authentication multi-VLAN mode on a port (Optional.)
  • Page 131: Configuring The User Account Format

    MAC authentication chooses an authentication domain for users on a port in this order: the port-specific domain, the global domain, and the default domain. For more information about authentication domains, see "Configuring AAA." To specify an authentication domain for MAC authentication users: Step Command Remarks...
  • Page 132: Enabling Mac Authentication Offline Detection

    Step: Enter system view.
        Command: system-view
    Step: Set MAC authentication timers.
        Command: mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }
        Remarks: By default, the offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100 seconds.
  • Page 133: Configuring Mac Authentication Delay

    nor reauthenticates the user. The device creates a new MAC-VLAN mapping for the user, and traffic transmission is not interrupted. The original MAC-VLAN mapping for the user remains on the device until it dynamically ages out. As a best practice, configure this feature on hybrid or trunk ports. This feature improves transmission of data that is vulnerable to delay and interference.
  • Page 134: Configuration Restrictions And Guidelines

    • Create the VLAN to be specified as the MAC authentication guest VLAN. • Configure the VLAN as an untagged member on the port. Configuration restrictions and guidelines The following table shows the relationships of the MAC authentication guest VLAN with other security features: Feature Relationship description...
  • Page 135: Configuring A Mac Authentication Critical Vlan

    Configuring a MAC authentication critical VLAN You must configure the MAC authentication critical VLAN on a hybrid port. Before you configure the MAC authentication critical VLAN on a hybrid port, complete the following tasks: • Enable MAC authentication globally and on the port. •...
  • Page 136: Configuration Prerequisites

    Configuration prerequisites Before you enable the MAC authentication critical voice VLAN on a port, complete the following tasks: • Enable LLDP both globally and on the port. The device uses LLDP to identify voice users. For information about LLDP, see Layer 2—LAN Switching Configuration Guide.
  • Page 137: Enabling Parallel Processing Of Mac Authentication And 802.1X Authentication

    IP-MAC mapping of the user. If a match is found, the IMC server considers the user valid. If no match is found, the user fails MAC authentication. For information about IMC user IP-MAC bindings, see HPE IMC User Access Manager Administrator Guide. When you configure this feature, follow these guidelines and restrictions: •...
  • Page 138: Configuration Procedure

    • For the parallel processing feature to work correctly, do not enable MAC authentication delay on the port. This operation will delay MAC authentication after 802.1X authentication is triggered. • To configure both 802.1X authentication and MAC authentication on the port, use one of the following methods: Enable the 802.1X and MAC authentication features separately on the port.
  • Page 139: Mac Authentication Configuration Examples

    MAC authentication configuration examples Local MAC authentication configuration example Network requirements As shown in Figure 42, the device performs local MAC authentication on GigabitEthernet 1/0/1 to control Internet access of users. Configure the device to meet the following requirements: • Detect whether a user has gone offline every 180 seconds.
  • Page 140 # Configure MAC authentication to use MAC-based accounts. Each MAC address is in the hexadecimal notation with hyphens, and letters are in lower case. [Device] mac-authentication user-name-format mac-address with-hyphen lowercase # Enable MAC authentication globally. [Device] mac-authentication Verifying the configuration # Display MAC authentication settings and statistics to verify your configuration.
  • Page 141: Radius-Based Mac Authentication Configuration Example

    RADIUS-based MAC authentication configuration example Network requirements As shown in Figure 43, the device uses RADIUS servers to perform authentication, authorization, and accounting for users. To control user access to the Internet by MAC authentication, perform the following tasks: • Enable MAC authentication globally and on GigabitEthernet 1/0/1.
  • Page 142 # Enable MAC authentication on GigabitEthernet 1/0/1. [Device] interface gigabitethernet 1/0/1 [Device-GigabitEthernet1/0/1] mac-authentication [Device-GigabitEthernet1/0/1] quit # Specify the MAC authentication domain as the ISP domain bbb. [Device] mac-authentication domain bbb # Set MAC authentication timers. [Device] mac-authentication timer offline-detect 180 [Device] mac-authentication timer quiet 180 # Specify username aaa and password 123456 in plain text for the account shared by MAC authentication users.
  • Page 143: Acl Assignment Configuration Example

    MAC address       Auth state
    00e0-fc12-3456    Authenticated
    ACL assignment configuration example
    Network requirements
    As shown in Figure 44, configure the device to meet the following requirements:
    • Use RADIUS servers to perform authentication, authorization, and accounting for users.
    • Perform MAC authentication on GigabitEthernet 1/0/1 to control Internet access.
    • ...
  • Page 144 [Device-isp-bbb] quit # Specify the ISP domain for MAC authentication. [Device] mac-authentication domain bbb # Configure the device to use MAC-based user accounts. Each MAC address is in the hexadecimal notation with hyphens, and letters are in lower case. [Device] mac-authentication user-name-format mac-address with-hyphen lowercase # Enable MAC authentication on GigabitEthernet 1/0/1.
  • Page 145: FTP Server

    Max online users : 4294967295 Authentication attempts : successful 1, failed 0 Current online users MAC address Auth state 00e0-fc12-3456 Authenticated # Verify that you cannot ping the FTP server from the host. C:\>ping 10.0.0.1 Pinging 10.0.0.1 with 32 bytes of data: Request timed out.
  • Page 146: Configuring Portal Authentication

    Users can access more Internet resources after passing security check. Security check must cooperate with the HPE IMC security policy server and the iNode client. Portal system components A typical portal system consists of these basic components: authentication client, access device,...
  • Page 147 Figure 45 Portal system components (figure: authentication clients, access device, portal authentication server, portal Web server, AAA server, security policy server) An authentication client is a Web browser that runs HTTP/HTTPS or a user host that runs a portal client application.
  • Page 148: Interaction Between Portal System Components

    Web browser. When receiving the HTTP request, the access device redirects it to the Web authentication page provided by the portal Web server. The user can also visit the authentication website to log in. The user must log in through the HPE iNode client for extended portal functions.
  • Page 149: Portal Support For EAP

    NOTE: • To use portal authentication that supports EAP, the portal authentication server and client must be the HPE IMC portal server and the HPE iNode portal client. • Local portal authentication does not support EAP authentication. Portal authentication process Direct authentication and cross-subnet authentication share the same authentication process.
  • Page 150 Direct authentication/cross-subnet authentication process (with CHAP/PAP authentication) Figure 47 Direct authentication/cross-subnet authentication process (figure: authentication client, access device, portal authentication server, portal Web server, AAA server, security policy server; steps: 1) Initiate a connection, 2) User information, 3) CHAP authentication, 4) Authentication request, 5) RADIUS authentication, Timer...)
  • Page 151: Portal Configuration Task List

    Re-DHCP authentication process (with CHAP/PAP authentication) Figure 48 Re-DHCP authentication process The re-DHCP authentication process is as follows: Step 1 through step 7 are the same as those in the direct authentication/cross-subnet authentication process. After receiving the authentication success packet, the client obtains a public IP address through DHCP.
  • Page 152: Configuration Prerequisites

    Tasks at a glance (Required.) Configuring a portal Web server (Required.) Enabling portal authentication on an interface (Required.) Specifying a portal Web server on an interface (Optional.) Controlling portal user access • Configuring a portal-free rule • Configuring an authentication source subnet •...
  • Page 153: Configuring A Portal Authentication Server

    Configuring a portal authentication server Configure this feature when user authentication uses an external portal authentication server. Perform this task to configure the following portal authentication server parameters: • IP address of the portal authentication server • VPN instance of the portal authentication server •...
  • Page 154: Enabling Portal Authentication On An Interface

    Step Command Remarks (continued from the previous page: "... and enter its view." / "... created.")
    Step: Specify the VPN instance to which the portal Web server belongs. Command: vpn-instance vpn-instance-name. Remarks: By default, the portal Web server belongs to the public network.
    Step: Specify the URL of the portal Web server. Command: url url-string. Remarks: By default, no URL is specified.
  • Page 155: Specifying A Portal Web Server On An Interface

    Step Command Remarks (continued from the previous page: "... layer3 | redhcp }" / "... interface.")
    • To enable IPv6 portal authentication: portal ipv6 enable method { direct | layer3 }
    Specifying a portal Web server on an interface After you specify a portal Web server on an interface, the device redirects the HTTP requests of the portal users on the interface to the portal Web server.
  • Page 156: Configuring An Authentication Source Subnet

    Step Command Remarks (continued from the previous page, end of the IPv4 portal-free rule command: "{ ip-address { mask-length | mask } | any } [ tcp tcp-port-number | udp udp-port-number ] } *")
    Step: Configure an IPv6-based portal-free rule. Command: portal free-rule rule-number { destination ipv6 { ipv6-address prefix-length | any } [ tcp tcp-port-number | udp udp-port-number ] | source ipv6... Remarks: By default, no IPv6-based...
  • Page 157: Configuring An Authentication Destination Subnet

    Step Command Remarks
    Step: Configure an IPv4 portal authentication source subnet. Command: portal layer3 source ipv4-network-address { mask-length | mask }. Remarks: By default, no IPv4 portal authentication source subnet is configured, and users from any subnets must pass portal authentication.
    To configure an IPv6 portal authentication source subnet: Step Command Remarks...
  • Page 158: Setting The Maximum Number Of Portal Users

    Step Command Remarks (continued from the previous page: "... authentication.") Setting the maximum number of portal users Perform this task to control the total number of IPv4 and IPv6 portal users in the system. If you configure the maximum total number smaller than the number of current online portal users on the device, this configuration still takes effect.
  • Page 159: Enabling Outgoing Packets Filtering On A Portal-Enabled Interface

    Step Command Remarks
    Step: Enter VLAN interface view. Command: interface interface-type interface-number.
    Step: Specify an IPv6 portal authentication domain. Command: portal ipv6 domain domain-name. Remarks: By default, no ISP domain is specified for IPv6 portal users on the interface.
    Enabling outgoing packets filtering on a portal-enabled interface When you enable this feature on a portal-enabled interface, the device permits the interface to send the following packets:...
  • Page 160: Configuring Portal Authentication Server Detection

    ND entry. Then the device resets the idle timer and repeats the detection process when the timer expires. If the ARP or ND entry of the user is not refreshed after the maximum number of detection attempts, the device logs out the user. ARP and ND detections apply only to direct and re-DHCP portal authentication.
  • Page 161: Configuring Portal Web Server Detection

    • Sending a log message, which contains the name, the current state, and the original state of the portal authentication server. • Enabling portal fail-permit. When the portal authentication server is unreachable, the portal fail-permit feature on an interface allows users on the interface to have network access. When the server recovers, it resumes portal authentication on the interface.
  • Page 162: Configuring Portal User Synchronization

    Step Command Remarks (continued from the previous page: "... server view.")
    Step: Configure portal Web server detection. Command: server-detect [ interval interval ] [ retry retries ] { log | trap } *. Remarks: By default, portal Web server detection is disabled. This feature takes effect regardless of whether portal authentication is enabled on an interface or not.
  • Page 163: Configuring BAS-IP For Portal Packets Sent To The Portal Authentication Server

    If you enable fail-permit for both a portal authentication server and a portal Web server on an interface, the interface does the following: • Disables portal authentication when either server is unreachable. • Resumes portal authentication when both servers are reachable. After portal authentication resumes, unauthenticated users must pass portal authentication to access the network.
  • Page 164: Applying A NAS-ID Profile To An Interface

    Step Command Remarks (continued from the previous page: "... server is the IPv4 address of the packet's output interface.")
    Step: Configure BAS-IPv6 for IPv6 portal packets sent to the portal authentication server. Remarks: By default, the BAS-IPv6 attribute of an IPv6 portal reply packet sent to the portal authentication server is the source IPv6 address of the packet.
  • Page 165: Customizing Authentication Pages

    During local portal authentication, the local Web portal server pushes authentication pages to users. You must customize the authentication pages and upload them to the device. On the device, specify an authentication page file as the default authentication page file for local portal authentication. Customizing authentication pages Authentication pages are HTML files.
  • Page 166 The value of the PtButton attribute is either Logon or Logoff, which indicates the action that the user requests. A logon Post request must contain PtUser, PtPwd, and PtButton attributes. A logoff Post request must contain the PtButton attribute. Authentication pages logon.htm and logonFail.htm must contain the logon Post request. The following example shows part of the script in page logon.htm.
  • Page 167: Configuring A Local Portal Web Server

    </head> <body onload="pt_init();" onbeforeunload="return pt_unload();"> ..</body> </html> Configuring a local portal Web server Perform the following tasks for the local portal Web server to support HTTPS: • Configure a PKI policy, obtain the CA certificate, and request a local certificate. For more information, see "Configuring PKI."...
  • Page 168: Logging Out Online Portal Users

    Step Command Remarks (continued from the previous page: "... device.") Logging out online portal users Logging out a user terminates the authentication process for the user or removes the user from the authenticated users list. When the number of users exceeds 2000, executing the portal delete-user command takes a few minutes.
  • Page 169: Portal Configuration Examples

    Portal configuration examples Configuring direct portal authentication Network requirements As shown in Figure 49, the host is directly connected to the switch (the access device). The host is assigned a public IP address either manually or through DHCP. A portal server acts as both a portal authentication server portal...
  • Page 170 Figure 50 Portal server configuration Configure the IP address group: a. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. b. Click Add to open the page as shown in Figure c.
  • Page 171 a. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. b. Click Add to open the page as shown in Figure c. Enter the device name NAS. d. Enter the IP address of the switch's interface connected to the host. e.
  • Page 172 Figure 54 Adding a port group Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configuring the switch Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <Switch>...
  • Page 173: Authentication Server

    # Configure a portal authentication server. [Switch] portal server newpt [Switch-portal-server-newpt] ip 192.168.0.111 key simple portal [Switch-portal-server-newpt] port 50100 [Switch-portal-server-newpt] quit # Configure a portal Web server. [Switch] portal web-server newpt [Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal [Switch-portal-websvr-newpt] quit # Enable direct portal authentication on VLAN-interface 100. [Switch] interface vlan-interface 100 [Switch-Vlan-interface100] portal enable method direct # Specify the portal Web server newpt on VLAN-interface 100.
  • Page 174: Configuring Re-DHCP Portal Authentication

    Layer3 source network: IP address Prefix length Destination authenticate subnet: IP address Prefix length A user can perform portal authentication by using the HPE iNode client or a Web browser. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
  • Page 175 Configuration prerequisites and guidelines • Configure IP addresses for the switch and servers as shown in Figure 55 and make sure the host, switch, and servers can reach each other. • Configure the RADIUS server correctly to provide authentication and accounting functions. •...
  • Page 176 # Configure DHCP relay. [Switch] dhcp enable [Switch] dhcp relay client-information record [Switch] interface vlan-interface 100 [Switch-Vlan-interface100] ip address 20.20.20.1 255.255.255.0 [Switch-Vlan-interface100] ip address 10.0.0.1 255.255.255.0 sub [Switch-Vlan-interface100] dhcp select relay [Switch-Vlan-interface100] dhcp relay server-address 192.168.0.112 # Enable authorized ARP. [Switch-Vlan-interface100] arp authorized enable [Switch-Vlan-interface100] quit Configure portal authentication:...
  • Page 177: Configuring Cross-Subnet Portal Authentication

    Server name Action Layer3 source network: IP address Prefix length Destination authenticate subnet: IP address Prefix length A user can perform portal authentication by using the HPE iNode client or a Web browser. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal.
  • Page 178 Figure 56 Network diagram Configuration prerequisites and guidelines • Configure IP addresses for the switch and servers as shown in Figure 56 and make sure the host, switch, and servers can reach each other. • Configure the RADIUS server correctly to provide authentication and accounting functions. •...
  • Page 179 # Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user. [SwitchA] domain default enable dm1 Configure portal authentication: # Configure a portal authentication server.
  • Page 180: Configuring Extended Direct Portal Authentication

    Server name Action Layer3 source network: IP address Prefix length Destination authenticate subnet: IP address Prefix length A user can perform portal authentication by using the HPE iNode client or a Web browser. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal.
  • Page 181 Figure 57 Network diagram Configuration prerequisites • Configure IP addresses for the host, switch, and servers as shown in Figure 57 and make sure they can reach each other. • Configure the RADIUS server correctly to provide authentication and accounting functions. Configuration procedure Perform the following tasks on the switch.
  • Page 182 [Switch] domain default enable dm1 Configure ACL 3000 as the isolation ACL and ACL 3001 as the security ACL. [Switch] acl number 3000 [Switch-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255 [Switch-acl-adv-3000] rule deny ip [Switch-acl-adv-3000] quit [Switch] acl number 3001 [Switch-acl-adv-3001] rule permit ip [Switch-acl-adv-3001] quit NOTE:...
  • Page 183: Configuring Extended Re-DHCP Portal Authentication

    Destination authenticate subnet: IP address Prefix length Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. •...
  • Page 184 Configure extended re-DHCP portal authentication. Before passing portal authentication, the host is assigned a private IP address. After passing portal identity authentication, the host obtains a public IP address and undergoes the security check. If the host fails the security check, it can access only subnet 192.168.0.0/24.
  • Page 185 [Switch-radius-rs1] key authentication simple radius [Switch-radius-rs1] user-name-format without-domain # Specify the security policy server. [Switch-radius-rs1] security-policy-server 192.168.0.114 [Switch-radius-rs1] quit # Enable RADIUS session control. [Switch] radius session-control enable Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Switch] domain dm1 # Configure AAA methods for the ISP domain.
  • Page 186 [Switch-portal-server-newpt] port 50100 [Switch-portal-server-newpt] quit # Configure a portal Web server. [Switch] portal web-server newpt [Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal [Switch-portal-websvr-newpt] quit # Enable re-DHCP portal authentication on VLAN-interface 100. [Switch] interface vlan-interface 100 [Switch-Vlan-interface100] portal enable method redhcp # Specify the portal Web server newpt on VLAN-interface 100. [Switch-Vlan-interface100] portal apply web-server newpt # Configure the BAS-IP as 20.20.20.1 for portal packets sent from VLAN-interface 100 to the portal authentication server.
  • Page 187: Configuring Extended Cross-Subnet Portal Authentication

    IP address Prefix length Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. • The user can access the resources permitted by ACL 3000 after passing only identity authentication.
  • Page 188 Configuration prerequisites and guidelines • Configure IP addresses for the switch and servers as shown in Figure 59 and make sure the host, switch, and servers can reach each other. • Configure the RADIUS server correctly to provide authentication and accounting functions. •...
  • Page 189 NOTE: Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL on the security policy server. Configure portal authentication: # Configure a portal authentication server. [SwitchA] portal server newpt [SwitchA-portal-server-newpt] ip 192.168.0.111 key simple portal [SwitchA-portal-server-newpt] port 50100 [SwitchA-portal-server-newpt] quit # Configure a portal Web server.
  • Page 190: Configuring Portal Server Detection And Portal User Synchronization

    Destination authenticate subnet: IP address Prefix length Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. •...
  • Page 191 Figure 60 Network diagram Configuration prerequisites and guidelines • Configure IP addresses for the switch and servers as shown in Figure 60 and make sure the host, switch, and servers can reach each other. • Configure the RADIUS server correctly to provide authentication and accounting functions. •...
  • Page 192 Figure 61 Portal authentication server configuration Configure the IP address group: a. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. b. Click Add to open the page as shown in Figure c.
  • Page 193 a. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. b. Click Add to open the page as shown in Figure c. Enter the device name NAS. d. Enter the IP address of the switch's interface connected to the host. e.
  • Page 194 Figure 65 Adding a port group Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configuring the switch Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <Switch>...
  • Page 195 # Configure a portal authentication server. [Switch] portal server newpt [Switch-portal-server-newpt] ip 192.168.0.111 key simple portal [Switch-portal-server-newpt] port 50100 # Configure reachability detection of the portal authentication server: set the server detection interval to 40 seconds, and send log messages upon reachability status changes. [Switch-portal-server-newpt] server-detect timeout 40 log NOTE: The value of timeout must be greater than or equal to the portal server heartbeat interval.
  • Page 196: Configuring Cross-Subnet Portal Authentication For MPLS L3VPNs

    Configuring cross-subnet portal authentication for MPLS L3VPNs Network requirements As shown in Figure 66, the PE device Switch A provides portal authentication for the host in VPN 1. A portal server in VPN 3 acts as the portal authentication server, portal Web server, and RADIUS server.
  • Page 197 # Specify the source IP address for RADIUS packets to be sent as 3.3.0.3. This address must be the same as that of the portal device specified on the portal authentication server to avoid authentication failures. [SwitchA-radius-rs1] nas-ip 3.3.0.3 [SwitchA-radius-rs1] quit # Enable RADIUS session control.
  • Page 198: Configuring Direct Portal Authentication Using The Local Portal Web Server

    State: Online VPN instance: vpn3 VLAN Interface 0000-0000-0000 3.3.0.1 Vlan-interface3 Authorization information: DHCP IP pool: N/A ACL: N/A CAR: N/A Configuring direct portal authentication using the local portal Web server Network requirements As shown in Figure 67, the host is directly connected to the switch (the access device). The host is assigned a public IP address either manually or through DHCP.
  • Page 199 # Enable RADIUS session control. [Switch] radius session-control enable Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Switch] domain dm1 # Configure AAA methods for the ISP domain. [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1 [Switch-isp-dm1] quit...
  • Page 200 Authentication domain: Not configured Pre-auth domain: Not configured User-dhcp-only: Disabled Pre-auth IP pool: Not configured Max Portal users: Not configured Bas-ip: Not configured User Detection: Not configured Action for server detection: Server type Server name Action Layer3 source network: IP address Mask Destination authenticate subnet: IP address...
  • Page 201: Troubleshooting Portal

    IP pool: N/A ACL: N/A CAR: N/A Troubleshooting portal No portal authentication page is pushed for users Symptom When a user is redirected to the IMC portal authentication server, no portal authentication page or error message is prompted for the user. The login page is blank. Analysis The key configured on the portal access device and that configured on the portal authentication server are inconsistent.
  • Page 202: Cannot Log Out Portal Users On The RADIUS Server

    Cannot log out portal users on the RADIUS server Symptom The access device uses the HPE IMC server as the RADIUS server to perform identity authentication for portal users. You cannot log out the portal users on the RADIUS server.
  • Page 203 discards the portal notification packet. As a result, the portal authentication server considers that the user has failed the authentication. Solution Configure the BAS-IP or BAS-IPv6 attribute on the interface enabled with portal authentication. Make sure the attribute value is the same as the portal device IP address specified on the portal authentication server.
  • Page 204: Configuring Port Security

    Configuring port security Overview Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control. This feature applies to networks that require different authentication methods for different users on a port. Port security provides the following functions: •...
  • Page 205 Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC address or performs authentication, depending on the security mode. If the frame is illegal, the port takes the predefined NTK or intrusion protection action.
  • Page 206 A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC addresses. Instead, these MAC addresses are added to the secure MAC address table as secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.
  • Page 207: Configuration Task List

    In this mode, the port performs 802.1X authentication first. If 802.1X authentication fails, MAC authentication is performed. • macAddressOrUserLoginSecureExt. This mode is similar to the macAddressOrUserLoginSecure mode, except that this mode supports multiple 802.1X and MAC authentication users. • macAddressElseUserLoginSecure. This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority as the Else keyword implies.
  • Page 208: Setting Port Security's Limit On The Number Of Secure MAC Addresses On A Port

    You can use the undo port-security enable command to disable port security. Because the command logs off the online users, make sure no online users are present. Enabling or disabling port security resets the following security settings to the default: •...
  • Page 209: Configuring Port Security Features

    • The device supports the URL attribute assigned by a RADIUS server in the following port security modes: mac-authentication. mac-else-userlogin-secure. mac-else-userlogin-secure-ext. userlogin-secure. userlogin-secure-ext. userlogin-secure-or-mac. userlogin-secure-or-mac-ext. userlogin-withoui. During authentication, a user is redirected to the Web interface specified by the server-assigned URL attribute. After the user passes the Web authentication, the RADIUS server records the MAC address of the Web user and uses a DM (Disconnect Message) to log off the Web user.
  • Page 210: Configuring Intrusion Protection

    The NTK feature supports the following modes: • ntkonly—Forwards only unicast frames with authenticated destination MAC addresses. • ntk-withbroadcasts—Forwards only broadcast frames and unicast frames with authenticated destination MAC addresses. • ntk-withmulticasts—Forwards only broadcast frames, multicast frames, and unicast frames with authenticated destination MAC addresses.
  • Page 211: Configuring Secure Mac Addresses

    Configuring secure MAC addresses Secure MAC addresses are configured or learned in autoLearn mode. If the secure MAC addresses are saved, they can survive a device reboot. You can bind a secure MAC address only to one port in a VLAN. Secure MAC addresses include static, sticky, and dynamic secure MAC addresses.
  • Page 212: Configuration Procedure

    • Set the port security mode to autoLearn. • Configure the port to permit packets of the specified VLAN to pass or add the port to the VLAN. Make sure the VLAN already exists. Configuration procedure To configure a secure MAC address: Step Command Remarks...
  • Page 213: Enabling Mac Move

    Enabling MAC move MAC move allows 802.1X or MAC authenticated users to move between ports on a device. For example, if an authenticated 802.1X user moves to another 802.1X-enabled port on the device, the authentication session is deleted from the first port. The user is reauthenticated on the new port. If MAC move is disabled and an 802.1X authenticated user moves to another port, the user is not reauthenticated.
  • Page 214: Displaying And Maintaining Port Security

    The NAS-ID profile applied globally. If no NAS-ID profile is applied or no matching binding is found in the selected profile, the device uses the device name as the NAS-ID. For more information about the NAS-ID profile configuration, see "Configuring AAA."...
  • Page 215 Figure 68 Network diagram Configuration procedure # Enable port security. <Device> system-view [Device] port-security enable # Set the secure MAC aging timer to 30 minutes. [Device] port-security timer autolearn aging 30 # Set port security's limit on the number of secure MAC addresses to 64 on port GigabitEthernet 1/0/1.
  • Page 216: userLoginWithOUI Configuration Example

    The port allows for MAC address learning, and you can view the number of learned MAC addresses in the Current secure MAC addresses field. # Display additional information about the learned MAC addresses. [Device] interface gigabitethernet 1/0/1 [Device-GigabitEthernet1/0/1] display this interface GigabitEthernet1/0/1 port-security max-mac-count 64 port-security port-mode autolearn...
  • Page 217 Figure 69 Network diagram Configuration procedure The following configuration steps cover some AAA/RADIUS configuration commands. For more information about the commands, see Security Command Reference. Make sure the host and the RADIUS server can reach each other. Configure AAA: # Configure a RADIUS scheme named radsun. <Device>...
  • Page 218 [Device] port-security oui index 5 mac-address 1234-0500-1111 # Set the port security mode to userLoginWithOUI. [Device] interface gigabitethernet 1/0/1 [Device-GigabitEthernet1/0/1] port-security port-mode userlogin-withoui [Device-GigabitEthernet1/0/1] quit Verifying the configuration # Verify the RADIUS scheme configuration. [Device] display radius scheme radsun RADIUS Scheme Name : radsun Index : 0 Primary Auth Server:...
  • Page 219: macAddressElseUserLoginSecure Configuration Example

    Port security : Enabled AutoLearn aging time : 30 min Disableport timeout : 30 s MAC move : Denied Authorization fail : Online OUI value list Index : Value : 123401 Index : Value : 123402 Index : Value : 123403 Index : Value : 123404 Index :...
  • Page 220 Figure 70 Network diagram Configuration procedure Make sure the host and the RADIUS server can reach each other. Configure RADIUS authentication/accounting and ISP domain settings. (See "userLoginWithOUI configuration example.") Configure port security: # Enable port security. <Device> system-view [Device] port-security enable # Use MAC-based accounts for MAC authentication.
  • Page 221 Port mode : macAddressElseUserLoginSecure NeedToKnow mode : NeedToKnowOnly Intrusion protection mode : NoAction Security MAC address attribute Learning mode : Sticky Aging type : Periodical Max secure MAC addresses : 64 Current secure MAC addresses Authorization : Permitted # After users pass authentication, display MAC authentication information. Verify that port GigabitEthernet 1/0/1 allows multiple MAC authentication users to be authenticated.
  • Page 222 [Device] display dot1x interface gigabitethernet 1/0/1 Global 802.1X parameters: 802.1X authentication : Enabled CHAP authentication : Enabled Max-tx period : 30 s Handshake period : 15 s Quiet timer : Disabled Quiet period : 60 s Supp timeout : 30 s Server timeout : 100 s Reauth period...
  • Page 223: Troubleshooting Port Security

    EAP Response/Identity packets : 80 EAP Response/Challenge packets: 6 Error packets: 0 Online 802.1X users: 1 MAC address Auth state 0002-0000-0011 Authenticated # Verify that frames with an unknown destination MAC address, multicast address, or broadcast address are discarded. (Details not shown.) Troubleshooting port security Cannot set the port security mode Symptom...
  • Page 224: Configuring Password Control

    Configuring password control Overview Password control allows you to implement the following features: • Manage login and super password setup, expirations, and updates for device management users. • Control user login status based on predefined policies. Local users are divided into two types: device management users and network access users. This feature applies only to device management users.
  • Page 225: Password Updating And Expiration

    when a user configures a password, the system checks the complexity of the password. If the password is complexity-incompliant, the configuration will fail. You can apply the following password complexity requirements: • A password cannot contain the username or the reverse of the username. For example, if the username is abc, a password such as abc982 or 2cba is not complex enough.
  • Page 226: User Login Control

    Current login passwords of device management users are not stored in the password history, because a device management user password is saved in cipher text and cannot be recovered to a plaintext password. User login control First login With the global password control feature enabled, users must change the password at first login before they can access the system.
  • Page 227: FIPS Compliance

    FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. Password control configuration task list The password control features can be configured in several different views, and different views support different features.
  • Page 228: Setting Global Password Control Parameters

    Step Command Remarks
    • Step: Enable the global password control feature. Command: password-control enable. Remarks: In non-FIPS mode, the global password control feature is disabled by default. In FIPS mode, the global password control feature is enabled by default and cannot be disabled.
    • Step: (Optional.) Enable a specific ... Command: password-control { aging | ... Remarks: By default, all four password...
  • Page 229: Setting User Group Password Control Parameters

    Step Command Remarks
    • Step: Set the maximum number of history password records for each user. Command: password-control history max-record-num. Remarks: The default setting is 4.
    • Step: Configure the login attempt limit. Command: password-control login-attempt login-times [ exceed { lock | ... Remarks: By default, the maximum number of login attempts is 3 and a user failing to log in after the specified...
  • Page 230: Setting Local User Password Control Parameters

    Setting local user password control parameters
    Step Command Remarks
    • Step: Enter system view. Command: system-view.
    • Step: Create a device management user and enter local user view. Command: local-user user-name class manage. Remarks: By default, no local user exists. Local user password control applies to device management users instead of network access users.
  • Page 231: Displaying And Maintaining Password Control

    Step Command Remarks
    • Step: Enter system view. Command: system-view.
    • Step: Set the password expiration time for super passwords. Command: password-control super aging aging-time. Remarks: The default setting is 90 days.
    • Step: Configure the minimum length for super passwords. Command: password-control super length ... Remarks: In non-FIPS mode, the default setting is 10 characters.
  • Page 232: Configuration Procedure

    • An FTP or VTY user failing to provide the correct password in two successive login attempts is permanently prohibited from logging in. • A user can log in five times within 60 days after the password expires. • A password expires after 30 days. •...
  • Page 233: Verifying The Configuration

    [Sysname] password-control super length 24 # Specify that a super password must contain a minimum of four character types and a minimum of five characters for each type. [Sysname] password-control super composition type-number 4 type-length 5 # Configure a super password used for switching to user role network-operator as 123456789ABGFTweuix@#$%! in plain text.
  • Page 234 Password length: Enabled (24 characters) Password composition: Enabled (4 types, 5 characters per type) # Display the password control configuration for local user test. <Sysname> display local-user user-name test class manage Total 1 local users matched. Device management user test: State: Active Service type:...
  • Page 235: Managing Public Keys

    Managing public keys Overview This chapter describes public key management for the following asymmetric key algorithms: • Rivest-Shamir-Adleman Algorithm (RSA). • Digital Signature Algorithm (DSA). • Elliptic Curve Digital Signature Algorithm (ECDSA). Many security applications, including SSH, SSL, and PKI, use asymmetric key algorithms to secure communications between two parties, as shown in Figure 71.
  • Page 236 • Enter an appropriate key modulus length at the prompt (see Table 17). The longer the key modulus length, the higher the security, the longer the key generation time. • If you do not assign the key pair a name, the system assigns the default name to the key pair and marks the key pair as default.
  • Page 237: Distributing A Local Host Public Key

    Distributing a local host public key You must distribute a local host public key to a peer device so the peer device can perform the following operations: • Use the public key to encrypt information sent to the local device. •...
  • Page 238: Destroying A Local Key Pair

    Task Command Display local DSA public keys. display public-key local dsa public [ name key-name ] NOTE: Do not distribute the RSA server public key serverkey (default) to a peer device. Destroying a local key pair To avoid key compromise, destroy the local key pair and generate a new pair after any of the following conditions occurs: •...
  • Page 239: Entering A Peer Host Public Key

    Entering a peer host public key Before you perform this task, make sure you have displayed the key on the peer device and recorded the key. For information about displaying a host public key, see "Displaying a host public key." Use the display public-key local public command to display the public key on the peer device.
  • Page 240 Figure 72 Network diagram Device A Device B Configuration procedure Configure Device A: # Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits. <DeviceA> system-view [DeviceA] public-key local create rsa The range of public key modulus is (512 ~ 2048).
  • Page 241: Example For Importing A Public Key From A Public Key File

    [DeviceB-pkey-public-key-devicea]30819F300D06092A864886F70D010101050003818D003081 2818100DA3B90F59237347B [DeviceB-pkey-public-key-devicea]8D41B58F8143512880139EC9111BFD31EB84B6B7C7A14700 C8F04A827B30C2CAF79242E [DeviceB-pkey-public-key-devicea]45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A744 88EC54A5D31EFAE4F681257 [DeviceB-pkey-public-key-devicea]6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F B1F2D561BF66EA27DFD4788 [DeviceB-pkey-public-key-devicea]CB47440AF6BB25ACA50203010001 # Save the public key and return to system view. [DeviceB-pkey-public-key-devicea] peer-public-key end Verifying the configuration # Verify that the key is the same as on Device A. [DeviceB] display public-key peer name devicea ============================================= Key name: devicea Key type: RSA...
  • Page 242 <DeviceA> system-view [DeviceA] public-key local create rsa The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys...
  • Page 243 220 FTP service ready. User(10.1.1.1:(none)):ftp 331 Password required for ftp. Password: 230 User logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> binary 200 TYPE is now 8-bit binary ftp> get devicea.pub 227 Entering Passive Mode (10,1,1,1,118,252) 150 Accepted data connection 226 File successfully transferred 301 bytes received in 0.003 seconds (98.0 kbyte/s)
  • Page 244: Configuring SSL

    Configuring SSL Overview Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security for TCP-based application layer protocols such as HTTP. SSL has been widely used in applications such as e-business and online banking to provide secure data transmission over the Internet. SSL security services SSL provides the following security services: •...
  • Page 245: FIPS Compliance

    Figure 75 SSL protocol stack The following describes the major functions of SSL protocols: • SSL record protocol—Fragments data received from the upper layer, computes and adds MAC to the data, and encrypts the data. • SSL handshake protocol—Negotiates the cipher suite used for secure communication, authenticates the server and client, and securely exchanges the keys between the server and client.
  • Page 246 Step Command Remarks
    • Step: (Optional.) Disable specific SSL protocol versions on the device. Command: ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable. Remarks: By default, in non-FIPS mode the device supports SSL 3.0, TLS 1.0, TLS 1.1, and ...
  • Page 247: Configuring An SSL Client Policy

    Step Command Remarks
    ... rsa_rc4_128_sha } *
    • In FIPS mode: ciphersuite { ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_gcm_sha384 | ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_gcm_sha384 | rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha | rsa_aes_256_cbc_sha256 }
    Set the maximum number of...
  • Page 248 Step Command Remarks
    domain and request a local certificate for the SSL client in the PKI domain. For information about how to create and configure a PKI domain, see "Configuring PKI."
    • In non-FIPS mode: prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_128_cbc_sha256 | dhe_rsa_aes_256_cbc_sh...
  • Page 249: Displaying And Maintaining SSL

    Step Command Remarks
    ... rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha | rsa_aes_256_cbc_sha256 }
    • Step: Specify the SSL protocol version for the SSL client policy. Command (in non-FIPS mode): version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 }. Remarks: By default, an SSL client policy uses TLS 1.0. As a best practice to ensure ...
  • Page 250 • Request a client certificate for the host so that the device can authenticate the identity of the host. Configuration procedure Make sure the device, the host, and the CA server can reach each other. (Details not shown.) Configure the device: # Create a PKI entity named en.
  • Page 251 # Specify PKI domain 1 for the SSL server policy. [Device-ssl-server-policy-myssl] pki-domain 1 # Enable client authentication. [Device-ssl-server-policy-myssl] client-verify enable [Device-ssl-server-policy-myssl] quit # Configure the HTTPS service to use SSL server policy myssl. [Device] ip https ssl-server-policy myssl # Enable the HTTPS service. [Device] ip https enable # Create a local user named usera.
  • Page 252: Configuring PKI

    Configuring PKI Overview Public Key Infrastructure (PKI) is an asymmetric key infrastructure to encrypt and decrypt data for securing network services. Data encrypted with the public key can be decrypted only with the private key. Likewise, data encrypted with the private key can be decrypted only with the public key. PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity.
  • Page 253: PKI Architecture

    • The private key is compromised. • The association between the subject and CA is changed. For example, when an employee terminates employment with an organization. CA policy A CA policy is a set of criteria that a CA follows to process certificate requests, to issue and revoke certificates, and to publish CRLs.
  • Page 254: PKI Applications

    A PKI entity submits a certificate request to the RA. The RA verifies the identity of the entity and sends a digital signature containing the identity information and the public key to the CA. The CA verifies the digital signature, approves the request, and issues a certificate. After receiving the certificate from the CA, the RA sends the certificate to the certificate repositories and notifies the PKI entity that the certificate has been issued.
  • Page 255: FIPS Compliance

    FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. PKI configuration task list Tasks at a glance (Required.) Configuring a PKI entity (Required.)
  • Page 256: Configuring A PKI Domain

    Step Command Remarks
    To create multiple PKI entities, repeat this step.
    • Step: Set a common name for the entity. Command: common-name common-name-string. Remarks: By default, the common name is not set.
    • Step: Set the country code of the entity. Command: country country-code-string. Remarks: By default, the country code is not set.
  • Page 257 Step Command Remarks
    • Step: (Optional.) Set the SCEP polling interval and maximum number of polling attempts. Command: certificate request polling { count count | interval minutes }. Remarks: By default, the device polls the CA server for the certificate request status every 20 minutes. The maximum number of polling attempts ...
  • Page 258: Requesting A Certificate

    Step Command Remarks
    The device does not support the ike keyword in the current software version.
    • Step 12: Specify the source IPv4 address for the PKI protocol packets. Command: source ip { ip-address | interface ... Remarks: This task is required if the CA policy requires that the CA server accept certificate requests from a ...
  • Page 259: Configuring Automatic Certificate Request

    Configuring automatic certificate request IMPORTANT: The device does not support automatic certificate rollover. To avoid service interruptions, you must manually submit a certificate renewal request before the current certificate expires. In auto request mode, when an application works with a PKI entity that does not have a local certificate, the entity automatically submits a certificate request to the CA.
  • Page 260: Aborting A Certificate Request

    Step Command Remarks algorithm, and length of the key pair are configured in the PKI domain. Aborting a certificate request Before the CA issues a certificate, you can abort a certificate request and change its parameters, such as the common name, country code, or FQDN. You can use the display pki certificate request-status command to display the status of a certificate request.
  • Page 261: Configuration Procedure

    • If local or peer certificates already exist, you can obtain new local or peer certificates to overwrite the existing ones. If RSA is used, a PKI domain can have two local certificates, one for signature and the other for encryption. •...
  • Page 262: Verifying Certificates Without CRL Checking

    the parent certificate belongs. If CRL checking is enabled for the domains, the system checks whether or not the CA certificate has been revoked. The process continues until the root CA certificate is reached. The system verifies that each CA certificate in the certificate chain is issued by the named parent CA, starting from the root CA.
  • Page 263: Specifying The Storage Path For The Certificates And CRLs

    Specifying the storage path for the certificates and CRLs CAUTION: If you change the storage path, save the configuration before you reboot or shut down the device to avoid loss of the certificates or the CRLs. The device has a default storage path for certificates and CRLs. You can change the storage path and specify different paths for the certificates and CRLs.
  • Page 264: Removing A Certificate

    Removing a certificate You can remove the CA certificate, local certificate, or peer certificates in a PKI domain. After you remove the CA certificate, the system automatically removes the local certificates, peer certificates, and CRLs in the domain. You can remove a local certificate and request a new one when the local certificate is about to expire or the certificate's private key is compromised.
  • Page 265: Displaying And Maintaining PKI

    Step Command Remarks
    • Step: Enter system view. Command: system-view.
    • Step: Create a certificate attribute group and enter its view. Command: pki certificate attribute-group group-name. Remarks: By default, no certificate attribute groups exist.
    • Step: (Optional.) Configure an attribute rule for issuer name, ... Command: attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } ... Remarks: By default, no attribute rules are ...
  • Page 266: Requesting A Certificate From An RSA Keon CA Server

    Requesting a certificate from an RSA Keon CA server Network requirements Configure the PKI entity (the device) to request a local certificate from the CA server. Figure 79 Network diagram Configuring the RSA Keon CA server Create a CA server named myca: In this example, you must configure these basic attributes on the CA server: Nickname—Name of the trusted CA.
  • Page 267 [Device-pki-domain-torsa] certificate request entity aaa # Specify the URL of the CRL repository. [Device-pki-domain-torsa] crl url ldap://1.1.2.22:389/CN=myca # Specify a 1024-bit general-purpose RSA key pair named abc for certificate request. [Device-pki-domain-torsa] public-key rsa general name abc length 1024 [Device-pki-domain-torsa] quit Generate a local RSA key pair.
  • Page 268: Requesting A Certificate From A Windows Server 2003 CA Server

    Exponent: 65537 (0x10001) X509v3 extensions: X509v3 CRL Distribution Points: Full Name: DirName: CN = myca Signature Algorithm: sha1WithRSAEncryption To display detailed information about the CA certificate, use the display pki certificate domain command.
  • Page 269 d. Set the CA name. In this example, set the CA name to myca. Install the SCEP add-on: By default, Windows Server 2003 does not support SCEP. You must install the SCEP add-on on the server for a PKI entity to register and obtain a certificate from the server. After the SCEP add-on installation is complete, you will see a URL.
  • Page 270 [Device] public-key local create rsa name abc The range of public key size is (512 ~ 2048). If the key modulus is greater than 512,it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys...
  • Page 271 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment X509v3 Subject Key Identifier: C9:BB:D5:8B:02:1D:20:5B:40:94:15:EC:9C:16:E8:9D:6D:FD:9F:34 X509v3 Authority Key Identifier: keyid:32:F1:40:BA:9E:F1:09:81:BD:A8:49:66:FF:F8:AB:99:4A:30:21:9 X509v3 CRL Distribution Points: Full Name: URI:file://\\g07904c\CertEnroll\sec.crl Authority Information Access:...
  • Page 272: Requesting A Certificate From An OpenCA Server

    To display detailed information about the CA certificate, use the display pki certificate domain command. Requesting a certificate from an OpenCA server Network requirements Configure the PKI entity (the device) to request a local certificate from the CA server. Figure 81 Network diagram Configuring the OpenCA server The configuration is not shown.
  • Page 273 Generate RSA key pair abc. [Device] public-key local create rsa name abc The range of public key size is (512 ~ 2048). If the key modulus is greater than 512,it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys...
  • Page 274 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin Netscape Comment: User Certificate of OpenCA Labs X509v3 Subject Key Identifier: 24:71:C9:B8:AD:E1:FE:54:9A:EA:E9:14:1B:CD:D9:45:F4:B2:7A:1B...
  • Page 275: Certificate-Based Access Control Policy Configuration Example

    To display detailed information about the CA certificate, use the display pki certificate domain command. Certificate-based access control policy configuration example Network requirements As shown in Figure 82, the host accesses the device through HTTPS. Configure a certificate-based access control policy on the device to authenticate the host and verify the validity of the host's certificate.
  • Page 276: Certificate Import And Export Configuration Example

    [Device-pki-cert-attribute-group-mygroup2] attribute 1 alt-subject-name fqdn nctn apple [Device-pki-cert-attribute-group-mygroup2] attribute 2 issuer-name dn ctn aabbcc [Device-pki-cert-attribute-group-mygroup2] quit Configure a certificate-based access control policy: # Create a certificate-based access control policy named myacp. [Device] pki certificate access-control-policy myacp # Define a statement to deny the certificates that match the attribute rules in certificate attribute group mygroup1.
  • Page 277 Figure 83 Network diagram Configuration procedure Export the certificate on Device A: # Export the CA certificate to a .pem file. <DeviceA> system-view [DeviceA] pki export domain exportdomain pem ca filename pkicachain.pem # Export the local certificate to a file named pkilocal.pem in PEM format, and use 3DES_CBC to encrypt the private key with password 111111.
  • Page 278 friendlyName: localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8 subject=/C=CN/O=OpenCA Labs/OU=Users/CN=subencr 11 issuer=/C=CN/L=shangdi/ST=pukras/O=OpenCA Labs/OU=docm/CN=subca1 -----BEGIN CERTIFICATE----- MIIEUDCCAzigAwIBAgIKCHxnAVyzWhIPLzANBgkqhkiG9w0BAQsFADBmMQswCQYD … -----END CERTIFICATE----- Bag Attributes friendlyName: localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8 Key Attributes: <No Attributes>...
  • Page 279 Validity Not Before: May 26 05:56:49 2011 GMT Not After : Nov 22 05:56:49 2012 GMT Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subsign 11 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: ...
  • Page 280 Signature Algorithm: sha256WithRSAEncryption ... Certificate: Data: Version: 3 (0x2) Serial Number: 08:7c:67:01:5c:b3:5a:12:0f:2f Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=docm, CN=subca1 Validity Not Before: May 26 05:58:26 2011 GMT Not After : Nov 22 05:58:26 2012 GMT Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subencr 11 Subject Public Key Info:...
  • Page 281: Troubleshooting PKI Configuration

    Key Encipherment, Data Encipherment Netscape Comment: VPN Server of OpenCA Labs X509v3 Subject Key Identifier: CC:96:03:2F:FC:74:74:45:61:38:1F:48:C0:E8:AA:18:24:F0:2B:AB X509v3 Authority Key Identifier: keyid:70:54:40:61:71:31:02:06:8C:62:11:0A:CC:A5:DB:0E:7E:74:DE:DD X509v3 Subject Alternative Name: email:subencr@docm.com X509v3 Issuer Alternative Name: DNS:subca1@docm.com, DNS:, IP Address:1.1.2.2, IP Address:2.2.1.1 Authority Information Access: CA Issuers - URI:http://titan/pki/pub/cacert/cacert.crt OCSP - URI:http://titan:2560/ 1.3.6.1.5.5.7.48.12 - URI:http://titan:830/ X509v3 CRL Distribution Points:...
  • Page 282: Failed To Obtain The CA Certificate

    Failed to obtain the CA certificate Symptom The CA certificate cannot be obtained. Analysis • The network connection is down, for example, because the network cable is damaged or the connectors have bad contact. • No trusted CA is specified. •...
  • Page 283: Failed To Request Local Certificates

    Specify the key pair for certificate request, or remove the existing key pair, specify a new key pair, and submit a local certificate request again. Check the registration policy on the CA or RA, and make sure the attributes of the PKI entity meet the policy requirements.
  • Page 284: Failed To Obtain CRLs

    Failed to obtain CRLs Symptom CRLs cannot be obtained. Analysis • The network connection is down, for example, because the network cable is damaged or the connectors have bad contact. • The PKI domain does not have a CA certificate before you try to obtain CRLs. •...
  • Page 285: Failed To Import The Local Certificate

    Solution Use the undo crl check enable command to disable CRL checking in the PKI domain. Make sure the format of the imported file is correct. If the problem persists, contact Hewlett Packard Enterprise Support. Failed to import the local certificate Symptom The local certificate cannot be imported.
  • Page 286: Failed To Set The Storage Path

    Solution Obtain or request local certificates first. Use the mkdir command to create the required path. Specify a correct export path. Configure the correct key pair in the PKI domain. Clear up the storage space of the device. If the problem persists, contact Hewlett Packard Enterprise Support. Failed to set the storage path Symptom The storage path for certificates or CRLs cannot be set.
  • Page 287: Configuring SSH

    Configuring SSH Overview Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. SSH uses the typical client-server model to establish a channel for secure data transfer based on TCP.
  • Page 288: SSH Authentication Methods

    Stages Description Version negotiation The two parties determine a version to use after negotiation. SSH supports multiple algorithms. Based on the local algorithms, the two parties determine to use the following algorithms: • Key exchange algorithm for generating session keys. Algorithm negotiation •...
  • Page 289: SSH Support For Suite B

    NOTE: SSH1 clients do not support secondary password authentication that is initiated by the AAA server. Publickey authentication The server authenticates a client by verifying the digital signature of the client. The publickey authentication process is as follows: The client sends the server a publickey authentication request that includes the username, public key, and public key algorithm name.
  • Page 290: FIPS Compliance

    FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see "Configuring FIPS." Configuring the device as an SSH server SSH server configuration task list Tasks at a glance Remarks...
  • Page 291: Enabling The Stelnet Server

    • SSH supports locally generated DSA, RSA, and ECDSA key pairs only with default names. • To support SSH clients that use different types of key pairs, generate DSA, RSA, and ECDSA key pairs on the SSH server. • The SSH server operating in FIPS mode supports only RSA and ECDSA key pairs. If both RSA and ECDSA key pairs exist on the server, the server uses the ECDSA key pair.
  • Page 292: Enabling The SCP Server

    Enabling the SCP server After you enable the SCP server on the device, a client can log in to the device through SCP. When acting as an SCP server, the device does not support SCP connections initiated by SSH1 clients. To enable the SCP server: Step Command...
  • Page 293: Configuring A Client's Host Public Key

    Step Command Remarks
    • Step: Set the login authentication mode to scheme. Command: authentication-mode scheme. Remarks: By default, the authentication mode is password. For more information about this command, see Fundamentals Command Reference.
    Configuring a client's host public key In publickey authentication, the server compares the SSH username and the client's host public key received from the client with the locally saved SSH username and the client's host public key.
  • Page 294: Configuring An SSH User

    Step Command
    • Step: Enter system view. Command: system-view.
    • Step: Import a client's public key from the public key file. Command: public-key peer keyname import sshkey filename.
    Configuring an SSH user Configure an SSH user and a local user depending on the authentication method. • If the authentication method is publickey, you must create an SSH user and a local user on the SSH server.
  • Page 295: Configuring The SSH Management Parameters

    For a client that sends the user's public key information to the server through a digital certificate, specify a PKI domain on the server to verify the client's digital certificate. For successful verification, the specified PKI domain must have the correct CA certificate. To specify the PKI domain, use the ssh user or ssh server pki-domain command.
  • Page 296: Specifying A PKI Domain For The SSH Server

    Step Command Remarks
    • Step: Specify an ACL to control SSH user connections. Command: to control IPv4 SSH user connections, ssh server acl acl-number; to control IPv6 SSH user connections, ssh server ipv6 acl [ ipv6 ] acl-number. Remarks: By default, all SSH users are allowed to initiate connections with the SSH server.
  • Page 297: Specifying The Source IP Address For SSH Packets

    Tasks at a glance (Optional.) Establishing a connection to an Stelnet server based on Suite B Specifying the source IP address for SSH packets As a best practice, specify the IP address of the loopback interface as the source address of SSH packets for the following purposes: •...
  • Page 298 Task Command Remarks • (In non-FIPS mode.) Establish a connection to an IPv4 Stelnet server: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm |...
  • Page 299 Task Command Remarks • (In non-FIPS mode.) Establish a connection to an IPv6 Stelnet server: ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc |...
  • Page 300: Establishing A Connection To An Stelnet Server Based On Suite B

    Establishing a connection to an Stelnet server based on Suite B Task Command Remarks • Establish a connection to an IPv4 Stelnet server based on Suite B: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value |...
  • Page 301: Establishing A Connection To An SFTP Server

    Step Command Remarks
    • Step: Enter system view. Command: system-view.
    • Step: Specify the source IPv4 address for SFTP packets. Command: sftp client source { ip ip-address | interface interface-type ... Remarks: By default, the source IP address for SFTP packets is not configured. The IPv4 SFTP packets use the primary IP address of the output...
  • Page 302 Task Command Remarks • (In non-FIPS mode.) Establish a connection to an IPv4 SFTP server: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } |...
  • Page 303: Establishing A Connection To An Sftp Server Based On Suite B

    Task Command Remarks • (In non-FIPS mode.) Establish a connection to an IPv6 SFTP server: sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc |...
  • Page 304: Working With Sftp Directories

    Task Command Remarks • Establish a connection to an IPv4 SFTP server based on Suite B: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | source { interface interface-type Available in user view.
  • Page 305: Displaying Help Information

    Task Command Remarks. Display files under a directory: dir [ -a | -l ] [ remote-path ] or ls [ -a | -l ] [ remote-path ]. Both are available in SFTP client view; the dir command has the same function as the ls command.
  • Page 306 Task Command Remarks • (In non-FIPS mode.) Connect to an IPv4 SCP server, and transfer files with this server: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib |...
  • Page 307 Task Command Remarks • (In non-FIPS mode.) Connect to an IPv6 SCP server, and transfer files with this server: scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain...
  • Page 308: Establishing A Connection To An Scp Server Based On Suite B

    Establishing a connection to an SCP server based on Suite B Task Command Remarks • Establish a connection to an IPv4 SCP server based on Suite B: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain...
  • Page 309: Specifying Public Key Algorithms For Ssh2

    Step Command Remarks. Specify key exchange algorithms for SSH2. In non-FIPS mode: ssh2 algorithm key-exchange { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } *. By default, SSH2 uses the key exchange algorithms ecdh-sha2-nistp256, ecdh-sha2-nistp384, dh-group-exchange-sha1, dh-group14-sha1, and ... •...
  • Page 310: Specifying Mac Algorithms For Ssh2

    Specifying MAC algorithms for SSH2. Step Command Remarks. Enter system view: system-view. Specify MAC algorithms for SSH2. In non-FIPS mode: ssh2 algorithm mac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } *. By default, SSH2 uses the MAC algorithms sha2-256, sha2-512, sha1, md5, sha1-96, and ... •...
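The two algorithm tables above share one practical consequence: a switch that never had `ssh2 algorithm key-exchange` or `ssh2 algorithm mac` configured still offers SHA-1 key exchange and MD5/truncated MACs, because those are in the defaults. The following script is an added example, written for this page and not part of the guide or the switch software. It pulls the `ssh2 algorithm` lines out of a Comware-style configuration text, fills in the defaults the guide lists for any kind that is not configured (the guide's default lists are truncated in the extract, so only the entries it shows are used), and flags what a reviewer would want removed. The weak/legacy classification is the example's own assessment, and the two configuration texts are constructed, not taken from the guide.

```python
"""Audit the SSH2 algorithm lines of a Comware-style configuration.

Added example (not from the HPE guide). It reads the `ssh2 algorithm ...`
commands described on the pages above out of a configuration text, applies
the guide's documented defaults where a line is absent, and flags
algorithms a reviewer would not want on a management plane.
"""
import re

# Non-FIPS defaults as listed on the pages above (the guide's lists are cut
# off in the extract; only the entries it shows are reproduced here).
DEFAULTS = {
    "key-exchange": ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
                     "dh-group-exchange-sha1", "dh-group14-sha1"],
    "mac": ["sha2-256", "sha2-512", "sha1", "md5", "sha1-96"],
}

# Assessment used by this example: "weak" = broken or undersized,
# "legacy" = still SHA-1 or CBC based and worth retiring.
WEAK = {"des-cbc", "3des-cbc", "md5", "md5-96", "sha1-96", "dh-group1-sha1", "dsa"}
LEGACY = {"aes128-cbc", "aes256-cbc", "sha1", "dh-group14-sha1", "dh-group-exchange-sha1"}

LINE_RE = re.compile(r"^\s*ssh2 algorithm (key-exchange|mac|cipher|public-key)\s+(.+?)\s*$")


def parse_ssh2_algorithms(config_text):
    """Return {kind: [algorithms...]} for every `ssh2 algorithm` line found."""
    found = {}
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2).split()
    return found


def effective_algorithms(config_text):
    """Configured lines win; otherwise the documented default list applies."""
    effective = {kind: list(algs) for kind, algs in DEFAULTS.items()}
    effective.update(parse_ssh2_algorithms(config_text))
    return effective


def audit(config_text):
    """Return a list of (kind, algorithm, severity, source) findings."""
    configured = parse_ssh2_algorithms(config_text)
    findings = []
    for kind, algs in effective_algorithms(config_text).items():
        source = "configured" if kind in configured else "default"
        for alg in algs:
            if alg in WEAK:
                findings.append((kind, alg, "weak", source))
            elif alg in LEGACY:
                findings.append((kind, alg, "legacy", source))
    return findings


# Constructed sample: ciphers were restricted, key exchange and MAC were not.
SAMPLE_CONFIG = """\
 ssh server enable
 ssh2 algorithm cipher aes128-ctr aes256-ctr aes256-gcm
 ssh2 algorithm public-key rsa ecdsa
"""

# The same box after the two missing lines are added.
HARDENED_CONFIG = SAMPLE_CONFIG + """\
 ssh2 algorithm key-exchange ecdh-sha2-nistp256 ecdh-sha2-nistp384
 ssh2 algorithm mac sha2-256 sha2-512
"""

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", len(audit(cfg)), "finding(s)")
        for kind, alg, severity, source in audit(cfg):
            print("  %-12s %-24s %-6s (%s)" % (kind, alg, severity, source))
```

Run it over a saved `display current-configuration` and the point of the exercise shows up in the `source` column: every finding on the sample box comes from a default, not from anything an administrator typed.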
  • Page 311 Establish an Stelnet connection between the host and the switch, so you can log in to the switch to manage configurations. Figure 84 Network diagram Stelnet client Stelnet server Vlan-int2 192.168.1.56/24 192.168.1.40/24 Host Switch Configuration procedure Configure the Stelnet server: # Generate RSA key pairs.
  • Page 312 [Switch-line-vty0-15] authentication-mode scheme [Switch-line-vty0-15] quit # Create a local device management user client001. [Switch] local-user client001 class manage # Set the password to aabbcc in plain text for the local user client001. [Switch-luser-manage-client001] password simple aabbcc # Authorize the local user client001 to use the SSH service. [Switch-luser-manage-client001] service-type ssh # Assign the user role network-admin to the local user client001.
  • Page 313: Publickey Authentication Enabled Stelnet Server Configuration Example

    If the connection is successfully established, the system notifies you to enter the username and password. After entering the username (client001 in this example) and password (aabbcc in this example), you can enter the CLI of the server. Publickey authentication enabled Stelnet server configuration example Network requirements As shown in...
  • Page 314 Figure 87 Generating a key pair on the client b. Continuously move the mouse and do not place the mouse over the green progress bar shown in Figure 88. Otherwise, the progress bar stops moving and the key pair generating progress stops.
  • Page 315 c. After the key pair is generated, click Save public key to save the public key. A file saving window appears. Figure 89 Saving a key pair on the client d. Enter a file name (key.pub in this example), and click Save. e.
  • Page 316 The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys..++++++++++++++++++++++++++++++++++++++++++++++++++* ..+..+..+........+ ...+....+..+...+ Create the key pair successfully.
  • Page 317 Figure 90 Specifying the host name (or IP address) c. Select Connection > SSH from the navigation tree. The window shown in Figure 91 appears. d. Specify the Preferred SSH protocol version as 2. Figure 91 Specifying the preferred SSH version...
  • Page 318: Password Authentication Enabled Stelnet Client Configuration Example

    e. Select Connection > SSH > Auth from the navigation tree. The window shown in Figure 92 appears. f. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this example), and click OK. Figure 92 Specifying the private key file a.
  • Page 319 Configuration procedure Configure the Stelnet server: # Generate RSA key pairs. <SwitchB> system-view [SwitchB] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 320 # Assign the user role network-admin to the local user client001. [SwitchB-luser-manage-client001] authorization-attribute user-role network-admin [SwitchB-luser-manage-client001] quit # Create an SSH user client001. Specify the service type as stelnet and the authentication method as password for the user. [SwitchB] ssh user client001 service-type stelnet authentication-type password Establish a connection to the Stelnet server: # Assign an IP address to VLAN-interface 2.
  • Page 321: Publickey Authentication Enabled Stelnet Client Configuration Example

    01F7C62621216D5A572C379A32AC290 [SwitchA-pkey-public-key-key1]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465 8716261214A5A3B493E866991113B2D [SwitchA-pkey-public-key-key1]485348 [SwitchA-pkey-public-key-key1] peer-public-key end [SwitchA] quit # Establish an SSH connection to the server, and specify the host public key of the server. <SwitchA> ssh2 192.168.1.40 publickey key1 Username: client001 client001@192.168.1.40's password: After you enter the correct password, you successfully log in to Switch B. If the client does not have the server's host public key, the system will notify you to confirm the further access when you access the server.
  • Page 322 # Generate a DSA key pair. [SwitchA] public-key local create dsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys...
  • Page 323: Stelnet Configuration Example Based On 128-Bit Suite B Algorithms

    [SwitchB] interface vlan-interface 2 [SwitchB-Vlan-interface2] ip address 192.168.1.40 255.255.255.0 [SwitchB-Vlan-interface2] quit # Set the authentication mode to AAA for the user lines. [SwitchB] line vty 0 15 [SwitchB-line-vty0-15] authentication-mode scheme [SwitchB-line-vty0-15] quit # Import the peer public key from the file key.pub, and name it switchkey. [SwitchB] public-key peer switchkey import sshkey key.pub # Create an SSH user client002.
  • Page 324 NOTE: You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as an Stelnet client. # Upload the server's certificate file ssh-server-ecdsa256.p12 and the client's certificate file ssh-client-ecdsa256.p12 to the Stelnet client through FTP or TFTP. (Details not shown.) # Create a PKI domain named server256 for verifying the server's certificate and enter its view.
  • Page 325 Data: Version: 3 (0x2) Serial Number: 4 (0x4) Signature Algorithm: ecdsa-with-SHA256 Issuer: C=CN, ST=Beijing, L=Beijing, O=HPE, OU=Software, CN=SuiteB CA Validity Not Before: Aug 21 08:41:09 2015 GMT Not After : Aug 20 08:41:09 2016 GMT Subject: C=CN, ST=Beijing, O=HPE, OU=Software, CN=SSH Client secp256...
  • Page 326 Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:da:e2:26:45:87:7a:63:20:e7:ca:7f:82:19:f5: 96:88:3e:25:46:f8:2f:9a:4c:70:61:35:db:e4:39: b8:38:c4:60:4a:65:28:49:14:32:3c:cc:6d:cd:34: 29:83:84:74:a7:2d:0e:75:1c:c2:52:58:1e:22:16: 12:d0:b4:8a:92 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 1A:61:60:4D:76:40:B8:BA:5D:A1:3C:60:BC:57:98:35:20:79:80:FC X509v3 Authority Key Identifier: keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22 Signature Algorithm: ecdsa-with-SHA256 30:66:02:31:00:9a:6d:fd:7d:ab:ae:54:9a:81:71:e6:bb:ad: 5a:2e:dc:1d:b3:8a:bf:ce:ee:71:4e:8f:d9:93:7f:a3:48:a1:...
  • Page 327: Sftp Configuration Examples

    [SwitchB] ssh server enable # Assign an IP address to VLAN-interface 2. [SwitchB] interface vlan-interface 2 [SwitchB-Vlan-interface2] ip address 192.168.1.40 255.255.255.0 [SwitchB-Vlan-interface2] quit # Set the authentication mode to AAA for user lines. [SwitchB] line vty 0 15 [SwitchB-line-vty0-15] authentication-mode scheme [SwitchB-line-vty0-15] quit # Create a local device management user client001.
  • Page 328: Password Authentication Enabled Sftp Server Configuration Example

    Password authentication enabled SFTP server configuration example Network requirements As shown in Figure • The switch acts as the SFTP server and uses password authentication. • The username and password of the client are saved on the switch. Establish an SFTP connection between the host and the switch, so you can log in to the switch to manage and transfer files.
  • Page 329 # Enable the SFTP server. [Switch] sftp server enable # Assign an IP address to VLAN-interface 2. The client uses this address as the destination for SSH connection. [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.45 255.255.255.0 [Switch-Vlan-interface2] quit # Create a local device management user client002. [Switch] local-user client002 class manage # Set the password to aabbcc in plain text for the local user client002.
  • Page 330: Publickey Authentication Enabled Sftp Client Configuration Example

    Figure 97 SFTP client interface Publickey authentication enabled SFTP client configuration example Network requirements As shown in Figure 98, Switch B acts as the SFTP server, and it uses publickey authentication and the RSA public key algorithm. Establish an SFTP connection between Switch A and Switch B, so you can log in to Switch B to manage and transfer files.
  • Page 331 If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys......++++++ ....++++++ ..++++++++ ....++++++++ Create the key pair successfully. # Export the host public key to the file pubkey. [SwitchA] public-key local export rsa ssh2 pubkey [SwitchA] quit # Transmit the public key file pubkey to the server through FTP or TFTP.
  • Page 332 [SwitchB-Vlan-interface2] quit # Import the peer public key from the file pubkey, and name it switchkey. [SwitchB] public-key peer switchkey import sshkey pubkey # Create an SSH user client001. Specify the service type as sftp and the authentication method as publickey for the user. Assign the public key switchkey to the user. [SwitchB] ssh user client001 service-type sftp authentication-type publickey assign publickey switchkey # Create a local device management user client001.
  • Page 333: Sftp Configuration Example Based On 192-Bit Suite B Algorithms

    -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06:30 new1 # Rename directory new1 to new2 and verify the result. sftp> rename new1 new2 sftp> dir -l -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup...
  • Page 334 NOTE: You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as an SFTP client. # Upload the server's certificate file ssh-server-ecdsa384.p12 and the client's certificate file ssh-client-ecdsa384.p12 to the SFTP client through FTP or TFTP. (Details not shown.) # Create a PKI domain named server384 for verifying the server's certificate and enter its view.
  • Page 335 Data: Version: 3 (0x2) Serial Number: 2 (0x2) Signature Algorithm: ecdsa-with-SHA384 Issuer: C=CN, ST=Beijing, L=Beijing, O=HPE, OU=Software, CN=SuiteB CA Validity Not Before: Aug 20 10:10:59 2015 GMT Not After : Aug 19 10:10:59 2016 GMT Subject: C=CN, ST=Beijing, O=HPE, OU=Software, CN=ssh client...
  • Page 336 Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit) pub: 04:85:7c:8b:f4:7a:36:bf:74:f6:7c:72:f9:08:69: d0:b9:ac:89:98:17:c9:fc:89:94:43:da:9a:a6:89: 41:d3:72:24:9b:9a:29:a8:d1:ba:b4:e5:77:ba:fc: df:ae:c6:dd:46:72:ab:bc:d1:7f:18:7d:54:88:f6: b4:06:54:7e:e7:4d:49:b4:07:dc:30:54:4b:b6:5b: 01:10:51:6b:0c:6d:a3:b1:4b:c9:d9:6c:d6:be:13: 91:70:31:2a:92:00:76 ASN1 OID: secp384r1 NIST CURVE: P-384 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: BD:5F:8E:4F:7B:FE:74:03:5A:D1:94:DB:CA:A7:82:D6:F7:78:A1:B0 X509v3 Authority Key Identifier: keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22...
  • Page 337: Scp Configuration Examples

    # Enable the SFTP server. [SwitchB] sftp server enable # Assign an IP address to VLAN-interface 2. [SwitchB] interface vlan-interface 2 [SwitchB-Vlan-interface2] ip address 192.168.0.1 255.255.255.0 [SwitchB-Vlan-interface2] quit # Set the authentication mode to AAA for user lines. [SwitchB] line vty 0 15 [SwitchB-line-vty0-15] authentication-mode scheme [SwitchB-line-vty0-15] quit # Create a local device management user client001.
  • Page 338 Figure 100 Network diagram Configuration procedure Configure the SCP server: # Generate RSA key pairs. <SwitchB> system-view [SwitchB] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 339: Scp Configuration Example Based On Suite B Algorithms

    # Authorize the local user client001 to use the SSH service. [SwitchB-luser-manage-client001] service-type ssh # Assign the user role network-admin to the local user client001. [SwitchB-luser-manage-client001] authorization-attribute user-role network-admin [SwitchB-luser-manage-client001] quit # Configure the SSH user client001. Specify the service type as scp and the authentication method as password for the user.
  • Page 340 NOTE: You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as an SCP client. # Upload the server's certificate files (ssh-server-ecdsa256.p12 and ssh-server-ecdsa384.p12) and the client's certificate files (ssh-client-ecdsa256.p12 and ssh-client-ecdsa384.p12) to the SCP client through FTP or TFTP.
  • Page 341 Data: Version: 3 (0x2) Serial Number: 4 (0x4) Signature Algorithm: ecdsa-with-SHA256 Issuer: C=CN, ST=Beijing, L=Beijing, O=HPE, OU=Software, CN=SuiteB CA Validity Not Before: Aug 21 08:41:09 2015 GMT Not After : Aug 20 08:41:09 2016 GMT Subject: C=CN, ST=Beijing, O=HPE, OU=Software, CN=SSH Client secp256...
  • Page 342 Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: ecdsa-with-SHA384 Issuer: C=CN, ST=Beijing, L=Beijing, O=HPE, OU=Software, CN=SuiteB CA Validity Not Before: Aug 20 10:08:41 2015 GMT Not After : Aug 19 10:08:41 2016 GMT Subject: C=CN, ST=Beijing, O=HPE, OU=Software, CN=ssh server...
  • Page 343 Data: Version: 3 (0x2) Serial Number: 2 (0x2) Signature Algorithm: ecdsa-with-SHA384 Issuer: C=CN, ST=Beijing, L=Beijing, O=HPE, OU=Software, CN=SuiteB CA Validity Not Before: Aug 20 10:10:59 2015 GMT Not After : Aug 19 10:10:59 2016 GMT Subject: C=CN, ST=Beijing, O=HPE, OU=Software, CN=ssh client...
  • Page 344 Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit) pub: 04:85:7c:8b:f4:7a:36:bf:74:f6:7c:72:f9:08:69: d0:b9:ac:89:98:17:c9:fc:89:94:43:da:9a:a6:89: 41:d3:72:24:9b:9a:29:a8:d1:ba:b4:e5:77:ba:fc: df:ae:c6:dd:46:72:ab:bc:d1:7f:18:7d:54:88:f6: b4:06:54:7e:e7:4d:49:b4:07:dc:30:54:4b:b6:5b: 01:10:51:6b:0c:6d:a3:b1:4b:c9:d9:6c:d6:be:13: 91:70:31:2a:92:00:76 ASN1 OID: secp384r1 NIST CURVE: P-384 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: BD:5F:8E:4F:7B:FE:74:03:5A:D1:94:DB:CA:A7:82:D6:F7:78:A1:B0 X509v3 Authority Key Identifier: keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22 Signature Algorithm: ecdsa-with-SHA384 30:66:02:31:00:d2:06:fa:2c:0b:0d:f0:81:90:01:c3:3d:bf:...
  • Page 345 [SwitchB] ssh2 algorithm public-key x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 # Enable the SCP server. [SwitchB] scp server enable # Assign an IP address to VLAN-interface 2. [SwitchB] interface vlan-interface 2 [SwitchB-Vlan-interface2] ip address 192.168.0.1 255.255.255.0 [SwitchB-Vlan-interface2] quit # Set the authentication mode to AAA for user lines. [SwitchB] line vty 0 15 [SwitchB-line-vty0-15] authentication-mode scheme [SwitchB-line-vty0-15] quit...
  • Page 346: Netconf Over Ssh Configuration Example With Password Authentication

    # Establish an SCP connection to the SCP server 192.168.0.1 based on the 192-bit Suite B algorithms. <SwitchA> scp 192.168.0.1 get src.cfg suite-b 192-bit pki-domain client384 server-pki-domain server384 Username: client002 Press CTRL+C to abort. Connecting to 192.168.0.1 port 22. src.cfg 100% 4814 4.7KB/s...
  • Page 347 ......++++++ ....++++++ ..++++++++ ....++++++++ Create the key pair successfully. # Generate a DSA key pair. [Switch] public-key local create dsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 348: Verifying The Configuration

    Verifying the configuration # Verify that you can perform NETCONF operations after logging in to the switch. (Details not shown.)
  • Page 349: Configuring Ip Source Guard

    Configuring IP source guard Overview IP source guard (IPSG) prevents spoofing attacks by using an IPSG binding table to match legitimate packets. It drops all packets that do not match the table. IPSG is a per-interface packet filter. The feature configured on one interface does not affect packet forwarding on another interface. The IPSG binding table can include the following bindings: •...
  • Page 350: Dynamic Ipsg Bindings

    Dynamic IPSG bindings IPSG automatically obtains user information from other modules to generate dynamic bindings. The source modules include 802.1X, DHCP relay, DHCP snooping, DHCPv6 snooping, and DHCP server. DHCP-based IPSG bindings are suitable for scenarios where hosts on a LAN obtain IP addresses through DHCP.
  • Page 351: Configuring The Ipv4Sg Feature

    Configuring the IPv4SG feature You cannot configure the IPv4SG feature on a service loopback interface. If IPv4SG is enabled on an interface, you cannot assign the interface to a service loopback group. Enabling IPv4SG on an interface When you enable IPSG on an interface, the static and dynamic IPSG are both enabled. •...
  • Page 352: Configuring The Ipv6Sg Feature

    Step Command Remarks. Enter interface view: interface interface-type interface-number. The following interface types are supported: Layer 2 Ethernet port, Layer 3 Ethernet interface, VLAN interface. By default, no static IPv4SG binding is configured on an interface. The vlan vlan-id option is supported only in Layer 2 Ethernet interface view.
  • Page 353: Displaying And Maintaining Ipsg

    Interface-specific static bindings take priority over global static bindings. An interface first uses the static bindings on the interface to match packets. If no match is found, the interface uses the global bindings. Configuring a global static IPv6SG binding Step Command Remarks Enter system view.
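The lookup order just described (interface bindings first, then global bindings, drop on no match, and no filtering at all on interfaces where IPSG is not enabled) is easy to get wrong when reading a configuration. The following model is an added example written for this page; it is not the switch's implementation. It keeps bindings as (IP, MAC, VLAN, interface) tuples, with `interface=None` for a global binding and `vlan=None` for "any VLAN", and reports which scope matched. The topology in `build_sample()` is constructed; the Host A address and MAC are the ones used in the static IPv4SG example below, Host B's are made up.

```python
"""IP source guard (IPSG) binding-table lookup, as an added example.

This is a model written for this page, not the switch's implementation.
It follows the behaviour the guide describes: IPSG is a per-interface
filter; an interface with IPSG enabled first tries its own static
bindings, then the global static bindings, and drops a packet that
matches neither; interfaces without IPSG forward everything.
"""
from collections import namedtuple

# A global binding has interface=None; vlan=None means "any VLAN"
# (the guide only allows the vlan option on Layer 2 Ethernet interfaces).
Binding = namedtuple("Binding", "ip mac vlan interface")
Packet = namedtuple("Packet", "src_ip src_mac vlan in_interface")


class IpSourceGuard:
    def __init__(self):
        self.enabled = {}    # interface -> attributes checked, e.g. {"ip", "mac"}
        self.bindings = []   # static bindings, interface-specific and global

    def enable(self, interface, check=("ip", "mac")):
        """Model of `ip verify source ip-address mac-address` in interface view."""
        self.enabled[interface] = set(check)

    def add_binding(self, ip, mac, vlan=None, interface=None):
        """Model of `ip source binding ...` in system view (global) or interface view."""
        self.bindings.append(Binding(ip, mac.lower(), vlan, interface))

    def _matches(self, b, pkt, check):
        if "ip" in check and b.ip != pkt.src_ip:
            return False
        if "mac" in check and b.mac != pkt.src_mac.lower():
            return False
        if b.vlan is not None and b.vlan != pkt.vlan:
            return False
        return True

    def lookup(self, pkt):
        """Return ("interface", binding), ("global", binding) or None.

        Interface-specific bindings are consulted first; global ones only
        when no interface binding matched, as the guide specifies.
        """
        check = self.enabled[pkt.in_interface]
        for scope in ("interface", "global"):
            wanted = pkt.in_interface if scope == "interface" else None
            for b in self.bindings:
                if b.interface == wanted and self._matches(b, pkt, check):
                    return scope, b
        return None

    def permit(self, pkt):
        """True if the packet is forwarded, False if IPSG drops it."""
        if pkt.in_interface not in self.enabled:
            return True   # IPSG not enabled on this interface: no filtering here
        return self.lookup(pkt) is not None


def build_sample():
    """Constructed topology (not the guide's): IPSG on GE1/0/1 and GE1/0/2,
    a global binding for Host A and an interface binding for Host B.
    Host B's MAC address is made up."""
    g = IpSourceGuard()
    g.enable("GE1/0/1")
    g.enable("GE1/0/2")
    g.add_binding("192.168.0.1", "0001-0203-0406")                        # Host A, global
    g.add_binding("192.168.0.2", "0001-0203-0407", interface="GE1/0/1")   # Host B, GE1/0/1 only
    return g


if __name__ == "__main__":
    g = build_sample()
    for pkt in (
        Packet("192.168.0.1", "0001-0203-0406", 1, "GE1/0/2"),   # Host A on any IPSG port
        Packet("192.168.0.2", "0001-0203-0407", 1, "GE1/0/1"),   # Host B on its own port
        Packet("192.168.0.2", "0001-0203-0407", 1, "GE1/0/2"),   # Host B moved: no binding there
        Packet("192.168.0.1", "0001-0203-0407", 1, "GE1/0/2"),   # Host B spoofing Host A's IP
        Packet("10.9.9.9", "0000-0000-0001", 1, "GE1/0/3"),      # port without IPSG
    ):
        verdict = "forward" if g.permit(pkt) else "drop"
        print(pkt, "->", verdict)
```

The third packet is the case that surprises people: a host with a perfectly valid interface binding is dropped as soon as it is patched into another IPSG-enabled port, because interface bindings do not travel with the host and the global table knows nothing about it.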
  • Page 354: Ipsg Configuration Examples

    IPSG configuration examples Static IPv4SG configuration example Network requirements As shown in Figure 104, all hosts use static IP addresses. Configure static IPv4SG bindings on Device A and Device B to meet the following requirements: • GigabitEthernet 1/0/2 of Device A allows only IP packets from Host C to pass. •...
  • Page 355: Dynamic Ipv4Sg Using Dhcp Snooping Configuration Example

    [DeviceB] interface gigabitethernet 1/0/2 [DeviceB-GigabitEthernet1/0/2] ip verify source ip-address mac-address [DeviceB-GigabitEthernet1/0/2] quit # Configure a static IPv4SG binding for Host A. [DeviceB] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406 # Enable IPv4SG on GigabitEthernet 1/0/1. [DeviceB] interface gigabitethernet 1/0/1 [DeviceB-GigabitEthernet1/0/1] ip verify source ip-address mac-address # On GigabitEthernet 1/0/1, configure a static IPv4SG binding for Host B.
  • Page 356: Dynamic Ipv4Sg Using Dhcp Relay Configuration Example

    Configuration procedure Configure the DHCP server. For information about DHCP server configuration, see Layer 3—IP Services Configuration Guide. Configure the device: # Configure IP addresses for the interfaces. (Details not shown.) # Enable DHCP snooping. <Device> system-view [Device] dhcp snooping enable # Configure GigabitEthernet 1/0/2 as a trusted interface.
  • Page 357: Static Ipv6Sg Configuration Example

    <Switch> system-view [Switch] interface vlan-interface 100 [Switch-Vlan-interface100] ip verify source ip-address mac-address [Switch-Vlan-interface100] quit Configure the DHCP relay agent: # Enable the DHCP service. [Switch] dhcp enable # Enable recording DHCP relay client entries. [Switch] dhcp relay client-information record # Configure VLAN-interface 100 to operate in DHCP relay mode. [Switch] interface vlan-interface 100 [Switch-Vlan-interface100] dhcp select relay # Specify the IP address of the DHCP server.
  • Page 358: Dynamic Ipv6Sg Using Dhcpv6 Snooping Configuration Example

    Total entries found: 1 IPv6 Address MAC Address Interface VLAN Type 2001::1 0001-0202-0202 GE1/0/1 Static Dynamic IPv6SG using DHCPv6 snooping configuration example Network requirements As shown in Figure 108, the host (the DHCPv6 client) obtains an IP address from the DHCPv6 server. Perform the following tasks: •...
  • Page 359: Configuring Arp Attack Protection

    Configuring ARP attack protection ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks. Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
  • Page 360: Configuring Arp Source Suppression

    • ARP blackhole routing—Creates a blackhole route destined for an unresolved IP address. The device drops all matching packets until the blackhole route is deleted. A blackhole route is deleted when its aging timer (25 seconds) is reached or the route becomes reachable. After a blackhole route is created for an unresolved IP address, the device immediately starts the first ARP blackhole route probe by sending an ARP request.
  • Page 361: Configuration Example

    Configuration example Network requirements As shown in Figure 109, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20. Each area connects to the gateway (Device) through an access switch. A large number of ARP requests are detected in the office area and are considered an attack caused by unresolvable IP packets.
  • Page 362: Configuring Arp Packet Rate Limit

    Configuring ARP packet rate limit The ARP packet rate limit feature allows you to limit the rate of ARP packets delivered to the CPU. An ARP detection enabled device will send all received ARP packets to the CPU for inspection. Processing excessive ARP packets will make the device malfunction or even crash.
  • Page 363: Configuring Source Mac-Based Arp Attack Detection

    Configuring source MAC-based ARP attack detection This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within 5 seconds exceeds a threshold, the device adds the MAC address to an ARP attack entry.
  • Page 364: Configuration Example

    Task Command. Display ARP attack entries detected by source MAC-based ARP attack detection (in standalone mode): display arp source-mac { slot slot-number | interface interface-type interface-number }. Display ARP attack entries detected by source MAC-based ARP attack detection (in IRF mode): display arp source-mac { chassis chassis-number slot slot-number | interface interface-type interface-number }.
  • Page 365: Configuring Arp Packet Source Mac Consistency Check

    [Device] arp source-mac filter # Set the threshold to 30. [Device] arp source-mac threshold 30 # Set the lifetime for ARP attack entries to 60 seconds. [Device] arp source-mac aging-time 60 # Exclude MAC address 0012-3f86-e94c from this detection. [Device] arp source-mac exclude-mac 0012-3f86-e94c Configuring ARP packet source MAC consistency check This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet...
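The four commands in that configuration map onto a small state machine: a per-MAC count over a 5-second window, a threshold, an attack entry with a lifetime, and an exclusion list. The following is an added example written for this page (not the switch's code) that models exactly that, including the difference between filter mode, where packets from a MAC with a live attack entry are dropped, and monitor mode, where they are only recorded. The traffic in `run_sample()` is constructed; the threshold, aging time and excluded MAC are the values from the configuration above.

```python
"""Source MAC-based ARP attack detection, as an added example.

Written for this page; not the switch's code. It models the behaviour
described above: count ARP packets punted to the CPU per source MAC over
a 5-second window; when a MAC exceeds the threshold, create an ARP attack
entry that lives for aging-time seconds. In filter mode packets from a MAC
with an attack entry are dropped, in monitor mode they are only logged.
Excluded MACs are never counted. Timestamps are seconds as floats.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 5.0   # detection window stated by the guide


class SourceMacArpDetector:
    def __init__(self, threshold=30, aging_time=60, mode="filter", exclude=()):
        self.threshold = threshold                    # arp source-mac threshold
        self.aging_time = aging_time                  # arp source-mac aging-time
        self.mode = mode                              # arp source-mac { filter | monitor }
        self.exclude = {m.lower() for m in exclude}   # arp source-mac exclude-mac
        self.recent = defaultdict(deque)              # mac -> timestamps inside the window
        self.attack_entries = {}                      # mac -> expiry time
        self.log = []

    def _expire(self, now):
        for mac, expiry in list(self.attack_entries.items()):
            if now >= expiry:
                del self.attack_entries[mac]
                self.log.append((now, mac, "attack entry aged out"))

    def process(self, now, src_mac):
        """Handle one ARP packet from src_mac at time now; return "forward" or "drop"."""
        src_mac = src_mac.lower()
        self._expire(now)
        if src_mac in self.exclude:
            return "forward"
        if src_mac in self.attack_entries:
            return "drop" if self.mode == "filter" else "forward"
        window = self.recent[src_mac]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) > self.threshold:
            self.attack_entries[src_mac] = now + self.aging_time
            self.log.append((now, src_mac, "attack entry added (%d packets in window)" % len(window)))
            window.clear()
            return "drop" if self.mode == "filter" else "forward"
        return "forward"

    def display_arp_source_mac(self):
        """Model of `display arp source-mac`: MACs with a live attack entry."""
        return sorted(self.attack_entries)


def run_sample():
    """Constructed traffic against the configuration shown above:
    filter mode, threshold 30, aging-time 60, 0012-3f86-e94c excluded."""
    d = SourceMacArpDetector(threshold=30, aging_time=60, mode="filter",
                             exclude=["0012-3f86-e94c"])
    verdicts = {}
    # an attacker: 40 ARP packets in 0.4 s
    verdicts["attacker"] = [d.process(0.01 * i, "000a-000b-000c") for i in range(40)]
    # the excluded MAC: the same burst, never counted
    verdicts["excluded"] = [d.process(0.01 * i, "0012-3f86-e94c") for i in range(40)]
    # a normal host: 10 packets spread over a minute
    verdicts["normal"] = [d.process(6.0 * i, "0000-1111-2222") for i in range(10)]
    # the attacker again after its entry has aged out
    verdicts["attacker_later"] = d.process(70.0, "000a-000b-000c")
    return d, verdicts


if __name__ == "__main__":
    d, verdicts = run_sample()
    for who, v in verdicts.items():
        print(who, v if isinstance(v, str) else "%d forward / %d drop" % (v.count("forward"), v.count("drop")))
    for entry in d.log:
        print(entry)
```

Note what the excluded MAC buys you: the gateway's own MAC or a monitoring probe can send as much ARP as it likes, which is also why the exclude list should be short and reviewed, since anything on it is outside this detection entirely.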
  • Page 366: Configuring Authorized Arp

    Configuring authorized ARP Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP server or dynamic client entries on the DHCP relay agent. For more information about DHCP server and DHCP relay agent, see Layer 3—IP Services Configuration Guide. With authorized ARP enabled, an interface is disabled from learning dynamic ARP entries.
  • Page 367: Configuration Example (On A Dhcp Relay Agent)

    [DeviceA-GigabitEthernet1/0/1] port link-mode route [DeviceA-GigabitEthernet1/0/1] arp authorized enable [DeviceA-GigabitEthernet1/0/1] quit Configure Device B: <DeviceB> system-view [DeviceB] interface gigabitethernet 1/0/1 [DeviceB-GigabitEthernet1/0/1] ip address dhcp-alloc [DeviceB-GigabitEthernet1/0/1] quit Verifying the configuration # Display authorized ARP entry information on Device A. [DeviceA] display arp all Type: S-Static D-Dynamic O-Openflow...
  • Page 368: Configuring Arp Detection

    [DeviceA-dhcp-pool-1] gateway-list 10.10.1.1 [DeviceA-dhcp-pool-1] quit [DeviceA] ip route-static 10.10.1.0 24 10.1.1.2 Configure Device B: # Enable DHCP. <DeviceB> system-view [DeviceB] dhcp enable # Specify the IP addresses of GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. [DeviceB] interface gigabitethernet 1/0/1 [DeviceB-GigabitEthernet1/0/1] ip address 10.1.1.2 24 [DeviceB-GigabitEthernet1/0/1] quit [DeviceB] interface gigabitethernet 1/0/2 [DeviceB-GigabitEthernet1/0/2] ip address 10.10.1.1 24...
  • Page 369: Configuring User Validity Check

    • ARP packet validity check. • ARP restricted forwarding. • ARP detection logging. If both ARP packet validity check and user validity check are enabled, the former one applies first, and then the latter applies. Configuring user validity check The device checks user validity upon receiving an ARP packet from an ARP untrusted interface as follows: Uses the user validity check rules to match the sender IP and MAC addresses of the ARP packet.
  • Page 370: Configuring Arp Packet Validity Check

    Step Command Remarks. (Optional.) Configure the interface as a trusted interface excluded from ARP detection: arp detection trust. By default, an interface is untrusted. Configuring ARP packet validity check: Enable validity check for ARP packets received on untrusted interfaces and specify the following objects to be checked: •...
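The order stated two pages earlier (packet validity check first, then user validity check, with trusted interfaces bypassing both) is what the following added example models. It is written for this page and is not the switch's code. The objects the validity check inspects here (sender MAC against the Ethernet source, target MAC against the Ethernet destination for replies, and all-zero, all-one or multicast sender or target IP) are this example's choice, because the guide's own list is cut off in the extract; the sender MAC comparison is the same test the source MAC consistency check on the earlier page performs. User entries stand in for the static IPSG bindings, DHCP snooping entries and 802.1X entries the guide names, keyed by receiving interface, which is an assumption of the model. The topology, addresses and MACs in `build_sample()` are constructed.

```python
"""ARP detection on an access switch, as an added example.

Written for this page, not the switch's code. It models the order the
guide gives: packets from trusted interfaces bypass detection; on an
untrusted interface the packet validity check runs first, then the user
validity check against entries the switch already holds (static IPSG
bindings, DHCP snooping entries, 802.1X entries); failures are logged.
The objects the validity check inspects are this example's choice.
"""
import ipaddress
from collections import namedtuple

ArpPacket = namedtuple(
    "ArpPacket",
    "in_interface vlan opcode eth_src eth_dst sender_mac sender_ip target_mac target_ip",
)
REQUEST, REPLY = 1, 2


def _bad_ip(ip):
    """All-zero, all-one or multicast addresses are treated as invalid (assumed)."""
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.IPv4Address(ip).is_multicast


class ArpDetection:
    def __init__(self, vlan, validity_checks=("src-mac", "dst-mac", "ip")):
        self.vlan = vlan                                # arp detection enable (VLAN view)
        self.validity_checks = set(validity_checks)     # objects checked (assumed set)
        self.trusted = set()                            # arp detection trust
        self.user_entries = set()                       # (ip, mac, vlan, interface)
        self.log = []                                   # arp detection logging

    def trust(self, interface):
        self.trusted.add(interface)

    def add_user_entry(self, ip, mac, interface):
        """A static IPSG binding, DHCP snooping entry or 802.1X entry on that interface."""
        self.user_entries.add((ip, mac.lower(), self.vlan, interface))

    def packet_validity(self, p):
        if "src-mac" in self.validity_checks and p.sender_mac.lower() != p.eth_src.lower():
            return "sender MAC differs from Ethernet source MAC"
        if ("dst-mac" in self.validity_checks and p.opcode == REPLY
                and p.target_mac.lower() != p.eth_dst.lower()):
            return "target MAC differs from Ethernet destination MAC"
        if "ip" in self.validity_checks:
            if _bad_ip(p.sender_ip):
                return "invalid sender IP"
            if p.opcode == REPLY and _bad_ip(p.target_ip):
                return "invalid target IP"
        return None

    def user_validity(self, p):
        key = (p.sender_ip, p.sender_mac.lower(), p.vlan, p.in_interface)
        return None if key in self.user_entries else "sender IP/MAC matches no user entry"

    def inspect(self, p):
        """Return None to forward the packet, or the reason it is discarded."""
        if p.vlan != self.vlan or p.in_interface in self.trusted:
            return None
        reason = self.packet_validity(p) or self.user_validity(p)
        if reason:
            self.log.append((p.in_interface, p.sender_ip, p.sender_mac, reason))
        return reason


def build_sample():
    """Constructed VLAN 10 setup (addresses and MACs are made up): uplink
    GE1/0/3 trusted, Host A learned by DHCP snooping on GE1/0/1, Host B
    bound statically on GE1/0/2."""
    det = ArpDetection(vlan=10)
    det.trust("GE1/0/3")
    det.add_user_entry("10.1.1.11", "0001-0203-0a0b", "GE1/0/1")
    det.add_user_entry("10.1.1.12", "0001-0203-0a0c", "GE1/0/2")
    return det


if __name__ == "__main__":
    det = build_sample()
    legit = ArpPacket("GE1/0/1", 10, REQUEST, "0001-0203-0a0b", "ffff-ffff-ffff",
                      "0001-0203-0a0b", "10.1.1.11", "0000-0000-0000", "10.1.1.1")
    gateway_spoof = legit._replace(sender_ip="10.1.1.1")
    print("legit:", det.inspect(legit))
    print("gateway spoof:", det.inspect(gateway_spoof))
    print("log:", det.log)
```

The gateway-spoofing case is the one ARP detection exists for: the packet is well formed, so the validity check passes, and it is only the user validity check against the DHCP snooping entry that catches the sender claiming the gateway's address on Host A's port.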
  • Page 371: Enabling Arp Detection Logging

    To enable ARP restricted forwarding: Step Command Remarks. Enter system view: system-view. Enter VLAN view: vlan vlan-id. Enable ARP restricted forwarding: arp restricted-forwarding enable. By default, ARP restricted forwarding is disabled. Enabling ARP detection logging: The ARP detection logging feature enables a device to generate ARP detection log messages when illegal ARP packets are detected.
  • Page 372 Figure 113 Network diagram Configuration procedure Add all interfaces on Switch B to VLAN 10, and specify the IP address of VLAN-interface 10 on Switch A. (Details not shown.) Configure the DHCP server on Switch A, and configure DHCP address pool 0. <SwitchA>...
  • Page 373: User Validity Check And Arp Packet Validity Check Configuration Example

    [SwitchB-GigabitEthernet1/0/3] quit After the configurations are completed, ARP packets received on interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 are checked against 802.1X entries. User validity check and ARP packet validity check configuration example Network requirements As shown in Figure 114, configure Switch B to perform ARP packet validity check and user validity check based on static IP source guard binding entries and DHCP snooping entries for connected hosts.
  • Page 374: Configuring Arp Scanning And Fixed Arp

    [SwitchB-GigabitEthernet1/0/1] quit # Enable ARP detection for VLAN 10. [SwitchB] vlan 10 [SwitchB-vlan10] arp detection enable # Configure the upstream interface as a trusted interface. By default, an interface is an untrusted interface. [SwitchB-vlan10] interface gigabitethernet 1/0/3 [SwitchB-GigabitEthernet1/0/3] arp detection trust [SwitchB-GigabitEthernet1/0/3] quit # Configure a static IP source guard binding entry on interface GigabitEthernet 1/0/2 for user validity check.
  • Page 375: Configuration Procedure

    Configuration procedure. To configure ARP scanning and fixed ARP: Step Command. Enter system view: system-view. Enter Layer 3 Ethernet interface, VLAN interface, or Layer 3 aggregate interface view: interface interface-type interface-number. Trigger an ARP scanning: arp scan [ start-ip-address to end-ip-address ]. Return to system view.
  • Page 376: Configuration Example

    Configuration example Network requirements As shown in Figure 115, Host B launches gateway spoofing attacks to Switch B. As a result, traffic that Switch B intends to send to Switch A is sent to Host B. Configure Switch B to block such attacks. Figure 115 Network diagram Configuration procedure # Configure ARP gateway protection on Switch B.
  • Page 377: Configuration Procedure

    • If ARP filtering works with ARP detection, MFF, ARP snooping, and ARP fast-reply, ARP filtering applies first. Configuration procedure. To configure ARP filtering: Step Command Remarks. Enter system view: system-view. Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view: interface interface-type interface-number.
  • Page 378: Configuring The Checking Of Sender Ip Addresses For Arp Packets

    Verifying the configuration

    # Verify that GigabitEthernet 1/0/1 permits ARP packets from Host A and discards other ARP packets.

    # Verify that GigabitEthernet 1/0/2 permits ARP packets from Host B and discards other ARP packets.

    Configuring the checking of sender IP addresses for ARP packets

    This feature allows a gateway to check the sender IP address of an ARP packet before ARP learning.
  • Page 379: Configuring Urpf

    Configuring uRPF

    Overview

    Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, impersonating authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.
  • Page 380: Urpf Operation

    uRPF operation

    Figure 118 shows how uRPF works.

    Figure 118 uRPF work flow

    1. uRPF checks address validity:
       • uRPF permits a packet with a multicast destination address.
       • For a packet with an all-zero source address, uRPF permits the packet if it has a broadcast destination address.
  • Page 381: Network Application

         255.255.255.255 might be a DHCP or BOOTP packet and cannot be discarded.) The packet is discarded if it has a non-broadcast destination address.
       • uRPF proceeds to step 2 for other packets.
    2. uRPF checks whether the source address matches a unicast route:
       • If yes, uRPF proceeds to step 3.
  • Page 382: Configuration Procedure

    Configuration procedure

    A device supports uRPF configuration globally. Global uRPF configuration takes effect on all interfaces.

    Follow these guidelines when you configure uRPF:
    • uRPF checks only incoming packets on an interface.
    • uRPF does not check tunneled packets. For more information about tunneling, see Layer 3—IP Services Configuration Guide.
  • Page 383

    [SwitchB] ip urpf strict

    Configure strict uRPF check on Switch A and allow using the default route for uRPF check.
    <SwitchA> system-view
    [SwitchA] ip urpf strict allow-default-route
  • Page 384: Configuring Ipv6 Urpf

    Configuring IPv6 uRPF

    Overview

    Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, impersonating authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.
  • Page 385: Ipv6 Urpf Operation

    IPv6 uRPF operation

    Figure 122 shows how IPv6 uRPF works.

    Figure 122 IPv6 uRPF work flow

    1. IPv6 uRPF checks whether the received packet carries a multicast destination address:
       • If yes, IPv6 uRPF permits the packet.
       • If no, IPv6 uRPF proceeds to step 2.
    2. IPv6 uRPF checks whether the source address matches a unicast route:
       • If yes, IPv6 uRPF proceeds to step 3.
  • Page 386: Network Application

       • If no, IPv6 uRPF discards the packet. (A non-unicast source address matches only a non-unicast route, so it fails this check.)
    3. IPv6 uRPF checks whether the matching route is to the host itself:
       • If yes, the output interface of the matching route is an InLoop interface. IPv6 uRPF checks whether the receiving interface of the packet is an InLoop interface.
  • Page 387: Configuration Procedure

    Configuration procedure

    A device supports IPv6 uRPF configuration globally. Global IPv6 uRPF configuration takes effect on all interfaces.

    Follow these guidelines when you configure IPv6 uRPF:
    • IPv6 uRPF does not check packets received on the SA interface modules if the source IPv6 addresses of the packets have a prefix length longer than 64.
  • Page 388

    <SwitchB> system-view
    [SwitchB] ipv6 urpf strict

    Configure strict IPv6 uRPF check on Switch A and allow using the default route for IPv6 uRPF check.
    <SwitchA> system-view
    [SwitchA] ipv6 urpf strict allow-default-route
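The uRPF decision flow described in the IPv4 and IPv6 operation sections above, carried out in Python as an added example (not code from this guide or from the switch software). The routing table, the interface names and the InLoop0 interface name are constructed for the example; strict and loose modes and the allow-default-route keyword are modelled as those sections describe them.

```python
import ipaddress

# Constructed routing table standing in for the switch FIB: (prefix, output interface).
# Interface names are hypothetical; "InLoop0" models the InLoop interface the guide
# mentions for routes to the device's own addresses.
ROUTES = [
    ("0.0.0.0/0", "GE1/0/3"),          # IPv4 default route
    ("10.1.0.0/16", "GE1/0/1"),
    ("10.2.0.0/16", "GE1/0/2"),
    ("192.0.2.1/32", "InLoop0"),       # an address owned by the switch itself
    ("::/0", "GE1/0/3"),               # IPv6 default route
    ("2001:db8:1::/64", "GE1/0/1"),
    ("2001:db8:2::/64", "GE1/0/2"),
]


def lookup(addr):
    """Longest-prefix match over ROUTES; returns (network, out_iface) or None."""
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, iface)
    return best


def urpf_check(src, dst, in_iface, mode="strict", allow_default_route=False):
    """Return "permit" or "discard" for one packet, following the guide's steps.

    mode is "strict" (ip urpf strict) or "loose" (ip urpf loose);
    allow_default_route models the allow-default-route keyword.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)

    # Step 1: address validity.
    if dst.is_multicast:
        return "permit"
    if src.version == 4 and src == ipaddress.IPv4Address("0.0.0.0"):
        # An all-zero source is legitimate only as a DHCP/BOOTP broadcast.
        if dst == ipaddress.IPv4Address("255.255.255.255"):
            return "permit"
        return "discard"
    if src.is_multicast or src.is_unspecified:
        # A non-unicast source cannot match a unicast route.
        return "discard"

    # Step 2: the source must match a unicast route. A match on the default
    # route only counts when allow-default-route is configured.
    match = lookup(src)
    if match is None:
        return "discard"
    net, out_iface = match
    if net.prefixlen == 0 and not allow_default_route:
        return "discard"

    # Step 3: a route to the device itself is valid only for packets that
    # arrived on the InLoop interface.
    if out_iface.startswith("InLoop"):
        return "permit" if in_iface.startswith("InLoop") else "discard"

    # Strict mode also requires the packet to arrive on the route's output
    # interface; loose mode is satisfied by any matching route.
    if mode == "strict" and out_iface != in_iface:
        return "discard"
    return "permit"


if __name__ == "__main__":
    for pkt in [("10.1.5.5", "10.2.1.1", "GE1/0/1"),
                ("10.1.5.5", "10.2.1.1", "GE1/0/2"),
                ("0.0.0.0", "255.255.255.255", "GE1/0/1"),
                ("198.51.100.7", "10.2.1.1", "GE1/0/3")]:
        print(pkt, urpf_check(*pkt), urpf_check(*pkt, mode="loose"))
```

The second constructed packet shows the difference between the two modes: a source in 10.1.0.0/16 arriving on GE1/0/2 has a route, so loose mode permits it, but strict mode discards it because the route points out GE1/0/1. Without allow-default-route, a source that only matches the default route is discarded in both modes, which is the setting to use on an edge that should see only addresses from known internal prefixes.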
  • Page 389: Configuring Fips

    Configuring FIPS

    Overview

    The Federal Information Processing Standards (FIPS) are developed by the National Institute of Standards and Technology (NIST) of the United States. FIPS 140-2 specifies the requirements for cryptographic modules and defines four levels of security, named Level 1 to Level 4, from low to high.
  • Page 390: Configuring Fips Mode

    e. Delete the local user and configure a new local user. Local user attributes include password, user role, and service type.
    f. Save the current configuration file.
    g. Specify the current configuration file as the startup configuration file.
    h. Reboot the device. The new configuration takes effect after the reboot. During this process, do not exit the system or perform other operations.
  • Page 391: Configuration Changes In Fips Mode

    • A username.
    • A password that complies with the password control policies as described in step 2 and step 3.
    • A user role of network-admin or mdc-admin.
    • A service type of terminal.

    Delete the FIPS-incompliant local user service types Telnet, HTTP, and FTP.

    Enable FIPS mode.
  • Page 392: Exiting Fips Mode

    The password for a device management local user and the password for switching user roles depend on the password control policies. By default, a password must contain at least 15 characters and all four character types: uppercase letters, lowercase letters, digits, and special characters.
  • Page 393: Power-Up Self-Tests

    If a power-up self-test fails, the card where the self-test process exists reboots. If the conditional self-test fails, the system outputs self-test failure information.

    NOTE: If a self-test fails, contact Hewlett Packard Enterprise Support.

    Power-up self-tests

    Power-up self-tests include the following types:
    • Known-answer test (KAT)
      This test examines the availability of FIPS-allowed cryptographic algorithms.
  • Page 394: Triggering Self-Tests

    • Signature and authentication PWCT test—This test is run when a DSA/RSA asymmetric key pair is generated. It uses the private key to sign specific data, and then uses the public key to verify the signature. If the verification succeeds, the test succeeds.
    •
  • Page 395: Entering Fips Mode Through Manual Reboot

    Enter password(15-63 characters):
    Confirm password:
    Waiting for reboot... After reboot, the device will enter FIPS mode.

    Verifying the configuration

    After the device reboots, enter a username of root and a password of 12345zxcvb!@#$%ZXCVB. The system prompts you to configure a new password. After you configure the new password, the device enters FIPS mode.
  • Page 396

    # Set the number of character types a password must contain to 4, and set the minimum number of characters for each type to one character.
    [Sysname] password-control composition type-number 4 type-length 1

    # Set the minimum length of user passwords to 15 characters.
    [Sysname] password-control length 15

    # Add a local user account for device management, including a username of test, a password of 12345zxcvb!@#$%ZXCVB, a user role of network-admin, and a service type of terminal.
  • Page 397: Exiting Fips Mode Through Automatic Reboot

    Updating user information. Please wait...
    <Sysname>

    # Display the current FIPS mode state.
    <Sysname> display fips status
    FIPS mode is enabled.

    Exiting FIPS mode through automatic reboot

    Network requirements

    A user has logged in to the device in FIPS mode through a console port. Use the automatic reboot method to exit FIPS mode.
  • Page 398

    [Sysname] save
    The current configuration will be written to the device. Are you sure? [Y/N]:y
    Please input the file name(*.cfg)[flash:/startup.cfg]
    (To leave the existing filename unchanged, press the enter key):
    flash:/startup.cfg exists, overwrite? [Y/N]:y
    Validating file. Please wait...
    Saved the current configuration to mainboard device successfully.
    [Sysname] quit

    # Delete the startup configuration file in binary format.
  • Page 399: Configuring Attack Detection And Prevention

    Configuring attack detection and prevention

    Overview

    Attack detection and prevention enables a device to detect attacks by inspecting arriving packets, and to take prevention actions to protect a private network. Prevention actions include logging, packet dropping, and blacklisting.

    Attacks that the device can prevent

    This section describes the attacks that the device can detect and prevent.
  • Page 400: Scanning Attacks

    Single-packet attack: Description

    IP options attack: An attacker sends IP datagrams in which the IP options are abnormal. This attack intends to probe the network topology. The target system will crash if it is incapable of processing error packets.

    IP fragment attack: An attacker sends the victim an IP datagram with a fragment offset smaller than 5, which causes the victim to malfunction or crash.
  • Page 401: Flood Attacks

    The device can detect and prevent the IP sweep and port scan attacks. If an attacker performs port scanning from multiple hosts to the target host, distributed port scan attacks occur.

    Flood attacks

    An attacker launches a flood attack by sending a large number of forged requests to the victim in a short period of time.
  • Page 402: Tcp Fragment Attack

    An ICMP flood attacker sends ICMP request packets, such as ping packets, to a host at a fast rate. Because the target host is busy replying to these requests, it is unable to provide services.
    • ICMPv6 flood attack.
      An ICMPv6 flood attacker sends ICMPv6 request packets, such as ping packets, to a host at a fast rate.
  • Page 403: Attack Detection And Prevention Configuration Task List

    Attack detection and prevention configuration task list

    Tasks at a glance

    (Required.) Configuring an attack defense policy:
    • (Required.) Creating an attack defense policy
    • (Required.) Perform at least one of the following tasks to configure attack detection:
      Configuring a single-packet attack defense policy
      Configuring a scanning attack defense policy
      Configuring a flood attack defense policy
  • Page 404

    To configure a single-packet attack defense policy:

    Step: Enter system view.
    Command: system-view

    Step: Enter attack defense policy view.
    Command: attack-defense policy policy-name

    • signature detect { fraggle | fragment | impossible | land | large-icmp | large-icmpv6 | smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | tiny-fragment |...
  • Page 405: Configuring A Scanning Attack Defense Policy

    Step: (Optional.) Specify the actions against single-packet attacks of a specific level.
    Command: signature level { high | info | low | medium } action { { drop | logging } * | none }
    Remarks: The default action is logging for single-packet attacks of the informational and low levels. The default actions are...
  • Page 406

    You can configure flood attack detection and prevention for a specific IP address. For non-specific IP addresses, the device uses the global attack prevention settings.

    Configuring a SYN flood attack defense policy

    Step: Enter system view.
    Command: system-view

    Step: Enter attack defense policy view.
    Command: attack-defense policy policy-name
  • Page 407

    Step: Set the global trigger threshold for SYN-ACK flood attack prevention.
    Command: syn-ack-flood threshold threshold-value
    Remarks: The default setting is 1000.

    Step: Specify global actions against SYN-ACK flood attacks.
    Command: syn-ack-flood action { drop | logging } *
    Remarks: By default, no global action is specified for SYN-ACK flood attacks.
  • Page 408

    Step: Configure IP address-specific RST flood attack detection.
    Command: rst-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { drop | logging } * ]
    Remarks: By default, IP address-specific RST flood attack detection is not configured.

    Configuring an ICMP flood attack defense policy
  • Page 409

    Step: Enter attack defense policy view.
    Command: attack-defense policy policy-name

    Step: Enable global UDP flood attack detection.
    Command: udp-flood detect non-specific
    Remarks: By default, global UDP flood attack detection is disabled.

    Step: Set the global trigger threshold for UDP flood attack prevention.
    Command: udp-flood threshold threshold-value
    Remarks: The default setting is 1000.
  • Page 410: Configuring Attack Detection Exemption

    Step: Set the global trigger threshold for HTTP flood attack prevention.
    Command: http-flood threshold threshold-value
    Remarks: The default setting is 1000.

    Step: (Optional.) Specify the global ports to be protected against HTTP flood attacks.
    Command: http-flood port port-list
    Remarks: By default, HTTP flood attack prevention protects port 80.
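How the global and address-specific flood settings of this section combine at packet-inspection time, as an added Python model (not code from this guide or from the device). The policy object mirrors the command structure above (detect non-specific, threshold, action, and the per-address detect ip form), the sliding one-second counter is an assumption about how the pps threshold is evaluated, and the packet stream is constructed.

```python
from collections import defaultdict, deque


class FloodPolicy:
    """Flood settings of one attack-defense policy (a model, not device code).

    Global settings model `<type>-flood detect non-specific`, `<type>-flood threshold`
    and `<type>-flood action`; per-address settings model
    `<type>-flood detect ip <addr> [threshold n] [action ...]`.
    """
    DEFAULT_THRESHOLD = 1000  # pps, the guide's default for every flood type

    def __init__(self):
        self.global_enabled = set()
        self.global_threshold = {}
        self.global_action = {}
        self.per_address = {}  # (ftype, dst) -> (threshold or None, actions)

    def detect_non_specific(self, ftype):
        self.global_enabled.add(ftype)

    def threshold(self, ftype, pps):
        self.global_threshold[ftype] = pps

    def action(self, ftype, *actions):
        self.global_action[ftype] = frozenset(actions)

    def detect_ip(self, ftype, dst, threshold=None, action=()):
        # A protected address uses its own threshold/actions and falls back to
        # the global values for anything it does not set.
        self.per_address[(ftype, dst)] = (threshold, frozenset(action))

    def settings_for(self, ftype, dst):
        """Return (threshold, actions), or None if this flood type is not checked for dst."""
        g_thresh = self.global_threshold.get(ftype, self.DEFAULT_THRESHOLD)
        g_act = self.global_action.get(ftype, frozenset())
        if (ftype, dst) in self.per_address:
            t, a = self.per_address[(ftype, dst)]
            return (t if t is not None else g_thresh, a or g_act)
        if ftype in self.global_enabled:
            return (g_thresh, g_act)
        return None


class FloodDetector:
    """Sliding one-second packet counter per (flood type, destination)."""

    def __init__(self, policy):
        self.policy = policy
        self.windows = defaultdict(deque)
        self.events = 0  # packets seen above threshold, for statistics

    def inspect(self, ts, ftype, dst):
        """Return the sorted tuple of actions applied to this packet ('' when none)."""
        settings = self.policy.settings_for(ftype, dst)
        if settings is None:
            return ()
        threshold, actions = settings
        window = self.windows[(ftype, dst)]
        window.append(ts)
        while ts - window[0] >= 1.0:
            window.popleft()
        if len(window) <= threshold:
            return ()
        self.events += 1
        return tuple(sorted(actions))


def replay(detector, packets):
    """Feed constructed (ts, flood type, dst) tuples; return the actions for the last packet."""
    result = ()
    for pkt in packets:
        result = detector.inspect(*pkt)
    return result


def build_demo():
    # Mirrors the guide's configuration example: global SYN flood detection with
    # logging, plus a protected address 10.1.1.2 with a 5000 pps threshold.
    p = FloodPolicy()
    p.detect_non_specific("syn-flood")
    p.action("syn-flood", "logging")
    p.detect_ip("syn-flood", "10.1.1.2", threshold=5000, action=("drop", "logging"))
    return FloodDetector(p)


if __name__ == "__main__":
    d = build_demo()
    print(replay(d, [(i / 2000, "syn-flood", "10.1.1.9") for i in range(1001)]))
```

The constructed run sends 1001 SYNs in half a second to an unprotected address, so the global default of 1000 pps is crossed and the global action (logging only) applies; the same burst toward the protected address 10.1.1.2 stays under its 5000 pps threshold and nothing happens, which is why a per-address entry is the place to raise the threshold for a busy server rather than loosening the global setting.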
  • Page 411: Applying An Attack Defense Policy To The Device

    If you apply an attack defense policy to a global interface, specify a service card to process traffic for the interface. If you do not specify a service card, the policy cannot correctly detect and prevent scanning and flood attacks.

    To apply an attack defense policy to an interface:
  • Page 412: Configuring Tcp Fragment Attack Prevention

    As a best practice, do not disable log aggregation. A large number of logs will consume the display resources of the console.

    To enable log non-aggregation for single-packet attack events:

    Step: Enter system view.
    Command: system-view

    Step: Enable log non-aggregation for single-packet attack events.
    Command: attack-defense signature log
    Remarks: By default, log non-aggregation is disabled for single-packet attack...
  • Page 413: Configuring Login Attack Prevention

    Step: (Optional.) Add an IPv4 blacklist entry.
    Command: blacklist ip source-ip-address [ vpn-instance vpn-instance-name ] [ timeout minutes ]
    Remarks: By default, no IPv4 blacklist entries exist.

    Step: (Optional.) Add an IPv6 blacklist entry.
    Command: blacklist ipv6 source-ipv6-address [ vpn-instance vpn-instance-name ]
    Remarks: By default, no IPv6 blacklist entries exist.
  • Page 414: Displaying And Maintaining Attack Detection And Prevention

    Step: Enable the login delay feature.
    Command: attack-defense login reauthentication-delay seconds
    Remarks: By default, the login delay feature is disabled. The device does not delay accepting a login request from a user who has failed a login attempt.

    Displaying and maintaining attack detection and prevention

    Use the display commands in any view and the reset commands in user view.
  • Page 415

    Task: Display flood attack detection and prevention statistics for an IPv6 address (in standalone mode).
    Command: display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ipv6 [ ipv6-address [ vpn vpn-instance-name ] ]
  • Page 416: Attack Detection And Prevention Configuration Examples

    Task: Clear dynamic IPv4 blacklist entries.
    Command: reset blacklist ip { source-ip-address [ vpn-instance vpn-instance-name ] [ ds-lite-peer ds-lite-peer-address ] | all }

    Task: Clear dynamic IPv6 blacklist entries.
    Command: reset blacklist ipv6 { source-ipv6-address [ vpn-instance vpn-instance-name ] | all }

    Task: Clear blacklist statistics.
  • Page 417

    # Create the attack defense policy a1.
    [Device] attack-defense policy a1

    # Configure signature detection for smurf attacks, and specify logging as the prevention action.
    [Device-attack-defense-policy-a1] signature detect smurf action logging

    # Configure low-level scanning attack detection, specify logging and block-source as the prevention actions, and set the blacklist entry aging time to 10 minutes.
  • Page 418

    TCP FIN only flag               Disabled   medium
    TCP Land                        Disabled   medium
    Winnuke                         Disabled   medium
    UDP Bomb                        Disabled   medium
    UDP Snork                       Disabled   medium
    UDP Fraggle                     Disabled   medium
    IP option record route          Disabled   info
    IP option internet timestamp    Disabled   info
    IP option security              Disabled   info
    IP option loose source routing...
  • Page 419: Ip Blacklist Configuration Example

    UDP flood       1000(default)   Disabled
    ICMP flood      1000(default)   Disabled
    ICMPv6 flood    1000(default)   Disabled
    DNS flood       1000(default)   Disabled
    HTTP flood      1000(default)   Disabled

    Flood attack defense for protected IP addresses:
    Address     VPN instance   Flood type   Thres(pps)   Actions   Ports
    10.1.1.2                   SYN-FLOOD    5000

    # Verify that the attack detection and prevention takes effect on GigabitEthernet 1/0/2.
    [Device] display attack-defense statistics interface gigabitethernet 1/0/2
    Attack policy name: a1
    Scan attack defense statistics:
  • Page 420

    <Device> system-view
    [Device] blacklist global enable

    # Add an IPv4 blacklist entry for Host D.
    [Device] blacklist ip 5.5.5.5

    # Add an IPv4 blacklist entry for Host C and set the blacklist entry aging time to 50 minutes.
    [Device] blacklist ip 192.168.1.4 timeout 50

    Verifying the configuration

    # Verify that the IPv4 blacklist entries are successfully added.
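The scanning-attack part of the attack defense policy example (logging plus block-source with a 10-minute aging time) and the blacklist example above, modelled together in Python as an added example that is not code from this guide or the device. The distinct-target threshold, the detection window and the packet stream are constructed assumptions (the guide's low/medium/high levels map to thresholds not listed on this page); entry aging follows the timeout keyword as the blacklist commands describe it, and a blacklist is only consulted once blacklist global enable has been modelled by setting enabled.

```python
from collections import defaultdict, deque


class Blacklist:
    """IP blacklist with per-entry aging (`blacklist ip <addr> [timeout <minutes>]`)."""

    def __init__(self):
        self.enabled = False   # models `blacklist global enable`
        self.entries = {}      # source ip -> expiry time in seconds, or None for permanent

    def add(self, src, now, timeout_minutes=None):
        self.entries[src] = None if timeout_minutes is None else now + 60 * timeout_minutes

    def is_blocked(self, src, now):
        if not self.enabled or src not in self.entries:
            return False
        expiry = self.entries[src]
        if expiry is not None and now >= expiry:
            del self.entries[src]   # the entry has aged out
            return False
        return True


class ScanDetector:
    """Counts distinct targets per source in a sliding window (assumed thresholds)."""

    def __init__(self, blacklist, threshold=20, window=10.0, block_timeout=10):
        self.blacklist = blacklist
        self.threshold = threshold          # distinct hosts (IP sweep) or ports (port scan)
        self.window = window                # seconds
        self.block_timeout = block_timeout  # minutes, like block-source with a 10-minute aging time
        self.seen = defaultdict(deque)      # src -> deque of (ts, dst, dport)
        self.logs = []

    def inspect(self, ts, src, dst, dport):
        """Return "drop" (blacklisted), "scan" (threshold crossed now) or "pass"."""
        if self.blacklist.is_blocked(src, ts):
            return "drop"
        q = self.seen[src]
        q.append((ts, dst, dport))
        while ts - q[0][0] > self.window:
            q.popleft()
        hosts = {d for _, d, _ in q}
        ports = {p for _, d, p in q if d == dst}
        if len(hosts) > self.threshold:
            kind = "IP sweep"
        elif len(ports) > self.threshold:
            kind = "port scan"
        else:
            return "pass"
        self.logs.append(f"{kind} from {src} at {ts:.1f}s")   # logging action
        self.blacklist.add(src, ts, self.block_timeout)         # block-source action
        q.clear()
        return "scan"


def run(detector, packets):
    """Feed constructed (ts, src, dst, dport) tuples and return the per-packet verdicts."""
    return [detector.inspect(*pkt) for pkt in packets]


if __name__ == "__main__":
    bl = Blacklist()
    bl.enabled = True
    det = ScanDetector(bl)
    # Constructed port scan: 21 ports on one host from 10.0.0.9 within two seconds.
    print(run(det, [(i * 0.1, "10.0.0.9", "10.1.1.1", 1 + i) for i in range(21)]))
    print(det.inspect(2.5, "10.0.0.9", "10.1.1.2", 80), det.logs)
```

Once the 21st port is touched the source is logged and blacklisted, every later packet from it is dropped without further inspection, and after the 10-minute timeout the entry disappears and inspection resumes. A permanent entry such as the 5.5.5.5 one in the example above (no timeout) is never aged out, so it has to be removed explicitly.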
  • Page 421: Configuring Macsec

    Configuring MACsec

    Overview

    Media Access Control Security (MACsec) secures data communication on IEEE 802 LANs. MACsec provides services such as data encryption, frame integrity check, and data origin validation for frames on the MAC sublayer of the Data Link Layer.

    Basic concepts

    Secure connectivity association (CA) is a group of CA participants that use the same key and key algorithm.
  • Page 422: Macsec Applications

    out-of-order packets within the replay protection window size and drop other out-of-order packets.

    MACsec applications

    MACsec supports the following application modes:
    • Client-oriented mode—Operates with 802.1X authentication and secures data transmission between the client and the access device. In this mode, the authentication server generates and distributes the CAK to the client and the access device.
  • Page 423

    Figure 129 MACsec interactive process in client-oriented mode

    The following shows the MACsec process:
    1. After the client passes 802.1X authentication, the RADIUS server distributes the generated CAK to the client and the access device.
    2. After receiving the CAK, the client and the access device exchange EAPOL-MKA packets. The client and the access device exchange the MACsec capability and required parameters for session establishment.
  • Page 424: Protocols And Standards

    Operating mechanism for device-oriented mode

    As shown in Figure 130, the devices use the configured preshared keys to start the session negotiation. In this mode, the session negotiation, secure communication, and session termination processes are the same as the processes in client-oriented mode. However, MACsec performs a key server selection in this mode.
  • Page 425: Macsec Configuration Task List

    • The MACsec header occupies 38 bytes in each frame. Account for this overhead when you plan the network capacity.

    MACsec configuration task list

    Tasks at a glance
    (Required.) Enabling MKA
    (Optional.) Enabling MACsec desire
    (Required.) Configuring a preshared key
    (Optional.) Configuring the MKA key server priority
    (Optional.) Use one of the following methods to configure MACsec protection parameters:
  • Page 426: Configuring A Preshared Key

    Step: Enter system view.
    Command: system-view

    Step: Enter interface view.
    Command: interface interface-type interface-number

    Step: Enable MACsec desire.
    Command: macsec desire
    Remarks: By default, the port does not expect MACsec protection for outbound frames.

    Configuring a preshared key

    In device-oriented mode, configure a preshared key as the CAK to be used during MKA negotiation. To successfully establish an MKA session between two devices, make sure the connected MACsec ports are configured with the same preshared key.
  • Page 427: Configuring Macsec Protection Parameters In Interface View

    Configuring MACsec protection parameters in interface view

    If you configure a parameter in interface view after applying an MKA policy, the configuration in interface view overwrites the configuration of the parameter in the MKA policy. Your configuration also removes the MKA policy application from the port. However, the other parameter settings of the MKA policy remain effective on the port.
  • Page 428: Configuring The Macsec Validation Mode

    Configuring the MACsec validation mode

    MACsec validation allows a port to perform integrity checks in one of the following validation modes:
    • check—Performs validation only, and does not drop frames that fail validation.
    • strict—Performs validation, and drops frames that fail validation.

    To avoid data loss in case of MKA negotiation failure, use the default validation mode, check, on the MACsec devices.
  • Page 429: Applying An Mka Policy

    Step: (Optional.) Configure MACsec replay protection.
    Command:
      a. Enable MACsec replay protection: replay-protection enable
      b. Configure the replay protection window size: replay-protection window-size size-value
    Remarks: By default, MACsec replay protection is enabled. The default replay protection window size is 0. Frames are accepted only in the correct order.

    Step: Configure the MACsec...
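Receive-side replay protection as the step above describes it, as an added Python example that is not code from this guide: with a window size of 0 a frame is accepted only if its packet number is higher than every packet number accepted so far; with a window of N, a packet number may lag the highest accepted one by up to N. The lowest-acceptable-PN rule follows IEEE 802.1AE; the packet-number sequences are constructed.

```python
class ReplayProtection:
    """Receive-side packet-number (PN) check for one MACsec secure association.

    enabled models `replay-protection enable`; window_size models
    `replay-protection window-size`. PNs start at 1 and increase per frame.
    """

    def __init__(self, enabled=True, window_size=0):
        self.enabled = enabled
        self.window = window_size
        self.next_pn = 1      # one above the highest PN accepted so far
        self.accepted = 0
        self.dropped = 0

    def lowest_acceptable(self):
        # IEEE 802.1AE lowestPN: a frame is replay-rejected when PN < nextPN - window.
        return max(1, self.next_pn - self.window)

    def receive(self, pn):
        """Return True if the frame carrying this PN passes replay protection."""
        if self.enabled and pn < self.lowest_acceptable():
            self.dropped += 1
            return False
        self.accepted += 1
        if pn >= self.next_pn:
            self.next_pn = pn + 1
        return True


def verdicts(pns, enabled=True, window_size=0):
    """Run one constructed PN sequence through a fresh SA; return the accept/drop list."""
    rp = ReplayProtection(enabled, window_size)
    return [rp.receive(pn) for pn in pns]


if __name__ == "__main__":
    print(verdicts([1, 2, 3, 5, 4, 5, 6]))                 # window 0: 4 and the replayed 5 are dropped
    print(verdicts([10, 9, 8, 7, 10], window_size=3))      # window 3: 7 is too old, 10 again is accepted
```

The second sequence shows the trade-off of a non-zero window: it tolerates reordering on links that may deliver frames out of order, but a duplicate packet number that still lies inside the window is accepted, because the check tracks only the lowest acceptable PN and not every PN already seen. Keep the window at 0 on point-to-point links that preserve frame order.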
  • Page 430: Device-Oriented Macsec Configuration Example

    Task: Reset MKA sessions on ports.
    Command: reset mka session [ interface interface-type interface-number ]

    Task: Clear MKA statistics on ports.
    Command: reset mka statistics [ interface interface-type interface-number ]

    Device-oriented MACsec configuration example

    Network requirements

    As shown in Figure 131, Device A is the MACsec key server. To secure data transmission between the two devices by MACsec, perform the following tasks on Device A and Device B, respectively:
  • Page 431: Verifying The Configuration

    [DeviceA-GigabitEthernet1/0/1] mka enable
    [DeviceA-GigabitEthernet1/0/1] quit

    Configure Device B:

    # Enter system view.
    <DeviceB> system-view

    # Enter GigabitEthernet 1/0/1 interface view.
    [DeviceB] interface gigabitethernet 1/0/1

    # Enable MACsec desire on GigabitEthernet 1/0/1.
    [DeviceB-GigabitEthernet1/0/1] macsec desire

    # Set the MKA key server priority to 10.
    [DeviceB-GigabitEthernet1/0/1] mka priority 10

    # Configure the CKN as E9AC and the CAK as 09DB3EF1 in plain text.
  • Page 432

    # Display MKA session information on GigabitEthernet 1/0/1 of Device A.
    [DeviceA] display mka session interface gigabitethernet 1/0/1 verbose
    Interface GigabitEthernet1/0/1
      Tx-SCI                : 00E00100000A0006
      Priority              :
      Capability            : 3
      CKN for participant   : E9AC
      Key server            : Yes
      MI (MN)               : 85E004AF49934720AC5131D3 (182)
      Live peers            :
      Potential peers       :
      Principal actor       :
  • Page 433: Troubleshooting Macsec

      Capability            : 3
      CKN for participant   : E9AC
      Key server            : No
      MI (MN)               : 12A1677D59DD211AE86A0128 (1219)
      Live peers            :
      Potential peers       :
      Principal actor       : Yes
      MKA session status    : Secured
      Confidentiality offset: 30 bytes
      Current SAK status    : Rx & Tx
      Current SAK AN        :
      Current SAK KI (KN)   : 85E004AF49934720AC5131D300000003 (3)
      Previous SAK status   :
  • Page 434: Configuring Mff

    Configuring MFF

    Overview

    MAC-forced forwarding (MFF) implements Layer 2 isolation and Layer 3 communication between hosts in the same broadcast domain. An MFF-enabled device intercepts ARP requests and returns the MAC address of a gateway (or server) to the senders. In this way, the senders are forced to send packets to the gateway for traffic monitoring and attack prevention.
  • Page 435: Basic Concepts

    Basic concepts

    An MFF-enabled device has two types of ports: user port and network port.

    User port

    An MFF user port is directly connected to a host and processes the following packets differently:
    • Allows DHCP packets and multicast packets to pass.
  • Page 436: Mff Working Mechanism

    Automatic mode

    The automatic mode applies to networks that allocate IP addresses to hosts through DHCP. In automatic mode, the device configured with DHCP snooping resolves Option 3 (Router IP option) in the received DHCP ACK message to obtain a gateway for the DHCP snooping entry. If the DHCP ACK message contains multiple gateway addresses, only the first one is recorded for the entry.
  • Page 437: Configuring A Network Port

    Step: Enable MFF.
    Command:
      • Enable automatic mode: mac-forced-forwarding auto
      • Enable manual mode: mac-forced-forwarding default-gateway gateway-ip
    Remarks: By default, MFF is disabled.

    Configuring a network port

    Step: Enter system view.
    Command: system-view

    Step: Enter Layer 2 Ethernet...
    Command:
      • Layer 2 Ethernet interface view: interface interface-type interface-number
  • Page 438: Displaying And Maintaining Mff

    When the MFF device receives an ARP request from a server, the device searches the IP-to-MAC address entries it has stored. Then the device replies with the requested MAC address to the server. As a result, packets from a host to a server are forwarded by the gateway. However, packets from a server to a host are not forwarded by the gateway.
  • Page 439

    Figure 133 Network diagram

    Configuration procedure

    Configure the IP address of GigabitEthernet 1/0/1 on Gateway.
    <Gateway> system-view
    [Gateway] interface gigabitethernet 1/0/1
    [Gateway-GigabitEthernet1/0/1] ip address 10.1.1.100 24

    Configure the DHCP server:

    # Enable DHCP and configure DHCP address pool 1.
    <Device> system-view
    [Device] dhcp enable
    [Device] dhcp server ip-pool 1
    [Device-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.0
  • Page 440: Auto-Mode Mff Configuration Example In A Ring Network

    # Enable DHCP snooping.
    <SwitchB> system-view
    [SwitchB] dhcp snooping enable

    # Enable MFF in automatic mode on VLAN 100.
    [SwitchB] vlan 100
    [SwitchB-vlan100] mac-forced-forwarding auto

    # Configure IP address 10.1.1.50 for the DHCP server.
    [SwitchB-vlan100] mac-forced-forwarding server 10.1.1.50
    [SwitchB-vlan100] quit

    # Configure GigabitEthernet 1/0/6 as a network port.
  • Page 441

    # Add gateway's IP address to DHCP address pool 1.
    [Device-dhcp-pool-1] gateway-list 10.1.1.100
    [Device-dhcp-pool-1] quit

    # Configure the IP address of GigabitEthernet 1/0/2.
    [Device] interface gigabitethernet 1/0/2
    [Device-GigabitEthernet1/0/2] ip address 10.1.1.50 24

    Configure Switch A:

    # Enable DHCP snooping.
    <SwitchA> system-view
    [SwitchA] dhcp snooping enable

    # Enable STP globally to make sure STP is enabled on interfaces.
  • Page 442: Manual-Mode Mff Configuration Example In A Tree Network

    # Configure GigabitEthernet 1/0/6 as a network port.
    [SwitchB] interface gigabitethernet 1/0/6
    [SwitchB-GigabitEthernet1/0/6] mac-forced-forwarding network-port

    # Configure GigabitEthernet 1/0/6 as a DHCP snooping trusted port.
    [SwitchB-GigabitEthernet1/0/6] dhcp snooping trust

    Enable STP on Switch C globally to make sure STP is enabled on interfaces.
    <SwitchC>...
  • Page 443: Manual-Mode Mff Configuration Example In A Ring Network

    [SwitchA] interface gigabitethernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] mac-forced-forwarding network-port

    Configure Switch B:

    # Configure manual-mode MFF on VLAN 100.
    [SwitchB] vlan 100
    [SwitchB-vlan100] mac-forced-forwarding default-gateway 10.1.1.100

    # Specify the IP address of the server.
    [SwitchB-vlan100] mac-forced-forwarding server 10.1.1.200

    # Enable ARP snooping on VLAN 100.
    [SwitchB-vlan100] arp snooping enable
    [SwitchB-vlan100] quit

    # Configure GigabitEthernet 1/0/6 as a network port.
  • Page 444

    # Configure manual-mode MFF on VLAN 100.
    [SwitchA] vlan 100
    [SwitchA-vlan100] mac-forced-forwarding default-gateway 10.1.1.100

    # Specify the IP address of the server.
    [SwitchA-vlan100] mac-forced-forwarding server 10.1.1.200

    # Enable ARP snooping on VLAN 100.
    [SwitchA-vlan100] arp snooping enable
    [SwitchA-vlan100] quit

    # Configure GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 as network ports.
    [SwitchA] interface gigabitethernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] mac-forced-forwarding network-port
    [SwitchA-GigabitEthernet1/0/2] quit
  • Page 445: Configuring Nd Attack Defense

    Configuring ND attack defense

    Overview

    Neighbor Discovery (ND) attack defense identifies forged ND messages to prevent ND attacks. The IPv6 ND protocol does not provide any security mechanisms and is vulnerable to network attacks. An attacker can send the following forged ICMPv6 messages to perform ND attacks:
  • Page 446: Configuring Nd Attack Detection

    The ND logging feature logs source MAC inconsistency events and sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see Network Management and Monitoring Configuration Guide.
  • Page 447: Configuration Procedure

    Configuration procedure

    To configure ND attack detection:

    Step: Enter system view.
    Command: system-view

    Step: Enter VLAN view.
    Command: vlan vlan-id

    Step: Enable ND attack detection.
    Command: ipv6 nd detection enable
    Remarks: By default, ND attack detection is disabled.

    Step: Return to system view.
    Command: quit

    Step: Enter Layer 2 Ethernet or aggregate interface view.
    Command: interface interface-type interface-number
  • Page 448: Specifying The Role Of The Attached Device

    Specifying the role of the attached device

    Step: Enter system view.
    Command: system-view

    Step: Enter Layer 2 Ethernet or aggregate interface view.
    Command: interface interface-type interface-number

    Step: Specify the role of the device attached to the port.
    Command: ipv6 nd raguard role { host | router }
    Remarks: By default, the role of the device attached to the port is not specified.
  • Page 449: Enabling The Ra Guard Logging Feature

    Enabling the RA guard logging feature

    This feature allows a device to generate logs when it detects forged RA messages. Each log records the following information:
    • Name of the interface that received the forged RA message.
    • Source IP address of the forged RA message.
  • Page 450: Configuration Procedure

    Figure 137 Network diagram

    Configuration procedure

    # Create an RA guard policy named policy1.
    <Switch> system-view
    [Switch] ipv6 nd raguard policy policy1

    # Set the maximum router preference to high for the RA guard policy.
    [Switch-raguard-policy-policy1] if-match router-preference maximum high

    # Specify on as the M flag match criterion for the RA guard policy.
  • Page 451: Verifying The Configuration

    [Switch-vlan10] quit

    # Specify host as the role of the device attached to GigabitEthernet 1/0/1.
    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] ipv6 nd raguard role host
    [Switch-GigabitEthernet1/0/1] quit

    # Specify router as the role of the device attached to GigabitEthernet 1/0/3.
    [Switch] interface gigabitethernet 1/0/3
    [Switch-GigabitEthernet1/0/3] ipv6 nd raguard role router
    [Switch-GigabitEthernet1/0/3] quit
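An added Python example (not code from this guide or the switch) that parses the fixed part of an ICMPv6 Router Advertisement and evaluates the two match criteria the example policy above uses, the maximum router preference and the M flag. The RA bytes are constructed, and the port-role handling (a declared host never sources RAs, a declared router always may, and an unspecified role is checked against the policy) is an assumption made for the example rather than a statement of the device's behaviour.

```python
import struct

PREF_RANK = {"low": 0, "medium": 1, "high": 2}
# RFC 4191 Prf field (bits 4-3 of the RA flags byte); 10 is reserved and treated as medium.
PRF_BITS = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "medium"}


def parse_ra(icmpv6):
    """Parse the fixed 16-byte part of an ICMPv6 Router Advertisement (RFC 4861/4191)."""
    if len(icmpv6) < 16:
        raise ValueError("truncated RA")
    msg_type, code, _cksum, hop_limit, flags, lifetime = struct.unpack("!BBHBBH", icmpv6[:8])
    if msg_type != 134 or code != 0:
        raise ValueError("not a Router Advertisement")
    return {
        "hop_limit": hop_limit,
        "m_flag": bool(flags & 0x80),       # Managed address configuration
        "o_flag": bool(flags & 0x40),       # Other configuration
        "preference": PRF_BITS[(flags >> 3) & 0x3],
        "router_lifetime": lifetime,
    }


def build_ra(m=False, o=False, preference="medium", lifetime=1800):
    """Construct a minimal RA for the example (checksum left zero; not a wire-valid frame)."""
    prf = {"high": 0b01, "medium": 0b00, "low": 0b11}[preference]
    flags = (0x80 if m else 0) | (0x40 if o else 0) | (prf << 3)
    return struct.pack("!BBHBBH", 134, 0, 0, 64, flags, lifetime) + b"\x00" * 8


class RaGuardPolicy:
    """Models an RA guard policy with the criteria used above (plus the O flag for symmetry)."""

    def __init__(self, max_preference=None, m_flag=None, o_flag=None):
        self.max_preference = max_preference   # if-match router-preference maximum {low|medium|high}
        self.m_flag = m_flag                   # M flag match criterion, "on" or "off"
        self.o_flag = o_flag                   # O flag match criterion, "on" or "off"

    def matches(self, ra):
        if self.max_preference is not None and \
                PREF_RANK[ra["preference"]] > PREF_RANK[self.max_preference]:
            return False
        if self.m_flag is not None and ra["m_flag"] != (self.m_flag == "on"):
            return False
        if self.o_flag is not None and ra["o_flag"] != (self.o_flag == "on"):
            return False
        return True


def ra_guard(port_role, policy, icmpv6):
    """Decide "forward" or "drop" for an RA arriving on a port (role handling is assumed)."""
    if port_role == "host":
        return "drop"
    if port_role == "router":
        return "forward"
    ra = parse_ra(icmpv6)
    if policy is None or policy.matches(ra):
        return "forward"
    return "drop"


if __name__ == "__main__":
    policy1 = RaGuardPolicy(max_preference="high", m_flag="on")
    print(ra_guard(None, policy1, build_ra(m=True, preference="high")))   # forward
    print(ra_guard(None, policy1, build_ra(m=False, preference="high")))  # drop: M flag off
    print(ra_guard("host", policy1, build_ra(m=True)))                    # drop: hosts never send RAs
```

With maximum high every preference passes, so in the example policy it is the M-flag criterion that does the filtering: a rogue RA that advertises itself without setting M (as a casual rogue-RA tool would) is dropped, while the legitimate router's RA that sets M is forwarded. Lowering the maximum to medium additionally drops any RA that tries to win the default-router election with a high preference.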
  • Page 452: Configuring Keychains

    Configuring keychains

    Overview

    A keychain is a sequence of keys that provides dynamic authentication: it secures communication by periodically changing the key and authentication algorithm without service interruption. Each key in a keychain has a key string, an authentication algorithm, a sending lifetime, and a receiving lifetime.
  • Page 453: Displaying And Maintaining Keychain

    Displaying and maintaining keychain

    Execute display commands in any view.

    Task: Display keychain information.
    Command: display keychain [ name keychain-name [ key key-id ] ]

    Keychain configuration example

    Network requirements

    As shown in Figure 138, establish an OSPF neighbor relationship between Switch A and Switch B, and use a keychain to authenticate packets between the switches.
  • Page 454: Configuring Switch B

    [SwitchA-keychain-abc-key-2] authentication-algorithm hmac-sha-256
    [SwitchA-keychain-abc-key-2] key-string plain pwd123
    [SwitchA-keychain-abc-key-2] send-lifetime utc 11:00:00 2015/02/06 to 12:00:00 2015/02/06
    [SwitchA-keychain-abc-key-2] accept-lifetime utc 11:00:00 2015/02/06 to 12:00:00 2015/02/06
    [SwitchA-keychain-abc-key-2] quit
    [SwitchA-keychain-abc] quit

    # Configure VLAN-interface 100 to use keychain abc for authentication.
    [SwitchA] interface vlan-interface 100
    [SwitchA-Vlan-interface100] ospf authentication-mode keychain abc
    [SwitchA-Vlan-interface100] quit

    Configuring Switch B
  • Page 455: Verifying The Configuration

    Verifying the configuration

    When the system time is within the lifetime from 10:00:00 to 11:00:00 on 2015/02/06, verify the status of the keys in keychain abc.

    # Display keychain information on Switch A. The output shows that key 1 is the valid key.
    [SwitchA] display keychain
    Keychain name        : abc
  • Page 456

      Key string         : $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw==
      Algorithm          : hmac-sha-256
      Send lifetime      : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
      Send status        : Inactive
      Accept lifetime    : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
      Accept status      : Inactive

    When the system time is within the lifetime from 11:00:00 to 12:00:00 on 2015/02/06, verify the status of the keys in keychain abc.
  • Page 457 Send status : Inactive Accept lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06 Accept status : Inactive Key ID Key string : $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw== Algorithm : hmac-sha-256 Send lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06 Send status : Active Accept lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06 Accept status : Active...
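    The key-selection and rollover behaviour that the configuration and verification steps above exercise, modelled in Python as an added example (this is not code from the manual and not HPE's implementation). It follows only what the page states: each key has a key string, an authentication algorithm, a send lifetime and an accept lifetime; the sender signs with the key whose send lifetime covers its clock, and the receiver accepts a packet if a key whose accept lifetime covers its own clock verifies the MAC. Assumptions the page does not state: lifetime starts are inclusive and ends exclusive; when several send lifetimes overlap, the lowest key ID is used; key 1's key string, which the page never shows, is a placeholder; the packet payload is a constructed sample. One caveat the example makes visible: the page's lifetimes abut exactly at 11:00:00, so if Switch A's clock is even a few seconds ahead of Switch B's, A is already signing with key 2 while B will still only accept key 1, and authentication fails until B's clock also passes 11:00:00. Widening the accept lifetimes (while keeping the send lifetimes back-to-back) removes that window.

```python
"""Keychain key selection and rollover, modelled in Python.

Added example for this page; not HPE's implementation and not code from the
manual. Assumptions not stated on the page: a lifetime's start is inclusive and
its end exclusive; with overlapping send lifetimes the lowest key ID is used;
key 1's key string (not shown on the page) is a placeholder.
"""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: bytes
    algorithm: str          # hashlib digest name; "sha256" models hmac-sha-256
    send_from: datetime
    send_to: datetime
    accept_from: datetime
    accept_to: datetime

    def can_send(self, now: datetime) -> bool:
        return self.send_from <= now < self.send_to

    def can_accept(self, now: datetime) -> bool:
        return self.accept_from <= now < self.accept_to


def active_send_key(keychain, now):
    """Key the sender signs with at `now`; None when no send lifetime covers it."""
    for key in sorted(keychain, key=lambda k: k.key_id):
        if key.can_send(now):
            return key
    return None


def sign(key, payload):
    return hmac.new(key.key_string, payload, key.algorithm).digest()


def authenticate(keychain, now, payload, mac):
    """Receiver side: the packet is valid if a key whose accept lifetime covers
    the receiver's clock reproduces the MAC. Returns that key's ID or None."""
    for key in keychain:
        if key.can_accept(now) and hmac.compare_digest(sign(key, payload), mac):
            return key.key_id
    return None


def with_accept_overlap(keychain, overlap):
    """Copy of `keychain` whose accept lifetimes start `overlap` earlier and end
    `overlap` later, so a key is still accepted around its rollover boundary."""
    return [Key(k.key_id, k.key_string, k.algorithm, k.send_from, k.send_to,
                k.accept_from - overlap, k.accept_to + overlap) for k in keychain]


def exchange(sender_chain, receiver_chain, sender_now, receiver_now,
             payload=b"OSPF Hello (constructed sample payload)"):
    """One authenticated packet from sender to receiver: returns the key ID the
    receiver verified with, or None if the receiver rejects it."""
    key = active_send_key(sender_chain, sender_now)
    if key is None:
        return None
    return authenticate(receiver_chain, receiver_now, payload, sign(key, payload))


def t(hh, mm, ss=0):
    return datetime(2015, 2, 6, hh, mm, ss)


# Keychain abc as configured on this page: key 1 valid 10:00-11:00, key 2
# (key-string pwd123, hmac-sha-256) valid 11:00-12:00 on 2015/02/06.
KEYCHAIN_ABC = [
    Key(1, b"key1-placeholder", "sha256", t(10, 0), t(11, 0), t(10, 0), t(11, 0)),
    Key(2, b"pwd123", "sha256", t(11, 0), t(12, 0), t(11, 0), t(12, 0)),
]


def rollover_demo(skew=timedelta(seconds=20), overlap=timedelta(minutes=5)):
    """Switch A's clock is `skew` ahead of Switch B's just after the 11:00
    rollover. Returns (result with the page's abutting lifetimes,
    result with accept lifetimes widened by `overlap`)."""
    a_now = t(11, 0, 10)
    b_now = a_now - skew
    abutting = exchange(KEYCHAIN_ABC, KEYCHAIN_ABC, a_now, b_now)
    widened = with_accept_overlap(KEYCHAIN_ABC, overlap)
    overlapped = exchange(widened, widened, a_now, b_now)
    return abutting, overlapped


if __name__ == "__main__":
    print("10:30 send key:", active_send_key(KEYCHAIN_ABC, t(10, 30)).key_id)
    print("11:30 send key:", active_send_key(KEYCHAIN_ABC, t(11, 30)).key_id)
    print("rollover with 20 s skew (abutting, overlapped):", rollover_demo())
```

    Run as-is, `rollover_demo()` returns `(None, 2)`: with the page's abutting lifetimes the packet signed under key 2 is rejected by a peer whose clock is 20 seconds behind, and with accept lifetimes widened by five minutes the same packet verifies under key 2. In practice, keep send lifetimes back-to-back so only one key signs at a time, make accept lifetimes overlap by more than the largest clock offset you expect between the switches, and check the Send status and Accept status fields of display keychain on both switches around each rollover.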
  • Page 458: Document Conventions And Icons

    Document conventions and icons

    Conventions

    This section describes the conventions used in the documentation.

    Port numbering in examples

    The port numbers in this document are for illustration only and might be unavailable on your device.

    Command conventions

    Convention: Boldface. Description: Bold text represents commands and keywords that you enter literally as shown.
  • Page 459: Network Topology Icons

    Network topology icons

    Generic network device icon: represents a generic network device, such as a router, switch, or firewall.
    Router icon: represents a routing-capable device, such as a router or Layer 3 switch.
    Switch icon: represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 460: Support And Other Resources

    Support and other resources

    Accessing Hewlett Packard Enterprise Support

    • For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance
    • To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc

    Information to collect •...
  • Page 461: Websites

    For more information and device support details, go to the following website: www.hpe.com/info/insightremotesupport/docs

    Documentation feedback

    Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
  • Page 463: Index

    Index feature cooperation, Numerics guest VLAN, guest VLAN assignment configuration, MACsec configuration, 409, guest VLAN assignment delay, 802.1X guest VLAN configuration, 802.1X protocol packet sending rule, MAC authentication delay, AAA RADIUS server 802.1X user, MAC-based access control, access control method, maintain, ACL assignment, mandatory port authentication domain,...
  • Page 464 FIPS compliance, RADIUS scheme, HWTACACS accounting server, RADIUS scheme creation, HWTACACS authentication server, RADIUS scheme VPN, HWTACACS authorization server, RADIUS security policy server IP address, HWTACACS display, RADIUS server 802.1X user, HWTACACS implementation, RADIUS server SSH user authentication+authorization, HWTACACS maintain, RADIUS server status, HWTACACS outgoing packet source IP address,...
  • Page 465 AAA configuration, 1, 17, scanning configuration restrictions, AAA ISP domain accounting method, ARP attack protection AAA RADIUS accounting server active acknowledgement, parameters, ARP detection display, AAA RADIUS accounting-on, ARP detection maintain, AAA SSH user local ARP packet sender IP address checking authentication+HWTACACS configuration, authorization+RADIUS accounting,...
  • Page 466 defense policy configuration (DNS flood), AAA RADIUS common standard attributes, defense policy configuration (FIN flood), AAA RADIUS extended attributes, defense policy configuration (flood), AAA RADIUS Login-Service attribute check method, defense policy configuration (HTTP flood), AAA RADIUS scheme, defense policy configuration (ICMP flood), AAA scheme, defense policy configuration (ICMPv6 AAA user group attribute,...
  • Page 467 portal authentication client, AAA SSH user local authentication+HWTACACS authorization+RADIUS accounting, portal authentication configuration (cross-subnet for MPLS L3VPN), MAC authentication authorization VLAN, portal authentication server, port security authorization-fail-offline feature, SSH configuration, port security server authorization information, SSH methods, auto SSH SCP file transfer+password FIPS mode (automatic reboot), authentication, FIPS mode entry (automatic reboot),...
  • Page 468 PKI domain configuration, 802.1X EAD assistant configuration (DHCP relay agent), PKI entity configuration, 802.1X EAD assistant configuration (DHCP PKI OpenCA server certificate request, server), PKI RSA Keon CA server certificate 802.1X guest VLAN assignment request, configuration, PKI storage path, 802.1X SmartOn feature configuration, PKI Windows 2003 CA server certificate 802.1X+ACL assignment configuration, request,...
  • Page 469 AAA ISP domain method, attack D&P defense policy (DNS flood), AAA LDAP administrator attributes, attack D&P defense policy (FIN flood), AAA LDAP scheme, attack D&P defense policy (flood), AAA LDAP server IP address, attack D&P defense policy (HTTP flood), AAA LDAP server SSH user attack D&P defense policy (ICMP flood), authentication, attack D&P defense policy (ICMPv6 flood),...
  • Page 470 MACsec MKA policy, portal authentication extended cross-subnet configuration, MACsec preshared key, portal authentication extended direct MACsec protection parameters (interface configuration, view), portal authentication extended re-DHCP MACsec protection parameters (MKA configuration, policy), portal authentication fail-permit, MACsec replay protection, portal authentication portal-free rule, MACsec validation mode, portal authentication re-DHCP configuration, MFF, 422, 424,...
  • Page 471 SSH user, portal authentication configuration (MPLS L3VPN), SSH2 algorithms (encryption ), portal authentication extended configuration, SSH2 algorithms (key exchange), portal authentication mode, 137, SSH2 algorithms (MAC), cryptography SSH2 algorithms (public key), FIPS self-test, SSL, 232, customization rules SSL client policy, portal authentication pages, SSL server policy, 233, customizing...
  • Page 472 MAC authentication delay, IPv4 source guard (IPv4SG) dynamic binding+DHCP relay configuration, delimiter (802.1X domain name), MAC authentication, 114, 118, desire MAC authentication (local), MACsec enable, MAC authentication (RADIUS-based), destination MAC authentication ACL assignment, portal authentication portal-free rule, MAC authentication configuration, portal authentication subnet, MACsec (device-oriented), destroying...
  • Page 473 802.1X EAD assistant configuration (DHCP PKI verification (w/o CRL checking), relay agent), PKI Windows 2003 CA server certificate 802.1X EAD assistant configuration (DHCP request, server), digital certificate-based portal authentication, authorized ARP (DHCP server), Digital Signature Algorithm. Use authorized ARP (relay agent), direct portal authentication mode, 136, IPv4 source guard (IPv4SG) dynamic directory...
  • Page 474 AAA ISP domain authentication method, public key management, 223, AAA ISP domain authorization method, SSH ECDSA host key pair, MAC authentication, Elliptic Curve Digital Signature Algorithm. Use ECDSA PKI domain configuration, email (PKI secure), portal authentication domain, enabling 802.1X, attack D&P login attack prevention, 802.1X critical VLAN, attack D&P login DoS attack, 802.1X EAP relay,...
  • Page 475 entering outgoing packets filtering on portal interface, FIPS mode (automatic reboot), 378, FIN flood, FIPS mode (manual reboot), 378, FIPS peer public key, 227, configuration, 377, establishing configuration restrictions, SSH SCP server connection, display, SSH SCP server connection based on Suite mode configuration, mode entry, SSH Secure Telnet server connection,...
  • Page 476 ARP restricted forwarding, general guidelines IP source guard (IPSG) MAC authentication configuration, configuration, 337, 338, general restrictions IPv4 source guard (IPv4SG) dynamic binding MAC authentication configuration, configuration, general restrictions and guidelines IPv4 source guard (IPv4SG) dynamic MACsec, binding+DHCP relay configuration, generating IPv4 source guard (IPv4SG) static binding SSH local DSA key pair,...
  • Page 477 shared keys, SSH user local authentication+HWTACACS ARP attack protection (unresolvable IP authorization+RADIUS accounting, attack), 347, timer set), ARP attack protection blackhole routing (unresolvable IP attack), traffic statistics units, ARP attack protection source suppression troubleshooting, (unresolvable IP attack), username format, ARP ip validity check, Hypertext Transfer Protocol.
  • Page 478 SSH Secure Telnet server connection AAA ISP domain authentication method, establishment based on Suite B, AAA ISP domain authorization method, SSH SFTP server connection AAA ISP domain creation, establishment, AAA ISP domain method, SSH SFTP server connection establishment portal support for EAP, based on Suite B, IPv4 source guard (IPv4SG) configuration, 337, 338, 339,...
  • Page 479 server SSH user authentication, password user login attempt limit, server timeout period, password user login control, troubleshooting user authentication fails, RADIUS Login-Service attribute, user attribute, logging out versions, portal authentication users, Lightweight Directory Access Protocol. Use LDAP login limiting attack D&P login delay, ARP packet rate limit, port security secure MAC addresses, link...
  • Page 480 troubleshooting port security secure MAC port security MAC learning control modes, addresses, port security secure MAC learning control, MAC authentication MAC-forced forwarding. Use ACL assignment, 116, MACsec authorization VLAN, application mode, concurrent port users max, basic concepts, configuration, 114, 118, confidentiality offset configuration, critical VLAN, configuration, 409,...
  • Page 481 FIPS mode exit (manual reboot), 380, port security MAC learning control, MFF manual-mode in ring network, port security MAC learning control autoLearn, MFF manual-mode in tree network, port security MAC learning control secure, MFF operation mode, port security macAddressWithRadius authentication, Media Access Control Security.
  • Page 482 need to know. Use AAA HWTACACS server SSH user, NETCONF AAA ISP domain accounting method, enable over SSH, AAA ISP domain attribute, Secure Telnet client user line AAA ISP domain authentication method, configuration, AAA ISP domain authorization method, SSH client user line configuration, AAA ISP domain creation, SSH+password authentication AAA ISP domain method,...
  • Page 483 FIPS mode entry (manual reboot), MACsec desire enable, FIPS mode exit (automatic reboot), MACsec MKA enable, FIPS mode exit (manual reboot), MACsec preshared key, fixed ARP configuration, MACsec protection parameter (interface view), IP source guard (IPSG) dynamic binding, MACsec protection parameter (MKA policy), IP source guard (IPSG) static binding, MACsec services, IPv4 source guard (IPv4SG)
  • Page 484 port security MAC address learning SSH SFTP client device, control, SSH SFTP client publickey authentication, port security mode, 192, SSH SFTP configuration, port security NAS-ID profile, SSH SFTP configuration (192-bit Suite B), port security NTK, SSH SFTP directories, port security secure MAC address, SSH SFTP files, port security secure MAC address port SSH SFTP packet source IP address,...
  • Page 485 portal authentication configuration, 134, AAA HWTACACS outgoing packet source IP address, public key import from file, AAA HWTACACS packet exchange process, public key management, 223, AAA LDAP packet exchange process, RA guard, AAA RADIUS outgoing packet source IP SSH configuration, address, SSL configuration, 232, AAA RADIUS packet exchange process,...
  • Page 486 password control parameters (local user), architecture, password control parameters (super), CA digital certificate, password control parameters (user CA policy, group), CA storage path, password certificate export, SSH password authentication, certificate import/export, SSH password-publickey authentication, certificate obtain, SSH SCP file transfer+password certificate removal, authentication, certificate request,...
  • Page 487 MACsec MKA policy configuration, security portal authentication direct local portal Web server, MACsec protection parameter (MKA policy), port security password control configuration, 212, 215, 802.1X access control method, PKI CA policy, 802.1X authentication, PKI certificate-based access control 802.1X authentication configuration, policy, 802.1X authorization state, portal authentication extended functions,...
  • Page 488 support for EAP, troubleshoot users cannot log in (re-DHCP), portal authentication troubleshoot users logged out still exist on server, AAA server, types, access device, user access control, authentication destination subnet, user logout, authentication modes, user online detection, authentication page customization, user setting max, authentication process, user synchronization configuration,...
  • Page 489 configuring 802.1X SmartOn, 99, configuring ARP gateway protection, 363, configuring 802.1X+ACL assignment, configuring ARP packet rate limit, configuring AAA, configuring ARP packet sender IP address checking, configuring AAA HWTACACS schemes, configuring ARP packet source MAC consistency configuring AAA HWTACACS server SSH check, user, configuring ARP packet validity check,...
  • Page 490 configuring FIPS mode, configuring MFF manual-mode in ring network, configuring fixed ARP, configuring MFF manual-mode in tree configuring IP source guard (IPSG), network, configuring IPv4 source guard (IPv4SG), configuring MFF network port, configuring IPv4 source guard (IPv4SG) configuring ND attack detection, dynamic binding, configuring NETCONF-over-SSH client user configuring IPv4 source guard (IPv4SG)
  • Page 491 configuring portal authentication configuring SSH SFTP client publickey fail-permit, authentication, configuring portal authentication portal-free configuring SSH SFTP server password rule, authentication, configuring portal authentication re-DHCP configuring SSH user, configuration, configuring SSH2 algorithms (encryption ), configuring portal authentication server, configuring SSH2 algorithms (key exchange), configuring portal authentication server configuring SSH2 algorithms (MAC), BAS-IP,...
  • Page 492 displaying security SSL, establishing SSH SCP server connection, displaying SSH, establishing SSH SCP server connection based on Suite B, displaying SSH SFTP help information, establishing SSH Secure Telnet server displaying uRPF, connection, distributing local host public key, establishing SSH Secure Telnet server enabling 802.1X, connection based on Suite B, enabling 802.1X critical voice VLAN,...
  • Page 493 setting AAA HWTACACS timer, specifying PKI CA storage path, setting AAA HWTACACS traffic statistics specifying portal authentication domain, unit, specifying security portal authentication Web setting AAA HWTACACS username server, format, specifying SSH packet source IP address, setting AAA LDAP server timeout period, specifying SSH server PKI domain, setting AAA RADIUS request transmission specifying SSH SFTP packet source IP...
  • Page 494 verifying PKI certificate verification (CRL SSH SFTP client publickey authentication, checking), SSH user configuration, verifying PKI certificate verification (w/o CRL SSH v client publickey authentication, checking), Public Key Infrastructure. Use working with SSH SFTP directories, working with SSH SFTP files, quiet processing 802.1X timer,...
  • Page 495 outgoing packet source IP address, 802.1X EAD assistant configuration (DHCP relay agent), packet exchange process, authorized ARP (DHCP relay agent), packet format, remote port security macAddressWithRadius, 802.1X authorization VLAN, port security NAS-ID profile, AAA remote accounting method, portal authentication interface NAS-ID profile, AAA remote authentication, protocols and standards,...
  • Page 496 configuration, PKI certificate export, configuration (128-bit Suite B), PKI OpenCA server certificate request, server connection establishment, PKI RSA Keon CA server certificate server connection establishment based on Suite request, PKI Windows 2003 CA server certificate server password authentication, request, server publickey authentication, public key management, 223, SSH application, SSH client host public key configuration,...
  • Page 497 AAA device implementation, ARP packet rate limit, AAA display, ARP packet sender IP address checking, AAA HWTACACS implementation, ARP packet source MAC consistency check, AAA HWTACACS scheme, 33, ARP packet validity check, AAA HWTACACS server SSH user, ARP restricted forwarding, AAA ISP domain accounting method, ARP scanning, AAA ISP domain attribute,...
  • Page 498 IPv4 source guard (IPv4SG) dynamic MAC authentication VLAN assignment, binding+DHCP relay configuration, MAC security. Use MACsec IPv4 source guard (IPv4SG) enable on MACsec application mode, interface, MACsec configuration, 409, IPv4 source guard (IPv4SG) static binding MACsec configuration (device-oriented), configuration, 339, MACsec desire enable, IPv6 source guard (IPv6SG) MACsec display,...
  • Page 499 password updating, 213, portal authentication extended cross-subnet configuration, password user first login, portal authentication extended direct password user login control, configuration, peer host public key import from file, portal authentication extended re-DHCP peer public key entry, 227, configuration, periodic MAC reauthentication, portal authentication fail-permit, PKI applications, portal authentication logout,...
  • Page 500 SSH Secure Telnet client password troubleshooting AAA LDAP user authentication authentication, fails, SSH Secure Telnet client publickey troubleshooting AAA RADIUS, authentication, troubleshooting AAA RADIUS accounting SSH Secure Telnet configuration, error, SSH Secure Telnet configuration based on troubleshooting AAA RADIUS authentication (128-bit Suite B), failure, SSH Secure Telnet server connection...
  • Page 501 PKI OpenCA server certificate request, password control parameters (user group), PKI Windows 2003 CA server certificate port security mode, request, portal authentication users max, port security authorization information, SFTP portal authentication AAA server, client device configuration, portal authentication fail-permit, client publickey authentication, portal authentication policy server, configuration, portal authentication server, 135,...
  • Page 502 AAA HWTACACS shared keys, SCP configuration, AAA LDAP authentication server, SCP configuration (Suite B), AAA LDAP version, SCP file transfer+password authentication, AAA RADIUS accounting server SCP server connection establishment, parameters, SCP server connection establishment based on AAA RADIUS authentication server, Suite B, AAA RADIUS outgoing packet source IP SCP server enable,...
  • Page 503 portal authentication server detection+user synchronization configuration, client policy configuration, SYN flood, configuration, 232, SYN-ACK flood, display, synchronizing FIPS compliance, portal authentication server detection+user PKI configuration, 240, 243, synchronization configuration, PKI Web application, portal authentication user synchronization, protocol stack, system administration public key management, 223, attack D&P configuration, 387, 391, security services,...
  • Page 504 SSH Secure Telnet server connection AAA RADIUS SNMP notification, establishment based on Suite B, triggering SSH Secure Telnet server password 802.1X authentication trigger, authentication, FIPS self-test, SSH Secure Telnet server publickey troubleshooting authentication, 802.1X EAD assistant Web browser users, terminal AAA HWTACACS, AAA RADIUS Login-Service attribute check AAA LDAP user authentication fails,...
  • Page 505 passwords, 213, IPv6 source guard (IPv6SG) static binding configuration, user account 802.1X redirect URL assignment, MAC authentication user account format, uRPF MAC authentication user account policies, check modes, user authentication configuration, 367, 370, password control configuration, 212, 215, display, password control parameters (global), features, password control parameters (local user), IPv6.
  • Page 506 802.1X EAP-Success packet sending, portal authentication direct configuration, 802.1X guest VLAN, 78, portal authentication extended cross-subnet configuration, 802.1X guest VLAN assignment configuration, portal authentication extended direct configuration, 802.1X guest VLAN assignment delay, portal authentication extended functions, 802.1X VLAN manipulation, portal authentication extended re-DHCP 802.1X+ACL assignment configuration, configuration, IP source guard (IPSG)