Contents

Configuring AAA ... 1
  Overview ... 1
    RADIUS ... 2
    HWTACACS ... 6
    LDAP ... 9
    AAA implementation on the device ... 11
    AAA for MPLS L3VPNs ... 13
    Protocols and standards ... 13
    RADIUS attributes ... 14
  FIPS compliance ... 16
  AAA configuration considerations and task list ...
    Authorization VLAN ... 72
    Guest VLAN ... 74
    Auth-Fail VLAN ... 75
    Critical VLAN ... 76
    Critical voice VLAN ... 78
  Using 802.1X authentication with other features ... 79
    ACL assignment ... 79
    User profile assignment ... 79
    EAD assistant ... 79
  Configuration prerequisites ...
    ACL assignment ... 105
    User profile assignment ... 106
    Periodic MAC reauthentication ... 106
  Configuration prerequisites ... 106
  Configuration task list ... 107
  Enabling MAC authentication ... 107
  Specifying a MAC authentication domain ... 108
  Configuring the user account format ... 108
  Configuring MAC authentication timers ...
    Configuring a local portal Web server ... 144
  Displaying and maintaining portal ... 145
  Portal configuration examples ... 145
    Configuring direct portal authentication ... 145
    Configuring re-DHCP portal authentication ... 153
    Configuring cross-subnet portal authentication ... 156
    Configuring extended direct portal authentication ... 159
    Configuring extended re-DHCP portal authentication ...
  Password control configuration example ... 213
    Network requirements ... 213
    Configuration procedure ... 214
    Verifying the configuration ... 215
Managing public keys ... 217
  Overview ... 217
  FIPS compliance ... 217
  Creating a local key pair ... 217
  Distributing a local host public key ... 219
    Exporting a host public key ...
    Failed to set the storage path ... 258
Configuring IPsec ... 259
  Overview ... 259
    Security protocols and encapsulation modes ... 260
    Security association ... 261
    Authentication and encryption ... 262
    IPsec implementation ... 262
    Protocols and standards ... 263
  FIPS compliance ...
    IPsec SA negotiation failed due to invalid identity information ... 305
Configuring IKEv2 ... 309
  Overview ... 309
    IKEv2 negotiation process ... 309
    New features in IKEv2 ... 310
    Protocols and standards ... 310
  Feature and software version compatibility ... 310
  IKEv2 configuration task list ...
  Specifying algorithms for SSH2 ... 351
    Specifying key exchange algorithms for SSH2 ... 352
    Specifying public key algorithms for SSH2 ... 352
    Specifying encryption algorithms for SSH2 ... 352
    Specifying MAC algorithms for SSH2 ... 353
  Displaying and maintaining SSH ... 353
  Stelnet configuration examples ...
Configuring AAA

Overview

Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. This feature specifies the following security functions:
• Authentication—Identifies users and verifies their validity.
• Authorization—Grants different users different rights, and controls the users' access to resources and services.
RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. The protocol can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access.
Basic RADIUS packet exchange process

Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.

Figure 3 Basic RADIUS packet exchange process (host, RADIUS client, RADIUS server)
1) Username and password
2) Access-Request
3) Access-Accept/Reject
4) Accounting-Request (start)
5) Accounting-Response
6) The host accesses the resources...
Figure 4 RADIUS packet format (fields: Code, Identifier, Length, Authenticator (16 bytes), Attributes)

Descriptions of the fields are as follows:
• The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main values and their meanings.

Table 1 Main values of the Code field
Packet type | Description...
• Length—Length of the attribute in bytes, including the Type, Length, and Value subfields.
• Value—Value of the attribute. Its format and content depend on the Type subfield.

Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868.
Attribute (continued): Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Link, Framed-AppleTalk-Network, Framed-AppleTalk-Zone, Acct-Status-Type, Acct-Delay-Time, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id
Attribute (continued): Message-Authenticator, Tunnel-Private-Group-id, Tunnel-Assignment-id, Tunnel-Preference, ARAP-Challenge-Response, Acct-Interim-Interval, Acct-Tunnel-Packets-Lost, NAS-Port-Id, Framed-Pool, (unassigned), Tunnel-Client-Auth-id, Tunnel-Server-Auth-id

Extended RADIUS attributes

The RADIUS protocol features excellent extensibility. The Vendor-Specific attribute (attribute 26) allows a vendor to define extended attributes.
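As an added worked example (not code from the HPE guide), the following Python parses the packet and attribute layout described above, decodes a Vendor-Specific (attribute 26) value into its vendor ID and sub-attributes, and verifies a reply's 16-byte Authenticator against the request Authenticator and the shared key, which is how a RADIUS client detects a forged or mis-keyed response. The sample packet, the vendor ID 12345 and the key "expert" are constructed here, not taken from a real exchange.

```python
"""Parse a RADIUS packet (Code, Identifier, Length, 16-byte Authenticator,
TLV attributes, Vendor-Specific sub-attributes) and verify the Response
Authenticator of a reply with the shared key, as defined in RFC 2865."""
import hashlib
import hmac
import struct

CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              4: "Accounting-Request", 5: "Accounting-Response",
              11: "Access-Challenge"}
VENDOR_SPECIFIC = 26  # attribute 26 carries vendor-defined extended attributes


def parse_attributes(data):
    """Walk the Type/Length/Value list; Length covers all three subfields."""
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("attribute length %d out of range" % alen)
        value = data[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 4:
            # Vendor-Id (4 bytes) followed by vendor sub-attributes in TLV form
            vendor_id = struct.unpack("!I", value[:4])[0]
            attrs.append((atype, (vendor_id, parse_attributes(value[4:]))))
        else:
            attrs.append((atype, value))
        pos += alen
    return attrs


def parse_packet(pkt):
    """Split the 20-byte header from the attribute list and sanity-check Length."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("Length field %d inconsistent with packet" % length)
    return {"code": code, "name": CODE_NAMES.get(code, "Unknown"),
            "id": ident, "length": length, "authenticator": pkt[4:20],
            "attributes": parse_attributes(pkt[20:length])}


def response_authenticator(code, ident, attr_bytes, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """Server side: serialize attributes and stamp the Response Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    auth = response_authenticator(code, ident, body, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def verify_response(pkt, request_auth, secret):
    """Client side: True only if the reply was computed over the matching
    request Authenticator with the same shared key."""
    p = parse_packet(pkt)
    expected = response_authenticator(p["code"], p["id"],
                                      pkt[20:p["length"]], request_auth, secret)
    return hmac.compare_digest(expected, p["authenticator"])


# Constructed sample: the Authenticator the client put in its Access-Request,
# the shared key used in the guide's CLI examples, and a placeholder vendor ID.
SAMPLE_REQUEST_AUTH = bytes(range(16))
SHARED_SECRET = b"expert"
PLACEHOLDER_VENDOR_ID = 12345  # not a real enterprise number
SAMPLE_VSA = struct.pack("!I", PLACEHOLDER_VENDOR_ID) + bytes([1, 6]) + b"test"
SAMPLE_ACCEPT = build_response(2, 7, [(18, b"welcome"),          # Reply-Message
                                      (VENDOR_SPECIFIC, SAMPLE_VSA)],
                               SAMPLE_REQUEST_AUTH, SHARED_SECRET)

if __name__ == "__main__":
    print(parse_packet(SAMPLE_ACCEPT))
    print(verify_response(SAMPLE_ACCEPT, SAMPLE_REQUEST_AUTH, SHARED_SECRET))
```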
HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical HWTACACS scenario, terminal users need to log in to the NAS. Working as the HWTACACS client, the NAS sends users' usernames and passwords to the HWTACACS server for authentication. After passing authentication and obtaining authorized rights, a user logs in to the device and performs operations.
Figure 6 Basic HWTACACS packet exchange process for a Telnet user (host, HWTACACS client, HWTACACS server)
1) The user tries to log in
2) Start-authentication packet
3) Authentication response requesting the username
4) Request for username
5) The user enters the username
6) Continue-authentication packet with the username
7) Authentication response requesting the password
8) Request for password...
10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password.
11. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication.
12.
• Uses the LDAP server administrator DN to bind with the LDAP server. After the binding is created, the client establishes a connection to the server and obtains the right to search.
• Constructs search conditions by using the username in the authentication information of a user. The specified root directory of the server is searched and a user DN list is generated.
After receiving the request, the LDAP server searches for the user DN by the base DN, search scope, and filtering conditions. If a match is found, the LDAP server sends a response to notify the LDAP client of the successful search. There might be one or more user DNs found. The LDAP client uses the obtained user DN and the entered user password as parameters to send a user DN bind request to the LDAP server.
AAA methods

AAA supports configuring different authentication, authorization, and accounting methods for different types of users in an ISP domain. The NAS determines the ISP domain and access type of a user. The NAS also uses the methods configured for the access type in the domain to control the user's access.
• Command accounting—When command authorization is disabled, command accounting enables the accounting server to record all valid commands executed on the device. When command authorization is enabled, command accounting enables the accounting server to record all authorized commands. For more information about command accounting, see Fundamentals Configuration Guide.
Attribute | Description
Calling-Station-Id | User identification that the NAS sends to the server. For the LAN access service provided by an HPE device, this attribute includes the MAC address of the user in the format HH-HH-HH-HH-HH-HH.
NAS-Identifier | Identification that the NAS uses to identify itself to the RADIUS server.
Attribute | Description
Acct-Authentic | Authentication method used by the user. Possible values include: • 1—RADIUS. • 2—Local. • 3—Remote.
CHAP-Challenge | CHAP challenge generated by the NAS for MD5 calculation during CHAP authentication.
| Type of the physical port of the NAS that is authenticating the user. Possible values include: •...
Subattribute | Description
| ... types, the Control_Identifier attribute does not take effect.
Result_Code | Result of the Trigger-Request or SetPolicy operation, zero for success and any other value for failure.
Connect_ID | Index of the user connection.
Ftp_Directory | FTP, SFTP, or SCP user working directory. When the RADIUS client acts as the FTP, SFTP, or SCP server, this attribute is used to set the working directory for an FTP, SFTP, or SCP...
AAA configuration considerations and task list

To configure AAA, complete the following tasks on the NAS:
1. Configure the required AAA schemes.
   • Local authentication—Configure local users and the related attributes, including the usernames and passwords, for the users to be authenticated.
   • Remote authentication—Configure the required RADIUS, HWTACACS, and LDAP ...
Configuring AAA schemes

This section includes information on configuring local users, RADIUS schemes, HWTACACS schemes, and LDAP schemes.

Configuring local users

To implement local authentication, authorization, and accounting, create local users and configure user attributes on the device. The local users and attributes are stored in the local user database on the device.
Local user configuration task list

Tasks at a glance
• (Required.) Configuring local user attributes
• (Optional.) Configuring user group attributes
• (Optional.) Displaying and maintaining local users and local user groups

Configuring local user attributes

When you configure local user attributes, follow these guidelines:
•...
Step | Command | Remarks
... password ... | | ... provides the correct username and passes attribute checks. To enhance security, configure a password for each local user. In FIPS mode, only password-protected users can pass authentication.
| • For a network access user: service-type { lan-access | portal } •... |
Step | Command | Remarks
| • ... feature.
• Configure password composition policy: password-control composition type-number type-number [ type-length type-length ]
• Configure password complexity checking policy: password-control complexity { same-character | user-name } check
• Configure the maximum login attempts and the action to take if there is a login failure: password-control login-attempt login-times... |
Step | Command | Remarks
| ... type-length ]
• Configure password complexity checking policy: password-control complexity { same-character | user-name } check
• Configure the maximum login attempts and the action to take for login failures: password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ] |

Displaying and maintaining local users and local user groups

Execute display commands in any view.
Tasks at a glance
• (Optional.) Configuring the IP addresses of the security policy servers
• (Optional.) Configuring the Login-Service attribute check method for SSH, FTP, and terminal users
• (Optional.) Enabling SNMP notifications for RADIUS
• (Optional.) Displaying and maintaining RADIUS

Configuring a test profile for RADIUS server status detection

IMPORTANT: This feature is available in Release 1121 and later.
Step | Command | Remarks
Create a RADIUS scheme and enter RADIUS scheme view. | radius scheme radius-scheme-name | The default setting depends on the startup configuration: • If the device starts up with initial settings, no RADIUS scheme is defined. • If the device starts up with factory defaults, ...
Step | Command | Remarks
... authentication server: | secondary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | weight weight-value ... | ... feature is enabled for the RADIUS scheme. The test-profile profile-name and weight weight-value options are available in Release 1121 and later.
Step | Command | Remarks
| ... { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name | weight weight-value ] * | ... sharing feature is enabled for the RADIUS scheme. The weight weight-value option is available in Release 1121 and later.
The device reports online user traffic statistics in accounting packets. The traffic measurement units are configurable, but they must be the same as the traffic measurement units configured on the RADIUS accounting servers.

To set the username format and the traffic statistics units for a RADIUS scheme:
Step | Command | Remarks...
Setting the status of RADIUS servers

To control the RADIUS servers with which the device communicates when the current servers are no longer available, set the status of RADIUS servers to blocked or active. You can specify one primary RADIUS server and multiple secondary RADIUS servers. The secondary servers act as the backup of the primary server.
Step | Command | Remarks
• Set the status of the primary RADIUS authentication server: state primary authentication { active | block }
• Set the status of the primary RADIUS accounting server: state primary accounting { active | block } | | By default, every specified RADIUS server ...
receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS. • If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.
timer for the server, and tries to communicate with another server in active state. After the server quiet timer expires, the device changes the status of the server back to active. • Realtime accounting timer (realtime-accounting)—Defines the interval at which the device sends realtime accounting packets to the RADIUS accounting server for online users.
IP address of the security policy server on the NAS. The security policy server is the management and control center of the HPE EAD solution. To implement all EAD functions, configure both the IP address of the security policy server and that of the IMC Platform on the NAS.
• RADIUS server unreachable notification—The RADIUS server cannot be reached. RADIUS generates this notification if it cannot receive any response to an accounting or authentication request within the specified RADIUS request transmission attempts. • RADIUS server reachable notification—The RADIUS server can be reached. RADIUS generates this notification for a previously blocked RADIUS server after the quiet timer expires.
Creating an HWTACACS scheme

Create an HWTACACS scheme before performing any other HWTACACS configurations. You can configure a maximum of 16 HWTACACS schemes. An HWTACACS scheme can be used by multiple ISP domains.

To create an HWTACACS scheme:
Step | Command | Remarks
Enter system view. | |
for the secondary servers in the order they are configured. The first secondary server in active state is used for communication. If redundancy is not required, specify only the primary server. An HWTACACS server can function as the primary authorization server of one scheme and as the secondary authorization server of another scheme at the same time.
To specify HWTACACS accounting servers for an HWTACACS scheme:
Step | Command | Remarks
Enter system view. | system-view |
Enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name |
• Specify the primary HWTACACS accounting server: | primary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection ... | By default, no accounting server ...
Step | Command | Remarks
Enter HWTACACS scheme view. | hwtacacs scheme hwtacacs-scheme-name |
Specify a VPN instance for the HWTACACS scheme. | vpn-instance vpn-instance-name | By default, the HWTACACS scheme belongs to the public network.

Setting the username format and traffic statistics units

A username is in the userid@isp-name format, where the isp-name argument represents the user's ISP domain name.
Before sending an HWTACACS packet, the NAS selects a source IP address in the following order:
1. The source IP address specified for the HWTACACS scheme.
2. The source IP address specified in system view for the VPN or public network, depending on where the HWTACACS server resides.
• Changes the server status to blocked.
• Starts a quiet timer for the server.
• Tries to communicate with the next secondary server in active state that has the highest priority.
• The search process continues until the device finds an available secondary server or has checked all secondary servers in active state.
Configuring LDAP schemes

Configuration task list

Tasks at a glance
Configuring an LDAP server:
• (Required.) Creating an LDAP server
• (Required.) Configuring the IP address of the LDAP server
• (Optional.) Specifying the LDAP version
• (Optional.) Setting the LDAP server timeout period
•...
Setting the LDAP server timeout period

If the device sends a bind or search request to an LDAP server without receiving the server's response within the server timeout period, the authentication or authorization request times out. Then, the device tries the backup authentication or authorization method. If no backup method is configured in the ISP domain, the device considers the authentication or authorization attempt a failure.
To configure LDAP user attributes:
Step | Command | Remarks
Enter system view. | system-view |
Enter LDAP server view. | ldap server server-name |
Specify the user search base DN. | search-base-dn base-dn | By default, no user search base DN is specified.
(Optional.) Specify the user search scope. | search-scope all-level | By default, the user search scope ...
Task | Command
Display the configuration of LDAP schemes. | display ldap scheme [ scheme-name ]

Configuring AAA methods for ISP domains

You configure AAA methods for an ISP domain by specifying configured AAA schemes in ISP domain view. Each ISP domain has a set of system-defined AAA methods, which are local authentication, local authorization, and local accounting.
Step | Command | Remarks
Return to system view. | quit |
(Optional.) Specify the default ISP domain. | domain default enable isp-name | By default, the default ISP domain is the system-defined ISP domain system.
(Optional.) Specify an ISP domain to accommodate users that are assigned ... | | By default, no ISP domain is specified to accommodate users that are assigned ...
• If a RADIUS scheme is used for authentication but not for authorization, AAA accepts only the authentication result from the RADIUS server. The Access-Accept message from the RADIUS server also includes the authorization information, but the device ignores the information. •...
Determine whether to configure the default authorization method for all access types or service types. The default authorization method applies to all access users. However, the method has a lower priority than the authorization method that is specified for an access type or service type.

Configuration guidelines

When configuring authorization methods, follow these guidelines:
•...
Configuring accounting methods for an ISP domain

Configuration prerequisites

Before configuring accounting methods, complete the following tasks:
• Determine the access type or service type to be configured. With AAA, you can configure an accounting method for each access type and service type.
• Determine whether to configure the default accounting method for all access types or service types.
Enabling the session-control feature

A RADIUS server running on IMC can use session-control packets to inform disconnect or dynamic authorization change requests. This task enables the device to receive RADIUS session-control packets on UDP port 1812.

To enable the session-control feature:
Step | Command | Remarks...
Step | Command | Remarks
Enter system view. | system-view |
Create a NAS-ID profile and enter NAS-ID profile view. | aaa nas-id profile profile-name |
Configure a NAS-ID and VLAN binding for the profile. | nas-id nas-identifier bind vlan vlan-id | By default, no NAS-ID and VLAN binding exists.

Displaying and maintaining AAA

Execute display commands in any view.
# Create an HWTACACS scheme.
<Switch> system-view
[Switch] hwtacacs scheme hwtac
# Specify the primary authentication server.
[Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49
# Specify the primary authorization server.
[Switch-hwtacacs-hwtac] primary authorization 10.1.1.1 49
# Specify the primary accounting server.
[Switch-hwtacacs-hwtac] primary accounting 10.1.1.1 49
# Set the shared keys for secure HWTACACS communication to expert in plain text.
• Use the HWTACACS server and RADIUS server for SSH user authorization and accounting, respectively.
• Exclude domain names from the usernames sent to the servers.
• Assign the default user role network-operator to SSH users after they pass authentication.

Configure an account with the username hello for the SSH user.
[Switch] local-user hello class manage
# Assign the SSH service for the local user.
[Switch-luser-manage-hello] service-type ssh
# Set a password for the local user to 123456TESTplat&! in plain text. In FIPS mode, you must set the password in interactive mode.
[Switch-luser-manage-hello] password simple 123456TESTplat&!
[Switch-luser-manage-hello] quit
# Create ISP domain bbb and configure the login users to use local authentication,...
Figure 13 Network diagram (RADIUS server 10.1.1.1/24; Switch with Vlan-int3 10.1.1.2/24 and Vlan-int2 192.168.1.70/24; SSH user reaching the switch across the Internet)

Configuration procedure

Configure the RADIUS server on IMC 5.0:

NOTE: This example assumes that the RADIUS server runs on IMC PLAT 5.0 (E0101) and IMC UAM 5.0 (E0101).
Figure 14 Adding the switch as an access device

# Add an account for device management.
Click the User tab, and select Access User View > Device Mgmt User from the navigation tree. Then, click Add to configure a device management account as follows:
a.
Figure 15 Adding an account for device management

Configure the switch:
# Configure the IP address of VLAN-interface 2, through which the SSH user accesses the switch.
<Switch> system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[Switch-Vlan-interface2] quit
# Configure the IP address of VLAN-interface 3, through which the switch communicates with the server.
# Create a RADIUS scheme.
[Switch] radius scheme rad
# Specify the primary authentication server.
[Switch-radius-rad] primary authentication 10.1.1.1 1812
# Set the shared key for secure communication with the server to expert in plain text.
[Switch-radius-rad] key authentication simple expert
# Include domain names in the usernames sent to the RADIUS server.
NOTE: This example assumes that the LDAP server runs Microsoft Windows 2003 Server Active Directory.

# Add a user named aaa and set the password to ldap!123456.
a. On the LDAP server, select Start > Control Panel > Administrative Tools.
b.
Figure 18 Setting the user password

g. Click OK.
# Add user aaa to group Users.
h. From the navigation tree, click Users under the ldap.com node.
i. In the right pane, right-click the user aaa and select Properties.
j. In the dialog box, click the Member Of tab and click Add.
Figure 19 Modifying user properties

d. In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK. User aaa is added to group Users.

Figure 20 Adding user aaa to group Users

# Set the administrator password to admin!123456.
# Configure the IP address of VLAN-interface 2, through which the SSH user accesses the switch.
<Switch> system-view
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 24
[Switch-Vlan-interface2] quit
# Configure the IP address of VLAN-interface 3, through which the switch communicates with the server.
Verifying the configuration

# Initiate an SSH connection to the switch, and enter the username aaa@bbb and password ldap!123456. The user logs in to the switch. (Details not shown.)
# Verify that the user can use the commands permitted by the network-operator user role. (Details not shown.)

Troubleshooting RADIUS

RADIUS authentication failure...
Solution

To resolve the problem:
1. Verify the following items:
   • The link between the NAS and the RADIUS server works well at both the physical and data link layers.
   • The IP address of the RADIUS server is correctly configured on the NAS.
   ...
• The user is not configured on the LDAP server.
• The password entered by the user is incorrect.
• The administrator DN or password is not configured.
• Some user attributes (for example, the username attribute) configured on the NAS are not consistent with those configured on the server.
The port controls traffic by using one of the following methods:
− Performs bidirectional traffic control to deny traffic to and from the client.
− Performs unidirectional traffic control to deny traffic from the client. The HPE devices support only unidirectional traffic control.
Figure 22 Authorization state of a controlled port (authenticator system 1 and authenticator system 2, each with a controlled port and an uncontrolled port; one shown with the port authorized, the other with the port unauthorized)

802.1X-related protocols

802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the access device, and the authentication server.
• Data—Content of the EAP packet. This field appears only in a Request or Response EAP packet. The Data field contains the request type (or the response type) and the type data. Type 1 (Identity) and type 4 (MD5-Challenge) are two examples of the type field.

EAPOL packet format

Figure 24 shows the EAPOL packet format.
01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client and the authentication server does not support the multicast address, you must use an 802.1X client that can send broadcast EAPOL-Start packets. For example, you can use the HPE iNode 802.1X client.
• Supports only the following EAP authentication methods:
− MD5-Challenge EAP authentication.
− The username and password EAP authentication initiated by an HPE iNode 802.1X client.
EAP termination works with any RADIUS server that supports CHAP authentication.
challenge (EAP-Request/MD5 challenge) to encrypt the password in the entry. Then, the server sends the challenge in a RADIUS Access-Challenge packet to the access device. The access device transmits the EAP-Request/MD5 Challenge packet to the client. The client uses the received challenge to encrypt the password, and sends the encrypted password in an EAP-Response/MD5 Challenge packet to the access device.
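The EAP packet layout (Code, Identifier, Length, Type, Type-Data) and the MD5-Challenge exchange described above, as an added example that is not HPE code: a small parser for EAP packets plus the server-side check of an EAP-Response/MD5 Challenge. What the guide calls "encrypting the password with the challenge" is the RFC 3748 type 4 computation, MD5 over Identifier, password and challenge (the CHAP algorithm of RFC 1994); the challenge and password values below are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# EAP codes and types from RFC 3748 (the guide's "Identity" is type 1, "MD5-Challenge" is type 4).
EAP_CODE_REQUEST = 1
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_MD5_CHALLENGE = 4


def parse_eap(packet: bytes) -> dict:
    """Parse an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data].

    The Type field exists only in Request and Response packets, which is why
    the guide says the Data field appears only in those two packet kinds.
    """
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP Length field does not match the packet")
    result = {"code": code, "id": ident, "length": length}
    if code in (EAP_CODE_REQUEST, EAP_CODE_RESPONSE):
        body = packet[4:length]
        if not body:
            raise ValueError("Request/Response packet is missing the Type field")
        result["type"] = body[0]
        result["type_data"] = body[1:]
    return result


def md5_challenge_value(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Value carried in an MD5-Challenge response: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_eap(code: int, ident: int, eap_type: int, type_data: bytes) -> bytes:
    """Serialize a Request/Response EAP packet with a correct Length field."""
    length = 4 + 1 + len(type_data)
    return struct.pack("!BBH", code, ident, length) + bytes([eap_type]) + type_data


def build_md5_request(ident: int, challenge: bytes) -> bytes:
    """EAP-Request/MD5 Challenge as the access device relays it to the client.
    Type-Data is Value-Size(1) followed by the challenge bytes."""
    return build_eap(EAP_CODE_REQUEST, ident, EAP_TYPE_MD5_CHALLENGE,
                     bytes([len(challenge)]) + challenge)


def build_md5_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-Response/MD5 Challenge as the client builds it from the received challenge."""
    value = md5_challenge_value(ident, password, challenge)
    return build_eap(EAP_CODE_RESPONSE, ident, EAP_TYPE_MD5_CHALLENGE,
                     bytes([len(value)]) + value)


def verify_md5_response(request: bytes, response: bytes, password: bytes) -> bool:
    """Server-side check: recompute the expected value from the stored password and
    the challenge the server itself sent, then compare in constant time."""
    try:
        req = parse_eap(request)
        resp = parse_eap(response)
    except ValueError:
        return False
    if req["code"] != EAP_CODE_REQUEST or req.get("type") != EAP_TYPE_MD5_CHALLENGE:
        return False
    if resp["code"] != EAP_CODE_RESPONSE or resp.get("type") != EAP_TYPE_MD5_CHALLENGE:
        return False
    if resp["id"] != req["id"]:  # the response must answer this particular request
        return False
    req_data, resp_data = req["type_data"], resp["type_data"]
    if not req_data or not resp_data:
        return False
    challenge = req_data[1:1 + req_data[0]]
    value = resp_data[1:1 + resp_data[0]]
    if len(challenge) != req_data[0] or len(value) != 16:
        return False
    expected = md5_challenge_value(resp["id"], password, challenge)
    return hmac.compare_digest(expected, value)


if __name__ == "__main__":
    # Constructed values; a real authentication server draws the challenge at random.
    challenge = bytes(range(16))
    request = build_md5_request(7, challenge)
    response = build_md5_response(7, b"user-password", challenge)
    print(parse_eap(request))
    print("valid password:", verify_md5_response(request, response, b"user-password"))
    print("wrong password:", verify_md5_response(request, response, b"other"))
```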
Configuring 802.1X This chapter describes how to configure 802.1X on an HPE device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network that requires different authentication methods for different users on a port.
The suffix can be t or u, which indicates whether the ports assigned to the VLAN are tagged members. For example, 2u indicates that the ports assigned to VLAN 2 are untagged members.
NOTE: The access device converts VLAN names and VLAN group names into VLAN IDs before VLAN assignment.
Table 6 VLAN manipulation
Port access control: Port-based
  VLAN manipulation method: The device assigns the port to the first authenticated user's authorization VLAN. All subsequent 802.1X users can access the VLAN without authentication. If the port is assigned to the authorization VLAN as an untagged member, the authorization VLAN becomes the PVID.
Authentication status: A user has not passed 802.1X authentication.
  VLAN manipulation: The device assigns the 802.1X guest VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the guest VLAN.
If no 802.1X guest VLAN is configured, the access device does not perform any VLAN operation.
The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control method.
• On a port that performs port-based access control:
Authentication status: A user fails 802.1X authentication.
  VLAN manipulation: The device assigns the Auth-Fail VLAN to the port as the PVID. All 802.1X...
The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control method.
• On a port that performs port-based access control:
Authentication status: A user that has not been assigned to any VLAN fails 802.1X authentication because all the RADIUS servers are unreachable.
  VLAN manipulation: The device assigns the critical VLAN to the port as the PVID. The 802.1X user and all subsequent 802.1X users on this port...
...PVID. The device remaps the MAC address of the user to the authorization VLAN.
Authentication status: A user in the 802.1X critical VLAN passes 802.1X authentication.
  VLAN manipulation: If the authentication server (either the local access device or a RADIUS server) does not authorize a VLAN to the user, the device remaps the MAC address of the user to the initial PVID on the port.
EAD assistant Endpoint Admission Defense (EAD) is an HPE integrated endpoint access control solution to improve the threat defensive capability of a network. The solution enables the security client, security policy server, access device, and third-party server to operate together. If a terminal device seeks to access an EAD network, it must have an EAD client, which performs 802.1X authentication.
EAD rules are implemented by using ACL resources. When the EAD rule timer expires or the user passes authentication, the rule is removed. If users fail to download the EAD client or fail to pass authentication before the timer expires, they must reconnect to the network to access the free IP.
Configuration prerequisites
Before you configure 802.1X, complete the following tasks: •...
• If the PVID is a voice VLAN, the 802.1X feature cannot take effect on the port. For more information about voice VLANs, see Layer 2—LAN Switching Configuration Guide. • Do not enable 802.1X on a port that is in a link aggregation or service loopback group. To enable 802.1X: Step Command...
Setting the port authorization state The port authorization state determines whether the client is granted access to the network or not. You can control the authorization state of a port by using the dot1x port-control command and the following keywords: •...
Setting the maximum number of authentication request attempts The access device retransmits an authentication request if it does not receive any responses to the request from the client within a period of time. To set the time, use the dot1x timer tx-period tx-period-value command or the dot1x timer supp-timeout supp-timeout-value command.
• Client timeout timer—Starts when the access device sends an EAP-Request/MD5 Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client. • Server timeout timer—Starts when the access device sends a RADIUS Access-Request packet to the authentication server.
Configuration procedure
To configure the online user handshake feature:
Step: Enter system view.
  Command: system-view
Step: (Optional.) Set the handshake timer.
  Command: dot1x timer handshake-period handshake-period-value
  Remarks: The default is 15 seconds.
Step: Enter Layer 2 Ethernet interface view.
  Command: interface interface-type interface-number
Step: Enable the online handshake feature.
  Command: dot1x handshake
  Remarks: By default, the feature is enabled.
Step: Enter Layer 2 Ethernet interface view.
  Command: interface interface-type interface-number
Step: Enable authentication trigger.
  Command: dot1x { multicast-trigger | unicast-trigger }
  Remarks: By default, the multicast trigger is enabled, and the unicast trigger is disabled.
Specifying a mandatory authentication domain on a port
You can place all 802.1X users in a mandatory authentication domain for authentication, authorization, and accounting on a port.
Enabling the periodic online user reauthentication feature Periodic online user reauthentication tracks the connection status of online users, and updates the authorization attributes assigned by the server. The attributes include the ACL, VLAN, and user profile-based QoS. The reauthentication interval is user configurable. The server-assigned RADIUS Session-Timeout (attribute 27) and Termination-Action (attribute 29) attributes can affect the periodic online user reauthentication feature.
• Assign different IDs to the voice VLAN, the port VLAN, and the 802.1X guest VLAN on a port. The assignment makes sure the port can correctly process incoming VLAN-tagged traffic.
• When you configure multiple security features on a port, follow the guidelines in Table 7.
Table 7 Relationships of the 802.1X guest VLAN and other security features
Feature...
This feature does not take effect if the 802.1X authentication is triggered by EAPOL-Start packets from 802.1X clients. To use this feature, the 802.1X-enabled port must be configured with the unicast trigger feature and perform MAC-based access control. When 802.1X authentication is triggered on a port, the device performs the following operations:
Sends a unicast EAP-Request/Identity packet to the MAC address that triggers the authentication.
Configuration prerequisites Before you configure an 802.1X Auth-Fail VLAN, complete the following tasks: • Create the VLAN to be specified as the 802.1X Auth-Fail VLAN. • If the 802.1X-enabled port performs MAC-based access control, perform the following operations for the port: Configure the port as a hybrid port.
Configuring the 802.1X critical VLAN on a port
Step: Enter system view.
  Command: system-view
Step: Enter Ethernet interface view.
  Command: interface interface-type interface-number
Step: Configure the 802.1X critical VLAN on the port.
  Command: dot1x critical vlan vlan-id
  Remarks: By default, no 802.1X critical VLAN is configured.
Sending EAP-Success packets to users in the 802.1X critical VLAN
IMPORTANT:...
Configuration prerequisites Before you enable the 802.1X critical voice VLAN on a port, complete the following tasks: • Enable LLDP both globally and on the port. The device uses LLDP to identify voice users. For information about LLDP, see Layer 2—LAN Switching Configuration Guide.
Configuring the EAD assistant feature When you configure the EAD assistant feature, follow these restrictions and guidelines: • You must disable MAC authentication and port security globally before you enable the EAD assistant feature. • To make the EAD assistant feature take effect on an 802.1X-enabled port, you must set the port authorization mode to auto.
Configuration procedure
Configure the 802.1X client. If HPE iNode is used, do not select the Carry version info option in the client configuration. (Details not shown.)
Configure the RADIUS servers and add user accounts for the 802.1X users. (Details not shown.)
Configure a RADIUS scheme:
# Create the RADIUS scheme radius1 and enter RADIUS scheme view.
[Device] radius scheme radius1
# Specify the IP addresses of the primary authentication and accounting RADIUS servers.
[Device-radius-radius1] primary authentication 10.1.1.1
[Device-radius-radius1] primary accounting 10.1.1.1
# Configure the IP addresses of the secondary authentication and accounting RADIUS servers.
802.1X guest VLAN and authorization VLAN configuration example Network requirements As shown in Figure 32, use RADIUS servers to perform authentication, authorization, and accounting for 802.1X users who connect to GigabitEthernet 1/0/2. Implement port-based access control on the port. If no user performs 802.1X authentication on GigabitEthernet 1/0/2 within a period of time, the device adds GigabitEthernet 1/0/2 to the guest VLAN, VLAN 10.
[Device-vlan10] port gigabitethernet 1/0/1
[Device-vlan10] quit
[Device] vlan 2
[Device-vlan2] port gigabitethernet 1/0/4
[Device-vlan2] quit
[Device] vlan 5
[Device-vlan5] port gigabitethernet 1/0/3
[Device-vlan5] quit
Configure a RADIUS scheme on the access device:
# Create RADIUS scheme 2000 and enter RADIUS scheme view.
[Device] radius scheme 2000
# Specify the server at 10.11.1.1 as the primary authentication server, and set the authentication port to 1812.
Verifying the configuration
# Verify the 802.1X guest VLAN configuration on GigabitEthernet 1/0/2.
[Device] display dot1x interface gigabitethernet 1/0/2
# Verify that GigabitEthernet 1/0/2 is assigned to VLAN 10 when no user passes authentication on the port.
[Device] display vlan 10
# After a user passes authentication, display information on GigabitEthernet 1/0/2.
# Specify the server at 10.1.1.2 as the primary accounting server, and set the accounting port to 1813.
[Device-radius-2000] primary accounting 10.1.1.2 1813
# Set the shared key to abc in plain text for secure communication between the authentication server and the device.
[Device-radius-2000] key authentication simple abc
# Set the shared key to abc in plain text for secure communication between the accounting server and the device.
Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
The output shows that ACL 3000 is active on the user, and the user cannot access the FTP server.
802.1X with EAD assistant configuration example
Network requirements
As shown in Figure...
[Device-Vlan-interface2] dhcp select relay
# Specify the DHCP server 192.168.2.2 on the relay agent interface VLAN-interface 2.
[Device-Vlan-interface2] dhcp relay server-address 192.168.2.2
[Device-Vlan-interface2] quit
Configure a RADIUS scheme:
# Create RADIUS scheme 2000 and enter RADIUS scheme view.
[Device] radius scheme 2000
# Specify the server at 10.1.1.1 as the primary authentication server, and set the authentication port to 1812.
# Verify that you can ping an IP address on the free IP subnet from a host.
C:\>ping 192.168.2.3
Pinging 192.168.2.3 with 32 bytes of data:
Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.2.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),...
Configuring MAC authentication Overview MAC authentication controls network access by authenticating source MAC addresses on a port. The feature does not require client software, and users do not have to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication-enabled port.
VLAN assignment Authorization VLAN The device uses the authorization VLAN to control the access of a MAC authentication user to authorized network resources. The device supports the following VLAN authorization methods: • Remote VLAN authorization—The authorization VLAN information of a MAC authentication user is assigned by a remote server.
A hybrid port is always assigned to a MAC authentication guest VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN. Table 10 shows the way that the network access device handles guest VLANs for MAC authentication users.
The ACL will filter traffic for this user. You must configure ACL rules for the authorization ACL on the access device for the ACL assignment feature. To ensure a successful ACL assignment, make sure the ACL does not contain rules that match source MAC addresses.
Make sure the port security feature is disabled. For more information about port security, see "Configuring port security." Configuration task list Tasks at a glance (Required.) Enabling MAC authentication (Optional.) Specifying a MAC authentication domain (Optional.) Configuring the user account format (Optional.) Configuring MAC authentication timers (Optional.)
Specifying a MAC authentication domain By default, MAC authentication users are in the system default authentication domain. To implement different access policies for users, you can use one of the following methods to specify authentication domains for MAC authentication users: •...
logs the user out and stops accounting for the user. In Release 1121 and later, this timer takes effect when the MAC authentication offline detection feature is enabled. After you set the offline detect timer, assign the same value to the MAC address aging timer by using the mac-address timer command.
This feature improves transmission of data that is vulnerable to delay and interference. It is typically applicable to IP phone users.
To enable MAC authentication multi-VLAN mode on a port:
Step: Enter system view.
  Command: system-view
Step: Enter Layer 2 Ethernet interface view.
  Command: interface interface-type interface-number
After MAC authentication succeeds, the port is assigned to the MAC authentication authorization VLAN. • If 802.1X authentication fails, the MAC authentication result takes effect. • If 802.1X authentication succeeds, the device handles the port and the MAC address based on the 802.1X authentication result.
When you configure the MAC authentication guest VLAN on a port, follow the guidelines in Table 12.
Table 12 Relationships of the MAC authentication guest VLAN with other security features
Feature: Quiet feature of MAC authentication
  Relationship description: The MAC authentication guest VLAN feature has higher priority. When a user fails MAC authentication, the...
  Reference: "Configuring...
Table 13 Relationships of the MAC authentication critical VLAN with other security features
Feature: Quiet feature of MAC authentication
  Relationship description: The MAC authentication critical VLAN feature has higher priority. When a user fails MAC authentication because no RADIUS authentication server is reachable, the...
  Reference: "Configuring MAC authentication timers."...
For information about voice VLANs, see Layer 2—LAN Switching Configuration Guide.
Configuration procedure
To enable the MAC authentication critical voice VLAN feature on a port:
Step: Enter system view.
  Command: system-view
Step: Enter Layer 2 Ethernet interface view.
  Command: interface interface-type interface-number
Step: Enable...
  Remarks: By default,...
Step: Enter system view.
  Command: system-view
Step: Enter Layer 2 Ethernet interface view.
  Command: interface interface-type interface-number
Step: Enable MAC authentication offline detection.
  Command: mac-authentication offline-detect enable
  Remarks: By default, MAC authentication offline detection is enabled.
Displaying and maintaining MAC authentication
IMPORTANT: The reset mac-authentication critical-voice-vlan interface interface-type interface-number [ mac-address mac-address ] command is available in Release 1121 and later.
• Use the MAC address of each user as the username and password for authentication. A MAC address is in the hexadecimal notation with hyphens, and letters are in lower case.
Figure 35 Network diagram (Host A, MAC 00-e0-fc-12-34-56, and Host B... connect to GE1/0/1 on Device, which connects to the IP network)
Offline detect period : 180 s
Quiet period          : 180 s
Server timeout        : 100 s
Authentication domain : bbb
Max MAC-auth users    : 2048 per slot
Online MAC-auth users
Silent MAC users:
MAC address     VLAN ID   From port   Port index
00e0-fc11-1111 GigabitEthernet1/0/1 GigabitEthernet1/0/1...
Figure 36 Network diagram (RADIUS servers: Auth 10.1.1.1, Acct 10.1.1.2; Host connected to GE1/0/1 on Device; Device connected to the IP network)
Configuration procedure
Make sure the RADIUS server and the access device can reach each other. (Details not shown.)
Configure the RADIUS servers:
# Create a shared account for MAC authentication users. (Details not shown.)
# Set the username aaa and password 123456 for the account.
[Device] mac-authentication
Verifying the configuration
# Verify the MAC authentication configuration.
[Device] display mac-authentication
Global MAC authentication parameters:
MAC authentication    : Enabled
Username format       : Fixed account
Username              : aaa
Password              : ******
Offline detect period : 180 s
Quiet period          : 180 s
Server timeout        : 100 s...
Figure 37 Network diagram (RADIUS servers: Auth 10.1.1.1, Acct 10.1.1.2; Host IP 192.168.1.10/24, MAC 00-e0-fc-12-34-56, connected to GE1/0/1 on Device; Device connected to the Internet; FTP server 10.0.0.1/24)
Configuration procedure
Make sure the RADIUS servers and the access device can reach each other.
Configure ACL 3000 to deny packets destined for 10.0.0.1.
<Sysname>...
Configure the RADIUS servers:
# Add a user account with 00-e0-fc-12-34-56 as both the username and password on each RADIUS server. (Details not shown.)
# Authorize ACL 3000 to the user account. (Details not shown.)
Verifying the configuration
# Verify the MAC authentication configuration.
[Sysname] display mac-authentication
Global MAC authentication parameters:
MAC authentication...
Request timed out.
Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
The output shows that ACL 3000 has been assigned to port GigabitEthernet 1/0/1 to deny access to the FTP server.
Users can access more Internet resources after passing the security check. The security check must cooperate with the HPE IMC security policy server and the iNode client.
Portal system components
A typical portal system consists of these basic components: authentication client, access device,...
Figure 38 Portal system components (figure: authentication clients connect through the access device to the portal authentication server, the portal Web server, the AAA server, and the security policy server)
An authentication client is a Web browser that runs HTTP/HTTPS or a user host that runs a portal client application.
Web browser. When receiving the HTTP request, the access device redirects it to the Web authentication page provided by the portal Web server. The user can also visit the authentication website to log in. The user must log in through the HPE iNode client for extended portal functions.
HPE iNode client. NOTE: Portal authentication supports NAT traversal whether it is initiated by a Web client or an HPE iNode client. NAT traversal must be configured when the portal client is on a private network and the portal server is on a public network.
Portal authentication process
Direct authentication and cross-subnet authentication share the same authentication process. Re-DHCP authentication has a different process as it has two address allocation procedures.
Direct authentication/cross-subnet authentication process (with CHAP/PAP authentication)
Figure 40 Direct authentication/cross-subnet authentication process...
10. The security policy server authorizes the user to access certain network resources based on the check result. The access device saves the authorization information and uses it to control access of the user.
Re-DHCP authentication process (with CHAP/PAP authentication)
Figure 41 Re-DHCP authentication process...
Portal configuration task list Tasks at a glance (Required.) Configuring a portal authentication server (Required.) Configuring a portal Web server (Required.) Enabling portal authentication on an interface (Required.) Referencing a portal Web server for an interface (Optional.) Controlling portal user access •...
Configuring a portal authentication server Perform this task to configure the following portal authentication server parameters: • IP address of the portal authentication server • VPN instance of the portal authentication server • Shared encryption key used between the device and the portal authentication server •...
Step: Specify the VPN instance to which the portal Web server belongs.
  Command: vpn-instance vpn-instance-name
  Remarks: By default, the portal Web server belongs to the public network.
Step: Specify the URL of the portal Web server.
  Command: url url-string
  Remarks: By default, no URL is specified.
Step: Enable IPv4 portal authentication, IPv6 portal authentication, or both on the interface.
  Command:
  • To enable IPv4 portal authentication: portal enable method { direct | layer3 | redhcp }
  • To enable IPv6 portal authentication: portal ipv6 enable method { direct | layer3 }
Referencing a portal Web server for an interface
After you reference a portal Web server for an interface, the device redirects the HTTP requests of the portal users on the interface to the portal Web server.
In re-DHCP mode, the access device regards the authentication source subnet on an interface as the subnet to which the private IP address of the interface belongs. • If both authentication source subnets and destination subnets are configured on an interface, only the authentication destination subnets take effect.
Step: ...authentication domain.
  Remarks: ...specified for IPv4 portal users on the interface.
To specify an IPv6 portal authentication domain:
Step: Enter system view.
  Command: system-view
Step: Enter interface view.
  Command: interface interface-type interface-number
Step: Specify an IPv6 portal authentication domain.
  Command: portal ipv6 domain domain-name
  Remarks: By default, no ISP domain is specified for IPv6 portal users on...
Step: Configure portal authentication server detection.
  Command: server-detect [ timeout timeout ] log
  Remarks: By default, portal authentication server detection is disabled. This feature takes effect regardless of whether portal authentication is enabled on an interface.
Configuring portal Web server detection
A portal authentication process cannot complete if the communication between the access device and the portal Web server is broken.
The portal authentication server sends the online user information to the access device in a synchronization packet at the user heartbeat interval, which is set on the portal authentication server. Upon receiving the synchronization packet, the access device compares the users carried in the packet with its own user list.
Step: Enable portal fail-permit for a portal Web server.
  Command: portal [ ipv6 ] apply web-server server-name fail-permit
  Remarks: By default, portal fail-permit is disabled for a portal Web server.
Configuring BAS-IP for portal packets sent to the portal authentication server
If the device runs Portal 2.0, the unsolicited packets sent to the portal authentication server must carry the BAS-IP attribute.
Applying a NAS-ID profile to an interface By default, the device sends its device name in the NAS-Identifier attribute of any RADIUS requests. A NAS-ID profile enables you to send different NAS-Identifier attribute strings in RADIUS requests from different VLANs. The strings can be organization names, service names, or any user categorization criteria, depending on the administrative requirements.
...device.
Logging out portal users
Logging out a user terminates the authentication process for the user or removes the user from the authenticated users list.
To log out users:
Step: Enter system view.
  Command: system-view
Step: Log out IPv4 portal users.
  Command: portal delete-user { ipv4-address | all | interface interface-type...
File name rules
The names of the main authentication page files are fixed (see Table 14). You can define the names of the files other than the main authentication page files. File names and directory names are case insensitive.
Table 14 Main authentication page file names
Main authentication page: Logon page
  File name: ...
<p><input type=SUBMIT value="Logoff" name="PtButton" style="width:60px;">
</form>
Page file compression and saving rules
You must compress the authentication pages and their page elements into a standard zip file.
• The name of a zip file can contain only letters, numbers, and underscores.
•...
Step: Create a local portal Web server and enter its view.
  Command: portal local-web-server { http | https ssl-server-policy policy-name [ tcp-port port-number ] }
  Remarks: By default, no local portal Web servers exist.
Step: Specify the default authentication page file for the local portal Web server.
  Command: default-logon-page filename
  Remarks: By default, no default authentication page file is specified for the local portal Web...
Figure 42 Network diagram (Portal server 192.168.0.111/24; RADIUS server 192.168.0.112/24; Switch with Vlan-int100 2.2.2.1/24 and Vlan-int2 192.168.0.100/24; Host 2.2.2.2/24 with gateway 2.2.2.1/24)
Configuration prerequisites
• Configure IP addresses for the host, switch, and servers as shown in Figure 42 and make sure they can reach each other.
•...
e. Select a service group. This example uses the default group Ungrouped.
f. Select Normal from the Action list.
g. Click OK.
Figure 44 Adding an IP address group
Add a portal device:
a. Select Access Service > Portal Service Management > Device from the navigation tree to enter the portal device configuration page.
a. As shown in Figure 46, click the icon in the Port Group Information Management column of device NAS to enter the port group configuration page.
Figure 46 Device list
b. Click Add to enter the page shown in Figure 47.
Figure 47 Port group configuration
c.
Figure 48 Portal server configuration
Configure the IP address group:
a. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page.
b. Click Add to enter the page shown in Figure
c.
a. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page.
b. Click Add to enter the page shown in Figure
c. Enter the device name NAS.
d. Enter the IP address of the switch's interface connected to the host.
e.
Figure 52 Adding a port group
Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations.
Configuring the switch
Configure a RADIUS scheme:
# Create a RADIUS scheme named rs1 and enter its view.
<Switch>...
# Configure a portal authentication server.
[Switch] portal server newpt
New portal server added.
[Switch-portal-server-newpt] ip 192.168.0.111 key simple portal
[Switch-portal-server-newpt] port 50100
[Switch-portal-server-newpt] quit
# Configure a portal Web server.
[Switch] portal web-server newpt
[Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[Switch-portal-websvr-newpt] quit
# Enable direct portal authentication on VLAN-interface 100.
Layer3 source network:
  IP address                Prefix length
Destination authenticate subnet:
  IP address                Prefix length
A user can perform portal authentication by using the HPE iNode client or a Web browser. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal, and all Web requests will be redirected to the authentication page.
Configuration prerequisites and guidelines • Configure IP addresses for the switch and servers as shown in Figure 53 and make sure the host, switch, and servers can reach each other. • Configure the RADIUS server properly to provide authentication and accounting functions. •...
Server name                Action
Layer3 source network:
  IP address                Prefix length
Destination authenticate subnet:
  IP address                Prefix length
A user can perform portal authentication by using the HPE iNode client or a Web browser. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal, and all Web requests will be redirected to the authentication page.
Figure 54 Network diagram (Portal server 192.168.0.111/24; RADIUS server 192.168.0.112/24; Switch A with Vlan-int2 192.168.0.100/24 and Vlan-int4 20.20.20.1/24; Switch B with Vlan-int4 20.20.20.2/24 and Vlan-int2 8.8.8.1/24; Host 8.8.8.2/24)
Configuration prerequisites and guidelines
• Configure IP addresses for the switch and servers as shown in Figure 54 and make sure the host, switch, and servers can reach each other.
# Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.
[SwitchA] domain default enable dm1
Configure portal authentication:
# Configure a portal authentication server.
Server name                Action
Layer3 source network:
  IP address                Prefix length
Destination authenticate subnet:
  IP address                Prefix length
A user can perform portal authentication by using the HPE iNode client or a Web browser. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal, and all Web requests will be redirected to the authentication page.
Figure 55 Network diagram (Portal server 192.168.0.111/24; RADIUS server 192.168.0.112/24; Security policy server 192.168.0.113/24; Switch with Vlan-int100 2.2.2.1/24 and Vlan-int2 192.168.0.100/24; Host 2.2.2.2/24 with gateway 2.2.2.1/24)
Configuration prerequisites
• Configure IP addresses for the host, switch, and servers as shown in Figure 55 and make sure they can reach each other.
[Switch] domain default enable dm1
Configure ACL 3000 as the isolation ACL and ACL 3001 as the security ACL:
[Switch] acl number 3000
[Switch-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[Switch-acl-adv-3000] rule deny ip
[Switch-acl-adv-3000] quit
[Switch] acl number 3001
[Switch-acl-adv-3001] rule permit ip
[Switch-acl-adv-3001] quit
NOTE:...
Destination authenticate subnet:
  IP address                Prefix length
Before a user performs portal authentication by using the HPE iNode client, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests the user initiates will be redirected to the authentication page.
Figure 56 Network diagram (Portal server 192.168.0.111/24; DHCP server 192.168.0.112/24; RADIUS server 192.168.0.113/24; Security policy server 192.168.0.114/24; Switch with Vlan-int100 20.20.20.1/24 and 10.0.0.1/24 sub, and Vlan-int2 192.168.0.100/24; Host automatically obtains an IP address)
Configuration prerequisites and guidelines
• Configure IP addresses for the switch and servers as shown in Figure 56 and make sure the host, switch, and servers can reach each other.
[Switch-radius-rs1] security-policy-server 192.168.0.114
[Switch-radius-rs1] quit
# Enable RADIUS session control.
[Switch] radius session-control enable
Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Switch] domain dm1
# Configure AAA methods for the ISP domain.
[Switch-isp-dm1] authentication portal radius-scheme rs1
[Switch-isp-dm1] authorization portal radius-scheme rs1
[Switch-isp-dm1] accounting portal radius-scheme rs1...
[Switch] portal web-server newpt
[Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[Switch-portal-websvr-newpt] quit
# Enable re-DHCP portal authentication on VLAN-interface 100.
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] portal enable method redhcp
# Reference the portal Web server newpt on VLAN-interface 100.
[Switch-Vlan-interface100] portal apply web-server newpt
# Configure the BAS-IP as 20.20.20.1 for portal packets sent from VLAN-interface 100 to the portal authentication server.
Before a user performs portal authentication by using the HPE iNode client, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests the user initiates will be redirected to the authentication page.
• If the user passes the authentication but fails the security check, the user can access only the resources that match ACL 3000.
• Make sure the IP address of the portal device added on the portal server is the IP address (20.20.20.1) of the switch's interface connecting the host. The IP address group associated with the portal device is the subnet of the host (8.8.8.0/24).
Configuration procedure
Perform the following tasks on Switch A.
[SwitchA] portal server newpt
[SwitchA-portal-server-newpt] ip 192.168.0.111 key simple portal
[SwitchA-portal-server-newpt] port 50100
[SwitchA-portal-server-newpt] quit
# Configure a portal Web server.
[SwitchA] portal web-server newpt
[SwitchA-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[SwitchA-portal-websvr-newpt] quit
# Enable cross-subnet portal authentication on VLAN-interface 4.
[SwitchA] interface vlan-interface 4
[SwitchA-Vlan-interface4] portal enable method layer3
# Reference the portal Web server newpt on VLAN-interface 4.
Destination authenticate subnet: IP address / Prefix length
Before a user performs portal authentication by using the HPE iNode client, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests the user initiates will be redirected to the authentication page.
Figure 58 Network diagram (portal server 192.168.0.111/24, RADIUS server 192.168.0.112/24, switch interfaces Vlan-int100 and Vlan-int2 with 2.2.2.1/24 and 192.168.0.100/24, host 2.2.2.2/24 with gateway 2.2.2.1/24)
Configuration prerequisites and guidelines
• Configure IP addresses for the switch and servers as shown in Figure 58 and make sure the host, switch, and servers can reach each other.
Figure 59 Portal authentication server configuration
Configure the IP address group:
a. Select Access Service > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page.
b. Click Add to enter the page shown in Figure
c.
g. Set whether to support the portal server heartbeat and user heartbeat functions. In this example, select Yes for both Support Server Heartbeat and Support User Heartbeat.
h. Click OK.
Figure 61 Adding a portal device
Associate the portal device with the IP address group:
a.
The IP address used by the user to access the network must be within this IP address group.
e. Use default values for other parameters.
f. Click OK.
Select Access Service > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations.
g. Click OK.
Figure 65 Adding an IP address group
Add a portal device:
a. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page.
b. Click Add to enter the page shown in Figure
c.
a. As shown in Figure 67, click the icon in the Port Group Information Management column of device NAS to enter the port group configuration page.
b. Click Add to enter the page shown in Figure
c. Enter the port group name.
d.
[Switch-radius-rs1] user-name-format without-domain
[Switch-radius-rs1] quit
# Enable RADIUS session control.
[Switch] radius session-control enable
Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Switch] domain dm1
# Configure AAA methods for the ISP domain.
[Switch-isp-dm1] authentication portal radius-scheme rs1
[Switch-isp-dm1] authorization portal radius-scheme rs1
[Switch-isp-dm1] accounting portal radius-scheme rs1...
[Switch-Vlan-interface100] portal bas-ip 2.2.2.1
[Switch-Vlan-interface100] quit
Verifying the configuration
# Use the following command to display information about the portal authentication server.
[Switch] display portal server newpt
Portal server: newpt
  : 192.168.0.111
  VPN instance : Not configured
  Port : 50100
  Server Detection : Timeout 40s Action: log...
<SwitchA> system-view
[SwitchA] radius scheme rs1
# For the RADIUS scheme, specify the VPN instance that is bound to the interface connected to the portal/RADIUS server. This example uses VPN instance vpn3.
[SwitchA-radius-rs1] vpn-instance vpn3
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
# Configure the BAS-IP as 3.3.0.3 for portal packets sent from VLAN-interface 3 to the portal authentication server.
[SwitchA-Vlan-interface3] portal bas-ip 3.3.0.3
[SwitchA-Vlan-interface3] quit
Verifying the configuration
# Verify the portal configuration by executing the display portal interface command. (Details not shown.)
# After the user passes authentication, execute the display portal user command to display the portal user information.
<Switch> system-view
[Switch] radius scheme rs1
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Switch-radius-rs1] primary authentication 192.168.0.112
[Switch-radius-rs1] primary accounting 192.168.0.112
[Switch-radius-rs1] key authentication simple radius
[Switch-radius-rs1] key accounting simple radius
# Configure the switch to remove the ISP domain name from the usernames sent to the RADIUS server.
Verifying the configuration
# Verify that the portal configuration has taken effect.
[Switch] display portal interface vlan-interface 100
Portal information of Vlan-interface 100
  VSRP instance: --
  VSRP state: N/A
  Authorization   Strict checking
                  Disabled
  User profile    Disabled
  IPv4:
  Portal status: Enabled
  Authentication type: Direct
  Portal Web server: newpt
  Authentication domain: Not configured...
Total portal users: 1
Username: abc
  Portal server: newpt
  State: Online
  VPN instance: --
  VLAN Interface
  0015-e9a6-7cfe 2.2.2.2 vlan-interface 100
  Authorization information:
    IP pool: N/A
    User profile: N/A
    Session group profile: N/A
    ACL: N/A
    CAR: N/A
Troubleshooting portal
No portal authentication page is pushed for users
Symptom
When a user is redirected to the IMC portal authentication server, no portal authentication page or error message is prompted for the user.
Cannot log out portal users on the RADIUS server
Symptom
The access device uses the HPE IMC server as the RADIUS server to perform identity authentication for portal users. You cannot log out the portal users on the RADIUS server.
Re-DHCP portal authenticated users cannot log in successfully
Symptom
The device performs re-DHCP portal authentication for users. A user enters the correct username and password, and the client successfully obtains the private and public IP addresses. However, the authentication result for the user is failure.
Analysis
When the access device detects that the client IP address has changed, it sends an unsolicited portal packet to notify the portal authentication server of the IP change.
Configuring port security
Overview
Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control. This feature applies to networks, such as a WLAN, that require different authentication methods for different users on a port. Port security provides the following functions:
•...
Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC address or performs authentication, depending on the security mode. If the frame is illegal, the port takes the predefined NTK or intrusion protection action.
A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC addresses. Instead, these MAC addresses are added to the secure MAC address table as secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.
In this mode, the port performs 802.1X authentication first. If 802.1X authentication fails, MAC authentication is performed.
• macAddressOrUserLoginSecureExt. This mode is similar to the macAddressOrUserLoginSecure mode, except that this mode supports multiple 802.1X and MAC authentication users.
• macAddressElseUserLoginSecure. This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority as the Else keyword implies.
Step Command Remarks
... disabled. You can use the undo port-security enable command to disable port security. Because the command logs off the online users, make sure no online users are present.
Enabling or disabling port security resets the following security settings to the default:
•...
• If you are configuring the autoLearn mode, set port security's limit on the number of secure MAC addresses. You cannot change the setting when the port is operating in autoLearn mode.
When you set the port security mode, follow these guidelines:
•...
The NTK feature drops any unicast frame with an unknown destination MAC address. Not all port security modes support triggering the NTK feature. For more information, see Table
To configure the NTK feature:
Step Command Remarks
1. Enter system view. system-view
2. Enter Layer Ethernet...
When the maximum number of secure MAC address entries is reached, the port changes to secure mode. In secure mode, the port cannot add or learn any more secure MAC addresses. The port allows only frames sourced from secure MAC addresses or MAC addresses configured by using the mac-address dynamic or mac-address static command to pass through.
As a best practice, enable MAC move for wireless users that roam between ports to access the network.
To enable MAC move:
Step Command Remarks
1. Enter system view. system-view
2. Enable MAC move. port-security mac-move permit By default, MAC move is disabled.
Applying a NAS-ID profile to port security
By default, the device sends its device name in the NAS-Identifier attribute of all RADIUS requests.
This feature does not apply to VLAN authorization failure. The device logs off these users directly.
To enable the authorization-fail-offline feature:
Step Command Remarks
1. Enter system view. system-view
2. Enable the authorization-fail-offline feature. port-security authorization-fail-offline By default, this feature is disabled, and the device does not log off users who fail ACL or user profile...
Port security configuration examples
autoLearn configuration example
Network requirements
As shown in Figure 71, configure port GigabitEthernet 1/0/1 on the device to meet the following requirements:
• Accept up to 64 users without authentication.
• Be permitted to learn and add MAC addresses as sticky MAC addresses, and set the secure MAC aging timer to 30 minutes.
NAS-ID profile is not configured
Dot1x-failure trap : Disabled
Dot1x-logon trap : Disabled
Dot1x-logoff trap : Enabled
Intrusion trap : Disabled
Address-learned trap : Enabled
Mac-auth-failure trap : Disabled
Mac-auth-logon trap : Enabled
Mac-auth-logoff trap : Disabled
OUI value list
GigabitEthernet1/0/1 is link-up
  Port mode : autoLearn...
# After the port is re-enabled, delete several secure MAC addresses.
[Device] undo port-security mac-address security sticky 0002-0000-0015 vlan 1
[Device] undo port-security mac-address security sticky 0002-0000-0014 vlan 1
# Verify that the port security mode of the port changes to autoLearn, and the port can learn MAC addresses again.
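The autoLearn behaviour described in this chapter (secure MACs learned up to the max-mac-count limit, the switch to secure mode, aging, NTK, and the return to autoLearn after sticky entries are deleted) as a small simulation. This is an added example, not device code: the aging model (age counted from learning time), the MAC notation helper and the action names are assumptions of this model.

```python
"""Model of a port in the autoLearn port security mode (added example, not device code)."""
from dataclasses import dataclass, field

BROADCAST = "ffff-ffff-ffff"


def is_group_address(mac: str) -> bool:
    """True for multicast/broadcast MACs (I/G bit set in the first octet).

    MACs use the switch's xxxx-xxxx-xxxx notation, e.g. 0002-0000-0015.
    """
    return int(mac.split("-")[0][:2], 16) & 1 == 1


@dataclass
class SecurePort:
    max_mac_count: int              # port-security max-mac-count
    aging_minutes: int = 30         # secure MAC aging timer
    ntk: bool = False               # need-to-know: drop unicast to unknown destinations
    secure_macs: dict = field(default_factory=dict)  # mac -> minute it was learned
    intrusions: int = 0             # frames that triggered intrusion protection

    @property
    def mode(self) -> str:
        """autoLearn until the secure table is full, then secure."""
        return "secure" if len(self.secure_macs) >= self.max_mac_count else "autoLearn"

    def age_out(self, now: int) -> list:
        """Remove secure MACs older than the aging timer.

        Age is counted from the learning time (an assumption of this model).
        Returns the expired MACs; removing entries reopens learning.
        """
        expired = [m for m, t in self.secure_macs.items() if now - t >= self.aging_minutes]
        for m in expired:
            del self.secure_macs[m]
        return expired

    def remove_sticky(self, mac: str) -> bool:
        """Model of 'undo port-security mac-address security sticky <mac>'."""
        return self.secure_macs.pop(mac, None) is not None

    def receive(self, src: str, dst: str, now: int) -> str:
        """Decide what happens to a frame.

        Returns "forward", "learn", "drop-intrusion" or "drop-ntk".
        """
        self.age_out(now)
        if src in self.secure_macs:
            action = "forward"                   # known secure source
        elif self.mode == "autoLearn":
            self.secure_macs[src] = now          # learned as a sticky secure MAC
            action = "learn"
        else:
            self.intrusions += 1                 # illegal frame in secure mode
            return "drop-intrusion"              # intrusion protection action applies
        if self.ntk and not is_group_address(dst) and dst not in self.secure_macs:
            return "drop-ntk"                    # unicast to an unknown destination
        return action
```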
retransmission interval(seconds)
Timeout Interval(seconds)
Retransmission Times
Retransmission Times for Accounting Update : 5
Server Quiet Period(minutes)
Realtime Accounting Interval(minutes) : 15
NAS IP Address : Not configured
: Not configured
User Name Format : without-domain
Data flow unit : Byte
Packet unit : one
Attribute-15 check-mode...
# Display information about the online 802.1X user to verify 802.1X configuration.
[Device] display dot1x
# Verify that the port also allows one user whose MAC address has an OUI among the specified OUIs to pass authentication.
[Device] display mac-address interface gigabitethernet 1/0/1
MAC Address VLAN ID State...
# Set the 802.1X authentication method to CHAP. By default, the authentication method for 802.1X is CHAP.
[Device] dot1x authentication-method chap
# Set port security's limit on the number of MAC addresses to 64 on the port.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] port-security max-mac-count 64
# Set the port security mode to macAddressElseUserLoginSecure.
Username : mac
Password : Not configured
Offline detect period : 60 s
Quiet period : 5 s
Server timeout : 100 s
Authentication domain : sun
Max MAC-auth users : 2048 per slot
Online MAC-auth users
Silent MAC users:
MAC address VLAN ID From port...
Analysis
For a port operating in a port security mode other than noRestrictions, you cannot change the port security mode by using the port-security port-mode command.
Solution
To resolve the problem:
1. Set the port security mode to noRestrictions.
[Device-GigabitEthernet1/0/1] undo port-security port-mode
2. Set a new port security mode for the port, for example, autoLearn.
Configuring password control
Overview
Password control allows you to implement the following features:
• Manage login and super password setup, expirations, and updates for device management users.
• Control user login status based on predefined policies.
Local users are divided into two types: device management users and network access users. This feature applies only to device management users.
When a user configures a password, the system checks the complexity of the password. If the password does not meet the complexity requirements, the configuration fails. You can apply the following password complexity requirements:
• A password cannot contain the username or the reverse of the username. For example, if the username is abc, a password such as abc982 or 2cba is not complex enough.
Current login passwords of device management users are not stored in the password history. This is because a device management user password is saved in cipher text and cannot be recovered to a plaintext password.
User login control
First login
With the global password control feature enabled, users must change the password at first login before they can access the system.
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
Password control configuration task list
The password control features can be configured in several different views, and different views support different features.
Step Command Remarks
1. Enter system view. system-view
2. Enable the global password control feature. password-control enable • In non-FIPS mode, the global password control feature is disabled by default. • In FIPS mode, the global password control feature is enabled by default and cannot be disabled.
3. (Optional.) Enable a specific password control feature. password-control aging ... By default, all four password...
Step Command Remarks
... each user.
Specify the maximum number of login attempts and the action to be taken when a user fails to log in after the specified number of attempts. password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ] By default, the maximum number of login attempts is 3 and a user failing to log in after the specified...
Setting local user password control parameters
Step Command Remarks
1. Enter system view. system-view
2. Create a device management user and enter its view. local-user user-name class manage By default, no local user exists. Local user password control applies to device management users instead of network access users.
Step Command Remarks
1. Enter system view. system-view
2. Set the password expiration time for super passwords. password-control super aging aging-time The default setting is 90 days.
3. Configure the minimum length for super passwords. password-control super length length • In non-FIPS mode, the default setting is ... characters. •...
• A password expires after 30 days.
• The minimum password update interval is 36 hours.
• The maximum account idle time is 30 days.
• A password cannot contain the username or the reverse of the username.
• No character appears consecutively three or more times in a password.
Configure a super password control policy for user role network-operator to meet the following requirements:
•...
[Sysname] password-control super composition type-number 4 type-length 5
# Configure a super password used for switching to user role network-operator as 123456789ABGFTweuix@#$%! in plain text.
[Sysname] super password role network-operator simple 123456789ABGFTweuix@#$%!
Updating user information. Please wait ...
# Create a device management user named test.
[Sysname] local-user test class manage
# Set the service type of the user to Telnet.
# Display the password control configuration for local user test.
<Sysname> display local-user user-name test class manage
Total 1 local users matched.
Device management user test:
  State: Active
  Service type: Telnet
  User group: system
  Bind attributes:
  Authorization attributes:
    Work directory: flash:
    User role list: network-operator...
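The complexity rules from the overview (username and reversed username, no character repeated three or more times in a row) and the composition policy used in the example above (type-number 4 type-length 5) as a checker you can run against candidate passwords. This is an added example, not device code; the special-character class, case-sensitive username matching and the rule labels are assumptions of this model.

```python
"""Password complexity checker modelled on the password control rules above (added example)."""
import re
from typing import Optional

RULE_USERNAME = "contains username"
RULE_REVERSED = "contains reversed username"
RULE_REPEAT = "character repeated three or more times consecutively"
RULE_COMPOSITION = "composition policy not met"
RULE_LENGTH = "shorter than minimum length"


def composition_counts(password: str) -> dict:
    """Count characters per type: uppercase, lowercase, digit, special."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for ch in password:
        if ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["special"] += 1   # any other character counts as special (assumption)
    return counts


def check_password(password: str, username: str, type_number: int = 4,
                   type_length: int = 5, min_length: Optional[int] = None) -> list:
    """Return the list of violated rules; an empty list means the password is compliant.

    type_number / type_length mirror 'composition type-number N type-length M':
    at least N character types must each contribute at least M characters.
    Username matching is case-sensitive here (assumption).
    """
    violations = []
    if username and username in password:
        violations.append(RULE_USERNAME)
    if username and username[::-1] in password:
        violations.append(RULE_REVERSED)
    if re.search(r"(.)\1{2,}", password):        # same character three or more times in a row
        violations.append(RULE_REPEAT)
    counts = composition_counts(password)
    if sum(1 for c in counts.values() if c >= type_length) < type_number:
        violations.append(RULE_COMPOSITION)
    if min_length is not None and len(password) < min_length:
        violations.append(RULE_LENGTH)
    return violations
```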
Managing public keys
Overview
This chapter describes public key management for the following asymmetric key algorithms:
• Rivest-Shamir-Adleman Algorithm (RSA).
• Digital Signature Algorithm (DSA).
• Elliptic Curve Digital Signature Algorithm (ECDSA).
Many security applications, including SSH, SSL, and PKI, use asymmetric key algorithms to secure communications between two parties, as shown in Figure 74.
• If you do not assign the key pair a name, the system assigns the default name to the key pair and marks the key pair as default. You can also assign the default name to another key pair, but the system does not mark the key pair as default.
Distributing a local host public key
You must distribute a local host public key to a peer device so the peer device can perform the following operations:
• Use the public key to encrypt information sent to the local device.
•...
Task Command
Display local RSA public keys. display public-key local rsa public [ name key-name ]
Display local ECDSA public keys. display public-key local ecdsa public [ name key-name ] (Available in Release 1121 and later.)
Display local DSA public keys. display public-key local dsa public [ name
Step Command Remarks
1. Enter system view. system-view
2. Import a peer host public key from a public key file. public-key peer keyname import sshkey filename By default, no peer host public keys exist.
Entering a peer host public key
Before you perform this task, make sure you have displayed the key on the peer device and recorded the key.
• Configure Device B to use the asymmetric key algorithm of RSA to authenticate Device A.
• Manually specify the host public key of Device A on Device B.
Figure 75 Network diagram (Device A, Device B)
Configuration procedure
Configure Device A:
# Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits.
<DeviceB> system-view
[DeviceB] public-key peer devicea
Enter public key view. Return to system view with "peer-public-key end" command.
[DeviceB-pkey-public-key-devicea]30819F300D06092A864886F70D010101050003818D003081 2818100DA3B90F59237347B
[DeviceB-pkey-public-key-devicea]8D41B58F8143512880139EC9111BFD31EB84B6B7C7A14700 C8F04A827B30C2CAF79242E
[DeviceB-pkey-public-key-devicea]45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A744 88EC54A5D31EFAE4F681257
[DeviceB-pkey-public-key-devicea]6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F B1F2D561BF66EA27DFD4788
[DeviceB-pkey-public-key-devicea]CB47440AF6BB25ACA50203010001
# Save the public key and return to system view.
[DeviceB-pkey-public-key-devicea] peer-public-key end
Verifying the configuration
# Verify that the key is the same as on Device A.
Configuration procedure
Configure Device A:
# Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits.
<DeviceA> system-view
[DeviceA] public-key local create rsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Configure Device B:
# Use FTP in binary mode to get the public key file devicea.pub from Device A.
<DeviceB> ftp 10.1.1.1
Connected to 10.1.1.1 (10.1.1.1).
220 FTP service ready.
User(10.1.1.1:(none)):ftp
331 Password required for ftp.
Password:
230 User logged in.
Remote system type is UNIX.
Configuring PKI Overview Public Key Infrastructure (PKI) is an asymmetric key infrastructure to encrypt and decrypt data for securing network services. Data encrypted with the public key can be decrypted only with the private key. Likewise, data encrypted with the private key can be decrypted only with the public key. PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity.
• The private key is compromised.
• The association between the subject and CA is changed. For example, when an employee terminates employment with an organization.
CA policy
A CA policy is a set of criteria that a CA follows to process certificate requests, to issue and revoke certificates, and to publish CRLs.
A PKI entity submits a certificate request to the RA. The RA verifies the identity of the entity and sends a digital signature containing the identity information and the public key to the CA. The CA verifies the digital signature, approves the request, and issues a certificate. After receiving the certificate from the CA, the RA sends the certificate to the certificate repositories and notifies the PKI entity that the certificate has been issued.
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
PKI configuration task list
Tasks at a glance
(Required.) Configuring a PKI entity
(Required.)
Step Command Remarks
... To create multiple PKI entities, repeat this step.
Set a common name for the entity. common-name common-name-string By default, the common name is not set.
Set the country code of the entity. country country-code-string By default, the country code is not set.
Step Command Remarks
(Optional.) Set the SCEP polling interval and the maximum number of polling attempts. certificate request polling { count count | interval minutes } By default, the switch polls the CA server for the certificate request status every 20 minutes. The maximum number of polling attempts ...
Step Command Remarks
12. (Optional.) Specify a ...
  • Specify the source IPv4 address for protocol packets: source ip { ip-address | interface interface-type interface-number }
  This task is required if the CA policy requires that the CA server accept certificate requests from a specific IP address or subnet.
Configuring automatic certificate request
IMPORTANT:
The device does not support automatic certificate rollover. To avoid service interruptions, you must manually submit a certificate renewal request before the current certificate expires.
In auto request mode, a PKI entity automatically submits a certificate request to the CA when an application works with the PKI entity that does not have a local certificate.
Step Command Remarks
... a key pair if the key pair specified in the PKI domain does not exist. The name, algorithm, and length of the key pair are configured in the PKI domain.
Aborting a certificate request
Before the CA issues a certificate, you can abort a certificate request and change its parameters, such as the common name, country code, or FQDN.
• If a CA certificate already exists locally, you cannot obtain it again in online mode. If you want to obtain a new one, use the pki delete-certificate command to remove the existing CA certificate and local certificates first.
• If local or peer certificates already exist, you can obtain new local or peer certificates to overwrite the existing ones.
Step Command Remarks
1. Enter system view. system-view
2. Enter PKI domain view. pki domain domain-name
3. (Optional.) Specify the URL of the CRL repository. crl url url-string [ vpn-instance vpn-instance-name ] By default, the URL of the CRL repository is not specified.
4. Enable CRL checking. ... By default, ... checking ...
After you change the storage path for certificates or CRLs, the certificate files (with the .cer or .p12 extension) and CRL files (with the .crl extension) in the original path are moved to the new path.
To specify the storage path for the certificates and CRLs:
Task Command Remarks...
To remove a certificate:
Step Command Remarks
1. Enter system view. system-view
2. Remove a certificate. pki delete-certificate domain domain-name { ca | local | peer [ serial serial-num ] } If you use the peer keyword without specifying a serial number, the command removes peer certificates.
Step Command Remarks
... By default, no certificate access control rules are configured, and all certificates can pass the verification.
Create a certificate access control rule. rule [ id ] { deny | permit } group-name You can create multiple access control rules ... certificate-based access control...
Configuring the RSA Keon CA server
Create a CA server named myca:
In this example, you must configure these basic attributes on the CA server:
• Nickname—Name of the trusted CA.
• Subject DN—DN attributes of the CA, including the common name (CN), organization unit ...
......++++++
........++++++
Create the key pair successfully.
Request a local certificate:
# Obtain the CA certificate and save it locally.
[Device] pki retrieve-certificate domain torsa ca
The trusted CA's finger print is:
    fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB
    SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8
Is the finger print correct?(Y/N):y
Retrieved the certificates successfully.
        Full Name:
          DirName: CN = myca
    Signature Algorithm: sha1WithRSAEncryption
        b0:9d:d9:ac:a0:9b:83:99:bf:9d:0a:ca:12:99:58:60:d8:aa:
        73:54:61:4b:a2:4c:09:bb:9f:f9:70:c7:f8:81:82:f5:6c:af:
        25:64:a5:99:d1:f6:ec:4f:22:e8:6a:96:58:6c:c9:47:46:8c:
        f1:ba:89:b8:af:fa:63:c6:c9:77:10:45:0d:8f:a6:7f:b9:e8:
        25:90:4a:8e:c6:cc:b8:1a:f8:e0:bc:17:e0:6a:11:ae:e7:36:
        87:c4:b0:49:83:1c:79:ce:e2:a3:4b:15:40:dd:fe:e0:35:52:
        ed:6d:83:31:2c:c2:de:7c:e0:a7:92:61:bc:03:ab:40:bd:69:
        1b:f5
To display detailed information about the CA certificate, use the display pki certificate domain command.
Requesting a certificate from a Windows Server 2003 CA server
Network requirements
Configure the PKI entity (the device) to request a local certificate from a Windows Server 2003 CA...
a. Select Control Panel > Administrative Tools > Internet Information Services (IIS) Manager from the start menu.
b. Select Web Sites from the navigation tree.
c. Right-click Default Web Site and select Properties > Home Directory.
d. Specify the path for certificate service in the Local path box.
e.
    SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4
Is the finger print correct?(Y/N):y
Retrieved the certificates successfully.
# Submit a certificate request manually.
[Device] pki request-certificate domain winserver
Start to request the general certificate ...
……
Certificate requested successfully.
Verifying the configuration
# Display information about the local certificate in PKI domain winserver.
herment
            X509v3 Subject Key Identifier:
                C9:BB:D5:8B:02:1D:20:5B:40:94:15:EC:9C:16:E8:9D:6D:FD:9F:34
            X509v3 Authority Key Identifier:
                keyid:32:F1:40:BA:9E:F1:09:81:BD:A8:49:66:FF:F8:AB:99:4A:30:21:9
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:file://\\g07904c\CertEnroll\sec.crl
            Authority Information Access:
                CA Issuers - URI:http://gc/CertEnroll/gc_sec.crt
                CA Issuers - URI:file://\\gc\CertEnroll\gc_sec.crt
            1.3.6.1.4.1.311.20.2:
                .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e
    Signature Algorithm: sha1WithRSAEncryption
        76:f0:6c:2c:4d:bc:22:59:a7:39:88:0b:5c:50:2e:7a:5c:9d:
        6c:28:3c:c0:32:07:5a:9c:4c:b6:31:32:62:a9:45:51:d5:f5:
        36:8f:47:3d:47:ae:74:6c:54:92:f2:54:9f:1a:80:8a:3f:b2:
        14:47:fa:dc:1e:4d:03:d5:d3:f5:9d:ad:9b:8d:03:7f:be:1e:
        29:28:87:f7:ad:88:1c:8f:98:41:9a:db:59:ba:0a:eb:33:ec:
        cf:aa:9b:fc:0f:69:3a:70:f2:fa:73:ab:c1:3e:4d:12:fb:99:
        31:51:ab:c2:84:c0:2f:e5:f6:a7:c3:20:3c:9a:b0:ce:5a:bc:
        0f:d9:34:56:bc:1e:6f:ee:11:3f:7c:b2:52:f9:45:77:52:fb:
        46:8a:ca:b7:9d:02:0d:4e:c3:19:8f:81:46:4e:03:1f:58:03:...
Configuring the OpenCA server
The configuration is not shown. For information about how to configure an OpenCA server, see related manuals. When you configure the CA server, use the OpenCA version later than version 0.9.2 because the earlier versions do not support SCEP.
Configuring the device
Synchronize the device's system time with the CA server for the device to correctly request certificates.
    fingerprint:5AA3 DEFD 7B23 2A25 16A3 14F4 C81C C0FA
    SHA1 fingerprint:9668 4E63 D742 4B09 90E0 4C78 E213 F15F DC8E 9122
Is the finger print correct?(Y/N):y
Retrieved the certificates successfully.
# Submit a certificate request manually.
[Device] pki request-certificate domain openca
Start to request the general certificate ...
……...
            Netscape Comment:
                User Certificate of OpenCA Labs
            X509v3 Subject Key Identifier:
                24:71:C9:B8:AD:E1:FE:54:9A:EA:E9:14:1B:CD:D9:45:F4:B2:7A:1B
            X509v3 Authority Key Identifier:
                keyid:85:EB:D5:F7:C9:97:2F:4B:7A:6D:DD:1B:4D:DD:00:EE:53:CF:FD:5B
            X509v3 Issuer Alternative Name:
                DNS:root@docm.com, DNS:, IP Address:192.168.154.145, IP Address:192.168.154.138
            Authority Information Access:
                CA Issuers - URI:http://192.168.222.218/pki/pub/cacert/cacert.crt
                OCSP - URI:http://192.168.222.218:2560/
                1.3.6.1.5.5.7.48.12 - URI:http://192.168.222.218:830/
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://192.168.222.218/pki/pub/crl/cacrl.crl...
Figure 82 Network diagram (Device A: 1) Export; Device B: 2) Import; each connected to a host across an IP network)
Configuration procedure
Export the certificate on Device A to specified files:
# Export the CA certificate to a .pem file.
<DeviceA> system-view
[DeviceA] pki export domain exportdomain pem ca filename pkicachain.pem
# Export the local certificate to a file named pkilocal.pem in PEM format, and use 3DES_CBC to encrypt the private key with the password 111111.
Failed to obtain the CA certificate
Symptom
The CA certificate cannot be obtained.
Analysis
• The network connection is down, for example, because the network cable is damaged or the connectors have bad contact.
• No trusted CA is specified.
•...
• Check the registration policy on the CA or RA, and make sure the attributes of the PKI entity meet the policy requirements.
• Obtain the CRL from the CRL repository.
• Specify the correct source IP address that the CA server can accept. For the correct settings, contact the CA administrator.
Analysis
• The network connection is down, for example, because the network cable is damaged or the connectors have bad contact.
• No CA certificate has been obtained before you try to obtain CRLs.
• The URL of the CRL repository is not configured and cannot be obtained from the CA certificate or local certificates in the PKI domain.
Failed to import a local certificate
Symptom
A local certificate cannot be imported.
Analysis
• The PKI domain does not have a locally stored CA certificate, and the certificate file to be imported does not contain the CA certificate chain.
•...
If the problem persists, contact Hewlett Packard Enterprise Support.
Failed to set the storage path
Symptom
The storage path for certificates or CRLs cannot be set.
Analysis
• The specified storage path does not exist.
• The specified storage path is illegal.
• ...
Configuring IPsec
The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide).
CAUTION:
• ...
Security protocols and encapsulation modes
Security protocols
IPsec comes with two security protocols, AH and ESP. They define how to encapsulate IP packets and the security services that they can provide.
• AH (protocol 51) defines the encapsulation of the AH header in an IP packet, as shown in Figure 85.
Figure 85 shows how the security protocols encapsulate an IP packet in different encapsulation modes.
Figure 85 Security protocol encapsulations in different modes (rows: AH, ESP, AH-ESP; columns: transport mode, tunnel mode; each cell shows the placement of the IP header, the AH and ESP headers, the ESP trailer (ESP-T) and the data)
Security association...
Authentication and encryption
Authentication algorithms
IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. Each IPsec peer calculates a message digest for every packet. The receiver compares the locally computed digest with the digest received from the sender. If the digests are identical, the receiver considers the packet intact and the sender's identity valid.
• Standard mode—One IPsec tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one IPsec tunnel that is established solely for it.
• Aggregation mode—One IPsec tunnel protects all data flows permitted by all the rules of an ACL.
Implementing ACL-based IPsec
Feature restrictions and guidelines
ACLs for IPsec take effect only on traffic that is generated by the device and traffic that is destined for the device. They do not take effect on traffic forwarded through the device. For example, an ACL-based IPsec tunnel can protect log messages the device sends to a log server, but it cannot protect data flows and voice flows that are forwarded by the device.
Configuring an ACL
IPsec uses ACLs to identify the traffic to be protected.
Keywords in ACL rules
An ACL is a collection of ACL rules. Each ACL rule is a deny or permit statement. A permit statement identifies a data flow protected by IPsec, and a deny statement identifies a data flow that is not protected by IPsec.
Step Command Remarks
Create an IPsec transform set and enter its view.
  Command: ipsec transform-set transform-set-name
  Remarks: By default, no IPsec transform set exists.
(Optional.) Specify the security protocol for the IPsec transform set.
  Command: protocol { ah | ah-esp | esp }
  Remarks: By default, the IPsec transform set uses ESP as the security protocol.
• The IPsec policies at the two ends must have IPsec transform sets that use the same security protocols, security algorithms, and encapsulation mode.
• The remote IPv4 address configured on the local end must be the same as the primary IPv4 address of the interface applied with the IPsec policy at the remote end.
Step Command Remarks
Configure keys for the IPsec SA:
• Configure an authentication key in hexadecimal format for AH:
  sa hex-key authentication { inbound | outbound } ah { cipher | simple } key-value
• Configure an authentication key in character format for AH:
  sa string-key { inbound | outbound } ah { cipher | ...
  Remarks: By default, no keys are configured for the IPsec SA. Configure keys correctly for the security...
• The remote IP address of the IPsec tunnel is required on an IKE negotiation initiator and is optional on the responder. The remote IP address specified on the local end must be the same as the local IP address specified on the remote end.
For an IPsec SA established through IKE negotiation:
• ...
Step Command Remarks
... address of the interface to which the IPsec policy is applied. The local IP address specified by this command must be the same as the IP address used as the local IKE identity.
Specify the remote IP address of the IPsec tunnel.
  Command: remote-address { [ ipv6 ] host-name | ipv4-address | ipv6...
  Remarks: By default, the remote IP address ...
Step Command Remarks
(Optional.) Specify an ACL for the IPsec policy template.
  Command: security acl [ ipv6 ] { acl-number | name acl-name } [ aggregation | per-host ]
  Remarks: By default, no ACL is specified for an IPsec policy template. You can specify only one ACL for an IPsec policy template.
Step Command Remarks
13. Return to system view.
  Command: quit
14. Configure the global SA lifetime.
  Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
  Remarks: By default, the time-based SA lifetime is 3600 seconds and the traffic-based SA lifetime is 1843200 kilobytes.
15. (Optional.) Enable the global IPsec SA idle timeout feature.
  Command: ipsec sa idle-time seconds
  Remarks: By default, the global IPsec SA ...
To enable ACL checking for de-encapsulated packets:
Step Command Remarks
1. Enter system view.
  Command: system-view
2. Enable ACL checking for de-encapsulated packets.
  Command: ipsec decrypt-check enable
  Remarks: By default, this feature is enabled.
Configuring IPsec anti-replay
The IPsec anti-replay feature protects networks against replay attacks by using a sliding window mechanism called the anti-replay window.
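As an added example (not from the configuration guide), the following Python models the sliding-window check that anti-replay applies to the sequence number of each inbound AH or ESP packet: a packet to the right of the window advances it, a packet inside the window is accepted once and rejected on repeat, and a packet that has fallen off the left edge is dropped. The window size of 64 and the sample sequence numbers are assumptions.

```python
"""Sliding-window anti-replay check, added as an illustrative model.

Not device code: this mirrors the RFC 4303-style window that IPsec keeps
per inbound SA. Window size (64) and sample inputs are assumptions.
"""
from typing import List, Tuple


class AntiReplayWindow:
    """Tracks the highest sequence number accepted and a bitmap of the
    window_size most recent sequence numbers, so stale and duplicated
    packets are detected without storing every sequence number seen."""

    def __init__(self, window_size: int = 64) -> None:
        if window_size < 32:
            raise ValueError("window size must be at least 32")
        self.window_size = window_size
        self.highest = 0          # right edge of the window (0 = nothing seen)
        self.bitmap = 0           # bit i set => sequence (highest - i) was seen
        self.dropped_old = 0      # packets left of the window
        self.dropped_replay = 0   # duplicates inside the window

    def check(self, seq: int) -> bool:
        """Return True if seq is fresh (and mark it seen), False if it is
        stale or a replay. Sequence number 0 is never valid on the wire."""
        if seq == 0:
            self.dropped_replay += 1
            return False
        if seq > self.highest:
            # New right edge: slide the bitmap by the distance moved and
            # mark the new packet in bit 0.
            shift = seq - self.highest
            if shift >= self.window_size:
                self.bitmap = 1
            else:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.window_size:
            # Older than anything the window remembers: drop.
            self.dropped_old += 1
            return False
        if self.bitmap & (1 << diff):
            # Already seen inside the window: replay.
            self.dropped_replay += 1
            return False
        self.bitmap |= 1 << diff
        return True


def process(seqs: List[int], window_size: int = 64) -> Tuple[List[int], List[int]]:
    """Feed a sequence of inbound sequence numbers through one window and
    return (accepted, rejected) lists in arrival order."""
    win = AntiReplayWindow(window_size)
    accepted: List[int] = []
    rejected: List[int] = []
    for s in seqs:
        (accepted if win.check(s) else rejected).append(s)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: in-order packets, one reordered packet (4 after 5),
    # a replayed 5, a jump far ahead, a packet far behind, and a late packet
    # that is still inside the window.
    acc, rej = process([1, 2, 3, 5, 4, 5, 100, 30, 70])
    print("accepted:", acc)   # [1, 2, 3, 5, 4, 100, 70]
    print("rejected:", rej)   # [5, 30]
```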
• IPsec anti-replay sequence numbers for outbound packets.
This feature, used together with IPsec redundancy, ensures uninterrupted IPsec traffic forwarding and anti-replay protection when the master device in an IRF fabric fails.
To configure IPsec anti-replay redundancy:
Step Command Remarks
Enter system view.
Step Command Remarks
... interface-type interface-number
Enabling QoS pre-classify
If you apply both an IPsec policy and a QoS policy to an interface, QoS classifies packets by using the new headers added by IPsec. If you want QoS to classify packets by using the headers of the original IP packets, enable the QoS pre-classify feature.
You can configure the DF bit in system view and interface view. The interface-view DF bit setting takes precedence over the system-view DF bit setting. If the interface-view DF bit setting is not configured, the interface uses the system-view DF bit setting.
Follow these guidelines when you configure the DF bit:
• ...
Configuring a manual IPsec profile
An IPsec profile is similar to an IPsec policy. The difference is that an IPsec profile is uniquely identified by a name and does not support ACL configuration. An IPsec profile defines the IPsec transform set used for protecting data flows, and specifies the SPIs and keys used by the SAs.
Step Command Remarks
Configure keys for the IPsec SA:
• Configure an authentication key in hexadecimal format for AH:
  sa hex-key authentication { inbound | outbound } ah { cipher | simple } key-value
• Configure an authentication key in character format for AH:
  ...
  Remarks: By default, no keys are configured for the IPsec SA.
Displaying and maintaining IPsec
Execute display commands in any view and reset commands in user view.
Task Command
Display IPsec policy information.
  display ipsec { ipv6-policy | policy } [ policy-name [ seq-number ] ]
Display IPsec policy template information.
  display ipsec { ipv6-policy-template | policy-template } [ template-name [ seq-number ] ]
Display IPsec profile information.
  ...
[SwitchA-Vlan-interface1] ip address 2.2.2.1 255.255.255.0
[SwitchA-Vlan-interface1] quit
# Configure an ACL to identify data flows between Switch A and Switch B.
[SwitchA] acl number 3101
[SwitchA-acl-adv-3101] rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0
[SwitchA-acl-adv-3101] quit
# Create an IPsec transform set named tran1.
[SwitchA] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.
# Specify the encapsulation mode as tunnel.
[SwitchB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[SwitchB-ipsec-transform-set-tran1] protocol esp
# Specify the ESP encryption and authentication algorithms.
[SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-192
[SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchB-ipsec-transform-set-tran1] quit
# Create a manual IPsec policy entry. Specify the policy name as use1 and set the sequence number to 10.
remote address: 2.2.3.1
Flow: as defined in ACL 3101
[Inbound ESP SA]
  SPI: 54321 (0x0000d431)
  Transform set: ESP-ENCRYPT-AES-CBC-192 ESP-AUTH-SHA1
  No duration limit for this SA
[Outbound ESP SA]
  SPI: 12345 (0x00003039)
  Transform set: ESP-ENCRYPT-AES-CBC-192 ESP-AUTH-SHA1
  No duration limit for this SA
Configuring an IKE-based IPsec tunnel for IPv4 packets
Network requirements
As shown in...
# Create the IKE keychain named keychain1.
[SwitchA] ike keychain keychain1
# Specify 12345zxcvb!@#$%ZXCVB in plain text as the pre-shared key to be used with the peer 2.2.3.1.
[SwitchA-ike-keychain-keychain1] pre-shared-key address 2.2.3.1 255.255.255.0 key simple 12345zxcvb!@#$%ZXCVB
[SwitchA-ike-keychain-keychain1] quit
# Create the IKE profile named profile1.
[SwitchA] ike profile profile1
# Specify the keychain keychain1.
# Specify the ESP encryption and authentication algorithms.
[SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-192
[SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchB-ipsec-transform-set-tran1] quit
# Create the IKE keychain named keychain1.
[SwitchB] ike keychain keychain1
# Specify 12345zxcvb!@#$%ZXCVB in plain text as the pre-shared key to be used with the peer 2.2.2.1.
Figure 88 Network diagram (Switch A, Switch C and Switch B connected through Vlan-int100 (1::1/64, 1::2/64) and Vlan-int200 (3::1/64, 3::2/64))
Requirements analysis
To meet the network requirements, perform the following tasks:
Configure basic RIPng. For more information about RIPng configurations, see Layer 3—IP Routing Configuration Guide.
Configure Switch B:
# Configure IPv6 addresses for interfaces. (Details not shown.)
# Configure basic RIPng.
<SwitchB> system-view
[SwitchB] ripng 1
[SwitchB-ripng-1] quit
[SwitchB] interface vlan-interface 200
[SwitchB-Vlan-interface200] ripng 1 enable
[SwitchB-Vlan-interface200] quit
[SwitchB] interface vlan-interface 100
[SwitchB-Vlan-interface100] ripng 1 enable
[SwitchB-Vlan-interface100] quit
# Create and configure the IPsec transform set named tran1.
# Create and configure the IPsec profile named profile001.
[SwitchC] ipsec profile profile001 manual
[SwitchC-ipsec-profile-profile001] transform-set tran1
[SwitchC-ipsec-profile-profile001] sa spi outbound esp 123456
[SwitchC-ipsec-profile-profile001] sa spi inbound esp 123456
[SwitchC-ipsec-profile-profile001] sa string-key outbound esp simple abcdefg
[SwitchC-ipsec-profile-profile001] sa string-key inbound esp simple abcdefg
[SwitchC-ipsec-profile-profile001] quit
# Apply the IPsec profile to RIPng process 1.
Configuring IKE
Unless otherwise specified, the term "IKE" in this chapter refers to IKEv1. The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide).
Figure 90 IKE exchange process in main mode (Peer 1 and Peer 2: algorithm negotiation, in which the initiator sends its local IKE policy, the responder searches for a matched policy, and the confirmed policy is received in the SA exchange; key generation, in which the initiator's and receiver's keying data are exchanged and the key is generated; identity ...)
DH algorithm
The DH algorithm is a public key algorithm. With this algorithm, two peers can exchange keying material and then use the material to calculate the shared keys. Because deriving the shared keys from the exchanged keying material is computationally infeasible, a third party cannot recover the keys even after intercepting all of the keying material. The Perfect Forward Secrecy (PFS) feature is a security feature based on the DH algorithm.
Tasks at a glance
(Optional.) Configuring the IKE keepalive feature
(Optional.) Configuring the IKE NAT keepalive feature
(Optional.) Configuring IKE DPD
(Optional.) Enabling invalid SPI recovery
(Optional.) Setting the maximum number of IKE SAs
(Optional.) Configuring SNMP notifications for IKE
Configuring an IKE profile
An IKE profile is intended to provide a set of parameters for IKE negotiation.
Step Command Remarks
1. Enter system view.
  Command: system-view
2. Create an IKE profile and enter its view.
  Command: ike profile profile-name
  Remarks: By default, no IKE profile is configured.
3. ...
  Command: match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address ...
  Remarks: By default, an IKE profile has ...
Step Command Remarks
10. (Optional.) Specify an inside VPN instance.
  Command: inside-vpn vpn-instance vpn-name
  Remarks: By default, no inside VPN instance is specified for an IKE profile, and the device forwards protected data to the VPN instance where the interface receiving the data resides.
11. (Optional.) Specify a priority for the IKE profile.
  Command: priority number
  Remarks: By default, the priority of an ...
Step Command Remarks
Specify an authentication algorithm.
  Command:
  In Release 1111:
  • Non-FIPS mode: authentication-algorithm { md5 | sha }
  • FIPS mode: authentication-algorithm sha
  In Release 1121 and later: ...
  Remarks: By default, an IKE proposal uses the HMAC-SHA1 authentication algorithm in Release 1111. In Release 1121 and later, by default, an IKE proposal uses the HMAC-SHA1 authentication ...
Step Command Remarks
... supports only DN for signature authentication.
Configuring the IKE keepalive feature
IKE sends keepalive packets to query the liveness of the peer. If the peer is configured with the keepalive timeout time, you must configure the keepalive interval on the local device. If the peer receives no keepalive packets during the timeout time, the IKE SA is deleted along with the IPsec SAs it negotiated.
• On-demand DPD—Sends a DPD message based on traffic. When the device has traffic to send and is not aware of the liveness of the peer, it sends a DPD message to query the status of the peer. If the device has no traffic to send, it never sends DPD messages. As a best practice, use the on-demand mode.
Step Command Remarks
Enable invalid SPI recovery.
  Command: ike invalid-spi-recovery enable
  Remarks: By default, invalid SPI recovery is disabled.
Setting the maximum number of IKE SAs
You can set the maximum number of half-open IKE SAs and the maximum number of established IKE SAs.
Step Command Remarks
... [ delete | tunnel-start | tunnel-stop | unsupport-exch-type ] *
Displaying and maintaining IKE
Execute display commands in any view and reset commands in user view.
Task Command
Display configuration information about all IKE proposals.
  display ike proposal
Display ...
  display ike sa [ verbose [ connection-id ...
[SwitchA-acl-adv-3101] quit
# Create IPsec transform set tran1.
[SwitchA] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel.
[SwitchA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use the ESP protocol for the IPsec transform set.
[SwitchA-ipsec-transform-set-tran1] protocol esp
# Specify the encryption and authentication algorithms.
[SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-192
[SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[SwitchA-ipsec-transform-set-tran1] quit
...
[SwitchB-Vlan-interface1] quit
# Configure ACL 3101 to identify traffic between Switch B and Switch A.
[SwitchB] acl number 3101
[SwitchB-acl-adv-3101] rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.0 0
[SwitchB-acl-adv-3101] quit
# Create IPsec transform set tran1.
[SwitchB] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel.
Verifying the configuration
# Initiate a connection from Switch A to Switch B to trigger IKE negotiation. After IPsec SAs are successfully negotiated by IKE, traffic between the two switches is IPsec protected.
Troubleshooting IKE
IKE negotiation failed because no matching IKE proposals were found
Symptom
The IKE SA is in Unknown state.
IKE packet debugging message:
Construct notification packet: PAYLOAD_MALFORMED.
Analysis
• If the following debugging information appeared, the matched IKE profile is not using the matched IKE proposal:
  Failed to find proposal 1 in profile profile1.
• If the following debugging information appeared, the matched IKE profile is not using the matched IKE keychain:
  Failed to find keychain keychain1 in profile profile1.
Analysis
Certain IPsec policy settings of the responder are incorrect. Verify the settings as follows:
Use the display ike sa verbose command to verify that matching IKE profiles were found in IKE negotiation phase 1. If no matching IKE profiles were found and the IPsec policy has an IKE profile specified, the IPsec SA negotiation fails.
IKE profile: profile1
SA duration(time based):
SA duration(traffic based):
SA idle time:
Verify that the ACL used by the IPsec policy is correctly configured. If the flow range defined by the responder's ACL is smaller than that defined by the initiator's ACL, IPsec proposal matching will fail.
For example:
[Sysname] display acl 3000
Advanced ACL 3000, named -none-, 2 rules, ACL's step is 5
 rule 0 permit ip source 192.168.222.0 0.0.0.255 destination 192.168.222.0 0.0.0.255
Configure the missing settings (for example, the remote address).
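As an added illustration of this troubleshooting step (not from the configuration guide), the following Python models how an advanced ACL permit rule with wildcard masks selects the flow an IPsec policy protects, and checks the condition stated above: the responder's rule, mirrored, must cover the whole flow range the initiator proposes. The rules are constructed in the guide's rule syntax; the helper names are my own.

```python
"""ACL-based IPsec flow matching and initiator/responder coverage check.

Illustrative Python, not device code. A Comware-style advanced ACL rule
such as  rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0  uses
wildcard masks: a 0 bit must match, a 1 bit is ignored. A bare "0" is
the guide's shorthand for 0.0.0.0 (exact host match).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional

RULE_RE = re.compile(
    r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\w+)"
    r"\s+source\s+(?P<src>\S+)\s+(?P<swc>\S+)"
    r"\s+destination\s+(?P<dst>\S+)\s+(?P<dwc>\S+)"
)


def _to_int(addr: str) -> int:
    """Convert a dotted address or wildcard to an int; '0' means 0.0.0.0."""
    if addr == "0":
        return 0
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class AclRule:
    rule_id: int
    action: str      # "permit" => flow protected by IPsec, "deny" => not protected
    src: int
    src_wc: int      # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wc: int

    @classmethod
    def parse(cls, line: str) -> "AclRule":
        m = RULE_RE.search(line.strip())
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        return cls(int(m["id"]), m["action"],
                   _to_int(m["src"]), _to_int(m["swc"]),
                   _to_int(m["dst"]), _to_int(m["dwc"]))

    def matches(self, src: str, dst: str) -> bool:
        """A packet matches when every 'care' bit (wildcard 0) agrees."""
        return ((_to_int(src) & ~self.src_wc) == (self.src & ~self.src_wc)
                and (_to_int(dst) & ~self.dst_wc) == (self.dst & ~self.dst_wc))

    def mirror(self) -> "AclRule":
        """The same flow as seen from the peer: source and destination swap."""
        return AclRule(self.rule_id, self.action,
                       self.dst, self.dst_wc, self.src, self.src_wc)


def _range_covers(addr_b: int, wc_b: int, addr_a: int, wc_a: int) -> bool:
    """True if address range B (addr_b/wc_b) contains all of range A."""
    # B must ignore every bit A ignores, and agree with A on the bits B checks.
    return (wc_a & ~wc_b) == 0 and (addr_a & ~wc_b) == (addr_b & ~wc_b)


def responder_covers(initiator: AclRule, responder: AclRule) -> bool:
    """The responder can accept the initiator's proposed flow only if its
    own permit rule, mirrored, covers the whole range the initiator offers.
    A smaller responder range is the mismatch described in the guide."""
    if initiator.action != "permit" or responder.action != "permit":
        return False
    r = responder.mirror()
    return (_range_covers(r.src, r.src_wc, initiator.src, initiator.src_wc)
            and _range_covers(r.dst, r.dst_wc, initiator.dst, initiator.dst_wc))


def first_match(rules: Iterable[AclRule], src: str, dst: str) -> Optional[AclRule]:
    """Return the first rule, in rule-id order, that matches the flow."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(src, dst):
            return rule
    return None


if __name__ == "__main__":
    # Constructed rules: the initiator offers a /24-to-/24 flow, the first
    # responder only permits a host-to-host flow, the second permits a
    # range at least as wide in both directions.
    init = AclRule.parse("rule 0 permit ip source 192.168.222.0 0.0.0.255 "
                         "destination 192.168.223.0 0.0.0.255")
    narrow = AclRule.parse("rule 0 permit ip source 192.168.223.1 0 "
                           "destination 192.168.222.1 0")
    wide = AclRule.parse("rule 0 permit ip source 192.168.223.0 0.0.0.255 "
                         "destination 192.168.222.0 0.0.1.255")
    print("narrow responder covers initiator:", responder_covers(init, narrow))  # False
    print("wide responder covers initiator:", responder_covers(init, wide))      # True
```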
Configuring IKEv2
Overview
Internet Key Exchange version 2 (IKEv2) is an enhanced version of IKEv1. Like IKEv1, IKEv2 has a set of self-protection mechanisms and can be used on insecure networks for reliable identity authentication, key distribution, and IPsec SA negotiation. IKEv2 provides stronger protection against attacks and higher key exchange capability, and needs fewer message exchanges than IKEv1.
New features in IKEv2
DH guessing
In the IKE_SA_INIT exchange, the initiator guesses the DH group that the responder is most likely to use and sends it in an IKE_SA_INIT request message. If the initiator's guess is correct, the responder responds with an IKE_SA_INIT response message and the IKE_SA_INIT exchange is finished.
IKEv2 configuration task list
Determine the following parameters prior to IKEv2 configuration:
• The strength of the algorithms for IKEv2 negotiation, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. Different algorithms provide different levels of protection. A stronger algorithm means better resistance to decryption of protected data but requires more resources.
The device compares the received peer ID with the peer IDs of its local IKEv2 profiles. If a match is found, it uses the IKEv2 profile with the matching peer ID for IKEv2 negotiation. IKEv2 profiles will be compared in descending order of their priorities. Specify a local interface or IP address for the IKEv2 profile so the profile can be applied only to the specified interface or IP address.
Step Command Remarks
... remote identity ...
Specify the authentication methods.
  Command: authentication-method { local | remote } { dsa-signature | ecdsa-signature | pre-share | rsa-signature }
  Remarks: By default, no authentication method is configured.
Specify a keychain.
  Command: keychain keychain-name
  Remarks: By default, no keychain is specified for an IKEv2 profile. Perform this task when the pre-shared key authentication method is specified.
Step Command Remarks
... interval.
15. (Optional.) Enable the configuration exchange feature.
  Command: config-exchange { request | set { accept | send } }
  Remarks: By default, configuration exchange options are disabled.
Configuring an IKEv2 policy
During the IKE_SA_INIT exchange, each end tries to find a matching IKEv2 policy, using the IP address of the local security gateway as the matching criterion.
A complete IKEv2 proposal must have at least one set of security parameters, including one encryption algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group. You can specify multiple IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a higher priority.
Configuring global IKEv2 parameters
Enabling the cookie challenging feature
Enable cookie challenging on responders to protect them against DoS attacks that use a large number of source IP addresses to forge IKE_SA_INIT requests.
To enable cookie challenging:
Step Command Remarks
Enter system view.
Step Command Remarks
Set the IKEv2 NAT keepalive interval.
  Command: ikev2 nat-keepalive seconds
  Remarks: By default, the IKEv2 NAT keepalive interval is 10 seconds.
Displaying and maintaining IKEv2
Execute display commands in any view and reset commands in user view.
Task Command
Display the IKEv2 proposal configuration.
  display ikev2 proposal [ name | default ]
Display the IKEv2 policy configuration.
# Configure IPv4 advanced ACL 3101 to identify traffic between Switch A and Switch B.
[SwitchA] acl advanced 3101
[SwitchA-acl-ipv4-adv-3101] rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
[SwitchA-acl-ipv4-adv-3101] quit
# Create an IPsec transform set named tran1.
[SwitchA] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel.
[SwitchA-ipsec-policy-isakmp-map1-10] ikev2-profile profile1
[SwitchA-ipsec-policy-isakmp-map1-10] quit
# Apply IPsec policy map1 to VLAN-interface 1.
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ipsec apply policy map1
[SwitchA-Vlan-interface1] quit
Configure Switch B:
# Assign an IP address to VLAN-interface 1.
<SwitchB> system-view
[SwitchB] interface Vlan-interface1
[SwitchB-Vlan-interface1] ip address 2.2.2.2 255.255.255.0
[SwitchB-Vlan-interface1] quit
# Configure IPv4 advanced ACL 3101 to identify traffic between Switch A and Switch B.
[SwitchB-ikev2-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0
[SwitchB-ikev2-profile-profile1] quit
# Create an IKE-based IPsec policy entry. Specify the policy name as use1 and set the sequence number to 10.
[SwitchB] ipsec policy use1 10 isakmp
# Specify remote IP address 1.1.1.1 for the IPsec tunnel.
[SwitchB-ipsec-policy-isakmp-use1-10] remote-address 1.1.1.1
# Specify ACL 3101 to identify the traffic to be protected.
[SwitchA-vlan-interface1] quit
# Configure IPv4 advanced ACL 3101 to identify traffic between Switch A and Switch B.
[SwitchA] acl advanced 3101
[SwitchA-acl-ipv4-adv-3101] rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
[SwitchA-acl-ipv4-adv-3101] quit
# Create an IPsec transform set named tran1.
[SwitchA] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel.
[SwitchA-ikev2-profile-profile1] certificate domain domain1
# Set the local ID to FQDN name www.switcha.com.
[SwitchA-ikev2-profile-profile1] identity local fqdn www.switcha.com
# Specify the peer ID that the IKEv2 profile matches. The peer ID is FQDN name www.routerb.com.
[SwitchA-ikev2-profile-profile1] match remote identity fqdn www.routerb.com
[SwitchA-ikev2-profile-profile1] quit
# Create an IKEv2 proposal named 10.
[SwitchB-acl-ipv4-adv-3101] rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.0 0
[SwitchB-acl-ipv4-adv-3101] quit
# Create an IPsec transform set named tran1.
[SwitchB] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel.
[SwitchB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use the ESP protocol for the IPsec transform set.
[SwitchB-ipsec-transform-set-tran1] protocol esp
# Specify the encryption and authentication algorithms.
[SwitchB-ikev2-profile-profile2] match remote identity fqdn www.switcha.com
[SwitchB-ikev2-profile-profile2] quit
# Create an IKEv2 proposal named 10.
[SwitchB] ikev2 proposal 10
# Specify the integrity protection algorithm as HMAC-MD5.
[SwitchB-ikev2-proposal-10] integrity md5
# Specify the encryption algorithm as 3DES-CBC.
[SwitchB-ikev2-proposal-10] encryption 3des-cbc
# Specify the DH group as Group 1.
Troubleshooting IKEv2
IKEv2 negotiation failed because no matching IKEv2 proposals were found
Symptom
The IKEv2 SA is in IN-NEGO status.
<Sysname> display ikev2 sa
Tunnel ID Local Remote Status
---------------------------------------------------------------------------
123.234.234.124/500 123.234.234.123/500 IN-NEGO
Status:
IN-NEGO: Negotiating, EST: Establish, DEL:Deleting
Analysis
Certain IKEv2 proposal settings are incorrect.
Solution
Use the display ikev2 sa command to examine whether an IKEv2 SA exists on both ends. If the IKEv2 SA on one end is lost, delete the IKEv2 SA on the other end by using the reset ikev2 sa command and trigger new negotiation. If an IKEv2 SA exists on both ends, go to the next step.
Configuring SSH
Overview
Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. SSH uses the typical client-server model to establish a channel for secure data transfer based on TCP.
Stages and descriptions
... TCP connection.
Version negotiation: The two parties determine a version to use.
Algorithm negotiation: SSH supports multiple algorithms. Based on the local algorithms, the two parties negotiate the following algorithms:
• Key exchange algorithm for generating session keys.
• ...
NOTE:
SSH1 clients do not support secondary password authentication that is initiated by the AAA server.
Publickey authentication
The server authenticates a client by verifying the digital signature of the client. The publickey authentication process is as follows:
The client sends the server a publickey authentication request that includes the username, public key, and public key algorithm name.
Feature and software version compatibility
The following algorithms are available in Release 1121 and later:
• Public key algorithm ECDSA.
• Suite B algorithms.
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode.
Generating local key pairs
The DSA, ECDSA, or RSA key pairs are required for generating the session keys and session ID in the key exchange stage. They can also be used by a client to authenticate the server. When a client authenticates the server, it compares the public key received from the server with the server's public key that the client saved locally.
Step Command Remarks
1. Enter system view.
  Command: system-view
2. Enable the Stelnet server.
  Command: ssh server enable
  Remarks: By default, the Stelnet server is disabled.
Enabling the SFTP server
After you enable the SFTP server on the device, a client can log in to the device through SFTP.
To enable the SFTP server:
Step Command...
Configuring user lines for SSH login
Depending on the SSH application, an SSH client can be an Stelnet client, SFTP client, SCP client, or NETCONF-over-SSH client. Only Stelnet and NETCONF-over-SSH clients require the user line configuration. The user line configuration takes effect on the clients at the next login.
To configure the user lines for Stelnet and NETCONF-over-SSH clients:
Step Command...
Step Command Remarks
... and carriage returns are removed automatically. For more information, see "Managing public keys."
Return to system view.
  Command: peer-public-key end
Importing the client's host public key from the public key file
Before you import the host public key, upload the client's public key file (in binary) to the server, for example, through FTP or TFTP.
If the authentication method is password, the user role is authorized by the remote AAA server or the local device. If the authentication method is publickey or password-publickey, the user role is specified by the authorization-attribute command in the associated local user view. •...
Step Command Remarks
Enable the SSH server to support SSH1 clients.
  Command: ssh server compatible-ssh1x enable
  Remarks: By default, the SSH server supports SSH1 clients. This command is not available in FIPS mode.
Set the RSA server key pair update interval.
  Command: ssh server rekey-interval hours
  Remarks: By default, the device does not update the RSA server key pair. This command takes effect only ...
The PKI domain specified for the SSH server has the following functions:
• The SSH server uses the PKI domain to send its certificate to the client in the key exchange stage.
• The SSH server uses the PKI domain to authenticate the client's certificate if no PKI domain is specified for client authentication by using the ssh user command.
Establishing a connection to an Stelnet server
When you try to access an Stelnet server, the device must use the server's host public key to authenticate the server. If the server's host public key is not configured on the device, the device will notify you to confirm whether to continue with the access.
Establishing a connection to an Stelnet server based on Suite B
Task Command Remarks
• Establish a connection to an IPv4 Stelnet server based on Suite B:
  ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | escape character | source { interface interface-type interface-number | ip...
To specify the source IP address for SFTP packets:
Step Command Remarks
1. Enter system view.
  Command: system-view
2. Specify the source IP address for SFTP packets.
  • Specify the source IPv4 address for IPv4 SFTP packets:
    sftp client source { ip ip-address | ...
  Remarks: By default, no source IP address is configured for SFTP packets. For IPv4 SFTP packets, the device uses the primary IPv4 address of the interface...
Task Command Remarks
• In non-FIPS mode, establish a connection to an IPv4 SFTP server:
  sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 ...
Working with SFTP directories
Task Command Remarks
Change the working directory on the SFTP server.
  Command: cd [ remote-path ]
  Remarks: Available in SFTP client view.
Return to the upper-level directory.
  Command: cdup
  Remarks: Available in SFTP client view.
Display the current working directory on the SFTP server.
  Command: ...
  Remarks: Available in SFTP client view.
Terminating the connection with the SFTP server
Task Command Remarks
Terminate the connection with the SFTP server and return to user view.
  Command:
  • ...
  • exit
  • quit
  Remarks: Available in SFTP client view. These three commands have the same function.
Configuring the device as an SCP client
This section describes how to configure the device as an SCP client to establish a connection with an SCP server and transfer files with the server.
Task Command Remarks
• In non-FIPS mode, connect to the IPv6 SCP server, and transfer files with this server:
  scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ... interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ... } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | ...
Task Command Remarks
... [ { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ipv6 ipv6-address } ] *
Establishing a connection to an SCP server based on Suite B
Task Command Remarks
• Establish a connection to an IPv4 SCP server based on Suite B:
  scp server [ port-number ] [ vpn-instance ...
If you specify algorithms, SSH2 uses only the specified algorithms for algorithm negotiation. The client uses the specified algorithms to initiate the negotiation, and the server uses the matching algorithms to negotiate with the client. If multiple algorithms of the same type are specified, the algorithm specified earlier has a higher priority during negotiation.
Password authentication enabled Stelnet server configuration example
Network requirements
As shown in Figure ...
• You can log in to Switch through the Stelnet client that runs on the host.
• After login, you are assigned the user role network-admin for configuration management.
• ...
Create the key pair successfully.
# Enable the Stelnet server.
[Switch] ssh server enable
# Assign an IP address to VLAN-interface 2. The Stelnet client uses this IP address as the destination for SSH connection.
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
[Switch-Vlan-interface2] quit
# Set the authentication mode to AAA for the user lines.
Figure 96 Specifying the host name (or IP address)
c. Click Open to connect to the server. If the connection is successfully established, the system notifies you to enter the username and password. After entering the username (client001 in this example) and password (aabbcc in this example), you can enter the CLI of the server.
Configuration procedure In the server configuration, the client's host public key is required. Use the client software to generate RSA key pairs on the client before configuring the Stelnet server. There are different types of Stelnet client software, such as PuTTY and OpenSSH. This example uses an Stelnet client that runs PuTTY version 0.58.
Figure 99 Generating process c. After the key pair is generated, click Save public key to save the public key. A file saving window appears. d. Enter a file name (key.pub in this example), and click Save. Figure 100 Saving a key pair on the client...
e. On the page as shown in Figure 100, click Save private key to save the private key. A confirmation dialog box appears. f. Click Yes. A file saving window appears. g. Enter a file name (private.ppk in this example), and click Save. h.
# Import the client's public key from file key.pub and name it switchkey. [Switch] public-key peer switchkey import sshkey key.pub # Create an SSH user client002. Specify the authentication method as publickey for the user. Assign the public key switchkey to the user. [Switch] ssh user client002 service-type stelnet authentication-type publickey assign publickey switchkey # Create a local device management user client002.
Figure 102 Specifying the preferred SSH version e. Select Connection > SSH > Auth from the navigation tree. The window shown in Figure 103 appears. f. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this example), and click OK.
g. Click Open to connect to the server. If the connection is successfully established, the system notifies you to enter the username. After entering the username (client002), you can enter the CLI of the server. Password authentication enabled Stelnet client configuration example Network requirements As shown in...
# Generate an ECDSA key pair. [SwitchB] public-key local create ecdsa secp256r1 Generating Keys... Create the key pair successfully. # Enable the Stelnet server. [SwitchB] ssh server enable # Assign an IP address to VLAN-interface 2. The Stelnet client uses the address as the destination address of the SSH connection.
[SwitchA-pkey-public-key-key1]DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B 6FD60FE01941DDD77FE6B12893DA76E [SwitchA-pkey-public-key-key1]EBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B 68950387811C7DA33021500C773218C [SwitchA-pkey-public-key-key1]737EC8EE993B4F2DED30F48EDACE915F0281810082269009 14EC474BAF2932E69D3B1F18517AD95 [SwitchA-pkey-public-key-key1]94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D0 492B3959EC6499625BC4FA5082E22C5 [SwitchA-pkey-public-key-key1]B374E16DD00132CE71B020217091AC717B612391C76C1FB2 88317C1BD8171D41ECB83E210C03CC9 [SwitchA-pkey-public-key-key1]B32E810561C21621C73D6DAAC028F4B1585DA7F42519718C 9B09EEF0381840002818000AF995917 [SwitchA-pkey-public-key-key1]E1E570A3F6B1C2411948B3B4FFA256699B3BF871221CC9C5 F257523777D033BEE77FC378145F2AD [SwitchA-pkey-public-key-key1]D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F7 01F7C62621216D5A572C379A32AC290 [SwitchA-pkey-public-key-key1]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465 8716261214A5A3B493E866991113B2D [SwitchA-pkey-public-key-key1]485348 [SwitchA-pkey-public-key-key1] peer-public-key end [SwitchA] quit # Establish an SSH connection to the server, and specify the host public key of the server. <SwitchA>...
Username: client001 Press CTRL+C to abort. Connecting to 192.168.1.40 port 22. The server is not authenticated. Continue? [Y/N]:y Do you want to save the server public key? [Y/N]:y client001@192.168.1.40's password: Enter a character ~ and a dot to abort. ****************************************************************************** * Copyright (c) 2010-2016 Hewlett Packard Enterprise Development LP * Without the owner's prior written consent, * no decompiling or reverse-engineering shall be allowed.
If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys..++++++++++++++++++++++++++++++++++++++++++++++++++* ..+..+..+........+ ...+....+..+...+ Create the key pair successfully. # Export the DSA host public key to file key.pub. [SwitchA] public-key local export dsa ssh2 key.pub [SwitchA] quit # Transmit the public key file key.pub to the server through FTP or TFTP.
[SwitchB-Vlan-interface2] quit # Set the authentication mode to AAA for the user lines. [SwitchB] line vty 0 63 [SwitchB-line-vty0-63] authentication-mode scheme [SwitchB-line-vty0-63] quit # Import the peer public key from the file key.pub, and name it switchkey. [SwitchB] public-key peer switchkey import sshkey key.pub # Create an SSH user client002.
NOTE: You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as an Stelnet client. # Upload the server's certificate file ssh-server-ecdsa256.p12 and the client's certificate file ssh-client-ecdsa256.p12 to the Stelnet client through FTP or TFTP. (Details not shown.) # Create a PKI domain named server256 for verifying the server's certificate and enter its view.
[SwitchB] ssh2 algorithm public-key x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 # Specify server256 as the PKI domain of the server's certificate. [SwitchB] ssh server pki-domain server256 # Enable the Stelnet server. [SwitchB] ssh server enable # Assign an IP address to VLAN-interface 2. [SwitchB] interface vlan-interface 2 [SwitchB-Vlan-interface2] ip address 192.168.1.40 255.255.255.0 [SwitchB-Vlan-interface2] quit # Set the authentication mode to AAA for user lines.
• When the device acts as the SFTP server, it supports only ECDSA and RSA key pairs. If both ECDSA and RSA key pairs exist on the server, the server uses the ECDSA key pair. Password authentication enabled SFTP server configuration example Network requirements As shown in...
[Switch] public-key local create ecdsa secp256r1 Generating Keys... Create the key pair successfully. # Enable the SFTP server. [Switch] sftp server enable # Assign an IP address to VLAN-interface 2. The SFTP client uses the address as the destination for SSH connection. [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.45 255.255.255.0 [Switch-Vlan-interface2] quit...
Figure 108 SFTP client interface Publickey authentication enabled SFTP client configuration example Network requirements As shown in Figure 109: • You can log in to Switch B through the SFTP client that runs on Switch A. • After login, you are assigned the user role network-admin to execute file management and transfer operations.
[SwitchA] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys...
# Assign an IP address to VLAN-interface 2. The SFTP client uses the address as the destination for SSH connection. [SwitchB] interface vlan-interface 2 [SwitchB-Vlan-interface2] ip address 192.168.0.1 255.255.255.0 [SwitchB-Vlan-interface2] quit # Import the peer public key from the file pubkey, and name it switchkey. [SwitchB] public-key peer switchkey import sshkey pubkey # Create an SSH user client001.
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06:30 new1 # Rename directory new1 to new2 and verify the result.
NOTE: You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as an SFTP client. # Upload the server's certificate file ssh-server-ecdsa384.p12 and the client's certificate file ssh-client-ecdsa384.p12 to the SFTP client through FTP or TFTP. (Details not shown.) # Create a PKI domain named server384 for verifying the server's certificate and enter its view.
[SwitchB] ssh2 algorithm public-key x509v3-ecdsa-sha2-nistp384 # Specify server384 as the PKI domain of the server's certificate. [SwitchB] ssh server pki-domain server384 # Enable the SFTP server. [SwitchB] sftp server enable # Assign an IP address to VLAN-interface 2. [SwitchB] interface vlan-interface 2 [SwitchB-Vlan-interface2] ip address 192.168.0.1 255.255.255.0 [SwitchB-Vlan-interface2] quit # Set the authentication mode to AAA for user lines.
• After login, you are assigned the user role network-admin and can securely transfer files with Switch B. • Switch B uses the password authentication method. • The client's username and password are saved on Switch B. Figure 111 Network diagram SCP client SCP server Vlan-int2...
[SwitchB-Vlan-interface2] quit # Create a local device management user client001. [SwitchB] local-user client001 class manage # Specify the plaintext password as aabbcc and the service type as ssh for the user. [SwitchB-luser-manage-client001] password simple aabbcc [SwitchB-luser-manage-client001] service-type ssh # Assign the user role network-admin to the user. [SwitchB-luser-manage-client001] authorization-attribute user-role network-admin [SwitchB-luser-manage-client001] quit # Configure an SSH user client001.
NOTE: You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as an SCP client. # Upload the server's certificate files (ssh-server-ecdsa256.p12 and ssh-server-ecdsa384.p12) and the client's certificate files (ssh-client-ecdsa256.p12 and ssh-client-ecdsa384.p12) to the SCP client through FTP or TFTP.
Issuer: C=CN, ST=BJ, L=BJ, O=AA, OU=Software, CN=SuiteB CA Validity Not Before: Aug 20 10:08:41 2015 GMT Not After : Aug 19 10:08:41 2016 GMT Subject: C=CN, ST=BJ, O=AA, OU=Software, CN=ssh server Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit) pub: 04:4a:33:e5:99:8d:49:45:a7:a3:24:7b:32:6a:ed: b6:36:e1:4d:cc:8c:05:22:f4:3a:7c:5d:b7:be:d1:...
Certificate: Data: Version: 3 (0x2) Serial Number: 2 (0x2) Signature Algorithm: ecdsa-with-SHA384 Issuer: C=CN, ST=BJ, L=BJ, O=AA, OU=Software, CN=SuiteB CA Validity Not Before: Aug 20 10:10:59 2015 GMT Not After : Aug 19 10:10:59 2016 GMT Subject: C=CN, ST=BJ, O=AA, OU=Software, CN=ssh client Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit)
# Create a PKI domain named client256 for verifying the client's certificate ecdsa256 and import the file of this certificate to this domain. Create a PKI domain named server256 for the server's certificate ecdsa256 and import the file of this certificate to this domain. (Details not shown.) # Create a PKI domain named client384 for verifying the client's certificate ecdsa384 and import the file of this certificate to this domain.
Username: client001 Press CTRL+C to abort. Connecting to 192.168.0.1 port 22. src.cfg 100% 4814 4.7KB/s 00:00 <SwitchA> Based on the 192-bit Suite B algorithms: # Specify server384 as the PKI domain of the server's certificate. [SwitchB] ssh server pki-domain server384 # Create an SSH user named client002.
Figure 113 Network diagram (NETCONF-over-SSH client: Host, 192.168.1.56/24; NETCONF-over-SSH server: Switch, Vlan-int2 192.168.1.40/24)
Configuration procedure
# Generate RSA key pairs. <Switch> system-view [Switch] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
[Switch-line-vty0-63] authentication-mode scheme [Switch-line-vty0-63] quit # Create a local device management user client001. [Switch] local-user client001 class manage # Specify the plaintext password as aabbcc and the service type as ssh for the user. [Switch-luser-manage-client001] password simple aabbcc [Switch-luser-manage-client001] service-type ssh # Assign the user role network-admin to the user.
Configuring SSL Overview Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security for TCP-based application layer protocols such as HTTP. SSL has been widely used in applications such as e-business and online banking to provide secure data transmission over the Internet. SSL security services SSL provides the following security services: •...
Figure 115 SSL protocol stack Application layer protocol (e.g. HTTP) SSL handshake protocol SSL change cipher spec protocol SSL alert protocol SSL record protocol The following describes the major functions of SSL protocols: • SSL record protocol—Fragments data received from the upper layer, computes and adds MAC to the data, and encrypts the data.
Step Command Remarks Enter system view. system-view In Release 1111, SSL 3.0 is enabled on the device by Release 1111: default. ssl version ssl3.0 disable In Release 1121 and later, the In Release 1121 and later: default setting is as follows: (Optional.) Disable specific...
Configuring an SSL client policy An SSL client policy is a set of SSL parameters that the client uses to establish a connection to the server. An SSL client policy takes effect only after it is associated with an application such as DDNS. In Release 1111, you can specify the SSL 3.0 or TLS 1.0 for an SSL client policy: •...
Step Command Remarks rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha | rsa_aes_256_cbc_sha256 In Release 1111: • non-FIPS mode: version { ssl3.0 | tls1.0 } • FIPS mode: By default, an SSL client policy version tls1.0 uses TLS 1.0. Specify protocol In Release 1121 and later: version for the SSL client To ensure security, do not •...
Configuring IP source guard Overview IP source guard (IPSG) prevents spoofing attacks by using an IPSG binding table to match legitimate packets. It drops packets that do not match the table. IPSG is a per-interface packet filter. Configuring the feature on one interface does not affect packet forwarding on another interface. The IPSG binding table can include global and interface-specific bindings.
• Global static binding—Binds the IP address and MAC address in system view. The binding takes effect on all interfaces to filter packets for user spoofing attack prevention. • Interface-specific static binding—Binds the IP address, MAC address, VLAN, or any combination of the items in interface view.
Tasks at a glance
(Optional.) Configuring a static IPv6SG binding
Configuring the IPv4SG feature
You cannot configure the IPv4SG feature on a service loopback interface. If IPv4SG is enabled on an interface, you cannot assign the interface to a service loopback group.
Enabling IPv4SG on an interface
When you enable IPSG on an interface, the static and dynamic IPSG are both enabled.
• Layer 3 aggregate interface.
Step: Enable the IPv6SG feature.
Command: ipv6 verify source { ip-address | ip-address mac-address | mac-address }
Remarks: By default, the IPv6SG feature is disabled on an interface. If you configure this command on an interface multiple times, the most recent configuration takes effect.
• Enable DHCP snooping on the switch to make sure the DHCP client obtains an IP address from the authorized DHCP server. To generate a DHCP snooping entry for the DHCP client, enable recording of client information in DHCP snooping entries. •...
Enable dynamic IPv4SG on VLAN-interface 100 to filter incoming packets by using the IPv4SG bindings generated based on DHCP relay entries.
Figure 119 Network diagram (DHCP client Host; Switch as DHCP relay agent with Vlan-int100 and Vlan-int200; DHCP server; labels shown: 10.1.1.1/24, MAC 0001-0203-0406)
Configuration procedure
Configure dynamic IPv4SG: # Configure IP addresses for the interfaces.
Figure 120 Network diagram (Host with IP 2001::1 and MAC 0001-0202-0202 connected to GE1/0/1 of Switch, which connects to the Internet)
Configuration procedure
# Enable IPv6SG on GigabitEthernet 1/0/1. <Switch> system-view [Switch] interface gigabitethernet 1/0/1 [Switch-GigabitEthernet1/0/1] ipv6 verify source ip-address mac-address # On GigabitEthernet 1/0/1, configure a static IPv6SG binding for the host. [Switch-GigabitEthernet1/0/1] ipv6 source binding ip-address 2001::1 mac-address 0001-0202-0202 [Switch-GigabitEthernet1/0/1] quit...
# Configure the interface connecting to the DHCP server as a trusted interface. [Switch] interface gigabitethernet 1/0/2 [Switch-GigabitEthernet1/0/2] ipv6 dhcp snooping trust [Switch-GigabitEthernet1/0/2] quit Enable IPv6SG: # Enable IPv6SG on GigabitEthernet 1/0/1 and verify the source IP address and MAC address for dynamic IPv6SG.
Configuring ARP attack protection ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks. Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
• ARP blackhole routing—Creates a blackhole route destined for an unresolved IP address. The device drops all matching packets until the blackhole route is deleted. A blackhole route is deleted when its aging timer (25 seconds) is reached or the route becomes reachable. After a blackhole route is created for an unresolved IP address, the device immediately starts the first ARP blackhole route probe by sending an ARP request.
Configuration example Network requirements As shown in Figure 122, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20. Each area connects to the gateway (Device) through an access switch. A large number of ARP requests are detected in the office area and are considered the consequence of an unresolvable IP attack.
Configuration guidelines Configure this feature when MFF, ARP attack detection, or ARP snooping is enabled, or when ARP flood attacks are detected. Configuration procedure This task sets a rate limit for ARP packets received on an interface. When the number of ARP packets that the interface receives within a period exceeds the rate limit, those packets are discarded.
an ARP attack entry. Before the entry is aged out, the device handles the attack by using either of the following methods: • Monitor—Only generates log messages. • Filter—Generates log messages and filters out subsequent ARP packets from that MAC address.
Figure 123 Network diagram (IP network; Gateway; Device with ARP attack protection; Server 0012-3f86-e94c; Host A, Host B, Host C, Host D)
Configuration considerations
An attacker might forge a large number of ARP packets by using the MAC address of a valid host as the source MAC address.
Step: Enter system view.
Command: system-view
Step: Enable packet source address consistency check.
Command: arp valid-check enable
Remarks: By default, ARP packet source address consistency check is disabled.
Configuring ARP active acknowledgement
Configure this feature on gateways to prevent user spoofing. ARP active acknowledgement prevents a gateway from generating incorrect ARP entries. In strict mode, a gateway performs more strict validity checks before creating an ARP entry: •...
Step: Enable authorized ARP on the interface.
Command: arp authorized enable
Remarks: By default, authorized ARP is disabled.
Configuration example (on a DHCP server)
Network requirements
As shown in Figure 124, configure authorized ARP on GigabitEthernet 1/0/1 of Switch A (a DHCP server) to ensure user validity.
The output shows that IP address 10.1.1.2 has been assigned to Switch B. Switch B must use the IP address and MAC address in the authorized ARP entry to communicate with Switch A. Otherwise, the communication fails. Thus user validity is ensured. Configuration example (on a DHCP relay agent) Network requirements As shown in...
If a match is found, the ARP packet is considered valid and is forwarded. If no match is found, the ARP packet is considered invalid and is discarded. Static IP source guard bindings are created by using the ip source binding command. For more information, see "Configuring IP source guard."...
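The binding table semantics from the IP source guard overview (global IP+MAC bindings apply on every interface; interface-specific bindings combine IP, MAC and VLAN and apply only on their interface) and the ARP user validity check that reuses that table, as one added example that is not HPE code. The bindings and packets are constructed; the host addresses are taken from the examples above, and the MAC-only binding is an added illustration.

```python
"""IPSG binding table matching and the ARP attack detection user validity check built on it.
Added example, not HPE code; table contents and packets are constructed samples."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


def norm_mac(mac: str) -> str:
    """Normalise 'xxxx-xxxx-xxxx', 'xx:xx:xx:xx:xx:xx' or mixed case to 12 lowercase hex digits."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


def norm_ip(ip: str) -> str:
    """Canonical textual form so '2001:0:0::1' and '2001::1' compare equal."""
    return str(ipaddress.ip_address(ip))


@dataclass(frozen=True)
class Binding:
    ip: Optional[str] = None          # None: IP address is not part of the binding
    mac: Optional[str] = None         # None: MAC address is not part of the binding
    vlan: Optional[int] = None        # None: VLAN is not part of the binding
    interface: Optional[str] = None   # None: global static binding (takes effect on all interfaces)

    def __post_init__(self):
        if self.ip is None and self.mac is None:
            raise ValueError("a binding needs at least an IP address or a MAC address")
        if self.ip is not None:
            object.__setattr__(self, "ip", norm_ip(self.ip))
        if self.mac is not None:
            object.__setattr__(self, "mac", norm_mac(self.mac))


@dataclass(frozen=True)
class Packet:
    interface: str   # receiving interface
    vlan: int
    src_ip: str      # for an ARP packet: sender IP address
    src_mac: str     # for an ARP packet: sender MAC address


class IPSGTable:
    def __init__(self, bindings: Iterable[Binding]):
        self.bindings: List[Binding] = list(bindings)

    def find(self, pkt: Packet) -> Optional[Binding]:
        """Return the first binding the packet matches, or None (the packet is dropped)."""
        ip, mac = norm_ip(pkt.src_ip), norm_mac(pkt.src_mac)
        for b in self.bindings:
            if b.interface is not None and b.interface != pkt.interface:
                continue   # interface-specific binding only takes effect on its own interface
            if b.ip is not None and b.ip != ip:
                continue
            if b.mac is not None and b.mac != mac:
                continue
            if b.vlan is not None and b.vlan != pkt.vlan:
                continue
            return b
        return None

    def permits(self, pkt: Packet) -> bool:
        return self.find(pkt) is not None


def arp_user_validity_check(table: IPSGTable, arp: Packet) -> str:
    """ARP attack detection user validity check: forward an ARP packet whose sender
    IP/MAC matches a binding on the receiving interface, discard everything else."""
    return "forward" if table.permits(arp) else "discard"


# Constructed table: a global binding, an interface-specific IP+MAC binding, and an
# interface-specific MAC+VLAN binding (no IP), all allowed by the binding rules above.
TABLE = IPSGTable([
    Binding(ip="10.1.1.1", mac="0001-0203-0406"),                       # global static binding
    Binding(ip="2001::1", mac="0001-0202-0202", interface="GE1/0/1"),   # interface-specific
    Binding(mac="00e0-fc00-0001", vlan=100, interface="GE1/0/5"),       # MAC + VLAN only
])

if __name__ == "__main__":
    print(arp_user_validity_check(TABLE, Packet("GE1/0/2", 20, "10.1.1.1", "0001-0203-0406")))
    print(arp_user_validity_check(TABLE, Packet("GE1/0/2", 20, "10.1.1.1", "aaaa-bbbb-cccc")))
```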
Step: Enter VLAN view.
Command: vlan vlan-id
Step: Enable ARP attack detection.
Command: arp detection enable
Remarks: By default, ARP attack detection is disabled.
Step: Return to system view.
Command: quit
Step: Enable ARP packet validity check and specify the objects to be checked.
Command: arp detection validate { dst-mac | ip | src-mac }
Remarks: By default, ARP packet validity check is disabled.
The following is an example of an ARP attack detection log message: Detected an inspection occurred on interface GigabitEthernet1/0/1 with IP address 172.18.48.55 (Total 10 packets dropped). To enable ARP attack detection logging: Step Command Remarks Enter system view. system-view Enable attack By default, ARP attack detection...
Configuration procedure Add all interfaces on Switch B to VLAN 10, and specify the IP address of VLAN-interface 10 on Switch A. (Details not shown.) Configure the DHCP server on Switch A, and configure DHCP address pool 0. <SwitchA> system-view [SwitchA] dhcp enable [SwitchA] dhcp server ip-pool 0 [SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0...
Figure 127 Network diagram (Switch A: gateway and DHCP server, Vlan-int10 10.1.1.1/24, GE1/0/3; Switch B: DHCP snooping, GE1/0/3 uplink, GE1/0/1 to Host A, GE1/0/2 to Host B; VLAN 10; labels shown near the hosts: 10.1.1.6, DHCP client, 0001-0203-0607)
Configuration procedure
Configure VLAN 10, add interfaces to VLAN 10, and specify the IP address of the VLAN interface.
# Configure port isolation. [SwitchB] port-isolate group 1 [SwitchB] interface gigabitethernet 1/0/1 [SwitchB-GigabitEthernet1/0/1] port-isolate enable group 1 [SwitchB-GigabitEthernet1/0/1] quit [SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] port-isolate enable group 1 [SwitchB-GigabitEthernet1/0/2] quit After the configurations are completed, Switch B first checks the validity of ARP packets received on interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
Configuration example Network requirements As shown in Figure 128, Host B launches gateway spoofing attacks to Switch B. As a result, traffic that Switch B intends to send to Switch A is sent to Host B. Configure Switch B to block such attacks. Figure 128 Network diagram Gateway Switch A...
• If ARP filtering works with ARP attack detection, MFF, and ARP snooping, ARP filtering applies first.
Configuration procedure
To configure ARP filtering:
Step: Enter system view.
Command: system-view
Step: Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.
Command: interface interface-type interface-number
Remarks: N/A
Verifying the configuration # Verify that GigabitEthernet 1/0/1 permits ARP packets from Host A and discards other ARP packets. # Verify that GigabitEthernet 1/0/2 permits ARP packets from Host B and discards other ARP packets.
Configuring MFF Overview MAC-forced forwarding (MFF) implements Layer 2 isolation and Layer 3 communication between hosts in the same broadcast domain. An MFF enabled device intercepts ARP requests and returns the MAC address of a gateway (or server) to the senders. In this way, the senders are forced to send packets to the gateway for traffic monitoring and attack prevention.
Basic concepts An MFF-enabled device has two types of ports: user port and network port. User port An MFF user port is directly connected to a host and processes the following packets differently: • Allows multicast packets to pass. • Delivers ARP packets to the CPU.
MFF working mechanism An MFF-enabled device implements Layer 3 communication between hosts by intercepting ARP requests from the hosts and replying with the MAC address of a gateway. This mechanism helps reduce the number of broadcast messages. The MFF device processes ARP packets as follows: •...
Enabling periodic gateway probe You can configure the MFF device to probe gateways every 30 seconds for MAC address changes by sending forged ARP packets. The ARP packets use 0.0.0.0 as the sender IP address and the bridge MAC address as the sender MAC address. This feature is supported by MFF manual mode.
Task: Display the MFF configuration information for a VLAN.
Command: display mac-forced-forwarding vlan vlan-id
MFF configuration examples
Manual-mode MFF configuration example in a tree network
Network requirements
As shown in Figure 131, all the devices are in VLAN 100. Hosts A, B, and C are assigned IP addresses manually.
[SwitchB-vlan100] mac-forced-forwarding server 10.1.1.200 # Enable ARP snooping on VLAN 100. [SwitchB-vlan100] arp snooping enable [SwitchB-vlan100] quit # Configure GigabitEthernet 1/0/6 as a network port. [SwitchB] interface gigabitethernet 1/0/6 [SwitchB-GigabitEthernet1/0/6] mac-forced-forwarding network-port Manual-mode MFF configuration example in a ring network Network requirements As shown in Figure...
[SwitchA] interface gigabitethernet 1/0/3 [SwitchA-GigabitEthernet1/0/3] mac-forced-forwarding network-port Configure Switch B: # Enable STP globally to make sure STP is enabled on interfaces. [SwitchB] stp global enable # Configure manual-mode MFF on VLAN 100. [SwitchB] vlan 100 [SwitchB-vlan100] mac-forced-forwarding default-gateway 10.1.1.100 # Specify the IP address of the server.
Configuring uRPF Overview Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.
Figure 134 uRPF work flow (flow chart; decision nodes: Broadcast source address? All-zero source address? Broadcast destination address? Matching FIB entry found? Default route found? Loose uRPF? Matching route is a direct route? Receiving interface matches the output interface of the default route?; terminal node: Discards the packet)...
If yes, uRPF proceeds to step 3. If no, uRPF proceeds to step 6. uRPF checks whether the check mode is loose: If yes, uRPF proceeds to step 8. If no, uRPF checks whether the matching route is a direct route: ...
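The strict and loose checks walked through in the steps above, as an added example that is not HPE code. It follows the decision nodes of the work flow (broadcast or all-zero source, broadcast destination, FIB match, default route, loose versus strict); the exact branch order, the direct-route node (omitted here) and the all-zero-source handling are assumptions, and the FIB is constructed.

```python
"""Strict/loose uRPF check over a small IPv4 FIB. Added example, not HPE code;
branch order and all-zero-source handling are assumptions, the FIB is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

BROADCAST = ipaddress.ip_address("255.255.255.255")
ALL_ZERO = ipaddress.ip_address("0.0.0.0")


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_interface: str   # interface the route points to, i.e. the expected reverse path


class FIB:
    def __init__(self, routes: List[Route]):
        # Longest prefix first, so the first hit in lookup() is the best match;
        # a 0.0.0.0/0 entry, if present, is the default route and is tried last.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr: ipaddress.IPv4Address) -> Optional[Route]:
        for r in self.routes:
            if addr in r.prefix:
                return r
        return None


def urpf_check(fib: FIB, src: str, dst: str, in_interface: str, loose: bool) -> bool:
    """Return True if the packet passes uRPF (may be forwarded), False if it is discarded."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s == BROADCAST:
        return False                       # broadcast source address: discard
    if s == ALL_ZERO:
        # Assumption: an all-zero source is accepted only when the destination is
        # broadcast (address-acquisition traffic); any other destination is discarded.
        return d == BROADCAST
    route = fib.lookup(s)                  # includes the default route when present
    if route is None:
        return False                       # no matching FIB entry, no default route: discard
    if loose:
        return True                        # loose mode: any reverse route is enough
    # Strict mode: the reverse route (specific or default) must point back out of
    # the interface the packet arrived on.
    return route.out_interface == in_interface


# Constructed FIB: two customer prefixes and a default route towards the upstream.
SAMPLE_FIB = FIB([
    Route(ipaddress.ip_network("10.1.1.0/24"), "Vlan-int10"),
    Route(ipaddress.ip_network("192.168.0.0/16"), "Vlan-int20"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "Vlan-int30"),
])

if __name__ == "__main__":
    # Spoofed 10.1.1.x source arriving from the upstream side: strict drops, loose passes.
    print(urpf_check(SAMPLE_FIB, "10.1.1.5", "192.168.1.1", "Vlan-int30", loose=False))
    print(urpf_check(SAMPLE_FIB, "10.1.1.5", "192.168.1.1", "Vlan-int30", loose=True))
```

Strict mode is what catches a source address that belongs to one interface but arrives on another, which is why the text places it between an ISP and its customer; loose mode only rejects sources that no route covers.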
Network application
Figure 135 Network diagram (ISP A, ISP B and ISP C interconnected with loose uRPF; User connected to an ISP with strict uRPF)
As shown in Figure 135, strict uRPF check is configured between an ISP network and a customer network. Loose uRPF check is configured between ISPs.
Enabling uRPF
When you enable uRPF, follow these restrictions and guidelines: •...
Task: Display uRPF configuration.
Command: display ip urpf [ slot slot-number ]
uRPF configuration example
Network requirements
As shown in Figure 136, a client (Switch A) directly connects to an ISP switch (Switch B). Enable strict uRPF check on Switch A and Switch B to prevent source address spoofing attacks.
Figure 136 Network diagram (Switch A Vlan-int10 to Switch B Vlan-int10)...
Configuring crypto engines Overview Crypto engines encrypt and decrypt data for service modules. Crypto engines include the following types: • Hardware crypto engines—A hardware crypto engine is a coprocessor integrated on a CPU or hardware crypto card. Hardware crypto engines can accelerate encryption/decryption speed, which improves device processing efficiency.
Configuring FIPS Overview Federal Information Processing Standards (FIPS) were developed by the National Institute of Standards and Technology (NIST) of the United States. FIPS specifies the requirements for cryptographic modules. FIPS 140-2 defines four levels of security, named Level 1 to Level 4, from low to high.
e. Delete the local user and configure a new local user. Local user attributes include password, user role, and service type. f. Save the current configuration file. g. Specify the current configuration file as the startup configuration file. h. Reboot the device. The new configuration takes effect after the reboot. During this process, do not exit the system or perform other operations.
A password that complies with the password control policies in step and step 3. A user role of network-admin. A service type of terminal. Delete the FIPS-incompliant local user service types Telnet, HTTP, and FTP. Enable FIPS mode. Select the manual reboot method.
characters and 4 character types of uppercase and lowercase letters, digits, and special characters. Exiting FIPS mode After you disable FIPS mode and reboot the device, the device operates in non-FIPS mode. The system provides two methods to exit FIPS mode: automatic reboot and manual reboot. Automatic reboot Select the automatic reboot method.
NOTE: If a self-test fails, contact Hewlett Packard Enterprise Support. Power-up self-tests The power-up self-test examines the availability of FIPS-allowed cryptographic algorithms. The device supports the following types of power-up self-tests: • Known-answer test (KAT) A cryptographic algorithm is run on data for which the correct output is already known. The calculated output is compared with the known answer.
• Signature and authentication PWCT test—This test is run when a DSA/RSA asymmetrical key pair is generated. It uses the private key to sign the specific data, and then uses the public key to authenticate the signed data. If the authentication is successful, the test succeeds. •...
Confirm password: Waiting for reboot... After reboot, the device will enter FIPS mode. Verifying the configuration After the device reboots, enter a username of root and a password of 12345zxcvb!@#$%ZXCVB. The system prompts you to configure a new password. After you configure the new password, the device enters FIPS mode.
# Set the number of character types a password must contain to 4, and set the minimum number of characters for each type to one character. [Sysname] password-control composition type-number 4 type-length 1 # Set the minimum length of user passwords to 15 characters. [Sysname] password-control length 15 # Add a local user account for device management, including a username of test, a password of 12345zxcvb!@#$%ZXCVB, a user role of network-admin, and a service type of terminal.
Updating user information. Please wait ... <Sysname> # Display the current FIPS mode state. <Sysname> display fips status FIPS mode is enabled. Exiting FIPS mode through automatic reboot Network requirements A user has logged in to the device in FIPS mode through a console port. Use the automatic reboot method to exit FIPS mode.
[Sysname] save The current configuration will be written to the device. Are you sure? [Y/N]:y Please input the file name(*.cfg)[flash:/startup.cfg] (To leave the existing filename unchanged, press the enter key): flash:/startup.cfg exists, overwrite? [Y/N]:y Validating file. Please wait... Saved the current configuration to device successfully. [Sysname] quit # Delete the startup configuration file in binary format.
Configuring user profiles Overview A user profile saves a set of predefined parameters, such as a QoS policy. The user profile application allows flexible traffic policing on a per-user basis. Each time a user passes authentication, the device automatically applies the parameters in the user profile to this user.
Configuring parameters for a user profile Configurations in user profile view take effect only after the device applies the user profile to the user. Configuring QoS parameters for traffic management To configure QoS parameters: Step Command Remarks Enter system view. system-view Enter user profile view.
Figure 137 Network diagram (User A, User B and User C in domain user, connected to GE1/0/1 of Switch, which connects to the Internet)
Configuration procedure
Configure a QoS policy to control the access time for User A: # Create periodic time range for_usera, setting it to be active from 8:30 to 12:00 daily. [Switch] time-range for_usera 8:30 to 12:00 daily # Configure IPv4 basic ACL 2000 to identify packets in time range for_usera.
# Create traffic behavior for_userb, and configure a CAR action in traffic behavior database. Set the CIR to 2000 kbps. [Switch] traffic behavior for_userb [Switch-behavior-for_userb] car cir 2000 [Switch-behavior-for_userb] quit # Create QoS policy for_userb, and associate traffic class class with traffic behavior for_userb.
# Set the password of local user userb to b12345 in plain text.
[Switch-luser-network-userb] password simple b12345
# Specify the service type as lan-access for userb.
[Switch-luser-network-userb] service-type lan-access
# Configure the authorization user profile as userb.
[Switch-luser-network-userb] authorization-attribute user-profile userb
[Switch-luser-network-userb] quit
# Add local user userc.
Network attributes:
  Interface    : GigabitEthernet1/0/1
  MAC address  : 6805-ca06-557b
  Service VLAN : 1
  User-Profile : userb
  Inbound:
    Policy: for_userb
    slot 1:
User -:
  Authentication type: 802.1X
Network attributes:
  Interface    : GigabitEthernet1/0/1
  MAC address  : 80c1-6ee0-2664
  Service VLAN : 1
  User-Profile : userc
  Outbound:
    Policy: for_userc
    slot 1:...
Configuring attack detection and prevention
Overview
Attack detection and prevention enables a device to detect attacks by inspecting arriving packets, and to take prevention actions, such as packet dropping, to protect a private network. The device supports only TCP fragment attack prevention.
Configuring TCP fragment attack prevention
The TCP fragment attack prevention feature enables the device to drop attack TCP fragments, preventing TCP fragment attacks that a traditional packet filter cannot detect.
Configuring MACsec
Overview
Media Access Control Security (MACsec) secures data communication on IEEE 802 LANs. MACsec provides services such as data encryption, frame integrity check, and data origin validation for frames on the MAC sublayer of the Data Link Layer.
Basic concepts
Connectivity association (CA) is a group of participants that use the same key and key algorithm.
MACsec applications
MACsec supports the following application modes:
• Client-oriented mode—Secures data transmission between the client and the access device. In this mode, the authentication server generates and distributes the CAK-related parameters to the client and the access device. In this mode, MACsec must operate with 802.1X authentication.
The interfaces on the HPE 5130/5510 10GBASE-T 2-port Module (JH156A) and HPE 5130/5510 10GbE SFP+ 2-port Module (JH157A) interface modules installed on switch models other than the HPE 5510 24G SFP 4SFP+ HI 1-slot Switch (JH149A). These interface modules do not support hot swapping if MKA is enabled on such interfaces.
MACsec configuration task list
In device-oriented mode, the MACsec configuration takes effect on Layer 2 and Layer 3 Ethernet ports. In client-oriented mode, the MACsec configuration takes effect only on 802.1X-enabled ports.
To configure MACsec, perform the following tasks:
Tasks at a glance / Remarks
(Required.) Enabling MKA...
• A minimum of one participant is enabled with MACsec desire.
To enable MACsec desire:
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
3. Enable MACsec desire: macsec desire (By default, the port does not expect MACsec protection for outbound frames.)
In client-oriented mode, the access device port automatically becomes the key server. You do not have to configure the MKA key server priority. In device-oriented mode, the port that has higher priority becomes the key server. If a port and its peers have the same priority, MACsec compares the secure channel identifier (SCI) values on the ports.
Configuring MACsec replay protection
The MACsec replay protection feature allows a MACsec port to accept a number of out-of-order or repeated inbound frames. The configured replay protection window size is effective only when MACsec replay protection is enabled.
To configure MACsec replay protection:
Step / Command / Remarks...
Step / Command / Remarks (table continued)
The settings for parameters in the default policy are the same as the default settings for the parameters on a port. You cannot delete or modify the default MKA policy. You can create multiple MKA policies.
The default setting is 0.
(Optional.) Configure macsec...
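The replay-protection window described above, modelled as an added example (this is not code from the HPE guide): a receive-side check that follows the IEEE 802.1AE rule that an inbound secure association tracks the next expected packet number and drops frames older than the window. The packet-number sequence is constructed for the demonstration.

```python
# Added example, not code from the HPE guide: a model of the receive-side
# replay check that MACsec replay protection applies on an inbound secure
# association (SA).  Following IEEE 802.1AE, the SA tracks next_pn, the next
# packet number (PN) it expects; with replay protection enabled and a window of
# W frames, a frame whose PN is below lowest_pn = max(next_pn - W, 1) is
# dropped and everything else is accepted.  That is what lets a port accept up
# to W out-of-order or repeated frames; window 0 enforces strict ordering.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ReplayChecker:
    replay_protect: bool   # corresponds to enabling MACsec replay protection
    window: int            # corresponds to the configured window size
    next_pn: int = 1       # a fresh SA expects PN 1 first
    dropped: int = 0

    def lowest_pn(self) -> int:
        """Smallest PN the SA still accepts (never below 1)."""
        return max(self.next_pn - self.window, 1)

    def accept(self, pn: int) -> bool:
        """Return True if a frame carrying this PN passes the replay check."""
        if self.replay_protect and pn < self.lowest_pn():
            self.dropped += 1
            return False
        # Accepted frames only ever move the expectation forward; a late or
        # repeated frame inside the window leaves next_pn unchanged.
        self.next_pn = max(self.next_pn, pn + 1)
        return True


def check_sequence(replay_protect: bool, window: int,
                   pns: List[int]) -> Tuple[List[bool], int]:
    """Run one SA over a PN sequence; returns per-frame verdicts and drop count."""
    chk = ReplayChecker(replay_protect, window)
    verdicts = [chk.accept(pn) for pn in pns]
    return verdicts, chk.dropped


# Constructed PN sequence: in-order frames, a swap (5 before 4), a duplicate
# (6 twice), an old frame (2) and a frame (7) arriving after 9.
SAMPLE_PNS = [1, 2, 3, 5, 4, 6, 6, 2, 9, 7]


def demo() -> dict:
    """Compare verdicts for window 2, strict window 0, and protection off."""
    return {
        "window2": check_sequence(True, 2, SAMPLE_PNS),
        "window0": check_sequence(True, 0, SAMPLE_PNS),
        "off": check_sequence(False, 0, SAMPLE_PNS),
    }


if __name__ == "__main__":
    for name, (verdicts, dropped) in demo().items():
        print(f"{name}: dropped {dropped} ->",
              ["ok" if v else "DROP" for v in verdicts])
```

With protection off the window is ignored and every frame passes, which matches the note above that the window size only takes effect once replay protection is enabled.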
Device-oriented MACsec configuration example
Network requirements
As shown in Figure 143, Device A is the MACsec key server. To secure data transmission between the two devices by MACsec, perform the following tasks on Device A and Device B, respectively:
• Set the MACsec confidentiality offset to 30 bytes.
# Set the MKA key server priority to 10.
[DeviceB-GigabitEthernet1/0/1] mka priority 10
# Configure the CKN as E9AC and the CAK as 09DB3EF1 in plain text.
[DeviceB-GigabitEthernet1/0/1] mka psk ckn E9AC cak simple 09DB3EF1
# Set the MACsec confidentiality offset to 30 bytes.
[DeviceB-GigabitEthernet1/0/1] macsec confidentiality-offset 30
# Enable MACsec replay protection.
Principal actor        : Yes
MKA session status     : Secured
Confidentiality offset : 30 bytes
Current SAK status     : Rx & Tx
Current SAK AN
Current SAK KI (KN)    : 85E004AF49934720AC5131D300000003 (3)
Previous SAK status    : N/A
Previous SAK AN        : N/A
Previous SAK KI (KN)   : N/A
Live peer list:...
Current SAK KI (KN)    : 85E004AF49934720AC5131D300000003 (3)
Previous SAK status    : N/A
Previous SAK AN        : N/A
Previous SAK KI (KN)   : N/A
Live peer list:
  Priority Capability Rx-SCI
  85E004AF49934720AC5131D3 1216 00E00100000A0006
Troubleshooting MACsec
Symptom
The devices cannot establish MKA sessions when the following conditions exist:
•...
Configuring ND attack defense
Overview
IPv6 Neighbor Discovery (ND) attack defense is able to identify forged ND messages to prevent ND attacks. The IPv6 ND protocol does not provide any security mechanisms and is vulnerable to network attacks.
As shown in Figure 144, an attacker can send the following forged ICMPv6 messages to perform ND attacks:...
Configuring ND attack detection
About ND attack detection
ND attack detection checks incoming ND messages for user validity to prevent spoofing attacks. It is typically configured on access devices.
ND attack detection defines the following types of interfaces:
• ND trusted interface—The device directly forwards ND messages or data packets received by ND trusted interfaces.
Step / Command / Remarks (table continued)
... disabled.
Return to system view: quit
Enter Layer 2 Ethernet or aggregate interface view: interface interface-type interface-number
(Optional.) Configure the interface as an ND trusted interface: ipv6 nd detection trust (By default, all interfaces are ND untrusted interfaces.)
Displaying and maintaining ND attack detection
Execute display commands in any view and reset commands in user view.
Verifying the configuration
Verify that Device B inspects all ND messages received by GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 based on the ND snooping entries. (Details not shown.)
Configuring RA guard
About RA guard
RA guard allows Layer 2 access devices to analyze and block unwanted and forged RA messages. Upon receiving an RA message, the device makes the forwarding or dropping decision based on the role of the attached device or the RA guard policy.
Step / Command / Remarks (table continued)
... criterion: ... { ipv6-acl-number | name ipv6-acl-name } (By default, no ... criterion exists.)
Specify a prefix match criterion: if-match prefix { ipv6-acl-number | name ipv6-acl-name } (By default, no prefix match criterion exists.)
Specify a router preference match criterion: if-match router-preference maximum { high | low | (By default, no router preference match criterion exists.)
Task / Command (table continued)
... interface-number ]
Clear RA guard statistics: reset ipv6 nd raguard statistics [ interface interface-type interface-number ]
RA guard configuration example
Network requirements
As shown in Figure 146, GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 of Device B are in VLAN 10. Configure RA guard on Device B to filter forged and unwanted RA messages.
# Assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to VLAN 10.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port link-type access
[DeviceB-GigabitEthernet1/0/1] port access vlan 10
[DeviceB-GigabitEthernet1/0/1] quit
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port link-type access
[DeviceB-GigabitEthernet1/0/2] port access vlan 10
[DeviceB-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet 1/0/3 to trunk VLAN 10.
Document conventions and icons
Conventions
This section describes the conventions used in the documentation.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.
Command conventions
Convention / Description
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Network topology icons
Convention / Description
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Support and other resources
Accessing Hewlett Packard Enterprise Support
• For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance
• To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc
Information to collect
•...
For more information and device support details, go to the following website: www.hpe.com/info/insightremotesupport/docs
Documentation feedback
Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
security portal authentication client, AAA RADIUS server SSH user authentication+authorization, security portal authentication server, AAA RADIUS session-control, security user profile configuration, AAA SSH user local authentication+HWTACACS SSH configuration, authorization+RADIUS accounting, SSH methods, MAC authentication authorization VLAN, SSH SCP file transfer+password port security authorization-fail-offline feature, authentication, port security server authorization information...
troubleshooting PKI CA certificate import security portal authentication, failure, security portal authentication system troubleshooting PKI CA certificate obtain components, failure, SSL client policy configuration, CA (MACsec), command CAK (MACsec), AAA command accounting method, AAA command authorization method, user profile configuration, comparing certificate 802.1X EAP relay/termination authentication,...
security IPsec tunnel for IPv4 packets AAA RADIUS server SSH user (manual), authentication+authorization, security SSH SCP, AAA RADIUS server status detection test profile, security SSH SCP (Suite B), AAA scheme, SSH, AAA SSH user local authentication+HWTACACS SSH client host public key, authorization+RADIUS accounting, SSH SCP file+password authentication, AAA user group attributes,...
IPsec IKEv2 policy, port security client macAddressElseUserLoginSecure, IPsec IKEv2 profile, port security client userLoginWithOUI, IPsec IKEv2 proposal, port security features, IPv4 source guard (IPv4SG), port security intrusion protection, IPv4 source guard (IPv4SG) static binding, port security MAC address autoLearn, IPv6 ND attack defense, port security NTK feature, IPv6 ND attack defense RA guard, port security secure MAC addresses,...
security portal authentication server detection, security IPsec packet DF bit copy, creating security portal authentication server AAA HWTACACS scheme, detection+user synchronization, AAA ISP domain, security portal authentication source subnet, AAA LDAP scheme, AAA RADIUS scheme, security portal authentication user online local key pair, detection, security LDAP server,...
delay MAC authentication (local), 802.1X guest VLAN assignment delay, MAC authentication (RADIUS-based), delaying MAC authentication ACL assignment, MAC authentication delay, MAC authentication configuration, delimiter (802.1X domain name), MACsec (device-oriented), MACsec operation (device-oriented), security IPsec encryption algorithm, MFF server IP address, desire NETCONF-over-SSH+password authentication configuration,...
SSH SFTP server configuration (password PKI peer certificate, authentication-enabled), PKI RA certificate, SSH SFTP server enable, PKI RSA Keon CA server certificate request, SSL server policy configuration, PKI storage path, uRPF configuration, PKI verification (CRL checking), DF bit PKI verification (w/o CRL checking), security IPsec packet DF bit clear, PKI Windows 2003 CA server certificate request, security IPsec packet DF bit copy,...
802.1X mandatory port authentication 802.1X relay/termination authentication, domain, EAPOL 802.1X supported domain name delimiters, 802.1X authentication (access device initiated), AAA ISP domain accounting method, AAA ISP domain attribute, 802.1X authentication (client-initiated), AAA ISP domain authentication method, 802.1X packet format, AAA ISP domain authorization method, ECDSA MAC authentication, feature and software version compatibility,...
SSH SCP server, SSH SFTP server connection, SSH Secure Telnet server, SSH SFTP server connection based on Suite B, SSH SFTP server, Ethernet uRPF, 802.1X overview, encapsulating ARP attack protection configuration, 802.1X RADIUS EAP-Message attribute, exiting security IPsec ACL de-encapsulated packet check, FIPS mode (automatic reboot), 447, 452...
IKE profile configuration, troubleshooting IKE negotiation failure (no proposal match), IKE proposal, troubleshooting IKE negotiation failure (no IKE SA max number, proposal or keychain specified correctly), IKE security mechanism, troubleshooting SA negotiation failure (invalid IKE SNMP notification, identity info), IKEv2 configuration, 309, 311, 318 troubleshooting SA negotiation failure (no IKEv2 cookie challenge,...
RA guard display, key pair RA guard logging enable, SSH server generation, RA guard maintain, keychain RA guard policy configuration, IPsec IKEv2 keychain, IPv6 ND attack detection security IPsec IKE keychain, configuration, 478, 479 keyword display, security IPsec ACL rule keywords, feature and software version compatibility, maintain, 802.1X overview,...
user attribute, logging in versions, AAA concurrent login user max, Lightweight Directory Access Protocol. Use LDAP RADIUS Login-Service attribute, limiting logging out ARP packet rate limit, security portal authentication users, port security secure MAC addresses, login load sharing security password expired login, AAA RADIUS server load sharing, security password user first login, local...
ARP attack protection configuration, port security secure MAC learning control, IPsec IKEv2 message retransmission, port security userLogin 802.1X authentication, Message Authentication Code. Use port security userLoginSecure 802.1X authentication, basic concepts, port security userLoginSecureExt 802.1X configuration, 431, 433, 435 authentication, configuration (manual-mode in ring network), port security userLoginWithOUI 802.1X authentication, configuration (manual-mode in tree network),...
802.1X related protocols, IPsec IKEv2 keepalive, 802.1X VLAN manipulation, security IPsec IKE keepalive, 802.1X+ACL assignment configuration, ND attack defense AAA device implementation, IPv6. See IPv6 ND attack defense AAA HWTACACS implementation, need to know. Use AAA HWTACACS scheme, negotiating AAA HWTACACS server SSH user, IPsec IKEv2 negotiation, AAA ISP domain accounting method, security IPsec IKE negotiation,...
authorized ARP configuration, MAC authentication guest VLAN, 104, 111 authorized ARP configuration (DHCP relay MAC authentication keep-online, agent), MAC authentication multi-VLAN mode, authorized ARP configuration (DHCP server), MAC authentication offline detection enable, MAC authentication timer, dynamic IPv4 source guard (IPv4SG)+DHCP MAC authentication user account format, relay agent configuration, MAC authentication user profile assignment,...
port security client security password control global parameters, macAddressElseUserLoginSecure, security password control local user parameters, port security client userLoginWithOUI, port security features, 185, 190 security password control user group parameters, port security intrusion protection, security portal authentication AAA server, port security MAC address autoLearn, security portal authentication client, port security MAC address learning control, security portal authentication domain,...
SSH SFTP server connection establishment security IPsec tunnel for IPv4 packets based on Suite B, (IKE-based), SSH SFTP server connection termination, security IPsec tunnel for IPv4 packets (manual), SSH SFTP server enable, security password control, 209, 213 SSH user configuration, security password control configuration, SSH2 algorithms, security portal authentication,...
IP source guard (IPSG) configuration, 400, 401, packet IPv6 ND attack defense configuration, 802.1X EAP format, IPv6 ND attack defense RA guard configuration, 802.1X EAPOL format, 481, 483 802.1X format, IPv6 ND attack detection, AAA HWTACACS outgoing packet source IP static IPv4 source guard (IPv4SG) configuration, address, AAA HWTACACS packet exchange process,...
password complexity checking, FIPS compliance, password composition checking, local digital certificate, password expiration, 207, 207 MPLS L3VPN support, password history, OpenCA server certificate request, password min length, operation, password not displayed, peer digital certificate, password setting, peer host public key entry, password updating, 207, 207 public key import from file,...
direct configuration, Web server configuration, direct configuration (local portal Web server), Web server detection configuration, 144, 179 Web server reference, direct/cross-subnet authentication process power-up self-test, (with CHAP/PAP authentication), PPPoE displaying, security user profile configuration, domain specification, preshared key (PSK) enabling, MACsec configuration, extended cross-subnet, preventing...
configuring AAA LDAP user attributes, configuring direct portal authentication (local portal Web server), 144, 179 configuring AAA local user, configuring dynamic IPv4 source guard configuring AAA local user attributes, (IPv4SG)+DHCP snooping, configuring AAA NAS-ID profile, configuring dynamic IPv6 source guard configuring AAA RADIUS accounting-on, (IPv6SG)+DHCPv6 snooping, configuring AAA RADIUS Login-Service...
displaying SSH SFTP help information, enabling SSH SFTP server, displaying SSL, enabling uRPF, displaying uRPF, entering FIPS mode (automatic reboot), 445, 449 distributing local host public key, entering FIPS mode (manual reboot), 445, 450 enabling 802.1X, entering peer host public key, 221, 221 enabling 802.1X critical voice VLAN, entering SSH client host public key,...
referencing security portal authentication Web specifying AAA HWTACACS scheme VPN, server, specifying AAA HWTACACS shared keys, removing PKI certificate, specifying AAA LDAP authentication server, requesting PKI certificate request, specifying AAA LDAP version, sending EAP-Success packets, specifying AAA RADIUS accounting server parameters, setting 802.1X authentication attempts max number for MAC authenticated users,...
troubleshooting PKI local certificate request MACsec protection parameter (MKA policy), failure, MACsec replay protection, 461, 468 troubleshooting PKI storage path set failure, protocols and standards 802.1X overview, troubleshooting port security mode cannot be 802.1X related protocols, set, AAA, troubleshooting port security secure MAC AAA HWTACACS, 6, 13 addresses,...
security policy server IP address, server load sharing, server status, IPv6 ND attack defense device role, server status detection test profile, IPv6 ND attack defense RA guard session-control, configuration, 481, 483 shared keys, IPv6 ND attack defense RA guard logging enable, SNMP notification enable, IPv6 ND attack defense RA guard policy,...
Remote Authentication Dial-In User Service. Use SSH configuration, RADIUS SSH server configuration, removing PKI certificate, host public key display, replaying host public key export, MACsec replay protection, peer host public key entry, request PKI certificate export, PKI certificate request abort, PKI OpenCA server certificate request, requesting PKI RSA Keon CA server certificate request,...
802.1X enable, client device configuration, 802.1X guest VLAN, 74, 87 configuration, 802.1X guest VLAN assignment delay, configuration (Suite B), 802.1X guest VLAN configuration, file transfer+password authentication, 802.1X maintain, server connection establishment, 802.1X mandatory port authentication domain, server connection establishment based on 802.1X online user handshake, Suite B, 802.1X overview,...
AAA SSH user local dynamic IPv4 source guard (IPv4SG)+DHCP authentication+HWTACACS snooping configuration, authorization+RADIUS accounting, dynamic IPv6 source guard (IPv6SG)+DHCPv6 about IPv6 ND attack defense, snooping configuration, ARP active acknowledgement, expired password login, ARP attack detection (source MAC-based), FIPS configuration, 444, 449 414, 415 FIPS configuration restrictions, ARP attack detection configuration,...
IPsec IKEv2 profile configuration, MAC authentication configuration, IPsec IKEv2 protocols and standards, MAC authentication critical VLAN, IPsec IPv6 routing protocol profile, MAC authentication critical voice VLAN, IPsec IPv6 routing protocols, MAC authentication delay, 110, 110 IPsec packet DF bit, MAC authentication display, IPsec packet logging enable, MAC authentication domain, IPsec policy,...
MFF server IP address, PKI OpenCA server certificate request, MFF user port, PKI operation, NETCONF-over-SSH client user line, PKI RSA Keon CA server certificate request, NETCONF-over-SSH enable, PKI storage path, NETCONF-over-SSH+password PKI terminology, authentication configuration, PKI Windows 2003 CA server certificate request, parallel processing with 802.1X authentication, port.