HPE FlexNetwork 5510 HI Series Security Configuration Manual


HPE FlexNetwork 5510 HI Switch Series
Security Configuration Guide
Part number: 5200-0019b
Software version: Release 11xx
Document version: 6W102-20171020


Summary of Contents for HPE FlexNetwork 5510 HI Series

  • Page 2 © Copyright 2015, 2017 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table Of Contents

    Contents (page numbers in parentheses): Configuring AAA (1); Overview (1); RADIUS (2); HWTACACS (6); LDAP (9); AAA implementation on the device (11); AAA for MPLS L3VPNs (13); Protocols and standards (13); RADIUS attributes (14); FIPS compliance (16); AAA configuration considerations and task list ...
  • Page 4 Authorization VLAN (72); Guest VLAN (74); Auth-Fail VLAN (75); Critical VLAN (76); Critical voice VLAN (78); Using 802.1X authentication with other features (79); ACL assignment (79); User profile assignment (79); EAD assistant (79); Configuration prerequisites ...
  • Page 5 ACL assignment (105); User profile assignment (106); Periodic MAC reauthentication (106); Configuration prerequisites (106); Configuration task list (107); Enabling MAC authentication (107); Specifying a MAC authentication domain (108); Configuring the user account format (108); Configuring MAC authentication timers ...
  • Page 6 Configuring a local portal Web server (144); Displaying and maintaining portal (145); Portal configuration examples (145); Configuring direct portal authentication (145); Configuring re-DHCP portal authentication (153); Configuring cross-subnet portal authentication (156); Configuring extended direct portal authentication (159); Configuring extended re-DHCP portal authentication ...
  • Page 7 Password control configuration example (213); Network requirements (213); Configuration procedure (214); Verifying the configuration (215); Managing public keys (217); Overview (217); FIPS compliance (217); Creating a local key pair (217); Distributing a local host public key (219); Exporting a host public key ...
  • Page 8 Failed to set the storage path (258); Configuring IPsec (259); Overview (259); Security protocols and encapsulation modes (260); Security association (261); Authentication and encryption (262); IPsec implementation (262); Protocols and standards (263); FIPS compliance ...
  • Page 9 IPsec SA negotiation failed due to invalid identity information (305); Configuring IKEv2 (309); Overview (309); IKEv2 negotiation process (309); New features in IKEv2 (310); Protocols and standards (310); Feature and software version compatibility (310); IKEv2 configuration task list ...
  • Page 10 Specifying algorithms for SSH2 (351); Specifying key exchange algorithms for SSH2 (352); Specifying public key algorithms for SSH2 (352); Specifying encryption algorithms for SSH2 (352); Specifying MAC algorithms for SSH2 (353); Displaying and maintaining SSH (353); Stelnet configuration examples ...
  • Page 11 Configuration procedure (414); Configuring source MAC-based ARP attack detection (414); Configuration procedure (415); Displaying and maintaining source MAC-based ARP attack detection (415); Configuration example (415); Configuring ARP packet source MAC consistency check (416); Configuring ARP active acknowledgement (417); Configuring authorized ARP ...
  • Page 12 Configuration restrictions and guidelines (444); Configuring FIPS mode (445); Entering FIPS mode (445); Configuration changes in FIPS mode (446); Exiting FIPS mode (447); FIPS self-tests (447); Power-up self-tests (448); Conditional self-tests (448); Triggering self-tests ...
  • Page 13 ND attack defense configuration task list (477); Configuring ND attack detection (478); About ND attack detection (478); Configuration guidelines (478); Configuration procedure (478); Displaying and maintaining ND attack detection (479); ND attack detection configuration example (479); Configuring RA guard ...
  • Page 14: Configuring AAA

    Configuring AAA. Overview: Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. This feature specifies the following security functions:
    • Authentication—Identifies users and verifies their validity.
    • Authorization—Grants different users different rights, and controls the users' access to resources and services.
  • Page 15: RADIUS

    RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. The protocol can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access.
  • Page 16 Basic RADIUS packet exchange process. Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server. Figure 3 Basic RADIUS packet exchange process (Host, RADIUS client, RADIUS server):
    1) Username and password
    2) Access-Request
    3) Access-Accept/Reject
    4) Accounting-Request (start)
    5) Accounting-Response
    6) The host accesses the resources...
  • Page 17 Figure 4 RADIUS packet format: Code | Identifier | Length | Authenticator (16 bytes) | Attributes. Descriptions of the fields are as follows: • The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main values and their meanings. Table 1 Main values of the Code field (Packet type, Description)...
  • Page 18 • Length—Length of the attribute in bytes, including the Type, Length, and Value subfields. • Value—Value of the attribute. Its format and content depend on the Type subfield. Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868.
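The packet layout described on pages 17 and 18 (Code, Identifier, Length, 16-byte Authenticator, then Type/Length/Value attributes), as a parser with the malformed-packet checks a RADIUS client needs, plus the RFC 2865 Response Authenticator verification that lets the client reject an Access-Accept not built with the shared key. This is an added example, not code from the HPE guide; the shared key `expert`, the identifier, the NAS address and the attribute values are constructed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

# RADIUS Code values (RFC 2865/2866) for the packet types named on this page.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
# Fixed header: Code (1), Identifier (1), Length (2), Authenticator (16) = 20 bytes.
HEADER = struct.Struct("!BBH16s")


@dataclass
class RadiusPacket:
    code: int
    identifier: int
    authenticator: bytes
    attributes: List[Tuple[int, bytes]] = field(default_factory=list)

    @property
    def code_name(self) -> str:
        return CODES.get(self.code, f"Unknown({self.code})")


def parse_packet(data: bytes) -> RadiusPacket:
    """Decode the header and the Type/Length/Value attribute list.

    Rejects what RFC 2865 tells a receiver to silently discard: a buffer shorter
    than the header, a Length outside 20..4096 or beyond the buffer, and an
    attribute whose Length field is below 2 (which would otherwise make a naive
    parser loop forever on the same offset)."""
    if len(data) < HEADER.size:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length, auth = HEADER.unpack_from(data)
    if not 20 <= length <= 4096 or length > len(data):
        raise ValueError(f"invalid Length field {length}")
    pkt = RadiusPacket(code, ident, auth)
    pos = HEADER.size
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} for type {atype}")
        pkt.attributes.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return pkt


def is_well_formed(data: bytes) -> bool:
    try:
        parse_packet(data)
        return True
    except ValueError:
        return False


def build_packet(code: int, ident: int, authenticator: bytes,
                 attributes: List[Tuple[int, bytes]]) -> bytes:
    """Serialize a packet; Length covers the header plus all attributes."""
    body = b""
    for atype, value in attributes:
        if len(value) > 253:  # attribute Length is one byte and includes Type+Length
            raise ValueError("attribute value too long")
        body += bytes([atype, len(value) + 2]) + value
    return HEADER.pack(code, ident, HEADER.size + len(body), authenticator) + body


def response_authenticator(response: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).

    The client recomputes this over a received reply and compares it with the
    reply's 16 Authenticator bytes; a reply built without the shared key, or
    answering a different request, fails the comparison."""
    return hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    expected = response_authenticator(response, request_auth, secret)
    return hmac.compare_digest(expected, response[4:20])


def demo() -> Tuple[bytes, bytes, bytes]:
    """Constructed exchange: an Access-Request for user 'hello' from a NAS at
    10.1.1.2, a genuine Access-Accept, and a reply built with the wrong key."""
    secret = b"expert"               # constructed shared key for this example
    request_auth = bytes(range(16))  # constructed; a real client uses random bytes
    request = build_packet(1, 7, request_auth,
                           [(1, b"hello"), (4, bytes([10, 1, 1, 2]))])
    accept = build_packet(2, 7, bytes(16), [(18, b"Welcome")])
    accept = accept[:4] + response_authenticator(accept, request_auth, secret) + accept[20:]
    forged = accept[:4] + response_authenticator(accept, request_auth, b"wrong") + accept[20:]
    return request, accept, forged


if __name__ == "__main__":
    req, ok, bad = demo()
    print(parse_packet(req).code_name, parse_packet(req).attributes)
    print("genuine verifies:", verify_response(ok, bytes(range(16)), b"expert"))
    print("forged verifies:", verify_response(bad, bytes(range(16)), b"expert"))
```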
  • Page 19: HWTACACS

    Attribute list (continued): Proxy-State, Message-Authenticator, Login-LAT-Service, Tunnel-Private-Group-id, Login-LAT-Node, Tunnel-Assignment-id, Login-LAT-Group, Tunnel-Preference, Framed-AppleTalk-Link, ARAP-Challenge-Response, Framed-AppleTalk-Network, Acct-Interim-Interval, Framed-AppleTalk-Zone, Acct-Tunnel-Packets-Lost, Acct-Status-Type, NAS-Port-Id, Acct-Delay-Time, Framed-Pool, Acct-Input-Octets, (unassigned), Acct-Output-Octets, Tunnel-Client-Auth-id, Acct-Session-Id, Tunnel-Server-Auth-id. Extended RADIUS attributes: The RADIUS protocol features excellent extensibility. The Vendor-Specific attribute (attribute 26) allows a vendor to define extended attributes.
  • Page 20 HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical HWTACACS scenario, terminal users need to log in to the NAS. Working as the HWTACACS client, the NAS sends users' usernames and passwords to the HWTACACS server for authentication. After passing authentication and obtaining authorized rights, a user logs in to the device and performs operations.
  • Page 21 Figure 6 Basic HWTACACS packet exchange process for a Telnet user (Host, HWTACACS client, HWTACACS server):
    1) The user tries to log in
    2) Start-authentication packet
    3) Authentication response requesting the username
    4) Request for username
    5) The user enters the username
    6) Continue-authentication packet with the username
    7) Authentication response requesting the password
    8) Request for password...
  • Page 22: LDAP

    10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password.
    11. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication.
    12.
  • Page 23 • Uses the LDAP server administrator DN to bind with the LDAP server. After the binding is created, the client establishes a connection to the server and obtains the right to search. • Constructs search conditions by using the username in the authentication information of a user. The specified root directory of the server is searched and a user DN list is generated.
  • Page 24: AAA implementation on the device

    After receiving the request, the LDAP server searches for the user DN by the base DN, search scope, and filtering conditions. If a match is found, the LDAP server sends a response to notify the LDAP client of the successful search. There might be one or more user DNs found. The LDAP client uses the obtained user DN and the entered user password as parameters to send a user DN bind request to the LDAP server.
  • Page 25 AAA methods AAA supports configuring different authentication, authorization, and accounting methods for different types of users in an ISP domain. The NAS determines the ISP domain and access type of a user. The NAS also uses the methods configured for the access type in the domain to control the user's access.
  • Page 26: AAA for MPLS L3VPNs

    • Command accounting—When command authorization is disabled, command accounting enables the accounting server to record all valid commands executed on the device. When command authorization is enabled, command accounting enables the accounting server to record all authorized commands. For more information about command accounting, see Fundamentals Configuration Guide.
  • Page 27: RADIUS attributes

    Calling-Station-Id: User identification that the NAS sends to the server. For the LAN access service provided by an HPE device, this attribute includes the MAC address of the user in the format HH-HH-HH-HH-HH-HH. NAS-Identifier: Identification that the NAS uses to identify itself to the RADIUS server.
  • Page 28 Attribute / Description. Acct-Authentic: Authentication method used by the user. Possible values include: • 1—RADIUS. • 2—Local. • 3—Remote. CHAP-Challenge: CHAP challenge generated by the NAS for MD5 calculation during CHAP authentication. Type of the physical port of the NAS that is authenticating the user. Possible values include: •...
  • Page 29: FIPS compliance

    Subattribute / Description. ... types, the Control_Identifier attribute does not take effect. Result_Code: Result of the Trigger-Request or SetPolicy operation, zero for success and any other value for failure. Connect_ID: Index of the user connection. Ftp_Directory: FTP, SFTP, or SCP user working directory. When the RADIUS client acts as the FTP, SFTP, or SCP server, this attribute is used to set the working directory for an FTP, SFTP, or SCP...
  • Page 30: AAA configuration considerations and task list

    AAA configuration considerations and task list. To configure AAA, complete the following tasks on the NAS: Configure the required AAA schemes. • Local authentication—Configure local users and the related attributes, including the usernames and passwords, for the users to be authenticated. • Remote authentication—Configure the required RADIUS, HWTACACS, and LDAP ...
  • Page 31: Configuring AAA schemes

    Configuring AAA schemes This section includes information on configuring local users, RADIUS schemes, HWTACACS schemes, and LDAP schemes. Configuring local users To implement local authentication, authorization, and accounting, create local users and configure user attributes on the device. The local users and attributes are stored in the local user database on the device.
  • Page 32 Local user configuration task list. Tasks at a glance: (Required.) Configuring local user attributes; (Optional.) Configuring user group attributes; (Optional.) Displaying and maintaining local users and local user groups. Configuring local user attributes: When you configure local user attributes, follow these guidelines: •...
  • Page 33 Step / Command / Remarks (continued): ... password provides the correct username and passes attribute checks. To enhance security, configure a password for each local user. In FIPS mode, only password-protected users can pass authentication. • For a network access user: service-type { lan-access | portal } •...
  • Page 34 Step / Command / Remarks (continued): • ... feature. • Configure password composition policy: password-control composition type-number type-number [ type-length type-length ] • Configure password complexity checking policy: password-control complexity { same-character | user-name } check • Configure the maximum login attempts and the action to take if there is a login failure: password-control login-attempt login-times...
  • Page 35: Configuring RADIUS schemes

    Step / Command / Remarks (continued): ... type-length ] • Configure password complexity checking policy: password-control complexity { same-character | user-name } check • Configure the maximum login attempts and the action to take for login failures: password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]. Displaying and maintaining local users and local user groups: Execute display commands in any view.
  • Page 36 Tasks at a glance (Optional.) Configuring the IP addresses of the security policy servers (Optional.) Configuring the Login-Service attribute check method for SSH, FTP, and terminal users (Optional.) Enabling SNMP notifications for RADIUS (Optional.) Displaying and maintaining RADIUS Configuring a test profile for RADIUS server status detection IMPORTANT: This feature is available in Release 1121 and later.
  • Page 37 Step / Command / Remarks: Create a RADIUS scheme and enter RADIUS scheme view: radius scheme radius-scheme-name. The default setting depends on the startup configuration: • If the device starts up with initial settings, no RADIUS scheme is defined. • If the device starts up with factory defaults, ...
  • Page 38 Step Command Remarks authentication server: feature is enabled for the RADIUS secondary authentication scheme. { host-name | ipv4-address | ipv6 The test-profile profile-name and ipv6-address } [ port-number | weight weight-value options are key { cipher | simple } string | available in Release 1121 and test-profile profile-name...
  • Page 39 Step Command Remarks { host-name | ipv4-address | ipv6 sharing feature is enabled for ipv6-address } [ port-number | key the RADIUS scheme. { cipher | simple } string | weight weight-value vpn-instance vpn-instance-name option is available in Release | weight weight-value ] * 1121 and later.
  • Page 40 The device reports online user traffic statistics in accounting packets. The traffic measurement units are configurable, but they must be the same as the traffic measurement units configured on the RADIUS accounting servers. To set the username format and the traffic statistics units for a RADIUS scheme: Step Command Remarks...
  • Page 41 Setting the status of RADIUS servers To control the RADIUS servers with which the device communicates when the current servers are no longer available, set the status of RADIUS servers to blocked or active. You can specify one primary RADIUS server and multiple secondary RADIUS servers. The secondary servers act as the backup of the primary server.
  • Page 42 Step / Command / Remarks: • Set the status of the primary RADIUS authentication server: state primary authentication { active | block } • Set the status of the primary RADIUS accounting server: state primary accounting { active | block } By default, every server specified in a RADIUS ...
  • Page 43 receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS. • If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.
  • Page 44 timer for the server, and tries to communicate with another server in active state. After the server quiet timer expires, the device changes the status of the server back to active. • Realtime accounting timer (realtime-accounting)—Defines the interval at which the device sends realtime accounting packets to the RADIUS accounting server for online users.
  • Page 45 IP address of the security policy server on the NAS. The security policy server is the management and control center of the HPE EAD solution. To implement all EAD functions, configure both the IP address of the security policy server and that of the IMC Platform on the NAS.
  • Page 46: Configuring HWTACACS schemes

    • RADIUS server unreachable notification—The RADIUS server cannot be reached. RADIUS generates this notification if it cannot receive any response to an accounting or authentication request within the specified RADIUS request transmission attempts. • RADIUS server reachable notification—The RADIUS server can be reached. RADIUS generates this notification for a previously blocked RADIUS server after the quiet timer expires.
  • Page 47 Creating an HWTACACS scheme Create an HWTACACS scheme before performing any other HWTACACS configurations. You can configure a maximum of 16 HWTACACS schemes. An HWTACACS scheme can be used by multiple ISP domains. To create an HWTACACS scheme: Step Command Remarks Enter system view.
  • Page 48 for the secondary servers in the order they are configured. The first secondary server in active state is used for communication. If redundancy is not required, specify only the primary server. An HWTACACS server can function as the primary authorization server of one scheme and as the secondary authorization server of another scheme at the same time.
  • Page 49 To specify HWTACACS accounting servers for an HWTACACS scheme:
    1. Enter system view: system-view
    2. Enter HWTACACS scheme view: hwtacacs scheme hwtacacs-scheme-name
    3. Specify the primary HWTACACS accounting server: primary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection ... By default, no accounting server ...
  • Page 50 Step / Command / Remarks: Enter HWTACACS scheme view: hwtacacs scheme hwtacacs-scheme-name. Specify a VPN instance for the scheme: vpn-instance vpn-instance-name. By default, an HWTACACS scheme belongs to the public network. Setting the username format and traffic statistics units: A username is in the userid@isp-name format, where the isp-name argument represents the user's ISP domain name.
  • Page 51 Before sending an HWTACACS packet, the NAS selects a source IP address in the following order:
    1. The source IP address specified for the HWTACACS scheme.
    2. The source IP address specified in system view for the VPN or public network, depending on where the HWTACACS server resides.
  • Page 52 ... • Changes the server status to blocked. • Starts a quiet timer for the server. • Tries to communicate with the next secondary server in active state that has the highest priority. • The search process continues until the device finds an available secondary server or has checked all secondary servers in active state.
  • Page 53: Configuring LDAP schemes

    Configuring LDAP schemes. Configuration task list. Tasks at a glance: Configuring an LDAP server: • (Required.) Creating an LDAP server • (Required.) Configuring the IP address of the LDAP server • (Optional.) Specifying the LDAP version • (Optional.) Setting the LDAP server timeout period •...
  • Page 54 Setting the LDAP server timeout period If the device sends a bind or search request to an LDAP server without receiving the server's response within the server timeout period, the authentication or authorization request times out. Then, the device tries the backup authentication or authorization method. If no backup method is configured in the ISP domain, the device considers the authentication or authorization attempt a failure.
  • Page 55 To configure LDAP user attributes:
    1. Enter system view: system-view
    2. Enter LDAP server view: ldap server server-name
    3. Specify the user search base DN: search-base-dn base-dn. By default, no user search base DN is specified.
    4. (Optional.) Specify the user search scope: search-scope all-level. By default, the user search scope ...
  • Page 56: Configuring AAA methods for ISP domains

    Task / Command: Display the configuration of LDAP schemes: display ldap scheme [ scheme-name ]. Configuring AAA methods for ISP domains: You configure AAA methods for an ISP domain by specifying configured AAA schemes in ISP domain view. Each ISP domain has a set of system-defined AAA methods, which are local authentication, local authorization, and local accounting.
  • Page 57: Configuring ISP domain attributes

    Step / Command / Remarks: Return to system view: quit. (Optional.) Specify the default ISP domain: domain default enable isp-name. By default, the default ISP domain is the system-defined ISP domain system. (Optional.) Specify an ISP domain to accommodate users that are assigned ... By default, no ISP domain is specified to accommodate ...
  • Page 58: Configuring authorization methods for an ISP domain

    • If a RADIUS scheme is used for authentication but not for authorization, AAA accepts only the authentication result from the RADIUS server. The Access-Accept message from the RADIUS server also includes the authorization information, but the device ignores the information. •...
  • Page 59 Determine whether to configure the default authorization method for all access types or service types. The default authorization method applies to all access users. However, the method has a lower priority than the authorization method that is specified for an access type or service type. Configuration guidelines When configuring authorization methods, follow these guidelines: •...
  • Page 60: Configuring accounting methods for an ISP domain

    Configuring accounting methods for an ISP domain Configuration prerequisites Before configuring accounting methods, complete the following tasks: Determine the access type or service type to be configured. With AAA, you can configure an accounting method for each access type and service type. Determine whether to configure the default accounting method for all access types or service types.
  • Page 61: Enabling the session-control feature

    Enabling the session-control feature. A RADIUS server running on IMC can use session-control packets to deliver disconnect requests or dynamic authorization change requests to the device. This task enables the device to receive RADIUS session-control packets on UDP port 1812. To enable the session-control feature: Step / Command / Remarks...
  • Page 62: Displaying and maintaining AAA

    Step / Command / Remarks: Enter system view: system-view. Create a NAS-ID profile and enter NAS-ID profile view: aaa nas-id profile profile-name. Configure a NAS-ID and VLAN binding in the profile: nas-id nas-identifier bind vlan vlan-id. By default, no NAS-ID and VLAN binding exists. Displaying and maintaining AAA: Execute display commands in any view.
  • Page 63: Local Authentication, Hwtacacs Authorization, And Radius Accounting For Ssh Users

    # Create an HWTACACS scheme.
    <Switch> system-view
    [Switch] hwtacacs scheme hwtac
    # Specify the primary authentication server.
    [Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49
    # Specify the primary authorization server.
    [Switch-hwtacacs-hwtac] primary authorization 10.1.1.1 49
    # Specify the primary accounting server.
    [Switch-hwtacacs-hwtac] primary accounting 10.1.1.1 49
    # Set the shared keys for secure HWTACACS communication to expert in plain text.
  • Page 64 • Use the HWTACACS server and RADIUS server for SSH user authorization and accounting, respectively. • Exclude domain names from the usernames sent to the servers. • Assign the default user role network-operator to SSH users after they pass authentication. Configure an account with the username hello for the SSH user.
  • Page 65: Authentication And Authorization For Ssh Users By A Radius Server

    [Switch] local-user hello class manage
    # Assign the SSH service for the local user.
    [Switch-luser-manage-hello] service-type ssh
    # Set a password for the local user to 123456TESTplat&! in plain text. In FIPS mode, you must set the password in interactive mode.
    [Switch-luser-manage-hello] password simple 123456TESTplat&!
    [Switch-luser-manage-hello] quit
    # Create ISP domain bbb and configure the login users to use local authentication,...
  • Page 66 Figure 13 Network diagram (RADIUS server 10.1.1.1/24; Switch with Vlan-int3 10.1.1.2/24 toward the server and Vlan-int2 192.168.1.70/24 toward the Internet; SSH user reached over the Internet)
    Configuration procedure
    Configure the RADIUS server on IMC 5.0:
    NOTE: This example assumes that the RADIUS server runs on IMC PLAT 5.0 (E0101) and IMC UAM 5.0 (E0101).
  • Page 67 Figure 14 Adding the switch as an access device # Add an account for device management. Click the User tab, and select Access User View > Device Mgmt User from the navigation tree. Then, click Add to configure a device management account as follows: a.
  • Page 68 Figure 15 Adding an account for device management
    Configure the switch:
    # Configure the IP address of VLAN-interface 2, through which the SSH user accesses the switch.
    <Switch> system-view
    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
    [Switch-Vlan-interface2] quit
    # Configure the IP address of VLAN-interface 3, through which the switch communicates with the server.
  • Page 69: Authentication For Ssh Users By An Ldap Server

    # Create a RADIUS scheme.
    [Switch] radius scheme rad
    # Specify the primary authentication server.
    [Switch-radius-rad] primary authentication 10.1.1.1 1812
    # Set the shared key for secure communication with the server to expert in plain text.
    [Switch-radius-rad] key authentication simple expert
    # Include domain names in the usernames sent to the RADIUS server.
  • Page 70 NOTE: This example assumes that the LDAP server runs Microsoft Windows 2003 Server Active Directory. # Add a user named aaa and set the password to ldap!123456. a. On the LDAP server, select Start > Control Panel > Administrative Tools. b.
  • Page 71 Figure 18 Setting the user password g. Click OK. # Add user aaa to group Users. h. From the navigation tree, click Users under the ldap.com node. i. In the right pane, right-click the user aaa and select Properties. j. In the dialog box, click the Member Of tab and click Add.
  • Page 72 Figure 19 Modifying user properties d. In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK. User aaa is added to group Users. Figure 20 Adding user aaa to group Users # Set the administrator password to admin!123456.
  • Page 73 # Configure the IP address of VLAN-interface 2, through which the SSH user accesses the switch.
    <Switch> system-view
    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ip address 192.168.1.70 24
    [Switch-Vlan-interface2] quit
    # Configure the IP address of VLAN-interface 3, through which the switch communicates with the server.
  • Page 74: Troubleshooting Radius

    Verifying the configuration # Initiate an SSH connection to the switch, and enter the username aaa@bbb and password ldap!123456. The user logs in to the switch. (Details not shown.) # Verify that the user can use the commands permitted by the network-operator user role. (Details not shown.) Troubleshooting RADIUS RADIUS authentication failure...
  • Page 75: Radius Accounting Error

    Solution
    To resolve the problem, verify the following items:
    • The link between the NAS and the RADIUS server works well at both the physical and data link layers.
    • The IP address of the RADIUS server is correctly configured on the NAS.
    • ...
  • Page 76 • The user is not configured on the LDAP server. • The password entered by the user is incorrect. • The administrator DN or password is not configured. • Some user attributes (for example, the username attribute) configured on the NAS are not consistent with those configured on the server.
  • Page 77: 802.1X Overview

    The port controls traffic by using one of the following methods: − Performs bidirectional traffic control to deny traffic to and from the client. − Performs unidirectional traffic control to deny traffic from the client. The HPE devices support only unidirectional traffic control.
  • Page 78: 802.1X-Related Protocols

    Figure 22 Authorization state of a controlled port (Authenticator system 1: controlled port and uncontrolled port, port authorized; Authenticator system 2: controlled port and uncontrolled port, port unauthorized)
    802.1X-related protocols
    802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the access device, and the authentication server.
  • Page 79: Eap Over Radius

    • Data—Content of the EAP packet. This field appears only in a Request or Response EAP packet. The Data field contains the request type (or the response type) and the type data. Type 1 (Identity) and type 4 (MD5-challenge) are two examples for the type field. EAPOL packet format Figure 24 shows the EAPOL packet format.
  • Page 80: 802.1X Authentication Initiation

    01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client and the authentication server does not support the multicast address, you must use an 802.1X client that can send broadcast EAPOL-Start packets. For example, you can use the HPE iNode 802.1X client.
  • Page 81: 802.1X Authentication Procedures

    Packet exchange method | Benefits | Limitations
    EAP termination | Works with any RADIUS server that supports CHAP authentication. | Supports only the following EAP authentication methods:
    • MD5-Challenge EAP authentication.
    • The username and password EAP authentication initiated by an HPE iNode 802.1X client.
  • Page 82: Eap Relay

    Packet exchange method | Benefits | Limitations (table continued)
    EAP termination (continued) | | • The processing is complex on the access device.
    EAP relay
    Figure 29 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that EAP-MD5 is used.
    Figure 29 802.1X authentication procedure in EAP relay mode (Client, Device, Authentication server)...
  • Page 83: Eap Termination

    challenge (EAP-Request/MD5 challenge) to encrypt the password in the entry. Then, the server sends the challenge in a RADIUS Access-Challenge packet to the access device. The access device transmits the EAP-Request/MD5 Challenge packet to the client. The client uses the received challenge to encrypt the password, and sends the encrypted password in an EAP-Response/MD5 Challenge packet to the access device.
  • Page 84 Figure 30 802.1X authentication procedure in EAP termination mode (Client, Device, Authentication server; EAPOL between the client and the device, RADIUS between the device and the server):
    (1) EAPOL-Start
    (2) EAP-Request/Identity
    (3) EAP-Response/Identity
    (4) EAP-Request/MD5 challenge
    (5) EAP-Response/MD5 challenge
    (6) RADIUS Access-Request (CHAP-Response/MD5 challenge)
    (7) RADIUS Access-Accept (CHAP-Success)
    (8) EAP-Success...
  • Page 85: Configuring 802.1X

    Configuring 802.1X This chapter describes how to configure 802.1X on an HPE device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network that requires different authentication methods for different users on a port.
  • Page 86 The suffix can be t or u, which indicates whether the ports assigned to the VLAN are tagged members. For example, 2u indicates that the ports assigned to VLAN 2 are untagged members. NOTE: The access device converts VLAN names and VLAN group name into VLAN IDs before VLAN assignment.
  • Page 87: Guest Vlan

    Table 6 VLAN manipulation
    Port access control method | VLAN manipulation
    Port-based | The device assigns the port to the first authenticated user's authorization VLAN. All subsequent 802.1X users can access the VLAN without authentication. If the port is assigned to the authorization VLAN as an untagged member, the authorization VLAN becomes the PVID.
  • Page 88: Auth-Fail Vlan

    Authentication status | VLAN manipulation
    A user has not passed 802.1X authentication. | The device assigns the 802.1X guest VLAN to the port as the PVID. All 802.1X users on this port can access only resources in the guest VLAN. If no 802.1X guest VLAN is configured, the access device does not perform any VLAN operation.
  • Page 89: Critical Vlan

    The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control method.
    • On a port that performs port-based access control:
    Authentication status | VLAN manipulation
    A user fails 802.1X authentication. | The device assigns the Auth-Fail VLAN to the port as the PVID. All 802.1X...
  • Page 90 The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control method.
    • On a port that performs port-based access control:
    Authentication status | VLAN manipulation
    A user that has not been assigned to any VLAN fails 802.1X authentication because all the RADIUS servers are unreachable. | The device assigns the critical VLAN to the port as the PVID. The 802.1X user and all subsequent 802.1X users on this port...
  • Page 91: Critical Voice Vlan

    Authentication status | VLAN manipulation
    ... | ...PVID. The device remaps the MAC address of the user to the authorization VLAN.
    A user in the 802.1X critical VLAN passes 802.1X authentication. | If the authentication server (either the local access device or a RADIUS server) does not authorize a VLAN to the user, the device remaps the MAC address of the user to the initial PVID on the port.
  • Page 92: Using 802.1X Authentication With Other Features

    EAD assistant Endpoint Admission Defense (EAD) is an HPE integrated endpoint access control solution to improve the threat defensive capability of a network. The solution enables the security client, security policy server, access device, and third-party server to operate together. If a terminal device seeks to access an EAD network, it must have an EAD client, which performs 802.1X authentication.
  • Page 93: Configuration Prerequisites

    EAD rules are implemented by using ACL resources. When the EAD rule timer expires or the user passes authentication, the rule is removed. If users fail to download EAD client or fail to pass authentication before the timer expires, they must reconnect to the network to access the free IP. Configuration prerequisites Before you configure 802.1X, complete the following tasks: •...
  • Page 94: Enabling Eap Relay Or Eap Termination

    • If the PVID is a voice VLAN, the 802.1X feature cannot take effect on the port. For more information about voice VLANs, see Layer 2—LAN Switching Configuration Guide. • Do not enable 802.1X on a port that is in a link aggregation or service loopback group. To enable 802.1X: Step Command...
  • Page 95: Setting The Port Authorization State

    Setting the port authorization state The port authorization state determines whether the client is granted access to the network or not. You can control the authorization state of a port by using the dot1x port-control command and the following keywords: •...
  • Page 96: Setting The Maximum Number Of Authentication Request Attempts

    Setting the maximum number of authentication request attempts The access device retransmits an authentication request if it does not receive any responses to the request from the client within a period of time. To set the time, use the dot1x timer tx-period tx-period-value command or the dot1x timer supp-timeout supp-timeout-value command.
  • Page 97: Configuring The Online User Handshake Feature

    • Client timeout timer—Starts when the access device sends an EAP-Request/MD5 Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client. • Server timeout timer—Starts when the access device sends a RADIUS Access-Request packet to the authentication server.
  • Page 98: Configuration Procedure

    Configuration procedure
    To configure the online user handshake feature:
    Step | Command | Remarks
    Enter system view. | system-view |
    (Optional.) Set the handshake timer. | dot1x timer handshake-period handshake-period-value | The default is 15 seconds.
    Enter Layer 2 Ethernet interface view. | interface interface-type interface-number |
    Enable the online handshake feature. | dot1x handshake | By default, the feature is enabled.
  • Page 99: Specifying A Mandatory Authentication Domain On A Port

    Step | Command | Remarks
    ...interface view. | ...interface-number |
    Enable the authentication trigger. | dot1x { multicast-trigger | unicast-trigger } | By default, the multicast trigger is enabled, and the unicast trigger is disabled.
    Specifying a mandatory authentication domain on a port
    You can place all 802.1X users in a mandatory authentication domain for authentication, authorization, and accounting on a port.
  • Page 100: Enabling The Periodic Online User Reauthentication Feature

    Enabling the periodic online user reauthentication feature Periodic online user reauthentication tracks the connection status of online users, and updates the authorization attributes assigned by the server. The attributes include the ACL, VLAN, and user profile-based QoS. The reauthentication interval is user configurable. The server-assigned RADIUS Session-Timeout (attribute 27) and Termination-Action (attribute 29) attributes can affect the periodic online user reauthentication feature.
  • Page 101: Configuration Prerequisites

    • Assign different IDs to the voice VLAN, the port VLAN, and the 802.1X guest VLAN on a port. The assignment makes sure the port can correctly process incoming VLAN-tagged traffic.
    • When you configure multiple security features on a port, follow the guidelines in Table 7.
    Table 7 Relationships of the 802.1X guest VLAN and other security features
    Feature...
  • Page 102: Configuring An 802.1X Auth-Fail Vlan

    This feature does not take effect if the 802.1X authentication is triggered by EAPOL-Start packets from 802.1X clients. To use this feature, the 802.1X-enabled port must be configured with the unicast trigger feature and perform MAC-based access control. When 802.1X authentication is triggered on a port, the device performs the following operations: Sends a unicast EAP-Request/Identity packet to the MAC address that triggers the authentication.
  • Page 103: Configuration Prerequisites

    Configuration prerequisites Before you configure an 802.1X Auth-Fail VLAN, complete the following tasks: • Create the VLAN to be specified as the 802.1X Auth-Fail VLAN. • If the 802.1X-enabled port performs MAC-based access control, perform the following operations for the port: Configure the port as a hybrid port.
  • Page 104: Configuring The 802.1X Critical Vlan On A Port

    Configuring the 802.1X critical VLAN on a port
    Step | Command | Remarks
    Enter system view. | system-view |
    Enter Ethernet interface view. | interface interface-type interface-number |
    Configure the 802.1X critical VLAN on the port. | dot1x critical vlan vlan-id | By default, no 802.1X critical VLAN is configured.
    Sending EAP-Success packets to users in the 802.1X critical VLAN
    IMPORTANT:...
  • Page 105: Configuration Prerequisites

    Configuration prerequisites Before you enable the 802.1X critical voice VLAN on a port, complete the following tasks: • Enable LLDP both globally and on the port. The device uses LLDP to identify voice users. For information about LLDP, see Layer 2—LAN Switching Configuration Guide.
  • Page 106: Configuring The Ead Assistant Feature

    Configuring the EAD assistant feature When you configure the EAD assistant feature, follow these restrictions and guidelines: • You must disable MAC authentication and port security globally before you enable the EAD assistant feature. • To make the EAD assistant feature take effect on an 802.1X-enabled port, you must set the port authorization mode to auto.
  • Page 107: 802.1X Authentication Configuration Examples

    ...192.168.1.2/24
    Configuration procedure
    Configure the 802.1X client. If HPE iNode is used, do not select the Carry version info option in the client configuration. (Details not shown.)
    Configure the RADIUS servers and add user accounts for the 802.1X users. (Details not shown.)
  • Page 108 Configure a RADIUS scheme:
    # Create the RADIUS scheme radius1 and enter RADIUS scheme view.
    [Device] radius scheme radius1
    # Specify the IP addresses of the primary authentication and accounting RADIUS servers.
    [Device-radius-radius1] primary authentication 10.1.1.1
    [Device-radius-radius1] primary accounting 10.1.1.1
    # Configure the IP addresses of the secondary authentication and accounting RADIUS servers.
  • Page 109: Guest Vlan And Authorization Vlan Configuration Example

    802.1X guest VLAN and authorization VLAN configuration example Network requirements As shown in Figure 32, use RADIUS servers to perform authentication, authorization, and accounting for 802.1X users who connect to GigabitEthernet 1/0/2. Implement port-based access control on the port. If no user performs 802.1X authentication on GigabitEthernet 1/0/2 within a period of time, the device adds GigabitEthernet 1/0/2 to the guest VLAN, VLAN 10.
  • Page 110 [Device-vlan10] port gigabitethernet 1/0/1
    [Device-vlan10] quit
    [Device] vlan 2
    [Device-vlan2] port gigabitethernet 1/0/4
    [Device-vlan2] quit
    [Device] vlan 5
    [Device-vlan5] port gigabitethernet 1/0/3
    [Device-vlan5] quit
    Configure a RADIUS scheme on the access device:
    # Create RADIUS scheme 2000 and enter RADIUS scheme view.
    [Device] radius scheme 2000
    # Specify the server at 10.11.1.1 as the primary authentication server, and set the authentication port to 1812.
  • Page 111: 802.1X With Acl Assignment Configuration Example

    Verifying the configuration
    # Verify the 802.1X guest VLAN configuration on GigabitEthernet 1/0/2.
    [Device] display dot1x interface gigabitethernet 1/0/2
    # Verify that GigabitEthernet 1/0/2 is assigned to VLAN 10 when no user passes authentication on the port.
    [Device] display vlan 10
    # After a user passes authentication, display information on GigabitEthernet 1/0/2.
  • Page 112 # Specify the server at 10.1.1.2 as the primary accounting server, and set the accounting port to 1813.
    [Device-radius-2000] primary accounting 10.1.1.2 1813
    # Set the shared key to abc in plain text for secure communication between the authentication server and the device.
    [Device-radius-2000] key authentication simple abc
    # Set the shared key to abc in plain text for secure communication between the accounting server and the device.
  • Page 113: 802.1X With Ead Assistant Configuration Example

    Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    The output shows that ACL 3000 is active on the user, and the user cannot access the FTP server.
    802.1X with EAD assistant configuration example
    Network requirements
    As shown in Figure...
  • Page 114 [Device-Vlan-interface2] dhcp select relay
    # Specify the DHCP server 192.168.2.2 on the relay agent interface VLAN-interface 2.
    [Device-Vlan-interface2] dhcp relay server-address 192.168.2.2
    [Device-Vlan-interface2] quit
    Configure a RADIUS scheme:
    # Create RADIUS scheme 2000 and enter RADIUS scheme view.
    [Device] radius scheme 2000
    # Specify the server at 10.1.1.1 as the primary authentication server, and set the authentication port to 1812.
  • Page 115: Troubleshooting 802.1X

    # Verify that you can ping an IP address on the free IP subnet from a host.
    C:\>ping 192.168.2.3
    Pinging 192.168.2.3 with 32 bytes of data:
    Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
    Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
    Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
    Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
    Ping statistics for 192.168.2.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),...
  • Page 116: Configuring Mac Authentication

    Configuring MAC authentication Overview MAC authentication controls network access by authenticating source MAC addresses on a port. The feature does not require client software, and users do not have to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication-enabled port.
  • Page 117: Vlan Assignment

    VLAN assignment Authorization VLAN The device uses the authorization VLAN to control the access of a MAC authentication user to authorized network resources. The device supports the following VLAN authorization methods: • Remote VLAN authorization—The authorization VLAN information of a MAC authentication user is assigned by a remote server.
  • Page 118: Acl Assignment

    A hybrid port is always assigned to a MAC authentication guest VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN. Table 10 shows the way that the network access device handles guest VLANs for MAC authentication users.
  • Page 119: User Profile Assignment

    The ACL will filter traffic for this user. You must configure ACL rules for the authorization ACL on the access device for the ACL assignment feature. To ensure a successful ACL assignment, make sure the ACL does not contain rules that match source MAC addresses.
  • Page 120: Configuration Task List

    Make sure the port security feature is disabled. For more information about port security, see "Configuring port security." Configuration task list Tasks at a glance (Required.) Enabling MAC authentication (Optional.) Specifying a MAC authentication domain (Optional.) Configuring the user account format (Optional.) Configuring MAC authentication timers (Optional.)
  • Page 121: Specifying A Mac Authentication Domain

    Specifying a MAC authentication domain By default, MAC authentication users are in the system default authentication domain. To implement different access policies for users, you can use one of the following methods to specify authentication domains for MAC authentication users: •...
  • Page 122: Setting The Maximum Number Of Concurrent Mac Authentication Users On A Port

    logs the user out and stops accounting for the user. In Release 1121 and later, this timer takes effect when the MAC authentication offline detection feature is enabled. After you set the offline detect timer, assign the same value to the MAC address aging timer by using the mac-address timer command.
  • Page 123: Configuring Mac Authentication Delay

    This feature improves transmission of data that is vulnerable to delay and interference. It is typically applicable to IP phone users.
    To enable MAC authentication multi-VLAN mode on a port:
    Step | Command | Remarks
    Enter system view. | system-view |
    Enter Layer 2 Ethernet interface view. | interface interface-type...
  • Page 124: Configuration Restrictions And Guidelines

    After MAC authentication succeeds, the port is assigned to the MAC authentication authorization VLAN. • If 802.1X authentication fails, the MAC authentication result takes effect. • If 802.1X authentication succeeds, the device handles the port and the MAC address based on the 802.1X authentication result.
  • Page 125: Configuring A Mac Authentication Critical Vlan

    When you configure the MAC authentication guest VLAN on a port, follow the guidelines in Table 12.
    Table 12 Relationships of the MAC authentication guest VLAN with other security features
    Feature | Relationship description | Reference
    Quiet feature of MAC authentication | The MAC authentication guest VLAN feature has higher priority. When a user fails MAC authentication, the... | "Configuring...
  • Page 126: Enabling The Mac Authentication Critical Voice Vlan

    Table 13 Relationships of the MAC authentication critical VLAN with other security features
    Feature | Relationship description | Reference
    Quiet feature of MAC authentication | The MAC authentication critical VLAN feature has higher priority. When a user fails MAC authentication because no RADIUS authentication server is reachable, the... | "Configuring MAC authentication timers."...
  • Page 127: Configuration Procedure

    For information about voice VLANs, see Layer 2—LAN Switching Configuration Guide.
    Configuration procedure
    To enable the MAC authentication critical voice VLAN feature on a port:
    Step | Command | Remarks
    Enter system view. | system-view |
    Enter Layer 2 Ethernet interface view. | interface interface-type interface-number |
    Enable... | | By default,...
  • Page 128: Displaying And Maintaining Mac Authentication

    Step | Command | Remarks
    Enter system view. | system-view |
    Enter Layer 2 Ethernet interface view. | interface interface-type interface-number |
    Enable MAC authentication offline detection. | mac-authentication offline-detect enable | By default, MAC authentication offline detection is enabled.
    Displaying and maintaining MAC authentication
    IMPORTANT: The reset mac-authentication critical-voice-vlan interface interface-type interface-number [ mac-address mac-address ] command is available in Release 1121 and later.
  • Page 129 • Use the MAC address of each user as the username and password for authentication. A MAC address is in the hexadecimal notation with hyphens, and letters are in lower case.
    Figure 35 Network diagram (Host A with MAC 00-e0-fc-12-34-56 attached to GE1/0/1 of Device; Device connected to the IP network; Host B...)
  • Page 130: Radius-Based Mac Authentication Configuration Example

    Offline detect period : 180 s
    Quiet period : 180 s
    Server timeout : 100 s
    Authentication domain : bbb
    Max MAC-auth users : 2048 per slot
    Online MAC-auth users
    Silent MAC users:
    MAC address VLAN ID From port Port index
    00e0-fc11-1111 GigabitEthernet1/0/1
    GigabitEthernet1/0/1...
  • Page 131 Figure 36 Network diagram (RADIUS servers Auth:10.1.1.1 and Acct:10.1.1.2; Host attached to GE1/0/1 of Device; Device connected to the IP network)
    Configuration procedure
    Make sure the RADIUS server and the access device can reach each other. (Details not shown.)
    Configure the RADIUS servers:
    # Create a shared account for MAC authentication users. (Details not shown.)
    # Set the username aaa and password 123456 for the account.
  • Page 132: Acl Assignment Configuration Example

    [Device] mac-authentication
    Verifying the configuration
    # Verify the MAC authentication configuration.
    [Device] display mac-authentication
    Global MAC authentication parameters:
    MAC authentication : Enabled
    Username format : Fixed account
    Username : aaa
    Password : ******
    Offline detect period : 180 s
    Quiet period : 180 s
    Server timeout : 100 s...
  • Page 133 Figure 37 Network diagram (RADIUS servers Auth:10.1.1.1 and Acct:10.1.1.2; Host with IP 192.168.1.10/24 and MAC 00-e0-fc-12-34-56 attached to GE1/0/1 of Device; FTP server 10.0.0.1/24 reached over the Internet)
    Configuration procedure
    Make sure the RADIUS servers and the access device can reach each other.
    Configure ACL 3000 to deny packets destined for 10.0.0.1.
    <Sysname>...
  • Page 134 Configure the RADIUS servers:
    # Add a user account with 00-e0-fc-12-34-56 as both the username and password on each RADIUS server. (Details not shown.)
    # Authorize ACL 3000 to the user account. (Details not shown.)
    Verifying the configuration
    # Verify the MAC authentication configuration.
    [Sysname] display mac-authentication
    Global MAC authentication parameters:
    MAC authentication...
  • Page 135 Request timed out.
    Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    The output shows that ACL 3000 has been assigned to port GigabitEthernet 1/0/1 to deny access to the FTP server.
  • Page 136: Configuring Portal Authentication

    Users can access more Internet resources after passing security check. Security check must cooperate with the HPE IMC security policy server and the iNode client. Portal system components A typical portal system consists of these basic components: authentication client, access device,...
  • Page 137 Figure 38 Portal system components (authentication clients; access device; portal authentication server; portal Web server; AAA server; security policy server)
    An authentication client is a Web browser that runs HTTP/HTTPS or a user host that runs a portal client application.
  • Page 138: Portal System Using The Local Portal Web Server

    Web browser. When receiving the HTTP request, the access device redirects it to the Web authentication page provided by the portal Web server. The user can also visit the authentication website to log in. The user must log in through the HPE iNode client for extended portal functions.
  • Page 139: Portal Authentication Modes

    HPE iNode client. NOTE: Portal authentication supports NAT traversal whether it is initiated by a Web client or an HPE iNode client. NAT traversal must be configured when the portal client is on a private network and the portal server is on a public network.
  • Page 140: Portal Authentication Process

    Portal authentication process Direct authentication and cross-subnet authentication share the same authentication process. Re-DHCP authentication has a different process as it has two address allocation procedures. Direct authentication/cross-subnet authentication process (with CHAP/PAP authentication) Figure 40 Direct authentication/cross-subnet authentication process Portal Authentication Portal Web Access...
  • Page 141 10. The security policy server authorizes the user to access certain network resources based on the check result. The access device saves the authorization information and uses it to control access of the user. Re-DHCP authentication process (with CHAP/PAP authentication) Figure 41 Re-DHCP authentication process Portal Security...
  • Page 142: Portal Configuration Task List

    Portal configuration task list Tasks at a glance (Required.) Configuring a portal authentication server (Required.) Configuring a portal Web server (Required.) Enabling portal authentication on an interface (Required.) Referencing a portal Web server for an interface (Optional.) Controlling portal user access •...
  • Page 143: Configuring A Portal Authentication Server

    Configuring a portal authentication server Perform this task to configure the following portal authentication server parameters: • IP address of the portal authentication server • VPN instance of the portal authentication server • Shared encryption key used between the device and the portal authentication server •...
  • Page 144: Enabling Portal Authentication On An Interface

    Step | Command | Remarks
    Specify the VPN instance to which the portal Web server belongs. | vpn-instance vpn-instance-name | By default, the portal Web server belongs to the public network.
    Specify the URL of the portal Web server. | url url-string | By default, no URL is specified.
  • Page 145: Referencing A Portal Web Server For An Interface

    Step | Command | Remarks
    Enable IPv4 portal authentication, IPv6 portal authentication, or both on the interface. | • To enable IPv4 portal authentication: portal enable method { direct | layer3 | redhcp } • To enable IPv6 portal authentication: portal ipv6 enable method { direct | layer3 } |
    Referencing a portal Web server for an interface
    After you reference a portal Web server for an interface, the device redirects the HTTP requests of the portal users on the interface to the portal Web server.
  • Page 146: Configuring An Authentication Source Subnet

    Step Command Remarks Configure an IPv4-based portal-free rule. portal free-rule rule-number { destination { ip-address { mask-length | mask } | any } [ tcp tcp-port-number | udp udp-port-number ] | source { ip-address { mask-length | mask } | any } [ tcp tcp-port-number | udp udp-port-number ] } * By default, no IPv4-based portal-free rule exists. portal free-rule...
  • Page 147: Configuring An Authentication Destination Subnet

    In re-DHCP mode, the access device regards the authentication source subnet on an interface as the subnet to which the private IP address of the interface belongs. • If both authentication source subnets and destination subnets are configured on an interface, only the authentication destination subnets take effect.
  • Page 148: Setting The Maximum Number Of Portal Users

    To configure an IPv6 portal authentication destination subnet: Step Command Remarks Enter system view. system-view Enter interface view. interface interface-type interface-number Configure an IPv6 portal authentication destination subnet. portal ipv6 free-all except destination ipv6-network-address prefix-length By default, no IPv6 portal authentication destination subnet is configured, and users accessing...
  • Page 149: Configuring Portal Detection Features

    Step Command Remarks authentication domain. specified for IPv4 portal users on the interface. To specify an IPv6 portal authentication domain: Step Command Remarks Enter system view. system-view Enter interface view. interface interface-type interface-number Specify an IPv6 portal authentication domain. portal ipv6 domain domain-name By default, no ISP domain is specified for IPv6 portal users on...
  • Page 150: Configuring Portal Authentication Server Detection

    Step Command Remarks detection IPv4 [ retry retries ] [ interval interval ] [ idle on the interface. portal users. time ] To configure online detection of IPv6 portal users: Step Command Remarks Enter system view. system-view Enter interface view. interface interface-type interface-number Configure online...
  • Page 151: Configuring Portal Web Server Detection

    Step Command Remarks Configure portal authentication server detection. server-detect [ timeout timeout ] log By default, portal authentication server detection is disabled. This feature takes effect regardless of whether portal authentication is enabled on an interface or not. Configuring portal Web server detection A portal authentication process cannot complete if the communication between the access device and the portal Web server is broken.
  • Page 152: Configuring The Portal Fail-Permit Feature

    The portal authentication server sends the online user information to the access device in a synchronization packet at the user heartbeat interval, which is set on the portal authentication server. Upon receiving the synchronization packet, the access device compares the users carried in the packet with its own user list.
  • Page 153: Configuring Bas-Ip For Portal Packets Sent To The Portal Authentication Server

    Step Command Remarks Enable portal fail-permit for a portal Web server. portal [ ipv6 ] apply web-server server-name fail-permit By default, portal fail-permit is disabled for a portal Web server. Configuring BAS-IP for portal packets sent to the portal authentication server If the device runs Portal 2.0, the unsolicited packets sent to the portal authentication server must carry the BAS-IP attribute.
  • Page 154: Applying A Nas-Id Profile To An Interface

    Applying a NAS-ID profile to an interface By default, the device sends its device name in the NAS-Identifier attribute of any RADIUS requests. A NAS-ID profile enables you to send different NAS-Identifier attribute strings in RADIUS requests from different VLANs. The strings can be organization names, service names, or any user categorization criteria, depending on the administrative requirements.
  • Page 155: Logging Out Portal Users

    Step Command Remarks device. Logging out portal users Logging out a user terminates the authentication process for the user or removes the user from the authenticated users list. To log out users: Step Command Enter system view. system-view Log out IPv4 portal users. portal delete-user { ipv4-address | all | interface interface-type...
  • Page 156 File name rules The names of the main authentication page files are fixed (see Table 14). You can define the names of the files other than the main authentication page files. File names and directory names are case insensitive. Table 14 Main authentication page file names Main authentication page File name Logon page...
  • Page 157: Configuring A Local Portal Web Server

    <p><input type=SUBMIT value="Logoff" name="PtButton" style="width:60px;"> </form> Page file compression and saving rules You must compress the authentication pages and their page elements into a standard zip file. • The name of a zip file can contain only letters, numbers, and underscores. •...
  • Page 158: Displaying And Maintaining Portal

    Step Command Remarks Create a local portal Web server and enter its view. portal local-web-server { http | https ssl-server-policy policy-name [ tcp-port port-number ] } By default, no local portal Web servers exist. Specify the default authentication page file for the local portal Web server. default-logon-page filename By default, no default authentication page file is specified for the local portal Web...
  • Page 159 Figure 42 Network diagram Portal server Vlan-int100 Vlan-int2 192.168.0.111/24 2.2.2.1/24 192.168.0.100/24 Host Switch 2.2.2.2/24 Gateway: 2.2.2.1/24 RADIUS server 192.168.0.112/24 Configuration prerequisites • Configure IP addresses for the host, switch, and servers as shown in Figure 42 and make sure they can reach each other. •...
  • Page 160 e. Select a service group. This example uses the default group Ungrouped. f. Select Normal from the Action list. g. Click OK. Figure 44 Adding an IP address group Add a portal device: a. Select Access Service > Portal Service Management > Device from the navigation tree to enter the portal device configuration page.
  • Page 161 a. As shown in Figure 46, click the icon in the Port Group Information Management column of device NAS to enter the port group configuration page. Figure 46 Device list b. Click Add to enter the page shown in Figure Figure 47 Port group configuration c.
  • Page 162 Figure 48 Portal server configuration Configure the IP address group: a. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. b. Click Add to enter the page shown in Figure c.
  • Page 163 a. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. b. Click Add to enter the page shown in Figure c. Enter the device name NAS. d. Enter the IP address of the switch's interface connected to the host. e.
  • Page 164 Figure 52 Adding a port group Select User Access Manager > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configuring the switch Configure a RADIUS scheme: # Create a RADIUS scheme named rs1 and enter its view. <Switch>...
  • Page 165: Authentication Server

    # Configure a portal authentication server. [Switch] portal server newpt New portal server added. [Switch-portal-server-newpt] ip 192.168.0.111 key simple portal [Switch-portal-server-newpt] port 50100 [Switch-portal-server-newpt] quit # Configure a portal Web server. [Switch] portal web-server newpt [Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal [Switch-portal-websvr-newpt] quit # Enable direct portal authentication on VLAN-interface 100.
  • Page 166: Configuring Re-Dhcp Portal Authentication

    Layer3 source network: IP address Prefix length Destination authenticate subnet: IP address Prefix length A user can perform portal authentication by using the HPE iNode client or a Web browser. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal, and all Web requests will be redirected to the authentication page.
  • Page 167 Configuration prerequisites and guidelines • Configure IP addresses for the switch and servers as shown in Figure 53 and make sure the host, switch, and servers can reach each other. • Configure the RADIUS server properly to provide authentication and accounting functions. •...
  • Page 168 # Configure DHCP relay. [Switch] dhcp enable [Switch] dhcp relay client-information record [Switch] interface vlan-interface 100 [Switch-Vlan-interface100] ip address 20.20.20.1 255.255.255.0 [Switch-Vlan-interface100] ip address 10.0.0.1 255.255.255.0 sub [Switch-Vlan-interface100] dhcp select relay [Switch-Vlan-interface100] dhcp relay server-address 192.168.0.112 # Enable authorized ARP. [Switch-Vlan-interface100] arp authorized enable [Switch-Vlan-interface100] quit Configure portal authentication:...
  • Page 169: Configuring Cross-Subnet Portal Authentication

    Server name Action Layer3 source network: IP address Prefix length Destination authenticate subnet: IP address Prefix length A user can perform portal authentication by using the HPE iNode client or a Web browser. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal, and all Web requests will be redirected to the authentication page.
  • Page 170 Figure 54 Network diagram Switch A Vlan-int2 192.168.0.100/24 Portal server 192.168.0.111/24 Vlan-int4 20.20.20.1/24 Vlan-int4 20.20.20.2/24 Vlan-int2 8.8.8.1/24 Switch B Host 8.8.8.2/24 RADIUS server 192.168.0.112/24 Configuration prerequisites and guidelines • Configure IP addresses for the switch and servers as shown in Figure 54 and make sure the host, switch, and servers can reach each other.
  • Page 171 # Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user. [SwitchA] domain default enable dm1 Configure portal authentication: # Configure a portal authentication server.
  • Page 172: Configuring Extended Direct Portal Authentication

    Server name Action Layer3 source network: IP address Prefix length Destination authenticate subnet: IP address Prefix length A user can perform portal authentication by using the HPE iNode client or a Web browser. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal, and all Web requests will be redirected to the authentication page.
  • Page 173 Figure 55 Network diagram Portal server 192.168.0.111/24 Vlan-int100 Vlan-int2 2.2.2.1/24 192.168.0.100/24 RADIUS server Host Switch 192.168.0.112/24 2.2.2.2/24 Gateway: 2.2.2.1/24 Security policy server 192.168.0.113/24 Configuration prerequisites • Configure IP addresses for the host, switch, and servers as shown in Figure 55 and make sure they can reach each other.
  • Page 174 [Switch] domain default enable dm1 Configure ACL 3000 as the isolation ACL and ACL 3001 as the security ACL: [Switch] acl number 3000 [Switch-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255 [Switch-acl-adv-3000] rule deny ip [Switch-acl-adv-3000] quit [Switch] acl number 3001 [Switch-acl-adv-3001] rule permit ip [Switch-acl-adv-3001] quit NOTE:...
  • Page 175: Configuring Extended Re-Dhcp Portal Authentication

    Destination authenticate subnet: IP address Prefix length Before a user performs portal authentication by using the HPE iNode client, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests the user initiates will be redirected to the authentication page.
  • Page 176 Figure 56 Network diagram Portal server 192.168.0.111/24 Vlan-int100 20.20.20.1/24 Vlan-int2 DHCP server 10.0.0.1/24 sub 192.168.0.100/24 192.168.0.112/24 Host Switch automatically obtains an IP address RADIUS server 192.168.0.113/24 Security policy server 192.168.0.114/24 Configuration prerequisites and guidelines • Configure IP addresses for the switch and servers as shown in Figure 56 and make sure the host, switch, and servers can reach each other.
  • Page 177 [Switch-radius-rs1] security-policy-server 192.168.0.114 [Switch-radius-rs1] quit # Enable RADIUS session control. [Switch] radius session-control enable Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Switch] domain dm1 # Configure AAA methods for the ISP domain. [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1...
  • Page 178 [Switch] portal web-server newpt [Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal [Switch-portal-websvr-newpt] quit # Enable re-DHCP portal authentication on VLAN-interface 100. [Switch] interface vlan-interface 100 [Switch-Vlan-interface100] portal enable method redhcp # Reference the portal Web server newpt on VLAN-interface 100. [Switch-Vlan-interface100] portal apply web-server newpt # Configure the BAS-IP as 20.20.20.1 for portal packets sent from VLAN-interface 100 to the portal authentication server.
  • Page 179: Configuring Extended Cross-Subnet Portal Authentication

    Before a user performs portal authentication by using the HPE iNode client, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests the user initiates will be redirected to the authentication page. • If the user passes the authentication but fails the security check, the user can access only the resources that match ACL 3000.
  • Page 180 • Make sure the IP address of the portal device added on the portal server is the IP address (20.20.20.1) of the switch's interface connecting the host. The IP address group associated with the portal device is the subnet of the host (8.8.8.0/24). Configuration procedure Perform the following tasks on Switch A.
  • Page 181 [SwitchA] portal server newpt [SwitchA-portal-server-newpt] ip 192.168.0.111 key simple portal [SwitchA-portal-server-newpt] port 50100 [SwitchA-portal-server-newpt] quit # Configure a portal Web server. [SwitchA] portal web-server newpt [SwitchA-portal-websvr-newpt] url http://192.168.0.111:8080/portal [SwitchA-portal-websvr-newpt] quit # Enable cross-subnet portal authentication on VLAN-interface 4. [SwitchA] interface vlan-interface 4 [SwitchA-Vlan-interface4] portal enable method layer3 # Reference the portal Web server newpt on VLAN-interface 4.
  • Page 182: Configuring Portal Server Detection And Portal User Synchronization

    Destination authenticate subnet: IP address Prefix length Before a user performs portal authentication by using the HPE iNode client, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests the user initiates will be redirected to the authentication page.
  • Page 183 Figure 58 Network diagram Portal server Vlan-int100 Vlan-int2 192.168.0.111/24 2.2.2.1/24 192.168.0.100/24 Host Switch 2.2.2.2/24 Gateway: 2.2.2.1/24 RADIUS server 192.168.0.112/24 Configuration prerequisites and guidelines • Configure IP addresses for the switch and servers as shown in Figure 58 and make sure the host, switch, and servers can reach each other.
  • Page 184 Figure 59 Portal authentication server configuration Configure the IP address group: a. Select Access Service > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. b. Click Add to enter the page shown in Figure c.
  • Page 185 g. Set whether to support the portal server heartbeat and user heartbeat functions. In this example, select Yes for both Support Server Heartbeat and Support User Heartbeat. h. Click OK. Figure 61 Adding a portal device Associate the portal device with the IP address group: a.
  • Page 186 The IP address used by the user to access the network must be within this IP address group. e. Use default values for other parameters. f. Click OK. Select Access Service > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations.
  • Page 187 g. Click OK. Figure 65 Adding an IP address group Add a portal device: a. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. b. Click Add to enter the page shown in Figure c.
  • Page 188 a. As shown in Figure 67, click the icon in the Port Group Information Management column of device NAS to enter the port group configuration page. b. Click Add to enter the page shown in Figure c. Enter the port group name. d.
  • Page 189 [Switch-radius-rs1] user-name-format without-domain [Switch-radius-rs1] quit # Enable RADIUS session control. [Switch] radius session-control enable Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Switch] domain dm1 # Configure AAA methods for the ISP domain. [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1...
  • Page 190: Configuring Cross-Subnet Portal Authentication For Mpls L3Vpns

    [Switch-Vlan-interface100] portal bas-ip 2.2.2.1 [Switch-Vlan-interface100] quit Verifying the configuration # Use the following command to display information about the portal authentication server. [Switch] display portal server newpt Portal server: newpt : 192.168.0.111 VPN instance : Not configured Port : 50100 Server Detection : Timeout 40s Action: log...
  • Page 191 <SwitchA> system-view [SwitchA] radius scheme rs1 # For the RADIUS scheme, specify the VPN instance that is bound to the interface connected to the portal/RADIUS server. This example uses VPN instance vpn3. [SwitchA-radius-rs1] vpn-instance vpn3 # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
  • Page 192: Configuring Direct Portal Authentication Using Local Portal Web Server

    # Configure the BAS-IP as 3.3.0.3 for portal packets sent from VLAN-interface 3 to the portal authentication server. [SwitchA-Vlan-interface3] portal bas-ip 3.3.0.3 [SwitchA-Vlan-interface3] quit Verifying the configuration # Verify the portal configuration by executing the display portal interface command. (Details not shown.) # After the user passes authentication, execute the display portal user command to display the portal user information.
  • Page 193 <Switch> system-view [Switch] radius scheme rs1 # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers. [Switch-radius-rs1] primary authentication 192.168.0.112 [Switch-radius-rs1] primary accounting 192.168.0.112 [Switch-radius-rs1] key authentication simple radius [Switch-radius-rs1] key accounting simple radius # Configure the switch to remove the ISP domain name from the usernames sent to the RADIUS server.
  • Page 194 Verifying the configuration # Verify that the portal configuration has taken effect. [Switch] display portal interface vlan-interface 100 Portal information of Vlan-interface 100 VSRP instance: -- VSRP state: N/A Authorization Strict checking Disabled User profile Disabled IPv4: Portal status: Enabled Authentication type: Direct Portal Web server: newpt Authentication domain: Not configured...
  • Page 195: Troubleshooting Portal

    Total portal users: 1 Username: abc Portal server: newpt State: Online VPN instance: -- VLAN Interface 0015-e9a6-7cfe 2.2.2.2 vlan-interface 100 Authorization information: IP pool: N/A User profile: N/A Session group profile: N/A ACL: N/A CAR: N/A Troubleshooting portal No portal authentication page is pushed for users Symptom When a user is redirected to the IMC portal authentication server, no portal authentication page or error message is prompted for the user.
  • Page 196: Cannot Log Out Portal Users On The Radius Server

    Cannot log out portal users on the RADIUS server Symptom The access device uses the HPE IMC server as the RADIUS server to perform identity authentication for portal users. You cannot log out the portal users on the RADIUS server.
  • Page 197: Re-Dhcp Portal Authenticated Users Cannot Log In Successfully

    Re-DHCP portal authenticated users cannot log in successfully Symptom The device performs re-DHCP portal authentication for users. A user enters the correct username and password, and the client successfully obtains the private and public IP addresses. However, the authentication result for the user is failure. Analysis When the access device detects that the client IP address is changed, it sends an unsolicited portal packet to notify of the IP change to the portal authentication server.
  • Page 198: Configuring Port Security

    Configuring port security Overview Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control. This feature applies to networks, such as a WLAN, that require different authentication methods for different users on a port. Port security provides the following functions: •...
  • Page 199 Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC address or performs authentication, depending on the security mode. If the frame is illegal, the port takes the predefined NTK or intrusion protection action.
  • Page 200 A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC address. Instead, these MAC addresses are added to the secure MAC address table as secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.
  • Page 201: Configuration Task List

    In this mode, the port performs 802.1X authentication first. If 802.1X authentication fails, MAC authentication is performed. • macAddressOrUserLoginSecureExt. This mode is similar to the macAddressOrUserLoginSecure mode, except that this mode supports multiple 802.1X and MAC authentication users. • macAddressElseUserLoginSecure. This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority as the Else keyword implies.
  • Page 202: Setting Port Security's Limit On The Number Of Secure Mac Addresses On A Port

    Step Command Remarks disabled. You can use the undo port-security enable command to disable port security. Because the command logs off the online users, make sure no online users are present. Enabling or disabling port security resets the following security settings to the default: •...
  • Page 203: Configuring Port Security Features

    • If you are configuring the autoLearn mode, set port security's limit on the number of secure MAC addresses. You cannot change the setting when the port is operating in autoLearn mode. When you set the port security mode, follow these guidelines: •...
  • Page 204: Configuring Intrusion Protection

    The NTK feature drops any unicast frame with an unknown destination MAC address. Not all port security modes support triggering the NTK feature. For more information, see Table To configure the NTK feature: Step Command Remarks Enter system view. system-view Enter Layer Ethernet...
  • Page 205: Configuration Prerequisites

    When the maximum number of secure MAC address entries is reached, the port changes to secure mode. In secure mode, the port cannot add or learn any more secure MAC addresses. The port allows only frames sourced from secure MAC addresses or MAC addresses configured by using the mac-address dynamic or mac-address static command to pass through.
  • Page 206: Ignoring Authorization Information From The Server

    Step Command Remarks Enter system view. system-view (Optional.) Set the secure MAC aging timer. port-security timer autolearn aging time-value By default, secure MAC addresses do not age out. • In system view: port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id By default, no secure MAC address exists.
  • Page 207: Applying A Nas-Id Profile To Port Security

    As a best practice, enable MAC move for wireless users that roam between ports to access the network. To enable MAC move: Step Command Remarks Enter system view. system-view Enable MAC move. port-security mac-move permit By default, MAC move is disabled. Applying a NAS-ID profile to port security By default, the device sends its device name in the NAS-Identifier attribute of all RADIUS requests.
  • Page 208: Enabling Snmp Notifications For Port Security

    This feature does not apply to VLAN authorization failure. The device logs off these users directly. To enable the authorization-fail-offline feature: Step Command Remarks Enter system view. system-view Enable authorization-fail-offline. port-security authorization-fail offline By default, this feature is disabled, and the device does not log off users who fail ACL or user profile...
  • Page 209: Port Security Configuration Examples

    Port security configuration examples autoLearn configuration example Network requirements As shown in Figure 71, configure port GigabitEthernet 1/0/1 on the device to meet the following requirements: • Accept up to 64 users without authentication. • Be permitted to learn and add MAC addresses as sticky MAC addresses, and set the secure MAC aging timer to 30 minutes.
  • Page 210 NAS-ID profile is not configured Dot1x-failure trap : Disabled Dot1x-logon trap : Disabled Dot1x-logoff trap : Enabled Intrusion trap : Disabled Address-learned trap : Enabled Mac-auth-failure trap : Disabled Mac-auth-logon trap : Enabled Mac-auth-logoff trap : Disabled OUI value list GigabitEthernet1/0/1 is link-up Port mode : autoLearn...
  • Page 211: Userloginwithoui Configuration Example

    # After the port is re-enabled, delete several secure MAC addresses. [Device] undo port-security mac-address security sticky 0002-0000-0015 vlan 1 [Device] undo port-security mac-address security sticky 0002-0000-0014 vlan 1 # Verify that the port security mode of the port changes to autoLearn, and the port can learn MAC addresses again.
  • Page 212: Configure Port Security

    [Device-radius-radsun] timer response-timeout 5 [Device-radius-radsun] retry 5 [Device-radius-radsun] timer realtime-accounting 15 [Device-radius-radsun] user-name-format without-domain [Device-radius-radsun] quit # Configure ISP domain sun. [Device] domain sun [Device-isp-sun] authentication lan-access radius-scheme radsun [Device-isp-sun] authorization lan-access radius-scheme radsun [Device-isp-sun] accounting lan-access radius-scheme radsun [Device-isp-sun] quit Set the 802.1X authentication method to CHAP.
  • Page 213 retransmission interval(seconds) Timeout Interval(seconds) Retransmission Times Retransmission Times for Accounting Update : 5 Server Quiet Period(minutes) Realtime Accounting Interval(minutes) : 15 NAS IP Address : Not configured : Not configured User Name Format : without-domain Data flow unit : Byte Packet unit : one Attribute-15 check-mode...
  • Page 214: Macaddresselseuserloginsecure Configuration Example

    # Display information about the online 802.1X user to verify 802.1X configuration. [Device] display dot1x # Verify that the port also allows one user whose MAC address has an OUI among the specified OUIs to pass authentication. [Device] display mac-address interface gigabitethernet 1/0/1 MAC Address VLAN ID State...
  • Page 215 # Set the 802.1X authentication method to CHAP. By default, the authentication method for 802.1X is CHAP. [Device] dot1x authentication-method chap # Set port security's limit on the number of MAC addresses to 64 on the port. [Device] interface gigabitethernet 1/0/1 [Device-GigabitEthernet1/0/1] port-security max-mac-count 64 # Set the port security mode to macAddressElseUserLoginSecure.
  • Page 216 Username : mac Password : Not configured Offline detect period : 60 s Quiet period : 5 s Server timeout : 100 s Authentication domain : sun Max MAC-auth users : 2048 per slot Online MAC-auth users Silent MAC users: MAC address VLAN ID From port...
  • Page 217: Troubleshooting Port Security

    Domain delimiter Max 802.1X users : 2048 per slot Online 802.1X users GigabitEthernet1/0/1 is link-up 802.1X authentication : Enabled Handshake : Enabled Handshake reply : Disabled Handshake security : Disabled Unicast trigger : Disabled Periodic reauth : Disabled Port role : Authenticator Authorization mode : Auto...
  • Page 218: Cannot Configure Secure Mac Addresses

    Analysis For a port operating in a port security mode other than noRestrictions, you cannot change the port security mode by using the port-security port-mode command. Solution To resolve the problem: Set the port security mode to noRestrictions. [Device-GigabitEthernet1/0/1] undo port-security port-mode Set a new port security mode for the port, for example, autoLearn.
  • Page 219: Configuring Password Control

    Configuring password control Overview Password control allows you to implement the following features: • Manage login and super password setup, expirations, and updates for device management users. • Control user login status based on predefined policies. Local users are divided into two types: device management users and network access users. This feature applies only to device management users.
  • Page 220: Password Updating And Expiration

    when a user configures a password, the system checks the complexity of the password. If the password is complexity-incompliant, the configuration will fail. You can apply the following password complexity requirements: • A password cannot contain the username or the reverse of the username. For example, if the username is abc, a password such as abc982 or 2cba is not complex enough.
  • Page 221: User Login Control

    Current login passwords of device management users are not stored in the password history. This is because a device management user password is saved in cipher text and cannot be recovered to a plaintext password. User login control First login With the global password control feature enabled, users must change the password at first login before they can access the system.
  • Page 222: Fips Compliance

    FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. Password control configuration task list The password control features can be configured in several different views, and different views support different features.
  • Page 223: Setting Global Password Control Parameters

    Step Command Remarks Enter system view. system-view Enable the global password control feature. password-control enable • In non-FIPS mode, the global password control feature is disabled by default. • In FIPS mode, the global password control feature is enabled by default and cannot be disabled. (Optional.) Enable a specific password control feature: password-control aging... By default, all four password...
  • Page 224: Setting User Group Password Control Parameters

    Step Command Remarks each user. Specify the maximum number of login attempts and the action to be taken when a user fails to log in after the specified number of attempts. password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ] By default, the maximum number of login attempts is 3 and a user failing to log in after the specified...
  • Page 225: Setting Local User Password Control Parameters

    Setting local user password control parameters Step Command Remarks Enter system view. system-view Create a device management user and enter its view. local-user user-name class manage By default, no local user exists. Local user password control applies to device management users instead of network access users.
  • Page 226: Displaying And Maintaining Password Control

    Step 1. Enter system view. Command: system-view.
    Step 2. Set the password expiration time for super passwords. Command: password-control super aging aging-time. Remarks: The default setting is 90 days.
    Step 3. Configure the minimum length for super passwords. Command: password-control super length length. Remarks: • In non-FIPS mode, the default setting is ... characters. •...
  • Page 227: Configuration Procedure

    • A password expires after 30 days.
    • The minimum password update interval is 36 hours.
    • The maximum account idle time is 30 days.
    • A password cannot contain the username or the reverse of the username.
    • No character appears consecutively three or more times in a password.
    Configure a super password control policy for user role network-operator to meet the following requirements: •...
  • Page 228: Verifying The Configuration

    [Sysname] password-control super composition type-number 4 type-length 5
    # Configure a super password used for switching to user role network-operator as 123456789ABGFTweuix@#$%! in plain text.
    [Sysname] super password role network-operator simple 123456789ABGFTweuix@#$%!
    Updating user information. Please wait ...
    # Create a device management user named test.
    [Sysname] local-user test class manage
    # Set the service type of the user to Telnet.
  • Page 229 # Display the password control configuration for local user test. <Sysname> display local-user user-name test class manage Total 1 local users matched. Device management user test: State: Active Service type: Telnet User group: system Bind attributes: Authorization attributes: Work directory: flash: User role list: network-operator...
  • Page 230: Managing Public Keys

    Managing public keys. Overview: This chapter describes public key management for the following asymmetric key algorithms:
    • Rivest-Shamir-Adleman Algorithm (RSA).
    • Digital Signature Algorithm (DSA).
    • Elliptic Curve Digital Signature Algorithm (ECDSA).
    Many security applications, including SSH, SSL, and PKI, use asymmetric key algorithms to secure communications between two parties, as shown in Figure 74.
  • Page 231 • If you do not assign the key pair a name, the system assigns the default name to the key pair and marks the key pair as default. You can also assign the default name to another key pair, but the system does not mark the key pair as default.
  • Page 232: Distributing A Local Host Public Key

    Distributing a local host public key You must distribute a local host public key to a peer device so the peer device can perform the following operations: • Use the public key to encrypt information sent to the local device. •...
  • Page 233: Destroying A Local Key Pair

    Task: Display local RSA public keys. Command: display public-key local rsa public [ name key-name ]
    Task: Display local ECDSA public keys. Command: display public-key local ecdsa public [ name key-name ] (Available in Release 1121 and later.)
    Task: Display local DSA public keys. Command: display public-key local dsa public [ name key-name ]
  • Page 234: Entering A Peer Host Public Key

    Step 1. Enter system view. Command: system-view.
    Step 2. Import a peer host public key from a public key file. Command: public-key peer keyname import sshkey filename. Remarks: By default, no peer host public keys exist.
    Entering a peer host public key: Before you perform this task, make sure you have displayed the key on the peer device and recorded the key.
  • Page 235
    • Configure Device B to use the asymmetric key algorithm of RSA to authenticate Device A.
    • Manually specify the host public key of Device A on Device B.
    Figure 75 Network diagram (Device A and Device B; figure not reproduced)
    Configuration procedure. Configure Device A: # Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits.
  • Page 236: Example For Importing A Public Key From A Public Key File

    <DeviceB> system-view [DeviceB] public-key peer devicea Enter public key view. Return to system view with "peer-public-key end" command. [DeviceB-pkey-public-key-devicea]30819F300D06092A864886F70D010101050003818D003081 2818100DA3B90F59237347B [DeviceB-pkey-public-key-devicea]8D41B58F8143512880139EC9111BFD31EB84B6B7C7A14700 C8F04A827B30C2CAF79242E [DeviceB-pkey-public-key-devicea]45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A744 88EC54A5D31EFAE4F681257 [DeviceB-pkey-public-key-devicea]6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F B1F2D561BF66EA27DFD4788 [DeviceB-pkey-public-key-devicea]CB47440AF6BB25ACA50203010001 # Save the public key and return to system view. [DeviceB-pkey-public-key-devicea] peer-public-key end Verifying the configuration # Verify that the key is the same as on Device A.
  • Page 237 Configuration procedure Configure Device A: # Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits. <DeviceA> system-view [DeviceA] public-key local create rsa The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes.
  • Page 238 Configure Device B: # Use FTP in binary mode to get the public key file devicea.pub from Device A. <DeviceB> ftp 10.1.1.1 Connected to 10.1.1.1 (10.1.1.1). 220 FTP service ready. User(10.1.1.1:(none)):ftp 331 Password required for ftp. Password: 230 User logged in. Remote system type is UNIX.
  • Page 239: Configuring PKI

    Configuring PKI Overview Public Key Infrastructure (PKI) is an asymmetric key infrastructure to encrypt and decrypt data for securing network services. Data encrypted with the public key can be decrypted only with the private key. Likewise, data encrypted with the private key can be decrypted only with the public key. PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity.
  • Page 240: PKI Architecture

    • The private key is compromised. • The association between the subject and CA is changed. For example, when an employee terminates employment with an organization. CA policy A CA policy is a set of criteria that a CA follows to process certificate requests, to issue and revoke certificates, and to publish CRLs.
  • Page 241: PKI Applications

    A PKI entity submits a certificate request to the RA. The RA verifies the identity of the entity and sends a digital signature containing the identity information and the public key to the CA. The CA verifies the digital signature, approves the request, and issues a certificate. After receiving the certificate from the CA, the RA sends the certificate to the certificate repositories and notifies the PKI entity that the certificate has been issued.
  • Page 242: FIPS Compliance

    FIPS compliance: The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
    PKI configuration task list. Tasks at a glance:
    (Required.) Configuring a PKI entity
    (Required.)...
  • Page 243: Configuring A PKI Domain

    To create multiple PKI entities, repeat this step.
    Step: Set a common name for the entity. Command: common-name common-name-string. Remarks: By default, the common name is not set.
    Step: Set the country code of the entity. Command: country country-code-string. Remarks: By default, the country code is not set.
  • Page 244 Step: (Optional.) Set the SCEP polling interval and the maximum number of polling attempts. Command: certificate request polling { count count | interval minutes }. Remarks: By default, the switch polls the CA server for the certificate request status every 20 minutes. The maximum number of polling attempts ...
  • Page 245: Requesting A Certificate

    Step 12. (Optional.) Specify a ...
    • Specify the source IPv4 address for protocol packets: source ip { ip-address | interface interface-type interface-number }
    Remarks: This task is required if the CA policy requires that the CA server accept certificate requests from a specific IP address or subnet.
  • Page 246: Configuring Automatic Certificate Request

    Configuring automatic certificate request IMPORTANT: The device does not support automatic certificate rollover. To avoid service interruptions, you must manually submit a certificate renewal request before the current certificate expires. In auto request mode, a PKI entity automatically submits a certificate request to the CA when an application works with the PKI entity that does not have a local certificate.
  • Page 247: Aborting A Certificate Request

    ... a key pair if the key pair specified in the PKI domain does not exist. The name, algorithm, and length of the key pair are configured in the PKI domain.
    Aborting a certificate request: Before the CA issues a certificate, you can abort a certificate request and change its parameters, such as the common name, country code, or FQDN.
  • Page 248: Configuration Procedure

    • If a CA certificate already exists locally, you cannot obtain it again in online mode. If you want to obtain a new one, use the pki delete-certificate command to remove the existing CA certificate and local certificates first. • If local or peer certificates already exist, you can obtain new local or peer certificates to overwrite the existing ones.
  • Page 249: Verifying Certificates Without CRL Checking

    Step 1. Enter system view. Command: system-view.
    Step 2. Enter PKI domain view. Command: pki domain domain-name.
    Step 3. (Optional.) Specify the URL of the CRL repository. Command: crl url url-string [ vpn-instance vpn-instance-name ]. Remarks: By default, the URL of the CRL repository is not specified.
    Step 4. Enable CRL checking. Remarks: By default, ... checking ...
  • Page 250: Exporting Certificates

    After you change the storage path for certificates or CRLs, the certificate files (with the .cer or .p12 extension) and CRL files (with the .crl extension) in the original path are moved to the new path. To specify the storage path for the certificates and CRLs: Task Command Remarks...
  • Page 251: Configuring A Certificate-Based Access Control Policy

    To remove a certificate:
    Step 1. Enter system view. Command: system-view.
    Step 2. Remove a certificate. Command: pki delete-certificate domain domain-name { ca | local | peer [ serial serial-num ] }. Remarks: If you use the peer keyword without specifying a serial number, the command removes peer certificates.
  • Page 252: Displaying And Maintaining PKI

    Step: Create a certificate access control rule. Command: rule [ id ] { deny | permit } group-name. Remarks: By default, no certificate access control rules are configured, and all certificates can pass the verification. You can create multiple access control rules ... certificate-based access control...
  • Page 253 Configuring the RSA Keon CA server. Create a CA server named myca. In this example, you must configure these basic attributes on the CA server:
    • Nickname—Name of the trusted CA.
    • Subject DN—DN attributes of the CA, including the common name (CN), organization unit ...
  • Page 254 ......++++++ ........++++++ Create the key pair successfully. Request a local certificate: # Obtain the CA certificate and save it locally. [Device] pki retrieve-certificate domain torsa ca The trusted CA's finger print is: fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8 Is the finger print correct?(Y/N):y Retrieved the certificates successfully.
  • Page 255: Requesting A Certificate From A Windows Server 2003 CA Server

    Full Name: DirName: CN = myca Signature Algorithm: sha1WithRSAEncryption b0:9d:d9:ac:a0:9b:83:99:bf:9d:0a:ca:12:99:58:60:d8:aa: 73:54:61:4b:a2:4c:09:bb:9f:f9:70:c7:f8:81:82:f5:6c:af: 25:64:a5:99:d1:f6:ec:4f:22:e8:6a:96:58:6c:c9:47:46:8c: f1:ba:89:b8:af:fa:63:c6:c9:77:10:45:0d:8f:a6:7f:b9:e8: 25:90:4a:8e:c6:cc:b8:1a:f8:e0:bc:17:e0:6a:11:ae:e7:36: 87:c4:b0:49:83:1c:79:ce:e2:a3:4b:15:40:dd:fe:e0:35:52: ed:6d:83:31:2c:c2:de:7c:e0:a7:92:61:bc:03:ab:40:bd:69: 1b:f5 To display detailed information about the CA certificate, use the display pki certificate domain command. Requesting a certificate from a Windows Server 2003 CA server Network requirements Configure the PKI entity (the device) to request a local certificate from a Windows Server 2003 CA...
  • Page 256 a. Select Control Panel > Administrative Tools > Internet Information Services (IIS) Manager from the start menu. b. Select Web Sites from the navigation tree. c. Right-click Default Web Site and select Properties > Home Directory. d. Specify the path for certificate service in the Local path box. e.
  • Page 257 SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4 Is the finger print correct?(Y/N):y Retrieved the certificates successfully. # Submit a certificate request manually. [Device] pki request-certificate domain winserver Start to request the general certificate ... …… Certificate requested successfully. Verifying the configuration # Display information about the local certificate in PKI domain winserver.
  • Page 258: Requesting A Certificate From An OpenCA Server

    herment X509v3 Subject Key Identifier: C9:BB:D5:8B:02:1D:20:5B:40:94:15:EC:9C:16:E8:9D:6D:FD:9F:34 X509v3 Authority Key Identifier: keyid:32:F1:40:BA:9E:F1:09:81:BD:A8:49:66:FF:F8:AB:99:4A:30:21:9 X509v3 CRL Distribution Points: Full Name: URI:file://\\g07904c\CertEnroll\sec.crl Authority Information Access: CA Issuers - URI:http://gc/CertEnroll/gc_sec.crt CA Issuers - URI:file://\\gc\CertEnroll\gc_sec.crt 1.3.6.1.4.1.311.20.2: .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e Signature Algorithm: sha1WithRSAEncryption 76:f0:6c:2c:4d:bc:22:59:a7:39:88:0b:5c:50:2e:7a:5c:9d: 6c:28:3c:c0:32:07:5a:9c:4c:b6:31:32:62:a9:45:51:d5:f5: 36:8f:47:3d:47:ae:74:6c:54:92:f2:54:9f:1a:80:8a:3f:b2: 14:47:fa:dc:1e:4d:03:d5:d3:f5:9d:ad:9b:8d:03:7f:be:1e: 29:28:87:f7:ad:88:1c:8f:98:41:9a:db:59:ba:0a:eb:33:ec: cf:aa:9b:fc:0f:69:3a:70:f2:fa:73:ab:c1:3e:4d:12:fb:99: 31:51:ab:c2:84:c0:2f:e5:f6:a7:c3:20:3c:9a:b0:ce:5a:bc: 0f:d9:34:56:bc:1e:6f:ee:11:3f:7c:b2:52:f9:45:77:52:fb: 46:8a:ca:b7:9d:02:0d:4e:c3:19:8f:81:46:4e:03:1f:58:03:...
  • Page 259 Configuring the OpenCA server The configuration is not shown. For information about how to configure an OpenCA server, see related manuals. When you configure the CA server, use the OpenCA version later than version 0.9.2 because the earlier versions do not support SCEP. Configuring the device Synchronize the device's system time with the CA server for the device to correctly request certificates.
  • Page 260 fingerprint:5AA3 DEFD 7B23 2A25 16A3 14F4 C81C C0FA SHA1 fingerprint:9668 4E63 D742 4B09 90E0 4C78 E213 F15F DC8E 9122 Is the finger print correct?(Y/N):y Retrieved the certificates successfully. # Submit a certificate request manually. [Device] pki request-certificate domain openca Start to request the general certificate ... ……...
  • Page 261: Certificate Import And Export Configuration Example

    Netscape Comment: User Certificate of OpenCA Labs X509v3 Subject Key Identifier: 24:71:C9:B8:AD:E1:FE:54:9A:EA:E9:14:1B:CD:D9:45:F4:B2:7A:1B X509v3 Authority Key Identifier: keyid:85:EB:D5:F7:C9:97:2F:4B:7A:6D:DD:1B:4D:DD:00:EE:53:CF:FD:5B X509v3 Issuer Alternative Name: DNS:root@docm.com, DNS:, IP Address:192.168.154.145, IP Address:192.168.154.138 Authority Information Access: CA Issuers - URI:http://192.168.222.218/pki/pub/cacert/cacert.crt OCSP - URI:http://192.168.222.218:2560/ 1.3.6.1.5.5.7.48.12 - URI:http://192.168.222.218:830/ X509v3 CRL Distribution Points: Full Name: URI:http://192.168.222.218/pki/pub/crl/cacrl.crl...
  • Page 262 Figure 82 Network diagram (Device A, 1) Export, IP network, Host; Device B, 2) Import, IP network, Host; figure not reproduced). Configuration procedure. Export the certificate on Device A to specified files:
    # Export the CA certificate to a .pem file.
    <DeviceA> system-view
    [DeviceA] pki export domain exportdomain pem ca filename pkicachain.pem
    # Export the local certificate to a file named pkilocal.pem in PEM format, and use 3DES_CBC to encrypt the private key with the password 111111.
  • Page 263 friendlyName: localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8 subject=/C=CN/O=OpenCA Labs/OU=Users/CN=subencr 11 issuer=/C=CN/L=shangdi/ST=pukras/O=OpenCA Labs/OU=docm/CN=subca1 -----BEGIN CERTIFICATE----- MIIEUDCCAzigAwIBAgIKCHxnAVyzWhIPLzANBgkqhkiG9w0BAQsFADBmMQswCQYD … -----END CERTIFICATE----- Bag Attributes friendlyName: localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8 Key Attributes: <No Attributes>...
  • Page 264 Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=docm, CN=subca1 Validity Not Before: May 26 05:56:49 2011 GMT Not After : Nov 22 05:56:49 2012 GMT Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subsign 11 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:9f:6e:2f:f6:cb:3d:08:19:9a:4a:ac:b4:ac:63: ce:8d:6a:4c:3a:30:19:3c:14:ff:a9:50:04:f5:00:...
  • Page 265 Signature Algorithm: sha256WithRSAEncryption 18:e7:39:9a:ad:84:64:7b:a3:85:62:49:e5:c9:12:56:a6:d2: 46:91:53:8e:84:ba:4a:0a:6f:28:b9:43:bc:e7:b0:ca:9e:d4: 1f:d2:6f:48:c4:b9:ba:c5:69:4d:90:f3:15:c4:4e:4b:1e:ef: 2b:1b:2d:cb:47:1e:60:a9:0f:81:dc:f2:65:6b:5f:7a:e2:36: 29:5d:d4:52:32:ef:87:50:7c:9f:30:4a:83:de:98:8b:6a:c9: 3e:9d:54:ee:61:a4:26:f3:9a:40:8f:a6:6b:2b:06:53:df:b6: 5f:67:5e:34:c8:c3:b5:9b:30:ee:01:b5:a9:51:f9:b1:29:37: 02:1a:05:02:e7:cc:1c:fe:73:d3:3e:fa:7e:91:63:da:1d:f1: db:28:6b:6c:94:84:ad:fc:63:1b:ba:53:af:b3:5d:eb:08:b3: 5b:d7:22:3a:86:c3:97:ef:ac:25:eb:4a:60:f8:2b:a3:3b:da: 5d:6f:a5:cf:cb:5a:0b:c5:2b:45:b7:3e:6e:39:e9:d9:66:6d: ef:d3:a0:f6:2a:2d:86:a3:01:c4:94:09:c0:99:ce:22:19:84: 2b:f0:db:3e:1e:18:fb:df:56:cb:6f:a2:56:35:0d:39:94:34: 6d:19:1d:46:d7:bf:1a:86:22:78:87:3e:67:fe:4b:ed:37:3d: d6:0a:1c:0b Certificate: Data: Version: 3 (0x2) Serial Number: 08:7c:67:01:5c:b3:5a:12:0f:2f Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=docm, CN=subca1 Validity Not Before: May 26 05:58:26 2011 GMT Not After : Nov 22 05:58:26 2012 GMT Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subencr 11 Subject Public Key Info:...
  • Page 266: Troubleshooting PKI Configuration

    X509v3 Key Usage: Key Encipherment, Data Encipherment Netscape Comment: Server of OpenCA Labs X509v3 Subject Key Identifier: CC:96:03:2F:FC:74:74:45:61:38:1F:48:C0:E8:AA:18:24:F0:2B:AB X509v3 Authority Key Identifier: keyid:70:54:40:61:71:31:02:06:8C:62:11:0A:CC:A5:DB:0E:7E:74:DE:DD X509v3 Subject Alternative Name: email:subencr@docm.com X509v3 Issuer Alternative Name: DNS:subca1@docm.com, DNS:, IP Address:1.1.2.2, IP Address:2.2.1.1 Authority Information Access: CA Issuers - URI:http://titan/pki/pub/cacert/cacert.crt OCSP - URI:http://titan:2560/ 1.3.6.1.5.5.7.48.12 - URI:http://titan:830/...
  • Page 267: Failed To Obtain The CA Certificate

    Failed to obtain the CA certificate Symptom The CA certificate cannot be obtained. Analysis • The network connection is down, for example, because the network cable is damaged or the connectors have bad contact. • No trusted CA is specified. •...
  • Page 268: Failed To Request Local Certificates

    Check the registration policy on the CA or RA, and make sure the attributes of the PKI entity meet the policy requirements. Obtain the CRL from the CRL repository. Specify the correct source IP address that the CA server can accept. For the correct settings, contact the CA administrator.
  • Page 269: Failed To Import The CA Certificate

    Analysis • The network connection is down, for example, because the network cable is damaged or the connectors have bad contact. • No CA certificate has been obtained before you try to obtain CRLs. • The URL of the CRL repository is not configured and cannot be obtained from the CA certificate or local certificates in the PKI domain.
  • Page 270: Failed To Import A Local Certificate

    Failed to import a local certificate Symptom A local certificate cannot be imported. Analysis • The PKI domain does not have a locally stored CA certificate, and the certificate file to be imported does not contain the CA certificate chain. •...
  • Page 271: Failed To Set The Storage Path

    If the problem persists, contact Hewlett Packard Enterprise Support. Failed to set the storage path Symptom The storage path for certificates or CRLs cannot be set. Analysis • The specified storage path does not exist. • The specified storage path is illegal. •...
  • Page 272: Configuring IPsec

    Configuring IPsec The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide). CAUTION: •...
  • Page 273: Security Protocols And Encapsulation Modes

    Security protocols and encapsulation modes Security protocols IPsec comes with two security protocols, AH and ESP. They define how to encapsulate IP packets and the security services that they can provide. • AH (protocol 51) defines the encapsulation of the AH header in an IP packet, as shown in Figure 85.
  • Page 274: Security Association

    Figure 85 shows how the security protocols encapsulate an IP packet in different encapsulation modes.
    Figure 85 Security protocol encapsulations in different modes (rows: AH, ESP, AH-ESP; columns: transport mode, tunnel mode; figure not reproduced)
    Security association...
  • Page 275: Authentication And Encryption

    Authentication and encryption Authentication algorithms IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. IPsec peers respectively calculate message digests for each packet. The receiver compares the local digest with that received from the sender. If the digests are identical, the receiver considers the packet intact and the sender's identity valid.
  • Page 276: Protocols And Standards

    • Standard mode—One IPsec tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one IPsec tunnel that is established solely for it. • Aggregation mode—One IPsec tunnel protects all data flows permitted by all the rules of an ACL.
  • Page 277: Implementing ACL-Based IPsec

    Implementing ACL-based IPsec Feature restrictions and guidelines ACLs for IPsec take effect only on traffic that is generated by the device and traffic that is destined for the device. They do not take effect on traffic forwarded through the device. For example, an ACL-based IPsec tunnel can protect log messages the device sends to a log server, but it cannot protect all the data flows and voice flows that are forwarded by the device.
  • Page 278: Configuring An ACL

    Configuring an ACL IPsec uses ACLs to identify the traffic to be protected. Keywords in ACL rules An ACL is a collection of ACL rules. Each ACL rule is a deny or permit statement. A permit statement identifies a data flow protected by IPsec, and a deny statement identifies a data flow that is not protected by IPsec.
  • Page 279 Step 1. Create an IPsec transform set and enter its view. Command: ipsec transform-set transform-set-name. Remarks: By default, no IPsec transform set exists.
    Step 2. (Optional.) Specify the security protocol for the IPsec transform set. Command: protocol { ah | ah-esp | esp }. Remarks: By default, the IPsec transform set uses ESP as the security protocol.
  • Page 280: Configuring A Manual IPsec Policy

    Step: ... authentication algorithm for AH:
    • non-FIPS mode: authentication-algorithm { md5 | sha1 } *
    • FIPS mode: authentication-algorithm sha1
    (Release 1121 and later.) Specify the authentication algorithm for AH:
    • non-FIPS mode: authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
    •...
  • Page 281 • The IPsec policies at the two ends must have IPsec transform sets that use the same security protocols, security algorithms, and encapsulation mode. • The remote IPv4 address configured on the local end must be the same as the primary IPv4 address of the interface applied with the IPsec policy at the remote end.
  • Page 282: Configuring An IKE-Based IPsec Policy

    • Configure an authentication key in hexadecimal format: sa hex-key authentication { inbound | outbound } ah { cipher | simple } key-value
    • Configure an authentication key in character format for ...: sa string-key { inbound | outbound } ah { cipher | ...
    Remarks: By default, no keys are configured for the IPsec SA. Configure keys correctly for the security...
  • Page 283 • The remote IP address of the IPsec tunnel is required on an IKE negotiation initiator and is optional on the responder. The remote IP address specified on the local end must be the same as the local IP address specified on the remote end. For an IPsec SA established through IKE negotiation: •...
  • Page 284 ... address of the interface to which the IPsec policy is applied. The local IP address specified by this command must be the same as the IP address used as the local IKE identity.
    Step: Specify the remote ... Command: remote-address ipv6 host-name | ipv4-address | ipv6 ... Remarks: By default, the remote IP address ...
  • Page 285 Step: (Optional.) Specify an ACL for the IPsec policy template. Command: security acl [ ipv6 ] { acl-number | name acl-name } [ aggregation | per-host ]. Remarks: By default, no ACL is specified for an IPsec policy template. You can specify only one ACL for an IPsec policy template.
  • Page 286: Applying An IPsec Policy To An Interface

    Step 13. Return to system view. Command: quit.
    Step 14. Configure the global SA lifetime. Command: ipsec global-duration { time-based seconds | traffic-based kilobytes }. Remarks: By default, the time-based SA lifetime is 3600 seconds, and the traffic-based lifetime is 1843200 kilobytes.
    Step 15. (Optional.) Enable the global IPsec idle timeout. Command: ipsec sa idle-time seconds. Remarks: By default, the global IPsec SA...
  • Page 287: Configuring IPsec Anti-Replay

    To enable ACL checking for de-encapsulated packets:
    Step 1. Enter system view. Command: system-view.
    Step 2. Enable ACL checking for de-encapsulated packets. Command: ipsec decrypt-check enable. Remarks: By default, this feature is enabled.
    Configuring IPsec anti-replay: The IPsec anti-replay feature protects networks against replay attacks by using a sliding window mechanism called the anti-replay window.
  • Page 288: Binding A Source Interface To An IPsec Policy

    • IPsec anti-replay sequence numbers for outbound packets. This feature, used together with IPsec redundancy, ensures uninterrupted IPsec traffic forwarding and anti-replay protection when the master device in an IRF fabric fails. To configure IPsec anti-replay redundancy: Step Command Remarks Enter system view.
  • Page 289: Enabling QoS Pre-Classify

    ... interface-type interface-number
    Enabling QoS pre-classify: If you apply both an IPsec policy and a QoS policy to an interface, QoS classifies packets by using the new headers added by IPsec. If you want QoS to classify packets by using the headers of the original IP packets, enable the QoS pre-classify feature.
  • Page 290: Configuring IPsec For IPv6 Routing Protocols

    You can configure the DF bit in system view and interface view. The interface-view DF bit setting takes precedence over the system-view DF bit setting. If the interface-view DF bit setting is not configured, the interface uses the system-view DF bit setting. Follow these guidelines when you configure the DF bit: •...
  • Page 291: Configuring A Manual IPsec Profile

    Configuring a manual IPsec profile An IPsec profile is similar to an IPsec policy. The difference is that an IPsec profile is uniquely identified by a name and it does not support ACL configuration. An IPsec profile defines the IPsec transform set used for protecting data flows, and specifies SPIs and the keys used by the SAs.
  • Page 292: Configuring SNMP Notifications For IPsec

    • Configure an authentication key in hexadecimal format for AH: hex-key authentication { inbound | outbound } ah { cipher | simple } key-value
    • Configure an authentication key in character format for AH: ...
    Remarks: By default, no keys are configured for the IPsec SA.
  • Page 293: Displaying And Maintaining IPsec

    Displaying and maintaining IPsec: Execute display commands in any view and reset commands in user view.
    Task: Display IPsec policy information. Command: display ipsec { ipv6-policy | policy } [ policy-name [ seq-number ] ]
    Task: Display IPsec policy template information. Command: display ipsec { ipv6-policy-template | policy-template } [ template-name [ seq-number ] ]
    Task: Display IPsec profile information. Command: ...
  • Page 294 [SwitchA-Vlan-interface1] ip address 2.2.2.1 255.255.255.0 [SwitchA-Vlan-interface1] quit # Configure an ACL to identify data flows between Switch A and Switch B. [SwitchA] acl number 3101 [SwitchA-acl-adv-3101] rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0 [SwitchA-acl-adv-3101] quit # Create an IPsec transform set named tran1. [SwitchA] ipsec transform-set tran1 # Specify the encapsulation mode as tunnel.
  • Page 295 # Specify the encapsulation mode as tunnel. [SwitchB-ipsec-transform-set-tran1] encapsulation-mode tunnel # Specify the security protocol as ESP. [SwitchB-ipsec-transform-set-tran1] protocol esp # Specify the ESP encryption and authentication algorithms. [SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-192 [SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [SwitchB-ipsec-transform-set-tran1] quit # Create a manual IPsec policy entry. Specify the policy name as use1 and set the sequence number to 10.
  • Page 296: Configuring An IKE-Based IPsec Tunnel For IPv4 Packets

    remote address: 2.2.3.1 Flow: as defined in ACL 3101 [Inbound ESP SA] SPI: 54321 (0x0000d431) Transform set: ESP-ENCRYPT-AES-CBC-192 ESP-AUTH-SHA1 No duration limit for this SA [Outbound ESP SA] SPI: 12345 (0x00003039) Transform set: ESP-ENCRYPT-AES-CBC-192 ESP-AUTH-SHA1 No duration limit for this SA Configuring an IKE-based IPsec tunnel for IPv4 packets Network requirements As shown in...
  • Page 297 # Create the IKE keychain named keychain1. [SwitchA] ike keychain keychain1 # Specify 12345zxcvb!@#$%ZXCVB in plain text as the pre-shared key to be used with the peer 2.2.3.1. [SwitchA-ike-keychain-keychain1] pre-shared-key address 2.2.3.1 255.255.255.0 key simple 12345zxcvb!@#$%ZXCVB [SwitchA-ike-keychain-keychain1] quit # Create the IKE profile named profile1. [SwitchA] ike profile profile1 # Specify the keychain keychain1.
  • Page 298: Configuring IPsec For RIPng

    # Specify the ESP encryption and authentication algorithms. [SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-192 [SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [SwitchB-ipsec-transform-set-tran1] quit # Create the IKE keychain named keychain1. [SwitchB] ike keychain keychain1 # Specify 12345zxcvb!@#$%ZXCVB in plain text as the pre-shared key to be used with the peer 2.2.2.1.
  • Page 299 Figure 88 Network diagram (Switch A, Switch C, and Switch B; interfaces Vlan-int100 with 1::1/64 and 1::2/64, Vlan-int200 with 3::1/64 and 3::2/64; figure not reproduced). Requirements analysis: To meet the network requirements, perform the following tasks: Configure basic RIPng. For more information about RIPng configurations, see Layer 3—IP Routing Configuration Guide.
  • Page 300 Configure Switch B: # Configure IPv6 addresses for interfaces. (Details not shown.) # Configure basic RIPng. <SwitchB> system-view [SwitchB] ripng 1 [SwitchB-ripng-1] quit [SwitchB] interface vlan-interface 200 [SwitchB-Vlan-interface200] ripng 1 enable [SwitchB-Vlan-interface200] quit [SwitchB] interface vlan-interface 100 [SwitchB-Vlan-interface100] ripng 1 enable [SwitchB-Vlan-interface100] quit # Create and configure the IPsec transform set named tran1.
  • Page 301 # Create and configure the IPsec profile named profile001. [SwitchC] ipsec profile profile001 manual [SwitchC-ipsec-profile-profile001] transform-set tran1 [SwitchC-ipsec-profile-profile001] sa spi outbound esp 123456 [SwitchC-ipsec-profile-profile001] sa spi inbound esp 123456 [SwitchC-ipsec-profile-profile001] sa string-key outbound esp simple abcdefg [SwitchC-ipsec-profile-profile001] sa string-key inbound esp simple abcdefg [SwitchC-ipsec-profile-profile001] quit # Apply the IPsec profile to RIPng process 1.
  • Page 302 No duration limit for this SA...
  • Page 303: Configuring Ike

    Configuring IKE Unless otherwise specified, the term "IKE" in this chapter refers to IKEv1. The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide).
  • Page 304: Ike Security Mechanism

    Figure 90 IKE exchange process in main mode (Peer 1 and Peer 2). Algorithm negotiation: the initiator sends its local IKE policy; the responder searches for a matched policy and returns the confirmed policy in the SA exchange. Key generation: the peers exchange the initiator's and responder's keying data and each generates the key. Identity...
  • Page 305: Protocols And Standards

    DH algorithm The DH algorithm is a public key algorithm. With this algorithm, two peers can exchange keying material and then use the material to calculate the shared keys. Because recovering the shared secret from the exchanged public values requires solving a discrete logarithm problem that is computationally infeasible for the group sizes used, a third party cannot obtain the keys even after intercepting all the keying material. The Perfect Forward Secrecy (PFS) feature is a security feature based on the DH algorithm.
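The main-mode exchange of Figure 90 and the DH description above come together in the keying part of IKEv1 phase 1. The following Python is an added example, not code from this guide or from the switch software: it runs both peers of a main-mode exchange with pre-shared-key authentication and derives SKEYID, SKEYID_d, SKEYID_a and SKEYID_e exactly as RFC 2409 section 5 specifies, using HMAC-SHA1 as the prf (the "authentication-algorithm sha" default) and the 1024-bit MODP group that the CLI calls group2. The cookies, nonces, the SA and identity payload bytes are constructed stand-ins; the group is shown only because the page names it and is too small for new deployments.

```python
"""IKEv1 main-mode keying (RFC 2409) with pre-shared-key authentication, simulated end to end."""
import hashlib
import hmac
import secrets

# RFC 2409 "group2": 1024-bit MODP prime, generator 2. Shown because the page names it;
# it is too small for new deployments, prefer group14 or an ECP group (group19/group20).
MODP_1024 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GENERATOR = 2
GROUP_BYTES = 128  # g^x and g^xy are encoded as fixed-width big-endian integers


def prf(key: bytes, data: bytes) -> bytes:
    """The IKEv1 prf for 'authentication-algorithm sha' is HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def encode(n: int) -> bytes:
    return n.to_bytes(GROUP_BYTES, "big")


class Peer:
    """One IKE peer: pre-shared key, ISAKMP cookie, nonce and an ephemeral DH exponent."""

    def __init__(self, psk: bytes):
        self.psk = psk
        self.cookie = secrets.token_bytes(8)     # constructed stand-in for the ISAKMP cookie
        self.nonce = secrets.token_bytes(16)
        # A fresh exponent per exchange is what makes PFS possible: nothing long-lived
        # ever determines g^xy.
        self.x = secrets.randbelow(MODP_1024 - 2) + 1
        self.gx = pow(GENERATOR, self.x, MODP_1024)

    def derive(self, peer_gx: int, ni: bytes, nr: bytes, cky_i: bytes, cky_r: bytes) -> dict:
        """RFC 2409 section 5: SKEYID for PSK authentication, then SKEYID_d / _a / _e."""
        gxy = encode(pow(peer_gx, self.x, MODP_1024))  # shared secret, never sent on the wire
        skeyid = prf(self.psk, ni + nr)
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # seeds IPsec SA keys
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # authenticates IKE msgs
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # encrypts IKE msgs
        return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
                "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def main_mode(psk_initiator: bytes, psk_responder: bytes,
              sai_b: bytes = b"SAi_b", idii_b: bytes = b"IDii_b"):
    """Run the keying part of main mode. Returns (authenticated, initiator_keys, responder_keys).

    sai_b and idii_b are constructed stand-ins for the initiator's SA and identity payload bytes.
    """
    init, resp = Peer(psk_initiator), Peer(psk_responder)
    # Messages 3 and 4 carry KE (g^x) and the nonces in the clear: an eavesdropper sees all of it.
    k_i = init.derive(resp.gx, init.nonce, resp.nonce, init.cookie, resp.cookie)
    k_r = resp.derive(init.gx, init.nonce, resp.nonce, init.cookie, resp.cookie)
    # Message 5: HASH_I proves the initiator holds the same PSK and saw the same public values.
    transcript = encode(init.gx) + encode(resp.gx) + init.cookie + resp.cookie + sai_b + idii_b
    hash_i = prf(k_i["SKEYID"], transcript)
    expected = prf(k_r["SKEYID"], transcript)
    return hmac.compare_digest(hash_i, expected), k_i, k_r


if __name__ == "__main__":
    ok, ki, kr = main_mode(b"12345zxcvb!@#$%ZXCVB", b"12345zxcvb!@#$%ZXCVB")
    print("authenticated:", ok, "keys agree:", ki == kr)
```

Running it twice with the same pre-shared key yields different SKEYID_d values, which is the point of the ephemeral exponent: capturing one exchange and the PSK later does not hand an attacker the keys of another exchange. A mismatched PSK does not fail at derivation; it fails when HASH_I is checked, which is why the switch reports such failures at the authentication step rather than at key exchange.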
  • Page 306: Configuring An Ike Profile

    Tasks at a glance / Remarks (continued): (Optional.) Configuring the IKE keepalive feature. (Optional.) Configuring the IKE NAT keepalive feature. (Optional.) Configuring IKE DPD. (Optional.) Enabling invalid SPI recovery. (Optional.) Setting the maximum number of IKE SAs. (Optional.) Configuring SNMP notifications for IKE. Configuring an IKE profile: An IKE profile is intended to provide a set of parameters for IKE negotiation.
  • Page 307 Step / Command / Remarks: 1. Enter system view: system-view. 2. Create an IKE profile and enter its view: ike profile profile-name. By default, no IKE profile is configured. 3. match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address ... By default, an IKE profile has...
  • Page 308: Configuring An Ike Proposal

    Step / Command / Remarks (continued): 10. (Optional.) Specify an inside VPN instance: inside-vpn vpn-instance vpn-name. By default, no inside VPN instance is specified for an IKE profile, and the device forwards protected data to the VPN instance where the interface receiving the data resides. 11. (Optional.) Specify a priority for the IKE profile: priority number. By default, the priority of an...
  • Page 309: Configuring An Ike Keychain

    Step / Command / Remarks (continued): Specify an authentication algorithm. In Release 1111: non-FIPS mode: authentication-algorithm { md5 | sha }; FIPS mode: authentication-algorithm sha. By default, an IKE proposal uses the HMAC-SHA1 authentication algorithm in Release 1111. In Release 1121 and later: ... By default, an IKE proposal uses the HMAC-SHA1 authentication...
  • Page 310: Configuring The Global Identity Information

    Step / Command / Remarks (syntax of the pre-shared-key command, continued): { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } key { cipher cipher-key | simple simple-key }. For security purposes, pre-shared keys, including those configured in plain text, are saved in cipher text to the configuration file.
  • Page 311: Configuring The Ike Keepalive Feature

    Step / Command / Remarks (continued): ... supports only DN for signature authentication. Configuring the IKE keepalive feature: IKE sends keepalive packets to query the liveness of the peer. If the peer is configured with the keepalive timeout time, you must configure the keepalive interval on the local device. If the peer receives no keepalive packets during the timeout time, the IKE SA is deleted along with the IPsec SAs it negotiated.
  • Page 312: Enabling Invalid Spi Recovery

    • On-demand DPD—Sends a DPD message based on traffic. When the device has traffic to send and is not aware of the liveness of the peer, it sends a DPD message to query the status of the peer. If the device has no traffic to send, it never sends DPD messages. As a best practice, use the on-demand mode.
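The keepalive and DPD behaviour described on pages 311 and 312 is easiest to reason about as a small state machine. The Python below is an added example, not code from this guide or from the switch: it simulates one IKE SA's DPD in on-demand and periodic modes with a constructed one-second clock and a peer that either answers or has silently died. The interval and retry values are stand-ins for the ike dpd interval settings, and the total of three attempts before tear-down is an assumption of the example, not a figure stated on the page.

```python
"""On-demand vs periodic IKE DPD, as a discrete-time simulation of the behaviour described above."""


class DpdMonitor:
    """Liveness checks for one IKE SA.

    mode: "on-demand" or "periodic" (the ike dpd interval ... { on-demand | periodic } choice).
    interval: seconds of silence from the peer before a DPD request may be sent.
    retry: seconds to wait for a reply before retransmitting.
    max_attempts: ASSUMED total number of requests before the SA is torn down (not on the page).
    """

    def __init__(self, mode: str, interval: int, retry: int = 5, max_attempts: int = 3):
        assert mode in ("on-demand", "periodic")
        self.mode, self.interval, self.retry, self.max_attempts = mode, interval, retry, max_attempts
        self.last_rx = 0            # time of the last packet received from the peer
        self.last_dpd_sent = None   # time of the outstanding DPD request, if any
        self.attempts = 0
        self.sa_deleted = False
        self.sent = []              # (time, reason) log of DPD requests, for inspection

    def on_receive(self, now: int) -> None:
        """Any packet from the peer (including a DPD reply) proves liveness and cancels retries."""
        self.last_rx, self.last_dpd_sent, self.attempts = now, None, 0

    def tick(self, now: int, has_traffic: bool) -> None:
        if self.sa_deleted:
            return
        if self.last_dpd_sent is not None:                 # waiting for an answer
            if now - self.last_dpd_sent >= self.retry:
                if self.attempts >= self.max_attempts:     # peer is dead: drop IKE SA + IPsec SAs
                    self.sa_deleted = True
                else:
                    self._send(now, "retransmit")
            return
        liveness_unknown = now - self.last_rx >= self.interval
        # On-demand mode only probes when there is traffic to send; periodic mode probes regardless.
        if liveness_unknown and (self.mode == "periodic" or has_traffic):
            self._send(now, "probe")

    def _send(self, now: int, reason: str) -> None:
        self.attempts += 1
        self.last_dpd_sent = now
        self.sent.append((now, reason))


def simulate(mode: str, traffic_at: set, peer_alive: bool, horizon: int = 60) -> DpdMonitor:
    """Step one-second ticks; a live peer answers each DPD request one second later."""
    m = DpdMonitor(mode, interval=10, retry=5, max_attempts=3)
    for now in range(1, horizon + 1):
        if peer_alive and m.last_dpd_sent == now - 1:
            m.on_receive(now)
        m.tick(now, has_traffic=now in traffic_at)
    return m


if __name__ == "__main__":
    for mode, traffic in (("on-demand", set()), ("on-demand", {30}), ("periodic", set())):
        m = simulate(mode, traffic, peer_alive=False)
        print(mode, "traffic at", sorted(traffic), "sent", m.sent, "SA deleted:", m.sa_deleted)
```

The first scenario is the one worth remembering: in on-demand mode a dead peer with nothing to send to it is never detected, so the stale IKE SA (and its IPsec SAs) stays until traffic appears or the lifetime expires. That is acceptable when, as the page recommends, you only need the check to happen before data is actually sent; choose periodic mode where an idle but broken tunnel must be noticed quickly.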
  • Page 313: Setting The Maximum Number Of Ike Sas

    Step / Command / Remarks: Enable invalid SPI recovery: invalid-spi-recovery enable. By default, invalid SPI recovery is disabled. Setting the maximum number of IKE SAs: You can set the maximum number of half-open IKE SAs and the maximum number of established IKE SAs.
  • Page 314: Displaying And Maintaining Ike

    Step / Command / Remarks (continued): ... delete | tunnel-start | tunnel-stop | unsupport-exch-type ] *. Displaying and maintaining IKE: Execute display commands in any view and reset commands in user view. Task / Command: Display configuration information about all IKE proposals: display ike proposal. Display ... verbose ... connection-id...
  • Page 315 [SwitchA-acl-adv-3101] quit # Create IPsec transform set tran1. [SwitchA] ipsec transform-set tran1 # Set the packet encapsulation mode to tunnel. [SwitchA-ipsec-transform-set-tran1] encapsulation-mode tunnel # Use the ESP protocol for the IPsec transform set. [SwitchA-ipsec-transform-set-tran1] protocol esp # Specify the encryption and authentication algorithms. [SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-192 [SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [SwitchA-ipsec-transform-set-tran1] quit...
  • Page 316 [SwitchB-Vlan-interface1] quit # Configure ACL 3101 to identify traffic between Switch B and Switch A. [SwitchB] acl number 3101 [SwitchB-acl-adv-3101] rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.0 0 [SwitchB-acl-adv-3101] quit # Create IPsec transform set tran1. [SwitchB] ipsec transform-set tran1 # Set the packet encapsulation mode to tunnel.
  • Page 317: Verifying The Configuration

    Verifying the configuration # Initiate a connection from Switch A to Switch B to trigger IKE negotiation. After IPsec SAs are successfully negotiated by IKE, traffic between the two switches is IPsec protected. Troubleshooting IKE IKE negotiation failed because no matching IKE proposals were found Symptom The IKE SA is in Unknown state.
  • Page 318: Ipsec Sa Negotiation Failed Because No Matching Ipsec Transform Sets Were Found

    IKE packet debugging message: Construct notification packet: PAYLOAD_MALFORMED. Analysis • If the following debugging information appeared, the matched IKE profile is not using the matched IKE proposal: Failed to find proposal 1 in profile profile1. • If the following debugging information appeared, the matched IKE profile is not using the matched IKE keychain: Failed to find keychain keychain1 in profile profile1.
  • Page 319 Analysis Certain IPsec policy settings of the responder are incorrect. Verify the settings as follows: Use the display ike sa verbose command to verify that matching IKE profiles were found in IKE negotiation phase 1. If no matching IKE profiles were found and the IPsec policy has an IKE profile specified, the IPsec SA negotiation fails.
  • Page 320 IKE profile: profile1 SA duration(time based): SA duration(traffic based): SA idle time: Verify that the ACL used by the IPsec policy is correctly configured. If the flow range defined by the responder's ACL is smaller than that defined by the initiator's ACL, IPsec proposal matching will fail.
  • Page 321 For example: [Sysname] display acl 3000 Advanced ACL 3000, named -none-, 2 rules, ACL's step is 5 rule 0 permit ip source 192.168.222.0 0.0.0.255 destination 192.168.222.0 0.0.0.255 Configure the missing settings (for example, the remote address).
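The troubleshooting step above ("if the flow range defined by the responder's ACL is smaller than that defined by the initiator's ACL, IPsec proposal matching will fail") can be checked offline before the tunnel is brought up. The Python below is an added example, not code from this guide: it parses Comware-style advanced ACL rules with wildcard masks (the format shown in the display acl output above and in the configuration examples) into networks and checks that the responder's rule covers the initiator's flow seen in mirror image. The rule lines are constructed from the page's own examples; support for the keyword any is an assumption of the example.

```python
"""Check that the responder's IPsec ACL covers the initiator's flow (the troubleshooting step above)."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# rule <id> permit <proto> source <addr> [<wildcard>] destination <addr> [<wildcard>]
RULE = re.compile(
    r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"\s+source\s+(?P<src>\S+)(?:\s+(?P<swc>[\d.]+))?"
    r"\s+destination\s+(?P<dst>\S+)(?:\s+(?P<dwc>[\d.]+))?")


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """Comware wildcard masks: 0 bits must match. '0' means a single host, 0.0.0.255 a /24.
    'any' is treated as 0.0.0.0/0 (assumption of this example)."""
    if addr == "any":
        return ip_network("0.0.0.0/0")
    w = int(ip_address(wildcard)) if "." in wildcard else int(wildcard)
    if (w + 1) & w:   # non-contiguous wildcard such as 0.0.255.0 is not a single subnet
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


@dataclass(frozen=True)
class Flow:
    rule_id: int
    source: IPv4Network
    destination: IPv4Network


def parse_rule(line: str) -> Flow:
    m = RULE.search(line)
    if not m or m["action"] != "permit":
        raise ValueError(f"not a permit rule: {line!r}")
    return Flow(int(m["id"]),
                wildcard_to_network(m["src"], m["swc"] or "0"),
                wildcard_to_network(m["dst"], m["dwc"] or "0"))


def responder_gaps(initiator: Flow, responder: Flow) -> list:
    """The responder sees the flow mirrored: its source must cover the initiator's destination
    and its destination must cover the initiator's source. Any range it leaves out makes the
    IPsec SA negotiation fail (the initiator offers a selector the responder cannot accept)."""
    problems = []
    if not initiator.destination.subnet_of(responder.source):
        problems.append(f"responder source {responder.source} does not cover "
                        f"initiator destination {initiator.destination}")
    if not initiator.source.subnet_of(responder.destination):
        problems.append(f"responder destination {responder.destination} does not cover "
                        f"initiator source {initiator.source}")
    return problems


if __name__ == "__main__":
    # Constructed from the page's Switch A / Switch B examples.
    a = parse_rule("rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0")
    b = parse_rule("rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.0 0")
    print(responder_gaps(a, b) or "responder ACL covers the initiator's flow")
```

Note the page's Switch B example uses destination 1.1.1.0 with wildcard 0, which is the single host 1.1.1.0 and does not cover Switch A's source 1.1.1.1; the check reports exactly that gap, which is the symptom the troubleshooting section describes.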
  • Page 322: Configuring Ikev2

    Configuring IKEv2 Overview Internet Key Exchange version 2 (IKEv2) is an enhanced version of IKEv1. Like IKEv1, IKEv2 has a set of self-protection mechanisms and can be used on insecure networks for reliable identity authentication, key distribution, and IPsec SA negotiation. IKEv2 provides stronger protection against attacks and better key exchange capability, and it needs fewer message exchanges than IKEv1.
  • Page 323: New Features In Ikev2

    New features in IKEv2 DH guessing In the IKE_SA_INIT exchange, the initiator guesses the DH group that the responder is most likely to use and sends it in an IKE_SA_INIT request message. If the initiator's guess is correct, the responder responds with an IKE_SA_INIT response message and the IKE_SA_INIT exchange is finished.
  • Page 324: Ikev2 Configuration Task List

    IKEv2 configuration task list Determine the following parameters prior to IKEv2 configuration: • The strength of the algorithms for IKEv2 negotiation, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. Different algorithms provide different levels of protection. A stronger algorithm means better resistance to decryption of protected data but requires more resources.
  • Page 325 The device compares the received peer ID with the peer IDs of its local IKEv2 profiles. If a match is found, it uses the IKEv2 profile with the matching peer ID for IKEv2 negotiation. IKEv2 profiles will be compared in descending order of their priorities. Specify a local interface or IP address for the IKEv2 profile so the profile can be applied only to the specified interface or IP address.
  • Page 326 Step / Command / Remarks (continued): ... remote identity ... Specify the local and remote authentication methods: ... { dsa-signature | ecdsa-signature | pre-share | rsa-signature }. By default, no authentication method is configured. Specify a keychain: keychain keychain-name. By default, no keychain is specified for an IKEv2 profile. Perform this task when the pre-shared authentication method is specified.
  • Page 327: Configuring An Ikev2 Policy

    Step / Command / Remarks (continued): ... interval. 15. (Optional.) Enable the configuration exchange feature: config-exchange { request | set { accept | send } }. By default, configuration exchange options are disabled. Configuring an IKEv2 policy: During the IKE_SA_INIT exchange, each end tries to find a matching IKEv2 policy, using the IP address of the local security gateway as the matching criterion.
  • Page 328 A complete IKEv2 proposal must have at least one set of security parameters, including one encryption algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group. You can specify multiple IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a higher priority.
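Proposal completeness and priority order, as described in the task list on page 324 and the paragraph above, decide which transforms a tunnel ends up with. The Python below is an added example, not code from this guide or from the switch: it models IKEv2 proposals as sets of transforms per type, skips incomplete proposals, walks the local policy in priority order, requires an overlap in all four types with one remote proposal, and flags any chosen transform that is weak by current standards. The proposals and the weak-algorithm list are constructed for the example; the names follow the page's CLI keywords.

```python
"""IKEv2 proposal matching with priority order and a weak-algorithm check."""
from dataclasses import dataclass

TYPES = ("encryption", "integrity", "prf", "dh")
# Transforms a practitioner should refuse to negotiate today (constructed list; CLI keyword names).
WEAK = {"des-cbc", "3des-cbc", "md5", "group1", "group2", "group5"}


@dataclass(frozen=True)
class Ikev2Proposal:
    name: str
    encryption: tuple = ()
    integrity: tuple = ()
    prf: tuple = ()
    dh: tuple = ()


def missing_types(p: Ikev2Proposal) -> list:
    """A complete proposal needs at least one transform of every type."""
    return [t for t in TYPES if not getattr(p, t)]


def negotiate(local_policy: list, remote_proposals: list):
    """Return the first local proposal (in policy order) that shares a transform of every type
    with some remote proposal, together with the chosen transforms and any weak ones among them.
    Returns None when nothing matches, which is the 'no matching IKEv2 proposals' failure."""
    for lp in local_policy:
        if missing_types(lp):
            continue                        # incomplete proposals can never match
        for rp in remote_proposals:
            chosen = {}
            for t in TYPES:
                common = [a for a in getattr(lp, t) if a in getattr(rp, t)]
                if not common:
                    break                   # no overlap in this type: try the next remote proposal
                chosen[t] = common[0]       # earlier in the local list wins
            else:
                weak = sorted(a for a in chosen.values() if a in WEAK)
                return {"local": lp.name, "remote": rp.name, "chosen": chosen, "weak": weak}
    return None


# Constructed proposals: a modern one and the 3DES / HMAC-MD5 / group 1 one the page's example uses.
STRONG = Ikev2Proposal("10", ("aes-cbc-256", "aes-cbc-128"), ("sha256",), ("sha256",),
                       ("group14", "group19"))
LEGACY = Ikev2Proposal("20", ("3des-cbc",), ("md5",), ("sha1",), ("group1",))


if __name__ == "__main__":
    result = negotiate([STRONG, LEGACY], [LEGACY])
    print(result)   # falls through to proposal 20 and reports the weak transforms it picked
```

Listing a legacy proposal after the strong one keeps interoperability with an old peer, but the fallback is silent unless you check for it, which is why the result carries the weak list: a policy that can negotiate 3DES with MD5 and group 1 will do so the moment the peer offers nothing else.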
  • Page 329: Configuring An Ikev2 Keychain

    Step / Command / Remarks (continued): In FIPS mode: prf { sha1 | sha256 | sha384 | sha512 } *. Specify the DH groups. In non-FIPS mode: dh { group1 | group14 | group19 | group2 | group20 | group24 | group5 } *. By default, an IKEv2 proposal does...
  • Page 330: Configure Global Ikev2 Parameters

    Configure global IKEv2 parameters Enabling the cookie challenging feature Enable cookie challenging on responders to protect them against DoS attacks that use a large number of source IP addresses to forge IKE_SA_INIT requests. To enable cookie challenging: Step Command Remarks Enter system view.
  • Page 331: Displaying And Maintaining Ikev2

    Step / Command / Remarks (continued): Set the IKEv2 NAT keepalive interval: ikev2 nat-keepalive seconds. By default, the IKEv2 NAT keepalive interval is 10 seconds. Displaying and maintaining IKEv2: Execute display commands in any view and reset commands in user view. Task / Command: Display the IKEv2 proposal configuration: display ikev2 proposal [ name | default ]. Display the IKEv2 policy configuration: ...
  • Page 332 # Configure IPv4 advanced ACL 3101 to identify traffic between Switch A and Switch B. [SwitchA] acl advanced 3101 [SwitchA-acl-ipv4-adv-3101] rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0 [SwitchA-acl-ipv4-adv-3101] quit # Create an IPsec transform set named tran1. [SwitchA] ipsec transform-set tran1 # Set the packet encapsulation mode to tunnel.
  • Page 333 [SwitchA-ipsec-policy-isakmp-map1-10] ikev2-profile profile1 [SwitchA-ipsec-policy-isakmp-map1-10] quit # Apply IPsec policy map1 to VLAN-interface 1. [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ipsec apply policy map1 [SwitchA-Vlan-interface1] quit Configure Switch B: # Assign an IP address to VLAN-interface 1. <SwitchB> system-view [SwitchB] interface Vlan-interface1 [SwitchB-Vlan-interface1] ip address 2.2.2.2 255.255.255.0 [SwitchB-Vlan-interface1] quit # Configure IPv4 advanced ACL 3101 to identify traffic between Switch A and Switch B.
  • Page 334: Ikev2 With Rsa Signature Authentication Configuration Example

    [SwitchB-ikev2-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0 [SwitchB-ikev2-profile-profile1] quit # Create an IKE-based IPsec policy entry. Specify the policy name as use1 and set the sequence number to 10. [SwitchB] ipsec policy use1 10 isakmp # Specify remote IP address 1.1.1.1 for the IPsec tunnel. [SwitchB-ipsec-policy-isakmp-use1-10] remote-address 1.1.1.1 # Specify ACL 3101 to identify the traffic to be protected.
  • Page 335 [SwitchA-vlan-interface1] quit # Configure IPv4 advanced ACL 3101 to identify traffic between Switch A and Switch B. [SwitchA] acl advanced 3101 [SwitchA-acl-ipv4-adv-3101] rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0 [SwitchA-acl-ipv4-adv-3101] quit # Create an IPsec transform set named tran1. [SwitchA] ipsec transform-set tran1 # Set the packet encapsulation mode to tunnel.
  • Page 336 [SwitchA-ikev2-profile-profile1] certificate domain domain1 # Set the local ID to FQDN name www.switcha.com. [SwitchA-ikev2-profile-profile1] identity local fqdn www.switcha.com # Specify the peer ID that the IKEv2 profile matches. The peer ID is FQDN name www.routerb.com. [SwitchA-ikev2-profile-profile1] match remote identity fqdn www.routerb.com [SwitchA-ikev2-profile-profile1] quit # Create an IKEv2 proposal named 10.
  • Page 337 [SwitchB-acl-ipv4-adv-3101] rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.0 0 [SwitchB-acl-ipv4-adv-3101] quit # Create an IPsec transform set named tran1. [SwitchB] ipsec transform-set tran1 # Set the packet encapsulation mode to tunnel. [SwitchB-ipsec-transform-set-tran1] encapsulation-mode tunnel # Use the ESP protocol for the IPsec transform set. [SwitchB-ipsec-transform-set-tran1] protocol esp # Specify the encryption and authentication algorithms.
  • Page 338 [SwitchB-ikev2-profile-profile2] match remote identity fqdn www.switcha.com [SwitchB-ikev2-profile-profile2] quit # Create an IKEv2 proposal named 10. [SwitchB] ikev2 proposal 10 # Specify the integrity protection algorithm as HMAC-MD5. [SwitchB-ikev2-proposal-10] integrity md5 # Specify the encryption algorithm as 3DES-CBC. [SwitchB-ikev2-proposal-10] encryption 3des-cbc # Specify the DH group as Group 1. (HMAC-MD5, 3DES-CBC, and DH group 1 appear here only because the example uses them; all three are weak by current standards, and a production proposal should use AES, a SHA-2 integrity algorithm, and DH group 14 or an ECP group such as group19.)
  • Page 339: Troubleshooting Ikev2

    Troubleshooting IKEv2. IKEv2 negotiation failed because no matching IKEv2 proposals were found. Symptom: The IKEv2 SA is in IN-NEGO status. <Sysname> display ikev2 sa (columns Tunnel ID / Local / Remote / Status): 123.234.234.124/500 123.234.234.123/500 IN-NEGO. Status: IN-NEGO: Negotiating, EST: Establish, DEL: Deleting. Analysis: Certain IKEv2 proposal settings are incorrect.
  • Page 340 Solution Use the display ikev2 sa command to examine whether an IKEv2 SA exists on both ends. If the IKEv2 SA on one end is lost, delete the IKEv2 SA on the other end by using the reset ikev2 sa command and trigger new negotiation. If an IKEv2 SA exists on both ends, go to the next step.
  • Page 341: Configuring Ssh

    Configuring SSH Overview Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. SSH uses the typical client-server model to establish a channel for secure data transfer based on TCP.
  • Page 342: Ssh Authentication Methods

    Stages / Description (continued): ... TCP connection. Version negotiation: The two parties determine a version to use. Algorithm negotiation: SSH supports multiple algorithms. Based on the local algorithms, the two parties negotiate the following algorithms: • Key exchange algorithm for generating session keys. •...
  • Page 343: Ssh Support For Suite B

    NOTE: SSH1 clients do not support secondary password authentication that is initiated by the AAA server. Publickey authentication The server authenticates a client by verifying the digital signature of the client. The publickey authentication process is as follows: The client sends the server a publickey authentication request that includes the username, public key, and public key algorithm name.
  • Page 344: Feature And Software Version Compatibility

    Feature and software version compatibility The following algorithms are available in Release 1121 and later: • Public key algorithm ECDSA. • Suite B algorithms. FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode.
  • Page 345: Generating Local Key Pairs

    Generating local key pairs The DSA, ECDSA, or RSA key pairs are required for generating the session keys and session ID in the key exchange stage. They can also be used by a client to authenticate the server. When a client authenticates the server, it compares the public key received from the server with the server's public key that the client saved locally.
  • Page 346: Enabling The Sftp Server

    Step / Command / Remarks: 1. Enter system view: system-view. 2. Enable the Stelnet server: ssh server enable. By default, the Stelnet server is disabled. Enabling the SFTP server: After you enable the SFTP server on the device, a client can log in to the device through SFTP. To enable the SFTP server: Step / Command...
  • Page 347: Configuring User Lines For Ssh Login

    Configuring user lines for SSH login Depending on the SSH application, an SSH client can be an Stelnet client, SFTP client, SCP client, or NETCONF-over-SSH client. Only Stelnet and NETCONF-over-SSH clients require the user line configuration. The user line configuration takes effect on the clients at the next login. To configure the user lines for Stelnet and NETCONF-over-SSH clients: Step Command...
  • Page 348: Configuring An Ssh User

    Step Command Remarks and carriage returns are removed automatically. For more information, see "Managing public keys." Return to system view. peer-public-key end Importing the client's host public key from the public key file Before you import the host public key, upload the client's public key file (in binary) to the server, for example, through FTP or TFTP.
  • Page 349: Configuring The Ssh Management Parameters

    • If the authentication method is password, the user role is authorized by the remote AAA server or the local device. • If the authentication method is publickey or password-publickey, the user role is specified by the authorization-attribute command in the associated local user view. •...
  • Page 350: Specifying A Pki Domain For The Ssh Server

    Step / Command / Remarks (continued): Enable the SSH server to support SSH1 clients: ssh server compatible-ssh1x enable. By default, the server supports SSH1 clients. This command is not available in FIPS mode. (SSH1 has known protocol weaknesses; disable SSH1 support unless a legacy client requires it.) Set the RSA server key pair update interval: ssh server rekey-interval hours. By default, the device does not update the RSA server key pair. This command takes effect only...
  • Page 351: Configuring The Device As An Stelnet Client

    The PKI domain specified for the SSH server has the following functions: • The SSH server uses the PKI domain to send its certificate to the client in the key exchange stage. • The SSH server uses the PKI domain to authenticate the client's certificate if no PKI domain is specified for the client authentication by using the ssh user command.
  • Page 352: Establishing A Connection To An Stelnet Server

    Establishing a connection to an Stelnet server When you try to access an Stelnet server, the device must use the server's host public key to authenticate the server. If the server's host public key is not configured on the device, the device will notify you to confirm whether to continue with the access.
  • Page 353 Task / Command / Remarks (continued): ... interface-number ] [ identity-key ... | prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ escape character | publickey keyname | source interface interface-type...
  • Page 354 Task / Command / Remarks (continued): ... domain-name } | prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm...
  • Page 355: Establishing A Connection To An Stelnet Server Based On Suite B

    Establishing a connection to an Stelnet server based on Suite B. Task / Command / Remarks: • Establish a connection to an IPv4 Stelnet server based on Suite B: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | escape character | source { interface interface-type interface-number | ip...
  • Page 356: Establishing A Connection To An Sftp Server

    To specify the source IP address for SFTP packets: Step / Command / Remarks: 1. Enter system view: system-view. 2. Specify the source IPv4 address for SFTP packets: sftp client source { ip ip-address | interface ... By default, the source IP address for SFTP packets is not configured. For IPv4 SFTP packets, the device uses the primary IPv4 address of the interface...
  • Page 357 Task / Command / Remarks: • In non-FIPS mode, establish a connection to an IPv4 SFTP server: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 }...
  • Page 358 Task / Command / Remarks: • In non-FIPS mode, establish a connection to an IPv4 SFTP server: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | ecdsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 |...
  • Page 359: Establishing A Connection To An Sftp Server Based On Suite B

    Task / Command / Remarks (continued): ... dscp dscp-value | public-key keyname | server-pki-domain domain-name | source { interface interface-type interface-number | ipv6 ipv6-address } ] *. • In FIPS mode, establish a connection to an IPv6 SFTP server: sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256...
  • Page 360: Working With Sftp Directories

    Working with SFTP directories. Task / Command / Remarks: Change the working directory on the SFTP server: cd [ remote-path ]. Available in SFTP client view. Return to the upper-level directory: cdup. Available in SFTP client view. Display the current working directory on the SFTP server. Available in SFTP client view.
  • Page 361: Terminating The Connection With The Sftp Server

    Terminating the connection with the SFTP server. Task / Command / Remarks: Terminate the connection with the SFTP server and return to user view: ... / exit / quit. Available in SFTP client view; these three commands have the same function. Configuring the device as an SCP client: This section describes how to configure the device as an SCP client to establish a connection with an SCP server and transfer files with the server.
  • Page 362 Task / Command / Remarks: • In non-FIPS mode, connect to the IPv6 SCP server, and transfer files with this server: scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ... } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 |...
  • Page 363 Task / Command / Remarks (continued): ... vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { ecdsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex dh-group14-sha1...
  • Page 364: Establishing A Connection To An Scp Server Based On Suite B

    Task / Command / Remarks (continued): ... [ { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ipv6 ipv6-address } ] *. Establishing a connection to an SCP server based on Suite B. Task / Command / Remarks: • Establish a connection to an IPv4 SCP server based on Suite B: scp server [ port-number ] [ vpn-instance...
  • Page 365: Specifying Key Exchange Algorithms For Ssh2

    If you specify algorithms, SSH2 uses only the specified algorithms for algorithm negotiation. The client uses the specified algorithms to initiate the negotiation, and the server uses the matching algorithms to negotiate with the client. If multiple algorithms of the same type are specified, the algorithm specified earlier has a higher priority during negotiation.
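The algorithm-negotiation rule above (the client leads with its ordered list, the server answers with what it allows, and the earlier entry in a list has higher priority) and the server-authentication rule on page 352 (the client must check the server's host public key before continuing) are short enough to implement and test directly. The Python below is an added example, not code from this guide or from the switch: it negotiates each algorithm type the way RFC 4253 section 7.1 specifies, shows how a permissive server lets a legacy-first client land on 3DES and HMAC-MD5 while a server whose lists were restricted (the effect of the ssh2 algorithm commands on this page) does not, and performs the saved-key comparison a client must do before trusting a session. The preference lists and the host key blob are constructed for the example.

```python
"""SSH2 algorithm negotiation (RFC 4253 section 7.1) and server host key verification."""
import base64
import hashlib
import hmac

NEGOTIATED_TYPES = ("kex", "hostkey", "cipher", "mac")


def pick(client_list, server_list):
    """The first algorithm in the client's list that the server also lists wins, so the client's
    order decides among whatever the server has been configured to allow."""
    for alg in client_list:
        if alg in server_list:
            return alg
    return None


def negotiate(client_prefs: dict, server_prefs: dict) -> dict:
    chosen = {}
    for t in NEGOTIATED_TYPES:
        alg = pick(client_prefs[t], server_prefs[t])
        if alg is None:
            raise ValueError(f"no common {t} algorithm")   # the connection fails at KEXINIT
        chosen[t] = alg
    return chosen


def fingerprint(pubkey_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of the raw public key blob, for out-of-band comparison."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(pubkey_blob).digest()).decode().rstrip("=")


def verify_host_key(saved_blob, received_blob: bytes) -> str:
    """What the client must do with the server's host key before trusting the session:
    'OK' (matches the saved key), 'UNKNOWN' (nothing saved, the operator is asked whether to
    continue, as in the 'The server is not authenticated. Continue?' prompt), or 'MISMATCH'
    (saved key differs: refuse, this is the man-in-the-middle case)."""
    if saved_blob is None:
        return "UNKNOWN"
    return "OK" if hmac.compare_digest(saved_blob, received_blob) else "MISMATCH"


# Constructed preference lists. The client puts legacy choices first, as old clients often do.
CLIENT = {
    "kex": ["diffie-hellman-group14-sha1", "ecdh-sha2-nistp256"],
    "hostkey": ["ssh-rsa", "ecdsa-sha2-nistp256"],
    "cipher": ["3des-cbc", "aes128-ctr", "aes256-ctr"],
    "mac": ["hmac-md5", "hmac-sha1", "hmac-sha2-256"],
}
# A permissive server: everything the client likes is allowed, so 3DES and MD5 get negotiated.
SERVER_PERMISSIVE = {
    "kex": ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
    "hostkey": ["ecdsa-sha2-nistp256", "ssh-rsa"],
    "cipher": ["aes256-ctr", "aes128-ctr", "3des-cbc"],
    "mac": ["hmac-sha2-256", "hmac-sha1", "hmac-md5"],
}
# The same server after restricting its lists (what the ssh2 algorithm commands achieve).
SERVER_RESTRICTED = {
    "kex": ["ecdh-sha2-nistp256"],
    "hostkey": ["ecdsa-sha2-nistp256"],
    "cipher": ["aes256-ctr", "aes128-ctr"],
    "mac": ["hmac-sha2-256"],
}


if __name__ == "__main__":
    print("permissive server:", negotiate(CLIENT, SERVER_PERMISSIVE))
    print("restricted server:", negotiate(CLIENT, SERVER_RESTRICTED))
```

The server's own ordering never overrides the client's, which is why restricting the server's lists, not reordering them, is the control: with the restricted lists above the same client ends up on ECDH, AES-CTR and HMAC-SHA2-256. For the host key, a "MISMATCH" must stop the login; answering the "not authenticated, continue?" prompt with Y on every connection, as the page's session transcript shows for a first connection, is only acceptable when the key has been checked out of band.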
  • Page 366: Specifying Mac Algorithms For Ssh2

    Step / Command / Remarks (continued): • Non-FIPS mode: ssh2 algorithm cipher { ... | aes256-gcm } *. Specify the encryption algorithms in descending order of priority for algorithm negotiation. • FIPS mode: ssh2 algorithm cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } *. Specifying MAC algorithms for SSH2: Step / Command / Remarks...
  • Page 367: Password Authentication Enabled Stelnet Server Configuration Example

    Password authentication enabled Stelnet server configuration example Network requirements As shown in Figure • You can log in to Switch through the Stelnet client that runs on the host. • After login, you are assigned the user role network-admin for configuration management. •...
  • Page 368 Create the key pair successfully. # Enable the Stelnet server. [Switch] ssh server enable # Assign an IP address to VLAN-interface 2. The Stelnet client uses this IP address as the destination for SSH connection. [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.40 255.255.255.0 [Switch-Vlan-interface2] quit # Set the authentication mode to AAA for the user lines.
  • Page 369: Publickey Authentication Enabled Stelnet Server Configuration Example

    Figure 96 Specifying the host name (or IP address) c. Click Open to connect to the server. If the connection is successfully established, the system notifies you to enter the username and password. After entering the username (client001 in this example) and password (aabbcc in this example), you can enter the CLI of the server.
  • Page 370 Configuration procedure In the server configuration, the client's host public key is required. Use the client software to generate RSA key pairs on the client before configuring the Stelnet server. There are different types of Stelnet client software, such as PuTTY and OpenSSH. This example uses an Stelnet client that runs PuTTY version 0.58.
  • Page 371 Figure 99 Generating process c. After the key pair is generated, click Save public key to save the public key. A file saving window appears. d. Enter a file name (key.pub in this example), and click Save. Figure 100 Saving a key pair on the client...
  • Page 372 e. On the page as shown in Figure 100, click Save private key to save the private key. A confirmation dialog box appears. f. Click Yes. A file saving window appears. g. Enter a file name (private.ppk in this example), and click Save. h.
  • Page 373 # Import the client's public key from file key.pub and name it switchkey. [Switch] public-key peer switchkey import sshkey key.pub # Create an SSH user client002. Specify the authentication method as publickey for the user. Assign the public key switchkey to the user. [Switch] ssh user client002 service-type stelnet authentication-type publickey assign publickey switchkey # Create a local device management user client002.
  • Page 374 Figure 102 Specifying the preferred SSH version e. Select Connection > SSH > Auth from the navigation tree. The window shown in Figure 103 appears. f. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this example), and click OK.
  • Page 375: Password Authentication Enabled Stelnet Client Configuration Example

    g. Click Open to connect to the server. If the connection is successfully established, the system notifies you to enter the username. After entering the username (client002), you can enter the CLI of the server. Password authentication enabled Stelnet client configuration example Network requirements As shown in...
  • Page 376 # Generate an ECDSA key pair. [SwitchB] public-key local create ecdsa secp256r1 Generating Keys... Create the key pair successfully. # Enable the Stelnet server. [SwitchB] ssh server enable # Assign an IP address to VLAN-interface 2. The Stelnet client uses the address as the destination address of the SSH connection.
  • Page 377 [SwitchA-pkey-public-key-key1]DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B 6FD60FE01941DDD77FE6B12893DA76E [SwitchA-pkey-public-key-key1]EBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B 68950387811C7DA33021500C773218C [SwitchA-pkey-public-key-key1]737EC8EE993B4F2DED30F48EDACE915F0281810082269009 14EC474BAF2932E69D3B1F18517AD95 [SwitchA-pkey-public-key-key1]94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D0 492B3959EC6499625BC4FA5082E22C5 [SwitchA-pkey-public-key-key1]B374E16DD00132CE71B020217091AC717B612391C76C1FB2 88317C1BD8171D41ECB83E210C03CC9 [SwitchA-pkey-public-key-key1]B32E810561C21621C73D6DAAC028F4B1585DA7F42519718C 9B09EEF0381840002818000AF995917 [SwitchA-pkey-public-key-key1]E1E570A3F6B1C2411948B3B4FFA256699B3BF871221CC9C5 F257523777D033BEE77FC378145F2AD [SwitchA-pkey-public-key-key1]D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F7 01F7C62621216D5A572C379A32AC290 [SwitchA-pkey-public-key-key1]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465 8716261214A5A3B493E866991113B2D [SwitchA-pkey-public-key-key1]485348 [SwitchA-pkey-public-key-key1] peer-public-key end [SwitchA] quit # Establish an SSH connection to the server, and specify the host public key of the server. <SwitchA>...
  • Page 378: Publickey Authentication Enabled Stelnet Client Configuration Example

    Username: client001 Press CTRL+C to abort. Connecting to 192.168.1.40 port 22. The server is not authenticated. Continue? [Y/N]:y Do you want to save the server public key? [Y/N]:y client001@192.168.1.40's password: Enter a character ~ and a dot to abort. ****************************************************************************** * Copyright (c) 2010-2016 Hewlett Packard Enterprise Development LP * Without the owner's prior written consent, * no decompiling or reverse-engineering shall be allowed.
  • Page 379 If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys..++++++++++++++++++++++++++++++++++++++++++++++++++* ..+..+..+........+ ...+....+..+...+ Create the key pair successfully. # Export the DSA host public key to file key.pub. [SwitchA] public-key local export dsa ssh2 key.pub [SwitchA] quit # Transmit the public key file key.pub to the server through FTP or TFTP.
  • Page 380: Stelnet Configuration Example Based On 128-Bit Suite B Algorithms

    [SwitchB-Vlan-interface2] quit # Set the authentication mode to AAA for the user lines. [SwitchB] line vty 0 63 [SwitchB-line-vty0-63] authentication-mode scheme [SwitchB-line-vty0-63] quit # Import the peer public key from the file key.pub, and name it switchkey. [SwitchB] public-key peer switchkey import sshkey key.pub # Create an SSH user client002.
  • Page 381 NOTE: You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as an Stelnet client. # Upload the server's certificate file ssh-server-ecdsa256.p12 and the client's certificate file ssh-client-ecdsa256.p12 to the Stelnet client through FTP or TFTP. (Details not shown.) # Create a PKI domain named server256 for verifying the server's certificate and enter its view.
  • Page 382 Subject: C=CN, ST=BJ, O=AA, OU=Software, CN=SSH Server secp256 Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: (key bytes omitted) ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 08:C1:F1:AA:97:45:19:6A:DA:4A:F2:87:A1:1A:E8:30:BD:31:30:D7 X509v3 Authority Key Identifier:...
  • Page 383 Validity Not Before: Aug 21 08:41:09 2015 GMT Not After : Aug 20 08:41:09 2016 GMT Subject: C=CN, ST=BJ, O=AA, OU=Software, CN=SSH Client secp256 Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: (key bytes omitted) ASN1 OID: prime256v1 NIST CURVE: P-256...
  • Page 384: Sftp Configuration Examples

    [SwitchB] ssh2 algorithm public-key x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 # Specify server256 as the PKI domain of the server's certificate. [SwitchB] ssh server pki-domain server256 # Enable the Stelnet server. [SwitchB] ssh server enable # Assign an IP address to VLAN-interface 2. [SwitchB] interface vlan-interface 2 [SwitchB-Vlan-interface2] ip address 192.168.1.40 255.255.255.0 [SwitchB-Vlan-interface2] quit # Set the authentication mode to AAA for user lines.
  • Page 385: Password Authentication Enabled Sftp Server Configuration Example

    • When the device acts as the SFTP server, it supports only ECDSA and RSA key pairs. If both ECDSA and RSA key pairs exist on the server, the server uses the ECDSA key pair. Password authentication enabled SFTP server configuration example Network requirements As shown in...
  • Page 386 [Switch] public-key local create ecdsa secp256r1 Generating Keys... Create the key pair successfully. # Enable the SFTP server. [Switch] sftp server enable # Assign an IP address to VLAN-interface 2. The SFTP client uses the address as the destination for SSH connection. [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.45 255.255.255.0 [Switch-Vlan-interface2] quit...
  • Page 387: Publickey Authentication Enabled Sftp Client Configuration Example

    Figure 108 SFTP client interface Publickey authentication enabled SFTP client configuration example Network requirements As shown in Figure 109: • You can log in to Switch B through the SFTP client that runs on Switch A. • After login, you are assigned the user role network-admin to execute file management and transfer operations.
  • Page 388 [SwitchA] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys...
  • Page 389 # Assign an IP address to VLAN-interface 2. The SFTP client uses the address as the destination for SSH connection. [SwitchB] interface vlan-interface 2 [SwitchB-Vlan-interface2] ip address 192.168.0.1 255.255.255.0 [SwitchB-Vlan-interface2] quit # Import the peer public key from the file pubkey, and name it switchkey. [SwitchB] public-key peer switchkey import sshkey pubkey # Create an SSH user client001.
  • Page 390: Sftp Configuration Example Based On 192-Bit Suite B Algorithms

    -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06:30 new1 # Rename directory new1 to new2 and verify the result.
  • Page 391 NOTE: You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as an SFTP client. # Upload the server's certificate file ssh-server-ecdsa384.p12 and the client's certificate file ssh-client-ecdsa384.p12 to the SFTP client through FTP or TFTP. (Details not shown.) # Create a PKI domain named server384 for verifying the server's certificate and enter its view.
  • Page 392 Public-Key: (384 bit) pub: (key bytes omitted) ASN1 OID: secp384r1 NIST CURVE: P-384 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 10:16:64:2C:DA:C1:D1:29:CD:C0:74:40:A9:70:BD:62:8A:BB:F4:D5 X509v3 Authority Key Identifier: keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22 Signature Algorithm: ecdsa-with-SHA384 (signature bytes omitted)...
  • Page 393 Not Before: Aug 20 10:10:59 2015 GMT Not After : Aug 19 10:10:59 2016 GMT Subject: C=CN, ST=BJ, O=AA, OU=Software, CN=ssh client Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit) pub: (key bytes omitted) ASN1 OID: secp384r1 NIST CURVE: P-384...
  • Page 394: Scp Configuration Examples

    [SwitchB] ssh2 algorithm public-key x509v3-ecdsa-sha2-nistp384 # Specify server384 as the PKI domain of the server's certificate. [SwitchB] ssh server pki-domain server384 # Enable the SFTP server. [SwitchB] sftp server enable # Assign an IP address to VLAN-interface 2. [SwitchB] interface vlan-interface 2 [SwitchB-Vlan-interface2] ip address 192.168.0.1 255.255.255.0 [SwitchB-Vlan-interface2] quit # Set the authentication mode to AAA for user lines.
  • Page 395 • After login, you are assigned the user role network-admin and can securely transfer files with Switch B. • Switch B uses the password authentication method. • The client's username and password are saved on Switch B. Figure 111 Network diagram SCP client SCP server Vlan-int2...
  • Page 396: Scp Configuration Example Based On Suite B Algorithms

    [SwitchB-Vlan-interface2] quit # Create a local device management user client001. [SwitchB] local-user client001 class manage # Specify the plaintext password as aabbcc and the service type as ssh for the user. [SwitchB-luser-manage-client001] password simple aabbcc [SwitchB-luser-manage-client001] service-type ssh # Assign the user role network-admin to the user. [SwitchB-luser-manage-client001] authorization-attribute user-role network-admin [SwitchB-luser-manage-client001] quit # Configure an SSH user client001.
  • Page 397 NOTE: You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as an SCP client. # Upload the server's certificate files (ssh-server-ecdsa256.p12 and ssh-server-ecdsa384.p12) and the client's certificate files (ssh-client-ecdsa256.p12 and ssh-client-ecdsa384.p12) to the SCP client through FTP or TFTP.
  • Page 398 Public-Key: (256 bit) pub: (key bytes omitted) ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 08:C1:F1:AA:97:45:19:6A:DA:4A:F2:87:A1:1A:E8:30:BD:31:30:D7 X509v3 Authority Key Identifier: keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22 Signature Algorithm: ecdsa-with-SHA256 (signature bytes omitted)...
  • Page 399 Subject: C=CN, ST=BJ, O=AA, OU=Software, CN=SSH Client secp256 Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: (key bytes omitted) ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 1A:61:60:4D:76:40:B8:BA:5D:A1:3C:60:BC:57:98:35:20:79:80:FC X509v3 Authority Key Identifier:...
  • Page 400 Issuer: C=CN, ST=BJ, L=BJ, O=AA, OU=Software, CN=SuiteB CA Validity Not Before: Aug 20 10:08:41 2015 GMT Not After : Aug 19 10:08:41 2016 GMT Subject: C=CN, ST=BJ, O=AA, OU=Software, CN=ssh server Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit) pub: (key bytes omitted)...
  • Page 401 Certificate: Data: Version: 3 (0x2) Serial Number: 2 (0x2) Signature Algorithm: ecdsa-with-SHA384 Issuer: C=CN, ST=BJ, L=BJ, O=AA, OU=Software, CN=SuiteB CA Validity Not Before: Aug 20 10:10:59 2015 GMT Not After : Aug 19 10:10:59 2016 GMT Subject: C=CN, ST=BJ, O=AA, OU=Software, CN=ssh client Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit)
  • Page 402 # Create a PKI domain named client256 for verifying the client's certificate ecdsa256 and import the file of this certificate to this domain. Create a PKI domain named server256 for the server's certificate ecdsa256 and import the file of this certificate to this domain. (Details not shown.) # Create a PKI domain named client384 for verifying the client's certificate ecdsa384 and import the file of this certificate to this domain.
  • Page 403: Netconf Over Ssh Configuration Example With Password Authentication

    Username: client001 Press CTRL+C to abort. Connecting to 192.168.0.1 port 22. src.cfg 100% 4814 4.7KB/s 00:00 <SwitchA> Based on the 192-bit Suite B algorithms: # Specify server384 as the PKI domain of the server's certificate. [SwitchB] ssh server pki-domain server384 # Create an SSH user named client002.
  • Page 404: Configuration Procedure

    Figure 113 Network diagram (NETCONF-over-SSH client: Host, 192.168.1.56/24; NETCONF-over-SSH server: Switch, Vlan-int2, 192.168.1.40/24) Configuration procedure # Generate RSA key pairs. <Switch> system-view [Switch] public-key local create rsa The range of public key size is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 405: Verifying The Configuration

    [Switch-line-vty0-63] authentication-mode scheme [Switch-line-vty0-63] quit # Create a local device management user client001. [Switch] local-user client001 class manage # Specify the plaintext password as aabbcc and the service type as ssh for the user. [Switch-luser-manage-client001] password simple aabbcc [Switch-luser-manage-client001] service-type ssh # Assign the user role network-admin to the user.
  • Page 406: Configuring Ssl

    Configuring SSL Overview Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security for TCP-based application layer protocols such as HTTP. SSL has been widely used in applications such as e-business and online banking to provide secure data transmission over the Internet. SSL security services SSL provides the following security services: •...
  • Page 407: Fips Compliance

    Figure 115 SSL protocol stack Application layer protocol (e.g. HTTP) SSL handshake protocol SSL change cipher spec protocol SSL alert protocol SSL record protocol The following describes the major functions of SSL protocols: • SSL record protocol—Fragments data received from the upper layer, computes and adds MAC to the data, and encrypts the data.
  • Page 408 Step Command Remarks Enter system view. system-view (Optional.) Disable specific ... In Release 1111: ssl version ssl3.0 disable. In Release 1111, SSL 3.0 is enabled on the device by default. In Release 1121 and later: ... In Release 1121 and later, the default setting is as follows: ...
  • Page 409 Step Command Remarks dhe_rsa_aes_128_cbc_sha dhe_rsa_aes_256_cbc_sha dhe_rsa_aes_256_cbc_sha ecdhe_ecdsa_aes_128_cbc_sha256 ecdhe_ecdsa_aes_128_gcm_sha256 ecdhe_ecdsa_aes_256_cbc_sha384 ecdhe_ecdsa_aes_256_gcm_sha384 ecdhe_rsa_aes_128_cbc_sha256 ecdhe_rsa_aes_128_gcm_sha256 ecdhe_rsa_aes_256_cbc_sha384 ecdhe_rsa_aes_256_gcm_sha384 exp_rsa_des_cbc_sha exp_rsa_rc2_md5 exp_rsa_rc4_md5 rsa_3des_ede_cbc_sha rsa_aes_128_cbc_sha rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha rsa_aes_256_cbc_sha256 | rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha } * • FIPS mode: ciphersuite { ecdhe_ecdsa_aes_128_cbc_sha256...
  • Page 410: Configuring An Ssl Client Policy

    Configuring an SSL client policy An SSL client policy is a set of SSL parameters that the client uses to establish a connection to the server. An SSL client policy takes effect only after it is associated with an application such as DDNS. In Release 1111, you can specify the SSL 3.0 or TLS 1.0 for an SSL client policy: •...
  • Page 411 Step Command Remarks prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha } In Release 1121 and later: • non-FIPS mode: prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_128_cbc_sha256 | dhe_rsa_aes_256_cbc_sha | dhe_rsa_aes_256_cbc_sha256 | ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_cbc_sha384...
  • Page 412: Displaying And Maintaining Ssl

    Step Command Remarks rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha | rsa_aes_256_cbc_sha256 Specify the protocol version for the SSL client policy. In Release 1111: • non-FIPS mode: version { ssl3.0 | tls1.0 } • FIPS mode: version tls1.0 By default, an SSL client policy uses TLS 1.0. In Release 1121 and later: To ensure security, do not •...
  • Page 413: Configuring Ip Source Guard

    Configuring IP source guard Overview IP source guard (IPSG) prevents spoofing attacks by using an IPSG binding table to match legitimate packets. It drops packets that do not match the table. IPSG is a per-interface packet filter. Configuring the feature on one interface does not affect packet forwarding on another interface. The IPSG binding table can include global and interface-specific bindings.
  • Page 414: Dynamic Ipsg Bindings

    • Global static binding—Binds the IP address and MAC address in system view. The binding takes effect on all interfaces to filter packets for user spoofing attack prevention. • Interface-specific static binding—Binds the IP address, MAC address, VLAN, or any combination of the items in interface view.
  • Page 415: Configuring The Ipv4Sg Feature

    Tasks at a glance (Optional.) Configuring a static IPv6SG binding Configuring the IPv4SG feature You cannot configure the IPv4SG feature on a service loopback interface. If IPv4SG is enabled on an interface, you cannot assign the interface to a service loopback group. Enabling IPv4SG on an interface When you enable IPSG on an interface, the static and dynamic IPSG are both enabled.
  • Page 416: Configuring The Ipv6Sg Feature

    Step Command Remarks ... static IPv4SG binding. ... mac-address mac-address ... binding exists. Configuring a static IPv4SG binding on an interface Step Command Remarks Enter system view. system-view Enter interface view. interface interface-type interface-number The following interface types are supported: • Layer 2 Ethernet interface. •...
  • Page 417: Configuring A Static Ipv6Sg Binding

    Step Command Remarks • Layer 3 aggregate interface. Enable the IPv6SG feature. ipv6 verify source { ip-address | ip-address mac-address | mac-address } By default, the IPv6SG feature is disabled on an interface. If you configure this command on an interface multiple times, the most recent configuration takes effect.
  • Page 418: Displaying And Maintaining Ipsg

    Displaying and maintaining IPSG Execute display commands in any view and reset commands in user view. Task Command display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcp-relay | dhcp-server | dhcp-snooping ] ] [ ip-address ip-address ] Display IPv4SG bindings.
  • Page 419: Dynamic Ipv4Sg Using Dhcp Snooping Configuration Example

    [SwitchA-GigabitEthernet1/0/2] ip source binding ip-address 192.168.0.3 mac-address 0001-0203-0405 [SwitchA-GigabitEthernet1/0/2] quit # Enable IPv4SG on GigabitEthernet 1/0/1. [SwitchA] interface gigabitethernet 1/0/1 [SwitchA-GigabitEthernet1/0/1] ip verify source ip-address mac-address # On GigabitEthernet 1/0/1, configure a static IPv4SG binding for Host A. [SwitchA-GigabitEthernet1/0/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406 [SwitchA-GigabitEthernet1/0/1] quit Configure Switch B:...
  • Page 420: Dynamic Ipv4Sg Using Dhcp Relay Agent Configuration Example

    • Enable DHCP snooping on the switch to make sure the DHCP client obtains an IP address from the authorized DHCP server. To generate a DHCP snooping entry for the DHCP client, enable recording of client information in DHCP snooping entries. •...
  • Page 421: Static Ipv6Sg Configuration Example

    Enable dynamic IPv4SG on VLAN-interface 100 to filter incoming packets by using the IPv4SG bindings generated based on DHCP relay entries. Figure 119 Network diagram DHCP client DHCP relay agent DHCP server Vlan-int200 Vlan-int100 Host Switch 10.1.1.1/24 MAC: 0001-0203-0406 Configuration procedure Configure dynamic IPv4SG: # Configure IP addresses for the interfaces.
  • Page 422: Dynamic Ipv6Sg Using Dhcpv6 Snooping Configuration Example

    Figure 120 Network diagram GE1/0/1 Internet Switch Host IP: 2001::1 MAC: 0001-0202-0202 Configuration procedure # Enable IPv6SG on GigabitEthernet 1/0/1. <Switch> system-view [Switch] interface gigabitethernet 1/0/1 [Switch-GigabitEthernet1/0/1] ipv6 verify source ip-address mac-address # On GigabitEthernet 1/0/1, configure a static IPv6SG binding for the host. [Switch-GigabitEthernet1/0/1] ipv6 source binding ip-address 2001::1 mac-address 0001-0202-0202 [Switch-GigabitEthernet1/0/1] quit...
  • Page 423 # Configure the interface connecting to the DHCP server as a trusted interface. [Switch] interface gigabitethernet 1/0/2 [Switch-GigabitEthernet1/0/2] ipv6 dhcp snooping trust [Switch-GigabitEthernet1/0/2] quit Enable IPv6SG: # Enable IPv6SG on GigabitEthernet 1/0/1 and verify the source IP address and MAC address for dynamic IPv6SG.
  • Page 424: Configuring Arp Attack Protection

    Configuring ARP attack protection ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks. Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
  • Page 425: Configuring Arp Source Suppression

    • ARP blackhole routing—Creates a blackhole route destined for an unresolved IP address. The device drops all matching packets until the blackhole route is deleted. A blackhole route is deleted when its aging timer (25 seconds) is reached or the route becomes reachable. After a blackhole route is created for an unresolved IP address, the device immediately starts the first ARP blackhole route probe by sending an ARP request.
  • Page 426: Configuration Example

    Configuration example Network requirements As shown in Figure 122, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20. Each area connects to the gateway (Device) through an access switch. A large number of ARP requests are detected in the office area and are considered as the consequence of an unresolvable IP attack.
  • Page 427: Configuration Guidelines

    Configuration guidelines Configure this feature when MFF, ARP attack detection, or ARP snooping is enabled, or when ARP flood attacks are detected. Configuration procedure This task sets a rate limit for ARP packets received on an interface. When the number of ARP packets that the interface receives within a period exceeds the rate limit, those packets are discarded.
  • Page 428: Configuration Procedure

    an ARP attack entry. Before the entry is aged out, the device handles the attack by using either of the following methods: • Monitor—Only generates log messages. • Filter—Generates log messages and filters out subsequent ARP packets from that MAC address.
  • Page 429: Configuring Arp Packet Source Mac Consistency Check

    Figure 123 Network diagram IP network ARP attack protection Gateway Device Server 0012-3f86-e94c Host A Host B Host C Host D Configuration considerations An attacker might forge a large number of ARP packets by using the MAC address of a valid host as the source MAC address.
  • Page 430: Configuring Arp Active Acknowledgement

    Step Command Remarks Enter system view. system-view Enable ARP packet source MAC address consistency check. arp valid-check enable By default, ARP packet source MAC address consistency check is disabled. Configuring ARP active acknowledgement Configure this feature on gateways to prevent user spoofing. ARP active acknowledgement prevents a gateway from generating incorrect ARP entries. In strict mode, a gateway performs more strict validity checks before creating an ARP entry: •...
  • Page 431: Configuration Example (On A Dhcp Server)

    Step Command Remarks Enable authorized ARP on the interface. arp authorized enable By default, authorized ARP is disabled. Configuration example (on a DHCP server) Network requirements As shown in Figure 124, configure authorized ARP on GigabitEthernet 1/0/1 of Switch A (a DHCP server) to ensure user validity.
  • Page 432: Configuration Example (On A Dhcp Relay Agent)

    The output shows that IP address 10.1.1.2 has been assigned to Switch B. Switch B must use the IP address and MAC address in the authorized ARP entry to communicate with Switch A. Otherwise, the communication fails. Thus user validity is ensured. Configuration example (on a DHCP relay agent) Network requirements As shown in...
  • Page 433: Configuring Arp Attack Detection

    # Enable DHCP relay agent on GigabitEthernet 1/0/2. [SwitchB-GigabitEthernet1/0/2] dhcp select relay # Add the DHCP server 10.1.1.1 to DHCP server group 1. [SwitchB-GigabitEthernet1/0/2] dhcp relay server-address 10.1.1.1 # Enable authorized ARP. [SwitchB-GigabitEthernet1/0/2] arp authorized enable [SwitchB-GigabitEthernet1/0/2] quit # Enable recording of relay entries on the relay agent. [SwitchB] dhcp relay client-information record Configure Switch C: <SwitchC>...
  • Page 434: Configuring Arp Packet Validity Check

    If a match is found, the ARP packet is considered valid and is forwarded. If no match is found, the ARP packet is considered invalid and is discarded. Static IP source guard bindings are created by using the ip source binding command. For more information, see "Configuring IP source guard."...
  • Page 435: Configuring Arp Restricted Forwarding

    Step Command Remarks Enter VLAN view. vlan vlan-id Enable ARP attack detection. arp detection enable By default, ARP attack detection is disabled. Return to system view. quit Enable ARP packet validity check and specify the objects to be checked. arp detection validate { dst-mac | ip | src-mac } By default, ARP packet validity check is disabled.
  • Page 436: Displaying And Maintaining Arp Attack Detection

    The following is an example of an ARP attack detection log message: Detected an inspection occurred on interface GigabitEthernet1/0/1 with IP address 172.18.48.55 (Total 10 packets dropped). To enable ARP attack detection logging: Step Command Remarks Enter system view. system-view Enable attack By default, ARP attack detection...
  • Page 437: Arp Restricted Forwarding Configuration Example

    Configuration procedure Add all interfaces on Switch B to VLAN 10, and specify the IP address of VLAN-interface 10 on Switch A. (Details not shown.) Configure the DHCP server on Switch A, and configure DHCP address pool 0. <SwitchA> system-view [SwitchA] dhcp enable [SwitchA] dhcp server ip-pool 0 [SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0...
  • Page 438 Figure 127 Network diagram Gateway DHCP server Switch A GE1/0/3 Vlan-int10 10.1.1.1/24 VLAN 10 DHCP snooping GE1/0/3 Switch B GE1/0/1 GE1/0/2 Host A Host B 10.1.1.6 DHCP client 0001-0203-0607 Configuration procedure Configure VLAN 10, add interfaces to VLAN 10, and specify the IP address of the VLAN interface.
  • Page 439: Configuring Arp Scanning And Fixed Arp

    # Configure port isolation. [SwitchB] port-isolate group 1 [SwitchB] interface gigabitethernet 1/0/1 [SwitchB-GigabitEthernet1/0/1] port-isolate enable group 1 [SwitchB-GigabitEthernet1/0/1] quit [SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] port-isolate enable group 1 [SwitchB-GigabitEthernet1/0/2] quit After the configurations are completed, Switch B first checks the validity of ARP packets received on interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
  • Page 440: Configuration Procedure

    Configuration procedure To configure ARP scanning and fixed ARP: Step Command Enter system view. system-view Enter Layer 3 Ethernet interface/VLAN interface/Layer 3 aggregate interface view. interface interface-type interface-number Trigger an ARP scanning. arp scan [ start-ip-address to end-ip-address ] Return to system view. quit Enable fixed ARP.
  • Page 441: Configuration Example

    Configuration example Network requirements As shown in Figure 128, Host B launches gateway spoofing attacks to Switch B. As a result, traffic that Switch B intends to send to Switch A is sent to Host B. Configure Switch B to block such attacks. Figure 128 Network diagram Gateway Switch A...
  • Page 442: Configuration Procedure

    • If ARP filtering works with ARP attack detection, MFF, and ARP snooping, ARP filtering applies first. Configuration procedure To configure ARP filtering: Step Command Remarks Enter system view. system-view Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view. interface interface-type interface-number N/A.
  • Page 443 Verifying the configuration # Verify that GigabitEthernet 1/0/1 permits ARP packets from Host A and discards other ARP packets. # Verify that GigabitEthernet 1/0/2 permits ARP packets from Host B and discards other ARP packets.
  • Page 444: Configuring Mff

    Configuring MFF Overview MAC-forced forwarding (MFF) implements Layer 2 isolation and Layer 3 communication between hosts in the same broadcast domain. An MFF enabled device intercepts ARP requests and returns the MAC address of a gateway (or server) to the senders. In this way, the senders are forced to send packets to the gateway for traffic monitoring and attack prevention.
  • Page 445: Basic Concepts

    Basic concepts An MFF-enabled device has two types of ports: user port and network port. User port An MFF user port is directly connected to a host and processes the following packets differently: • Allows multicast packets to pass. • Delivers ARP packets to the CPU.
  • Page 446: Mff Working Mechanism

    MFF working mechanism An MFF-enabled device implements Layer 3 communication between hosts by intercepting ARP requests from the hosts and replying with the MAC address of a gateway. This mechanism helps reduce the number of broadcast messages. The MFF device processes ARP packets as follows: •...
  • Page 447: Enabling Periodic Gateway Probe

    Enabling periodic gateway probe You can configure the MFF device to detect gateways every 30 seconds for the change of MAC addresses by sending forged ARP packets. The ARP packets use 0.0.0.0 as the sender IP address and bridge MAC address as the sender MAC address. This feature is supported by MFF manual mode.
  • Page 448: Mff Configuration Examples

    Task Command Display the MFF configuration information for a VLAN. display mac-forced-forwarding vlan vlan-id MFF configuration examples Manual-mode MFF configuration example in a tree network Network requirements As shown in Figure 131, all the devices are in VLAN 100. Hosts A, B, and C are assigned IP addresses manually.
  • Page 449: Manual-Mode Mff Configuration Example In A Ring Network

    [SwitchB-vlan100] mac-forced-forwarding server 10.1.1.200 # Enable ARP snooping on VLAN 100. [SwitchB-vlan100] arp snooping enable [SwitchB-vlan100] quit # Configure GigabitEthernet 1/0/6 as a network port. [SwitchB] interface gigabitethernet 1/0/6 [SwitchB-GigabitEthernet1/0/6] mac-forced-forwarding network-port Manual-mode MFF configuration example in a ring network Network requirements As shown in Figure...
  • Page 450 [SwitchA] interface gigabitethernet 1/0/3 [SwitchA-GigabitEthernet1/0/3] mac-forced-forwarding network-port Configure Switch B: # Enable STP globally to make sure STP is enabled on interfaces. [SwitchB] stp global enable # Configure manual-mode MFF on VLAN 100. [SwitchB] vlan 100 [SwitchB-vlan100] mac-forced-forwarding default-gateway 10.1.1.100 # Specify the IP address of the server.
  • Page 451: Configuring Urpf

    Configuring uRPF Overview Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.
  • Page 452 Figure 134 uRPF work flow (flowchart of the checks applied to a received packet, in order: broadcast source address?; all-zero source address?; broadcast destination address?; matching FIB entry found?; default route found?; loose uRPF?; matching route is a direct route?; receiving interface matches the output interface of the default route?; with a "Discards the packet" outcome)...
  • Page 453 • If yes, uRPF proceeds to step 3. • If no, uRPF proceeds to step 6. uRPF checks whether the check mode is loose: • If yes, uRPF proceeds to step 8. • If no, uRPF checks whether the matching route is a direct route: •...
  • Page 454: Network Application

    Network application Figure 135 Network diagram ISP B uRPF (loose) ISP A ISP C uRPF (strict) User As shown in Figure 135, strict uRPF check is configured between an ISP network and a customer network. Loose uRPF check is configured between ISPs. Enabling uRPF When you enable uRPF, follow these restrictions and guidelines: •...
  • Page 455: Urpf Configuration Example

    Task Command display ip urpf [ slot slot-number ] Display uRPF configuration. uRPF configuration example Network requirements As shown in Figure 136, a client (Switch A) directly connects to an ISP switch (Switch B). Enable strict uRPF check on Switch A and Switch B to prevent source address spoofing attacks. Figure 136 Network diagram Vlan-int10 Vlan-int10...
  • Page 456: Configuring Crypto Engines

    Configuring crypto engines Overview Crypto engines encrypt and decrypt data for service modules. Crypto engines include the following types: • Hardware crypto engines—A hardware crypto engine is a coprocessor integrated on a CPU or hardware crypto card. Hardware crypto engines can accelerate encryption/decryption speed, which improves device processing efficiency.
  • Page 457: Configuring Fips

    Configuring FIPS

    Overview

    Federal Information Processing Standards (FIPS) was developed by the National Institute of Standards and Technology (NIST) of the United States. FIPS specifies the requirements for cryptographic modules. FIPS 140-2 defines four levels of security, named Level 1 to Level 4, from low to high.
  • Page 458: Configuring Fips Mode

    e. Delete the local user and configure a new local user. Local user attributes include password, user role, and service type.
    f. Save the current configuration file.
    g. Specify the current configuration file as the startup configuration file.
    h. Reboot the device. The new configuration takes effect after the reboot. During this process, do not exit the system or perform other operations.
  • Page 459: Configuration Changes In Fips Mode

    • A password that complies with the password control policies in step and step 3.
    • A user role of network-admin.
    • A service type of terminal.
    Delete the FIPS-incompliant local user service types Telnet, HTTP, and FTP.
    Enable FIPS mode. Select the manual reboot method.
  • Page 460: Exiting Fips Mode

    characters and 4 character types of uppercase and lowercase letters, digits, and special characters.

    Exiting FIPS mode

    After you disable FIPS mode and reboot the device, the device operates in non-FIPS mode. The system provides two methods to exit FIPS mode: automatic reboot and manual reboot.

    Automatic reboot

    Select the automatic reboot method.
  • Page 461: Power-Up Self-Tests

    NOTE: If a self-test fails, contact Hewlett Packard Enterprise Support.

    Power-up self-tests

    The power-up self-test examines the availability of FIPS-allowed cryptographic algorithms. The device supports the following types of power-up self-tests:
    • Known-answer test (KAT)
    A cryptographic algorithm is run on data for which the correct output is already known. The calculated output is compared with the known answer.
  • Page 462: Triggering Self-Tests

    • Signature and authentication PWCT test—This test is run when a DSA/RSA asymmetrical key pair is generated. It uses the private key to sign the specific data, and then uses the public key to authenticate the signed data. If the authentication is successful, the test succeeds. •...
  • Page 463: Entering Fips Mode Through Manual Reboot

    Confirm password:
    Waiting for reboot... After reboot, the device will enter FIPS mode.

    Verifying the configuration

    After the device reboots, enter a username of root and a password of 12345zxcvb!@#$%ZXCVB. The system prompts you to configure a new password. After you configure the new password, the device enters FIPS mode.
  • Page 464
    # Set the number of character types a password must contain to 4, and set the minimum number of characters for each type to one character.
    [Sysname] password-control composition type-number 4 type-length 1
    # Set the minimum length of user passwords to 15 characters.
    [Sysname] password-control length 15
    # Add a local user account for device management, including a username of test, a password of 12345zxcvb!@#$%ZXCVB, a user role of network-admin, and a service type of terminal.
  • Page 465: Exiting Fips Mode Through Automatic Reboot

    Updating user information. Please wait...
    <Sysname>
    # Display the current FIPS mode state.
    <Sysname> display fips status
    FIPS mode is enabled.

    Exiting FIPS mode through automatic reboot

    Network requirements

    A user has logged in to the device in FIPS mode through a console port. Use the automatic reboot method to exit FIPS mode.
  • Page 466
    [Sysname] save
    The current configuration will be written to the device. Are you sure? [Y/N]:y
    Please input the file name(*.cfg)[flash:/startup.cfg]
    (To leave the existing filename unchanged, press the enter key):
    flash:/startup.cfg exists, overwrite? [Y/N]:y
    Validating file. Please wait...
    Saved the current configuration to device successfully.
    [Sysname] quit
    # Delete the startup configuration file in binary format.
  • Page 467: Configuring User Profiles

    Configuring user profiles

    Overview

    A user profile saves a set of predefined parameters, such as a QoS policy. The user profile application allows flexible traffic policing on a per-user basis. Each time a user passes authentication, the device automatically applies the parameters in the user profile to this user.
  • Page 468: Configuring Parameters For A User Profile

    Configuring parameters for a user profile

    Configurations in user profile view take effect only after the device applies the user profile to the user.

    Configuring QoS parameters for traffic management

    To configure QoS parameters:
    Step Command Remarks
    Enter system view. system-view
    Enter user profile view.
  • Page 469
    Figure 137 Network diagram (Switch connected to the Internet through GE1/0/1; User A, User B, and User C in domain user)

    Configuration procedure

    Configure a QoS policy to control the access time for User A:
    # Create periodic time range for_usera, setting it to be active from 8:30 to 12:00 daily.
    [Switch] time-range for_usera 8:30 to 12:00 daily
    # Configure IPv4 basic ACL 2000 to identify packets in time range for_usera.
  • Page 470
    # Create traffic behavior for_userb, and configure a CAR action in traffic behavior database. Set the CIR to 2000 kbps.
    [Switch] traffic behavior for_userb
    [Switch-behavior-for_userb] car cir 2000
    [Switch-behavior-for_userb] quit
    # Create QoS policy for_userb, and associate traffic class class with traffic behavior for_userb.
  • Page 471
    # Set the password of local user userb to b12345 in plain text.
    [Switch-luser-network-userb] password simple b12345
    # Specify the service type as lan-access for userb.
    [Switch-luser-network-userb] service-type lan-access
    # Configure the authorization user profile as userb.
    [Switch-luser-network-userb] authorization-attribute user-profile userb
    [Switch-luser-network-userb] quit
    # Add local user userc.
  • Page 472
    Network attributes:
      Interface    : GigabitEthernet1/0/1
      MAC address  : 6805-ca06-557b
      Service VLAN : 1
    User-Profile: userb
    Inbound:
      Policy: for_userb
      slot 1:
    User -:
    Authentication type: 802.1X
    Network attributes:
      Interface    : GigabitEthernet1/0/1
      MAC address  : 80c1-6ee0-2664
      Service VLAN : 1
    User-Profile: userc
    Outbound:
      Policy: for_userc
      slot 1:...
  • Page 473: Configuring Attack Detection And Prevention

    Configuring attack detection and prevention

    Overview

    Attack detection and prevention enables a device to detect attacks by inspecting arriving packets, and to take prevention actions, such as packet dropping, to protect a private network. The device supports only TCP fragment attack prevention.

    Configuring TCP fragment attack prevention

    The TCP fragment attack prevention feature enables the device to drop attack TCP fragments to prevent TCP fragment attacks that traditional packet filters cannot detect.
  • Page 474: Configuring Macsec

    Configuring MACsec

    Overview

    Media Access Control Security (MACsec) secures data communication on IEEE 802 LANs. MACsec provides services such as data encryption, frame integrity check, and data origin validation for frames on the MAC sublayer of the Data Link Layer.

    Basic concepts

    Connectivity association (CA) is a group of participants that use the same key and key algorithm.
  • Page 475: Macsec Applications

    MACsec applications

    MACsec supports the following application modes:
    • Client-oriented mode—Secures data transmission between the client and the access device. In this mode, the authentication server generates and distributes the CAK-related parameters to the client and the access device. In this mode, MACsec must operate with 802.1X authentication.
  • Page 476 Figure 140 MACsec interactive process in client-oriented mode (sequence diagram between Client, Device, and Authentication server; EAPOL on the client side, RADIUS on the server side. Identity authentication: EAPOL-Start, EAP-Request / Identity, EAP-Response / Identity, RADIUS Access-Request, RADIUS Access-Accept, EAP-Success. Session negotiation: EAPOL-MKA: key server, EAPOL-MKA: MACsec capable, EAPOL-MKA: key name, SAK, EAPOL-MKA: SAK installed. Then secured frames...)
  • Page 477: Protocols And Standards

    The interfaces on HPE 5130/5510 10GBASE-T 2-port Module (JH156A) and HPE 5130/5510 10GbE SFP+ 2-port Module (JH157A) interface modules installed on switch models except HPE 5510 24G SFP 4SFP+ HI 1-slot Switch (JH149A). The interface modules do not support hot swapping if MKA is enabled on such interfaces.
  • Page 478: Macsec Configuration Task List

    MACsec configuration task list

    In device-oriented mode, the MACsec configuration takes effect on Layer 2 and Layer 3 Ethernet ports. In client-oriented mode, the MACsec configuration takes effect only on 802.1X-enabled ports.

    To configure MACsec, perform the following tasks:
    Tasks at a glance Remarks
    (Required.) Enabling MKA...
  • Page 479: Configuring A Preshared Key

    • A minimum of one participant is enabled with MACsec desire.

    To enable MACsec desire:
    Step Command Remarks
    Enter system view. system-view
    Enter interface view. interface interface-type interface-number
    Enable MACsec desire. macsec desire By default, the port does not expect MACsec protection for outbound frames.
  • Page 480: Configuring Macsec Protection Parameters In Interface View

    In client-oriented mode, the access device port automatically becomes the key server. You do not have to configure the MKA key server priority. In device-oriented mode, the port that has higher priority becomes the key server. If a port and its peers have the same priority, MACsec compares the secure channel identifier (SCI) values on the ports.
  • Page 481: Configuring Macsec Replay Protection

    Configuring MACsec replay protection

    The MACsec replay protection feature allows a MACsec port to accept a number of out-of-order or repeated inbound frames. The configured replay protection window size is effective only when MACsec replay protection is enabled.

    To configure MACsec replay protection:
    Step Command Remarks...
  • Page 482: Applying An Mka Policy

    Step Command Remarks
    The settings for parameters in the default policy are the same as the default settings for the parameters on a port. You cannot delete or modify the default MKA policy. You can create multiple MKA policies.
    The default setting is 0.
    (Optional.) Configure macsec...
  • Page 483: Macsec Configuration Examples

    Task Command
    Display MACsec information on ports. display macsec [ interface interface-type interface-number ] [ verbose ]
    Display MKA session information. display mka session [ interface interface-type interface-number | local-sci sci-id ] [ verbose ]
    Display MKA policy information. display mka { default-policy | policy [ name
  • Page 484
    # Enter system view.
    <Device> system-view
    # Configure RADIUS scheme radius1.
    [Device] radius scheme radius1
    [Device-radius-radius1] primary authentication 10.1.1.1
    [Device-radius-radius1] primary accounting 10.1.1.1
    [Device-radius-radius1] key authentication simple name
    [Device-radius-radius1] key accounting simple money
    [Device-radius-radius1] user-name-format without-domain
    [Device-radius-radius1] quit
    # Configure authentication domain bbb for 802.1X users.
    [Device] domain bbb
    [Device-isp-bbb] authentication lan-access radius-scheme radius1
    [Device-isp-bbb] authorization lan-access radius-scheme radius1...
  • Page 485
    [Device-GigabitEthernet1/0/1] quit

    Verifying the configuration

    # Display MACsec information on GigabitEthernet 1/0/1.
    [Device] display macsec interface gigabitethernet 1/0/1 verbose
    Interface GigabitEthernet1/0/1
      Protect frames         : Yes
      Active MKA policy      : pls
      Replay protection      : Enabled
      Replay window size     : 100 frames
      Confidentiality offset : 30 bytes
      Validation mode        : Strict...
  • Page 486: Device-Oriented Macsec Configuration Example

    Device-oriented MACsec configuration example

    Network requirements

    As shown in Figure 143, Device A is the MACsec key server. To secure data transmission between the two devices by MACsec, perform the following tasks on Device A and Device B, respectively:
    • Set the MACsec confidentiality offset to 30 bytes.
  • Page 487
    # Set the MKA key server priority to 10.
    [DeviceB-GigabitEthernet1/0/1] mka priority 10
    # Configure the CKN as E9AC and the CAK as 09DB3EF1 in plain text.
    [DeviceB-GigabitEthernet1/0/1] mka psk ckn E9AC cak simple 09DB3EF1
    # Set the MACsec confidentiality offset to 30 bytes.
    [DeviceB-GigabitEthernet1/0/1] macsec confidentiality-offset 30
    # Enable MACsec replay protection.
  • Page 488
    Principal actor       : Yes
    MKA session status    : Secured
    Confidentiality offset: 30 bytes
    Current SAK status    : Rx & Tx
    Current SAK AN
    Current SAK KI (KN)   : 85E004AF49934720AC5131D300000003 (3)
    Previous SAK status   : N/A
    Previous SAK AN       : N/A
    Previous SAK KI (KN)  : N/A
    Live peer list:...
  • Page 489: Troubleshooting Macsec

    Current SAK KI (KN)   : 85E004AF49934720AC5131D300000003 (3)
    Previous SAK status   : N/A
    Previous SAK AN       : N/A
    Previous SAK KI (KN)  : N/A
    Live peer list:
    Priority Capability Rx-SCI
    85E004AF49934720AC5131D3 1216 00E00100000A0006

    Troubleshooting MACsec

    Symptom

    The devices cannot establish MKA sessions when the following conditions exist: •...
  • Page 490: Configuring Nd Attack Defense

    Configuring ND attack defense

    Overview

    IPv6 Neighbor Discovery (ND) attack defense is able to identify forged ND messages to prevent ND attacks. The IPv6 ND protocol does not provide any security mechanisms and is vulnerable to network attacks. As shown in Figure 144, an attacker can send the following forged ICMPv6 messages to perform ND attacks:...
  • Page 491: Configuring Nd Attack Detection

    Configuring ND attack detection

    About ND attack detection

    ND attack detection checks incoming ND messages for user validity to prevent spoofing attacks. It is typically configured on access devices. ND attack detection defines the following types of interfaces:
    • ND trusted interface—The device directly forwards ND messages or data packets received by ND trusted interfaces.
  • Page 492: Displaying And Maintaining Nd Attack Detection

    Step Command Remarks
    disabled.
    Return to system view. quit
    Enter Layer 2 Ethernet or aggregate interface view. interface interface-type interface-number
    (Optional.) Configure the interface as ND trusted interface. ipv6 nd detection trust By default, all interfaces are ND untrusted interfaces.

    Displaying and maintaining ND attack detection

    Execute display commands in any view and reset commands in user view.
  • Page 493
    Configuration procedure

    Configure Device A:
    # Create VLAN 10.
    <DeviceA> system-view
    [DeviceA] vlan 10
    [DeviceA-vlan10] quit
    # Configure GigabitEthernet 1/0/3 to trunk VLAN 10.
    [DeviceA] interface gigabitethernet 1/0/3
    [DeviceA-GigabitEthernet1/0/3] port link-type trunk
    [DeviceA-GigabitEthernet1/0/3] port trunk permit vlan 10
    [DeviceA-GigabitEthernet1/0/3] quit
    # Assign IPv6 address 10::1/64 to VLAN-interface 10.
  • Page 494: Configuring Ra Guard

    Verifying the configuration

    Verify that Device B inspects all ND messages received by GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 based on the ND snooping entries. (Details not shown.)

    Configuring RA guard

    About RA guard

    RA guard allows Layer 2 access devices to analyze and block unwanted and forged RA messages. Upon receiving an RA message, the device makes the forwarding or dropping decision based on the role of the attached device or the RA guard policy.
  • Page 495: Enabling The Ra Guard Logging Feature

    Step Command Remarks
    ... criterion. { ipv6-acl-number | name ipv6-acl-name } ... exists.
    Specify prefix match criterion. if-match prefix { ipv6-acl-number | name ipv6-acl-name } By default, no prefix match criterion exists.
    Specify a router preference match criterion. if-match router-preference maximum { high | low | ... By default, no router preference match criterion exists.
  • Page 496: Ra Guard Configuration Example

    Task Command
    ... interface-number ]
    Clear RA guard statistics. reset ipv6 nd raguard statistics [ interface interface-type interface-number ]

    RA guard configuration example

    Network requirements

    As shown in Figure 146, GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 of Device B are in VLAN 10. Configure RA guard on Device B to filter forged and unwanted RA messages.
  • Page 497
    # Assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to VLAN 10.
    [DeviceB] interface gigabitethernet 1/0/1
    [DeviceB-GigabitEthernet1/0/1] port link-type access
    [DeviceB-GigabitEthernet1/0/1] port access vlan 10
    [DeviceB-GigabitEthernet1/0/1] quit
    [DeviceB] interface gigabitethernet 1/0/2
    [DeviceB-GigabitEthernet1/0/2] port link-type access
    [DeviceB-GigabitEthernet1/0/2] port access vlan 10
    [DeviceB-GigabitEthernet1/0/2] quit
    # Configure GigabitEthernet 1/0/3 to trunk VLAN 10.
  • Page 498: Document Conventions And Icons

    Document conventions and icons

    Conventions

    This section describes the conventions used in the documentation.

    Port numbering in examples

    The port numbers in this document are for illustration only and might be unavailable on your device.

    Command conventions
    Convention Description
    Boldface Bold text represents commands and keywords that you enter literally as shown.
  • Page 499: Network Topology Icons

    Network topology icons
    Convention Description
    Represents a generic network device, such as a router, switch, or firewall.
    Represents a routing-capable device, such as a router or Layer 3 switch.
    Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 500: Support And Other Resources

    Support and other resources

    Accessing Hewlett Packard Enterprise Support
    • For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance
    • To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc

    Information to collect
    •...
  • Page 501: Websites

    For more information and device support details, go to the following website: www.hpe.com/info/insightremotesupport/docs

    Documentation feedback

    Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title,...
  • Page 502 part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
  • Page 503: Index

    Index EAP-Success packets sending, Numerics enable, 3DES feature cooperation, security IPsec encryption algorithm, guest VLAN, guest VLAN assignment delay, MACsec configuration, 461, 465, 470 guest VLAN configuration, 87, 96 802.1X, See also under 802 MAC authentication delay, access control method, MAC-based access control, ACL assignment configuration, maintain,...
  • Page 504 HWTACACS accounting server, RADIUS scheme VPN, HWTACACS authentication server, RADIUS security policy server IP address, HWTACACS authorization server, RADIUS server load sharing, HWTACACS display, RADIUS server SSH user authentication+authorization, HWTACACS implementation, RADIUS server status, HWTACACS maintain, RADIUS session-control, HWTACACS outgoing packet source IP address, RADIUS shared keys, HWTACACS scheme,...
  • Page 505 architecture 802.1X authentication+ACL assignment, 802.1X, 802.1X+ACL assignment configuration, PKI, MAC authentication ACL assignment, 105, attack protection. See ARP attack protection security IPsec ACL, MFF configuration, 431, 433, 435 security IPsec ACL de-encapsulated packet MFF configuration (manual-mode in ring check, network), security IPsec ACL rule keywords, MFF configuration (manual-mode in tree security IPsec ACL-based implementation,...
  • Page 506 security IPsec SA, 802.1X periodic online user reauthentication, attack 802.1X RADIUS Message-Authentication attribute, ARP attack protection configuration, 802.1X timeout timers, attack D&P 802.1X VLAN manipulation, configuration, AAA configuration, 1, 17, 49 TCP fragment attack prevention configuration, AAA ISP domain authentication method, attack detection and prevention.
  • Page 507 security portal authentication client, AAA RADIUS server SSH user authentication+authorization, security portal authentication server, AAA RADIUS session-control, security user profile configuration, AAA SSH user local authentication+HWTACACS SSH configuration, authorization+RADIUS accounting, SSH methods, MAC authentication authorization VLAN, SSH SCP file transfer+password port security authorization-fail-offline feature, authentication, port security server authorization information...
  • Page 508 troubleshooting PKI CA certificate import security portal authentication, failure, security portal authentication system troubleshooting PKI CA certificate obtain components, failure, SSL client policy configuration, CA (MACsec), command CAK (MACsec), AAA command accounting method, AAA command authorization method, user profile configuration, comparing certificate 802.1X EAP relay/termination authentication,...
  • Page 509 security IPsec tunnel for IPv4 packets AAA RADIUS server SSH user (manual), authentication+authorization, security SSH SCP, AAA RADIUS server status detection test profile, security SSH SCP (Suite B), AAA scheme, SSH, AAA SSH user local authentication+HWTACACS SSH client host public key, authorization+RADIUS accounting, SSH SCP file+password authentication, AAA user group attributes,...
  • Page 510 IPsec IKEv2 policy, port security client macAddressElseUserLoginSecure, IPsec IKEv2 profile, port security client userLoginWithOUI, IPsec IKEv2 proposal, port security features, IPv4 source guard (IPv4SG), port security intrusion protection, IPv4 source guard (IPv4SG) static binding, port security MAC address autoLearn, IPv6 ND attack defense, port security NTK feature, IPv6 ND attack defense RA guard, port security secure MAC addresses,...
  • Page 511 security portal authentication server detection, security IPsec packet DF bit copy, creating security portal authentication server AAA HWTACACS scheme, detection+user synchronization, AAA ISP domain, security portal authentication source subnet, AAA LDAP scheme, AAA RADIUS scheme, security portal authentication user online local key pair, detection, security LDAP server,...
  • Page 512 delay MAC authentication (local), 802.1X guest VLAN assignment delay, MAC authentication (RADIUS-based), delaying MAC authentication ACL assignment, MAC authentication delay, MAC authentication configuration, delimiter (802.1X domain name), MACsec (device-oriented), MACsec operation (device-oriented), security IPsec encryption algorithm, MFF server IP address, desire NETCONF-over-SSH+password authentication configuration,...
  • Page 513 SSH SFTP server configuration (password PKI peer certificate, authentication-enabled), PKI RA certificate, SSH SFTP server enable, PKI RSA Keon CA server certificate request, SSL server policy configuration, PKI storage path, uRPF configuration, PKI verification (CRL checking), DF bit PKI verification (w/o CRL checking), security IPsec packet DF bit clear, PKI Windows 2003 CA server certificate request, security IPsec packet DF bit copy,...
  • Page 514 802.1X mandatory port authentication 802.1X relay/termination authentication, domain, EAPOL 802.1X supported domain name delimiters, 802.1X authentication (access device initiated), AAA ISP domain accounting method, AAA ISP domain attribute, 802.1X authentication (client-initiated), AAA ISP domain authentication method, 802.1X packet format, AAA ISP domain authorization method, ECDSA MAC authentication, feature and software version compatibility,...
  • Page 515 SSH SCP server, SSH SFTP server connection, SSH Secure Telnet server, SSH SFTP server connection based on Suite B, SSH SFTP server, Ethernet uRPF, 802.1X overview, encapsulating ARP attack protection configuration, 802.1X RADIUS EAP-Message attribute, exiting security IPsec ACL de-encapsulated packet check, FIPS mode (automatic reboot), 447, 452...
  • Page 516 PKI, SSH SFTP client configuration (publickey authentication-enabled), public key, SSH SFTP client device, security IPsec, SSH SFTP configuration, security IPsec IKE, SSH SFTP configuration (192-bit Suite B), SSH, SSH SFTP directories, SSL, SSH SFTP files, fixed ARP SSH SFTP packet source IP address, configuration, SSH SFTP server configuration (password configuration restrictions,...
  • Page 517 public key display, identity authentication, public key export, invalid SPI recovery, SSH client host public key configuration, IPsec negotiation mode, HTTP IPsec policy (IKE-based), SSL configuration, 393, 394 IPsec policy (IKE-based/direct), HW Terminal Access Controller Access Control IPsec policy (IKE-based/template), System.
  • Page 518 802.1X MAC-based access control, ARP attack protection configuration, 802.1X port-based access control, ARP filtering configuration, AAA for MPLS L3VPNs, ARP gateway protection, AAA HWTACACS, authorized ARP configuration (DHCP relay agent), AAA LDAP, authorized ARP configuration (DHCP server), AAA on device, MFF server IP address, AAA RADIUS, SSH Secure Telnet packet source IP address,...
  • Page 519 IKE profile configuration, troubleshooting IKE negotiation failure (no proposal match), IKE proposal, troubleshooting IKE negotiation failure (no IKE SA max number, proposal or keychain specified correctly), IKE security mechanism, troubleshooting SA negotiation failure (invalid IKE SNMP notification, identity info), IKEv2 configuration, 309, 311, 318 troubleshooting SA negotiation failure (no IKEv2 cookie challenge,...
  • Page 520 RA guard display, key pair RA guard logging enable, SSH server generation, RA guard maintain, keychain RA guard policy configuration, IPsec IKEv2 keychain, IPv6 ND attack detection security IPsec IKE keychain, configuration, 478, 479 keyword display, security IPsec ACL rule keywords, feature and software version compatibility, maintain, 802.1X overview,...
  • Page 521 user attribute, logging in versions, AAA concurrent login user max, Lightweight Directory Access Protocol. Use LDAP RADIUS Login-Service attribute, limiting logging out ARP packet rate limit, security portal authentication users, port security secure MAC addresses, login load sharing security password expired login, AAA RADIUS server load sharing, security password user first login, local...
  • Page 522 static IPv6 source guard (IPv6SG) MACsec configuration, application mode, troubleshooting port security secure MAC basic concepts, addresses, client-oriented configuration, MAC authentication confidentiality offset configuration, ACL assignment, 105, 119 configuration, 461, 465, 470 authorization VLAN, desire enable, concurrent port users max, device-oriented configuration, configuration, 103, 107, 115...
  • Page 523 ARP attack protection configuration, port security secure MAC learning control, IPsec IKEv2 message retransmission, port security userLogin 802.1X authentication, Message Authentication Code. Use port security userLoginSecure 802.1X authentication, basic concepts, port security userLoginSecureExt 802.1X configuration, 431, 433, 435 authentication, configuration (manual-mode in ring network), port security userLoginWithOUI 802.1X authentication, configuration (manual-mode in tree network),...
  • Page 524 802.1X related protocols, IPsec IKEv2 keepalive, 802.1X VLAN manipulation, security IPsec IKE keepalive, 802.1X+ACL assignment configuration, ND attack defense AAA device implementation, IPv6. See IPv6 ND attack defense AAA HWTACACS implementation, need to know. Use AAA HWTACACS scheme, negotiating AAA HWTACACS server SSH user, IPsec IKEv2 negotiation, AAA ISP domain accounting method, security IPsec IKE negotiation,...
  • Page 525 authorized ARP configuration, MAC authentication guest VLAN, 104, 111 authorized ARP configuration (DHCP relay MAC authentication keep-online, agent), MAC authentication multi-VLAN mode, authorized ARP configuration (DHCP server), MAC authentication offline detection enable, MAC authentication timer, dynamic IPv4 source guard (IPv4SG)+DHCP MAC authentication user account format, relay agent configuration, MAC authentication user profile assignment,...
  • Page 526 port security client security password control global parameters, macAddressElseUserLoginSecure, security password control local user parameters, port security client userLoginWithOUI, port security features, 185, 190 security password control user group parameters, port security intrusion protection, security portal authentication AAA server, port security MAC address autoLearn, security portal authentication client, port security MAC address learning control, security portal authentication domain,...
  • Page 527 SSH SFTP server connection establishment security IPsec tunnel for IPv4 packets based on Suite B, (IKE-based), SSH SFTP server connection termination, security IPsec tunnel for IPv4 packets (manual), SSH SFTP server enable, security password control, 209, 213 SSH user configuration, security password control configuration, SSH2 algorithms, security portal authentication,...
  • Page 528 IP source guard (IPSG) configuration, 400, 401, packet IPv6 ND attack defense configuration, 802.1X EAP format, IPv6 ND attack defense RA guard configuration, 802.1X EAPOL format, 481, 483 802.1X format, IPv6 ND attack detection, AAA HWTACACS outgoing packet source IP static IPv4 source guard (IPv4SG) configuration, address, AAA HWTACACS packet exchange process,...
  • Page 529 password complexity checking, FIPS compliance, password composition checking, local digital certificate, password expiration, 207, 207 MPLS L3VPN support, password history, OpenCA server certificate request, password min length, operation, password not displayed, peer digital certificate, password setting, peer host public key entry, password updating, 207, 207 public key import from file,...
  • Page 530 SSL server policy configuration, 802.1X controlled/uncontrolled port, port 802.1X guest VLAN configuration, 802.1X Auth-Fail VLAN, 802.1X mandatory port authentication domain, 802.1X critical VLAN, 90, 91 802.1X overview, 802.1X critical voice VLAN, 802.1X+ACL assignment configuration, 802.1X guest VLAN, authentication modes, applying interface NAS-ID profile, authorization-fail-offline, direct portal authentication configuration (local client macAddressElseUserLoginSecure,...
  • Page 531 direct configuration, Web server configuration, direct configuration (local portal Web server), Web server detection configuration, 144, 179 Web server reference, direct/cross-subnet authentication process power-up self-test, (with CHAP/PAP authentication), PPPoE displaying, security user profile configuration, domain specification, preshared key (PSK) enabling, MACsec configuration, extended cross-subnet, preventing...
  • Page 532 configuring AAA LDAP user attributes, configuring direct portal authentication (local portal Web server), 144, 179 configuring AAA local user, configuring dynamic IPv4 source guard configuring AAA local user attributes, (IPv4SG)+DHCP snooping, configuring AAA NAS-ID profile, configuring dynamic IPv6 source guard configuring AAA RADIUS accounting-on, (IPv6SG)+DHCPv6 snooping, configuring AAA RADIUS Login-Service...
  • Page 533 configuring MACsec preshared key, configuring relay agent IPv4 source guard (IPv4SG)+DHCP relay agent, configuring MACsec protection parameters (interface view), configuring Secure Telnet client user line, configuring MACsec protection parameters configuring security IPsec, (MKA policy), configuring security IPsec ACL, configuring MACsec replay protection, configuring security IPsec ACL anti-replay, configuring MACsec validation mode, configuring security IPsec anti-replay window and...
  • Page 534 configuring security portal authentication configuring SSL server policy, fail-permit, configuring static IPv4 source guard (IPv4SG), configuring security portal authentication portal-free rule, configuring static IPv6 source guard (IPv6SG), configuring security portal authentication server, configuring TCP fragment attack prevention, configuring security portal authentication configuring uRPF, server BAS-IP, configuring user profile,...
  • Page 535 displaying SSH SFTP help information, enabling SSH SFTP server, displaying SSL, enabling uRPF, displaying uRPF, entering FIPS mode (automatic reboot), 445, 449 distributing local host public key, entering FIPS mode (manual reboot), 445, 450 enabling 802.1X, entering peer host public key, 221, 221 enabling 802.1X critical voice VLAN, entering SSH client host public key,...
  • Page 536 referencing security portal authentication Web specifying AAA HWTACACS scheme VPN, server, specifying AAA HWTACACS shared keys, removing PKI certificate, specifying AAA LDAP authentication server, requesting PKI certificate request, specifying AAA LDAP version, sending EAP-Success packets, specifying AAA RADIUS accounting server parameters, setting 802.1X authentication attempts max number for MAC authenticated users,...
  • Page 537 troubleshooting PKI local certificate request MACsec protection parameter (MKA policy), failure, MACsec replay protection, 461, 468 troubleshooting PKI storage path set failure, protocols and standards 802.1X overview, troubleshooting port security mode cannot be 802.1X related protocols, set, AAA, troubleshooting port security secure MAC AAA HWTACACS, 6, 13 addresses,...
  • Page 538 security policy server IP address, server load sharing, server status, IPv6 ND attack defense device role, server status detection test profile, IPv6 ND attack defense RA guard session-control, configuration, 481, 483 shared keys, IPv6 ND attack defense RA guard logging enable, SNMP notification enable, IPv6 ND attack defense RA guard policy,...
  • Page 539 Remote Authentication Dial-In User Service. Use SSH configuration, RADIUS SSH server configuration, removing PKI certificate, host public key display, replaying host public key export, MACsec replay protection, peer host public key entry, request PKI certificate export, PKI certificate request abort, PKI OpenCA server certificate request, requesting PKI RSA Keon CA server certificate request,...
  • Page 540 802.1X enable, client device configuration, 802.1X guest VLAN, 74, 87 configuration, 802.1X guest VLAN assignment delay, configuration (Suite B), 802.1X guest VLAN configuration, file transfer+password authentication, 802.1X maintain, server connection establishment, 802.1X mandatory port authentication domain, server connection establishment based on 802.1X online user handshake, Suite B, 802.1X overview,...
  • Page 541 AAA SSH user local dynamic IPv4 source guard (IPv4SG)+DHCP authentication+HWTACACS snooping configuration, authorization+RADIUS accounting, dynamic IPv6 source guard (IPv6SG)+DHCPv6 about IPv6 ND attack defense, snooping configuration, ARP active acknowledgement, expired password login, ARP attack detection (source MAC-based), FIPS configuration, 444, 449 414, 415 FIPS configuration restrictions, ARP attack detection configuration,...
  • Page 542 IPsec IKEv2 profile configuration, MAC authentication configuration, IPsec IKEv2 protocols and standards, MAC authentication critical VLAN, IPsec IPv6 routing protocol profile, MAC authentication critical voice VLAN, IPsec IPv6 routing protocols, MAC authentication delay, 110, 110 IPsec packet DF bit, MAC authentication display, IPsec packet logging enable, MAC authentication domain, IPsec policy,...
  • Page 543 MFF server IP address, PKI OpenCA server certificate request, MFF user port, PKI operation, NETCONF-over-SSH client user line, PKI RSA Keon CA server certificate request, NETCONF-over-SSH enable, PKI storage path, NETCONF-over-SSH+password PKI terminology, authentication configuration, PKI Windows 2003 CA server certificate request, parallel processing with 802.1X authentication, port.
  • Page 544 SSH local key pair configuration restrictions, SSH user configuration, SSH user configuration restrictions, SSH management parameters, SSH2 algorithms, SSH SCP client device, SSH2 algorithms (encryption), SSH SCP configuration, SSH2 algorithms (key exchange), SSH SCP configuration (Suite B), SSH2 algorithms (MAC), SSH SCP file transfer+password SSH2 algorithms (public key), authentication,...
  • Page 545 troubleshooting PKI storage path set failure, AAA RADIUS session-control, setting uRPF configuration, 438, 442 802.1X authentication attempts max number for uRPF display, MAC authenticated users, uRPF enable, 802.1X authentication request attempts max, sending 802.1X authentication timeout timers, 802.1X EAP-Success packets, 802.1X concurrent port users max, server 802.1X port authorization state,...
  • Page 546 SSH management parameters, shared key security IPsec IKE invalid SPI recovery, AAA HWTACACS, spoofing AAA RADIUS, uRPF configuration, 438, 442 signature authentication (IKE), uRPF enable, SNMP AAA RADIUS notifications, AAA HWTACACS server SSH user, port security enable, AAA LDAP server SSH user authentication, security IPsec IKE SNMP notification, AAA RADIUS Login-Service attribute check method,...
  • Page 547 Secure Telnet server configuration (publickey static authentication-enabled), IP source guard (IPSG) static binding, Secure Telnet server connection IPv4 source guard (IPv4SG) configuration, establishment, IPv4 source guard (IPv4SG) static binding Secure Telnet server connection configuration, establishment based on Suite B, IPv6 source guard (IPv6SG) configuration, Secure Telnet server enable, IPv6 source guard (IPv6SG) static binding security SCP configuration,...
  • Page 548 security portal authentication configuration, 802.1X quiet, AAA HWTACACS realtime accounting, SSH authentication methods, AAA HWTACACS server quiet, SSH configuration, AAA HWTACACS server response timeout, SSH server local key pair generation, AAA RADIUS realtime accounting, TCP fragment attack prevention, AAA RADIUS server quiet, AAA RADIUS server response timeout, MAC authentication offline detect, MAC authentication quiet,...
  • Page 549 AAA RADIUS packet delivery failure, IPsec IKEv2, AAA RADIUS implementation, IPsec IKEv2 negotiation failure (no proposal AAA RADIUS packet format, match), AAA RADIUS request transmission attempts max, IPsec SA negotiation failure (no transform set match), AAA RADIUS session-control, IPsec SA negotiation failure (tunnel failure), uncontrolled port (802.1X), unicast MACsec,...
  • Page 550 dynamic IPv4 source guard (IPv4SG)+DHCP AAA HWTACACS format, relay agent configuration, AAA RADIUS format, dynamic IPv4 source guard (IPv4SG)+DHCP snooping configuration, validating dynamic IPv6 source guard (IPv6SG)+DHCPv6 snooping configuration, MACsec validation mode, validity check IP source guard (IPSG) configuration, 400, ARP attack detection configuration (user+packet validity check), static IPv4 source guard (IPv4SG)
  • Page 551 security portal authentication roaming, security portal authentication Web server detection, static IPv4 source guard (IPv4SG) configuration, security portal authentication Web server reference, static IPv6 source guard (IPv6SG) configuration, troubleshooting 802.1X EAD assistant browser users, Windows AAA HWTACACS scheme VPN, 2000 PKI CA server SCEP add-on, AAA MPLS L3VPN implementation, 2000 PKI entity configuration, AAA RADIUS scheme VPN,...