Authentication methods 122
VLAN assignment 123
ACL assignment 123
Periodic MAC reauthentication 124
Compatibility information 124
Feature and hardware compatibility 124
Command and hardware compatibility 124
Configuration prerequisites 125
Configuration task list 125
Enabling MAC authentication ...
Configuring portal user synchronization 163
Configuring the portal fail-permit feature 163
Configuring BAS-IP for portal packets sent to the portal authentication server 164
Specifying a format for the NAS-Port-ID attribute 165
Specifying the device ID 166
Enabling portal roaming ...
Enabling port security 255
Setting port security's limit on the number of secure MAC addresses on a port 255
Setting the port security mode 256
Configuring port security features 257
Configuring NTK 257
Configuring intrusion protection 258
Configuring secure MAC addresses ...
Creating a local key pair 292
Distributing a local host public key 294
Exporting a host public key 294
Displaying a host public key 294
Destroying a local key pair 295
Configuring a peer host public key 295
Importing a peer host public key from a public key file ...
Authentication and encryption 341
IPsec implementation 342
IPsec RRI 344
Protocols and standards 345
FIPS compliance 345
IPsec tunnel establishment 345
Implementing ACL-based IPsec 346
Configuring an ACL 347
Configuring an IPsec transform set 350
Configuring a manual IPsec policy ...
Main mode IKE with pre-shared key authentication configuration example 403
Aggressive mode with RSA signature authentication configuration example 407
Aggressive mode with NAT traversal configuration example 414
IKE remote extended authentication configuration example 419
IKE local extended authentication and address pool authorization configuration example 422
Troubleshooting IKE ...
Working with SFTP directories 474
Working with SFTP files 475
Displaying help information 475
Terminating the connection with the SFTP server 475
Configuring the device as an SCP client 475
SCP client configuration task list 475
Generating local key pairs ...
ASPF application to a zone pair configuration example 524
Configuring APR 527
Overview 527
PBAR 527
NBAR 527
Application group 527
APR signature database management 528
Command and hardware compatibility 528
Licensing requirements 529
APR configuration task list ...
Attack detection and prevention configuration examples 595
Interface-based attack detection and prevention configuration example 595
IP blacklist configuration example 599
User blacklist configuration example 599
Address object group blacklist configuration example 600
Address object group whitelist configuration example 601
Interface-based TCP client verification configuration example ...
Configuring AAA
Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. This feature specifies the following security functions:
• Authentication—Identifies users and verifies their validity.
• Authorization—Grants different users different rights, and controls the users' access to resources and services.
RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. The protocol can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access.
Basic RADIUS packet exchange process
Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
Figure 3 Basic RADIUS packet exchange process (host, RADIUS client, RADIUS server):
1) Username and password (host to RADIUS client)
2) Access-Request (RADIUS client to RADIUS server)
3) Access-Accept/Reject (RADIUS server to RADIUS client)
4) Accounting-Request (start) (RADIUS client to RADIUS server)
5) Accounting-Response (RADIUS server to RADIUS client)
6) The host accesses the resources
...
Figure 4 RADIUS packet format: Code | Identifier | Length | Authenticator (16 bytes) | Attributes
Descriptions of the fields are as follows:
• The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main values and their meanings.
Table 1 Main values of the Code field (Code, Packet type)
...
• Length—Length of the attribute in bytes, including the Type, Length, and Value subfields.
• Value—Value of the attribute. Its format and content depend on the Type subfield.
Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868.
(Table of commonly used RADIUS attributes, continued; attribute numbers per the IANA registry.)
No. Attribute
33 Proxy-State
34 Login-LAT-Service
35 Login-LAT-Node
36 Login-LAT-Group
37 Framed-AppleTalk-Link
38 Framed-AppleTalk-Network
39 Framed-AppleTalk-Zone
40 Acct-Status-Type
41 Acct-Delay-Time
42 Acct-Input-Octets
43 Acct-Output-Octets
44 Acct-Session-Id
80 Message-Authenticator
81 Tunnel-Private-Group-ID
82 Tunnel-Assignment-id
83 Tunnel-Preference
84 ARAP-Challenge-Response
85 Acct-Interim-Interval
86 Acct-Tunnel-Packets-Lost
87 NAS-Port-Id
88 Framed-Pool
89 (unassigned)
90 Tunnel-Client-Auth-id
91 Tunnel-Server-Auth-id
Extended RADIUS attributes
The RADIUS protocol features excellent extensibility. The Vendor-Specific attribute (attribute 26) allows a vendor to define extended attributes.
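The packet layout in Figure 4, the Type/Length/Value attribute format, and the Vendor-Specific attribute 26 described above can be exercised with the following Python code. It is an added example written for this page, not code from the HPE guide or from any HPE product: it parses a RADIUS packet and its attribute list (including the vendor sub-attributes inside attribute 26), hides a User-Password with the RFC 2865 shared-secret scheme, and verifies the Response Authenticator of an Access-Accept against the Request Authenticator it answers. The shared secret, identifier, Request Authenticator bytes, vendor ID 12345 and sub-attribute type 29 are constructed sample values.

```python
import hashlib
import hmac
import struct

# Packet codes (Table 1) and a few attribute types from RFC 2865/2866.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26


def parse_attributes(data):
    """Walk the Type/Length/Value list. Length counts the two header bytes."""
    attrs, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated attribute header at offset %d" % off)
        atype, alen = data[off], data[off + 1]
        # Length < 2 would never advance; Length past the end is a truncated attribute.
        if alen < 2 or off + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, off))
        attrs.append((atype, data[off + 2:off + alen]))
        off += alen
    return attrs


def parse_vendor_specific(value):
    """Attribute 26: 4-byte Vendor-Id followed by vendor-defined sub-attributes in the same TLV form."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific shorter than the Vendor-Id field")
    return struct.unpack("!I", value[:4])[0], parse_attributes(value[4:])


def parse_packet(raw):
    """Return (code, identifier, authenticator, attributes) or raise on a malformed packet."""
    if len(raw) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    # RFC 2865: a Length below 20 or above the datagram size is discarded; extra bytes are padding.
    if length < 20 or length > len(raw):
        raise ValueError("bad Length field %d" % length)
    return code, ident, raw[4:20], parse_attributes(raw[20:length])


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def hide_user_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; c1 = p1 XOR MD5(S+RA), ci = pi XOR MD5(S+c(i-1))."""
    pad_len = (-len(password)) % 16 if password else 16
    padded = password + b"\x00" * pad_len
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_user_password(cipher, secret, request_auth):
    """Server side: undo hide_user_password and strip the NUL padding."""
    if not cipher or len(cipher) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret) for a reply."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def verify_response(raw_reply, request_auth, secret):
    """Client-side check: a reply whose authenticator does not match is silently discarded."""
    code, ident, auth, attrs = parse_packet(raw_reply)
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return hmac.compare_digest(auth, expected)


# Constructed sample exchange. A real client draws a fresh random Request Authenticator per request;
# the secret, identifier, vendor ID (12345) and sub-attribute (type 29) here are made up for the demo.
SECRET = b"expert"
REQUEST_AUTH = bytes(range(16))
ACCESS_REQUEST_PKT = build_packet(ACCESS_REQUEST, 7, REQUEST_AUTH, [
    (USER_NAME, b"aaa@bbb"),
    (USER_PASSWORD, hide_user_password(b"ldap!123456", SECRET, REQUEST_AUTH)),
    (VENDOR_SPECIFIC, struct.pack("!I", 12345) + bytes([29, 6]) + b"\x00\x00\x00\x01"),
])
ACCESS_ACCEPT_PKT = build_packet(
    ACCESS_ACCEPT, 7, response_authenticator(ACCESS_ACCEPT, 7, REQUEST_AUTH, [], SECRET), [])
```

Two things the code makes visible that the field description does not: the User-Password hiding is reversible by anyone who holds the shared secret, since the Request Authenticator travels in the clear, and the Response Authenticator is an MD5 of the reply plus that same secret. The strength of the shared key and the protection of the NAS-to-server path therefore carry the whole security of the exchange, which is why the key (see the key authentication command later in this chapter) should be long and random rather than a dictionary word.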
HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical HWTACACS scenario, terminal users need to log in to the NAS. Working as the HWTACACS client, the NAS sends users' usernames and passwords to the HWTACACS server for authentication. After passing authentication and obtaining authorized rights, a user logs in to the device and performs operations.
Figure 6 Basic HWTACACS packet exchange process for a Telnet user (host, HWTACACS client, HWTACACS server):
1) The user tries to log in
2) Start-authentication packet (client to server)
3) Authentication response requesting the username (server to client)
4) Request for username (client to host)
5) The user enters the username
6) Continue-authentication packet with the username (client to server)
7) Authentication response requesting the password (server to client)
8) Request for password (client to host)
...
10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password. 11. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication. 12.
• Establishes a connection to the LDAP server and binds with the LDAP server administrator DN. Once the bind succeeds, the client has the right to search the directory.
• Constructs search conditions by using the username in the authentication information of a user. The specified root directory of the server is searched and a user DN list is generated.
The LDAP server processes the request, and sends a response to notify the LDAP client of the bind operation result. If the bind operation fails, the LDAP client uses another obtained user DN as the parameter to send a user DN bind request to the LDAP server. This process continues until a DN is bound successfully or all DNs fail to be bound.
The LDAP client sends an authorization search request with the username of the Telnet user to the LDAP server. If the user uses the same LDAP server for authentication and authorization, the client sends the request with the saved user DN of the Telnet user to the LDAP server. After receiving the request, the LDAP server searches for the user information by the base DN, search scope, filtering conditions, and LDAP attributes.
AAA methods AAA supports configuring different authentication, authorization, and accounting methods for different types of users in an ISP domain. The NAS determines the ISP domain and access type of a user. The NAS also uses the methods configured for the access type in the domain to control the user's access.
• Command accounting—When command authorization is disabled, command accounting enables the accounting server to record all valid commands executed on the device. When command authorization is enabled, command accounting enables the accounting server to record all authorized commands. For more information about command accounting, see Fundamentals Configuration Guide.
Calling-Station-Id: User identification that the NAS sends to the server. For the LAN access service provided by an HPE device, this attribute includes the MAC address of the user in the format HHHH-HHHH-HHHH.
NAS-Identifier: Identification that the NAS uses to identify itself to the RADIUS server.
Attribute / Description
Acct-Authentic: Authentication method used by the user. Possible values include:
• 1—RADIUS.
• 2—Local.
• 3—Remote.
CHAP-Challenge: CHAP challenge generated by the NAS for MD5 calculation during CHAP authentication.
(Attribute name cut off in extraction): Type of the physical port of the NAS that is authenticating the user. Possible values include:
•...
Subattribute / Description
Control_Identifier: Identification for retransmitted packets. For retransmitted packets from the same session, this attribute must have the same value. For retransmitted packets from different sessions, this attribute does not have to be the same value. The client response to a retransmitted packet must also include this attribute, with the same value.
AAA configuration considerations and task list
To configure AAA, complete the following tasks on the NAS:
Configure the required AAA schemes:
• Local authentication—Configure local users and the related attributes, including the usernames and passwords, for the users to be authenticated.
• Remote authentication—Configure the required RADIUS, HWTACACS, and LDAP ...
Tasks at a glance:
• (Optional.) Setting the maximum number of concurrent login users
• (Optional.) Configuring and applying an ITA policy
• (Optional.) Configuring a NAS-ID profile
• (Optional.) Configuring the device ID
Configuring AAA schemes
This section includes information on configuring local users, RADIUS schemes, HWTACACS schemes, and LDAP schemes.
The attribute configured in user group view takes effect on all local users in the user group. The attribute configured in local user view takes effect only on the local user.
• Password control attributes—Password control attributes help control password security for device management users.
(Optional.) Configure a password for the local user.
  Command:
  • For a network access user: password { cipher | simple } string
  • For a device management user: ...
  Remarks: The default settings are as follows:
  • In non-FIPS mode, no password is configured for a local user. A local user can pass authentication after ...
12. (Optional.) Configure password control attributes of the local user.
  Command:
  • Set the password aging time: password-control aging aging-time
  • Set the minimum password length: password-control length length
  • Configure the password composition policy: password-control composition type-number type-number [ type-length type-length ]
  Remarks: By default, the local user uses the password control attributes of the user group ...
17. Configure authorization attributes for the user group.
  Command: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | ip-pool ipv4-pool-name | ipv6-pool ipv6-pool-name | ipv6-prefix ipv6-prefix prefix-length | { primary-dns | secondary-dns } { ipv4-address | ipv6 ipv6-address } | ... } *
  Remarks: By default, no authorization attributes are configured for a user group.
24. Specify the company of the local guest.
  Command: company company-name
  Remarks: By default, no company is specified for a local guest.
25. Specify the phone number of the local guest.
  Command: phone phone-number
  Remarks: By default, no phone number is specified for a local guest.
The guest manager adds supplementary information as needed and approves the registration information. The guest manager must process the registration request before the waiting-approval timeout timer expires. The device automatically deletes expired registration request information. The device creates a local guest account and sends an email notification to the user and guest sponsor.
43. Send email notifications to the local guest or the guest sponsor.
  Command: local-guest send-email user-name user-name to { guest | sponsor }
  Remarks: The email contents include the user name, password, and validity period of the guest account.
Displaying and maintaining local users and local user groups
Execute display commands in any view.
Tasks at a glance (continued):
• (Optional.) Enabling SNMP notifications for RADIUS
• (Optional.) Displaying and maintaining RADIUS
Configuring a test profile for RADIUS server status detection
Use a test profile to detect whether a RADIUS authentication server is reachable at a detection interval.
You can specify one primary authentication server and a maximum of 16 secondary authentication servers for a RADIUS scheme. When the primary server is not available, the device searches for the secondary servers in the order they are configured. The first secondary server in active state is used for communication.
53. Specify RADIUS accounting servers.
  Command:
  • Specify the primary RADIUS accounting server: primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *
  Remarks: By default, no accounting servers are specified. Two accounting servers in a ...
60. Specify a VPN instance for the RADIUS scheme.
  Command: vpn-instance vpn-instance-name
  Remarks: By default, the RADIUS scheme belongs to the public network.
Setting the username format and traffic statistics units
A username is in the userid@isp-name format, where the isp-name argument represents the user's ISP domain name.
Setting the status of RADIUS servers To control the RADIUS servers with which the device communicates when the current servers are no longer available, set the status of RADIUS servers to blocked or active. You can specify one primary RADIUS server and multiple secondary RADIUS servers. The secondary servers function as the backup of the primary server.
Set the status of RADIUS servers.
  Command:
  • Set the status of the primary RADIUS authentication server: state primary authentication { active | block }
  • Set the status of the primary RADIUS accounting server: state primary accounting { active | block }
  Remarks: By default, a RADIUS server is in active state.
72. Specify a source IP address for outgoing RADIUS packets.
  Command: radius nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
  Remarks: By default, the IP address of the RADIUS packet outbound interface is used as the source IP address.
To specify a source IP address for a RADIUS scheme:
Step / Command ...
76. Enter system view.
  Command: system-view
77. Enter RADIUS scheme view.
  Command: radius scheme radius-scheme-name
78. Set the RADIUS server response timeout timer.
  Command: timer response-timeout seconds
  Remarks: The default setting is 3 seconds.
79. Set the quiet timer for the servers.
  Command: timer quiet minutes
  Remarks: The default setting is 5 minutes.
86. Enter RADIUS scheme view.
  Command: radius scheme radius-scheme-name
87. Interpret the RADIUS class attribute as CAR parameters.
  Command: attribute 25 car
  Remarks: By default, the RADIUS class attribute is not interpreted as CAR parameters.
Configuring the Login-Service attribute check method for SSH, FTP, and terminal users
The device supports the following check methods for the Login-Service attribute (RADIUS attribute 15) of SSH, FTP, and terminal users:
•...
• RADIUS server unreachable notification—The RADIUS server cannot be reached. RADIUS generates this notification if it does not receive a response to an accounting or authentication request within the specified number of RADIUS request transmission attempts. • RADIUS server reachable notification—The RADIUS server can be reached. RADIUS generates this notification for a previously blocked RADIUS server after the quiet timer expires.
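The server selection rules spread over the preceding sections (one primary and up to 16 secondaries tried in configuration order, the active/block state, the response timeout, the quiet timer, and the unreachable/reachable notifications above) form one small state machine. The following Python code is an added example for this page, not HPE code, that models that state machine and drives it through a primary outage so the worst-case authentication delay and the notification sequence become visible. The number of transmission attempts per server (3) is an assumption, since this page states only that a count is configured; the network is replaced by a constructed transport callback.

```python
ACTIVE, BLOCK = "active", "block"


class RadiusServer:
    def __init__(self, addr, port=1812):
        self.addr, self.port = addr, port
        self.state = ACTIVE          # default state per the guide
        self.blocked_until = None    # set while the quiet timer is running


class RadiusScheme:
    """Primary plus up to 16 secondary servers, tried in configuration order."""

    def __init__(self, primary, secondaries=(), response_timeout=3.0, attempts=3, quiet_minutes=5):
        if len(secondaries) > 16:
            raise ValueError("a scheme takes at most 16 secondary servers")
        self.servers = [RadiusServer(primary)] + [RadiusServer(a) for a in secondaries]
        self.response_timeout = response_timeout  # timer response-timeout (default 3 s)
        self.attempts = attempts                  # assumed transmission count; not given on this page
        self.quiet_seconds = quiet_minutes * 60   # timer quiet (default 5 minutes)
        self.notifications = []                   # stands in for the SNMP notifications

    def set_state(self, addr, state):
        """Operator override (state ... { active | block }): no quiet timer, stays until changed."""
        for s in self.servers:
            if s.addr == addr:
                s.state, s.blocked_until = state, None
                return
        raise KeyError(addr)

    def _expire_quiet_timers(self, now):
        for s in self.servers:
            if s.state == BLOCK and s.blocked_until is not None and now >= s.blocked_until:
                s.state, s.blocked_until = ACTIVE, None
                self.notifications.append(("reachable", s.addr))

    def send(self, request, now, transport):
        """Return (server_addr, reply, time_when_done); transport(addr, port, request) -> reply or None."""
        self._expire_quiet_timers(now)
        for s in self.servers:
            if s.state != ACTIVE:
                continue
            for _ in range(self.attempts):
                reply = transport(s.addr, s.port, request)
                if reply is not None:
                    return s.addr, reply, now
                now += self.response_timeout      # each attempt waits out the response timeout
            s.state, s.blocked_until = BLOCK, now + self.quiet_seconds
            self.notifications.append(("unreachable", s.addr))
        return None, None, now                    # every server down: the scheme fails this request


def failover_demo():
    """Constructed scenario: primary dead, two healthy secondaries, primary recovers later."""
    scheme = RadiusScheme("10.1.1.1", ["10.1.1.2", "10.1.1.3"])
    reachable = {"10.1.1.2", "10.1.1.3"}
    transport = lambda addr, port, req: (b"Access-Accept" if addr in reachable else None)
    used1, _, t1 = scheme.send(b"req1", 0.0, transport)  # 3 attempts x 3 s on the primary, then secondary
    used2, _, t2 = scheme.send(b"req2", t1, transport)   # primary blocked: straight to the secondary
    reachable.add("10.1.1.1")
    used3, _, _ = scheme.send(b"req3", t1 + scheme.quiet_seconds, transport)  # quiet timer expired
    return used1, t1, used2, t2 - t1, used3, list(scheme.notifications)
```

failover_demo() returns the server used, the seconds spent, and the notifications for each request: the first login pays 9 seconds (three timeouts on the dead primary) before the first secondary answers, the second login pays nothing because the primary is blocked, and after the 5-minute quiet timer the primary is active again and is used first. That 9 seconds multiplies by the number of dead servers ahead of a live one, so a user line whose authentication must finish inside a login timeout needs the timers sized with that product in mind.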
Creating an HWTACACS scheme
Create an HWTACACS scheme before performing any other HWTACACS configurations. You can configure a maximum of 16 HWTACACS schemes. An HWTACACS scheme can be used by multiple ISP domains.
To create an HWTACACS scheme:
Step / Command / Remarks
96. ...
Specifying the shared keys for secure HWTACACS communication The HWTACACS client and server use the MD5 algorithm and shared keys to generate the Authenticator value for packet authentication and user password encryption. The client and server must use the same key for each type of communication. Perform this task to configure shared keys for servers in an HWTACACS scheme.
114. Enter HWTACACS scheme view.
  Command: hwtacacs scheme hwtacacs-scheme-name
115. Set the format of usernames sent to the HWTACACS servers.
  Command: user-name-format { keep-original | with-domain | without-domain }
  Remarks: By default, the ISP domain name is included in a username.
121. Specify a source IP address for outgoing HWTACACS packets.
  Command: nas-ip { ipv4-address | ipv6 ipv6-address }
  Remarks: By default, the source IP address specified by the hwtacacs nas-ip command in system view is used. If the source IP address is not specified, the IP address of the outbound interface is used.
To set HWTACACS timers:
122. Enter system view.
  Command: system-view
123. Enter HWTACACS scheme view.
  Command: hwtacacs scheme hwtacacs-scheme-name
124. Set the HWTACACS server response timeout timer.
  Command: timer response-timeout seconds
  Remarks: By default, the HWTACACS server response timeout timer is 5 seconds.
(Next step cut off in extraction.)
  Remarks: By default, the real-time accounting interval is 12 minutes.
Creating an LDAP server
127. Enter system view.
  Command: system-view
128. Create an LDAP server and enter LDAP server view.
  Command: ldap server server-name
  Remarks: By default, no LDAP servers exist.
Configuring the IP address of the LDAP server
Step / Command / Remarks
129. ...
Configuring administrator attributes
To configure the administrator DN and password for binding with the LDAP server during LDAP authentication:
138. Enter system view.
  Command: system-view
139. Enter LDAP server view.
  Command: ldap server server-name
(Next step cut off in extraction.)
  Remarks: By default, no administrator DN is specified.
147. (Optional.) Specify the username format.
  Command: user-parameters user-name-format { with-domain | without-domain }
  Remarks: By default, the username format is without-domain.
148. (Step cut off in extraction.)
  Command: user-parameters ...
  Remarks: By default, no user object class is specified, and the default user object class on the LDAP server is used.
Specifying the LDAP authentication server
154. Enter system view.
  Command: system-view
155. Enter LDAP scheme view.
  Command: ldap scheme ldap-scheme-name
156. Specify the LDAP authentication server.
  Command: authentication-server server-name
  Remarks: By default, no LDAP authentication server is specified.
Specifying the LDAP authorization server
Step / Command / Remarks ...
Configuration prerequisites To use local authentication for users in an ISP domain, configure local user accounts on the device first. See "Configuring local user attributes." To use remote authentication, authorization, and accounting, create the required RADIUS, HWTACACS, or LDAP schemes. For more information about the scheme configuration, see "Configuring RADIUS schemes,"...
167. (Optional.) Specify the ISP domain to accommodate users who are assigned to nonexistent domains.
  Command: domain if-unknown isp-domain-name
  Remarks: By default, no ISP domain is specified to accommodate users who are assigned to nonexistent domains.
Configuring ISP domain attributes
In an ISP domain, you can configure the following attributes:
•...
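The way the NAS maps a login name to an ISP domain (the userid@isp-name format, the user-name-format keep-original/with-domain/without-domain setting for RADIUS and HWTACACS schemes, and the domain if-unknown fallback above) decides both which AAA methods apply and what identity the server sees. The following Python code is an added example for this page, not HPE code, that implements that decision for the cases the text describes. Two points are assumptions of the example rather than statements of the guide: the last "@" is treated as the separator, and with-domain appends the resolved domain when the user typed none.

```python
KEEP_ORIGINAL, WITH_DOMAIN, WITHOUT_DOMAIN = "keep-original", "with-domain", "without-domain"


def split_username(username):
    """'userid@isp-name' -> (userid, isp-name); a name without '@' carries no domain.

    Assumption for this example: the last '@' is the separator.
    """
    if "@" not in username:
        return username, None
    userid, _, domain = username.rpartition("@")
    return userid, domain or None


def resolve_domain(username, configured_domains, default_domain=None, if_unknown_domain=None):
    """Pick the ISP domain whose AAA methods apply to this user; None means the login is rejected."""
    _, domain = split_username(username)
    if domain is None:
        return default_domain        # no domain typed: the default domain, if one is configured
    if domain in configured_domains:
        return domain
    return if_unknown_domain         # nonexistent domain: the 'domain if-unknown' target, else reject


def username_for_server(username, fmt, domain):
    """Apply user-name-format before the name is sent to the RADIUS or HWTACACS server."""
    userid, _ = split_username(username)
    if fmt == KEEP_ORIGINAL:
        return username
    if fmt == WITHOUT_DOMAIN:
        return userid
    if fmt == WITH_DOMAIN:
        # Assumption: the resolved domain is appended when the user typed none.
        return "%s@%s" % (userid, domain)
    raise ValueError("unknown user-name-format %r" % (fmt,))


def aaa_decision(username, configured_domains, fmt, default_domain=None, if_unknown_domain=None):
    """(domain applied, name sent to the server), or (None, None) when the login is rejected."""
    domain = resolve_domain(username, configured_domains, default_domain, if_unknown_domain)
    if domain is None:
        return None, None
    return domain, username_for_server(username, fmt, domain)


def collision_demo():
    """With without-domain, users from different ISP domains are indistinguishable at the server."""
    names = ["alice@bbb", "alice@ccc"]
    sent = {username_for_server(n, WITHOUT_DOMAIN, resolve_domain(n, {"bbb", "ccc"})) for n in names}
    return len(sent)   # 1: both arrive as 'alice'
```

collision_demo() is the caveat worth remembering when two domains share one server: without-domain is convenient for servers that do not understand the suffix, but it folds alice@bbb and alice@ccc into a single account, so per-domain methods on the NAS no longer translate into per-domain identities on the server.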
• Maximum number of multicast groups—The attribute restricts the maximum number of multicast groups that an authenticated user can join concurrently.
• User online duration including idle cut period—If a user goes offline due to connection failure or malfunction, its online duration sent to the server includes the idle cut period or user online detection period.
Configuring authentication methods for an ISP domain Configuration prerequisites Before configuring authentication methods, complete the following tasks: Determine the access type or service type to be configured. With AAA, you can configure an authentication method for each access type and service type. Determine whether to configure the default authentication method for all access types or service types.
181. Specify the authentication method for IPoE users.
  Command: authentication ipoe { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
  Remarks: By default, the default authentication method is used for IPoE users. The none keyword is not supported in FIPS mode.
Configuration procedure
To configure authorization methods for an ISP domain:
187. Enter system view.
  Command: system-view
188. Enter ISP domain view.
  Command: domain isp-name
189. Specify default authorization methods.
  Command: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] ... }
  Remarks: By default, the authorization method is local.
197. Specify the authorization method for PPP users.
  Command: authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name ... }
  Remarks: By default, the default authorization method is used for PPP users. The none keyword is not ...
203. Specify the accounting method for IPoE users.
  Command: accounting ipoe { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name ... }
  Remarks: By default, the default accounting method is used for IPoE users. The none keyword is not ...
Configuring the session-control feature
A RADIUS server running on IMC can use session-control packets to send disconnect requests or dynamic authorization change requests to the device. This task enables the device to receive RADIUS session-control packets on UDP port 1812. You can specify the RADIUS server as a session-control client on the device so that the device verifies the session-control packets sent from that RADIUS server.
214. Enter system view.
  Command: system-view
215. Enable the RADIUS DAE server feature and enter RADIUS DAE server view.
  Command: radius dynamic-author server
  Remarks: By default, the RADIUS DAE server feature is disabled.
216. Specify a RADIUS DAE client.
  Command: client { ip ipv4-address | ipv6 ipv6-address } [ key { cipher | ... } ... ]
  Remarks: By default, no RADIUS DAE clients ...
Configuring and applying an ITA policy Intelligent Target Accounting (ITA) provides a flexible accounting solution for users who request services of different charge rates. By defining different traffic levels based on the destination addresses of users' traffic, you can use ITA to separate the traffic accounting statistics of different levels for each user.
228. (Optional.) Exclude the amount of ITA traffic from the overall traffic statistics that are sent to the accounting server.
  Command: traffic-separate enable
  Remarks: By default, the amount of ITA traffic is included in the overall traffic statistics that are sent to the accounting server.
Task: Display the configuration of ISP domains.
  Command: display domain [ isp-name ]
AAA configuration examples
Authentication and authorization for SSH users by a RADIUS server
Network requirements
As shown in Figure 12, configure the router to meet the following requirements:
•...
e. Select the access device from the device list or manually add the access device (with IP address 10.1.1.2).
f. Use the default values for other parameters and click OK.
The IP address of the access device specified here must be the same as the source IP address of the RADIUS packets sent from the router.
Figure 14 Adding an account for device management
Configure the router:
# Configure the IP address of interface GigabitEthernet 1/0/1, through which the SSH user accesses the router.
<Router> system-view
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] ip address 192.168.1.70 255.255.255.0
[Router-GigabitEthernet1/0/1] quit
# Configure the IP address of interface GigabitEthernet 1/0/2, through which the router communicates with the server.
# Create a RADIUS scheme.
[Router] radius scheme rad
# Specify the primary authentication server.
[Router-radius-rad] primary authentication 10.1.1.1 1812
# Set the shared key to expert in plaintext form for secure communication with the server.
[Router-radius-rad] key authentication simple expert
# Include domain names in the usernames sent to the RADIUS server.
# Enable the SSH service.
[Router] ssh server enable
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Router] line vty 0 63
[Router-line-vty0-63] authentication-mode scheme
[Router-line-vty0-63] quit
# Create a device management user.
[Router] local-user ssh class manage
# Assign the SSH service to the local user.
Figure 16 Network diagram (HWTACACS server 10.1.1.1/24; Router GE1/0/2 10.1.1.2/24 and GE1/0/1 192.168.1.70/24; SSH user 192.168.1.58/24, reached across the Internet)
Configuration procedure
Configure the HWTACACS server:
# Set the shared keys to expert for secure communication with the router. (Details not shown.)
# Add an account for the SSH user and specify the password. (Details not shown.)
Configure the router:
# Create an HWTACACS scheme.
[Router] role default-role enable
# Enable scheme authentication for user lines VTY 0 through VTY 63.
[Router] line vty 0 63
[Router-line-vty0-63] authentication-mode scheme
[Router-line-vty0-63] quit
# Configure the IP address of interface GigabitEthernet 1/0/1, through which the SSH user accesses the router.
NOTE: In this example, the LDAP server runs Microsoft Windows 2003 Server Active Directory.
# Add a user named aaa and set the password to ldap!123456.
a. On the LDAP server, select Start > Control Panel > Administrative Tools.
b. Double-click Active Directory Users and Computers. The Active Directory Users and Computers window is displayed.
Figure 19 Setting the user's password
a. Click OK.
# Add user aaa to group Users.
b. From the navigation tree, click Users under the ldap.com node.
c. In the right pane, right-click user aaa and select Properties.
d. In the dialog box, click the Member Of tab and click Add.
Figure 20 Modifying user properties
a. In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK. User aaa is added to group Users.
Figure 21 Adding user aaa to group Users
# Set the administrator password to admin!123456.
# Configure the IP address of interface GigabitEthernet 1/0/1, through which the SSH user accesses the router.
<Router> system-view
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] ip address 192.168.1.20 24
[Router-GigabitEthernet1/0/1] quit
# Configure the IP address of interface GigabitEthernet 1/0/2, through which the router communicates with the server.
Verifying the configuration
# Initiate an SSH connection to the router, and enter username aaa@bbb and password ldap!123456. The user logs in to the router. (Details not shown.)
# Verify that the user can use the commands permitted by the network-operator user role. (Details not shown.)
AAA for PPP users by an HWTACACS server
Network requirements...
[RouterA-hwtacacs-hwtac] user-name-format without-domain
[RouterA-hwtacacs-hwtac] quit
# Create an ISP domain named bbb and configure the domain to use the HWTACACS scheme for authentication, authorization, and accounting for PPP users.
[RouterA] domain bbb
[RouterA-isp-bbb] authentication ppp hwtacacs-scheme hwtac
[RouterA-isp-bbb] authorization ppp hwtacacs-scheme hwtac
[RouterA-isp-bbb] accounting ppp hwtacacs-scheme hwtac
[RouterA-isp-bbb] quit
# Enable PPP encapsulation on Serial 2/1/0.
Figure 23 Network diagram (RADIUS server1 4.4.4.1/24; RADIUS server2 5.5.5.1/24; Router GE1/0/1 2.2.2.1/24; Host 2.2.2.2/24; FTP server 1.1.1.1/24)
Configuration procedure
Configure RADIUS server 1 and RADIUS server 2: This example uses FreeRADIUS servers.
# Configure the clients.conf file.
client 4.4.4.2/32 {
ipaddr = 4.4.4.2
netmask=32
secret=radius...
[Router-radius-rs1] user-name-format without-domain
[Router-radius-rs1] quit
c. Configure a RADIUS scheme for the ITA service:
# Create a RADIUS scheme named rs2 and enter RADIUS scheme view.
[Router] radius scheme rs2
# Specify the primary accounting server at 5.5.5.1.
[Router-radius-rs2] primary accounting 5.5.5.1
# Set the accounting shared key to radius in plaintext form for secure communication between the router and RADIUS server 2.
[Router-ita-policy-ita] accounting-method radius-scheme rs2
# Specify level-1 traffic for ITA accounting and count the traffic as IPv4 traffic.
[Router-ita-policy-ita] accounting-level 1 ipv4
# Exclude the amount of ITA traffic from the overall traffic statistics that are sent to RADIUS server 1.
[Router-ita-policy-ita] traffic-separate enable
# Prohibit users from accessing the authorized IP subnets after their ITA data quotas are used up.
Local guest configuration and management example
Network requirements
As shown in Figure 24, create a local guest named user1 for Jack. Configure local guest attributes and manage the local guest on the router as follows:
• Configure attributes for the local guest, including the password, user group, validity period, and sponsor information.
[Router-ugroup-guest1] quit
# Create a local guest named user1 and enter local guest view.
[Router] local-user user1 class network guest
# Set the guest password to 123456 in plain text.
[Router-luser-network(guest)-user1] password simple 123456
# Assign the guest to user group guest1.
[Router-luser-network(guest)-user1] group guest1
# Specify the name of the local guest.
Sponsor full name:
Sponsor department: security
Sponsor email: Sam@aa.com
Period of validity:
Start date and time: 2015/04/01-08:00:00
Expiration date and time: 2015/04/03-18:00:00
# Verify that Jack can use username user1 and password 123456 to pass local authentication and come online during the validity period. (Details not shown.)
Troubleshooting RADIUS
RADIUS authentication failure
Symptom...
• The RADIUS server's authentication and accounting port numbers are being used by other applications.
Solution
To resolve the problem:
Verify the following items:
The link between the NAS and the RADIUS server works well at both the physical and data ...
• The username is not in the userid@isp-name format, or the ISP domain is not correctly configured on the NAS.
• The user is not configured on the LDAP server.
• The password entered by the user is incorrect.
• The administrator DN or password is not configured.
The port controls traffic by using one of the following methods:
− Performs bidirectional traffic control to deny traffic to and from the client.
− Performs unidirectional traffic control to deny traffic from the client.
The HPE devices support only unidirectional traffic control.
Figure 26 Authorization state of a controlled port (Authenticator system 1 and Authenticator system 2, each with a controlled port and an uncontrolled port; the controlled port is shown authorized in one system and unauthorized in the other)
802.1X-related protocols
802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the access device, and the authentication server.
• Data—Content of the EAP packet. This field appears only in a Request or Response EAP packet. The Data field contains the request type (or the response type) and the type data. Type 1 (Identity) and type 4 (MD5-Challenge) are two examples for the type field.
EAPOL packet format
Figure 28 shows the EAPOL packet format.
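The EAPOL and EAP packet layouts described above, as an added example that is not code from this guide or from HPE: it parses both headers, keeps the Type field only for Request/Response packets, and checks a type 4 (MD5-Challenge) Response the way the authentication server does. The frames, the challenge, and the username/password (localuser/localpass, reused from the local-user example later on this page) are constructed.

```python
"""EAPOL and EAP frame parsing plus MD5-Challenge verification (added example)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# EAPOL packet types (IEEE 802.1X)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
# EAP codes (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
# The two EAP types the page names
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 01-80-C2-00-00-03, EAPOL-Start destination


@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int]  # present only in Request/Response
    type_data: bytes         # empty for Success/Failure


def parse_eapol(pdu: bytes) -> Tuple[int, int, bytes]:
    """Return (version, type, body). The Length field must fit inside the PDU."""
    if len(pdu) < 4:
        raise ValueError("EAPOL header too short")
    version, ptype, length = struct.unpack("!BBH", pdu[:4])
    body = pdu[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL Length exceeds PDU")
    return version, ptype, body


def parse_eap(body: bytes) -> EapPacket:
    """Parse Code, Identifier, Length, then Type + type data for Request/Response only."""
    if len(body) < 4:
        raise ValueError("EAP header too short")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("bad EAP Length")
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response without Type field")
        return EapPacket(code, ident, body[4], body[5:length])
    return EapPacket(code, ident, None, b"")


def md5_challenge_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """MD5(Identifier || password || challenge), RFC 3748 section 5.4."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def verify_md5_challenge(request: EapPacket, response: EapPacket, password: bytes) -> bool:
    """Server-side check of a Response against the Request it answers."""
    if request.eap_type != EAP_TYPE_MD5_CHALLENGE or response.eap_type != EAP_TYPE_MD5_CHALLENGE:
        return False
    if request.identifier != response.identifier or not request.type_data or not response.type_data:
        return False
    req_size, resp_size = request.type_data[0], response.type_data[0]  # Value-Size octets
    challenge = request.type_data[1:1 + req_size]
    value = response.type_data[1:1 + resp_size]
    if len(challenge) != req_size or resp_size != 16 or len(value) != 16:
        return False
    expected = md5_challenge_value(response.identifier, password, challenge)
    return hmac.compare_digest(expected, value)


def build_eap(code: int, ident: int, eap_type: Optional[int] = None, type_data: bytes = b"") -> bytes:
    payload = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def build_eapol(ptype: int, body: bytes = b"") -> bytes:
    return struct.pack("!BBH", 1, ptype, len(body)) + body


CHALLENGE = bytes(range(16))  # constructed; a real server picks it at random
PASSWORD = b"localpass"       # constructed, matches the page's local-user example


def demo_exchange() -> Tuple[bytes, bytes, bytes, bytes, bytes]:
    """Constructed EAPOL-Start, Identity pair and MD5-Challenge pair for user localuser."""
    start = build_eapol(EAPOL_START)
    id_req = build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
    id_resp = build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"localuser"))
    md5_req = build_eapol(EAPOL_EAP_PACKET,
                          build_eap(EAP_REQUEST, 2, EAP_TYPE_MD5_CHALLENGE, bytes([16]) + CHALLENGE))
    value = md5_challenge_value(2, PASSWORD, CHALLENGE)
    md5_resp = build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_RESPONSE, 2, EAP_TYPE_MD5_CHALLENGE,
                                                       bytes([16]) + value + b"localuser"))
    return start, id_req, id_resp, md5_req, md5_resp
```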
01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client and the authentication server does not support the multicast address, you must use an 802.1X client that can send broadcast EAPOL-Start packets. For example, you can use the HPE iNode 802.1X client.
Access device as the initiator
The access device initiates authentication if a client cannot send EAPOL-Start packets. One example is the 802.1X client available with Windows XP. The access device supports the following modes:
• Multicast trigger mode—The access device multicasts EAP-Request/Identity packets to initiate 802.1X authentication at the identity request interval.
EAP termination that supports PAP or CHAP The username and password authentication. EAP authentication initiated by an HPE iNode 802.1X client. • The processing is complex on the access device.
EAP relay
Figure 33 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that...
10. Upon receiving the RADIUS Access-Accept packet, the access device performs the following operations:
a. Sends an EAP-Success packet to the client.
b. Sets the controlled port in authorized state. The client can access the network.
11. After the client comes online, the access device periodically sends handshake requests to check whether the client is still online.
Configuring 802.1X
This chapter describes how to configure 802.1X on an HPE device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network (a WLAN, for example) that requires different authentication methods for different users on a port.
The suffix can be t or u, which indicates whether the ports assigned to the VLAN are tagged members or not. For example, 2u indicates that the ports assigned to VLAN 2 are untagged members.
NOTE: The access device converts VLAN names and VLAN group names into VLAN IDs before VLAN assignment.
Table 6 VLAN manipulation
Port access control: Port-based
VLAN manipulation method: The device assigns the port to the first authenticated user's authorization VLAN. All subsequent 802.1X users can access the VLAN without authentication. If the port is assigned to the authorization VLAN as an untagged member, the authorization VLAN becomes the PVID.
Authentication status / VLAN manipulation:
• The device assigns the authorization VLAN of the user to the port as the PVID, and it removes the port from the 802.1X guest VLAN. After the user logs off, the initial PVID of the port is restored.
•...
The critical VLAN feature takes effect when 802.1X authentication is performed only through RADIUS servers. If an 802.1X user fails local authentication after RADIUS authentication, the user is not assigned to the critical VLAN. For more information about the authentication methods, see "Configuring AAA."...
Using 802.1X authentication with other features
ACL assignment
The following matrix shows the feature and hardware compatibility (hardware / ACL assignment compatibility):
MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A)
MSR958 (JH300A/JH301A)
MSR2003
MSR2004-24/2004-48
MSR3012/3024/3044/3064
MSR4060/4080
MSR1002-4/1003-8S
You can specify an ACL for an 802.1X user to control the user's access to network resources. After the user passes 802.1X authentication, the authentication server assigns the ACL to the access port to filter traffic from this user.
The EAD assistant feature enables the access device to redirect a user who is seeking to access the network to download and install an EAD client. This feature eliminates the administrative task to deploy EAD clients. EAD assistant is implemented by the following functionality: •...
If the user attempts to use another 802.1X client for authentication, it will fail SmartOn authentication. The access device stops 802.1X authentication for the user.
NOTE: After you install the SmartOn client software, add two values QX_ID and QX_PASSWORD to the Windows registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Soliton Systems K.K.\SmartOn Client\Clients\1XGate].
802.1X configuration task list
Tasks at a glance
(Required.) Enabling 802.1X
(Required.) Enabling EAP relay or EAP termination
(Optional.) Setting the port authorization state
(Optional.) Specifying an access control method
(Optional.) Setting the maximum number of concurrent 802.1X users on a port
(Optional.) Setting the maximum number of authentication request attempts
(Optional.)
CHAP authentication on the access device.
• The client is an HPE iNode 802.1X client and initiates only the username and password EAP authentication.
If EAP termination is used, you can enable either PAP or CHAP authentication on the access device. However, if the password is required to be transmitted in cipher text, you must use CHAP authentication on the access device.
244. Set the port authorization state.
    Command: dot1x port-control { authorized-force | auto | unauthorized-force }
    Remarks: By default, auto state applies.
Specifying an access control method
You can specify the port-based or MAC-based access control method for 802.1X authentication. The MAC-based access control method is supported only on the following ports:
•...
Setting the maximum number of authentication request attempts The access device retransmits an authentication request if it does not receive any responses to the request from the client within a period of time. To set the time, use the dot1x timer tx-period tx-period-value command or the dot1x timer supp-timeout supp-timeout-value command.
Typically, the device does not reply to 802.1X clients' EAP-Response/Identity packets with EAP-Success packets. Some 802.1X clients will go offline if they do not receive the EAP-Success packets for handshake. To avoid this problem, enable the online user handshake reply feature. If iNode clients are deployed, you can also enable the online user handshake security feature to check authentication information in the handshake packets from clients.
This feature provides the multicast trigger and unicast trigger (see 802.1X authentication initiation in "802.1X overview").
Configuration guidelines
When you configure the authentication trigger feature, follow these guidelines:
• Enable the multicast trigger on a port when the clients attached to the port cannot send EAPOL-Start packets to initiate 802.1X authentication.
Setting the quiet timer The quiet timer enables the access device to wait a period of time before it can process any authentication request from a client that has failed an 802.1X authentication. You can edit the quiet timer, depending on the network conditions. •...
276. (Optional.) Enable the keep-online feature for 802.1X users.
    Command: dot1x re-authenticate server-unreachable keep-online
    Remarks: By default, this feature is disabled. The device logs off online 802.1X users if no authentication server is reachable for 802.1X reauthentication.
Configuring an 802.1X guest VLAN
Configuration guidelines
When you configure an 802.1X guest VLAN, follow these guidelines:
•...
280. Enter system view.
    Command: system-view
281. Enter Ethernet interface view.
    Command: interface interface-type interface-number
282. Configure the 802.1X Auth-Fail VLAN on the port.
    Command: dot1x auth-fail vlan authfail-vlan-id
    Remarks: By default, no 802.1X Auth-Fail VLAN exists.
Configuring an 802.1X critical VLAN
Configuration guidelines
When you configure an 802.1X critical VLAN, follow these restrictions and guidelines:
•...
286. Enter system view.
    Command: system-view
287. Specify a set of domain name delimiters for 802.1X users.
    Command: dot1x domain-delimiter string
    Remarks: By default, only the at sign (@) delimiter is supported.
NOTE: If you configure the access device to send usernames with domain names to the RADIUS server, make sure the domain delimiter can be recognized by the RADIUS server.
When the device sends a unicast EAP-Request/Notification packet to the client, it starts the SmartOn client timeout timer (set by using the dot1x smarton timer supp-timeout command).
• If the device does not receive any EAP-Response/Notification packets from the client within the timeout timer, it retransmits the EAP-Request/Notification packet to the client.
192.168.1.2/24
Configuration procedure
Configure the 802.1X client. If HPE iNode is used, do not select the Carry version info option in the client configuration. (Details not shown.)
Configure the RADIUS servers and add user accounts for the 802.1X users. (Details not shown.)
# Add a local network access user with username localuser and password localpass in plaintext. (Make sure the username and password are the same as those configured on the RADIUS servers.)
<Device> system-view
[Device] local-user localuser class network
[Device-luser-network-localuser] password simple localpass
# Set the service type to lan-access.
[Device-GigabitEthernet1/0/1] quit
# Enable 802.1X globally.
[Device] dot1x
Verifying the configuration
# Verify the 802.1X configuration on GigabitEthernet 1/0/1.
[Device] display dot1x interface gigabitethernet 1/0/1
# Display the user connection information after an 802.1X user passes authentication.
[Device] display dot1x connection
802.1X guest VLAN and authorization VLAN configuration example
Network requirements...
Configuration procedure Configure the 802.1X client. Make sure the 802.1X client can update its IP address after the access port is assigned to the guest VLAN or an authorization VLAN. (Details not shown.) Configure the RADIUS server to provide authentication, authorization, and accounting services. Configure user accounts and authorization VLAN (VLAN 5 in this example) for the users.
# Enable 802.1X on GigabitEthernet 1/0/2.
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] dot1x
# Implement port-based access control on the port.
[Device-GigabitEthernet1/0/2] dot1x port-method portbased
# Set the port authorization mode to auto. By default, the port uses the auto mode.
[Device-GigabitEthernet1/0/2] dot1x port-control auto
# Specify VLAN 10 as the 802.1X guest VLAN on GigabitEthernet 1/0/2.
Configuration procedure Configure the 802.1X client. Make sure the client is able to update its IP address after the access port is assigned to the 802.1X guest VLAN or an authorization VLAN. (Details not shown.) Configure the RADIUS servers to provide authentication, authorization, and accounting services.
# Enable 802.1X globally.
[Device] dot1x
Verifying the configuration
# Use the user account to pass authentication. (Details not shown.)
# Verify that the user cannot ping the FTP server at any time from 8:00 to 18:00 on any weekday.
C:\>ping 10.0.0.1
Pinging 10.0.0.1 with 32 bytes of data:
Request timed out.
Figure 39 Network diagram (labels as extracted: Internet; Free IP: WEB server 192.168.2.3/24; Device GE1/0/3 192.168.1.0/24, GE1/0/1 192.168.2.1/24, 192.168.2.0/24, Vlan-int 2 192.168.1.1/24, GE1/0/2 10.1.1.10/24; DHCP server 192.168.2.2/24; Authentication servers 10.1.1.1/10.1.1.2)
Configuration procedure
Make sure the DHCP server, the Web server, and the authentication servers have been configured correctly.
# Exclude the ISP domain names from the usernames sent to the RADIUS server.
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
Configure an ISP domain:
# Create an ISP domain named bbb and enter ISP domain view.
[Device] domain bbb
# Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and accounting.
802.1X with EAD assistant configuration example (with DHCP server)
Network requirements
As shown in Figure
• The intranet 192.168.1.0/24 is attached to GigabitEthernet 1/0/1 of the access device.
• The hosts use DHCP to obtain IP addresses.
• A Web server is deployed on the 192.168.2.0/24 subnet for users to download client software.
Deploy an EAD solution for the intranet to meet the following requirements:
•...
[Device] dhcp server ip-pool 0
# Specify subnet 192.168.1.0/24 in DHCP address pool 0.
[Device-dhcp-pool-0] network 192.168.1.0 mask 255.255.255.0
# Specify the gateway address 192.168.1.1 in DHCP address pool 0.
[Device-dhcp-pool-0] gateway-list 192.168.1.1
[Device-dhcp-pool-0] quit
Configure a RADIUS scheme:
# Create RADIUS scheme 2000 and enter RADIUS scheme view.
[Device] radius scheme 2000
# Specify the server at 10.11.1.1 as the primary authentication server, and set the authentication port to 1812.
Verifying the configuration
# Verify the 802.1X configuration.
[Device] display dot1x
# Verify that you can ping an IP address on the free IP subnet from a host.
C:\>ping 192.168.2.3
Pinging 192.168.2.3 with 32 bytes of data:
Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
Reply from 192.168.2.3: bytes=32 time<1ms TTL=128...
# Specify the server at 10.11.1.1 as the primary authentication server, and set the authentication port to 1812.
[Device-radius-2000] primary authentication 10.11.1.1 1812
# Specify the server at 10.11.1.2 as the primary accounting server, and set the accounting port to 1813.
[Device-radius-2000] primary accounting 10.11.1.2 1813
# Set the shared key to abc in plain text for secure communication between the authentication server and the device.
Analysis Redirection will not happen for one of the following reasons: • The address is in the string format. The operating system of the host regards the string as a website name and tries to resolve the string. If the resolution fails, the operating system sends an ARP request, but the target address is not in the dotted decimal notation.
Configuring MAC authentication The term "AP" in this document refers to MSR routers that support WLAN. Overview MAC authentication controls network access by authenticating source MAC addresses on a port. The feature does not require client software, and users do not have to enter a username and password for network access.
VLAN assignment
The device uses the authorization VLAN to control the access of a MAC authentication user to authorized network resources. The device supports the following VLAN authorization methods:
• Remote VLAN authorization—The authorization VLAN information of a MAC authentication user is assigned by a remote server.
To ensure a successful ACL assignment, make sure the ACL does not contain rules that match source MAC addresses. To change the access control criteria for the user, you can use one of the following methods:
• Modify ACL rules on the access device.
•...
• MSR2003.
• MSR2004-24/2004-48.
• MSR3012/3024/3044/3064.
• MSR1002-4/1003-8S.
Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers.
Configuration prerequisites
Before you configure MAC authentication, complete the following tasks:
Configure an ISP domain and specify an AAA method. For more information, see "Configuring AAA."...
301. Enter system view.
    Command: system-view
302. Enable MAC authentication globally.
    Command: mac-authentication
    Remarks: By default, MAC authentication is disabled globally.
303. Enter interface view.
    Command: interface interface-type interface-number
304. Enable MAC authentication on the port.
    Command: mac-authentication
    Remarks: By default, MAC authentication is disabled on a port.
308. Configure the username and password for MAC authentication.
    Command: • MAC-based user account for each user: mac-authentication user-name-format mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ]
    Remarks: By default, the device uses the MAC address of a user as the username and password for MAC authentication.
313. Set the maximum number of concurrent MAC authentication users on the port.
    Command: mac-authentication max-user max-number
    Remarks: The default setting is 4294967295.
Configuring MAC authentication delay
When both 802.1X authentication and MAC authentication are enabled on a port, you can delay MAC authentication so that 802.1X authentication is preferentially triggered.
319. Enable MAC authentication multi-VLAN mode.
    Command: mac-authentication host-mode multi-vlan
    Remarks: By default, this feature is disabled on a port. When the port receives a packet sourced from an authenticated user in a VLAN not matching the existing MAC-VLAN mapping, the device logs off and reauthenticates the user.
323. Enter system view.
    Command: system-view
324. Enter Ethernet interface view.
    Command: interface interface-type interface-number
325. Include user IP addresses in MAC authentication requests.
    Command: mac-authentication carry user-ip
    Remarks: By default, a MAC authentication request does not include the user IP address.
Displaying and maintaining MAC authentication
Execute display commands in any view and reset commands in user view.
Figure 42 Network diagram (Host A, MAC 00-e0-fc-12-34-56, and Host B, MAC 00-e0-fc-11-11-11, connect to GE1/0/1 of Device; Device connects to the IP network)
Configuration procedure
# Add a network access local user. In this example, configure both the username and password as Host A's MAC address 00-e0-fc-12-34-56.
<Device>...
Server timeout : 100 s
Authentication domain : bbb
Online MAC-auth wired users : 1
Silent MAC users:
MAC address VLAN ID From port Port index
00e0-fc11-1111 Gigabitethernet1/0/1
Gigabitethernet1/0/1 is link-up
MAC authentication : Enabled
Carry User-IP : Disabled
Authentication domain : Not configured
Auth-delay timer : Disabled...
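How the device derives a MAC-based user account (the mac-authentication user-name-format mac-address options above) and why Host A passes while Host B becomes a silent MAC user, as an added example that is not HPE's code: it accepts the two MAC notations this chapter uses (00-e0-fc-12-34-56 in commands, 00e0-fc11-1111 in display output), builds the username in each documented format, and checks the result against a constructed local account table.

```python
"""MAC-based user account names for MAC authentication (added example, not HPE code)."""
import re
from typing import Dict

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 00-e0-fc-12-34-56, 00:e0:fc:12:34:56, 00e0-fc12-3456 or 00e0fc123456
    in any case and return 12 lowercase hex digits; reject anything else."""
    digits = re.sub(r"[-:.]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def mac_auth_username(mac: str, with_hyphen: bool = True, uppercase: bool = False) -> str:
    """Account name the device uses for this client. The defaults give the hyphenated
    lowercase form the page's local-user example configures (00-e0-fc-12-34-56)."""
    digits = normalize_mac(mac)
    name = "-".join(digits[i:i + 2] for i in range(0, 12, 2)) if with_hyphen else digits
    return name.upper() if uppercase else name


def display_mac(mac: str) -> str:
    """Format a MAC the way display mac-authentication prints it (00e0-fc12-3456)."""
    digits = normalize_mac(mac)
    return f"{digits[0:4]}-{digits[4:8]}-{digits[8:12]}"


# Constructed local account table (username -> password), both set to Host A's MAC
# as in the page's local MAC authentication example.
LOCAL_USERS: Dict[str, str] = {"00-e0-fc-12-34-56": "00-e0-fc-12-34-56"}


def local_mac_auth(local_users: Dict[str, str], client_mac: str,
                   with_hyphen: bool = True, uppercase: bool = False) -> bool:
    """Local authentication decision for a MAC-based user account: the derived
    username must exist and the derived password (the same string) must match.
    A client that fails, such as Host B, is what the display output lists as a
    silent MAC user."""
    name = mac_auth_username(client_mac, with_hyphen, uppercase)
    return local_users.get(name) == name
```

The format options must match on both sides: with the account stored hyphenated, a device configured for without-hyphen would reject Host A too.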
Configuration procedure
Make sure the RADIUS server and the access device can reach each other. (Details not shown.)
Configure the RADIUS servers:
# Create a shared account for MAC authentication users. (Details not shown.)
# Set username aaa and password 123456 for the account. (Details not shown.)
Configure RADIUS-based MAC authentication on the device:
# Configure a RADIUS scheme.
Online MAC-auth wired users : 1
Silent MAC users:
MAC address VLAN ID From port Port index
GigabitEthernet1/0/1 is link-up
MAC authentication : Enabled
Carry User-IP : Disabled
Authentication domain : Not configured
Auth-delay timer : Disabled
Re-auth server-unreachable : Logoff
Host mode : Single VLAN
Max online users...
# Configure a RADIUS scheme.
[Device] radius scheme 2000
[Device-radius-2000] primary authentication 10.1.1.1 1812
[Device-radius-2000] primary accounting 10.1.1.2 1813
[Device-radius-2000] key authentication simple abc
[Device-radius-2000] key accounting simple abc
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
# Apply the RADIUS scheme to an ISP domain for authentication, authorization, and accounting.
Carry User-IP : Disabled
Authentication domain : Not configured
Auth-delay timer : Disabled
Re-auth server-unreachable : Logoff
Host mode : Single VLAN
Max online users : 4294967295
Authentication attempts : successful 1, failed 0
Current online users
MAC address Auth state
00e0-fc12-3456 Authenticated
# Verify that you cannot ping the FTP server from the host.
Users can access more network resources after passing security check. Security check must cooperate with the HPE IMC security policy server and the iNode client. Portal system components A typical portal system consists of these basic components: authentication client, access device,...
Figure 45 Portal system components (authentication clients, access device, portal authentication server, portal Web server, AAA server, security policy server)
An authentication client is a Web browser that runs HTTP/HTTPS or a user host that runs a portal client application.
Web browser. When receiving the HTTP or HTTPS request, the access device redirects it to the Web authentication page provided by the portal Web server. The user can also visit the authentication website to log in. The user must log in through the HPE iNode client for extended portal functions.
The whole authentication process is finished.
NOTE: Portal authentication supports NAT traversal whether it is initiated by a Web client or an HPE iNode client. NAT traversal must be configured when the portal client is on a private network and the portal server is on a public network.
NOTE:
• To use portal authentication that supports EAP, the portal authentication server and client must be the HPE IMC portal server and the HPE iNode portal client.
• Local portal authentication does not support EAP authentication.
Portal authentication process
Direct authentication and cross-subnet authentication share the same authentication process.
A portal user accesses the Internet through HTTP, and the HTTP packet arrives at the access device. If the packet matches a portal-free rule, the access device allows the packet to pass. If the packet does not match any portal-free rule, the access device redirects the packet to ...
Re-DHCP authentication process (with CHAP/PAP authentication)
Figure 49 Re-DHCP authentication process (participants: authentication client, access device, portal authentication server, portal Web server, AAA server, security policy server; steps: 1) Initiate a connection, 2) User information, 3) CHAP authentication, 4) Authentication request, 5) RADIUS authentication (timer), 6) Authentication reply...)
Based on the configuration and authentication status of portal users, the device generates the following categories of portal packet filtering rules:
• First category—The rule permits user packets that are destined for the portal Web server and packets that match the portal-free rules to pass through.
•...
MAC-based quick portal authentication modes include local authentication and remote authentication. The authentication is implemented as follows: When a user accesses the network, the access device generates a MAC-trigger entry that records the user's MAC address and access interface. The user can access the network without performing portal authentication if the user's network traffic is below the free-traffic threshold.
• MSR2004-24/2004-48.
• MSR3012/3024/3044/3064.
• MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A).
• MSR958 (JH300A/JH301A).
Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers.
Portal configuration task list
Tasks at a glance
(Optional.) Configuring a portal authentication server
(Required.) Configuring a portal Web server
(Required.) Enabling portal authentication
(Required.)
Tasks at a glance
(Optional.) Enabling ARP or ND entry conversion for portal clients
(Optional.) Configuring HTTPS redirect
(Optional.) Configuring MAC-based quick portal authentication
(Required.) Configuring NAS-Port-Type
(Optional.) Configuring portal safe-redirect
(Optional.) Setting the interval at which an AP reports traffic statistics to the AC
(Optional.) Excluding an attribute from portal protocol packets
(Optional.)
Do not delete a portal authentication server in use. Otherwise, users authenticated by that server cannot log out normally.
To configure a portal authentication server:
326. Enter system view.
    Command: system-view
327. Create a portal authentication server.
    Command: portal server server-name
    Remarks: By default, no portal authentication servers exist.
are configured for a portal Web server, the if-match command takes priority to perform URL redirection. The device does not detect the reachability of the redirection URL configured by the if-match command. If the if-match command rather than the url command is configured to redirect HTTP requests to portal Web servers, the device does not trigger the following features: The fail-permit feature for the portal Web servers.
• If the packet matches a locally configured portal authentication server, the device regards the packet as valid and sends an authentication response packet to the portal authentication server.
After a user logs in to the device, the user interacts with the portal authentication server as needed.
342. Enter system view.
    Command: system-view
343. Enter service template view.
    Command: wlan service-template service-template-name
344. Enable IPv4 direct portal authentication.
    Command: portal enable method direct
    Remarks: By default, IPv4 direct portal authentication is disabled.
Specifying a portal Web server
With a portal Web server specified on an interface, the device redirects the HTTP or HTTPS requests of portal users on the interface to the portal Web server.
Controlling portal user access Configuring a portal-free rule A portal-free rule allows specified users to access specified external websites without portal authentication. The matching items for a portal-free rule include the host name, source/destination IP address, TCP/UDP port number, source MAC address, access interface, and VLAN. Packets matching a portal-free rule will not trigger portal authentication, so users sending the packets can directly access the specified external websites.
356. Enter system view.
    Command: system-view
357. Configure a destination-based portal-free rule.
    Command: portal free-rule rule-number destination host-name
    Remarks: By default, no destination-based portal-free rule exists.
Configuring an authentication source subnet
By configuring authentication source subnets, you specify that only HTTP packets from users on the authentication source subnets can trigger portal authentication.
Configuring an authentication destination subnet
By configuring authentication destination subnets, you specify that users trigger portal authentication only when they access the specified subnets (excluding the destination IP addresses and subnets specified in portal-free rules). Users can access other subnets without portal authentication. If both authentication source subnets and destination subnets are configured on an interface, only the authentication destination subnets take effect.
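The decision the access device makes for an HTTP packet on a portal-enabled interface, combining the portal-free rule matching items, the first-category filtering rule (packets to the portal Web server pass), and the source/destination subnet precedence described in this chapter, as an added example that is not HPE's implementation. The exact match semantics per field (CIDR prefixes, optional port, exact MAC/interface/VLAN), the outcome for packets from outside a source subnet (the page only says they do not trigger authentication), and every address below are this example's assumptions.

```python
"""Portal trigger decision for an HTTP packet (added example, not HPE code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class FreeRule:
    """Matching items of a portal-free rule; None means the item is not restricted."""
    number: int
    src: Optional[str] = None        # source IP prefix, e.g. "192.168.1.0/24"
    dst: Optional[str] = None        # destination IP prefix
    dst_port: Optional[int] = None   # TCP/UDP destination port
    src_mac: Optional[str] = None    # source MAC, lowercase hyphenated
    interface: Optional[str] = None  # access interface name
    vlan: Optional[int] = None


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    src_mac: str
    interface: str
    vlan: int


@dataclass
class PortalInterface:
    portal_web_server_ip: str
    free_rules: List[FreeRule]
    auth_src_subnets: List[str] = field(default_factory=list)
    auth_dst_subnets: List[str] = field(default_factory=list)
    online_users: Set[str] = field(default_factory=set)  # source IPs that passed portal auth


def _in_prefix(addr: str, prefix: Optional[str]) -> bool:
    return prefix is None or ip_address(addr) in ip_network(prefix, strict=False)


def _in_any(addr: str, prefixes: List[str]) -> bool:
    return any(_in_prefix(addr, p) for p in prefixes)


def rule_matches(rule: FreeRule, pkt: Packet) -> bool:
    """Every item the rule specifies must match the packet."""
    return (_in_prefix(pkt.src_ip, rule.src)
            and _in_prefix(pkt.dst_ip, rule.dst)
            and rule.dst_port in (None, pkt.dst_port)
            and rule.src_mac in (None, pkt.src_mac.lower())
            and rule.interface in (None, pkt.interface)
            and rule.vlan in (None, pkt.vlan))


def decide(cfg: PortalInterface, pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason); action is 'permit', 'redirect' or 'no-trigger'."""
    for rule in cfg.free_rules:
        if rule_matches(rule, pkt):
            return "permit", f"matches portal-free rule {rule.number}"
    if pkt.dst_ip == cfg.portal_web_server_ip:
        return "permit", "destined for the portal Web server"
    if pkt.src_ip in cfg.online_users:
        return "permit", "user already passed portal authentication"
    if cfg.auth_dst_subnets:  # destination subnets take precedence over source subnets
        if not _in_any(pkt.dst_ip, cfg.auth_dst_subnets):
            return "permit", "destination outside the authentication destination subnets"
    elif cfg.auth_src_subnets:
        if not _in_any(pkt.src_ip, cfg.auth_src_subnets):
            return "no-trigger", "source outside the authentication source subnets"
    return "redirect", "HTTP request redirected to the portal Web server"


def example_config() -> PortalInterface:
    """Constructed configuration: free access to a client-download Web server and to DNS,
    portal authentication required for the 10.0.0.0/8 and 192.168.2.0/24 server subnets."""
    return PortalInterface(
        portal_web_server_ip="10.1.1.1",
        free_rules=[FreeRule(1, dst="192.168.2.3/32"),
                    FreeRule(2, dst="192.168.2.2/32", dst_port=53)],
        auth_dst_subnets=["10.0.0.0/8", "192.168.2.0/24"],
    )
```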
370. Enter system view.
    Command: system-view
371. Set the maximum number of total portal users.
    Command: portal max-user max-number
    Remarks: By default, no limit is set on the number of portal users in the system.
To set the maximum number of portal users on an interface:
Step Command Remarks...
To specify an IPv4 portal authentication domain on a service template:
381. Enter system view.
    Command: system-view
382. Enter service template view.
    Command: wlan service-template service-template-name
383. Specify the IPv4 portal authentication domain.
    Command: portal domain domain-name
    Remarks: By default, no ISP domain is specified for IPv4 portal users on the service template.
387. Enter system view.
    Command: system-view
388. Enter interface view.
    Command: interface interface-type interface-number
389. Specify a preauthentication domain.
    Command: portal [ ipv6 ] pre-auth domain domain-name
    Remarks: By default, no preauthentication domain is specified on an interface.
Specifying a preauthentication IP address pool for portal users
You must specify a preauthentication IP address pool on a portal-enabled interface in the following situation:
Step Command Remarks
392. Specify a preauthentication IP address pool for portal users. Command: portal [ ipv6 ] pre-auth ip-pool pool-name. Remarks: By default, no preauthentication IP address pool is specified on an interface.

Enabling strict-checking on portal authorization information
The strict checking mode allows a portal user to stay online only when the authorized information for the user is successfully deployed on the interface or service template.
Enabling portal authentication only for DHCP users IMPORTANT: IPv6 wireless users use IPv6 temporary addresses to access the IPv6 network even though they have been assigned DHCPv6 addresses. To prevent such IPv6 users from failing authentication when the user-dhcp-only feature is enabled, make sure the IPv6 temporary address feature is disabled on the terminal devices.
• Packets whose destination IP addresses are IP addresses of authenticated portal users.
• Packets that match portal-free rules.
Other outgoing packets on the interface are dropped.

To enable outgoing packet filtering on a portal-enabled interface:
Step Command Remarks
405. Enter system view. Command: system-view
interface interface-type...
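The trigger rules in "Configuring an authentication source subnet" and "Configuring an authentication destination subnet" and the outgoing-packet filter described just above are easy to get wrong when both subnet types are configured. The following Python model is an added example written for this page, not device code from HPE or H3C. It models only destination-based portal-free rules, takes subnets as CIDR strings, and the interface and addresses are constructed for illustration; the page does not describe what happens to non-HTTP traffic from unauthenticated users, so the model only answers whether a redirect is triggered.

```python
"""Model of the portal trigger rules and outgoing-packet filtering (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class PortalInterface:
    free_dest_nets: List[str]        # destination-based portal-free rules (CIDR strings)
    auth_source_nets: List[str]      # authentication source subnets (CIDR strings)
    auth_dest_nets: List[str]        # authentication destination subnets (CIDR strings)
    authenticated: Set[str] = field(default_factory=set)   # IPs of users already online


def _in_any(ip: str, cidrs: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def triggers_portal(intf: PortalInterface, src_ip: str, dst_ip: str,
                    is_http: bool = True) -> bool:
    """Does this inbound packet get redirected to the portal Web server?"""
    if src_ip in intf.authenticated or not is_http:
        return False                   # only HTTP from unauthenticated users can trigger
    if _in_any(dst_ip, intf.free_dest_nets):
        return False                   # portal-free destinations are excluded first
    if intf.auth_dest_nets:            # destination subnets win when both kinds exist
        return _in_any(dst_ip, intf.auth_dest_nets)
    if intf.auth_source_nets:
        return _in_any(src_ip, intf.auth_source_nets)
    return True                        # no subnet restriction: every HTTP packet triggers


def outbound_permitted(intf: PortalInterface, dst_ip: str) -> bool:
    """Outgoing-packet filtering: only traffic to online users or free-rule
    destinations leaves the interface; everything else is dropped."""
    return dst_ip in intf.authenticated or _in_any(dst_ip, intf.free_dest_nets)


if __name__ == "__main__":
    # Constructed sample: portal server subnet is portal-free, 2.2.2.2 is already online.
    intf = PortalInterface(["192.168.0.0/24"], ["2.2.2.0/24"], ["10.0.0.0/8"], {"2.2.2.2"})
    for src, dst in [("2.2.2.3", "10.1.1.1"), ("2.2.2.3", "8.8.8.8"),
                     ("2.2.2.3", "192.168.0.111"), ("3.3.3.3", "10.0.0.1")]:
        print(src, "->", dst, "redirect" if triggers_portal(intf, src, dst) else "no redirect")
    print("outbound to 2.2.2.3 permitted:", outbound_permitted(intf, "2.2.2.3"))
```

Note the last sample pair: because a destination subnet is configured, a source outside the configured source subnet is still redirected, which is exactly the "only the authentication destination subnets take effect" caveat.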
Step Command Remarks
415. Enter portal authentication server view. Command: portal server server-name
416. Configure portal authentication server detection. Command: server-detect [ timeout timeout ] { log | trap } *... Remarks: By default, portal authentication server detection is disabled. This feature takes effect regardless of whether portal authentication is enabled on an...
Configuring portal user synchronization Once the access device loses communication with a portal authentication server, the portal user information on the access device and that on the portal authentication server might be inconsistent after the communication resumes. To address this problem, the device provides the portal user synchronization feature.
authentication and unauthenticated portal users need to pass authentication to access network resources. Portal users who have passed authentication can continue accessing network resources. On the same interface or service template, the portal Web server is unreachable when both primary and backup portal Web servers are unreachable.
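The server detection steps above (timeout plus log and trap actions) and the fail-permit behaviour described here interact: while the portal authentication server is unreachable, new users are let through, and once it is reachable again only users who already passed authentication keep access. The following Python model is an added example written for this page, not HPE or H3C device code. The timeout values, user addresses and the assumption that a "server packet" is any packet received from the portal server within the timeout are constructed for illustration.

```python
"""Model of portal server detection with log/trap actions and the fail-permit rule (added example)."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class ServerDetector:
    """Declares the portal authentication server unreachable when no packet from it
    arrives within `timeout` seconds, and fires the configured actions on each transition."""
    timeout: float
    actions: Tuple[str, ...] = ("log",)    # any combination of "log" and "trap"
    last_seen: float = 0.0
    reachable: bool = True
    events: List[Tuple[float, str, str]] = field(default_factory=list)

    def on_server_packet(self, now: float) -> None:
        self.last_seen = now
        if not self.reachable:
            self.reachable = True
            self._fire("reachable", now)

    def poll(self, now: float) -> bool:
        if self.reachable and now - self.last_seen > self.timeout:
            self.reachable = False
            self._fire("unreachable", now)
        return self.reachable

    def _fire(self, state: str, now: float) -> None:
        for action in self.actions:        # "log" writes a log message, "trap" sends an SNMP trap
            self.events.append((now, action, state))


@dataclass
class FailPermit:
    """Access decision for a portal-enabled interface with fail-permit configured for the server."""
    detector: ServerDetector
    enabled: bool = True
    authenticated: Set[str] = field(default_factory=set)

    def may_access(self, user_ip: str, now: float) -> bool:
        if user_ip in self.authenticated:
            return True                    # users that passed authentication keep their access
        if self.enabled and not self.detector.poll(now):
            return True                    # server unreachable: unauthenticated users pass
        return False                       # server reachable: portal authentication required


if __name__ == "__main__":
    det = ServerDetector(timeout=10, actions=("log", "trap"))
    policy = FailPermit(det, authenticated={"2.2.2.2"})
    det.on_server_packet(0)                # constructed timeline, seconds
    for t in (5, 20):
        print(t, "unauthenticated 2.2.2.3 may access:", policy.may_access("2.2.2.3", t))
    det.on_server_packet(30)               # server comes back
    print(31, "unauthenticated 2.2.2.3 may access:", policy.may_access("2.2.2.3", 31))
    print(31, "authenticated 2.2.2.2 may access:", policy.may_access("2.2.2.2", 31))
    print(det.events)
```

The `events` list is what you would expect to see as log entries or traps on the device; alerting on the "unreachable" transition is the operationally interesting signal, since fail-permit silently opens the interface while it is active.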
Step Command Remarks
430. Enter system view. Command: system-view
431. Enter interface view. Command: interface interface-type interface-number
432. Configure BAS-IP for IPv4 portal packets sent to the portal authentication server. Command: … Remarks: By default:
• The BAS-IP attribute of an IPv4 portal reply packet sent to the portal authentication server is the source IPv4 address of the packet.
Step Command Remarks
437. Enter system view. Command: system-view
438. Specify the format for the NAS-Port-ID attribute. Command: portal nas-port-id format { 1 | 2 | 3 | 4 }. Remarks: By default, the format for the NAS-Port-ID attribute is format 2.

Specifying the device ID
The portal authentication server uses device IDs to identify the devices that send protocol packets to the portal server.
If any device in a VSRP group executes the portal delete-user command to log out a user, all devices in this group log out the user. When the number of online users exceeds 2000, executing the portal delete-user command takes a few minutes.
• The Web redirect feature takes effect only on HTTP packets that use the default port number.
• Web redirect does not work when both Web redirect and portal authentication are enabled.

To configure Web redirect on an interface:
Step Command Remarks
448.
Step Command Remarks
457. Return to system view. Command: quit
458. Enter interface view. Command: interface interface-type interface-number
459. Specify the NAS-ID profile on the interface. Command: portal nas-id-profile profile-name. Remarks: By default, no NAS-ID profile is specified on the interface.

Configuring the local portal Web server feature
To perform local portal authentication for users, perform the following tasks:
•...
Table 7 Main authentication page file names
Main authentication page | File name | Note
Logon page | logon.htm |
Logon success page | logonSuccess.htm |
Logon failure page | logonFail.htm |
Online page | online.htm | Pushed after the user gets online for online notification
System busy page | busy.htm | Pushed when the system is busy or the user is in the logon process
Logoff success page | logoffSuccess.htm |

Page request rules...
• The name of a zip file can contain only letters, numbers, and underscores.
• The authentication pages must be placed in the root directory of the zip file.
• Zip files can be transferred to the device through FTP or TFTP and must be saved in the root directory of the device.
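A broken page bundle is only discovered when users get no logon page, so it pays to check the zip against the rules above before uploading it. The following Python check is an added example written for this page, not a tool shipped by HPE or H3C. It enforces the zip name rule, the root-directory rule, the presence of the Table 7 file names, and, when an emailLogon.htm page is present, the rule from "Configuring portal support for third-party authentication" that its form action must be maillogin.html. The sample archives are constructed in memory; whether the file ends up in the device's root directory after FTP/TFTP transfer is not something this check can see.

```python
"""Pre-upload check for a customized local-portal page zip (added example)."""
import io
import re
import zipfile

# File names the local portal Web server expects, from Table 7.
REQUIRED_PAGES = {
    "logon.htm", "logonSuccess.htm", "logonFail.htm",
    "online.htm", "busy.htm", "logoffSuccess.htm",
}
# Zip name rule: letters, digits and underscores only (plus the .zip suffix).
ZIP_NAME_RE = re.compile(r"^[A-Za-z0-9_]+\.zip$")
# Email logon page rule: the form must post to maillogin.html.
MAIL_ACTION_RE = re.compile(r'<form\b[^>]*\baction\s*=\s*["\']?maillogin\.html["\']?', re.I)


def validate_portal_zip(zip_name: str, data: bytes) -> list:
    """Return the list of rule violations for the archive (an empty list means it passes)."""
    problems = []
    if not ZIP_NAME_RE.match(zip_name):
        problems.append(f"zip name {zip_name!r}: only letters, digits and underscores are allowed")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        root = {n for n in names if "/" not in n}   # entries with a slash are not in the root
        for n in names:
            if "/" in n and n.rsplit("/", 1)[-1] in REQUIRED_PAGES:
                problems.append(f"{n}: authentication pages must be in the zip root")
        for page in sorted(REQUIRED_PAGES - root):
            problems.append(f"{page}: required page missing from zip root")
        if "emailLogon.htm" in root:
            html = zf.read("emailLogon.htm").decode("utf-8", "replace")
            if not MAIL_ACTION_RE.search(html):
                problems.append("emailLogon.htm: form action must be maillogin.html")
    return problems


def build_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: text}; used here only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    good = build_zip({p: "<html></html>" for p in REQUIRED_PAGES})
    print("good bundle:", validate_portal_zip("portal_pages.zip", good))
    bad = build_zip({"pages/logon.htm": "<html></html>",
                     "emailLogon.htm": '<form method="post" action="login.html">'})
    for problem in validate_portal_zip("portal-pages.zip", bad):
        print("bad bundle:", problem)
```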
Step Command Remarks
461. Configure a local portal Web server and enter its view. Command: portal local-web-server { http | https ssl-server-policy policy-name }. Remarks: By default, no local portal Web servers exist.
462. Specify the default authentication page file. Command: default-logon-page filename. Remarks: By default, no default authentication page file is specified for the local portal Web...
Automatically logging out wireless portal users
The following matrix shows the feature and hardware compatibility:
Hardware | Feature compatibility
MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A) |
MSR958 (JH300A/JH301A) |
MSR1002-4/1003-8S |
MSR2003 |
MSR2004-24/2004-48 |
MSR3012/3024/3044/3064 |
MSR4060/4080 |
With this feature enabled, the device automatically logs out portal users after the wireless clients are disconnected from the network.
Configuring HTTPS redirect
The device can redirect HTTPS requests to the portal Web server for portal authentication. Because the device answers the client's TLS handshake itself when it redirects an HTTPS request, the user's browser might warn during SSL connection establishment that it cannot verify the server's identity by certificate. For users to complete portal authentication without seeing such a warning, configure an SSL server policy on the device that uses a server certificate the clients trust (for example, one issued by a CA the clients already trust).
Step Command Remarks
477. (Optional.) Specify the free-traffic threshold. Command: free-traffic threshold value. Remarks: By default, the free-traffic threshold is 0 bytes.
478. (Optional.) Specify the NAS-Port-Type value carried in RADIUS requests sent to the RADIUS server. Command: nas-port-type value. Remarks: By default, the NAS-Port-Type value carried in RADIUS requests is 0.
Step Command Remarks
491. (Optional.) Set the aging time for MAC-trigger entries. Command: aging-time seconds. Remarks: By default, the aging time for MAC-trigger entries is … seconds.
492. (Optional.) Enable AAA failure unbinding. Command: aaa-fail nobinding enable. Remarks: By default, AAA failure unbinding is disabled.

Specifying a MAC binding server on an interface
After a MAC binding server is specified on an interface, the device can implement MAC-based quick portal authentication for portal users on the interface.
Hardware | Interface view | Service template view
MSR2003 | |
MSR2004-24/2004-48 | |
MSR3012/3024/3044/3064 | |
MSR4060/4080 | |

The NAS-Port-Type attribute carried in RADIUS requests represents the user's access interface type. When a portal user logs in from an interface or a service template, the value of the NAS-Port-Type attribute is as follows:
•...
Table 8 Browser types supported by portal safe-redirect
Browser type | Description
Safari | Apple browser
Chrome | Google browser
Firefox | Firefox browser
UC browser |
QQBrowser | QQ browser
LBBROWSER | Cheetah browser
TaoBrowser | Taobao browser
Maxthon | Maxthon browser
BIDUBrowser | Baidu browser
MSIE 10.0 | Microsoft IE 10.0 browser
MSIE 9.0 | Microsoft IE 9.0 browser
MSIE 8.0 | ...
Setting the interval at which an AP reports traffic statistics to the AC
When the client traffic forwarding location is at APs, an AP reports traffic statistics to the AC at a regular interval.
To set the interval at which an AP reports traffic statistics to the AC:
Step Command Remarks...
Step Command Remarks
518. Enable logging for portal redirect. Command: portal redirect log enable. Remarks: By default, portal redirect logging is disabled.

Configuring portal support for third-party authentication
You can configure the device to support QQ authentication or email authentication as third-party authentication for portal.
When you edit the email authentication page, follow the rules in "Customizing authentication pages" and the following rules:
• Set the action attribute of the beginning form tag to maillogin.html. Otherwise, the device cannot send the user information
• Save the login page as emailLogon.htm.
The following example shows part of the script of the emailLogon.htm page.
Step Command Remarks
524. Specify the APP key for QQ authentication. Command: app-key app-key. Remarks: By default, an APP key for QQ authentication exists.

Configuring the email authentication server
If a user chooses email authentication, the user can access the network after passing email authentication.
authentication. During the temporary pass period, the user can provide WeChat authentication information to the WeChat server for the server to interact with the access device to finish portal authentication. To configure portal temporary pass on an interface: Step Command Remarks 534.
Task Command
Display portal rules (distributed devices in standalone mode). Command: display portal rule { all | dynamic | static } { ap ap-name [ radio radio-id ] | interface interface-type interface-number [ slot slot-number ] }
Display portal rules (distributed devices in IRF mode). Command: display portal rule { all | dynamic | static } { ap ap-name [ radio radio-id ] | interface interface-type interface-number [ chassis chassis-number slot...
Portal configuration examples (wired application)
Configuring direct portal authentication
Network requirements
As shown in Figure 56, the host is directly connected to the router (the access device). The host is assigned a public IP address either manually or through DHCP. A portal server acts as both a portal authentication server portal...
Figure 51 Portal server configuration
Configure the IP address group:
a. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to open the portal IP address group configuration page.
b. Click Add to open the page as shown in Figure
c.
a. Select User Access Manager > Portal Service Management > Device from the navigation tree to open the portal device configuration page.
b. Click Add to open the page as shown in Figure
c. Enter the device name NAS.
d. Enter the IP address of the router's interface connected to the host.
e.
Figure 55 Adding a port group
Configuring the portal authentication server on IMC PLAT 7.1
In this example, the portal server runs on IMC PLAT 7.1(E0303) and IMC EIA 7.1(F0303).
Configure the portal authentication server:
a. Log in to IMC and click the User tab.
b.
Figure 56 Portal server configuration
Configure the IP address group:
a. Select User Access Policy > Portal Service > IP Group from the navigation tree to open the portal IP address group configuration page.
b. Click Add to open the page as shown in Figure
c.
Figure 57 Adding an IP address group
Add a portal device:
a. Select User Access Policy > Portal Service > Device from the navigation tree to open the portal device configuration page.
b. Click Add to open the page as shown in Figure 64.
Associate the portal device with the IP address group:
a. As shown in Figure 65, click the Port Group Information Management icon for device NAS to open the port group configuration page.
b. Click Add to open the page as shown in Figure 66.
[Router] radius scheme rs1
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Router-radius-rs1] primary authentication 192.168.0.112
[Router-radius-rs1] primary accounting 192.168.0.112
[Router-radius-rs1] key authentication simple radius
[Router-radius-rs1] key accounting simple radius
# Exclude the ISP domain name from the username sent to the RADIUS server.
    Server type   Server name   Action
  Layer3 source network:
    IP address   Prefix length
  Destination authenticate subnet:
    IP address   Prefix length

A user can perform portal authentication by using the HPE iNode client or a Web browser. Before passing authentication, the user can access only the authentication page
http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. After passing the authentication, the user can access other network resources. # After the user passes authentication, use the following command to display information about the portal user.
• For re-DHCP portal authentication, configure a public address pool (20.20.20.0/24) and a private address pool (10.0.0.0/24) on the DHCP server. (Details not shown.)
• For re-DHCP portal authentication:
  The router must be configured as a DHCP relay agent.
  The portal-enabled interface must be configured with a primary IP address (a public IP ...
[Router-GigabitEthernet1/0/2] ip address 10.0.0.1 255.255.255.0 sub
[Router-GigabitEthernet1/0/2] dhcp select relay
[Router-GigabitEthernet1/0/2] dhcp relay server-address 192.168.0.112
# Enable authorized ARP.
[Router-GigabitEthernet1/0/2] arp authorized enable
[Router-GigabitEthernet1/0/2] quit
Configure portal authentication:
# Configure a portal authentication server.
[Router] portal server newpt
[Router-portal-server-newpt] ip 192.168.0.111 key simple portal
[Router-portal-server-newpt] port 50100
[Router-portal-server-newpt] quit
# Configure a portal Web server.
    IP address   Prefix length

Before passing the authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. After passing the authentication, the user can access other network resources.
Configuring cross-subnet portal authentication
Network requirements
As shown in Figure 68, Router A supports portal authentication. The host accesses Router A through Router B. A portal server acts as both a portal authentication server and a portal Web server. A RADIUS server acts as the authentication/accounting server.
Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[RouterA] domain dm1
# Configure AAA methods for the ISP domain.
[RouterA-isp-dm1] authentication portal radius-scheme rs1
[RouterA-isp-dm1] authorization portal radius-scheme rs1
[RouterA-isp-dm1] accounting portal radius-scheme rs1
[RouterA-isp-dm1] quit
# Configure domain dm1 as the default ISP domain.
    Server type   Server name   Action
  Layer3 source network:
    IP address   Prefix length
  Destination authenticate subnet:
    IP address   Prefix length

A user can perform portal authentication by using the HPE iNode client or a Web browser. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal.
    DHCP IP pool: N/A
    User profile: N/A
    ACL: N/A
    CAR: N/A

Configuring extended direct portal authentication
Network requirements
As shown in Figure 69, the host is directly connected to the router (the access device). The host is assigned a public IP address either manually or through DHCP. A portal server acts as both a portal authentication server portal...
[Router] radius session-control enable
# Specify a session-control client with IP address 192.168.0.113 and shared key 12345 in plain text.
[Router] radius session-control client ip 192.168.0.113 key simple 12345
Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Router] domain dm1
# Configure AAA methods for the ISP domain.
Verifying the configuration
# Verify that the portal configuration has taken effect.
[Router] display portal interface gigabitethernet 1/0/2
 Portal information of GigabitEthernet1/0/2
     NAS-ID profile: Not configured
     VSRP instance : Not configured
     VSRP state : N/A
     Authorization : Strict checking : Disabled
     User profile : Disabled
 IPv4:...
  Destination authenticate subnet:
    IP address   Prefix length

Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
•...
Figure 64 Network diagram (addresses shown in the figure: Router GE1/0/1 192.168.0.100/24; Router GE1/0/2 20.20.20.1/24, sub 10.0.0.1/24; Host automatically obtains an IP address; Portal server 192.168.0.111/24; DHCP server 192.168.0.112/24; RADIUS server 192.168.0.113/24; Security policy server 192.168.0.114/24)
Configuration prerequisites and guidelines
• Configure IP addresses for the router and servers as shown in Figure 70 and make sure the host, router, and servers can reach each other.
# Specify a session-control client with IP address 192.168.0.114 and shared key 12345 in plain text.
[Router] radius session-control client ip 192.168.0.114 key simple 12345
Configure an authentication domain:
# Create an ISP domain named dm1 and enter its view.
[Router] domain dm1
# Configure AAA methods for the ISP domain.
[Router-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[Router-portal-websvr-newpt] quit
# Enable re-DHCP portal authentication on GigabitEthernet 1/0/2.
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] portal enable method redhcp
# Reference the portal Web server newpt on GigabitEthernet 1/0/2.
[Router-GigabitEthernet1/0/2] portal apply web-server newpt
# Configure the BAS-IP as 20.20.20.1 for portal packets sent from GigabitEthernet 1/0/2 to the portal authentication server.
  Destination authenticate subnet:
    IP address   Prefix length

Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page.
•...
Figure 65 Network diagram (addresses shown in the figure: Router A GE1/0/1 192.168.0.100/24, GE1/0/2 20.20.20.1/24; Router B GE1/0/1 20.20.20.2/24, GE1/0/2 8.8.8.1/24; Host 8.8.8.2/24; Portal server 192.168.0.111/24; RADIUS server 192.168.0.112/24; Security policy server 192.168.0.113/24)
Configuration prerequisites and guidelines
• Configure IP addresses for the router and servers as shown in Figure 71 and make sure the host, router, and servers can reach each other.
# Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.
[RouterA] domain default enable dm1
Configure ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.
    IP address   Prefix length
  Destination authenticate subnet:
    IP address   Prefix length

Before passing portal authentication, a user that uses the HPE iNode client can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user are redirected to the authentication page.
•...
[RouterA] display portal user interface gigabitethernet 1/0/2
Total portal users: 1
Username: abc
  Portal server: newpt
  State: Online
  VPN instance: N/A
  MAC             IP       VLAN   Interface
  0015-e9a6-7cfe  8.8.8.2         GigabitEthernet1/0/2
  Authorization information:
    DHCP IP pool: N/A
    User profile: N/A
    ACL: 3001
    CAR: N/A

Configuring portal server detection and portal user synchronization
Network requirements
As shown in...
• Configure the portal authentication server. Be sure to enable the server heartbeat function and the user heartbeat function.
• Configure the router (access device) as follows:
  Configure direct portal authentication on GigabitEthernet 1/0/2, the interface to which the host is connected.
e. Select a service group. This example uses the default group Ungrouped.
f. Select Normal from the Action list.
g. Click OK.
Figure 68 Adding an IP address group
Add a portal device:
a. Select User Access Manager > Portal Service Management > Device from the navigation tree to open the portal device configuration page.
Figure 69 Adding a portal device
Associate the portal device with the IP address group:
a. As shown in Figure 76, click the icon in the Port Group Information Management column of device NAS to open the port group configuration page.
b.
Figure 71 Adding a port group
Configuring the portal authentication server on IMC PLAT 7.1
In this example, the portal server runs on IMC PLAT 7.1(E0303) and IMC EIA 7.1(F0303).
Configure the portal authentication server:
a. Log in to IMC and click the User tab.
b.
Figure 72 Portal authentication server configuration
Configure the IP address group:
a. Select User Access Policy > Portal Service > IP Group from the navigation tree to open the portal IP address group configuration page.
b. Click Add to open the page as shown in Figure 79.
Figure 73 Adding an IP address group
Add a portal device:
a. Select User Access Policy > Portal Service > Device from the navigation tree to open the portal device configuration page.
b. Click Add to open the page as shown in Figure 80.
Associate the portal device with the IP address group:
a. As shown in Figure 81, click the Port Group Information Management icon for device NAS to open the port group configuration page.
b. Click Add to open the page as shown in Figure 82.
<Router> system-view
[Router] radius scheme rs1
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[Router-radius-rs1] primary authentication 192.168.0.112
[Router-radius-rs1] primary accounting 192.168.0.112
[Router-radius-rs1] key authentication simple radius
[Router-radius-rs1] key accounting simple radius
# Exclude the ISP domain name from the username sent to the RADIUS server.
# Enable direct portal authentication on GigabitEthernet 1/0/2.
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] portal enable method direct
# Enable portal fail-permit for the portal authentication server newpt.
[Router-GigabitEthernet1/0/2] portal fail-permit server newpt
# Reference the portal Web server newpt on GigabitEthernet 1/0/2.
[Router-GigabitEthernet1/0/2] portal apply web-server newpt
# Configure the BAS-IP as 2.2.2.1 for portal packets sent from GigabitEthernet 1/0/2 to the portal authentication server.
Configuration prerequisites
• Before enabling portal authentication, configure MPLS L3VPN and specify VPN targets for VPN 1 and VPN 3 so that VPN 1 and VPN 3 can communicate with each other. This example describes only the access authentication configuration on the user-side PE. For information about MPLS L3VPN configurations, see MPLS Configuration Guide.
[RouterA] portal server newpt
[RouterA-portal-server-newpt] ip 192.168.0.111 vpn-instance vpn3 key simple portal
[RouterA-portal-server-newpt] port 50100
[RouterA-portal-server-newpt] quit
# Configure a portal Web server.
[RouterA] portal web-server newpt
[RouterA-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[RouterA-portal-websvr-newpt] vpn-instance vpn3
[RouterA-portal-websvr-newpt] quit
# Enable cross-subnet portal authentication on GigabitEthernet 1/0/1.
[RouterA] interface gigabitethernet 1/0/1
[RouterA-GigabitEthernet1/0/1] portal enable method layer3
# Reference the portal Web server newpt on GigabitEthernet 1/0/1.
Figure 78 Network diagram (addresses shown in the figure: Router GE1/0/1 192.168.0.100/24, GE1/0/2 2.2.2.1/24; Host 2.2.2.2/24, gateway 2.2.2.1/24; Portal server 192.168.0.111/24; RADIUS server 192.168.0.112/24)
Configuration prerequisites
• Configure IP addresses for the host, router, and servers as shown in Figure 84 and make sure they can reach each other.
•...
[Router] portal server newpt
[Router-portal-server-newpt] ip 192.168.0.111 key simple portal
[Router-portal-server-newpt] port 50100
[Router-portal-server-newpt] quit
# Configure a portal Web server.
[Router] portal web-server newpt
[Router-portal-websvr-newpt] url http://192.168.0.111:8080/portal
[Router-portal-websvr-newpt] quit
# Enable direct portal authentication on GigabitEthernet 1/0/2.
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] portal enable method direct
# Reference the portal Web server newpt on GigabitEthernet 1/0/2.
Figure 79 Network diagram (addresses shown in the figure: Router GE1/0/1 192.168.0.100/24; Router GE1/0/2 20.20.20.1/24, sub 10.0.0.1/24; Host automatically obtains an IP address; Portal server 192.168.0.111/24; DHCP server 192.168.0.112/24; RADIUS server 192.168.0.113/24)
Configuration prerequisites and guidelines
• Configure IP addresses for the router and servers as shown in Figure 85 and make sure the host, router, and servers can reach each other.
    User profile: N/A
    ACL number: 3010
    Inbound CAR: N/A
    Outbound CAR: N/A

Configuring direct portal authentication using the local portal Web server
Network requirements
As shown in Figure 86, the host is directly connected to the router (the access device). The host is assigned a public IP address either manually or through DHCP.
# Create an ISP domain named dm1 and enter its view.
[Router] domain dm1
# Configure AAA methods for the ISP domain.
[Router-isp-dm1] authentication portal radius-scheme rs1
[Router-isp-dm1] authorization portal radius-scheme rs1
[Router-isp-dm1] accounting portal radius-scheme rs1
[Router-isp-dm1] quit
# Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.
     User-dhcp-only: Disabled
     Pre-auth IP pool: Not configured
     Max portal users: Not configured
     Bas-ip: Not configured
     User detection: Not configured
     Action for server detection:
         Server type   Server name   Action
     Layer3 source network:
         IP address   Mask
     Destination authenticate subnet:
         IP address   Mask
 IPv6:
     Portal status: Disabled
     Authentication type: Disabled...
    User profile: N/A
    ACL: N/A
    CAR: N/A

Portal configuration examples (wireless application)
The term "AP" in the configuration examples refers to MSR routers that support WLAN. WLAN is not supported on the following routers:
• MSR4060.
• MSR4080.
Configuring direct portal authentication
Network requirements
As shown in Figure...
d. Click OK.
Figure 82 Portal server configuration
Configure the IP address group:
a. Select User Access Manager > Portal Service Management > IP Group from the navigation tree to open the portal IP address group configuration page.
b. Click Add to open the page as shown in Figure
Figure 83 Adding an IP address group
c.
a. Select User Access Manager > Portal Service Management > Device from the navigation tree to open the portal device configuration page.
b. Click Add to open the page as shown in Figure
c. Enter the device name NAS.
d. Enter the IP address of the router's interface connected to the client.
e.
Figure 86 Adding a port group
c. Enter the port group name.
d. Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group.
e. Use the default settings for other parameters.
f.
Figure 87 Portal authentication server configuration
Configure the IP address group:
a. Select User Access Policy > Portal Service > IP Group from the navigation tree to open the portal IP address group configuration page.
b. Click Add to open the page as shown in Figure
c.
Figure 88 Adding an IP address group
Add a portal device:
a. Select User Access Policy > Portal Service > Device from the navigation tree to open the portal device configuration page.
b. Click Add to open the page as shown in Figure 95.
Associate the portal device with the IP address group:
a. As shown in Figure 96, click the Port Group Information Management icon for device NAS to open the port group configuration page.
b. Click Add to open the page as shown in Figure 97.
<AP> system-view
[AP] radius scheme rs1
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[AP-radius-rs1] primary authentication 192.168.0.112
[AP-radius-rs1] primary accounting 192.168.0.112
[AP-radius-rs1] key authentication simple radius
[AP-radius-rs1] key accounting simple radius
# Exclude the ISP domain name from the username sent to the RADIUS server.
# Set the working channel to channel 11 for radio 2 of the AP.
[AP] wlan ap ap2
[AP-wlan-ap-ap2] radio 2
[AP-wlan-ap-ap2-radio-2] channel 11
# Enable radio 2 and bind service template newst and VLAN 2 to radio 2.
[AP-wlan-ap-ap2-radio-2] radio enable
[AP-wlan-ap-ap2-radio-2] service-template newst vlan 2
[AP-wlan-ap-ap2-radio-2] quit
[AP-wlan-ap-ap2] quit...
A user can perform portal authentication by using the HPE iNode client or a Web browser. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests from the user will be redirected to the authentication page. After passing the authentication, the user can access other network resources.
• Configure the RADIUS server correctly to provide authentication and accounting functions.
Configuring the portal server on IMC PLAT 7.1
In this example, the portal server runs on IMC PLAT 7.1(E0303), IMC EIA 7.1(F0303), and IMC EIP 7.1(F0303).
Configure the portal authentication server:
a.
Figure 94 Adding an IP address group
Add a portal device:
a. Select User Access Policy > Portal Service > Device from the navigation tree to open the portal device configuration page.
b. Click Add to open the page as shown in Figure 101.
Figure 96 Device list
a. Click Add to open the page as shown in Figure 103.
b. Enter the port group name.
c. Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group.
Figure 98 Adding an access policy
Add an access service:
a. Select User Access Policy > Access Service from the navigation tree to open the access service page.
b. Click Add to open the page as shown in Figure 105.
c.
Figure 100 Adding an access user
Configure system parameters:
a. Select User Access Policy > Service Parameters > System Settings from the navigation tree to open the system settings page.
b. Click the Configure icon for User Endpoint Settings to open the page as shown in Figure 107.
# Create a RADIUS scheme named rs1 and enter its view.
<AP> system-view
[AP] radius scheme rs1
# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
[AP-radius-rs1] primary authentication 192.168.0.112
[AP-radius-rs1] primary accounting 192.168.0.112
[AP-radius-rs1] key authentication simple radius
[AP-radius-rs1] key accounting simple radius
                           : Not configured
     Binding retry times    :
     Binding retry interval : 1 seconds
     Authentication timeout : 3 minutes

A user can perform portal authentication by using the HPE iNode client or a Web browser. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal.
  VPN instance: N/A
  MAC             IP       VLAN   Interface
  0015-e9a6-7cfe  2.2.2.2         WLAN-BSS1/0/1
  Authorization information:
    DHCP IP pool: N/A
    User profile: N/A
    ACL: N/A
    CAR: N/A

Troubleshooting portal
No portal authentication page is pushed for users
Symptom
When a user is redirected to the IMC portal authentication server, no portal authentication page or error message is prompted for the user.
Cannot log out portal users on the RADIUS server
Symptom
The access device uses the HPE IMC server as the RADIUS server to perform identity authentication for portal users. You cannot log out the portal users on the RADIUS server.
Analysis
When the access device detects that the client IP address has changed, it sends an unsolicited portal packet to notify the portal authentication server of the IP change. The portal authentication server reports authentication success only after it has received the IP change notification from both the access device and the client.
Configuring port security
Overview
Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control. This feature applies to networks, such as a WLAN, that require different authentication methods for different users on a port.
Port security provides the following functions:
•...
Intrusion protection The intrusion protection feature checks the source MAC address in inbound frames for illegal frames, and takes a predefined action on each detected illegal frame. The action can be disabling the port temporarily, disabling the port permanently, or blocking frames from the illegal MAC address for 3 minutes (not user configurable).
TIP:
• userLogin specifies 802.1X authentication and port-based access control.
• userLogin with Secure specifies 802.1X authentication and MAC-based access control.
• Ext indicates allowing multiple 802.1X users to be authenticated and serviced at the same time. A security mode without Ext allows only one user to pass 802.1X authentication.
In this mode, the port performs OUI check at first. If the OUI check fails, the port performs 802.1X authentication. The port permits frames that pass OUI check or 802.1X authentication.
NOTE:
An OUI is a 24-bit number that uniquely identifies a vendor, manufacturer, or organization. In MAC addresses, the first three octets are the OUI.
Tasks at a glance:
• (Required.) Setting the port security mode
• (Optional.) Configuring port security features. Configure one or more port security features according to the network requirements:
  • Configuring NTK
  • Configuring intrusion protection
• (Optional.) Configuring secure MAC addresses
• (Optional.) Ignoring authorization information from the server
• Controlling the number of secure MAC addresses on the port in autoLearn mode. The port security's limit on the number of secure MAC addresses on a port is independent of the MAC learning limit described in MAC address table configuration. For more information about MAC address table configuration, see Layer 2—LAN Switching Configuration Guide.
Step 546. (Optional.) Set an OUI value for user authentication.
Command: port-security oui index index-value mac-address oui-value
Remarks: By default, no OUI values are configured for user authentication. This command is required for the userlogin-withoui mode. You can set multiple OUIs, but when the port security mode is userlogin-withoui, port...
Step 550. Enter interface view.
Command: interface interface-type interface-number
Step 551. Configure the NTK feature.
Command: port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly }
Remarks: By default, NTK is disabled on a port and all frames are allowed to be sent.

Configuring intrusion protection
Intrusion protection enables a device to take one of the following actions in response to illegal frames:
•...
Table 10 Comparison of static, sticky, and dynamic secure MAC addresses
Columns: Type | Address sources | Aging mechanism | Can be saved and survive a device reboot?
Type: Static
Address sources: Manually added (by using port-security mac-address...
Aging mechanism: Not available. The static secure MAC addresses never age out unless you perform any of the following tasks:
802.1X or MAC authenticated users cannot move between ports on a device if the number of online users on the authentication server has reached the upper limit. As a best practice, enable MAC move for wireless users that roam between ports to access the network.
Step 570. Enter system view.
Command: system-view
Step 571. Apply a NAS-ID profile.
Command:
• In system view: port-security nas-id-profile profile-name
• In interface view:
  a. interface interface-type interface-number
  b.
Remarks: By default, no NAS-ID profile is applied in system view or in interface view.
• Be permitted to learn and add MAC addresses as sticky MAC addresses, and set the secure MAC aging timer to 30 minutes.
• Stop learning MAC addresses after the number of secure MAC addresses reaches 64. If any frame with an unknown MAC address arrives, intrusion protection starts, and the port shuts down and stays silent for 30 seconds.
OUI value list
Index : Value : 123401
GigabitEthernet1/0/1 is link-up
Port mode : autoLearn
NeedToKnow mode : Disabled
Intrusion protection mode : DisablePortTemporarily
Security MAC address attribute
Learning mode : Sticky
Aging type : Periodical
Max secure MAC addresses : 64
Current secure MAC addresses :
Authorization...
userLoginWithOUI configuration example
Network requirements
As shown in Figure 110, a client is connected to the device through GigabitEthernet 1/0/1. The device authenticates the client with a RADIUS server in ISP domain sun. If the authentication succeeds, the client is authorized to access the Internet.
•...
[Device] domain sun
[Device-isp-sun] authentication lan-access radius-scheme radsun
[Device-isp-sun] authorization lan-access radius-scheme radsun
[Device-isp-sun] accounting lan-access radius-scheme radsun
[Device-isp-sun] quit
Configure 802.1X:
# Set the 802.1X authentication method to CHAP. By default, the authentication method for 802.1X is CHAP.
[Device] dot1x authentication-method chap
# Specify ISP domain sun as the mandatory authentication domain for 802.1X users on GigabitEthernet 1/0/1.
VPN : Not configured
State : Active
Test profile : Not configured
Second accounting server : 192.168.1.2 Port: 1813
VPN : Not configured
State : Active
Accounting-On function : Disabled
extended function : Disabled
retransmission times : 50
retransmission interval(seconds) :
Timeout Interval(seconds) :
Retransmission Times :
Retransmission Times for Accounting Update : 5
Server Quiet Period(minutes) :
Realtime Accounting Interval(minutes) :
Index : Value : 123404
Index : Value : 123405
GigabitEthernet1/0/1 is link-up
Port mode : userLoginWithOUI
NeedToKnow mode : Disabled
Intrusion protection mode : NoAction
Security MAC address attribute
Learning mode : Sticky
Aging type : Periodical
Max secure MAC addresses : Not configured
Current secure MAC addresses :
Authorization...
Configuration procedure
Make sure the host and the RADIUS server can reach each other.
Configure RADIUS authentication/accounting and ISP domain settings. (See "userLoginWithOUI configuration example.")
Configure port security:
# Enable port security.
<Device> system-view
[Device] port-security enable
# Use MAC-based accounts for MAC authentication. Each MAC address must be in the hexadecimal notation with hyphens, and letters are in upper case.
Port mode : macAddressElseUserLoginSecure
NeedToKnow mode : NeedToKnowOnly
Intrusion protection mode : NoAction
Security MAC address attribute
Learning mode : Sticky
Aging type : Periodical
Max secure MAC addresses : 64
Current secure MAC addresses :
Authorization : Permitted
NAS-ID profile : Not configured
# After users pass authentication, display MAC authentication information.
Handshake period : 15 s
Quiet timer : Disabled
Quiet period : 60 s
Supp timeout : 30 s
Server timeout : 100 s
Reauth period : 3600 s
Max auth requests :
SmartOn supp timeout : 30 s
SmartOn retry counts :
EAD assistant function : Disabled
EAD timeout : 30 min...
Troubleshooting port security
Cannot set the port security mode
Symptom
Cannot set the port security mode for a port.
Analysis
For a port operating in a port security mode other than noRestrictions, you cannot change the port security mode by using the port-security port-mode command.
Solution
To resolve the problem:
Set the port security mode to noRestrictions.
Configuring user profiles
Overview
A user profile saves a set of predefined parameters, such as a CAR policy, a QoS policy, or a connection limit policy. The user profile application allows flexible traffic policing on a per-user basis. Each time a user passes authentication, the device automatically applies the parameters in the user profile to this user.
Step 575. Create a user profile and enter user profile view.
Command: user-profile profile-name
Remarks: By default, no user profiles exist. You can use the command to enter the view of an existing user profile.
Step 576.
Remarks: For information about QoS policy, CAR, and GTS configuration, see Configuration
Configuring password control
Overview
Password control allows you to implement the following features:
• Manage login and super password setup, expirations, and updates for device management users.
• Control user login status based on predefined policies.
Local users are divided into two types: device management users and network access users. This feature applies only to device management users.
when a user configures a password, the system checks the complexity of the password. If the password is complexity-incompliant, the configuration fails. You can apply the following password complexity requirements:
• A password cannot contain the username or the reverse of the username. For example, if the username is abc, a password such as abc982 or 2cba is not complex enough.
Current login passwords of device management users are not stored in the password history, because a device management user password is saved in cipher text and cannot be recovered to a plaintext password.
User login control
First login
If the global password control feature is enabled, users must change the password at first login before they can access the system.
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
Password control configuration task list
The password control features can be configured in several different views, and different views support different features.
Step 578. Enable the global password control feature.
Command: password-control enable
Remarks:
• In non-FIPS mode, the global password control feature is disabled by default.
• In FIPS mode, the global password control feature is enabled by default and cannot be disabled.
Step 579.
Command: password-control aging
Step 586. Set the maximum number of history password records for each user.
Command: password-control history max-record-number
Remarks: The default setting is 4.
Step 587. Configure the login attempt limit.
Command: password-control login-attempt login-times [ exceed { lock |
Remarks: By default, the maximum number of login attempts is 3 and a user failing to log in after the specified
Setting local user password control parameters
Step 598. Enter system view.
Command: system-view
Step 599. Create a device management user and enter its view.
Command: local-user user-name class manage
Remarks: By default, no local users exist. Local user password control applies to device management users instead of network access users.
Step 605. Enter system view.
Command: system-view
Step 606. Set the password expiration time for super passwords.
Command: password-control super aging aging-time
Remarks: The default setting is 90 days.
Step 607. Configure the minimum length for super passwords.
Command: password-control super length length
Remarks:
• non-FIPS mode, default setting characters.
•...
• An FTP or VTY user failing to provide the correct password in two successive login attempts is permanently prohibited from logging in.
• A user can log in five times within 60 days after the password expires.
• A password expires after 30 days.
•...
[Sysname] password-control super length 24
# Specify that a super password must contain a minimum of four character types and a minimum of five characters for each type.
[Sysname] password-control super composition type-number 4 type-length 5
# Configure a super password used for switching to user role network-operator as 123456789ABGFTweuix@#$%! in plain text.
Password length: Enabled (24 characters)
Password composition: Enabled (4 types, 5 characters per type)
# Display the password control configuration for local user test.
<Sysname> display local-user user-name test class manage
Total 1 local users matched.
Device management user test:
State: Active
Service type:...
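The checks described in this chapter (minimum length, composition by character type, the rule against the username and its reverse, and a bounded password history that never holds plaintext) can be modelled as follows. This is an added example, not HPE code: the policy values are parameters, the history stores only salted PBKDF2 hashes (the guide says only that history is stored in cipher text; the hash construction is this example's choice), and the sample passwords are constructed except for the super password quoted in the configuration example above.

```python
"""Password control: complexity, composition and history checks."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Tuple


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class PasswordHistory:
    """Keeps at most max_records salted hashes of previous passwords (password-control history)."""
    max_records: int = 4
    records: List[Tuple[bytes, bytes]] = field(default_factory=list)   # (salt, digest)

    def contains(self, password: str) -> bool:
        return any(hmac.compare_digest(_hash(password, s), d) for s, d in self.records)

    def add(self, password: str) -> None:
        salt = os.urandom(16)
        self.records.append((salt, _hash(password, salt)))
        del self.records[:-self.max_records]       # drop the oldest records beyond the limit


@dataclass
class PasswordPolicy:
    min_length: int = 10      # password-control length
    type_number: int = 2      # password-control composition type-number
    type_length: int = 1      # password-control composition type-length

    def violations(self, password: str, username: str, history: PasswordHistory) -> List[str]:
        """Return the list of rules the password breaks; an empty list means compliant."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        pw, user = password.lower(), username.lower()
        if user and (user in pw or user[::-1] in pw):
            problems.append("contains the username or the reverse of the username")
        # The four character types: uppercase, lowercase, digits, special characters.
        counts = {
            "uppercase": sum(c.isupper() for c in password),
            "lowercase": sum(c.islower() for c in password),
            "digit": sum(c.isdigit() for c in password),
            "special": sum(not c.isalnum() for c in password),
        }
        types_met = [t for t, n in counts.items() if n >= self.type_length]
        if len(types_met) < self.type_number:
            problems.append(
                f"needs {self.type_number} character types with at least "
                f"{self.type_length} characters each, has {len(types_met)}")
        if history.contains(password):
            problems.append("matches one of the recent passwords")
        return problems
```

The history check is what makes the "cannot be recovered to a plaintext password" remark above meaningful: the device can still reject a reused password by hashing the candidate and comparing, so a compromised configuration file does not yield the old passwords.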
Configuring keychains
Overview
A keychain, a sequence of keys, provides dynamic authentication to ensure secure communication by periodically changing the key and authentication algorithm without service interruption. Each key in a keychain has a key string, authentication algorithm, sending lifetime, and receiving lifetime.
Task: Display keychain information.
Command: display keychain [ name keychain-name [ key key-id ] ]

Keychain configuration example
Network requirements
As shown in Figure 112, establish an OSPF neighbor relationship between Router A and Router B, and use a keychain to authenticate packets between the routers. Configure key 1 and key 2 for the keychain and make sure key 2 is used immediately when key 1 expires.
[RouterA-keychain-abc-key-2] accept-lifetime utc 11:00:00 2015/02/06 to 12:00:00 2015/02/06
[RouterA-keychain-abc-key-2] quit
[RouterA-keychain-abc] quit
# Configure GigabitEthernet 1/0/1 to use the keychain abc for authentication.
[RouterA] interface GigabitEthernet 1/0/1
[RouterA-GigabitEthernet1/0/1] ospf authentication-mode keychain abc
[RouterA-GigabitEthernet1/0/1] quit
Configuring Router B
# Configure IP addresses for interfaces. (Details not shown.)
# Configure OSPF.
# Display keychain information on Router A. The output shows that key 1 is the valid key.
[RouterA] display keychain
Keychain name : abc
Mode : absolute
Accept tolerance :
TCP kind value : 254
TCP algorithm value
HMAC-MD5 :
Default send key ID : None
Active send key ID :
Active accept key IDs: 1
...
Accept lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Accept status : Active
Key ID :
Key string : $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw==
Algorithm : hmac-md5
Send lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Send status : Inactive
Accept lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Accept status : Inactive
When the system time is within the lifetime from 11:00:00 to 12:00:00 on the day 2015/02/06,...
TCP kind value : 254
TCP algorithm value
HMAC-MD5 :
Default send key ID : None
Active send key ID :
Active accept key IDs: 1
Key ID :
Key string : $c$3$/G/Shnh6heXWprlSQy/XDmftHa2JZJBSgg==
Algorithm : md5
Send lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Send status : Inactive
Accept lifetime...
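The rollover shown in the two display outputs above (key 1 active until 11:00:00, key 2 from 11:00:00 on) follows from how send and accept lifetimes select keys. The model below is an added example, not HPE code: sign() picks the key whose send lifetime contains the current time and returns its key ID alongside the digest (as the OSPF cryptographic authentication header carries a key ID), and verify() accepts any key whose accept lifetime, widened by the accept tolerance, contains the current time, so a receiver keeps accepting the old key across a small clock skew. The lifetimes are those of keys 1 and 2 configured above; the key strings and the packet bytes are constructed; the tie-break for overlapping send lifetimes (lowest key ID) and the keyed-MD5 construction (MD5 over message plus key) are this example's simplifications.

```python
"""Absolute-mode keychain: send/accept lifetimes, key selection and packet authentication."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Key:
    key_id: int
    key_string: bytes
    algorithm: str                 # "hmac-md5" or "md5"
    send_start: datetime
    send_end: datetime
    accept_start: datetime
    accept_end: datetime

    def digest(self, message: bytes) -> bytes:
        if self.algorithm == "hmac-md5":
            return hmac.new(self.key_string, message, hashlib.md5).digest()
        if self.algorithm == "md5":
            return hashlib.md5(message + self.key_string).digest()   # simplified keyed MD5
        raise ValueError(f"unsupported algorithm {self.algorithm}")


@dataclass
class Keychain:
    name: str
    keys: List[Key]
    accept_tolerance: timedelta = timedelta(0)

    def active_send_key(self, now: datetime) -> Optional[Key]:
        # Lifetimes are half-open [start, end); on overlap the lowest key ID wins (example's choice).
        for key in sorted(self.keys, key=lambda k: k.key_id):
            if key.send_start <= now < key.send_end:
                return key
        return None

    def active_accept_keys(self, now: datetime) -> List[Key]:
        tol = self.accept_tolerance
        return [k for k in self.keys if k.accept_start - tol <= now < k.accept_end + tol]

    def sign(self, message: bytes, now: datetime) -> Tuple[int, bytes]:
        key = self.active_send_key(now)
        if key is None:
            raise RuntimeError("no active send key: packets cannot be authenticated")
        return key.key_id, key.digest(message)

    def verify(self, message: bytes, key_id: int, digest: bytes, now: datetime) -> bool:
        for key in self.active_accept_keys(now):
            if key.key_id == key_id:
                return hmac.compare_digest(key.digest(message), digest)
        return False               # unknown key ID, or its accept lifetime has ended


def example_keychain(tolerance_seconds: int = 0) -> Keychain:
    """Keys 1 and 2 with the lifetimes configured above; key strings are constructed."""
    def at(hour: int) -> datetime:
        return datetime(2015, 2, 6, hour, 0, 0)
    return Keychain("abc", keys=[
        Key(1, b"constructed-key-string-1", "md5", at(10), at(11), at(10), at(11)),
        Key(2, b"constructed-key-string-2", "hmac-md5", at(11), at(12), at(11), at(12)),
    ], accept_tolerance=timedelta(seconds=tolerance_seconds))
```

Two practical points the model makes explicit: with no accept tolerance, a packet signed at 10:59:59 with key 1 and received at 11:00:00 is rejected, so the routers must be time-synchronized or a tolerance must be configured; and once the last key's send lifetime ends, sign() fails, so keychains must be extended before the final lifetime expires.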
Managing public keys
Overview
This chapter describes public key management for the following asymmetric key algorithms:
• Rivest-Shamir-Adleman Algorithm (RSA).
• Digital Signature Algorithm (DSA).
• Elliptic Curve Digital Signature Algorithm (ECDSA).
Many security applications, including SSH, SSL, and PKI, use asymmetric key algorithms to secure communications between two parties, as shown in Figure 113.
• When you create an RSA or DSA key pair, enter an appropriate key modulus length at the prompt. The longer the key modulus, the higher the security but the longer the key generation time. Prefer a modulus of at least 2048 bits where the peer supports it; the 1024-bit default used in the examples below is below current recommendations. When you create an ECDSA key pair, choose the appropriate elliptic curve. The elliptic curve determines the ECDSA key length.
Distributing a local host public key You must distribute a local host public key to a peer device so the peer device can perform the following operations: • Use the public key to encrypt information sent to the local device. •...
Task: Display local DSA public keys.
Command: display public-key local dsa public [ name key-name ]
NOTE:
Do not distribute the RSA server public key serverkey (default) to a peer device.
Destroying a local key pair
To avoid key compromise, destroy the local key pair and generate a new pair after any of the following conditions occurs:
•...
Entering a peer host public key Before you perform this task, make sure you have displayed the key on the peer device and recorded the key. For information about displaying a host public key, see "Displaying a host public key." Use the display public-key local public command to display the public key on the peer device.
Figure 108 Network diagram (Device A, Device B)
Configuration procedure
Configure Device A:
# Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits.
<DeviceA> system-view
[DeviceA] public-key local create rsa
The range of public key modulus is (512 ~ 2048).
[DeviceB-pkey-public-key-devicea]30819F300D06092A864886F70D010101050003818D003081 2818100DA3B90F59237347B
[DeviceB-pkey-public-key-devicea]8D41B58F8143512880139EC9111BFD31EB84B6B7C7A14700 C8F04A827B30C2CAF79242E
[DeviceB-pkey-public-key-devicea]45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A744 88EC54A5D31EFAE4F681257
[DeviceB-pkey-public-key-devicea]6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F B1F2D561BF66EA27DFD4788
[DeviceB-pkey-public-key-devicea]CB47440AF6BB25ACA50203010001
# Save the public key and return to system view.
[DeviceB-pkey-public-key-devicea] peer-public-key end
Verifying the configuration
# Verify that the peer host public key configured on Device B is the same as the key displayed on Device A.
# Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits.
<DeviceA> system-view
[DeviceA] public-key local create rsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Connected to 10.1.1.1 (10.1.1.1).
220 FTP service ready.
User(10.1.1.1:(none)):ftp
331 Password required for ftp.
Password:
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> binary
200 TYPE is now 8-bit binary
ftp> get devicea.pub
227 Entering Passive Mode (10,1,1,1,118,252)
150 Accepted data connection
226 File successfully transferred...
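The hex string that display public-key local rsa public prints, and that is typed into the peer-public-key view or carried in devicea.pub, is a DER-encoded SubjectPublicKeyInfo structure. The verification step in both examples above ("the peer host public key configured on Device B is the same as the key displayed on Device A") is best done by parsing both copies and comparing the modulus and exponent, or a fingerprint of the DER, rather than eyeballing hex. The following is an added example, not HPE code: it encodes and parses the RSA form of that structure and compares two copies as they would be pasted from CLI output (line breaks and letter case ignored). The modulus used in the test is a constructed placeholder, not a real RSA key; the parser accepts any well-formed rsaEncryption key.

```python
"""DER SubjectPublicKeyInfo for RSA: encode, parse, fingerprint and compare."""
import hashlib
import re
from typing import Tuple

RSA_OID = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1 rsaEncryption


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:                          # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _tlv(0x02, body)


def encode_rsa_spki(n: int, e: int) -> bytes:
    """SEQUENCE { SEQUENCE { OID rsaEncryption, NULL }, BIT STRING { SEQUENCE { n, e } } }"""
    rsa_key = _tlv(0x30, _der_int(n) + _der_int(e))
    alg_id = _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
    return _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + rsa_key))   # 0x00 = no unused bits


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, position after the element) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(der: bytes) -> Tuple[int, int]:
    """Extract (modulus, public exponent); raise ValueError if this is not an RSA key."""
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, alg_id, pos = _read_tlv(spki, 0)
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_key, _ = _read_tlv(bitstr, 1)
    tag_n, n_body, pos = _read_tlv(rsa_key, 0)
    tag_e, e_body, _ = _read_tlv(rsa_key, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("RSAPublicKey integers missing")
    return int.from_bytes(n_body, "big"), int.from_bytes(e_body, "big")


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, a compact value to compare out of band."""
    return hashlib.sha256(der).hexdigest()


def same_key(hex_a: str, hex_b: str) -> bool:
    """Compare two keys as copied from CLI output; whitespace, line breaks and case are ignored."""
    def clean(text: str) -> bytes:
        return bytes.fromhex(re.sub(r"\s+", "", text))
    return parse_rsa_spki(clean(hex_a)) == parse_rsa_spki(clean(hex_b))
```

The encoded prefix for a 1024-bit key is 30819F300D06092A864886F70D0101010500 03818D00 308189 028181 00..., which is what the Device B transcript above shows (the copy on the page has lost a few characters in the third field), so a parse failure on a pasted key is a reliable sign of a transcription error rather than a key mismatch.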
Configuring PKI
Overview
Public Key Infrastructure (PKI) is an asymmetric key infrastructure to encrypt and decrypt data for securing network services. Data encrypted with the public key can be decrypted only with the private key. Likewise, data encrypted with the private key can be decrypted only with the public key. PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity.
• The association between the subject and CA is changed. For example, when an employee terminates employment with an organization.
CA policy
A CA policy is a set of criteria that a CA follows to process certificate requests, to issue and revoke certificates, and to publish CRLs.
The RA verifies the identity of the entity and sends a digital signature containing the identity information and the public key to the CA. The CA verifies the digital signature, approves the request, and issues a certificate. After receiving the certificate from the CA, the RA sends the certificate to the certificate repositories and notifies the PKI entity that the certificate has been issued.
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
PKI configuration task list
Tasks at a glance
(Required.) Configuring a PKI entity
(Required.)
Step 629. Create a PKI entity and enter its view.
Command: pki entity entity-name
Remarks: By default, no PKI entities exist. To create multiple entities, repeat this step.
• Configure individual DN attributes to construct the subject DN string:
Set the common name attribute: ...
Step 635. Specify the trusted CA.
Command: ca identifier name
Remarks: By default, no trusted CA is specified. To obtain a CA certificate, the trusted CA name must be provided. The trusted CA name uniquely identifies the CA to be used if multiple CAs exist on the same CA server.
Configuration guidelines
The following guidelines apply to certificate request for an entity in a PKI domain:
• Make sure the device is time synchronized with the CA server. Otherwise, the certificate request might fail because the certificate might be considered to be outside of the validity period. For information about how to configure the system time, see Fundamentals Configuration Guide.
Manually requesting a certificate
Before you manually submit a certificate request, make sure the CA certificate exists and a key pair is specified for the PKI domain:
• The CA certificate is used to verify the authenticity and validity of the obtained local certificate.
•...
• In offline mode, obtain the certificates by an out-of-band means like FTP, disk, or email, and then import them locally. Use this mode when the CRL repository is not specified, the CA server does not support SCEP, or the CA server generates the key pair for the certificates. •...
Verifying PKI certificates
A certificate is automatically verified when it is requested, obtained, or used by an application. If the certificate expires, if it is not issued by a trusted CA, or if it is revoked, the certificate cannot be used. You can also manually verify a certificate.
Step 665. Manually verify the validity of the certificates.
Command: pki validate-certificate domain domain-name { ca | local }

Verifying certificates without CRL checking
Step 666. Enter system view.
Command: system-view
Step 667. Enter PKI domain view.
Command: pki domain domain-name
Step 668.
Remarks: By default, CRL checking is
To export certificates:
Step 672. Enter system view.
Command: system-view
Export certificates:
• In DER format: pki export domain domain-name der { all | ca | local } filename filename...
Remarks: If you do not specify a file name when you export a certificate in PEM format, this command displays the certificate content
Configuring a certificate-based access control policy
Certificate-based access control policies allow you to authorize access to a device (for example, an HTTPS server) based on the attributes of an authenticated client's certificate. A certificate-based access control policy is a set of access control rules (permit or deny statements), each associated with a certificate attribute group.
Displaying and maintaining PKI
Execute display commands in any view.
Task: Display the contents of a certificate.
Command: display pki certificate domain domain-name { ca | local | peer [ serial serial-num ] }
Task: Display the certificate renewal status.
Command: display pki certificate renew-status [ domain domain-name ]
Task: Display certificate request status.
Command: display pki certificate request-status [ domain domain-name ]
Configure parameters in the Jurisdiction Configuration section on the management page of the CA server: Select the correct extension profiles. Enable the SCEP autovetting function to enable the CA server to automatically approve certificate requests without manual intervention. Specify the IP address list for SCEP autovetting.
fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB
SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8
Is the finger print correct?(Y/N):y
Retrieved the certificates successfully.
# Submit a certificate request manually and set the certificate revocation password to 1111. The certificate revocation password is required when an RSA Keon CA server is used.
f1:ba:89:b8:af:fa:63:c6:c9:77:10:45:0d:8f:a6:7f:b9:e8:
25:90:4a:8e:c6:cc:b8:1a:f8:e0:bc:17:e0:6a:11:ae:e7:36:
87:c4:b0:49:83:1c:79:ce:e2:a3:4b:15:40:dd:fe:e0:35:52:
ed:6d:83:31:2c:c2:de:7c:e0:a7:92:61:bc:03:ab:40:bd:69:
1b:f5
To display detailed information about the CA certificate, use the display pki certificate domain command.

Requesting a certificate from a Windows Server 2003 CA server
Network requirements
Configure the PKI entity (the device) to request a local certificate from a Windows Server 2003 CA server.
Configuring the device
Synchronize the device's system time with the CA server for the device to correctly request certificates. (Details not shown.)
Create an entity named aaa and set the common name to test.
<Device> system-view
[Device] pki entity aaa
[Device-pki-entity-aaa] common-name test
[Device-pki-entity-aaa] quit
Configure a PKI domain:...
Verifying the config​uration
# Display information about the local certificate in PKI domain winserver.
[Device] display pki certificate domain winserver local
Certificate:
Data:
Version: 3 (0x2)
Serial Number: (Negative)01:03:99:ff:ff:ff:ff:fd:11
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=sec
Validity
Not Before: Dec 24 07:09:42 2012 GMT
Not After : Dec 24 07:19:42 2013 GMT
Subject: CN=test
Subject Public Key Info:...
Full Name: URI:file://\\g07904c\CertEnroll\sec.crl Authority Information Access: CA Issuers - URI:http://gc/CertEnroll/gc_sec.crt CA Issuers - URI:file://\\gc\CertEnroll\gc_sec.crt 1.3.6.1.4.1.311.20.2: .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e Signature Algorithm: sha1WithRSAEncryption 76:f0:6c:2c:4d:bc:22:59:a7:39:88:0b:5c:50:2e:7a:5c:9d: 6c:28:3c:c0:32:07:5a:9c:4c:b6:31:32:62:a9:45:51:d5:f5: 36:8f:47:3d:47:ae:74:6c:54:92:f2:54:9f:1a:80:8a:3f:b2: 14:47:fa:dc:1e:4d:03:d5:d3:f5:9d:ad:9b:8d:03:7f:be:1e: 29:28:87:f7:ad:88:1c:8f:98:41:9a:db:59:ba:0a:eb:33:ec: cf:aa:9b:fc:0f:69:3a:70:f2:fa:73:ab:c1:3e:4d:12:fb:99: 31:51:ab:c2:84:c0:2f:e5:f6:a7:c3:20:3c:9a:b0:ce:5a:bc: 0f:d9:34:56:bc:1e:6f:ee:11:3f:7c:b2:52:f9:45:77:52:fb: 46:8a:ca:b7:9d:02:0d:4e:c3:19:8f:81:46:4e:03:1f:58:03: bf:53:c6:c4:85:95:fb:32:70:e6:1b:f3:e4:10:ed:7f:93:27: 90:6b:30:e7:81:36:bb:e2:ec:f2:dd:2b:bb:b9:03:1c:54:0a: 00:3f:14:88:de:b8:92:63:1e:f5:b3:c2:cf:0a:d5:f4:80:47: 6f:fa:7e:2d:e3:a7:38:46:f6:9e:c7:57:9d:7f:82:c7:46:06: 7d:7c:39:c4:94:41:bd:9e:5c:97:86:c8:48:de:35:1e:80:14: 02:09:ad:08 To display detailed information about the CA certificate, use the display pki certificate domain command.
Create a PKI entity named aaa and configure the common name, country code, organization name, and OU for the entity.
<Device> system-view
[Device] pki entity aaa
[Device-pki-entity-aaa] common-name rnd
[Device-pki-entity-aaa] country CN
[Device-pki-entity-aaa] organization test
[Device-pki-entity-aaa] organization-unit software
[Device-pki-entity-aaa] quit
Configure a PKI domain:
# Create a PKI domain named openca and enter its view.
Verifying the configuration
# Display information about the local certificate in PKI domain openca.
[Device] display pki certificate domain openca local
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 21:1d:b8:d2:e4:a9:21:28:e4:de
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=mysubUnit, CN=sub-ca, DC=pki-subdomain, DC=mydomain-sub, DC=com
Validity
Not Before: Jun 30 09:09:09 2011 GMT...
Authority Information Access: CA Issuers - URI:http://192.168.222.218/pki/pub/cacert/cacert.crt OCSP - URI:http://192.168.222.218:2560/ 1.3.6.1.5.5.7.48.12 - URI:http://192.168.222.218:830/ X509v3 CRL Distribution Points: Full Name: URI:http://192.168.222.218/pki/pub/crl/cacrl.crl Signature Algorithm: sha256WithRSAEncryption 5c:4c:ba:d0:a1:35:79:e6:e5:98:69:91:f6:66:2a:4f:7f:8b: 0e:80:de:79:45:b9:d9:12:5e:13:28:17:36:42:d5:ae:fc:4e: ba:b9:61:f1:0a:76:42:e7:a6:34:43:3e:2d:02:5e:c7:32:f7: 6b:64:bb:2d:f5:10:6c:68:4d:e7:69:f7:47:25:f5:dc:97:af: ae:33:40:44:f3:ab:e4:5a:a0:06:8f:af:22:a9:05:74:43:b6: e4:96:a5:d4:52:32:c2:a8:53:37:58:c7:2f:75:cf:3e:8e:ed: 46:c9:5a:24:b1:f5:51:1d:0f:5a:07:e6:15:7a:02:31:05:8c: 03:72:52:7c:ff:28:37:1e:7e:14:97:80:0b:4e:b9:51:2d:50: 98:f2:e4:5a:60:be:25:06:f6:ea:7c:aa:df:7b:8d:59:79:57: 8f:d4:3e:4f:51:c1:34:e6:c1:1e:71:b5:0d:85:86:a5:ed:63: 1e:08:7f:d2:50:ac:a0:a3:9e:88:48:10:0b:4a:7d:ed:c1:03: 9f:87:97:a3:5e:7d:75:1d:ac:7b:6f:bb:43:4d:12:17:9a:76: b0:bf:2f:6a:cc:4b:cd:3d:a1:dd:e0:dc:5a:f3:7c:fb:c3:29: b0:12:49:5c:12:4c:51:6e:62:43:8b:73:b9:26:2a:f9:3d:a4: 81:99:31:89 To display detailed information about the CA certificate, use the display pki certificate domain command.
Figure 115 Network diagram: PKI certificate system (CA 1 at 1.1.1.101/32, LDAP 1 at 1.1.1.102/32, RA 1 at 1.1.1.100/32); Device A and Device B, each attached through GE2/0/1 (addresses 3.3.3.1/24 and 2.2.2.1/24) across the Internet; Host A 10.1.1.2/24 and Host B 11.1.1.2/24.
Configuring the Windows Server 2003 CA server
See "Requesting a certificate from a Windows Server 2003 CA server."
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys......++++++
........++++++
Create the key pair successfully.
# Obtain the CA certificate and save it locally.
[DeviceA] pki retrieve-certificate domain 1 ca
# Submit a certificate request manually.
[DeviceA] pki request-certificate domain 1
# Create IKE proposal 1, and configure the authentication method as RSA digital signature.
[DeviceB] pki retrieve-certificate domain 1 ca
# Submit a certificate request manually.
[DeviceB] pki request-certificate domain 1
# Create IKE proposal 1, and configure the authentication method as RSA digital signature.
[DeviceB] ike proposal 1
[DeviceB-ike-proposal-1] authentication-method rsa-signature
[DeviceB-ike-proposal-1] quit
# Reference the PKI domain used in IKE negotiation for IKE profile peer.
# Create a certificate attribute group named mygroup1 and add two attribute rules. The first rule defines that the DN in the subject DN contains the string aabbcc. The second rule defines that the IP address of the certificate issuer is 10.0.0.1.
[Device] pki certificate attribute-group mygroup1
[Device-pki-cert-attribute-group-mygroup1] attribute 1 subject-name dn ctn aabbcc
[Device-pki-cert-attribute-group-mygroup1] attribute 2 issuer-name ip equ 10.0.0.1...
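How a policy built from such groups decides on a client certificate is shown by the following model of the evaluation. It is an added example, not HPE code or the device's implementation: an attribute group is a list of attribute rules that must all match, a policy is an ordered list of permit/deny rules that each reference a group, and the first matching rule decides. mygroup1 carries the two rules configured above; mygroup2, the policy rules, and the certificates in the test are constructed. Two behaviours are this example's own assumptions and must be checked against the device: a group with no attribute rules matches every certificate, and a certificate that matches no rule is denied.

```python
"""Certificate-based access control: attribute groups and ordered permit/deny rules."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Cert:
    """The certificate fields the rules can test, as printed by display pki certificate."""
    subject_dn: str
    issuer_dn: str
    subject_fqdns: List[str] = field(default_factory=list)   # Subject Alternative Name, DNS entries
    subject_ips: List[str] = field(default_factory=list)     # Subject Alternative Name, IP entries
    issuer_fqdns: List[str] = field(default_factory=list)    # Issuer Alternative Name, DNS entries
    issuer_ips: List[str] = field(default_factory=list)      # Issuer Alternative Name, IP entries


def _values(cert: Cert, target: str, kind: str) -> List[str]:
    """Pick the certificate values an attribute rule compares against."""
    if kind == "dn":
        return [cert.subject_dn if target == "subject-name" else cert.issuer_dn]
    if target == "issuer-name":
        return cert.issuer_fqdns if kind == "fqdn" else cert.issuer_ips
    return cert.subject_fqdns if kind == "fqdn" else cert.subject_ips   # subject-name / alt-subject-name


@dataclass
class AttrRule:
    target: str    # subject-name | issuer-name | alt-subject-name
    kind: str      # dn | fqdn | ip
    op: str        # ctn | nctn | equ | nequ
    value: str

    def matches(self, cert: Cert) -> bool:
        want = self.value.lower()
        exact = self.op in ("equ", "nequ")
        found = any((want == have) if exact else (want in have)
                    for have in (v.lower() for v in _values(cert, self.target, self.kind)))
        return found if self.op in ("equ", "ctn") else not found   # n-prefixed operators negate


@dataclass
class AccessControlPolicy:
    name: str
    groups: Dict[str, List[AttrRule]]
    rules: List[Tuple[int, str, str]]        # (rule id, "permit" or "deny", group name)

    def evaluate(self, cert: Cert) -> Tuple[str, int]:
        """Return (action, rule id); rule id 0 means no rule matched (denied, by assumption)."""
        for rule_id, action, group in sorted(self.rules):
            if all(rule.matches(cert) for rule in self.groups.get(group, [])):
                return action, rule_id
        return "deny", 0


def example_policy() -> AccessControlPolicy:
    return AccessControlPolicy(
        name="mypolicy",
        groups={
            # attribute 1 subject-name dn ctn aabbcc / attribute 2 issuer-name ip equ 10.0.0.1
            "mygroup1": [AttrRule("subject-name", "dn", "ctn", "aabbcc"),
                         AttrRule("issuer-name", "ip", "equ", "10.0.0.1")],
            # constructed group: alt-subject-name fqdn nctn aabbcc / issuer-name ip equ 10.0.0.1
            "mygroup2": [AttrRule("alt-subject-name", "fqdn", "nctn", "aabbcc"),
                         AttrRule("issuer-name", "ip", "equ", "10.0.0.1")],
        },
        rules=[(1, "deny", "mygroup1"), (2, "permit", "mygroup2")],
    )
```

Note that ctn is a plain substring test on the printed DN, so a rule such as "subject-name dn ctn test" also matches a subject containing "contest"; anchor on a full attribute (for example "CN=test,") or use equ when the intent is an exact identity.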
Transfer the certificate files from Device A to Device B through the FTP host.
Import the certificate files to PKI domain importdomain on Device B.
Figure 117 Network diagram: Device A, 1) Export, IP network, Host; Device B, 2) Import, IP network, Host.
Configuration procedure...
-----END ENCRYPTED PRIVATE KEY----- # Display the local certificate file pkilocal.pem-encryption. <DeviceA> more pkicachain.pem-encr Bag Attributes friendlyName: localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8 subject=/C=CN/O=OpenCA Labs/OU=Users/CN=subencr 11 issuer=/C=CN/L=shangdi/ST=pukras/O=OpenCA Labs/OU=docm/CN=subca1 -----BEGIN CERTIFICATE----- MIIEUDCCAzigAwIBAgIKCHxnAVyzWhIPLzANBgkqhkiG9w0BAQsFADBmMQswCQYD...
Version: 3 (0x2) Serial Number: 98:2c:79:ba:5e:8d:97:39:53:00 Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=docm, CN=subca1 Validity Not Before: May 26 05:56:49 2011 GMT Not After : Nov 22 05:56:49 2012 GMT Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subsign 11 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit)
X509v3 CRL Distribution Points: Full Name: URI:http://192.168.40.130/pki/pub/crl/cacrl.crl Signature Algorithm: sha256WithRSAEncryption 18:e7:39:9a:ad:84:64:7b:a3:85:62:49:e5:c9:12:56:a6:d2: 46:91:53:8e:84:ba:4a:0a:6f:28:b9:43:bc:e7:b0:ca:9e:d4: 1f:d2:6f:48:c4:b9:ba:c5:69:4d:90:f3:15:c4:4e:4b:1e:ef: 2b:1b:2d:cb:47:1e:60:a9:0f:81:dc:f2:65:6b:5f:7a:e2:36: 29:5d:d4:52:32:ef:87:50:7c:9f:30:4a:83:de:98:8b:6a:c9: 3e:9d:54:ee:61:a4:26:f3:9a:40:8f:a6:6b:2b:06:53:df:b6: 5f:67:5e:34:c8:c3:b5:9b:30:ee:01:b5:a9:51:f9:b1:29:37: 02:1a:05:02:e7:cc:1c:fe:73:d3:3e:fa:7e:91:63:da:1d:f1: db:28:6b:6c:94:84:ad:fc:63:1b:ba:53:af:b3:5d:eb:08:b3: 5b:d7:22:3a:86:c3:97:ef:ac:25:eb:4a:60:f8:2b:a3:3b:da: 5d:6f:a5:cf:cb:5a:0b:c5:2b:45:b7:3e:6e:39:e9:d9:66:6d: ef:d3:a0:f6:2a:2d:86:a3:01:c4:94:09:c0:99:ce:22:19:84: 2b:f0:db:3e:1e:18:fb:df:56:cb:6f:a2:56:35:0d:39:94:34: 6d:19:1d:46:d7:bf:1a:86:22:78:87:3e:67:fe:4b:ed:37:3d: d6:0a:1c:0b Certificate: Data: Version: 3 (0x2) Serial Number: 08:7c:67:01:5c:b3:5a:12:0f:2f Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=docm, CN=subca1 Validity Not Before: May 26 05:58:26 2011 GMT Not After : Nov 22 05:58:26 2012 GMT...
X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Server X509v3 Key Usage: Key Encipherment, Data Encipherment Netscape Comment: VPN Server of OpenCA Labs X509v3 Subject Key Identifier: CC:96:03:2F:FC:74:74:45:61:38:1F:48:C0:E8:AA:18:24:F0:2B:AB X509v3 Authority Key Identifier: keyid:70:54:40:61:71:31:02:06:8C:62:11:0A:CC:A5:DB:0E:7E:74:DE:DD X509v3 Subject Alternative Name: email:subencr@docm.com X509v3 Issuer Alternative Name: DNS:subca1@docm.com, DNS:, IP Address:1.1.2.2, IP Address:2.2.1.1 Authority Information Access: CA Issuers - URI:http://titan/pki/pub/cacert/cacert.crt...
Troubleshooting PKI configuration
This section provides troubleshooting information for common problems with PKI.
Failed to obtain the CA certificate
Symptom
The CA certificate cannot be obtained.
Analysis
• The network connection is down, for example, because the network cable is damaged or the connectors have bad contact.
Solution Fix the network connection problems, if any. Obtain or import the CA certificate. Configure the correct LDAP server parameters. Specify the key pair used for certificate request in the PKI domain, or remove the existing key pair and submit a certificate request again. Check the registration policy on the CA or RA, and make sure the attributes of the PKI entity meet the policy requirements.
Failed to obtain CRLs Symptom CRLs cannot be obtained. Analysis • The network connection is down, for example, because the network cable is damaged or the connectors have bad contact. • The PKI domain does not have a CA certificate before you try to obtain CRLs. •...
Solution Use the undo crl check enable command to disable CRL checking. Make sure the format of the imported file is correct. If the problem persists, contact Hewlett Packard Enterprise Support. Failed to import a local certificate Symptom A local certificate cannot be imported. Analysis •...
Solution Obtain or request local certificates first. Use the mkdir command to create the required path. Specify a correct export path. Configure the correct key pair in the PKI domain. Clear up the storage space of the device. If the problem persists, contact Hewlett Packard Enterprise Support. Failed to set the storage path Symptom The storage path for certificates or CRLs cannot be set.
Configuring IPsec

Overview

IP Security (IPsec) is defined by the IETF to provide interoperable, high-quality, cryptography-based security for IP communications. It is a Layer 3 VPN technology that transmits data in a secure channel established between two endpoints (such as two security gateways). Such a secure channel is usually called an IPsec tunnel.

algorithms such as DES, 3DES, and AES, and authentication algorithms HMAC-MD5 and HMAC-SHA1. Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger. In practice, you can choose either or both security protocols. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH.
Security association

A security association (SA) is an agreement negotiated between two communicating parties called IPsec peers. An SA includes the following parameters for data protection:
• Security protocols (AH, ESP, or both).
• Encapsulation mode (transport mode or tunnel mode).
•...
• AES—Encrypts plaintext data with a 128-bit, 192-bit, or 256-bit key. AES provides the highest security strength and is slower than 3DES.

Crypto engine

The IPsec feature is resource intensive because of its complex encryption/decryption and authentication algorithms. To improve processing performance, you can use a crypto engine to offload IPsec tasks. The crypto engine processes all IPsec protected packets and hands the processed packets back to the device for forwarding.
Tunnel interface-based IPsec

To implement tunnel interface-based IPsec, configure an IPsec profile and apply the IPsec profile to a tunnel interface. All traffic, including multicast traffic, routed to the tunnel interface is protected by IPsec. Tunnel interface-based IPsec only supports the tunnel encapsulation mode. In the current software version, tunnel interface-based IPsec is supported only on ADVPN and IPsec tunnel interfaces.

[Figure 122 Tunnel interface de-encapsulation: on the device, encapsulated packets arrive at the input interface (inbound, from the IPsec tunnel), pass through the forwarding module to the tunnel interface for de-encapsulation, and leave as clear text packets through the output interface (outbound).]

As shown in Figure 128, a tunnel interface de-encapsulates an IP packet as follows: Upon receiving an encapsulated packet, the inbound interface sends the packet to the forwarding module.

[Figure 123 IPsec VPN: Enterprise Center, Branch A, Branch B, and Branch C connected over the Internet by IPsec tunnels; the figure lists the static routes ip route-static BranchA_network …, ip route-static BranchB_network …, and ip route-static BranchC_network ...]

IPsec Reverse Route Injection (RRI) enables an IPsec tunnel gateway to automatically add static routes destined for protected private networks or static routes destined for peer IPsec tunnel gateways to a routing table.

IPsec tunnels can be established in different methods. Choose a correct method to establish IPsec tunnels according to your network conditions:
• ACL-based IPsec tunnel—Protects packets identified by an ACL. To establish an ACL-based IPsec tunnel, configure an IPsec policy, specify an ACL in the policy, and apply the policy to an interface (see "Implementing ACL-based IPsec").

Tasks at a glance
(Optional.) Configuring SNMP notifications for IPsec
(Optional.) Configuring IPsec fragmentation
(Optional.) Setting the maximum number of IPsec tunnels
(Optional.) Enabling logging for IPsec negotiation

Configuring an ACL

IPsec uses ACLs to identify the traffic to be protected.

Keywords in ACL rules

An ACL is a collection of ACL rules.
 rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255
 rule 1 deny ip
acl advanced 3001
 rule 0 permit ip source 1.1.2.0 0.0.0.255 destination 3.3.3.0 0.0.0.255
 rule 1 deny ip
ipsec policy testa 1 isakmp          <---IPsec policy entry with a higher priority
 security acl 3000
 ike-profile aa
 transform-set 1...

[Figure 124 Mirror image ACLs: Host A (1.1.1.1) in Network 1 (1.1.1.0/24) and Host C (2.2.2.2) in Network 2 (2.2.2.0/24), connected through Router A (GE1/0/1) and Router B (GE1/0/2) across an IP network. On the Router A side, ACL1: rule permit 1.1.1.1 -> 2.2.2.2 and ACL2: rule permit 1.1.1.0/24 -> 2.2.2.0/24. On the Router B side, ACL1: rule permit 2.2.2.2 -> 1.1.1.1 and ACL2: rule permit 2.2.2.0/24 -> ...]

ike profile vpn1
 keychain vpn1
 match remote identity address 8.8.8.1 255.255.255.255
 inside-vpn vpn-instance vpn1

[Figure 126 IPsec for MPLS L3VPN: Device A and Device B connected across an IP network, with VPN1 and the addresses 1.1.1.1/24, 3.3.3.1/24, 2.2.2.1/16, and 8.8.8.1/16.]

Configuring an IPsec transform set

An IPsec transform set, part of an IPsec policy, defines the security parameters for IPsec SA negotiation, including the security protocol, encryption algorithms, and authentication algorithms.
Step: (continued)
Command: • (In non-FIPS mode.) Specify the encryption algorithm for ESP: esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 ...
Remarks: Configure at least one command. By default, no security algorithm is specified.

Step: 687. (Optional.) Enable the Perfect Forward Secrecy (PFS) feature, using the Diffie-Hellman (DH) group of the ... security level ...
Command: In non-FIPS mode: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 | dh-group19 ...
Remarks: By default, the PFS feature is not used for SA negotiation. For more information about PFS, see "Configuring IKE."
Step: 691. (Optional.) Configure a description for the IPsec policy.
Command: description text
Remarks: By default, no description is configured.

Step: 692. Specify an ACL for the IPsec policy.
Command: security acl [ ipv6 ] { acl-number ...
Remarks: By default, no ACL is specified for an IPsec policy.

Configuring an IKE-based IPsec policy

In an IKE-based IPsec policy, the parameters are automatically negotiated through IKE. To configure an IKE-based IPsec policy, use one of the following methods:
• Directly configure it by configuring the parameters in IPsec policy view.
•...
Step: 702. Specify an IKE profile for the IPsec policy.
Command: ike-profile profile-name
Remarks: By default, no IKE profile is specified for an IPsec policy, and the device selects an IKE profile configured in system view for negotiation. If no IKE profile is configured globally, ...
Configuring an IKE-based IPsec policy by using an IPsec policy template

The configurable parameters for an IPsec policy template are the same as those when you directly configure an IKE-based IPsec policy. The difference is that more parameters are optional for an IPsec policy template.

Remarks: By default, the local IPv4 address of the IPsec tunnel is the primary IPv4 address of the interface to which the IPsec policy is applied, and the local IPv6 address of the IPsec tunnel is the first IPv6 address of the interface to which the IPsec policy is applied.
When the interface receives an IPsec packet destined for the local device, it searches for the inbound IPsec SA according to the SPI in the IPsec packet header for de-encapsulation. If the de-encapsulated packet matches a permit rule of the ACL, the device processes the packet. If the de-encapsulated packet does not match any permit rule of the ACL, the device drops the packet.
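The flow selection and inbound permit check described above, together with the mirror-image requirement illustrated in Figure 124, modelled in Python as an added example. This is not HPE/H3C code: the rule syntax it parses is the guide's "rule permit ip source A W destination B W" form with wildcard masks, the sample ACLs and addresses are constructed, and it assumes that the inbound check matches the de-encapsulated packet against the local ACL with source and destination swapped, which is what makes the two ends' ACLs have to be mirror images.

```python
"""Model of how an IPsec ACL selects outbound flows and checks inbound ones.

Added example, not HPE/H3C code. Assumption: the inbound check compares the
de-encapsulated packet against the local ACL with source and destination
swapped, which is why the peer's ACL must be the mirror image of the local one.
"""
import ipaddress
import re
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF

# Rule syntax: "rule [id] permit|deny ip [source A W] [destination B W]".
# W is a wildcard mask (0.0.0.255 = /24, 0.0.0.0 = one host); a missing clause means "any".
RULE_RE = re.compile(
    r"rule(?:\s+\d+)?\s+(?P<action>permit|deny)\s+ip"
    r"(?:\s+source\s+(?P<src>\S+)\s+(?P<swild>\S+))?"
    r"(?:\s+destination\s+(?P<dst>\S+)\s+(?P<dwild>\S+))?"
)


@dataclass(frozen=True)
class Rule:
    action: str
    src: int       # source prefix bits, already masked with src_care
    src_care: int  # bits that must match (the inverse of the wildcard mask)
    dst: int
    dst_care: int


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_rule(text: str) -> Rule:
    m = RULE_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised ACL rule: {text!r}")

    def prefix(addr, wild):
        if addr is None:               # no clause: match any address
            return 0, 0
        care = ~_addr(wild) & MASK32   # wildcard 0 bits are the bits that must match
        return _addr(addr) & care, care

    src, src_care = prefix(m["src"], m["swild"])
    dst, dst_care = prefix(m["dst"], m["dwild"])
    return Rule(m["action"], src, src_care, dst, dst_care)


def parse_acl(lines):
    return [parse_rule(line) for line in lines if line.strip().startswith("rule")]


def match(acl, src_ip: str, dst_ip: str):
    """First-match lookup: returns 'permit', 'deny', or None when no rule matches."""
    s, d = _addr(src_ip), _addr(dst_ip)
    for r in acl:
        if (s & r.src_care) == r.src and (d & r.dst_care) == r.dst:
            return r.action
    return None


def inbound_check(acl, pkt_src: str, pkt_dst: str) -> bool:
    """Inbound side: the de-encapsulated packet travels in the peer's outbound
    direction, so it is matched against the local ACL with the addresses swapped."""
    return match(acl, pkt_dst, pkt_src) == "permit"


def mirror(rule: Rule) -> Rule:
    return Rule(rule.action, rule.dst, rule.dst_care, rule.src, rule.src_care)


def is_mirror_image(acl_a, acl_b) -> bool:
    """True when the permit rules on the two ends are exact mirror images."""
    permits_a = {r for r in acl_a if r.action == "permit"}
    permits_b = {r for r in acl_b if r.action == "permit"}
    return {mirror(r) for r in permits_a} == permits_b


# Constructed ACLs in the style of the guide's Router A / Router B examples.
ROUTER_A_ACL = parse_acl([
    "rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255",
    "rule 1 deny ip",
])
ROUTER_B_ACL = parse_acl([
    "rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255",
])
ROUTER_B_BAD_ACL = parse_acl([   # host-specific destination: not a mirror image of Router A
    "rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.1 0.0.0.0",
])

if __name__ == "__main__":
    print(match(ROUTER_A_ACL, "10.1.1.7", "10.1.2.9"))          # permit
    print(inbound_check(ROUTER_B_ACL, "10.1.1.7", "10.1.2.9"))  # True
    print(is_mirror_image(ROUTER_A_ACL, ROUTER_B_ACL))          # True
    print(is_mirror_image(ROUTER_A_ACL, ROUTER_B_BAD_ACL))      # False
```

The mirror check ignores deny rules on purpose: only permit rules select traffic for protection, and the trailing "rule deny ip" in the guide's ACL 3000 example is what keeps everything else out of the tunnel, so it has no counterpart to compare. A mismatch like ROUTER_B_BAD_ACL is the configuration error behind "traffic enters the tunnel in one direction only", and checking it before applying the policy is cheaper than reading both peers' display output afterwards.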
IPsec anti-replay does not affect manually created IPsec SAs. According to the IPsec protocol, only IKE-based IPsec SAs support anti-replay checking.

IMPORTANT:
• Failure to detect anti-replay attacks might result in denial of service. If you want to disable IPsec anti-replay, make sure you understand the impact of the operation on network security.
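A sliding-window anti-replay check of the kind the IKE-based SAs above use, with the 64-packet window that the display output in this guide reports as "Anti-replay window size: 64", written in Python as an added example (not HPE/H3C code; the received sequence numbers are a constructed capture):

```python
"""Sliding-window anti-replay check for ESP, added here as an example (not HPE/H3C code).

It follows the RFC 4303 section 3.4.3 window algorithm with the 64-packet
default window shown in the guide's display output.
"""


class AntiReplayWindow:
    """Tracks the highest accepted sequence number and a bitmap of the `size`
    most recent sequence numbers so duplicates and stale packets are dropped."""

    def __init__(self, size: int = 64):
        if size < 1:
            raise ValueError("window size must be positive")
        self.size = size
        self.top = 0          # highest sequence number accepted so far (0: nothing yet)
        self.bitmap = 0       # bit i set <=> sequence number (top - i) was accepted

    def check(self, seq: int) -> str:
        """Classify a received sequence number and update the window on acceptance.
        Returns 'accepted', 'replayed' (seen before), 'stale' (left of the window)
        or 'invalid' (sequence number 0 is never used by a sender)."""
        if seq <= 0:
            return "invalid"
        if seq > self.top:                       # new right edge: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accepted"
        offset = self.top - seq
        if offset >= self.size:                  # older than the window can remember
            return "stale"
        if self.bitmap & (1 << offset):          # already marked: a replay
            return "replayed"
        self.bitmap |= 1 << offset               # late but unseen: accept and mark
        return "accepted"


def replay_trace(seqs, size: int = 64):
    """Run a list of received sequence numbers through one window; returns the verdicts."""
    window = AntiReplayWindow(size)
    return [window.check(s) for s in seqs]


# Constructed capture: in-order packets, one reordered, two replays, then a large
# jump that slides the window past the earlier numbers.
SAMPLE_SEQS = [1, 3, 2, 2, 3, 200, 136, 137, 0]

if __name__ == "__main__":
    for seq, verdict in zip(SAMPLE_SEQS, replay_trace(SAMPLE_SEQS)):
        print(f"seq {seq:>4}: {verdict}")
```

The "stale" verdict is what a packet gets when it arrives more than 64 sequence numbers behind the newest accepted one. On a path that reorders heavily that, and not an actual replay, is the usual source of drops; enlarging the window addresses it, while disabling the check as the IMPORTANT note above discusses removes the protection for the whole SA. Manually keyed SAs, as the paragraph states, never run this check at all.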
Binding a source interface to an IPsec policy

For high availability, a core device is usually connected to an ISP through two links, which operate in backup or load sharing mode. The two interfaces negotiate with their peers to establish IPsec SAs respectively.

Step: 747. Enter system view.
Command: system-view

Step: 748. Enter interface view.
Command: interface interface-type interface-number

Step: 749. Configure the DF bit of IPsec packets on the interface.
Command: ipsec df-bit { clear | copy | set }
Remarks: By default, the interface uses the global DF bit setting.

Step: 753. Enter IPsec policy view or IPsec policy template view.
Command: To enter IPsec policy view: ipsec { policy | ipv6-policy } policy-name seq-number isakmp. To enter IPsec policy template view: ipsec { policy-template | ipv6-policy-template } template-name seq-number
... default, IPsec disabled.
• The IPsec transform set specified in the IPsec profile at the two tunnel ends must have the same security protocol, encryption and authentication algorithms, and packet encapsulation mode.
• The local inbound and outbound IPsec SAs must have the same SPI and key.
•...

Configuring IPsec for tunnels

Configuration task list

Complete the following tasks to configure IPsec for tunnels:

Tasks at a glance
(Required.) Configuring an IPsec transform set
(Required.) Configuring an IKE-based IPsec profile
(Required.) Applying an IKE-based IPsec profile to a tunnel interface
(Optional.) Enabling logging of IPsec packets
(Optional.)

Step: 765. (Optional.) Configure a description for the IPsec profile.
Command: description text
Remarks: By default, no description is configured.

Step: 766. Specify IPsec transform sets.
Command: transform-set transform-set-name&<1-6>
Remarks: By default, no IPsec transform sets are specified in an IPsec profile. The specified IPsec transform sets must use the tunnel mode.

Step: 775. Apply an IKE-based IPsec profile to the tunnel interface.
Command: tunnel protection ipsec profile profile-name
Remarks: By default, no IPsec profile is applied to the tunnel interface.

To apply an IKE-based IPsec profile to an IPsec tunnel interface:
Step Command Remarks...

If you configure the device to fragment packets after IPsec encapsulation, the device directly encapsulates the packets and fragments the encapsulated packets in subsequent service modules. This feature takes effect on IPsec protected IPv4 packets.

To configure IPsec fragmentation:
Step Command Remarks 782.
# Configure a static route to the subnet where Host B resides. The command uses the direct next hop address (2.2.2.3) as an example.
[RouterA] ip route-static 10.1.2.0 255.255.255.0 gigabitethernet 2/0/2 2.2.2.3
# Create an IPsec transform set named tran1.
[RouterA] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.

# Specify the encapsulation mode as tunnel.
[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[RouterB-ipsec-transform-set-tran1] protocol esp
# Specify the ESP encryption and authentication algorithms.
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] quit
# Create a manual IPsec policy entry. Specify the policy name as use1 and set the sequence number to 10.

    Tunnel:
        local address: 2.2.2.1
        remote address: 2.2.3.1
    Flow:
        as defined in ACL 3101
    [Inbound ESP SA]
        SPI: 54321 (0x0000d431)
        Connection ID: 1
        Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
        No duration limit for this SA
    [Outbound ESP SA]
        SPI: 12345 (0x00003039)
        Connection ID: 2
        Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
        No duration limit for this SA

Configuring an IKE-based IPsec tunnel for IPv4 packets
...
[RouterA] ip route-static 10.1.2.0 255.255.255.0 gigabitethernet 2/0/2 2.2.2.3
# Create an IPsec transform set named tran1.
[RouterA] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[RouterA-ipsec-transform-set-tran1] protocol esp
# Specify the ESP encryption and authentication algorithms.

[RouterB-acl-ipv4-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[RouterB-acl-ipv4-adv-3101] quit
# Configure a static route to Host A. The command uses the direct next hop address (2.2.3.3) as an example.
[RouterB] ip route-static 10.1.1.0 255.255.255.0 gigabitethernet 2/0/2 2.2.3.3
# Create an IPsec transform set named tran1.
Verifying the configuration

# Initiate a connection from subnet 10.1.1.0/24 to subnet 10.1.2.0/24 to trigger IKE negotiation. After IPsec SAs are successfully negotiated by IKE, the traffic between the two subnets is IPsec protected.
# Use the display ipsec sa command to display IPsec SAs on Router A and Router B. This example uses Router A to verify the configuration.

        SA remaining duration (kilobytes/sec): 2312/797
        Max sent sequence-number: 1
        UDP encapsulation used for NAT traversal: N
        Status: Active

Configuring an IKE-based IPsec tunnel for IPv6 packets

Network requirements

As shown in Figure 135, establish an IPsec tunnel between Router A and Router B to protect data flows between subnet 333::/64 and subnet 555::/64.
# Create and configure the IKE keychain named keychain1.
[RouterA] ike keychain keychain1
[RouterA-ike-keychain-keychain1] pre-shared-key address ipv6 222::1 64 key simple 123456TESTplat&!
[RouterA-ike-keychain-keychain1] quit
# Create and configure the IKE profile named profile1.
[RouterA] ike profile profile1
[RouterA-ike-profile-profile1] keychain keychain1
[RouterA-ike-profile-profile1] match remote identity address ipv6 222::1 64
[RouterA-ike-profile-profile1] quit
# Create an IKE-based IPsec policy entry.

[RouterB-ipsec-transform-set-tran1] quit
# Create and configure the IKE keychain named keychain1.
[RouterB] ike keychain keychain1
[RouterB-ike-keychain-keychain1] pre-shared-key address ipv6 111::1 64 key simple 123456TESTplat&!
[RouterB-ike-keychain-keychain1] quit
# Create and configure the IKE profile named profile1.
[RouterB] ike profile profile1
[RouterB-ike-profile-profile1] keychain keychain1
[RouterB-ike-profile-profile1] match remote identity address ipv6 111::1 64
[RouterB-ike-profile-profile1] quit
# Create an IKE-based IPsec policy entry.

    Inside VRF:
    Path MTU: 1423
    Tunnel:
        local address: 111::1
        remote address: 222::1
    Flow:
        sour addr: 111::1/0 port: 0 protocol: ipv6
        dest addr: 222::1/0 port: 0 protocol: ipv6
    [Inbound ESP SAs]
        SPI: 3769702703 (0xe0b1192f)
        Connection ID: 1
        Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
        SA duration (kilobytes/sec): 3000/28800
        SA remaining duration (kilobytes/sec): 2300/797
        Max received sequence-number: 1
...
For more information about RIPng configuration, see Layer 3—IP Routing Configuration Guide. Configure an IPsec profile. The IPsec profiles on all the routers must have IPsec transform sets that use the same security protocol, authentication and encryption algorithms, and encapsulation mode. The SPI and key configured for the inbound SA and those for the outbound SA must be the ...
[RouterB-GigabitEthernet2/0/2] ripng 1 enable
[RouterB-GigabitEthernet2/0/2] quit
# Create and configure the IPsec transform set named tran1.
[RouterB] ipsec transform-set tran1
[RouterB-ipsec-transform-set-tran1] encapsulation-mode transport
[RouterB-ipsec-transform-set-tran1] protocol esp
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] quit
# Create and configure the IPsec profile named profile001.
[RouterB] ipsec profile profile001 manual
[RouterB-ipsec-profile-manual-profile001] transform-set tran1
[RouterB-ipsec-profile-manual-profile001] sa spi outbound esp 123456...

[RouterC-ripng-1] enable ipsec-profile profile001
[RouterC-ripng-1] quit

Verifying the configuration

After the configuration is completed, Router A, Router B, and Router C learn IPv6 routing information through RIPng. IPsec SAs are set up successfully on the routers to protect RIPng packets. This example uses Router A to verify the configuration.
• Configure an IPsec tunnel between Router A and each branch gateway (Router B, Router C, and Router D) to protect traffic between subnets 4.4.4.0/24 and 5.5.5.0/24.
• Configure the tunnels to use the security protocol ESP, the encryption algorithm DES, and the authentication algorithm SHA1-HMAC-96.
[RouterA] ipsec policy map1 10 isakmp template temp1
# Create an IKE proposal named 1, and specify 3DES as the encryption algorithm, HMAC-SHA1 as the authentication algorithm, and pre-share as the authentication method.
[RouterA] ike proposal 1
[RouterA-ike-proposal-1] encryption-algorithm 3des-cbc
[RouterA-ike-proposal-1] authentication-algorithm sha
[RouterA-ike-proposal-1] authentication-method pre-share
[RouterA-ike-proposal-1] quit
...

[RouterB] ike keychain key1
[RouterB-ike-keychain-key1] pre-shared-key address 1.1.1.1 key simple 123
[RouterB-ike-keychain-key1] quit
# Apply the IPsec policy map1 to interface GigabitEthernet 2/0/1.
[RouterB] interface gigabitethernet 2/0/1
[RouterB-GigabitEthernet2/0/1] ipsec apply policy map1
[RouterB-GigabitEthernet2/0/1] quit
Make sure Router B has a route to the peer private network, with the outgoing interface as GigabitEthernet 2/0/1.

    [Outbound ESP SAs]
        SPI: 4011716027 (0xef1dedbb)
        Connection ID: 2
        Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
        SA duration (kilobytes/sec): 1843200/3600
        SA remaining duration (kilobytes/sec): 1843199/3590
        Max sent sequence-number: 4
        UDP encapsulation used for nat traversal: N
        Status: Active
# Verify that IPsec RRI has created a static route to reach Router B.
[RouterA] display ip routing-table verbose
Verify that Router A can automatically create static routes to Router C and Router D in the same way that you verify the IPsec RRI feature by using Router A and Router B.
[RouterA-ike-keychain-abc] pre-shared-key address 2.2.3.1 255.255.255.0 key simple 123456TESTplat&!
[RouterA-ike-keychain-abc] quit
# Create an IKE profile named abc.
[RouterA] ike profile abc
# Specify IKE keychain abc for the IKE profile.
[RouterA-ike-profile-abc] keychain abc
# Configure the local ID with the identity type as IP address and the value as 2.2.2.1.
[RouterA-ike-profile-abc] local-identity address 2.2.2.1
# Configure a peer ID with the identity type as IP address and the value as 2.2.3.1/24.

# Configure 123456TESTplat&! in plain text as the pre-shared key to be used with the remote peer at 2.2.2.1.
[RouterB-ike-keychain-abc] pre-shared-key address 2.2.2.1 255.255.255.0 key simple 123456TESTplat&!
[RouterB-ike-keychain-abc] quit
# Create an IKE profile named abc.
[RouterB] ike profile abc
# Specify IKE keychain abc for the IKE profile.
Verifying the configuration

After the configuration is completed, Router A will automatically initiate IKE negotiation with Router B. After IKE negotiation succeeds, the tunnel interface links will come up. After IPsec SAs are established, traffic between the branch and the headquarters will be IPsec protected. This example uses Router A to verify the configuration.
        local address: 2.2.2.1
        remote address: 2.2.3.1
    Flow:
        sour addr: 0.0.0.0/0.0.0.0 port: 0 protocol: ip
        dest addr: 0.0.0.0/0.0.0.0 port: 0 protocol: ip
    [Inbound ESP SAs]
        SPI: 2701952073 (0xa10c8449)
        Connection ID: 4294967296
        Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-MD5
        SA duration (kilobytes/sec): 1843200/3600
        SA remaining duration (kilobytes/sec): 1843200/3180
        Max received sequence-number: 0
        Anti-replay check enable: Y
        Anti-replay window size: 64
...

Configuring IKE

Unless otherwise specified, the term "IKE" in this chapter refers to IKEv1.

Overview

Built on a framework defined by ISAKMP, Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec. IKE provides the following benefits for IPsec:
•...

[Figure 134 IKE exchange process in main mode, between Peer 1 and Peer 2. Algorithm negotiation: the initiator's policy is sent as the local IKE policy, the receiver searches for a matched policy, and the confirmed policy is received (SA exchange). Key generation: the initiator's keying data and the receiver's keying data are exchanged and the key is generated. Identity ...]
DH algorithm

The DH algorithm is a public key algorithm. With this algorithm, two peers can exchange keying material and then use the material to calculate the shared keys. Due to the decryption complexity, a third party cannot decrypt the keys even after intercepting all keying materials. The Perfect Forward Secrecy (PFS) feature is a security feature based on the DH algorithm.
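The DH exchange and the PFS property described above (the feature selected with the pfs command in the IPsec transform set steps earlier in this chapter), worked through in Python as an added example rather than HPE/H3C code. The group is a constructed toy (the Mersenne prime 2^127 - 1 with generator 3), not an IKE DH group such as dh-group14; the phase-1 secret SKEYID_d is a constructed value; the SPI is the 12345 from the manual-SA example in this guide; and the key derivation follows the RFC 2409 quick-mode formula with HMAC-SHA1 as the prf.

```python
"""Diffie-Hellman agreement and what PFS adds to IPsec SA keying.

Added example, not HPE/H3C code. The group is a constructed toy (Mersenne
prime 2^127 - 1, generator 3), not an IKE DH group. Key derivation follows the
RFC 2409 quick-mode formula
    KEYMAT = prf(SKEYID_d, [ g(qm)^xy | ] protocol | SPI | Ni_b | Nr_b)
with HMAC-SHA1 as the prf; the bracketed DH term is present only with PFS.
"""
import hashlib
import hmac
import secrets
from typing import Optional

P = 2**127 - 1   # toy modulus: a known prime, far too small for real use
G = 3
PROTO_ESP = 3    # IPsec DOI protocol identifier for ESP (RFC 2407)


def dh_keypair():
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(own_private: int, peer_public: int) -> int:
    """g^(xy) mod p: both peers compute the same value from the other's public value."""
    return pow(peer_public, own_private, P)


def keymat(skeyid_d: bytes, protocol: int, spi: bytes, ni: bytes, nr: bytes,
           dh_secret: Optional[int] = None) -> bytes:
    """RFC 2409 quick-mode KEYMAT; dh_secret is the fresh g(qm)^xy used with PFS."""
    body = b"" if dh_secret is None else dh_secret.to_bytes(16, "big")
    return hmac.new(skeyid_d, body + bytes([protocol]) + spi + ni + nr, hashlib.sha1).digest()


def quick_mode(skeyid_d: bytes, spi: bytes, pfs: bool):
    """One quick-mode exchange. Returns (initiator KEYMAT, responder KEYMAT, wire),
    where `wire` holds everything an observer on the path can see."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    wire = {"protocol": PROTO_ESP, "spi": spi, "ni": ni, "nr": nr}
    if not pfs:
        k_i = keymat(skeyid_d, PROTO_ESP, spi, ni, nr)
        k_r = keymat(skeyid_d, PROTO_ESP, spi, ni, nr)
        return k_i, k_r, wire
    x_i, g_i = dh_keypair()            # fresh exponents, used for this SA only
    x_r, g_r = dh_keypair()
    wire.update({"g_i": g_i, "g_r": g_r})
    k_i = keymat(skeyid_d, PROTO_ESP, spi, ni, nr, dh_shared(x_i, g_r))
    k_r = keymat(skeyid_d, PROTO_ESP, spi, ni, nr, dh_shared(x_r, g_i))
    return k_i, k_r, wire


def observer_keymat(leaked_skeyid_d: bytes, wire: dict):
    """What someone holding a captured exchange and a later-leaked SKEYID_d can rebuild.
    Without PFS every input is on the wire. With PFS the DH secret is missing: only
    g^x and g^y were sent, and recovering g^xy from them is the DH problem."""
    if "g_i" in wire:
        return None
    return keymat(leaked_skeyid_d, wire["protocol"], wire["spi"], wire["ni"], wire["nr"])


# Constructed phase-1 state, and the SPI from the guide's manual-SA example (12345 = 0x3039).
SKEYID_D = hashlib.sha1(b"constructed phase-1 secret").digest()
SPI = (12345).to_bytes(4, "big")

if __name__ == "__main__":
    k_i, k_r, wire = quick_mode(SKEYID_D, SPI, pfs=False)
    print("no PFS: peers agree:", k_i == k_r,
          "| observer rebuilds key:", observer_keymat(SKEYID_D, wire) == k_i)
    k_i, k_r, wire = quick_mode(SKEYID_D, SPI, pfs=True)
    print("PFS:    peers agree:", k_i == k_r,
          "| observer rebuilds key:", observer_keymat(SKEYID_D, wire) is not None)
```

Run it and the no-PFS line shows that anyone holding SKEYID_d and the captured nonces recomputes the SA key, while with PFS the captured g^x and g^y are not enough: each SA's key also depends on a fresh exponent that never leaves its owner, which is the property the paragraph above calls perfect forward secrecy. The cost is one extra DH computation per IPsec SA, which is why the guide leaves PFS off by default and why the DH group chosen for it should be as strong as the phase-1 group.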
Tasks at a glance:
(Optional.) Configuring an IKE keychain (Remarks: Required when pre-shared authentication is used in IKE negotiation phase 1.)
(Optional.) Configuring the global identity information
(Optional.) Configuring the IKE keepalive feature
(Optional.) Configuring the IKE NAT keepalive feature
(Optional.) Configuring IKE DPD
(Optional.)
instance, the device looks for a route in the VPN instance where the receiving interface resides to forward the data.

Specify a priority number for the IKE profile. To determine the priority of an IKE profile:
a. First, the device examines the existence of the match local address command. An IKE profile with the match local address command configured has a higher priority.

Step: 793. Specify IKE proposals for the IKE profile.
Command: proposal proposal-number&<1-6>
Remarks: By default, no IKE proposals are specified for an IKE profile, and the IKE proposals configured in system view are used for IKE negotiation.

Remarks: By default, no local ID is configured for an IKE profile, and an IKE profile uses the local ID configured in system...
If the initiator is using an IPsec policy with an IKE profile, the initiator sends all IKE proposals specified in the IKE profile to the peer. An IKE proposal specified earlier for the IKE profile has a higher priority. If the initiator is using an IPsec policy with no IKE profile, the initiator sends all its IKE ...
Follow these guidelines when you configure an IKE keychain:
• Two peers must be configured with the same pre-shared key to pass pre-shared key authentication.
• You can specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command) for the IKE keychain to be applied. If no local address is configured, specify the IP address of the interface that uses the IPsec policy.

Step: 814. Enter system view.
Command: system-view

Step: 815. Configure the global identity to be used by the local end.
Command: identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn ...
Remarks: By default, the IP address of the interface to which the IPsec policy or IPsec policy template is applied is used as the IKE identity.

To configure the IKE NAT keepalive feature:

Step: 820. Enter system view.
Command: system-view

Step: 821. Set the IKE NAT keepalive interval.
Command: ike nat-keepalive seconds
Remarks: The default interval is 20 seconds.

Configuring IKE DPD

DPD detects dead peers. It can operate in periodic mode or on-demand mode.
•...
IKE SA. Because no IKE SA is available, the notification is not sent. The originating peer continues sending the data by using the IPsec SA that has the invalid SPI, and the receiving peer keeps dropping the traffic. The invalid SPI recovery feature enables the receiving peer to set up an IKE SA with the originator so that an SPI invalid notification can be sent.
Step: 829. Configure an IPv4 address pool.
Command: address-group group-name start-ipv4-address end-ipv4-address [ mask | mask-length ]
Remarks: By default, no IKE IPv4 address pool exists.

Configuring SNMP notifications for IKE

After you enable SNMP notifications for IKE, the IKE module notifies the NMS of important module events.

Task: Display configuration information about all IKE proposals.
Command: display ike proposal

Task: Display information about the current IKE SAs.
Command: display ike sa [ verbose [ connection-id connection-id | remote-address [ ipv6 ] remote-address [ vpn-instance vpn-instance-name ] ] ]

Task: Display IKE statistics.
Command: display ike statistics

Task: Delete IKE SAs.
Command: reset ike sa [ connection-id connection-id ]
# Create an IPsec transform set named tran1.
[DeviceA] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel.
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use the ESP protocol for the IPsec transform set.
[DeviceA-ipsec-transform-set-tran1] protocol esp
# Specify the encryption and authentication algorithms.
[DeviceA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[DeviceA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[DeviceA-ipsec-transform-set-tran1] quit
...

# Configure IPv4 advanced ACL 3101 to identify traffic from subnet 10.1.2.0/24 to subnet 10.1.1.0/24.
<DeviceB> system-view
[DeviceB] acl advanced 3101
[DeviceB-acl-ipv4-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[DeviceB-acl-ipv4-adv-3101] quit
# Create an IPsec transform set named tran1.
[DeviceB] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel.
# Configure a static route to the subnet where Host A resides. The command uses the direct next hop address (2.2.2.1) as an example.
[DeviceB] ip route-static 10.1.1.0 255.255.255.0 2.2.2.1

Verifying the configuration

# Initiate a connection from subnet 10.1.1.0/24 to subnet 10.1.2.0/24 to trigger IKE negotiation. After IPsec SAs are successfully negotiated by IKE, traffic between the two subnets is IPsec protected.

    Flow:
        sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: ip
        dest addr: 10.1.2.0/255.255.255.0 port: 0 protocol: ip
    [Inbound ESP SAs]
        SPI: 3264152513 (0xc28f03c1)
        Connection ID: 1
        Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
        SA duration (kilobytes/sec): 1843200/3600
        SA remaining duration (kilobytes/sec): 1843200/3484
        Max received sequence-number:
        Anti-replay check enable: Y
        Anti-replay window size: 64
        UDP encapsulation used for NAT traversal: N
...
[Figure 136 Network diagram: Device A (GE2/0/1 1.1.1.1/16 toward the Internet, GE2/0/2 10.1.1.1/24) and Device B (GE2/0/1 2.2.2.2/16, GE2/0/2 10.1.2.1/24), each with a CA server; Host A 10.1.1.2/24 behind Device A and Host B 10.1.2.2/24 behind Device B.]

Configuration procedure

Configure Device A:
# Assign an IP address to each interface. (Details not shown.)
# Configure IPv4 advanced ACL 3101 to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
# Specify the trusted CA 8088.
[DeviceA-pki-domain-domain1] ca identifier 8088
# Specify the URL of the registration server for certificate request through the SCEP protocol. This example uses http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7.
[DeviceA-pki-domain-domain1] certificate request url http://192.168.222.1:446/eadbf9af4f2c4641e685f7a6021e7b298373feb7
# Specify the CA to accept certificate requests.
[DeviceA-pki-domain-domain1] certificate request from ca
# Specify the PKI entity for certificate request as entity1.
# Configure a static route to the subnet where Host B resides. The command uses the direct next hop address (1.1.1.2) as an example.
[DeviceA] ip route-static 10.1.2.0 255.255.255.0 1.1.1.2

Configure Device B:
# Assign an IP address to each interface. (Details not shown.)
# Create an IPsec transform set named tran1.
# Configure a peer ID with the identity type of FQDN name and the value of www.routera.com.
[DeviceB-ike-profile-profile2] match remote identity fqdn www.routera.com
[DeviceB-ike-profile-profile2] quit
# Create an IKE proposal named 10.
[DeviceB] ike proposal 10
# Specify the authentication algorithm as HMAC-MD5.
[DeviceB-ike-proposal-10] authentication-algorithm md5
# Specify the RSA authentication method.
    Connection-ID   Remote                Flag
    ------------------------------------------------------------------
                    2.2.2.2               IPSEC
Flags:
RD--READY RL--REPLACED FD-FADING
# Display information about the CA certificate on Device A.
[DeviceA] display pki certificate domain domain1 ca
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            b9:14:fb:25:c9:08:2c:9d:f6:94:20:30:37:4e:00:00
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=cn, O=rnd, OU=sec, CN=8088
        Validity
            Not Before: Sep 6 01:53:58 2012 GMT
...
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=cn, O=rnd, OU=sec, CN=8088
        Validity
            Not Before: Sep 26 02:06:43 2012 GMT
            Not After : Sep 26 02:06:43 2013 GMT
        Subject: CN=devicea
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:b0:a1:cd:24:6e:1a:1d:51:79:f0:2a:3e:9f:e9:
                    84:07:16:78:49:1b:7d:0b:22:f0:0a:ed:75:91:a4:
                    17:fd:c7:ef:d0:66:5c:aa:e3:2a:d9:71:12:e4:c6:
                    25:77:f0:1d:97:bb:92:a8:bd:66:f8:f8:e8:d5:0d:
                    d2:c8:01:dd:ea:e6:e0:80:ad:db:9d:c8:d9:5f:03:...

    Encapsulation mode: tunnel
    Perfect forward secrecy:
    Inside VRF:
    Extended Sequence Number enable: N
    Traffic Flow Confidentiality enable: N
    Path MTU: 1456
    Tunnel:
        local address: 1.1.1.1
        remote address: 2.2.2.2
    Flow:
        sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: ip
        dest addr: 10.1.2.0/255.255.255.0 port: 0 protocol: ip
    [Inbound ESP SAs]
        SPI: 3264152513 (0xc28f03c1)
Configure an IKE-based IPsec tunnel between Device A and Device B to secure the communication between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
• Configure Device A and Device B to use the default IKE proposal for the aggressive IKE negotiation to set up the IPsec SAs.
•...
# Specify that IKE negotiation operates in aggressive mode.
[DeviceA-ike-profile-profile1] exchange-mode aggressive
# Set the local identity to the FQDN name www.devicea.com.
[DeviceA-ike-profile-profile1] local-identity fqdn www.devicea.com
# Configure a peer ID with the identity type as IP address and the value as 2.2.2.2/16.
[DeviceA-ike-profile-profile1] match remote identity address 2.2.2.2 255.255.0.0
[DeviceA-ike-profile-profile1] quit
# Create an IKE-based IPsec policy entry.
# Specify the IKE keychain keychain1.
[DeviceB-ike-profile-profile1] keychain keychain1
# Specify that IKE negotiation operates in aggressive mode.
[DeviceB-ike-profile-profile1] exchange-mode aggressive
# Configure a peer ID with the identity type of FQDN name and the value of www.devicea.com.
[DeviceB-ike-profile-profile1] match remote identity fqdn www.devicea.com
[DeviceB-ike-profile-profile1] quit
# Create an IPsec policy template entry.
    Local ID: www.devicea.com
    Remote IP: 2.2.2.2
    Remote ID type: IPV4_ADDR
    Remote ID: 2.2.2.2
    Authentication-method: PRE-SHARED-KEY
    Authentication-algorithm: MD5
    Encryption-algorithm: 3DES-CBC
    Life duration(sec): 86400
    Remaining key duration(sec): 84565
    Exchange-mode: Aggressive
    Diffie-Hellman group: Group 1
    NAT traversal: Detected
# Display the IPsec SAs generated on Device A.
[DeviceA] display ipsec sa
-------------------------------
Interface: GigabitEthernet2/0/1
...

        Anti-replay check enable: Y
        Anti-replay window size: 64
        UDP encapsulation used for nat traversal: Y
        Status: Active
    [Outbound ESP SAs]
        SPI: 3516214669 (0xd1952d8d)
        Connection ID: 2
        Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
        SA duration (kilobytes/sec): 1843200/3600
        SA remaining duration (kilobytes/sec): 1843200/2313
        Max received sequence-number:
        UDP encapsulation used for nat traversal: Y
        Status: Active

IKE remote extended authentication configuration example
...
[Device-radius-ike-scheme] quit
# Create an ISP domain named ike and specify the RADIUS scheme used for authenticating the IKE users.
[Device] domain ike
[Device-isp-ike] authentication ike radius-scheme ike-scheme
[Device-isp-ike] quit
# Configure an IPv4 advanced ACL to identify the packets to be protected.
[Device] acl advanced 3101
[Device-acl-ipv4-adv-3101] rule permit ip source 2.2.2.2 0.0.0.0 destination 1.1.1.1 0.0.0.0
...
[Device-ipsec-policy-isakmp-map1-10] transform-set tran1
# Specify the IKE profile.
[Device-ipsec-policy-isakmp-map1-10] ike-profile profile1
[Device-ipsec-policy-isakmp-map1-10] quit
# Apply the IPsec policy to GigabitEthernet 2/0/1.
[Device] interface gigabitethernet 2/0/1
[Device-GigabitEthernet2/0/1] ipsec apply policy map1
[Device-GigabitEthernet2/0/1] quit
Configure the host:
Perform the following tasks on the host and make sure the configuration matches that on the device:
Specify the IP address of the remote security gateway.
NAT traversal: Detected
Extend authentication: Enabled
Assigned IP address:
# On the host, enter the correct username and password for extended authentication. After the authentication succeeds, the IPsec tunnel will be established. (Details not shown.)
# Verify that IPsec SAs have been established on the device.
[Device] display ipsec sa
IKE local extended authentication and address pool authorization configuration example
...
[Device-luser-network-ike] service-type ike
# Specify the IPv4 address pool pool as the authorized IPv4 address pool for the user ike.
[Device-luser-network-ike] authorization-attribute ip-pool pool
[Device-luser-network-ike] quit
# Add a network user named test.
[Device] local-user test class network
# Authorize the user test to use the IKE service.
[Device-luser-network-test] service-type ike
# Configure a password for the user test.
[Device-ipsec-policy-template-pt-1] ike-profile profile1
# Enable IPsec RRI.
[Device-ipsec-policy-template-pt-1] reverse-route dynamic
[Device-ipsec-policy-template-pt-1] quit
# Use IPsec policy template pt to create an IKE-based IPsec policy entry. Specify the policy name as map1 and set the sequence number to 1.
[Device] ipsec policy map1 1 isakmp template pt
# Apply the IPsec policy to GigabitEthernet 2/0/1.
Remaining key duration(sec): 84565
Exchange-mode: Main
Diffie-Hellman group: Group 2
NAT traversal: Detected
Extend authentication: Enabled
Assigned IP address: 20.1.1.2
# On the host, enter the correct username and password for client authentication. After the authentication succeeds, the IPsec tunnel will be established. (Details not shown.)
# Verify that IPsec SAs are established on the device.
Max sent sequence-number: 2793
UDP encapsulation used for NAT traversal: N
Status: Active
Troubleshooting IKE
IKE negotiation failed because no matching IKE proposals were found
Symptom
The IKE SA is in Unknown state.
<Sysname> display ike sa
Connection-ID   Remote          Flag
------------------------------------------------------------------
                192.168.222.5   Unknown
...
Construct notification packet: PAYLOAD_MALFORMED.
Analysis
• If the following debugging information appeared, the matched IKE profile is not using the matched IKE proposal:
  Failed to find proposal 1 in profile profile1.
• If the following debugging information appeared, the matched IKE profile is not using the matched IKE keychain:
  Failed to find keychain keychain1 in profile profile1.
Use the display ike sa verbose command to verify that matching IKE profiles were found in IKE negotiation phase 1. If no matching IKE profiles were found and the IPsec policy is using an IKE profile, the IPsec SA negotiation fails.
# Verify that matching IKE profiles were found in IKE negotiation phase 1.
SA idle time:
Verify that the ACL specified for the IPsec policy is correctly configured. The flow range defined by the responder's ACL must cover the flow range defined by the initiator's ACL; if the responder's range is narrower, IPsec proposal matching fails. For example, if the initiator's ACL defines a flow from one network segment to another but the responder's ACL defines a flow from one host to another host, IPsec proposal matching fails.
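To make the flow-range check concrete, the following Python script is an added example, not part of this guide or of the device's own code. It parses ACL rules in the syntax shown in this chapter, converts the wildcard masks to prefixes, and reports which of the initiator's flows the responder's ACL fails to cover (the responder's rules are compared mirrored, because it sees each flow with source and destination swapped). The ACL rule strings are constructed for the example, and rejecting non-contiguous wildcards is this script's own simplification.

```python
import ipaddress
import re

# Matches the advanced ACL rule syntax used in this chapter, for example:
#   rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
RULE_RE = re.compile(
    r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+ip\s+"
    r"source\s+(?P<src>\S+)\s+(?P<src_wc>\S+)\s+"
    r"destination\s+(?P<dst>\S+)\s+(?P<dst_wc>\S+)"
)


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn address + wildcard mask (0.0.0.255 style) into a network.

    A wildcard is the bitwise inverse of a subnet mask; 0.0.0.0 means one host.
    Non-contiguous wildcards (e.g. 0.0.255.0) cannot be written as one prefix,
    so this example rejects them instead of guessing a single flow for them.
    """
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((address, prefix), strict=False)


def parse_acl(text: str) -> list:
    """Return (src_net, dst_net) for every permit rule in the ACL text."""
    flows = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m or m.group("action") != "permit":
            continue
        flows.append((wildcard_to_network(m.group("src"), m.group("src_wc")),
                      wildcard_to_network(m.group("dst"), m.group("dst_wc"))))
    return flows


def responder_covers(initiator_acl: str, responder_acl: str, mirrored: bool = True) -> list:
    """List the initiator flows that no responder rule contains.

    With mirrored=True (the normal case) the responder's source/destination
    are swapped before comparison. An empty list means the flow ranges are
    compatible; anything else is the mismatch the troubleshooting text describes.
    """
    uncovered = []
    responder_flows = parse_acl(responder_acl)
    for src, dst in parse_acl(initiator_acl):
        covered = False
        for r_src, r_dst in responder_flows:
            if mirrored:
                r_src, r_dst = r_dst, r_src
            if src.subnet_of(r_src) and dst.subnet_of(r_dst):
                covered = True
                break
        if not covered:
            uncovered.append((str(src), str(dst)))
    return uncovered


# Constructed sample ACLs reproducing the mismatch described above: the
# initiator protects subnet-to-subnet, the narrow responder only host-to-host.
INITIATOR_ACL = "rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255\n"
RESPONDER_ACL_TOO_NARROW = "rule 0 permit ip source 10.1.2.2 0.0.0.0 destination 10.1.1.1 0.0.0.0\n"
RESPONDER_ACL_MIRRORED = "rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255\n"

if __name__ == "__main__":
    print("narrow responder:  ", responder_covers(INITIATOR_ACL, RESPONDER_ACL_TOO_NARROW))
    print("mirrored responder:", responder_covers(INITIATOR_ACL, RESPONDER_ACL_MIRRORED))
```

Run it directly to see both cases; the narrow responder leaves the whole 10.1.1.0/24 to 10.1.2.0/24 flow uncovered, while the mirrored ACL covers it and returns an empty list.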
[Sysname] display acl 3000
Advanced IPv4 ACL 3000, 2 rules, ACL's step is 5
rule 0 permit ip source 192.168.222.0 0.0.0.255 destination 192.168.222.0 0.0.0.255
Configure the missing settings (for example, the remote address).
Configuring IKEv2
Overview
Internet Key Exchange version 2 (IKEv2) is an enhanced version of IKEv1. Like IKEv1, IKEv2 has a set of self-protection mechanisms and can be used on insecure networks for reliable identity authentication, key distribution, and IPsec SA negotiation. IKEv2 provides stronger protection against attacks and more efficient key exchange, and needs fewer message exchanges than IKEv1.
New features in IKEv2
DH guessing
In the IKE_SA_INIT exchange, the initiator guesses the DH group that the responder is most likely to use and sends it in an IKE_SA_INIT request message. If the initiator's guess is correct, the responder responds with an IKE_SA_INIT response message and the IKE_SA_INIT exchange is finished. If the guess is wrong, the responder returns an INVALID_KE_PAYLOAD notification carrying the DH group it requires, and the initiator restarts the exchange with that group, at the cost of one extra round trip.
• The strength of the algorithms for IKEv2 negotiation, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. Different algorithms provide different levels of protection. A stronger algorithm means better resistance to decryption of protected data but requires more resources. Typically, the longer the key, the stronger the algorithm.
Specify a local interface or IP address for the IKEv2 profile so the profile can be applied only to the specified interface or IP address. For this task, specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command). If no local address is configured, specify the IP address of the interface that uses the IPsec policy.
Step 837. Configure the local and remote authentication methods.
  Command: authentication-method { local | remote } { dsa-signature | ecdsa-signature | pre-share | rsa-signature }
  Remarks: By default, no local or remote identity authentication method is configured.
(Next step, keychain) Remarks: By default, no keychain is specified for an IKEv2 profile.
Configuring an IKEv2 proposal
An IKEv2 proposal contains security parameters used in IKE_SA_INIT exchanges, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. An algorithm specified earlier has a higher priority. A complete IKEv2 proposal must have at least one set of security parameters, including one encryption algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group.
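The following Python model is an added example, not code from this guide or from the device. It represents IKEv2 proposals as ordered algorithm lists, lets a responder pick the first algorithm of each type that both ends list (earlier entries win, matching the priority rule above), and simulates the IKE_SA_INIT exchange with DH guessing, including the INVALID_KE_PAYLOAD retry when the guessed group differs from the one the responder requires and the NO_PROPOSAL_CHOSEN outcome that the troubleshooting section later describes. The names Ikev2Proposal, choose_transforms and ike_sa_init, the selection order, and the sample proposals are the example's own assumptions; the algorithm keywords are illustrative.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ikev2Proposal:
    """Algorithm lists in priority order: an entry listed earlier wins."""
    encryption: List[str]
    integrity: List[str]
    prf: List[str]
    dh_groups: List[int]

    def is_complete(self) -> bool:
        # A usable proposal needs at least one algorithm of every type.
        return all((self.encryption, self.integrity, self.prf, self.dh_groups))


def _first_common(offered: list, accepted: list):
    """First entry of the initiator's list that the responder also lists."""
    for item in offered:
        if item in accepted:
            return item
    return None


def choose_transforms(initiator: List[Ikev2Proposal],
                      responder: List[Ikev2Proposal]) -> Optional[Tuple[str, str, str, int]]:
    """Responder-side selection (assumed order: the initiator's proposals
    first, then the responder's own; the first pair sharing one algorithm of
    each type wins). Returns (encryption, integrity, prf, dh_group), or None
    when nothing matches, which a real responder reports as NO_PROPOSAL_CHOSEN."""
    for offered in initiator:
        if not offered.is_complete():
            continue
        for local in responder:
            if not local.is_complete():
                continue
            picked = (_first_common(offered.encryption, local.encryption),
                      _first_common(offered.integrity, local.integrity),
                      _first_common(offered.prf, local.prf),
                      _first_common(offered.dh_groups, local.dh_groups))
            if None not in picked:
                return picked
    return None


def ike_sa_init(initiator: List[Ikev2Proposal], responder: List[Ikev2Proposal]) -> dict:
    """Simulate IKE_SA_INIT with DH guessing. The initiator sends a KE payload
    for the first DH group of its first complete proposal. A wrong guess costs
    one extra request: the responder answers INVALID_KE_PAYLOAD naming the
    group it wants, and the initiator starts again with that group."""
    trace: List[str] = []
    guess = next(p.dh_groups[0] for p in initiator if p.is_complete())
    requests = 0
    while True:
        requests += 1
        trace.append(f"I->R IKE_SA_INIT request: SA, KE(group {guess}), Ni")
        chosen = choose_transforms(initiator, responder)
        if chosen is None:
            trace.append("R->I IKE_SA_INIT response: NO_PROPOSAL_CHOSEN")
            return {"trace": trace, "transforms": None, "requests": requests}
        if chosen[3] != guess:
            trace.append(f"R->I IKE_SA_INIT response: INVALID_KE_PAYLOAD (use group {chosen[3]})")
            guess = chosen[3]
            continue
        trace.append(f"R->I IKE_SA_INIT response: SA, KE(group {guess}), Nr")
        return {"trace": trace, "transforms": chosen, "requests": requests}


# Constructed sample proposals; the keywords follow the style of the CLI
# (aes-cbc-128, sha256, DH group numbers) and are illustrative only.
INITIATOR = [Ikev2Proposal(["aes-cbc-256", "aes-cbc-128"], ["sha256", "sha1"], ["sha256"], [19, 14])]
RESPONDER_GROUP14 = [Ikev2Proposal(["aes-cbc-128"], ["sha256"], ["sha256"], [14])]
RESPONDER_GROUP19 = [Ikev2Proposal(["aes-cbc-256"], ["sha256"], ["sha256"], [19, 14])]
RESPONDER_NO_MATCH = [Ikev2Proposal(["3des-cbc"], ["md5"], ["md5"], [2])]

if __name__ == "__main__":
    for name, resp in (("group14", RESPONDER_GROUP14), ("group19", RESPONDER_GROUP19),
                       ("nomatch", RESPONDER_NO_MATCH)):
        result = ike_sa_init(INITIATOR, resp)
        print(name, "requests:", result["requests"], "transforms:", result["transforms"])
        for line in result["trace"]:
            print("   ", line)
```

Against RESPONDER_GROUP14 the initiator's guess of group 19 is wrong, so the trace shows two requests; against RESPONDER_GROUP19 one request suffices; against RESPONDER_NO_MATCH the exchange ends with NO_PROPOSAL_CHOSEN, the condition to look for when the IKEv2 SA never leaves negotiation.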
Step 866. Configure the peer identity.
  Command:
  • To configure a host name for the peer: hostname host-name
  • To configure a host address or address range for the peer: address { ipv4-address [ mask | mask-length ] | ipv6 ...
  Remarks: By default, no hostname, host IP address, address range, or identity information is configured.
Step 870. Enter system view.
  Command: system-view
Step 871. Configure global IKEv2 DPD.
  Command: ikev2 dpd interval interval [ retry seconds ] { on-demand | periodic }
  Remarks: By default, global DPD is disabled.
Configuring the IKEv2 NAT keepalive feature
Configure this feature on the IKEv2 gateway behind the NAT device. The gateway then sends NAT keepalive packets regularly to its peer to keep the NAT session alive, so that the peer can access the device.
Task: Display the IKEv2 policy configuration.
  Command: display ikev2 policy [ policy-name | default ]
Task: Display the IKEv2 profile configuration.
  Command: display ikev2 profile [ profile-name ]
Task: Display the IKEv2 SA information.
  Command: display ikev2 sa [ count | [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance ...
[DeviceA-acl-ipv4-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[DeviceA-acl-ipv4-adv-3101] quit
# Create an IPsec transform set named tran1.
[DeviceA] ipsec transform-set tran1
# Set the packet encapsulation mode to tunnel.
[DeviceA-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Use the ESP protocol for the IPsec transform set.
[DeviceA-ipsec-transform-set-tran1] protocol esp
# Specify the encryption and authentication algorithms.
[DeviceA-ipsec-policy-isakmp-map1-10] quit
# Apply the IPsec policy map1 to interface GigabitEthernet 2/0/1.
[DeviceA] interface gigabitethernet 2/0/1
[DeviceA-GigabitEthernet2/0/1] ipsec apply policy map1
[DeviceA-GigabitEthernet2/0/1] quit
# Configure a static route to the subnet where Host B resides. The command uses the direct next hop address (1.1.1.2) as an example.
# Specify the peer ID that the IKEv2 profile matches. The peer ID is the IP address 1.1.1.1/16.
[DeviceA-ikev2-profile-profile1] match remote identity address 1.1.1.1 255.255.0.0
[DeviceA-ikev2-profile-profile1] quit
# Create an IKE-based IPsec policy entry. Specify the policy name as use1 and set the sequence number to 10.
IKEv2 with RSA signature authentication configuration example
Network requirements
As shown in Figure 148, configure an IKE-based IPsec tunnel between Device A and Device B to secure the communication between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. Configure Device A and Device B to use IKEv2 negotiation and RSA signature authentication. Device A acts as the initiator, and the subnet where Device A resides uses dynamically allocated IP addresses.
# Set the common name as routera for the PKI entity.
[DeviceA-pki-entity-entity1] common-name routera
[DeviceA-pki-entity-entity1] quit
# Create a PKI domain named domain1.
[DeviceA] pki domain domain1
# Set the certificate request mode to auto and set the password to 123 for certificate revocation.
[DeviceA-pki-domain-domain1] certificate request mode auto password simple 123
# Set an MD5 fingerprint for verifying the validity of the CA root certificate.
[DeviceA-ikev2-proposal-10] quit
# Create an IKEv2 policy named 1.
[DeviceA] ikev2 policy 1
# Specify the IKEv2 proposal 10 for the IKEv2 policy.
[DeviceA-ikev2-policy-1] proposal 10
[DeviceA-ikev2-policy-1] quit
# Create an IKE-based IPsec policy entry. Specify the policy name as map1 and set the sequence number to 10.
[DeviceB-pki-entity-entity2] common-name routerb
[DeviceB-pki-entity-entity2] quit
# Create a PKI domain named domain2.
[DeviceB] pki domain domain2
# Set the certificate request mode to auto and set the password to 123 for certificate revocation.
[DeviceB-pki-domain-domain2] certificate request mode auto password simple 123
# Set an MD5 fingerprint for verifying the validity of the CA root certificate.
# Specify the IKEv2 proposal 10 for the IKEv2 policy.
[DeviceB-ikev2-policy-1] proposal 10
[DeviceB-ikev2-policy-1] quit
# Create an IPsec policy template entry. Specify the template name as template1 and set the sequence number to 1.
[DeviceB] ipsec policy-template template1 1
# Specify the remote IP address 1.1.1.1 for the IPsec tunnel.
  Proposal : 1
[DeviceB] display ikev2 policy 1
IKEv2 policy : 1
  Match Local : any
  Match VRF : public
  Proposal : 1
# Display the IKEv2 SA on Device A.
[DeviceA] display ikev2 sa
Tunnel ID   Local           Remote          Status
---------------------------------------------------------------------------
            1.1.1.1/500     2.2.2.2/500
...
82:16
# Display the local certificate on Device A.
[DeviceA] display pki certificate domain domain1 local
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number:
      a1:f4:d4:fd:cc:54:c3:07:c4:9e:15:2d:5f:64:57:77
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=cn, O=rnd, OU=sec, CN=8088
    Validity
      Not Before: Sep 26 02:06:43 2012 GMT
      Not After : Sep 26 02:06:43 2013 GMT
    Subject: CN=devicea
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
...
IKEv2 with NAT traversal configuration example
Network requirements
As shown in Figure 149, Device A is behind the NAT device. Configure an IKE-based IPsec tunnel between Device A and Device B to secure the communication between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
• ...
[DeviceA-ikev2-keychain-keychain1-peer-peer1] identity address 2.2.2.2
# Specify 123 in plain text as the pre-shared key to be used with the peer.
[DeviceA-ikev2-keychain-keychain1-peer-peer1] pre-shared-key plaintext 123
[DeviceA-ikev2-keychain-keychain1-peer-peer1] quit
[DeviceA-ikev2-keychain-keychain1] quit
# Create an IKEv2 profile named profile1.
[DeviceA] ikev2 profile profile1
# Specify the IKEv2 keychain keychain1.
[DeviceA-ikev2-profile-profile1] keychain keychain1
# Set the local ID to the FQDN name www.devicea.com.
# Specify the encryption and authentication algorithms.
[DeviceB-ipsec-transform-set-transform1] esp encryption-algorithm 3des-cbc
[DeviceB-ipsec-transform-set-transform1] esp authentication-algorithm md5
[DeviceB-ipsec-transform-set-transform1] quit
# Create an IKEv2 keychain named keychain1.
[DeviceB] ikev2 keychain keychain1
# Create an IKEv2 peer named peer1.
[DeviceB-ikev2-keychain-keychain1] peer peer1
# Specify the peer IP address 1.1.1.1/16.
[DeviceB-ikev2-keychain-keychain1-peer-peer1] address 1.1.1.1 16
# Specify the peer ID, which is the IP address 1.1.1.1.
Verifying the configuration
# Initiate a connection from subnet 10.1.1.0/24 to subnet 10.1.2.0/24 to trigger IKEv2 negotiation. After IPsec SAs are successfully negotiated by IKEv2, traffic between the two subnets is IPsec protected.
# Display the IKEv2 SA on Device A.
[DeviceA] display ikev2 sa
Tunnel ID   Local ...
Analysis
Certain IKEv2 proposal settings are incorrect.
Solution
Examine the IKEv2 proposal configuration to see whether the two ends have matching IKEv2 proposals. Modify the IKEv2 proposal configuration to make sure the two ends have matching IKEv2 proposals.
IPsec SA negotiation failed because no matching IPsec transform sets were found
Symptom
The display ikev2 sa command shows that the IKEv2 SA negotiation succeeded and the IKEv2 SA ...
Configuring SSH
Overview
Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. SSH uses the typical client-server model to establish a channel for secure data transfer based on TCP.
Stage: Algorithm negotiation
  Description: SSH supports multiple algorithms. Based on the local algorithms, the two parties negotiate the following algorithms:
  • Key exchange algorithm for generating session keys.
  • Encryption algorithm for encrypting data.
  • Public key algorithm for the digital signature and authentication.
  • ...
Publickey authentication
The server authenticates a client by verifying the digital signature of the client. The publickey authentication process is as follows:
The client sends the server a publickey authentication request that includes the username, public key, and public key algorithm name. If the digital certificate of the client is required in authentication, the client also encapsulates the digital certificate in the authentication request.
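The exchange above, as an added example that is not from this guide or from the device's implementation: a Python script that builds the publickey authentication request and the exact data the client signs (RFC 4252 section 7), then performs the two server-side checks, that the key is assigned to the named user and that the signature verifies over this session's identifier. It uses a small textbook RSA over SHA-256 with a fixed modulus, an assumption made so the script runs offline with the standard library only; real SSH uses properly generated keys and padded signature schemes. The algorithm name, key-blob layout, usernames and session identifiers are constructed for the example.

```python
import hashlib
import struct

# Toy RSA so the example runs offline with the standard library only: textbook
# RSA over a SHA-256 digest, no padding, fixed modulus from two Mersenne primes.
# This is an assumption for illustration; real SSH keys are generated properly
# and signatures use padded schemes (RSA-PSS, Ed25519, ECDSA, ...).
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
TOY_N = _P * _Q
TOY_E = 65537
TOY_D = pow(TOY_E, -1, (_P - 1) * (_Q - 1))


def toy_sign(d: int, n: int, data: bytes) -> int:
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)


def toy_verify(e: int, n: int, data: bytes, sig: int) -> bool:
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string' (RFC 4251): 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def read_strings(buf: bytes) -> list:
    """Split a buffer that consists of consecutive SSH strings."""
    out, i = [], 0
    while i < len(buf):
        (length,) = struct.unpack(">I", buf[i:i + 4])
        out.append(buf[i + 4:i + 4 + length])
        i += 4 + length
    return out


SSH_MSG_USERAUTH_REQUEST = 50
ALGORITHM = b"toy-rsa-sha256"      # assumed algorithm name for the toy scheme


def make_blob(e: int, n: int) -> bytes:
    """Assumed public key blob layout: algorithm name, exponent, modulus."""
    return ssh_string(ALGORITHM) + ssh_string(str(e).encode()) + ssh_string(str(n).encode())


def signed_data(session_id: bytes, username: bytes, service: bytes, blob: bytes) -> bytes:
    """The bytes the client signs (RFC 4252 section 7). Because the session
    identifier from key exchange is included, a signature captured on one
    connection does not verify on another: no replay across sessions."""
    return (ssh_string(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST]) +
            ssh_string(username) + ssh_string(service) + ssh_string(b"publickey") +
            b"\x01" + ssh_string(ALGORITHM) + ssh_string(blob))


def client_request(session_id: bytes, username: bytes, d: int, e: int, n: int) -> dict:
    """Client side: publickey authentication request carrying the username,
    algorithm name, public key blob and the signature."""
    blob = make_blob(e, n)
    sig = toy_sign(d, n, signed_data(session_id, username, b"ssh-connection", blob))
    return {"username": username, "service": b"ssh-connection", "blob": blob, "signature": sig}


def server_verify(session_id: bytes, request: dict, authorized: dict) -> tuple:
    """Server side. `authorized` maps username -> set of accepted key blobs,
    the equivalent of assigning a named public key to an SSH user on the
    device. Returns (accepted, reason)."""
    user, blob = request["username"], request["blob"]
    if blob not in authorized.get(user, set()):
        return False, "public key is not assigned to this user"
    alg, e_str, n_str = read_strings(blob)
    if alg != ALGORITHM:
        return False, "unsupported public key algorithm"
    data = signed_data(session_id, user, request["service"], blob)
    if not toy_verify(int(e_str), int(n_str), data, request["signature"]):
        return False, "signature does not verify"
    return True, "authenticated"


def demo() -> tuple:
    """Constructed walk-through: a valid login, the same request replayed on a
    new session, and a user the key is not assigned to."""
    session_a = hashlib.sha256(b"constructed kex transcript A").digest()
    session_b = hashlib.sha256(b"constructed kex transcript B").digest()
    authorized = {b"client002": {make_blob(TOY_E, TOY_N)}}
    req = client_request(session_a, b"client002", TOY_D, TOY_E, TOY_N)
    good = server_verify(session_a, req, authorized)
    replayed = server_verify(session_b, req, authorized)
    wrong_user = server_verify(session_a, dict(req, username=b"client001"), authorized)
    return good, replayed, wrong_user


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The order of the server checks matters: the key-to-user binding is tested before any signature work, so an unknown key costs the server nothing but a set lookup, and the replayed request fails because the session identifier it was signed over belongs to a different connection.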
Task: Configuring the PKI domain for verifying the client's digital certificate
  Remarks: See "Configuring PKI." Required if the following conditions exist:
  • The authentication method is publickey.
  • The client sends its public key to the server through a digital certificate for validity check.
Step 877. Enter system view.
  Command: system-view
Step 878. Generate local key pairs.
  Command: public-key local create { dsa | ecdsa secp256r1 | rsa }
  Remarks: By default, no local key pairs exist on the server.
Enabling the Stelnet server
After you enable the Stelnet server on the device, a client can log in to the device through Stelnet.
To enable the Stelnet server:
Step Command ...
When acting as a server in the NETCONF-over-SSH connection, the device does not support connection requests initiated by SSH1 clients.
To enable NETCONF over SSH:
Step 885. Enter system view.
  Command: system-view
Step 886. ...
  Remarks: By default, NETCONF over SSH is disabled.
Entering a client's host public key
Before you enter the client's host public key, you must use the display public-key local public command on the client to obtain the client's host public key.
To enter a client's host public key:
Step Command Remarks ...
For local authentication, configure a local user on the SSH server. For remote authentication, configure an SSH user on a remote authentication server, for example, a RADIUS server. In either case, the local user or the SSH user configured on the remote authentication server must have the same username as the SSH user.
Configuring the SSH management parameters
Step 898. Enter system view.
  Command: system-view
Step 899. Enable the SSH server to support SSH1 clients.
  Command: ssh server compatible-ssh1x enable
  Remarks: By default, the SSH server does not support SSH1 clients. This command is not available in FIPS mode. SSH1 is an obsolete protocol with known cryptographic weaknesses; leave this setting at its default unless a legacy client cannot be upgraded.
Step 906. Set the maximum number of concurrent online SSH users.
  Command: ... session-limit max-sessions
  Remarks: The default setting is 32. When the number of online SSH users reaches the upper limit, the system denies new connection requests. Changing the upper limit does not affect online SSH users.
To specify the source IP address for SSH packets:
Step 909. Enter system view.
  Command: system-view
• Specify the source IPv4 address for IPv4 SSH packets.
  Command: ssh client source { interface interface-type interface-number | ip ...
  Remarks: By default, the source IP address for SSH packets is not configured. For IPv4 SSH packets, the device uses the primary IPv4 address of the ...
Configuring the device as an SFTP client
SFTP client configuration task list
Tasks at a glance:
• (Required.) Generating local key pairs. Only required when the SFTP server uses the authentication method publickey, password-publickey, or any.
• (Optional.) Specifying the source IP address for SFTP packets
• (Required.) Establishing a connection to an SFTP server
• (Optional.) ...
Step 913. Enter system view.
  Command: system-view
• Specify the source IPv4 address for IPv4 SFTP packets.
  Command: sftp client source { ip ip-address | interface interface-type ...
  Remarks: By default, the source IP address for SFTP packets is not configured. For IPv4 SFTP packets, the device uses the primary IPv4 address of the ...
Step 914. ...
Working with SFTP files
Task: Change the name of a file on the SFTP server.
  Command: rename old-name new-name
  Remarks: Available in SFTP client view.
Task: Download a file from the SFTP server and save it locally.
  Command: get remote-file [ local-file ]
  Remarks: Available in SFTP client view.
Generating local key pairs
Generate local key pairs on the SCP client when the SCP server uses the authentication method publickey, password-publickey, or any.
Configuration restrictions and guidelines
When you generate local key pairs on an SCP client, follow these restrictions and guidelines:
• ...
Launch SSH client software on the PC to establish a connection. Configure the connection parameters according to the authentication method. Enter the IP address 192.168.1.1 of the SSH redirect server and the SSH listening port 22. Enter the username and password to enter user view of Device A. The username is in the username:idx format, where the idx argument specifies the absolute number of the user line.
Configuration procedure
Configuring the asynchronous serial interface
Step 925. Enter system view.
  Command: system-view
Step 926. Enter synchronous/asynchronous serial interface view.
  Command: a. interface serial interface-number
  Remarks: To configure a synchronous/asynchronous serial interface to operate in asynchronous mode, you must use a ... connector ...
Configuring SSH redirect
Step 935. Enable SSH redirect.
  Command: ssh redirect enable
  Remarks: By default, SSH redirect is disabled.
Step 936. (Optional.) Specify an SSH redirect listening port.
  Command: ssh redirect listen-port port-number
  Remarks: By default, the listening port number of SSH redirect is the absolute user line number plus 4000.
Password authentication enabled Stelnet server configuration example
Network requirements
As shown in Figure 152:
• The router acts as the Stelnet server and uses password authentication.
• The username and password of the client are saved on the router.
Establish a Stelnet connection between the host and the router, so you can log in to the router as a network administrator to configure and manage the router.
Create the key pair successfully.
# Enable the Stelnet server.
[Router] ssh server enable
# Assign an IP address to interface GigabitEthernet 1/0/1. The Stelnet client uses this IP address as the destination for SSH connection.
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] ip address 192.168.1.40 255.255.255.0
[Router-GigabitEthernet1/0/1] quit
# Set the authentication mode to AAA for the user lines.
Figure 147 Specifying the host name (or IP address)
c. Click Open to connect to the server. If the connection is successfully established, the system notifies you to enter the username and password. After entering the username (client001) and password (aabbcc), you can enter the CLI of the server.
Configuration procedure
In the server configuration, the client's host public key is required. Use the client software to generate RSA key pairs on the client before configuring the Stelnet server. There are different types of Stelnet client software, such as PuTTY and OpenSSH. This example uses a Stelnet client that runs PuTTY version 0.58.
Figure 150 Generating process
a. After the key pair is generated, click Save public key to save the public key. A file saving window appears.
Figure 151 Saving a key pair on the client
d. Enter a file name (key.pub in this example), and click Save.
e. On the page as shown in Figure 157, click Save private key to save the private key. A confirmation dialog box appears.
f. Click Yes. A file saving window appears.
g. Enter a file name (private.ppk in this example), and click Save.
h.
# Import the peer public key from the public key file key.pub and name it clientkey.
[Router] public-key peer clientkey import sshkey key.pub
# Create an SSH user named client002. Specify the authentication method as publickey for the user, and assign the public key clientkey to the user.
[Router] ssh user client002 service-type stelnet authentication-type publickey assign publickey clientkey
# Create a local device management user named client002.
Figure 153 Specifying the preferred SSH version
a. Select Connection > SSH > Auth from the navigation tree. The window shown in Figure 160 appears.
b. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this example), and click OK.
g. Click Open to connect to the server. If the connection is successfully established, the system notifies you to enter the username. After entering the username (client002), you can enter the CLI of the server.
Password authentication enabled Stelnet client configuration example
Network requirements
As shown in ...
# Generate an ECDSA key pair.
[RouterB] public-key local create ecdsa secp256r1
Generating Keys...
Create the key pair successfully.
# Enable the Stelnet server.
[RouterB] ssh server enable
# Assign an IP address to interface GigabitEthernet 1/0/1. The Stelnet client uses this address as the destination address for SSH connection.
65BE6C265854889DC1EDBD13EC8B274
[RouterA-pkey-public-key-key1]DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B
6FD60FE01941DDD77FE6B12893DA76E
[RouterA-pkey-public-key-key1]EBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B
68950387811C7DA33021500C773218C
[RouterA-pkey-public-key-key1]737EC8EE993B4F2DED30F48EDACE915F0281810082269009
14EC474BAF2932E69D3B1F18517AD95
[RouterA-pkey-public-key-key1]94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D0
492B3959EC6499625BC4FA5082E22C5
[RouterA-pkey-public-key-key1]B374E16DD00132CE71B020217091AC717B612391C76C1FB2
88317C1BD8171D41ECB83E210C03CC9
[RouterA-pkey-public-key-key1]B32E810561C21621C73D6DAAC028F4B1585DA7F42519718C
9B09EEF0381840002818000AF995917
[RouterA-pkey-public-key-key1]E1E570A3F6B1C2411948B3B4FFA256699B3BF871221CC9C5
F257523777D033BEE77FC378145F2AD
[RouterA-pkey-public-key-key1]D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F7
01F7C62621216D5A572C379A32AC290
[RouterA-pkey-public-key-key1]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465
8716261214A5A3B493E866991113B2D
[RouterA-pkey-public-key-key1]485348
[RouterA-pkey-public-key-key1] peer-public-key end
[RouterA] quit
# Establish an SSH connection to the server, and specify the host public key of the server as key1.
<RouterA> ssh2 192.168.1.40
Username: client001
Press CTRL+C to abort.
Connecting to 192.168.1.40 port 22.
The server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:y
client001@192.168.1.40's password:
Enter a character ~ and a dot to abort.
******************************************************************************
* Copyright (c) 2010-2016 Hewlett Packard Enterprise Development LP
* Without the owner's prior written consent,
...
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
++++++++++++++++++++++++++++++++++++++++++++++++++*
..+..+..+........+
...+....+..+...+
Create the key pair successfully.
The default 1024-bit modulus is below current minimum recommendations for DSA and RSA keys; choose the largest length the device and the peer support.
# Export the DSA host public key to a public key file named key.pub.
[RouterA] public-key local export dsa ssh2 key.pub
[RouterA] quit
# Transmit the public key file key.pub to the server through FTP or TFTP.
# Set the authentication mode to AAA for the user lines.
[RouterB] line vty 0 63
[RouterB-line-vty0-63] authentication-mode scheme
[RouterB-line-vty0-63] quit
# Import the peer public key from the public key file key.pub, and name it clientkey.
[RouterB] public-key peer clientkey import sshkey key.pub
# Create an SSH user named client002.
• The router acts as the SFTP server and uses password authentication.
• The username and password of the client are saved on the router.
Establish an SFTP connection between the host and the router, so you can log in to the router as a network administrator to manage and transfer files.
[Router-GigabitEthernet1/0/1] quit
# Create a local device management user named client002.
[Router] local-user client002 class manage
# Set the password to aabbcc in plain text for local user client002.
[Router-luser-manage-client002] password simple aabbcc
# Authorize local user client002 to use the SSH service.
[Router-luser-manage-client002] service-type ssh
# Assign the network-admin user role and the working directory flash:/ to local user client002.
Publickey authentication enabled SFTP client configuration example
Network requirements
As shown in Figure 165, Router B acts as the SFTP server, and it uses publickey authentication and the RSA public key algorithm. Establish an SFTP connection between Router A and Router B, so you can log in to Router B as a network administrator to manage and transfer files.
Input the modulus length [default = 1024]:
Generating Keys...
......++++++
....++++++
..++++++++
....++++++++
Create the key pair successfully.
# Generate a DSA key pair.
[RouterB] public-key local create dsa
The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Press CTRL+C to abort.
Connecting to 192.168.0.1 port 22.
The server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
sftp>
# Display files under the current directory of the server, delete the file z, and verify the result.
sftp> ...
# Generate a DSA key pair.
[RouterB] public-key local create dsa
The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
Do you want to save the server public key? [Y/N]:n
client001@192.168.0.1's password:
remote.bin                    100%  2875   2.8KB/s   00:00
NETCONF over SSH configuration example
Unless otherwise noted, the device in the configuration example operates in non-FIPS mode. When the device acts as a NETCONF-over-SSH server operating in FIPS mode, only ECDSA and RSA key pairs are supported.
.++++++++++++++++++++++++++++++++++++++++++++++++++*
..+..+..+........+
...+....+..+...+.
Create the key pair successfully.
# Generate an ECDSA key pair.
[Router] public-key local create ecdsa secp256r1
Generating Keys...
Create the key pair successfully.
# Enable NETCONF over SSH.
[Router] netconf ssh server enable
# Configure an IP address for GigabitEthernet 1/0/1. The client uses this address as the destination for the NETCONF-over-SSH connection.
Configuring SSL
Overview
Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security for TCP-based application layer protocols such as HTTP. SSL has been widely used in applications such as e-business and online banking to provide secure data transmission over the Internet.
SSL security services
SSL provides the following security services:
• ...
Figure 163 SSL protocol stack (top to bottom: application layer protocol, e.g. HTTP; SSL handshake protocol, SSL change cipher spec protocol, and SSL alert protocol; SSL record protocol)
The following describes the major functions of the SSL protocols:
• SSL record protocol—Fragments data received from the upper layer, computes and adds a MAC to the data, and encrypts the data.
Step 941. Enter system view.
  Command: system-view
Step 942. (Optional.) Disable SSL 3.0 on the device.
  Command: ssl version ssl3.0 disable
  Remarks: By default, SSL 3.0 is enabled on the device. SSL 3.0 is obsolete and vulnerable to padding-oracle attacks such as POODLE; disable it unless a legacy client requires it.
Step 943. (Optional.) Disable session renegotiation.
  Command: ssl renegotiation disable
  Remarks: By default, session renegotiation is enabled.
Step 949. Enable the SSL server to send the complete certificate chain to the client during negotiation.
  Command: certificate-chain-sending enable
  Remarks: By default, the SSL server sends only the server certificate rather than the complete certificate chain during negotiation.
Configuring an SSL client policy
An SSL client policy is a set of SSL parameters that the client uses to establish a connection to the server.
Figure 164 Network diagram (Device and Host; addresses shown: 10.1.2.1/24, 10.1.1.1/24, 10.1.1.2/24, 10.1.2.2/24)
Configuration considerations
To meet the network requirements, perform the following tasks:
• Configure the device as the HTTPS server and request a server certificate for the device. For more information about HTTPS, see Fundamentals Configuration Guide.
• ...
......++++++
........++++++
Create the key pair successfully.
# Obtain the CA certificate.
[Device] pki retrieve-certificate domain 1 ca
The trusted CA's finger print is:
    fingerprint:7682 5865 ACC2 7B16 6F52 D60F D998 4484
    SHA1 fingerprint:DF6B C53A E645 5C81 D6FC 09B0 3459 DFD1 94F6 3DDE
Is the finger print correct?(Y/N):y
Retrieved the certificates successfully.
Configuring ASPF
Overview
Advanced Stateful Packet Filter (ASPF) is proposed to address the issues that a packet-filter firewall cannot solve. ASPF provides the following main functions:
• Application layer protocol inspection—ASPF checks the application layer information of packets, such as the protocol type and port number, and inspects the application layer protocol status for each connection.
• Destination zone—A security zone for which the first packet of a traffic flow is destined. For information about security zones, see Fundamentals Configuration Guide.
ASPF inspections
This section introduces the basic idea of ASPF inspection on application layer and transport layer protocols.
Figure 166 FTP inspection (Device between the FTP client, port 1333, and the FTP server, ports 21 and 20):
1. The FTP client initiates an FTP connection to the FTP server.
2. A session entry is created for the control connection (control channel).
3. The device analyzes FTP instructions and responses, and creates associated entries for the data connection.
4. A session entry for the data connection is created (client port 1600, server port 20).
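To show what the session and data-connection entries in Figure 166 amount to in logic, here is an added Python model that is not from this guide or from the router's code. It puts a stateful FTP inspector in front of a deny-all inbound ACL: outbound packets create session entries, the control channel is parsed for the PORT command, and the resulting pinhole admits only a SYN from the server to the announced client port. Passive mode needs no pinhole in this model because the client opens the data connection outbound. The class and function names, the packet structure and the packet trace are the example's own constructions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet view: 5-tuple, direction relative to the protected
    network ("out" = internal to external, "in" = external to internal),
    payload, and the TCP SYN flag."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str
    payload: bytes = b""
    syn: bool = False


# FTP active-mode command: PORT h1,h2,h3,h4,p1,p2 (port = p1 * 256 + p2)
PORT_CMD = re.compile(rb"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.I)


def _session_key(pkt: Packet):
    """Direction-independent key so replies match the session."""
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))


class AspfFtpInspector:
    """Stateful FTP inspector in front of a deny-all inbound ACL.

    Outbound traffic is permitted and creates session entries. Inbound packets
    pass only if they belong to an existing session or are the SYN of a data
    connection that the control channel announced with PORT."""

    def __init__(self):
        self.sessions = set()
        self.pinholes = set()   # (proto, server_ip, client_ip, client_port)

    def filter(self, pkt: Packet) -> str:
        key = _session_key(pkt)
        if pkt.direction == "out":
            self.sessions.add(key)
            self._inspect_control(pkt)
            return "permit"
        if key in self.sessions:
            return "permit (established session)"
        hole = (pkt.proto, pkt.src, pkt.dst, pkt.dport)
        if hole in self.pinholes:
            if not pkt.syn:
                # The first packet of a TCP connection must be a SYN; anything
                # else arriving without a session is a forged or stray packet.
                return "deny (first packet is not a SYN)"
            self.pinholes.discard(hole)      # one connection per PORT command
            self.sessions.add(key)
            return "permit (FTP data pinhole)"
        return "deny (ACL)"

    def _inspect_control(self, pkt: Packet) -> None:
        """Application-layer inspection of the FTP control channel."""
        if pkt.proto != "tcp" or pkt.dport != 21:
            return
        m = PORT_CMD.match(pkt.payload)
        if not m:
            return
        octets = [g.decode() for g in m.groups()]
        host = ".".join(octets[:4])
        port = int(octets[4]) * 256 + int(octets[5])
        # Only open a hole back to the client itself. A PORT naming another
        # host would turn the inspector into a way to reach a third party.
        if host == pkt.src:
            self.pinholes.add(("tcp", pkt.dst, host, port))


def run_scenario() -> list:
    """Constructed trace following Figure 166: control connection from
    192.168.1.2:1333 to 2.2.2.11:21, a PORT command announcing port 1600,
    the server's data connection from port 20, then two unsolicited inbound
    packets that the ACL must still block."""
    insp = AspfFtpInspector()
    client, server = "192.168.1.2", "2.2.2.11"
    trace = [
        Packet("tcp", client, 1333, server, 21, "out", syn=True),
        Packet("tcp", server, 21, client, 1333, "in", b"220 ready\r\n"),
        Packet("tcp", client, 1333, server, 21, "out", b"PORT 192,168,1,2,6,64\r\n"),
        Packet("tcp", server, 20, client, 1600, "in", b"data without SYN"),
        Packet("tcp", server, 20, client, 1600, "in", syn=True),
        Packet("tcp", server, 20, client, 1600, "in", b"file data"),
        Packet("tcp", server, 20, client, 4444, "in", syn=True),
        Packet("tcp", server, 2222, client, 1601, "in"),
    ]
    return [insp.filter(p) for p in trace]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The trace shows the two properties that matter: the server's connection to port 1600 is admitted only because the client announced it and only once it starts with a SYN, while a connection to any other port, or a non-SYN packet with no session, falls through to the deny-all ACL.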
Command and hardware compatibility
Commands and descriptions for centralized devices apply to the following routers:
• MSR1002-4/1003-8S.
• MSR2003.
• MSR2004-24/2004-48.
• MSR3012/3024/3044/3064.
• MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A).
• MSR958 (JH300A/JH301A).
Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers.
ASPF configuration task list
Tasks at a glance
(Required.) ...
Step Command Remarks
Remarks: By default, ASPF inspection for application protocols configured. ASPF inspection for transport layer protocols is always enabled and is not configurable. ASPF inspection supports protocol status validity check for application protocols of DNS, FTP, H323, HTTP, SCCP, SIP, and SMTP.
Step Command Remarks
Step 964. Enter interface view.
  Command: interface interface-type interface-number
Step 965. Apply an ASPF policy to the interface.
  Command: aspf apply policy aspf-policy-number { inbound | outbound }
  Remarks: By default, no ASPF policy is applied to the interface.

Applying an ASPF policy to a zone pair
You can apply an ASPF policy to a zone pair to inspect traffic from the source zone to the destination zone.
Step Command Remarks
Step 970. Enable the device to send ICMP error messages for packet dropping by security policies applied to zone...
  Command: aspf icmp-error reply
  Remarks: By default, the device does not send ICMP error messages when the device drops packets that do not match security policies...
Figure 167 Network diagram (Router A: GE1/0/1 10.1.1.1/24, GE1/0/2 192.168.1.1/24; Router B; Server 2.2.2.11/24; Host 192.168.1.2/24; internal and external networks)

Configuration procedure
# Configure ACL 3111 to deny all IP packets.
<RouterA> system-view
[RouterA] acl advanced 3111
[RouterA-acl-ipv4-adv-3111] rule deny ip
[RouterA-acl-ipv4-adv-3111] quit
# Create ASPF policy 1 for FTP inspection.
on Router A. Router A can then drop faked ICMP error messages and non-SYN packets that are the first packets over TCP connections.
Figure 168 Network diagram (Router A: GE1/0/1 10.1.1.1/24, GE1/0/2 192.168.1.1/24; Router B; Server 2.2.2.11/24; Host 192.168.1.2/24; internal and external networks)...
ASPF H.323 application inspection configuration example

Network requirements
Figure 175 displays a typical H.323 application network. Gateway B on the external network needs to access the H.323 Gatekeeper and, with the assistance of the Gatekeeper, establish a connection with H.323 Gateway A. Other protocol packets from the external network are dropped. Configure a packet filter on Router A to permit only packets destined to the Gatekeeper.
Figure 170 Network diagram (Router: GE1/0/2 192.168.1.1/24 in zone Trust, GE1/0/1 10.1.1.1/24 in zone Untrust; Server 2.2.2.11/24; Host 192.168.1.2/24)

Configuration procedure
# Configure ACL 3500 to permit IP packets.
<Router> system-view
[Router] acl advanced 3500
[Router-acl-ipv4-adv-3500] rule permit ip
[Router-acl-ipv4-adv-3500] quit
# Add GigabitEthernet 1/0/2 to the security zone Trust.
[Router] security-zone name trust
[Router-security-zone-Trust] import interface gigabitethernet 1/0/2
[Router-security-zone-Trust] quit...
Source security zone: Trust
Total sessions found: 1
# Verify that only return packets that match the entries can enter the internal network. (Details not shown.)
Configuring APR

Overview
The application recognition (APR) feature recognizes application protocols of packets for features such as QoS, ASPF, and bandwidth management. APR uses the following methods to recognize an application protocol:
• Port-based application recognition (PBAR).
• Network-based application recognition (NBAR).

PBAR
PBAR maps a port to an application protocol and recognizes packets of the application protocol according to the port-protocol mapping.
You can add application protocols to a user-defined application group by using the following methods:
• Add application protocols one by one to the application group.
• Copy application protocols from another application group to the application group.

APR signature database management
APR signature database
The APR signature database is a resource library of character string signatures for application recognition.
Licensing requirements

APR configuration task list
Tasks at a glance
(Optional.) Configuring PBAR
(Optional.) Configuring a user-defined NBAR rule
(Optional.) Configuring application groups
(Optional.) Enabling application statistics on an interface
(Optional.) Managing the APR signature database
IMPORTANT:
For user-defined NBAR rules to take effect, you must configure the inspect activate command. For information about the inspect activate command, see DPI Command Reference.
Configuring a user-defined NBAR rule
You can configure user-defined NBAR rules if the predefined NBAR rules do not meet your needs. The predefined NBAR rules cannot be deleted or modified. For all NBAR rules to take effect, create a DPI application profile on the device. For information about DPI application profiles, see DPI Configuration Guide.
Step Command Remarks
Step 979. (Optional.) Specify a direction.
  Command: direction { to-client | to-server }
  Remarks: By default, the NBAR rule matches packets in both directions.
Step 980. (Optional.) Specify a port number or port range.
  Command: service-port { port-num | range start-port end-port }
  Remarks: By default, the NBAR rule matches packets of all port numbers.
When the application statistics feature is enabled on an interface, the device separately counts the number of packets or bytes that the interface has received or sent for each application protocol. It also calculates the transmission rates of the interface for these protocols. To display application statistics, use the display application statistics command.
Step Command
Step 996. Enter system view.
  Command: system-view
Step 997. Manually update the signature database.
  Command: apr signature update [ override-current ] file-path

Rolling back the APR signature database
Each time a rollback operation is performed, the device backs up the APR signature database of the current version.
Task Command
Display statistics for application protocols on an interface in descending order based on the specified criteria (distributed devices in standalone mode/centralized devices in IRF mode).
  Command: display application statistics top number { bps | bytes | packets | pps } interface interface-type interface-number [ slot slot-number ]
[Router-classifier-classifier_1] quit
# Create a traffic behavior named bdeny, and configure the action as deny.
[Router] traffic behavior bdeny
[Router-behavior-bdeny] filter deny
[Router-behavior-bdeny] quit
# Create QoS policy 1, and associate classifier_1 with traffic behavior bdeny to create a class-behavior association in the QoS policy.
[Router] qos policy 1
[Router-qospolicy-1] classifier classifier_1 behavior bdeny
[Router-qospolicy-1] quit...
[Router-obj-grp-ip-ipsfilter] quit
Create a DPI application profile named sec and enter its view.
[Router] app-profile sec
Create an object policy and rule:
# Create an IPv4 object policy named ipsfilter and enter its view.
[Router] object-policy ip ipsfilter
# Configure a rule to apply DPI application profile sec to packets that match source IPv4 address object group ipsfilter.
Managing sessions

Overview
Session management is a common module that provides basic services for NAT, ASPF, and intrusion detection and protection to implement their session-based services. Session management can be applied for the following purposes:
• Fast match between packets and sessions.
•...
Session management functions
Session management enables the device to provide the following functions:
• Creates sessions for protocol packets, updates session states, and sets aging time for sessions in different protocol states.
• Supports port mapping for application layer protocols (see "Configuring APR"), enabling application layer protocols to use customized ports.
Setting the session aging time for different protocol states
IMPORTANT:
If more than 800000 sessions exist, do not set the aging time shorter than the default for a certain protocol state. Short aging time settings can make the device slow in response.
If a session in a certain protocol state has no packet hit before the aging time expires, the device automatically removes the session.
Supported application layer protocols or applications specified in this feature depend on the APR module. For information about APR, see "Configuring APR."
To set the session aging time for different application layer protocols or applications:
Step Command Remarks
Step 1002. Enter system view.
  Command: system-view
Remarks: By default, the session aging time is 1200 seconds except for the...
Specifying persistent sessions
This task is only for TCP sessions in ESTABLISHED state. You can specify TCP sessions that match the permit statements in the specified ACL as persistent sessions, and set a longer lifetime for them or make them never age out. A never-age-out session is not removed until the device receives a connection close request from the initiator or responder, or you manually clear the session entries.
To specify the loose mode for the session state machine:
Step Command Remarks
Step 1008. Enter system view.
  Command: system-view
Step 1009. Specify the loose mode for the session state machine.
  Command: session state-machine mode loose
  Remarks: By default, the session state machine is in strict mode.

Configuring session logging
Session logs provide information about user access, IP address translation, and network traffic for security auditing.
NOTE:
To configure session logging, you must use a minimum of one command from the following commands:
• session log time-active.
• session log packets-active.
• session log bytes-active.
• session log flow-begin.
• session log flow-end.

Displaying and maintaining session management
Execute display commands in any view and reset commands in user view.
Configuring connection limits

Overview
The connection limit feature enables the device to monitor and limit the number of established connections. As shown in Figure 179, use the connection limit feature to resolve the following problems:
• If Host B initiates a large number of connections in a short period of time, it might exhaust system resources and cause Host A to be unable to access the Internet.
Creating a connection limit policy
A connection limit policy contains a set of connection limit rules, each of which defines a range of connections and the criteria for limiting the connections.
To create a connection limit policy:
Step Command Remarks
Step 1017.
Step Command Remarks
Step 1023. Enter system view.
  Command: system-view
Step 1024. Apply a connection limit policy.
  • Apply a connection limit policy globally:
    connection-limit apply global { ipv6-policy | policy } policy-id
  • Apply a connection limit policy...
  Remarks: By default, no connection limit is applied. Only one IPv4 connection limit policy and one IPv6 connection...
Configuration procedure
The following example only describes how to configure connection limits. For information about NAT configuration and internal server configuration, see Layer 3—IP Services Configuration Guide.
# Create ACL 3000 to permit packets from all hosts on the internal network.
<Router>...
Configuring object groups

Overview
An object group is a group of objects that can be used by an ACL, object policy, or object group to identify packets. Object groups are divided into the following types:
• IPv4 address object group—A group of IPv4 address objects used to match the IPv4 address in a packet.
Step Command Remarks
Step 1032. Configure an IPv6 address object.
  Command: [ object-id ] network { host { address ipv6-address | name host-name } | subnet ipv6-address prefix-length | range ipv6-address1 ipv6-address2 | group-object object-group-name }
  Remarks: By default, no objects exist.

Configuring a port object group
Step Command Remarks...
Task Command
Display information about object groups.
  Command: display object-group [ { { ip | ipv6 } address | service | port } [ default ] [ name object-group-name ] | name object-group-name ]...
Configuring object policies

Overview
An object policy is a set of rules for security control over packets between a source and a destination security zone. These two zones define a zone pair. The object policy matches the first packet of a traffic flow against the rules.
Configuring object policy rules
Configuring an IPv4 object policy rule
You can specify an existing object group in an IPv4 object policy rule for matching target IPv4 packets. If no object group is specified for a rule, the rule applies to all IPv4 packets. The following object groups can be used in a rule for packet matching:
•...
• VRF instance—Used for matching the MPLS L3VPN instances of packets.
• Application/application group—Used for matching PBAR-classified application IDs of packets. NBAR-classified applications cannot match any packets. For more information about PBAR and NBAR, see "Configuring APR." For more information about object groups, see "Configuring object groups."
To configure an IPv6 object policy rule:
Step Command...
Step Command Remarks
Step 1058. Apply an object policy to the zone pair.
  • Apply an IPv4 object policy to the zone pair:
    object-policy apply ip object-policy-name
  • Apply an IPv6 object policy to the zone pair.
  Remarks: By default, no object policy is applied to a zone pair.
Figure 175 Network diagram (Device A: GE2/0/1, GE2/0/2, GE2/0/3, GE2/0/4; financial database server 192.168.0.100/24; president office 192.168.1.0/24; financial office 192.168.2.0/24; marketing office 192.168.3.0/24)

Configuration procedure
Create a time range named work to cover 8:00 to 18:00 on weekdays.
<DeviceA> system-view
[DeviceA] time-range work 08:00 to 18:00 working-day
Create security zones:
# Create a security zone named president, and add GigabitEthernet 2/0/2 to the zone.
[DeviceA] object-group ip address finance
[DeviceA-obj-grp-ip-finance] network subnet 192.168.2.0 24
[DeviceA-obj-grp-ip-finance] quit
# Create an IPv4 address object group named market. Configure an IPv4 address object with the subnet address of 192.168.3.0/24 for the group.
[DeviceA] object-group ip address market
[DeviceA-obj-grp-ip-market] network subnet 192.168.3.0 24
[DeviceA-obj-grp-ip-market] quit
# Create an IPv4 address object group named database.
# Create a zone pair from security zone market to security zone database. Apply IPv4 object policy market-database to the zone pair.
[DeviceA] zone-pair security source market destination database
[DeviceA-zone-pair-security-market-database] object-policy apply ip market-database
[DeviceA-zone-pair-security-market-database] quit

Verifying the configuration
# Use a PC in each office to access the Web service of the financial database server through the browser.
Configuring attack detection and prevention

Overview
Attack detection and prevention enables a device to detect attacks by inspecting arriving packets, and to take prevention actions to protect a private network. Prevention actions include logging, packet dropping, blacklisting, and client verification.

Command and hardware compatibility
Commands and descriptions for centralized devices apply to the following routers:
•...
Single-packet attack | Description
ICMP type | A receiver responds to an ICMP packet according to its type. An attacker sends forged ICMP packets of a specific type to affect the packet processing of the victim.
ICMPv6 type | A receiver responds to an ICMPv6 packet according to its type. An attacker sends forged ICMPv6 packets of specific types to affect the packet processing of the victim.
Single-packet attack | Description
Teardrop | An attacker sends a stream of overlapping fragments. The victim will crash when it tries to reassemble the overlapping fragments.
Ping of death | An attacker sends the victim an ICMP echo request larger than 65535 bytes, which violates the IP protocol. When the victim reassembles the packet, a buffer overflow can occur, which causes a system crash.
An RST flood attacker sends a large number of forged RST packets to a server. The victim might shut down correct connections, or be unable to provide services because it is busy searching for matching connections.
• DNS flood attack. The DNS server processes and replies to all DNS queries that it receives.
Address object group blacklist
The address object group blacklist feature is an attack prevention method that filters packets by address object group. The address object group blacklist feature must be used together with the address object group feature. An address object group is a set of IP address objects. For more information about address object groups, see "Configuring object groups."...
• SYN cookie—Enables bidirectional TCP proxy for TCP clients and servers.
As shown in Figure 183, if packets from clients and servers pass through the TCP proxy device, either safe reset or SYN cookie can be used.
Figure 177 Safe reset/SYN cookie mode application (TCP client, TCP proxy, TCP server)...
In SYN cookie mode, the TCP proxy is the server proxy that communicates with clients and the client proxy that communicates with the server. Choose this mode when the following requirements are met:
• The TCP proxy device is deployed on the key path that passes through the ingress and egress of the protected server.
Figure 180 DNS client verification process (DNS client, DNS client authenticator, DNS server)
(1) DNS Query (UDP), client to authenticator
(2) DNS (TC), authenticator to client
(3) DNS Query (TCP SYN), client to authenticator
(4) TCP SYN-ACK + cookie, authenticator to client
(5) TCP RST + cookie, client to authenticator
(6) DNS Query (UDP), client to authenticator
(7) DNS Query (UDP) (forwarding), authenticator to server
The DNS client verification feature requires that clients use the standard TCP/IP protocol suite and DNS protocol.
Figure 181 HTTP client verification process (HTTP client, HTTP client authenticator, HTTP server)
TCP three-way handshake:
  SYN (seq=x)
  SYN ACK (seq=cookie, ack=x+1)
  ACK (seq=x+1, ack=cookie+1)
The first redirect verification:
  HTTP Get (URI)
  Redirect (URI+string)
The second redirect verification:
  HTTP Get (URI+string)
  Redirect (URI)
SYN ACK...
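The handshake at the top of Figure 181 (and steps 4 and 5 of the DNS flow in Figure 180) is the cookie exchange that lets the authenticator verify a client without keeping state for every SYN. The following is an added example, not the router's code, that models the authenticator side of that exchange: it answers every SYN with a SYN ACK whose sequence number is a cookie, and accepts the client only when the ACK carries cookie+1. The cookie construction (an HMAC over the four-tuple plus a time slot, 64-second slots, a two-slot validity window), the secret, the addresses and the traffic are all constructed assumptions; the page does not say how the device derives its cookie.

```python
# Added example, not the router's own code: a stateless client verification
# authenticator modelled on the handshake in Figure 181
# (SYN -> SYN ACK with seq=cookie -> ACK with ack=cookie+1).  The cookie
# construction (HMAC over the 4-tuple and a time slot) and the 64-second
# slot width are assumptions; the page does not describe the device's cookie.
import hashlib
import hmac
import time


class ClientVerifyAuthenticator:
    """Answers every SYN with a cookie and keeps no half-open state; a client
    is trusted only after it returns a valid cookie+1 in its ACK."""

    SLOT_SECONDS = 64  # assumption: cookies stay valid for roughly two slots

    def __init__(self, secret: bytes, now=time.time):
        self.secret = secret
        self.now = now
        self.verified = set()  # (client_ip, client_port) that passed verification

    def _cookie(self, client, server, slot):
        msg = f"{client[0]}:{client[1]}|{server[0]}:{server[1]}|{slot}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        mac24 = int.from_bytes(digest[:3], "big")
        return (mac24 << 8) | (slot & 0xFF)  # 24-bit MAC, time slot in the low byte

    def _slot(self):
        return (int(self.now()) // self.SLOT_SECONDS) & 0xFF

    def on_syn(self, client, server, seq_x):
        """Reply to a SYN (seq=x) with SYN ACK (seq=cookie, ack=x+1); nothing is stored."""
        return {"flags": "SYN ACK",
                "seq": self._cookie(client, server, self._slot()),
                "ack": (seq_x + 1) & 0xFFFFFFFF}

    def on_ack(self, client, server, seq, ack):
        """Validate ACK (ack=cookie+1). Returns True when the client is verified."""
        cookie = (ack - 1) & 0xFFFFFFFF
        slot = cookie & 0xFF
        if (self._slot() - slot) & 0xFF > 1:
            return False  # cookie too old, or the slot byte was forged
        expected = self._cookie(client, server, slot).to_bytes(4, "big")
        if not hmac.compare_digest(expected, cookie.to_bytes(4, "big")):
            return False
        self.verified.add(client)
        return True


def simulate():
    """Constructed exchange: one real client completes the handshake, while a
    spoofed SYN flood and a forged ACK leave no state and are rejected."""
    auth = ClientVerifyAuthenticator(secret=b"constructed-demo-secret",
                                     now=lambda: 1_700_000_000.0)
    server = ("192.168.1.2", 80)      # constructed protected server
    client = ("10.1.1.5", 40001)      # constructed legitimate client

    synack = auth.on_syn(client, server, seq_x=1000)
    real_ok = auth.on_ack(client, server, seq=1001, ack=synack["seq"] + 1)

    # Spoofed sources never answer the SYN ACK; nothing was stored for them.
    for i in range(1000):
        auth.on_syn((f"5.5.5.{i % 250}", 1024 + i), server, seq_x=i)
    forged_ok = auth.on_ack(("5.5.5.5", 1025), server, seq=2, ack=0x12345678)

    return {"real_ok": real_ok, "forged_ok": forged_ok,
            "verified": sorted(auth.verified),
            "seq_is_x_plus_1": synack["ack"] == 1001}
```

The point the figure makes, and the model shows, is that the authenticator's memory does not grow with the number of SYNs it receives; only clients that complete the handshake are recorded, which is what makes the approach usable under a SYN flood.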
Tasks at a glance
(Optional.) Configuring the user blacklist
(Optional.) Configuring the address object group blacklist
(Optional.) Configuring the address object group whitelist
(Optional.) Enabling the login delay

Configuring an attack defense policy
Creating an attack defense policy
An attack defense policy can contain a set of attack detection and prevention configuration against multiple attacks.
Step Command Remarks
Step 1072. (Optional.) Enable signature detection for single-packet attacks of a specific level.
  Command: signature level { high | info | low | medium } detect
  Remarks: By default, signature detection is disabled for all levels of single-packet attacks.

Configuring a scanning attack defense policy
Apply a scanning attack defense policy to the interface that is connected to the external network.
Step Command Remarks
Step 1077. Enter attack defense policy view.
  Command: attack-defense policy policy-name
Step 1078. Enable global SYN flood attack detection.
  Command: syn-flood detect non-specific
  Remarks: By default, global SYN flood attack detection is disabled.
Step 1079. Set the global trigger threshold for SYN flood...
  Command: syn-flood threshold
  Remarks: The default setting is 1000.
Step Command Remarks
Step 1092. Specify global actions against SYN-ACK flood attacks.
  Command: syn-ack-flood action { client-verify | drop | logging } *
  Remarks: By default, no global action is specified for SYN-ACK flood attacks.
Step 1093. Configure IP address-specific SYN-ACK...
  Command: syn-ack-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold...
  Remarks: By default, IP address-specific...
Step Command Remarks
Step 1133. Enable global HTTP flood attack detection.
  Command: http-flood detect non-specific
  Remarks: By default, global HTTP flood attack detection is disabled.
Step 1134. Set the global trigger threshold for HTTP flood attack prevention.
  Command: http-flood threshold threshold-value
  Remarks: The default setting is 1000.
Step 1135.
Applying an attack defense policy to an interface
An attack defense policy does not take effect unless you apply it to an interface. If you apply an attack defense policy to a global interface, specify a service card to process traffic for the interface.
Enabling log non-aggregation for single-packet attack events
Log aggregation aggregates all logs generated in a period and sends one log. The logs with the same attributes for the following items can be aggregated:
• Interface where the attack is detected.
•...
Step Command Remarks
Step 1150. (Optional.) Specify an IP address to be protected by the TCP client verification feature.
  Command: client-verify tcp protected { ip destination-ip-address | ipv6 destination-ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-number ]
  Remarks: By default, the TCP client verification feature does not protect any IP address.
  interface interface-type...
Configuring HTTP client verification
Configure HTTP client verification on the interface that is connected to the external network. The HTTP client verification protects internal HTTP servers against HTTP flood attacks. IP addresses protected by HTTP client verification can be manually added or automatically learned:
•...
Step Command Remarks
Step 1161. Enter system view.
  Command: system-view
Step 1162. (Optional.) Enable the global blacklist feature.
  Command: blacklist global enable
  Remarks: By default, the global blacklist feature is disabled. If the global blacklist feature is enabled, the blacklist feature is enabled on all interfaces.
Step 1163.
  Command: blacklist source-ip-address...
Configuring the address object group blacklist
The address object group blacklist feature filters packets sourced from the subnets specified in the blacklisted address object group. An address object group can only be manually added to or deleted from the blacklist. The address object group blacklist feature must be used together with the address object group feature.
Enabling the login delay
The login delay feature delays the device from accepting a login request from a user after the user fails a login attempt. This feature can slow down login dictionary attacks. Login delay is independent of the attack defense policy.
To enable the login delay:
Step Command...
Task Command
Display information about IPv4 scanning attackers (distributed devices in IRF mode).
  Command: display attack-defense scan attacker ip [ [ interface interface-type interface-number | local ] [ chassis chassis-number slot slot-number ] ] [ count ]
Display information about IPv6 scanning attackers (centralized devices in standalone...
  Command: display attack-defense scan attacker ipv6 [ interface...
Figure 182 Network diagram (Router: GE1/0/1, GE1/0/2, GE1/0/3; 192.168.1.1/16, 202.1.0.1/16, 10.1.1.1/24; Internet; Host A, Host B; Attacker Host D 5.5.5.5/24; Host C; Server 10.1.1.2/24)

Configuration procedure
# Configure IP addresses for the interfaces on the router. (Details not shown.)
# Enable the global blacklist feature.
<Router>...
--------------------------------------------------------------------------
Actions: CV-Client verify  BS-Block source  L-Logging  D-Drop  N-None
Signature attack defense configuration:
Signature name                 Defense   Level    Actions
Fragment                       Disabled
Impossible                     Disabled  medium
Teardrop                       Disabled  medium
Tiny fragment                  Disabled
IP option abnormal             Disabled  medium
Smurf                          Enabled   medium
Traceroute                     Disabled
Ping of death                  Disabled  medium
Large ICMP...
ICMPv6 echo reply                     Disabled  info
ICMPv6 group membership query         Disabled  info
ICMPv6 group membership report        Disabled  info
ICMPv6 group membership reduction     Disabled  info
ICMPv6 destination unreachable        Disabled  info
ICMPv6 time exceeded                  Disabled  info
ICMPv6 parameter problem              Disabled  info
ICMPv6 packet too big                 Disabled  info
Scan attack defense configuration:...
IP blacklist configuration example

Network requirements
As shown in Figure 189, configure the IP blacklist feature on the router to block packets from the attacker Host D permanently and from Host C for 50 minutes.
Figure 183 Network diagram (Host A, Host B, Attacker, Router)...
Figure 184 Network diagram (Router: GE1/0/1, GE1/0/2; Internet; User A, User B; User C with IP 1.2.3.4 and MAC 0001-0001-0001)

Configuration procedure
Configure IP addresses for the interfaces on the router. (Details not shown.)
Configure user identification:
# Add a network access user named userc.
<Router>...
Figure 185 Network diagram (Router: GE1/0/1, GE1/0/2; 202.1.0.1/16, 192.168.1.1/16; Host A; IP network; Attacker 5.5.5.0/24; Host B)

Configuration procedure
# Configure IP addresses for the interfaces on the router. (Details not shown.)
# Enable the global blacklist feature.
<Router> system-view
[Router] blacklist global enable
# Create IPv4 address object group obj1.
[Router] object-group ip address obj1
[Router-obj-grp-ip-obj1] network subnet 5.5.5.0 24
[Router-obj-grp-ip-obj1] quit
# Add IPv4 address object group obj1 to the whitelist.
[Router] whitelist object-group obj1

Verifying the configuration
# Verify that the router allows all packets from subnet 5.5.5.0/24 to pass through unless you execute the undo whitelist object-group obj1 command on the router.
[Router-GigabitEthernet1/0/1] quit

Verifying the configuration
# Launch a SYN flood attack. (Details not shown.)
# Verify that the victim's IP address is added to the protected IP list for TCP client verification.
[Router] display client-verify tcp protected ip
IP address       VPN instance     Port    Type...
[Router-GigabitEthernet1/0/1] client-verify dns enable
[Router-GigabitEthernet1/0/1] quit

Verifying the configuration
# Launch a DNS flood attack. (Details not shown.)
# Verify that the victim's IP address is added to the protected IP list for DNS client verification.
[Router] display client-verify dns protected ip
IP address       VPN instance     Port...
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] client-verify http enable
[Router-GigabitEthernet1/0/1] quit

Verifying the configuration
# Launch an HTTP flood attack. (Details not shown.)
# Verify that the victim's IP address is added to the protected IP list for HTTP client verification.
[Router] display client-verify http protected ip
IP address       VPN instance...
Configuring IP source guard

Overview
IP source guard (IPSG) prevents spoofing attacks by using an IPSG binding table to match legitimate packets. It drops packets that do not match the table. IPSG is a per-interface packet filter. Configuring the feature on one interface does not affect packet forwarding on another interface. The IPSG bindings fall into the following types:
•...
• MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A).
• MSR958 (JH300A/JH301A).
Static IPSG bindings are configured manually. They are suitable for scenarios where few hosts exist on a LAN and their IP addresses are manually configured. For example, you can configure a static IPSG binding on an interface that connects to a server. This binding allows the interface to receive packets only from the server.
In a WLAN network, IPv6SG can generate bindings based on WLAN snooping for modules to provide security services.

Command and hardware compatibility
Commands and descriptions for centralized devices apply to the following routers:
• MSR1002-4/1003-8S.
• MSR2003.
• MSR2004-24/2004-48.
• MSR3012/3024/3044/3064.
Step Command Remarks
Step 1186. Enter system view.
  Command: system-view
Step 1187. Enter Layer ... Ethernet interface view.
  Command: interface interface-type interface-number
Step 1188. Enable the IPv4SG feature.
  Command: ip verify source { ip-address | ip-address mac-address | mac-address }
  Remarks: By default, the IPv4SG feature is disabled on an interface. If you configure this command on an...
Step Command Remarks
Step 1193. Enter Layer ... Ethernet interface view.
  Command: interface interface-type interface-number
Step 1194. Enable the IPv6SG feature.
  Command: ipv6 verify source { ip-address | ip-address mac-address | mac-address }
  Remarks: By default, the IPv6SG feature is disabled on an interface. If you configure this command on an interface multiple times, the most recent configuration takes effect.
[DeviceA-GigabitEthernet1/0/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406
[DeviceA-GigabitEthernet1/0/1] quit
Configure Device B:
# Configure an IP address for each interface. (Details not shown.)
# Enable IPv4SG on GigabitEthernet 1/0/2.
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] ip verify source ip-address mac-address
[DeviceB-GigabitEthernet1/0/2] quit
# On GigabitEthernet 1/0/2, configure a static IPv4SG binding for Host A.
• Enable dynamic IPv4SG on GigabitEthernet 1/0/1 to filter incoming packets by using the IPv4SG bindings generated based on DHCP snooping entries. Only packets from the DHCP client are allowed to pass.
Figure 192 Network diagram (DHCP client; DHCP snooping device with GE1/0/1 and GE1/0/2; DHCP server)...
Figure 193 Network diagram (Device with GE1/0/1; Internet; Host with IP 2001::1 and MAC 0001-0202-0202)

Configuration procedure
# Enable IPv6SG on GigabitEthernet 1/0/1.
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ipv6 verify source ip-address mac-address
# On GigabitEthernet 1/0/1, configure a static IPv6SG binding for the host.
[Device-GigabitEthernet1/0/1] ipv6 source binding ip-address 2001::1 mac-address 0001-0202-0202
[Device-GigabitEthernet1/0/1] quit...
# Configure GigabitEthernet 1/0/2 as a trusted interface.
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] ipv6 dhcp snooping trust
[Device-GigabitEthernet1/0/2] quit
Enable IPv6SG:
# Enable IPv6SG on GigabitEthernet 1/0/1 and verify the source IP address and MAC address for dynamic IPv6SG.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ipv6 verify source ip-address mac-address
# Enable recording of client information in DHCPv6 snooping entries on GigabitEthernet 1/0/1.
Configuring ARP attack protection
ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks. Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
Configuring unresolvable IP attack protection
If a device receives a large number of unresolvable IP packets from a host, the following situations can occur:
• The device sends a large number of ARP requests, overloading the target subnets.
• The device keeps trying to resolve the destination IP addresses, overloading its CPU.
To protect the device from such IP attacks, you can configure the following features:
•...
Displaying and maintaining unresolvable IP attack protection
Execute display commands in any view.
Task Command
Display source suppression configuration information.
  Command: display arp source-suppression

Configuration example
Network requirements
As shown in Figure 201, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20.
Configuring source MAC-based ARP attack detection
This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within 5 seconds exceeds a threshold, the device adds the MAC address to an ARP attack entry.
Configuration procedure
# Enable source MAC-based ARP attack detection, and specify the handling method as filter.
<Device> system-view
[Device] arp source-mac filter
# Set the threshold to 30.
[Device] arp source-mac threshold 30
# Set the lifetime for ARP attack entries to 60 seconds.
[Device] arp source-mac aging-time 60
# Exclude MAC address 0012-3f86-e94c from this detection.
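To make the detection logic described above concrete, here is an added example, not the device's own code, that models source MAC-based ARP attack detection as a sliding-window counter: packets per source MAC over 5 seconds, an attack entry once the count exceeds the threshold (30 in the procedure), aging of the entry after the configured lifetime (60 seconds), and an exclusion list for the MAC the procedure excludes. The MAC addresses other than 0012-3f86-e94c, the "monitor" action name, and the choice to drop the packet that crosses the threshold are constructed assumptions.

```python
# Added example, not the device's own code: a model of source MAC-based ARP
# attack detection.  It counts ARP packets per source MAC over a 5-second
# window, creates an attack entry when the count exceeds the threshold, ages
# the entry out after the configured lifetime, and honours an exclusion list.
# Assumptions: the packet that crosses the threshold is itself dropped in
# filter mode, and the non-filter action is called "monitor".
from collections import defaultdict, deque

WINDOW_SECONDS = 5  # the feature counts packets from one MAC within 5 seconds


class ArpSourceMacDetector:
    def __init__(self, threshold=30, aging_time=60, action="filter", excluded=()):
        self.threshold = threshold        # packets per window that may be exceeded once
        self.aging_time = aging_time      # lifetime of an attack entry, in seconds
        self.action = action              # "filter" drops; "monitor" only records
        self.excluded = {m.lower() for m in excluded}  # MACs never examined
        self.recent = defaultdict(deque)  # mac -> arrival times inside the window
        self.attack_entries = {}          # mac -> time at which the entry ages out
        self.events = []                  # (time, event, mac), what a log would carry

    def _age_out(self, now):
        for mac, expiry in list(self.attack_entries.items()):
            if now >= expiry:
                del self.attack_entries[mac]
                self.events.append((now, "aged-out", mac))

    def handle(self, now, src_mac):
        """Process one ARP packet delivered to the CPU; return "forward" or "drop"."""
        mac = src_mac.lower()
        self._age_out(now)
        if mac in self.excluded:
            return "forward"
        blocked = "drop" if self.action == "filter" else "forward"
        if mac in self.attack_entries:
            return blocked
        window = self.recent[mac]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) > self.threshold:
            self.attack_entries[mac] = now + self.aging_time
            self.events.append((now, "attack-entry", mac))
            window.clear()
            return blocked
        return "forward"


def simulate():
    """Constructed traffic: one MAC sends 31 ARP packets in the same second,
    the excluded MAC floods too, a normal host sends one packet, and the
    attack entry ages out 60 seconds later."""
    det = ArpSourceMacDetector(threshold=30, aging_time=60, action="filter",
                               excluded=["0012-3f86-e94c"])
    flood = [det.handle(0, "00aa-bbcc-dd01") for _ in range(31)]   # constructed attacker MAC
    return {
        "first_drop_index": flood.index("drop"),      # 30: the 31st packet exceeds 30
        "entry_created": "00aa-bbcc-dd01" in det.attack_entries,
        "later_packet": det.handle(4, "00aa-bbcc-dd01"),
        "excluded_dropped": "drop" in [det.handle(4, "0012-3f86-e94c") for _ in range(100)],
        "normal_host": det.handle(5, "00aa-bbcc-dd02"),   # constructed ordinary host
        "after_aging": det.handle(60, "00aa-bbcc-dd01"),
        "aged_out_logged": any(e[1] == "aged-out" for e in det.events),
    }
```

The excluded MAC is checked before any counting so that an entry can never be created for it, which is the behaviour an exclusion should have; the events list is where a real implementation would emit the log that tells an operator which MAC tripped the threshold and when its entry expired.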
Configuring authorized ARP
Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP server or dynamic client entries on the DHCP relay agent. For more information about the DHCP server and DHCP relay agent, see Layer 3—IP Services Configuration Guide. With authorized ARP enabled, an interface is disabled from learning dynamic ARP entries.
Configuration procedure
To configure user validity check:
Step Command Remarks
Step 1217. Enter system view.
  Command: system-view
Step 1218. (Optional.) Configure a user validity check rule.
  Command: arp detection rule rule-id { deny | permit } { ip-address [ mask ] | any }
  Remarks: By default, no user validity check rule is configured.
Step Command Remarks
Step 1230. (Optional.) Configure the interface as a trusted interface excluded from attack detection.
  Command: arp detection trust
  Remarks: By default, an interface is untrusted.

Configuring ARP restricted forwarding
NOTE:
ARP restricted forwarding does not apply to ARP packets with multiport MAC as their destination MAC addresses.
Figure 199 Network diagram (Router A as gateway and DHCP server, Vlan-int10 10.1.1.1/24, GE1/0/3; Router B with DHCP snooping, GE1/0/3, GE1/0/1, GE1/0/2, VLAN 10; Host A and Host B: DHCP client; 10.1.1.6 with MAC 0001-0203-0607)

Configuration procedure
Add all interfaces on Router B to VLAN 10, and specify the IP address of VLAN-interface 10 on Router A.
[RouterB] interface gigabitethernet 1/0/2
[RouterB-GigabitEthernet1/0/2] ip source binding ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10
[RouterB-GigabitEthernet1/0/2] quit
# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.
[RouterB] arp detection validate dst-mac ip src-mac
After the configurations are completed, Router B first checks the validity of ARP packets received on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
Fixed ARP converts existing dynamic ARP entries (including those generated through ARP scanning) to static ARP entries. This feature prevents ARP entries from being modified by attackers. Static ARP entries can also be configured manually with the arp static command.

Configuration restrictions and guidelines

Follow these restrictions and guidelines when you configure ARP scanning and fixed ARP:
•...
Configuring ARP filtering

The ARP filtering feature can prevent gateway spoofing and user spoofing attacks. An interface enabled with this feature checks the sender IP and MAC addresses in a received ARP packet against the permitted entries. If a match is found, the packet is processed normally. If not, the packet is discarded.
Figure 202 Network diagram (Router A: gateway, 10.1.1.1/24; Router B: GE1/0/3 toward Router A, GE1/0/1 to Host A, GE1/0/2 to Host B)

Configuration procedure

# Configure ARP filtering on Router B.
<RouterB> system-view
[RouterB] interface gigabitethernet 1/0/1
[RouterB-GigabitEthernet1/0/1] arp filter binding 10.1.1.2 000f-e349-1233
[RouterB-GigabitEthernet1/0/1] quit
[RouterB] interface gigabitethernet 1/0/2
[RouterB-GigabitEthernet1/0/2] arp filter binding 10.1.1.3 000f-e349-1234

Verifying the configuration...
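The checks that arp detection validate (dst-mac, ip, src-mac) and the per-interface IP/MAC bindings perform on an ARP packet can be written out against raw frames. The following Python is an added example, not device code: the frame builder constructs sample ARP frames, the exact rule applied by the ip check (sender IP always checked, target IP only in replies, all-zero, all-ones and multicast addresses invalid) is an assumption, and the bindings are the ones from the two examples above.

```python
import struct
from ipaddress import IPv4Address


def mac_str(b: bytes) -> str:
    """Format 6 raw bytes in the xxxx-xxxx-xxxx style used in the configuration."""
    h = b.hex()
    return f"{h[:4]}-{h[4:8]}-{h[8:]}"


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace("-", "").replace(":", ""))


def build_arp(eth_dst, eth_src, op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Construct an Ethernet II + ARP frame (sample input, not captured traffic)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)     # Ethernet/IPv4, op 1=request 2=reply
    arp += mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    if frame[12:14] != b"\x08\x06":
        raise ValueError("not an ARP frame")
    return {"eth_dst": mac_str(frame[:6]), "eth_src": mac_str(frame[6:12]),
            "op": struct.unpack("!H", frame[20:22])[0],
            "sender_mac": mac_str(frame[22:28]), "sender_ip": IPv4Address(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": IPv4Address(frame[38:42])}


def _bad_ip(ip: IPv4Address) -> bool:
    return ip in (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")) or ip.is_multicast


def validate_arp(frame: bytes, checks=("dst-mac", "ip", "src-mac")) -> str:
    """Packet validity check: return 'ok' or the reason the packet is dropped."""
    p = parse_arp(frame)
    if "src-mac" in checks and p["eth_src"] != p["sender_mac"]:
        return "src-mac mismatch"
    # dst-mac is only meaningful for replies; requests are normally broadcast
    if "dst-mac" in checks and p["op"] == 2 and p["eth_dst"] != p["target_mac"]:
        return "dst-mac mismatch"
    if "ip" in checks:
        # assumed rule: sender IP always checked, target IP only for replies
        if _bad_ip(p["sender_ip"]) or (p["op"] == 2 and _bad_ip(p["target_ip"])):
            return "invalid ip"
    return "ok"


def user_validity_check(frame: bytes, vlan: int, bindings: set, trusted=False) -> bool:
    """User validity check: sender IP/MAC must match a binding on untrusted interfaces."""
    if trusted:
        return True
    p = parse_arp(frame)
    return (str(p["sender_ip"]), p["sender_mac"], vlan) in bindings
```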
Configuring uRPF

Overview

Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.
Link layer check—Strict uRPF check can further perform link layer check on a packet. It uses the next hop address in the matching FIB entry to look up the ARP table for a matching entry. If the source MAC address of the packet matches the MAC address in the matching ARP entry, the packet passes strict uRPF check.
Figure 204 uRPF work flow (decision points, in order: multicast destination address? all-zero source address? broadcast destination address? use the source address to look up the FIB table; matching FIB entry found? InLoop interface found? InLoop receiving interface? default route found? default route allowed? do interfaces match? loose check?)
uRPF checks address validity:
• uRPF permits a packet with a multicast destination address.
• For a packet with an all-zero source address, uRPF permits the packet if it has a broadcast destination address. (A packet with source address 0.0.0.0 and destination address 255.255.255.255 might be a DHCP or BOOTP packet and cannot be discarded.) uRPF proceeds to step 7 if the packet has a non-broadcast destination address.
Network application

Figure 205 Network diagram (ISP A, ISP B and ISP C interconnected with uRPF (loose); uRPF (strict) toward the User network)

As shown in Figure 211, strict uRPF check is configured between an ISP network and a customer network. Loose uRPF check is configured between ISPs. For special packets or users, you can configure ACLs.

• Do not configure the allow-default-route keyword for loose uRPF check. Otherwise, uRPF might fail to work.

To enable uRPF on an interface:

Step 1. Enter system view.
  Command: system-view
Step 2. Enter interface view.
  Command: interface interface-type interface-number
Step 3.
  Command: urpf loose [ allow-default-route ] [ acl ...
[RouterB-acl-ipv4-basic-2010] rule permit source 10.1.1.0 0.0.0.255
[RouterB-acl-ipv4-basic-2010] quit
# Specify an IP address for GigabitEthernet 1/0/1.
[RouterB] interface gigabitethernet 1/0/1
[RouterB-GigabitEthernet1/0/1] ip address 1.1.1.2 255.255.255.0
# Configure strict uRPF check on GigabitEthernet 1/0/1.
[RouterB-GigabitEthernet1/0/1] ip urpf strict acl 2010

Configure Router A:
# Specify an IP address for GigabitEthernet 1/0/1.
Configuring IPv6 uRPF

Overview

Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.

• IPv6 ACLs—To identify specific packets as valid packets, you can use an IPv6 ACL to match these packets. Even if the packets do not pass the IPv6 uRPF check, they are still forwarded.

IPv6 uRPF operation

IPv6 uRPF does not check multicast packets. Figure 214 shows how IPv6 uRPF works.
   If no, IPv6 uRPF proceeds to step 2.
2. IPv6 uRPF checks whether the source address matches a unicast route:
   • If yes, IPv6 uRPF proceeds to step 3.
   • If no, IPv6 uRPF proceeds to step 6.
   A non-unicast source address matches a non-unicast ...
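The uRPF decision flow (the IPv4 work flow in Figure 204 with its address validity step, and the IPv6 steps above) can be expressed as one function over a FIB, since the same questions are asked in both families. The Python below is an added model, not the device implementation: the FIB entries, ARP table, ACL and interface names are constructed, InLoop0 stands for the InLoop interface in the figure, and the handling of the default route and of the link layer check follows the descriptions in this chapter.

```python
from ipaddress import ip_address, ip_network


class Urpf:
    """Model of the uRPF decision flow for IPv4 and IPv6 (added example, not device code).

    fib: list of (prefix, out_interface, next_hop); a /0 or ::/0 prefix is the default
    route and next_hop may be None. arp: {next_hop: mac} used by the optional strict-mode
    link layer check. acl: source networks whose packets are forwarded even when the
    uRPF check fails. All values are constructed for the example.
    """

    def __init__(self, fib, arp=None, acl=()):
        self.fib = [(ip_network(p), i, n) for p, i, n in fib]
        self.arp = arp or {}
        self.acl = [ip_network(a) for a in acl]

    def _fib_lookup(self, src):
        """Longest prefix match within the packet's address family."""
        best = None
        for net, iface, nh in self.fib:
            if net.version == src.version and src in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, iface, nh)
        return best

    def _acl_permits(self, src):
        return any(n.version == src.version and src in n for n in self.acl)

    def check(self, src, dst, in_iface, mode="strict", allow_default=False,
              src_mac=None, link_check=False):
        """Return True if the packet passes uRPF (or the ACL), False if it is dropped."""
        src, dst = ip_address(src), ip_address(dst)
        # Address validity: multicast destinations are never checked.
        if dst.is_multicast:
            return True
        if src.version == 4 and src == ip_address("0.0.0.0"):
            # 0.0.0.0 -> 255.255.255.255 may be DHCP/BOOTP and must not be dropped.
            return dst == ip_address("255.255.255.255") or self._acl_permits(src)
        # The source must match a unicast route in the FIB.
        entry = None if src.is_multicast else self._fib_lookup(src)
        if entry is None:
            return self._acl_permits(src)
        net, out_iface, next_hop = entry
        # A source that is one of the device's own addresses resolves to InLoop0;
        # it is only legitimate when the packet was also received on InLoop0.
        if out_iface == "InLoop0":
            return in_iface == "InLoop0" or self._acl_permits(src)
        if net.prefixlen == 0 and not allow_default:
            return self._acl_permits(src)
        if mode == "loose":
            return True
        if out_iface != in_iface:
            return self._acl_permits(src)
        # Strict mode may additionally compare the source MAC with the ARP entry
        # of the matching route's next hop (link layer check).
        if link_check and next_hop in self.arp and self.arp[next_hop] != src_mac:
            return self._acl_permits(src)
        return True
```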
Network application

Figure 209 Network diagram (ISP A, ISP B and ISP C interconnected with IPv6 uRPF (loose); IPv6 uRPF (strict) toward the User network)

As shown in Figure 215, strict IPv6 uRPF check is configured between an ISP network and a customer network. Loose IPv6 uRPF check is configured between ISPs. For special packets or users, you can configure IPv6 ACLs.

• Do not configure the allow-default-route keyword for loose IPv6 uRPF check. Otherwise, IPv6 uRPF might fail to work.

To enable IPv6 uRPF on an interface:

Step 1. Enter system view.
  Command: system-view
Step 2. Enter interface view.
  Command: interface interface-type interface-number
Step 3.
  Remarks: By default, IPv6 uRPF is disabled.
[RouterB-acl-ipv6-basic-2010] quit
# Specify an IPv6 address for GigabitEthernet 1/0/1.
[RouterB] interface gigabitethernet 1/0/1
[RouterB-GigabitEthernet1/0/1] ipv6 address 1000::2/64
# Configure strict uRPF check on GigabitEthernet 1/0/1.
[RouterB-GigabitEthernet1/0/1] ipv6 urpf strict acl 2010

Configure Router A:
# Specify an IPv6 address for GigabitEthernet 1/0/1.
<RouterA>...
Configuring crypto engines

Overview

Crypto engines encrypt and decrypt data for service modules. Crypto engines include the following types:
• Hardware crypto engines—A hardware crypto engine is a coprocessor integrated on a CPU or hardware crypto card. Hardware crypto engines can accelerate encryption/decryption speed, which improves device processing efficiency.

Configuring FIPS

Overview

Federal Information Processing Standards (FIPS) was developed by the National Institute of Standards and Technology (NIST) of the United States. FIPS specifies the requirements for cryptographic modules. FIPS 140-2 defines four levels of security, named Level 1 to Level 4, from low to high.
e. Delete the local user and configure a new local user. Local user attributes include password, user role, and service type.
f. Save the current configuration file.
g. Specify the current configuration file as the startup configuration file.
h. Reboot the device. The new configuration takes effect after the reboot. During this process, do not exit the system or perform other operations.

• A password that complies with the password control policies as described in step and step .
• A user role of network-admin.
• A service type of terminal.
Delete the FIPS-incompliant local user service types Telnet, HTTP, and FTP.
Enable FIPS mode.
Select the manual reboot method.
Exiting FIPS mode

After you disable FIPS mode and reboot the device, the device operates in non-FIPS mode. The system provides two methods to exit FIPS mode: automatic reboot and manual reboot.

Automatic reboot

Select the automatic reboot method. The system automatically creates a default non-FIPS configuration file named non-fips-startup.cfg, and specifies the file as the startup configuration file.

NOTE: If a self-test fails, contact Hewlett Packard Enterprise Support.

Power-up self-tests

The power-up self-test, also called the known-answer test, examines the availability of FIPS-allowed cryptographic algorithms. A cryptographic algorithm is run on data for which the correct output is already known. The calculated output is compared with the known answer. If they are not identical, the known-answer test fails.
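A known-answer test in the sense described above is a table of (algorithm, input, expected output) triples that every algorithm must reproduce before the module is allowed to operate. The Python below is an added illustration, not the device's self-test: it uses the hash and HMAC algorithms available in Python's standard library with published test values, whereas the device tests its own set of FIPS-allowed algorithms.

```python
import hashlib
import hmac

# Known-answer vectors: SHA-1 and SHA-256 of "abc" (the standard example values)
# and HMAC-SHA-256 with key "key" over the "quick brown fox" message.
KNOWN_ANSWERS = {
    "SHA-1": (lambda m: hashlib.sha1(m).hexdigest(), b"abc",
              "a9993e364706816aba3e25717850c26c9cd0d89d"),
    "SHA-256": (lambda m: hashlib.sha256(m).hexdigest(), b"abc",
                "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    "HMAC-SHA-256": (lambda m: hmac.new(b"key", m, hashlib.sha256).hexdigest(),
                     b"The quick brown fox jumps over the lazy dog",
                     "f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8"),
}


def run_known_answer_tests(vectors=KNOWN_ANSWERS):
    """Run each algorithm on its known input and compare with the known answer.

    Returns {algorithm: 'pass' | 'fail' | 'error: ...'}. An algorithm that is
    missing or raises counts as unavailable rather than aborting the whole test.
    """
    results = {}
    for name, (fn, msg, expected) in vectors.items():
        try:
            actual = fn(msg)
        except Exception as exc:            # algorithm not available or broken
            results[name] = f"error: {exc}"
            continue
        results[name] = "pass" if hmac.compare_digest(actual, expected) else "fail"
    return results


def power_up_self_test(vectors=KNOWN_ANSWERS):
    """True only if every algorithm passed; a single failure blocks FIPS operation."""
    return all(r == "pass" for r in run_known_answer_tests(vectors).values())
```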
To trigger a self-test:

Step 1. Enter system view.
  Command: system-view
Step 2. Trigger a self-test.
  Command: fips self-test

Displaying and maintaining FIPS

Execute display commands in any view.

Task: Display the FIPS mode state.
  Command: display fips status

FIPS configuration examples

Entering FIPS mode through automatic reboot

Network requirements

Use the automatic reboot method to enter FIPS mode, and use a console/AUX/Async port to log in to...
First login or password reset. For security reason, you need to change your password.
Please enter your password.
old password:
new password:
confirm:
Updating user information. Please wait ..…
<Sysname>
# Display the current FIPS mode state.
<Sysname> display fips status
FIPS mode is enabled.

# Enable FIPS mode, and choose the manual reboot method to enter FIPS mode.
[Sysname] fips mode enable
FIPS mode change requires a device reboot. Continue? [Y/N]:y
Reboot the device automatically? [Y/N]:n
Change the configuration to meet FIPS mode requirements, save the configuration to the next-startup configuration file, and then reboot to enter FIPS mode.

Use the automatic reboot method to exit FIPS mode.

Configuration procedure

# Disable FIPS mode.
[Sysname] undo fips mode enable
FIPS mode change requires a device reboot. Continue? [Y/N]:y
The system will create a new startup configuration file for non-FIPS mode and then reboot automatically.
# Reboot the device.
<Sysname> reboot

Verifying the configuration

After the device reboots, enter a username of test and a password of 12345zxcvb!@#$%ZXCVB to enter non-FIPS mode.
Press ENTER to get started.
login: test
Password:
Last successfully login time:… …
<Sysname>...
Document conventions and icons

Conventions

This section describes the conventions used in the documentation.

Port numbering in examples

The port numbers in this document are for illustration only and might be unavailable on your device.

Command conventions

Convention: Boldface
Description: Bold text represents commands and keywords that you enter literally as shown.

Network topology icons

The icons are images; their meanings are as follows:
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.

Support and other resources

Accessing Hewlett Packard Enterprise Support

• For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance
• To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc

Information to collect

•...
For more information and device support details, go to the following website: www.hpe.com/info/insightremotesupport/docs

Documentation feedback

Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.