HPE Moonshot 45Gc Security Configuration Manual

HPE Moonshot 45Gc/45XGc/180XGc Switch Module Security Configuration Guide
Part number: 859335-002
Software version: Release 242x
Document version: 6W100-20160201
Summary of Contents for HPE Moonshot 45Gc

  • Page 1 HPE Moonshot 45Gc/45XGc/180XGc Switch Module Security Configuration Guide Part number: 859335-002 Software version: Release 242x Document version: 6W100-20160201...
  • Page 2 © Copyright 2016 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table of Contents

    Contents (page numbers in parentheses are the guide's own pagination)
    Configuring AAA (1): Overview (1); RADIUS (2); HWTACACS (6); LDAP (9); AAA implementation on the device (11); AAA for MPLS L3VPNs (13); Protocols and standards (13) ...
  • Page 4 Authorization VLAN (72); Guest VLAN (74); Auth-Fail VLAN (75); Critical VLAN (76); Using 802.1X authentication with other features (78); ACL assignment (78); User profile assignment (79) ...
  • Page 5 Configuration prerequisites (106); Configuration task list (106); Enabling MAC authentication (107); Specifying a MAC authentication domain (107); Configuring the user account format (108); Setting MAC authentication timers (108) ...
  • Page 6 Displaying and maintaining portal (145); Portal configuration examples (146); Configuring direct portal authentication (146); Configuring re-DHCP portal authentication (153); Configuring cross-subnet portal authentication (157); Configuring extended direct portal authentication (159) ...
  • Page 7 Configuration procedure (213); Verifying the configuration (214); Managing public keys (216): Overview (216); FIPS compliance (216); Creating a local key pair (216); Distributing a local host public key (218) ...
  • Page 8 Configuring IPsec (258): Overview (258); Security protocols and encapsulation modes (258); Security association (260); Authentication and encryption (260); IPsec implementation (261); Protocols and standards (262); FIPS compliance ...
  • Page 9 Configuring IKEv2 (306): Overview (306); IKEv2 negotiation process (306); New features in IKEv2 (307); Protocols and standards (307); IKEv2 configuration task list (307); Configuring an IKEv2 profile (308) ...
  • Page 10 Specifying public key algorithms for SSH2 (345); Specifying encryption algorithms for SSH2 (345); Specifying MAC algorithms for SSH2 (346); Displaying and maintaining SSH (346); Stelnet configuration examples (346); Password authentication enabled Stelnet server configuration example (346) ...
  • Page 11 Configuration procedure (406); Displaying and maintaining source MAC-based ARP attack detection (406); Configuration example (406); Configuring ARP packet source MAC consistency check (407); Configuring ARP active acknowledgement (408); Configuring authorized ARP (408) ...
  • Page 12 Configuring FIPS mode (437): Entering FIPS mode (437); Configuration changes in FIPS mode (438); Exiting FIPS mode (439); FIPS self-tests (439): Power-up self-tests (440); Conditional self-tests (440) ...
  • Page 13 Verifying the configuration (473); Document conventions and icons (476): Conventions (476); Network topology icons (477); Support and other resources (478): Accessing Hewlett Packard Enterprise Support (478); Accessing updates (478) ...
  • Page 14: Configuring AAA

    Configuring AAA
    Overview
    Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. This feature specifies the following security functions:
    • Authentication—Identifies users and verifies their validity.
    • Authorization—Grants different users different rights, and controls the users' access to resources and services.
  • Page 15: RADIUS

    RADIUS Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. The protocol can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access.
  • Page 16 Basic RADIUS packet exchange process
    Figure 3 illustrates the interactions between a user host, the RADIUS client, and the RADIUS server.
    Figure 3 Basic RADIUS packet exchange process
    RADIUS uses the following workflow:
    1. The host sends a connection request that includes the user's username and password to the RADIUS client.
  • Page 17 Figure 4 RADIUS packet format
    Descriptions of the fields are as follows:
    • The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the main values and their meanings.
    Table 1 Main values of the Code field (columns: Code, Packet type, Description) ...
  • Page 18 Length—Length of the attribute in bytes, including the Type, Length, and Value subfields. Value—Value of the attribute. Its format and content depend on the Type subfield. Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868.
  • Page 19: HWTACACS

    Commonly used RADIUS attributes (table continued; attribute numbers as assigned in the RFCs cited above):
    33 Proxy-State; 34 Login-LAT-Service; 35 Login-LAT-Node; 36 Login-LAT-Group; 37 Framed-AppleTalk-Link; 38 Framed-AppleTalk-Network; 39 Framed-AppleTalk-Zone; 40 Acct-Status-Type; 41 Acct-Delay-Time; 42 Acct-Input-Octets; 43 Acct-Output-Octets; 44 Acct-Session-Id
    80 Message-Authenticator; 81 Tunnel-Private-Group-id; 82 Tunnel-Assignment-id; 83 Tunnel-Preference; 84 ARAP-Challenge-Response; 85 Acct-Interim-Interval; 86 Acct-Tunnel-Packets-Lost; 87 NAS-Port-Id; 88 Framed-Pool; 89 (unassigned); 90 Tunnel-Client-Auth-id; 91 Tunnel-Server-Auth-id
    Extended RADIUS attributes
    The RADIUS protocol features excellent extensibility. The Vendor-Specific attribute (attribute 26) allows a vendor to define extended attributes.
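The packet layout described on pages 17 through 19 (Code, Identifier, Length, Authenticator, then Type-Length-Value attributes, with vendor extensions carried inside attribute 26) and the role of the shared key that the key command configures later in this guide are easier to check in code. The following Python is an added example and not code from the HPE guide: it builds a constructed Access-Request, walks the attribute TLVs, decodes a Vendor-Specific attribute, and verifies both the Message-Authenticator (RFC 2869, HMAC-MD5 keyed with the shared key) and the Response Authenticator of an Access-Accept (RFC 2865). The shared key "expert" (the plaintext key the guide's own configuration example uses), the fixed Request Authenticator, the vendor ID 25506 and the vendor sub-attribute type 1 are constructed values for this example only.

```python
"""Parse and authenticate RADIUS packets laid out as in the guide's Figure 4.
Added example, not from the HPE guide; all inputs below are constructed."""
import hashlib
import hmac
import struct

# Main Code values (RFC 2865); the guide's Table 1 lists the same set.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}

ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_VENDOR_SPECIFIC = 26
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def build_attrs(attrs):
    """Encode (type, value) pairs as TLVs; Length counts the 2-byte header too."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def build_vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26) value: Vendor-Id(4) followed by a vendor sub-TLV."""
    return struct.pack("!I", vendor_id) + struct.pack("!BB", vendor_type, len(value) + 2) + value


def parse_attrs(data):
    """Walk the attribute region; a bad Length is an error, never a silent truncation."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def parse_vsa(value):
    """Split a Vendor-Specific value into (vendor_id, [(vendor_type, bytes), ...])."""
    if len(value) < 4:
        raise ValueError("VSA too short")
    return struct.unpack("!I", value[:4])[0], parse_attrs(value[4:])


def build_request(code, ident, request_auth, attrs, secret):
    """Message-Authenticator = HMAC-MD5(secret, packet with the attribute zeroed), RFC 2869 5.14."""
    body = build_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    pkt = struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + request_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # the zeroed field is the last 16 bytes; fill it in


def verify_message_authenticator(pkt, secret):
    """True only if the packet is well-formed and its Message-Authenticator matches."""
    if len(pkt) < HEADER_LEN or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    i = HEADER_LEN
    while i + 2 <= len(pkt):
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > len(pkt):
            return False
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = pkt[:i + 2] + b"\x00" * 16 + pkt[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[i + 2:i + 18])
        i += l
    return False  # attribute absent: treat the packet as unauthenticated


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret), RFC 2865."""
    body = build_attrs(attrs)
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body


def verify_response(resp, request_auth, secret):
    """Binds an Access-Accept/Reject to the request it answers and to the shared key."""
    if len(resp) < HEADER_LEN or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expected = hashlib.md5(resp[:4] + request_auth + resp[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:HEADER_LEN])


def demo():
    secret = b"expert"                       # constructed; same key as the guide's example
    request_auth = bytes(range(16))          # constructed; real clients pick 16 random bytes
    attrs = [(ATTR_USER_NAME, b"hello@bbb"),               # userid@isp-name, as the guide describes
             (ATTR_NAS_IP_ADDRESS, bytes([10, 1, 1, 2])),
             (ATTR_VENDOR_SPECIFIC, build_vsa(25506, 1, b"example"))]  # vendor ID/type assumed
    req = build_request(1, 7, request_auth, attrs, secret)
    tampered = req[:22] + b"X" + req[23:]    # flip the first byte of User-Name after signing
    accept = build_response(2, 7, request_auth, [], secret)
    spoofed = build_response(2, 7, request_auth, [], b"guess")  # forged without the key
    vendor_id, sub = parse_vsa(dict(parse_attrs(req[HEADER_LEN:]))[ATTR_VENDOR_SPECIFIC])
    return {"code": CODES[req[0]],
            "genuine_ok": verify_message_authenticator(req, secret),
            "wrong_key_ok": verify_message_authenticator(req, b"wrong"),
            "tampered_ok": verify_message_authenticator(tampered, secret),
            "accept_ok": verify_response(accept, request_auth, secret),
            "spoofed_ok": verify_response(spoofed, request_auth, secret),
            "vendor": (vendor_id, sub)}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows that a request signed with a different key, or altered after signing, fails verification, and that an Access-Accept forged without the shared key does not match the outstanding request. That is the property the shared-key configuration in this guide relies on: the key is the only thing that stops a host on the path from injecting its own Access-Accept, so a short or reused key undermines every check above.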
  • Page 20 HWTACACS typically provides AAA services for PPP, VPDN, and terminal users. In a typical HWTACACS scenario, terminal users need to log in to the NAS. Working as the HWTACACS client, the NAS sends users' usernames and passwords to the HWTACACS server for authentication. After passing authentication and obtaining authorized rights, a user logs in to the device and performs operations.
  • Page 21 Figure 6 Basic HWTACACS packet exchange process for a Telnet user (Host, HWTACACS client, HWTACACS server)
    1) The user tries to log in.
    2) Start-authentication packet.
    3) Authentication response requesting the username.
    4) Request for username.
    5) The user enters the username.
    6) Continue-authentication packet with the username.
    7) Authentication response requesting the password.
    8) Request for password ...
  • Page 22: LDAP

    10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that includes the login password.
    11. If the authentication succeeds, the HWTACACS server sends back an authentication response to indicate that the user has passed authentication.
    12.
  • Page 23 Uses the LDAP server administrator DN to bind with the LDAP server. After the binding is created, the client establishes a connection to the server and obtains the right to search. Constructs search conditions by using the username in the authentication information of a user. The specified root directory of the server is searched and a user DN list is generated.
  • Page 24: AAA implementation on the device

    After receiving the request, the LDAP server searches for the user DN by the base DN, search scope, and filtering conditions. If a match is found, the LDAP server sends a response to notify the LDAP client of the successful search. There might be one or more user DNs found. The LDAP client uses the obtained user DN and the entered user password as parameters to send a user DN bind request to the LDAP server.
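The three-step flow the guide describes (administrator bind, search for the user DN under the base DN, then bind with the user DN and the entered password) is shown below as an added Python example against an in-memory directory. It is not code from the HPE guide; the directory entries, DNs, passwords and the login attribute name are constructed. It also makes two checks explicit that a practitioner wants here: the username is escaped before it is placed in the search filter (RFC 4515), so a value such as "*" cannot turn the lookup into a presence match, and a search that returns more than one DN is treated as a failure rather than tried in turn (a stricter policy than the guide's text states, chosen for the example). The search base DN and scope mirror the search-base-dn and search-scope settings described later in this guide.

```python
"""Two-bind LDAP authentication (admin bind, user DN search, user bind) against a constructed
in-memory directory. Added example, not from the HPE guide; all entries and secrets are made up."""
import re

# Constructed directory: DN -> (attributes, password). The duplicate uid "bob" is deliberate.
DIRECTORY = {
    "cn=ldapadmin,dc=example,dc=com": ({"cn": "ldapadmin"}, "admin-secret"),
    "uid=aaa,ou=people,dc=example,dc=com": ({"uid": "aaa", "cn": "aaa"}, "ldap!123456"),
    "uid=bob,ou=people,dc=example,dc=com": ({"uid": "bob", "cn": "bob"}, "bob-pass"),
    "uid=bob,ou=contractors,dc=example,dc=com": ({"uid": "bob", "cn": "bob c"}, "other"),
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_simple_filter(filt):
    """Accept exactly one (attr=value) assertion; anything else is treated as malformed."""
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", filt)
    if not m:
        raise ValueError("unsupported or malformed filter: %r" % filt)
    return m.group(1).lower(), m.group(2)


def search(base_dn, scope, filt):
    """Return DNs matching filt under base_dn; scope is 'all-level' or 'single-level'."""
    attr, raw = parse_simple_filter(filt)
    presence = raw == "*"                 # an unescaped '*' matches every entry with the attribute
    want = unescape_filter_value(raw)
    base = base_dn.lower()
    hits = []
    for dn, (attrs, _pw) in DIRECTORY.items():
        parent = dn.lower().split(",", 1)[1]
        in_scope = parent == base if scope == "single-level" else dn.lower().endswith("," + base)
        if not in_scope or attr not in attrs:
            continue
        if presence or attrs[attr] == want:
            hits.append(dn)
    return hits


def bind(dn, password):
    """Simple bind. An empty password is refused: real servers treat it as an anonymous bind."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password != "" and entry[1] == password


def authenticate(username, password, base_dn="dc=example,dc=com", scope="all-level",
                 login_attr="uid", escape=True,
                 admin_dn="cn=ldapadmin,dc=example,dc=com", admin_pw="admin-secret"):
    """The guide's flow: admin bind, search for the user DN, then bind as that DN."""
    if not bind(admin_dn, admin_pw):
        return "admin-bind-failed"
    value = escape_filter_value(username) if escape else username
    try:
        dns = search(base_dn, scope, "(%s=%s)" % (login_attr, value))
    except ValueError:
        return "bad-filter"
    if not dns:
        return "no-such-user"
    if len(dns) > 1:
        return "ambiguous"                # more than one DN: refuse rather than guess
    return "ok" if bind(dns[0], password) else "bad-password"
```

Calling authenticate("bob", "bob-pass") fails as ambiguous with an all-level search from the directory root, and succeeds once the base DN is narrowed to ou=people with a single-level scope; this is why the search base DN and scope are security settings and not only performance ones. With escaping disabled, the username "*" matches every entry that has a uid, which is the failure mode the escaping exists to prevent.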
  • Page 25 AAA methods AAA supports configuring different authentication, authorization, and accounting methods for different types of users in an ISP domain. The NAS determines the ISP domain and access type of a user. The NAS also uses the methods configured for the access type in the domain to control the user's access.
  • Page 26: AAA for MPLS L3VPNs

    • Command accounting—When command authorization is disabled, command accounting enables the accounting server to record all valid commands executed on the device. When command authorization is enabled, command accounting enables the accounting server to record all authorized commands. For more information about command accounting, see Fundamentals Configuration Guide.
  • Page 27: RADIUS attributes

    Calling-Station-Id: User identification that the NAS sends to the server. For the LAN access service provided by an HPE device, this attribute includes the MAC address of the user in the format HHHH-HHHH-HHHH.
    NAS-Identifier: Identification that the NAS uses to identify itself to the RADIUS server.
  • Page 28 Attribute / Description (continued)
    Acct-Authentic: Authentication method used by the user. Possible values include: 1—RADIUS; 2—Local; 3—Remote.
    CHAP-Challenge: CHAP challenge generated by the NAS for MD5 calculation during CHAP authentication.
    Type of the physical port of the NAS that is authenticating the user. Possible values include: • ...
  • Page 29: FIPS compliance

    Subattribute / Description (continued)
    ... types, the Control_Identifier attribute does not take effect.
    Result_Code: Result of the Trigger-Request or SetPolicy operation, zero for success and any other value for failure.
    Connect_ID: Index of the user connection.
    Ftp_Directory: FTP, SFTP, or SCP user working directory. When the RADIUS client acts as the FTP, SFTP, or SCP server, this attribute is used to set the working directory for an FTP, SFTP, or SCP ...
  • Page 30: AAA configuration considerations and task list

    AAA configuration considerations and task list
    To configure AAA, complete the following tasks on the NAS:
    1. Configure the required AAA schemes.
    • Local authentication—Configure local users and the related attributes, including the usernames and passwords, for the users to be authenticated.
    • Remote authentication—Configure the required RADIUS, HWTACACS, and LDAP schemes.
  • Page 31: Configuring AAA schemes

    Tasks at a glance (continued): (Optional.) Configuring a NAS-ID profile
    Configuring AAA schemes
    This section includes information on configuring local users, RADIUS schemes, HWTACACS schemes, and LDAP schemes.
    Configuring local users
    To implement local authentication, authorization, and accounting, create local users and configure user attributes on the device.
  • Page 32 information about password management and global password configuration, see "Configuring password control." Local user configuration task list Tasks at a glance (Required.) Configuring local user attributes (Optional.) Configuring user group attributes (Optional.) Displaying and maintaining local users and local user groups Configuring local user attributes When you configure local user attributes, follow these guidelines: •...
  • Page 33 Step / Command / Remarks (continued)
    In non-FIPS mode: service-type { ftp | { http | https | ssh | telnet | terminal } * }. In FIPS mode: service-type { https | ssh | terminal } *.
    (Optional.) Place the local user in active or blocked state: state { active | block }. By default, a created local user is in active state and can request ...
  • Page 34 Step / Command / Remarks (continued)
    ... [ exceed { lock | lock-time time | unlock } ]
    10. (Optional.) Assign the local user to a user group: group group-name. By default, a local user belongs to the default user group system.
    Configuring user group attributes
    User groups simplify local user configuration and management.
  • Page 35: Configuring RADIUS schemes

    Displaying and maintaining local users and local user groups
    Execute display commands in any view.
    Display the local user configuration and online user statistics: display local-user [ class { manage | network } | idle-cut { disable | enable } | service-type { ftp | http | https | lan-access | portal | ssh | telnet | terminal } | state { active | block } | user-name user-name class ...
  • Page 36 • If the device receives a response from the server within the interval, it sets the server to the active state. • If the device does not receive any response from the server within the interval, it sets the server to the blocked state.
  • Page 37 becomes unavailable. The device searches for an active server in the order the secondary servers are configured. If redundancy is not required, specify only the primary server. A RADIUS authentication server can act as the primary authentication server for one scheme and a secondary authentication server for another scheme at the same time.
  • Page 38 number of currently served users for each active server, and then determines the most appropriate server in performance to receive an accounting request. The device sends a stop-accounting request to the accounting server in the following situations: • The device receives a connection teardown request from a host. •...
  • Page 39 Step / Command / Remarks
    Enter RADIUS scheme view: radius scheme radius-scheme-name
    Specify a shared key for secure RADIUS communication: key { accounting | authentication } { cipher | simple } string. By default, no shared key is specified. The shared key configured on the device must be the same as the one configured on the RADIUS server.
  • Page 40 Step / Command / Remarks (continued)
    ... system scheme, the ISP domain name is removed. For more information about the startup configuration, see Fundamentals Configuration Guide.
    (Optional.) Set the data flow and packet measurement units for traffic statistics: data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet ... By default, traffic is counted in bytes and packets.
  • Page 41 • When the quiet timer of a server expires or you manually set the server to the active state, the status of the server changes back to active. The device does not check the server again during the authentication or accounting process. •...
  • Page 42 Step / Command / Remarks (continued)
    ... * ] { active | block }
    Enabling the RADIUS server load sharing feature
    By default, the device communicates with RADIUS servers based on the server roles. It first attempts to communicate with the primary server, and, if the primary server is unavailable, it then searches for the secondary servers in the order they are configured.
  • Page 43 The source address of outgoing RADIUS packets is typically the IP address of an egress interface on the NAS to communicate with the RADIUS server. However, in some situations, you must change the source IP address. For example, when VRRP is configured for stateful failover, configure the virtual IP address of the uplink VRRP group as the source IP address.
  • Page 44 • When you configure the maximum number of RADIUS packet transmission attempts and the RADIUS server response timeout timer, consider the number of secondary servers. If the retransmission process takes too much time, the client connection in the access module (for example, Telnet) might time out during the process.
  • Page 45 The security policy server is the management and control center of the HPE EAD solution. To implement all EAD functions, configure both the IP address of the security policy server and that of the IMC Platform on the NAS. To configure the IP address of a security policy server for a scheme:...
  • Page 46: Configuring HWTACACS schemes

    To enable SNMP notifications for RADIUS:
    1. Enter system view: system-view
    2. Enable SNMP notifications for RADIUS: snmp-agent trap enable radius [ accounting-server-down | authentication-error-threshold | authentication-server-down | accounting-server-up | authentication-server-up ] *. By default, all types of SNMP notifications are enabled for RADIUS.
    Displaying and maintaining RADIUS ...
  • Page 47 Step / Command / Remarks (continued)
    Create an HWTACACS scheme and enter HWTACACS scheme view: hwtacacs scheme hwtacacs-scheme-name. By default, no HWTACACS scheme is defined.
    Specifying the HWTACACS authentication servers
    You can specify one primary authentication server and a maximum of 16 secondary authentication servers for an HWTACACS scheme. When the primary server is not available, the device searches for the secondary servers in the order they are configured.
  • Page 48 • Configure hostname-to-IP address mappings for the VPN instance by using the ip host or ipv6 host command. • Configure a DNS server for the VPN instance by using the dns server or ipv6 dns server command. For more information about these commands, see Layer 3—IP Services Command Reference. To specify HWTACACS authorization servers for an HWTACACS scheme: Step Command...
  • Page 49 Step / Command / Remarks (continued)
    ... hwtacacs-scheme-name
    • Specify the primary HWTACACS accounting server: primary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *. By default, no accounting server is specified. Two HWTACACS accounting ...
  • Page 50 Step / Command / Remarks (continued)
    ... network.
    Setting the username format and traffic statistics units
    A username is in the userid@isp-name format, where the isp-name argument represents the user's ISP domain name. By default, the ISP domain name is included in a username. If HWTACACS servers do not recognize usernames that contain ISP domain names, you can configure the device to send usernames without domain names to the servers.
  • Page 51 The source IP address specified in system view for the VPN or public network, depending on where the HWTACACS server resides. The IP address of the outbound interface specified by the route. To specify a source IP address for all HWTACACS schemes of a VPN or the public network: Step Command Remarks...
  • Page 52 Tries to communicate with the next secondary server in active state that has the highest priority. • The search process continues until the device finds an available secondary server or has checked all secondary servers in active state. If no server is available, the device considers the authentication, authorization, or accounting attempt a failure.
  • Page 53: Configuring LDAP schemes

    Configuring LDAP schemes
    Configuration task list
    Tasks at a glance
    Configuring an LDAP server:
    • (Required.) Creating an LDAP server
    • (Required.) Configuring the IP address of the LDAP server
    • (Optional.) Specifying the LDAP version
    • (Optional.) Setting the LDAP server timeout period
    • ...
  • Page 54 Setting the LDAP server timeout period If the device sends a bind or search request to an LDAP server without receiving the server's response within the server timeout period, the authentication or authorization request times out. Then, the device tries the backup authentication or authorization method. If no backup method is configured in the ISP domain, the device considers the authentication or authorization attempt a failure.
  • Page 55 To configure LDAP user attributes:
    1. Enter system view: system-view
    2. Enter LDAP server view: ldap server server-name
    3. Specify the user search base DN: search-base-dn base-dn. By default, no user search base DN is specified.
    4. (Optional.) Specify the user search scope: search-scope { all-level | ... By default, the user search scope ...
  • Page 56: Configuring AAA methods for ISP domains

    Display the configuration of LDAP schemes: display ldap scheme [ scheme-name ]
    Configuring AAA methods for ISP domains
    You configure AAA methods for an ISP domain by specifying configured AAA schemes in ISP domain view. Each ISP domain has a set of system-defined AAA methods, which are local authentication, local authorization, and local accounting.
  • Page 57: Configuring authentication methods for an ISP domain

    • Domain status—By placing the ISP domain in active or blocked state, you allow or deny network service requests from users in the domain.
    • Authorization attributes—The device assigns the authorization attributes in the ISP domain to the authenticated users who do not receive these attributes from the server. The device supports the following authorization attributes:
      Default authorization user profile—When a user passes authentication, it typically obtains an authorization user profile from the local or remote server.
  • Page 58: Configuring authorization methods for an ISP domain

    Configuration procedure
    To configure authentication methods for an ISP domain:
    1. Enter system view: system-view
    2. Enter ISP domain view: domain isp-name
    3. Specify the default authentication method: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] ... By default, the default authentication method is local.
  • Page 59: Configuring accounting methods for an ISP domain

    • To use a RADIUS scheme as the authorization method, specify the same RADIUS scheme that is configured as the authentication method for the ISP domain. If an invalid RADIUS scheme is specified as the authorization method, RADIUS authentication and authorization fail.
    Configuration procedure
    To configure authorization methods for an ISP domain: Step ...
  • Page 60: Enabling the session-control feature

    Configuration guidelines
    When configuring accounting methods, follow these guidelines:
    • FTP, SFTP, and SCP users do not support accounting.
    • Local accounting does not provide statistics for charging. It only counts and controls the number of concurrent users who use the same local user account. The threshold is configured by using the access-limit command.
  • Page 61: Configuring the RADIUS DAE server feature

    1. Enter system view: system-view
    2. Enable the session-control feature: radius session-control enable. By default, the session-control feature is disabled.
    Configuring the RADIUS DAE server feature
    Dynamic Authorization Extensions (DAE) to RADIUS, defined in RFC 5176, can log off online users or change their authorization information.
  • Page 62: Configuring a NAS-ID profile

    1. Enter system view: system-view
    2. Set the maximum number of concurrent login users. In non-FIPS mode: aaa session-limit { ftp | http | https | ssh | telnet } max-sessions. By default, the maximum number of concurrent login users is 32 for ...
  • Page 63: AAA configuration examples

    AAA configuration examples
    AAA for SSH users by an HWTACACS server
    Network requirements
    As shown in Figure 11, configure the switch to meet the following requirements:
    • Use the HWTACACS server for SSH user authentication, authorization, and accounting.
    • Assign the default user role network-operator to SSH users after they pass authentication.
    • ...
  • Page 64: Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users

    # Create ISP domain bbb and configure the domain to use the HWTACACS scheme for authentication, authorization, and accounting of login users.
    [Switch] domain bbb
    [Switch-isp-bbb] authentication login hwtacacs-scheme hwtac
    [Switch-isp-bbb] authorization login hwtacacs-scheme hwtac
    [Switch-isp-bbb] accounting login hwtacacs-scheme hwtac
    [Switch-isp-bbb] quit
    # Create local RSA and DSA key pairs.
  • Page 65 Figure 12 Network diagram Configuration procedure Configure the HWTACACS server. (Details not shown.) Configure the RADIUS server. (Details not shown.) Configure the switch: # Configure IP addresses for interfaces. (Details not shown.) # Create local RSA and DSA key pairs. <Switch>...
  • Page 66: Authentication And Authorization For Ssh Users By A Radius Server

    # Create ISP domain bbb and configure the login users to use local authentication, HWTACACS authorization, and RADIUS accounting. [Switch] domain bbb [Switch-isp-bbb] authentication login local [Switch-isp-bbb] authorization login hwtacacs-scheme hwtac [Switch-isp-bbb] accounting login radius-scheme rd [Switch-isp-bbb] quit # Enable the default user role feature to assign authenticated SSH users the default user role network-operator.
  • Page 67 # Add the switch to the IMC Platform as an access device. Log in to IMC, click the Service tab, and select User Access Manager > Access Device Management > Access Device from the navigation tree. Then, click Add to configure an access device as follows: a.
  • Page 68 Figure 15 Adding an account for device management Configure the switch: # Configure the IP address of VLAN-interface 2, through which the SSH user accesses the switch. <Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 [Switch-Vlan-interface2] quit # Configure the IP address of VLAN-interface 3, through which the switch communicates with the server.
  • Page 69: Authentication For Ssh Users By An Ldap Server

    # Create a RADIUS scheme. [Switch] radius scheme rad # Specify the primary authentication server. [Switch-radius-rad] primary authentication 10.1.1.1 1812 # Set the shared key for secure communication with the server to expert in plain text. [Switch-radius-rad] key authentication simple expert # Include domain names in the usernames sent to the RADIUS server.
  • Page 70 NOTE: This example assumes that the LDAP server runs Microsoft Windows 2003 Server Active Directory. # Add a user named aaa and set the password to ldap!123456. a. On the LDAP server, select Start > Control Panel > Administrative Tools. b.
  • Page 71 Figure 18 Setting the user password g. Click OK. # Add user aaa to group Users. h. From the navigation tree, click Users under the ldap.com node. i. In the right pane, right-click the user aaa and select Properties. j. In the dialog box, click the Member Of tab and click Add.
  • Page 72 Figure 19 Modifying user properties d. In the Select Groups dialog box, enter Users in the Enter the object names to select field, and click OK. User aaa is added to group Users. Figure 20 Adding user aaa to group Users # Set the administrator password to admin!123456.
  • Page 73 # Configure the IP address of VLAN-interface 2, through which the SSH user accesses the switch. <Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 24 [Switch-Vlan-interface2] quit # Configure the IP address of VLAN-interface 3, through which the switch communicates with the server.
  • Page 74: Troubleshooting Radius

    Verifying the configuration # Initiate an SSH connection to the switch, and enter the username aaa@bbb and password ldap!123456. The user logs in to the switch. (Details not shown.) # Verify that the user can use the commands permitted by the network-operator user role. (Details not shown.) Troubleshooting RADIUS RADIUS authentication failure...
  • Page 75: Radius Accounting Error

    Solution To resolve the problem: Check the following items: • The link between the NAS and the RADIUS server works well at both the physical and data link layers. • The IP address of the RADIUS server is correctly configured on the NAS. • The authentication and accounting UDP port numbers configured on the NAS are the same as those of the RADIUS server.
  • Page 76 • The administrator DN or password is not configured. • Some user attributes (for example, the username attribute) configured on the NAS are not consistent with those configured on the server. • No user search base DN is specified for the LDAP scheme. Solution To resolve the problem: Check the following items:...
  • Page 77: 802.1X Overview

    The port controls traffic by using one of the following methods: − Performs bidirectional traffic control to deny traffic to and from the client. − Performs unidirectional traffic control to deny traffic from the client. The HPE devices support only unidirectional traffic control.
  • Page 78: 802.1X-Related Protocols

    Figure 22 Authorization state of a controlled port 802.1X-related protocols 802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the access device, and the authentication server. EAP is an authentication framework that uses the client/server model. The framework supports a variety of authentication methods, including MD5-Challenge, EAP-Transport Layer Security (EAP-TLS), and Protected EAP (PEAP).
  • Page 79: Eap Over Radius

    • Data—Content of the EAP packet. This field appears only in a Request or Response EAP packet. The Data field contains the request type (or the response type) and the type data. Type 1 (Identity) and type 4 (MD5-Challenge) are two examples for the type field. EAPOL packet format Figure 24 shows the EAPOL packet format.
  • Page 80: 802.1X Authentication Initiation

    01-80-C2-00-00-03 or the broadcast MAC address. If any intermediate device between the client and the authentication server does not support the multicast address, you must use an 802.1X client that can send broadcast EAPOL-Start packets. For example, you can use the HPE iNode 802.1X client.
  • Page 81: 802.1X Authentication Procedures

    Packet exchange method: EAP termination. Benefits: Works with any RADIUS server that supports PAP or CHAP authentication. Limitations: Supports only the following EAP authentication methods: • MD5-Challenge EAP authentication. • The username and password EAP authentication initiated by an HPE iNode 802.1X client.
  • Page 82: Eap Relay

    Packet exchange method / Benefits / Limitations (table header) • The processing is complex on the access device.
    EAP relay
    Figure 29 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that EAP-MD5 is used.
    Figure 29 802.1X authentication procedure in EAP relay mode (figure: Client, Device, Authentication server)...
  • Page 83: Eap Termination

    challenge (EAP-Request/MD5-Challenge) to encrypt the password in the entry. Then, the server sends the challenge in a RADIUS Access-Challenge packet to the access device. The access device transmits the EAP-Request/MD5-Challenge packet to the client. The client uses the received challenge to encrypt the password, and sends the encrypted password in an EAP-Response/MD5-Challenge packet to the access device.
  • Page 84 Figure 30 802.1X authentication procedure in EAP termination mode In EAP termination mode, the access device rather than the authentication server generates an MD5 challenge for password encryption. The access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.
  • Page 85: Configuring 802.1X

    Configuring 802.1X This chapter describes how to configure 802.1X on an HPE device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network that requires different authentication methods for different users on a port.
  • Page 86 VLAN ID with suffix. The suffix can be t or u, which indicates whether the ports assigned to the VLAN are tagged members. For example, 2u indicates that the ports assigned to VLAN 2 are untagged members. NOTE: The access device converts VLAN names and VLAN group names into VLAN IDs before VLAN assignment.
  • Page 87: Guest Vlan

    Table 6 VLAN manipulation
    Port access control method: Port-based. VLAN manipulation: The device assigns the port to the first authenticated user's authorization VLAN. All subsequent 802.1X users can access the VLAN without authentication. If the port is assigned to the authorization VLAN as an untagged member, the authorization VLAN becomes the PVID.
  • Page 88: Auth-Fail Vlan

    (Authentication status / VLAN manipulation, continued) ...authentication. 802.1X users on this port can access only resources in the guest VLAN. If no 802.1X guest VLAN is configured, the access device does not perform any VLAN operation. If an 802.1X Auth-Fail VLAN (see "Auth-Fail VLAN") is available, the device assigns the Auth-Fail VLAN to the port as the PVID.
  • Page 89: Critical Vlan

    The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control method. • On a port that performs port-based access control: Authentication status: A user fails 802.1X authentication. VLAN manipulation: The device assigns the Auth-Fail VLAN to the port as the PVID. All 802.1X...
  • Page 90 The access device handles VLANs on an 802.1X-enabled port based on its 802.1X access control method. • On a port that performs port-based access control: Authentication status: A user that has not been assigned to any VLAN fails 802.1X authentication because all the RADIUS servers are unreachable. VLAN manipulation: The device assigns the critical VLAN to the port as the PVID. The 802.1X user and all subsequent 802.1X users on this port...
  • Page 91: Using 802.1X Authentication With Other Features

    (Authentication status / VLAN manipulation, continued) ...PVID. The device remaps the MAC address of the user to the authorization VLAN. Authentication status: A user in the 802.1X critical VLAN passes 802.1X authentication. VLAN manipulation: If the authentication server (either the local access device or a RADIUS server) does not authorize a VLAN to the user, the device remaps the MAC address of the user to the initial PVID on the port.
  • Page 92: User Profile Assignment

    User profile assignment You can specify a user profile for an 802.1X user to control the user's access to network resources. After the user passes 802.1X authentication, the authentication server assigns the user profile to the user for filtering traffic. The authentication server can be the local access device or a RADIUS server. In either case, you must configure the user profile on the access device.
  • Page 93: 802.1X Configuration Task List

    802.1X configuration task list Tasks at a glance (Required.) Enabling 802.1X (Required.) Enabling EAP relay or EAP termination (Optional.) Setting the port authorization state (Optional.) Specifying an access control method (Optional.) Setting the maximum number of concurrent 802.1X users on a port (Optional.) Setting the maximum number of authentication request attempts (Optional.)
  • Page 94: Enabling Eap Relay Or Eap Termination

    The client is using only MD5-Challenge EAP authentication. • The client is using only the username and password EAP authentication initiated by an HPE iNode 802.1X client. To use EAP-TLS, PEAP, or any other EAP authentication methods, you must use EAP relay. When you make your decision, see "Comparing EAP relay and EAP...
  • Page 95: Specifying An Access Control Method

    (Step / Command / Remarks, continued) ...interface view. interface-number
    Step: Set the port authorization state. Command: dot1x port-control { authorized-force | auto | unauthorized-force }. Remarks: By default, the auto state applies.
    Specifying an access control method
    Step: Enter system view. Command: system-view.
    Step: Enter Layer 2 Ethernet interface view. Command: interface interface-type
  • Page 96: Setting The 802.1X Authentication Timeout Timers

    Setting the 802.1X authentication timeout timers The network device uses the following 802.1X authentication timeout timers: • Client timeout timer—Starts when the access device sends an EAP-Request/MD5-Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.
  • Page 97: Configuration Procedure

    • If the network has 802.1X clients that cannot exchange handshake packets with the access device, disable the online user handshake feature. This operation prevents the 802.1X connections from being incorrectly torn down. • Enable the online user handshake reply feature only if 802.1X clients will go offline without receiving EAP-Success packets from the device.
  • Page 98: Specifying A Mandatory Authentication Domain On A Port

    Step: (Optional.) Set the username request timeout timer. Command: dot1x timer tx-period tx-period-value. Remarks: The default is 30 seconds.
    Step: Enter Layer 2 Ethernet interface view. Command: interface interface-type interface-number.
    Step: Enable an authentication trigger. Command: dot1x { multicast-trigger | ... Remarks: By default, the multicast trigger is enabled, and the unicast trigger is...
  • Page 99: Enabling The Periodic Online User Reauthentication Feature

    Enabling the periodic online user reauthentication feature Periodic online user reauthentication tracks the connection status of online users, and updates the authorization attributes assigned by the server. The attributes include the ACL, VLAN, and user profile-based QoS. The reauthentication interval is user configurable. The server-assigned RADIUS Session-Timeout (attribute 27) and Termination-Action (attribute 29) attributes can affect the periodic online user reauthentication feature.
  • Page 100: Configuration Prerequisites

    • Assign different IDs to the voice VLAN, the port VLAN, and the 802.1X guest VLAN on a port. The assignment makes sure the port can correctly process incoming VLAN-tagged traffic. • When you configure multiple security features on a port, follow the guidelines in Table 7. Table 7 Relationships of the 802.1X guest VLAN and other security features Feature...
  • Page 101: Configuring An 802.1X Auth-Fail Vlan

    • Unicast trigger is enabled. With this feature enabled, when a port receives a packet from an unknown MAC address, the device performs the following operations: Sends a unicast EAP-Request/Identity packet to the MAC address. Retransmits the packet if no response has been received within the username request timeout interval set by using the dot1x timer tx-period command.
  • Page 102: Configuration Prerequisites

    Configuration prerequisites Before you configure an 802.1X Auth-Fail VLAN, complete the following tasks: • Create the VLAN to be specified as the 802.1X Auth-Fail VLAN. • If the 802.1X-enabled port performs MAC-based access control, perform the following operations for the port: Configure the port as a hybrid port.
  • Page 103: Configuration Procedure

    • If the 802.1X-enabled port performs MAC-based access control, perform the following operations for the port: Configure the port as a hybrid port. Enable MAC-based VLAN on the port. For more information about the MAC-based VLAN feature, see Layer 2—LAN Switching Configuration Guide. Assign the port to the 802.1X critical VLAN as an untagged member.
  • Page 104: Configuration Procedure

    Configuration procedure To enable the 802.1X critical voice VLAN feature on a port:
    Step: Enter system view. Command: system-view.
    Step: Enter Layer 2 Ethernet interface view. Command: interface interface-type interface-number.
    Step: Enable the 802.1X critical voice VLAN feature on a port. Command: dot1x critical-voice-vlan. Remarks: By default, the 802.1X critical voice VLAN feature is disabled on...
  • Page 105: Configuring The Ead Assistant Feature

    If a username string contains none of the delimiters, the access device authenticates the user in the mandatory or default ISP domain. To specify a set of domain name delimiters:
    Step: Enter system view. Command: system-view.
    Step: Specify a set of domain name delimiters for 802.1X... Command: dot1x domain-delimiter string. Remarks: By default, only the at sign (@)...
  • Page 106: Displaying And Maintaining 802.1X

    Displaying and maintaining 802.1X Execute display commands in any view and reset commands in user view.
    Task: Display 802.1X session information, statistics, or configuration information of specified or all ports. Command: display dot1x [ sessions | statistics ] [ interface interface-type interface-number ]
    Task: Display online 802.1X user information. Command: display dot1x connection [ interface interface-type...
  • Page 107 Configuration procedure Configure the 802.1X client. If HPE iNode is used, do not select the Carry version info option in the client configuration. (Details not shown.) Configure the RADIUS servers and add user accounts for the 802.1X users. (Details not shown.)
  • Page 108: Guest Vlan And Authorization Vlan Configuration Example

    Configure 802.1X: # Enable 802.1X on FortyGigE 1/1/1. [Device] interface fortygige 1/1/1 [Device-FortyGigE1/1/1] dot1x # Enable MAC-based access control on the port. By default, the port uses MAC-based access control. [Device-FortyGigE1/1/1] dot1x port-method macbased # Specify ISP domain bbb as the mandatory domain. [Device-FortyGigE1/1/1] dot1x mandatory-domain bbb [Device-FortyGigE1/1/1] quit # Enable 802.1X globally.
  • Page 109 Figure 32 Network diagram (figure: Update server, Authentication server, Device, Host, Internet; VLANs 1, 2, 5, and 10; ports FGE1/0/1 through FGE1/0/4; panels show the port added to the guest VLAN)...
  • Page 110 [Device-radius-2000] primary authentication 10.11.1.1 1812 # Specify the server at 10.11.1.1 as the primary accounting server, and set the accounting port to 1813. [Device-radius-2000] primary accounting 10.11.1.1 1813 # Set the shared key to abc in plain text for secure communication between the authentication server and the device.
  • Page 111: 802.1X With Acl Assignment Configuration Example

    802.1X with ACL assignment configuration example Network requirements As shown in Figure 33, the host that connects to FortyGigE 1/1/1 must pass 802.1X authentication to access the Internet. Perform 802.1X authentication on FortyGigE 1/1/1. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server, and the RADIUS server at 10.1.1.2 as the accounting server.
  • Page 112: 802.1X With Ead Assistant Configuration Example

    [Device-radius-2000] user-name-format without-domain [Device-radius-2000] quit Configure an ISP domain: # Create ISP domain bbb and enter ISP domain view. [Device] domain bbb # Apply RADIUS scheme 2000 to the ISP domain for authentication, authorization, and accounting. [Device-isp-bbb] authentication lan-access radius-scheme 2000 [Device-isp-bbb] authorization lan-access radius-scheme 2000 [Device-isp-bbb] accounting lan-access radius-scheme 2000 [Device-isp-bbb] quit...
  • Page 113 • The hosts use DHCP to obtain IP addresses. • A DHCP server and a Web server are deployed on the 192.168.2.0/24 subnet for users to obtain IP addresses and download client software. Deploy an EAD solution for the intranet to meet the following requirements: •...
  • Page 114 [Device-radius-2000] primary authentication 10.1.1.1 1812 # Specify the server at 10.1.1.2 as the primary accounting server, and set the accounting port to 1813. [Device-radius-2000] primary accounting 10.1.1.2 1813 # Set the shared key to abc in plain text for secure communication between the authentication server and the device.
  • Page 115: Troubleshooting 802.1X

    Ping statistics for 192.168.2.3: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms The output shows that you can access the free IP subnet before passing 802.1X authentication. # Verify that you are redirected to the Web server when you enter in your Web browser an IP address not on the free IP.
  • Page 116: Configuring Mac Authentication

    Configuring MAC authentication Overview MAC authentication controls network access by authenticating source MAC addresses on a port. The feature does not require client software, and users do not have to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication-enabled port.
  • Page 117 Authorization VLAN You can specify the authorization VLAN for a MAC authentication user to control access to authorized network resources. The authorization VLAN of a MAC authentication user can be specified on the device or be assigned by a remote server. •...
  • Page 118: Acl Assignment

    (Authentication status / VLAN manipulation, continued) ...authentication for any other reason than server unreachable. Authentication status: A user in the MAC authentication guest VLAN passes MAC authentication. VLAN manipulation: The device remaps the MAC address of the user to the authorization VLAN assigned by the authentication server. If no authorization VLAN is configured for the user on the authentication...
  • Page 119: User Profile Assignment

    User profile assignment You can specify a user profile in the user account for a MAC authentication user to control the user's access to network resources. After the user passes MAC authentication, the authentication server assigns the user profile to the user to filter traffic for this user. The authentication server can be the local access device or a RADIUS server.
  • Page 120: Enabling Mac Authentication

    Tasks at a glance (Optional.) Setting MAC authentication timers (Optional.) Enabling MAC authentication offline detection (Optional.) Setting the maximum number of concurrent MAC authentication users on a port (Optional.) Enabling MAC authentication multi-VLAN mode on a port (Optional.) Configuring MAC authentication delay (Optional.) Enabling parallel processing of MAC authentication and 802.1X authentication (Optional.)
  • Page 121: Configuring The User Account Format

    MAC authentication chooses an authentication domain for users on a port in this order: the port-specific domain, the global domain, and the default domain. For more information about authentication domains, see "Configuring AAA." To specify an authentication domain for MAC authentication users: Step Command Remarks...
  • Page 122: Enabling Mac Authentication Offline Detection

    To set MAC authentication timers:
    Step: Enter system view. Command: system-view.
    Step: Set MAC authentication timers. Command: mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }. Remarks: By default, the offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100 seconds.
  • Page 123: Enabling Mac Authentication Multi-Vlan Mode On A Port

    Enabling MAC authentication multi-VLAN mode on a port The MAC authentication multi-VLAN mode prevents an authenticated online user from service interruption caused by VLAN changes on a port. When the port receives a packet sourced from the user in a VLAN not matching the existing MAC-VLAN mapping, the device neither logs off the user nor reauthenticates the user.
  • Page 124: Enabling Parallel Processing Of Mac Authentication And 802.1X Authentication

    Enabling parallel processing of MAC authentication and 802.1X authentication This feature enables a port that processes MAC authentication after 802.1X authentication is finished to process MAC authentication in parallel with 802.1X authentication. When the port receives a packet from an unknown MAC address, it sends a unicast EAP-Request/Identity packet to the MAC address.
  • Page 125: Configuring A Mac Authentication Guest Vlan

    Configuring a MAC authentication guest VLAN You must configure the MAC authentication guest VLAN on a hybrid port. Before you configure the MAC authentication guest VLAN on a hybrid port, complete the following tasks: • Enable MAC authentication globally and on the port. •...
  • Page 126: Enabling The Mac Authentication Critical Voice Vlan

    • Configure the VLAN as an untagged member on the port. When you configure the MAC authentication critical VLAN on a port, follow the guidelines in Table 13. Table 13 Relationships of the MAC authentication critical VLAN with other security features Feature Relationship description Reference...
  • Page 127: Configuration Procedure

    IP-MAC mapping of the user. If a match is found, the IMC server verifies the user as valid. If no match is found, the user fails the MAC authentication. For information about IMC user IP-MAC bindings, see HPE IMC User Access Manager Administrator Guide. When you configure this feature, follow these guidelines and restrictions: •...
  • Page 128: Displaying And Maintaining Mac Authentication

    • Do not configure this feature together with the MAC authentication guest VLAN on a port. If both features are configured, users in the MAC authentication guest VLAN cannot perform a new round of authentication. To include user IP addresses in MAC authentication requests: Step Command Remarks...
  • Page 129 • Use the MAC address of each user as the username and password for authentication. A MAC address is in the hexadecimal notation with hyphens, and letters are in lower case. Figure 35 Network diagram Configuration procedure # Add a network access local user. In this example, configure both the username and password as Host A's MAC address 00-e0-fc-12-34-56.
  • Page 130: Radius-Based Mac Authentication Configuration Example

    Password : Not configured
    Offline detect period : 180 s
    Quiet period : 180 s
    Server timeout : 100 s
    Authentication domain : bbb
    Max MAC-auth users : 4294967295 per slot
    Online MAC-auth users
    Silent MAC users:
    MAC address VLAN ID From port Port index
    00e0-fc11-1111...
  • Page 131 Figure 36 Network diagram Configuration procedure Make sure the RADIUS server and the access device can reach each other. (Details not shown.) Configure the RADIUS servers: # Create a shared account for MAC authentication users. (Details not shown.) # Set the username aaa and password 123456 for the account. (Details not shown.) Configure RADIUS-based MAC authentication on the device: # Configure a RADIUS scheme.
  • Page 132: Acl Assignment Configuration Example

    [Device] mac-authentication
    Verifying the configuration
    # Verify the MAC authentication configuration.
    [Device] display mac-authentication
    Global MAC authentication parameters:
    MAC authentication : Enabled
    Username format : Fixed account
    Username : aaa
    Password : ******
    Offline detect period : 180 s
    Quiet period : 180 s
    Server timeout : 100 s...
  • Page 133 Figure 37 Network diagram Configuration procedure Make sure the RADIUS servers and the access device can reach each other. Configure ACL 3000 to deny packets destined for 10.0.0.1. <Device> system-view [Device] acl number 3000 [Device-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0 [Device-acl-adv-3000] quit Configure RADIUS-based MAC authentication on the device: # Configure a RADIUS scheme.
  • Page 134 Configure the RADIUS servers: # Add a user account with 00-e0-fc-12-34-56 as both the username and password on each RADIUS server. (Details not shown.) # Authorize ACL 3000 to the user account. (Details not shown.) Verifying the configuration # Verify the MAC authentication configuration. [Device] display mac-authentication Global MAC authentication parameters: MAC authentication...
  • Page 135 Request timed out. Ping statistics for 10.0.0.1: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), The output shows that ACL 3000 has been assigned to port FortyGigE 1/1/1 to deny access to the FTP server.
  • Page 136: Configuring Portal Authentication

    Users can access more Internet resources after passing security check. Security check must cooperate with the HPE IMC security policy server and the iNode client. Portal system components A typical portal system consists of these basic components: authentication client, access device,...
  • Page 137 Figure 38 Portal system components (figure: Authentication clients, Access device, Portal authentication server, Portal Web server, AAA server, Security policy server) An authentication client is a Web browser that runs HTTP/HTTPS or a user host that runs a portal client application.
  • Page 138: Portal System Using The Local Portal Web Server

    Web browser. When receiving the HTTP request, the access device redirects it to the Web authentication page provided by the portal Web server. The user can also visit the authentication website to log in. The user must log in through the HPE iNode client for extended portal functions.
  • Page 139: Portal Authentication Modes

    HPE iNode client. NOTE: Portal authentication supports NAT traversal whether it is initiated by a Web client or an HPE iNode client. When the portal authentication client is on a private network and the portal authentication server is on a public network, NAT on the access device does not affect portal authentication.
  • Page 140 Direct authentication/cross-subnet authentication process (with CHAP/PAP authentication) Figure 40 Direct authentication/cross-subnet authentication process (figure: Authentication client, Access device, Portal authentication server, Portal Web server, AAA server, Security policy server; steps: 1) Initiate a connection, 2) User information, 3) CHAP authentication, 4) Authentication request, 5) RADIUS authentication, Timer...)
  • Page 141: Portal Configuration Task List

    Re-DHCP authentication process (with CHAP/PAP authentication) Figure 41 Re-DHCP authentication process The re-DHCP authentication process is as follows: Step 1 through step 7 are the same as those in the direct authentication/cross-subnet authentication process. After receiving the authentication success packet, the client obtains a public IP address through DHCP.
  • Page 142: Configuration Prerequisites

    Tasks at a glance (Required.) Configuring a portal Web server (Required.) Enabling portal authentication on an interface (Required.) Referencing a portal Web server for an interface (Optional.) Controlling portal user access • Configuring a portal-free rule • Configuring an authentication source subnet •...
  • Page 143: Configuring A Portal Authentication Server

    Configuring a portal authentication server Configure this feature when user authentication uses an external portal authentication server. Perform this task to configure the following portal authentication server parameters: • IP address of the portal authentication server • VPN instance of the portal authentication server •...
  • Page 144: Enabling Portal Authentication On An Interface

    Step: Specify the VPN instance to which the portal Web server belongs. Command: vpn-instance vpn-instance-name. Remarks: By default, the portal Web server belongs to the public network.
    Step: Specify the URL of the portal Web server. Command: url url-string. Remarks: By default, no URL is specified.
  • Page 145: Referencing A Portal Web Server For An Interface

    (Step / Command / Remarks, continued) ...layer3 | redhcp } ...authentication, or both on the interface. • To enable IPv6 portal authentication: portal ipv6 enable method { direct | layer3 }
    Referencing a portal Web server for an interface
    After you reference a portal Web server for an interface, the device redirects the HTTP requests of the portal users on the interface to the portal Web server.
  • Page 146: Configuring An Authentication Source Subnet

    Step: Configure an IPv4-based portal-free rule. Command: portal free-rule rule-number { destination ip { ip-address { mask-length | mask } | any } [ tcp tcp-port-number | udp udp-port-number ] | source ip... Remarks: By default, no IPv4-based portal-free rule exists.
  • Page 147: Configuring An Authentication Destination Subnet

    In re-DHCP mode, the access device regards the authentication source subnet on an interface as the subnet to which the private IP address of the interface belongs. • If both authentication source subnets and destination subnets are configured on an interface, only the authentication destination subnets take effect.
  • Page 148: Setting The Maximum Number Of Portal Users

    To configure an IPv6 portal authentication destination subnet:
    Step: Enter system view. Command: system-view.
    Step: Enter interface view. Command: interface interface-type interface-number.
    Step: Configure an IPv6 portal authentication destination subnet. Command: portal ipv6 free-all except destination ipv6-network-address prefix-length. Remarks: By default, no IPv6 portal authentication destination subnet is configured, and users accessing...
  • Page 149: Enabling Outgoing Packets Filtering On A Portal-Enabled Interface

    Step: Specify an IPv4 portal authentication domain. | Command: portal domain domain-name | Remarks: By default, no ISP domain is specified for IPv4 portal users on the interface.
    To specify an IPv6 portal authentication domain:
    Step: Enter system view. | Command: system-view
    Step: Enter interface view. | Command: interface interface-type ...
  • Page 150: Configuring Portal Authentication Server Detection

    If the device receives a reply within the maximum number of detection attempts, it considers that the user is online and stops sending detection packets. Then the device resets the idle timer and repeats the detection process when the timer expires. If the device receives no reply after the maximum number of detection attempts, the device logs out the user.
  • Page 151: Configuring Portal Web Server Detection

    You can configure the device to take the following actions when the server reachability status changes: • Sending a trap message to the NMS. The trap message contains the name and current state of the portal authentication server. • Sending a log message, which contains the name, the current state, and the original state of the portal authentication server.
  • Page 152: Configuring Portal User Synchronization

    • Enabling portal fail-permit. When the portal Web server is unreachable, the portal fail-permit feature on an interface allows users on the interface to have network access. When the server recovers, it resumes portal authentication on the interface. For more information, see "Configuring the portal fail-permit feature."...
  • Page 153: Configuring The Portal Fail-Permit Feature

    Configuring the portal fail-permit feature Perform this task to configure the portal fail-permit feature on an interface. When the access device detects that the portal authentication server or portal Web server is unreachable, it allows users on the interface to have network access without portal authentication. If you enable fail-permit for both a portal authentication server and a portal Web server on an interface, the interface does the following: •...
  • Page 154: Applying A Nas-Id Profile To An Interface

    Step: Enter system view. | Command: system-view
    Step: Enter interface view. | Command: interface interface-type interface-number
    Step: Configure BAS-IP for IPv4 portal packets sent to the portal authentication server. | Command: portal bas-ip ipv4-address | Remarks: By default, the BAS-IP attribute of an IPv4 portal response packet sent to the portal authentication server is the source IPv4 address of the packet, and that of...
  • Page 155: Enabling Portal Roaming

    Enabling portal roaming Portal roaming takes effect only on portal users logging in from VLAN interfaces. If portal roaming is enabled on a VLAN interface, an online portal user can access resources from any Layer 2 port in the VLAN without re-authentication. If portal roaming is disabled, to access external network resources from a Layer 2 port different from the current access port in the VLAN, the user must do the following: •...
  • Page 156: Customizing Authentication Pages

    Customizing authentication pages Authentication pages are HTML files. Local portal authentication requires the following authentication pages: • Logon page • Logon success page • Logon failure page • Online page • System busy page • Logoff success page You must customize the authentication pages, including the page elements that the authentication pages will use, for example, back.jpg for authentication page Logon.htm.
  • Page 157 Authentication pages logon.htm and logonFail.htm must contain the logon Post request. The following example shows part of the script in page logon.htm.
    <form action=logon.cgi method = post >
    <p>User name:<input type="text" name = "PtUser" style="width:160px;height:22px" maxlength=64>
    <p>Password :<input type="password" name = "PtPwd" style="width:160px;height:22px" maxlength=32>...
  • Page 158: Configuring A Local Portal Web Server

    </html> Configuring a local portal Web server Perform the following tasks for the local portal Web server to support HTTPS: • Configure a PKI policy, obtain the CA certificate, and request a local certificate. For more information, see "Configuring PKI." •...
  • Page 159: Portal Configuration Examples

    Portal configuration examples Configuring direct portal authentication Network requirements As shown in Figure 42, the host is directly connected to the switch (the access device). The host is assigned a public IP address either manually or through DHCP. A portal server acts as both a portal authentication server portal...
  • Page 160 Figure 43 Portal authentication server configuration Configure the IP address group: a. Select Access Service > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. b. Click Add to open the page as shown in Figure c.
  • Page 161 g. Set whether to support the portal server heartbeat and user heartbeat functions. In this example, select No for both Support Server Heartbeat and Support User Heartbeat. h. Click OK. Figure 45 Adding a portal device Associate the portal device with the IP address group: a.
  • Page 162 The IP address used by the user to access the network must be within this IP address group. e. Click OK. Select Access Service > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations. Configuring the portal authentication server on IMC PLAT 5.0 This example assumes that the portal server runs on IMC PLAT 5.0(E0101) and IMC UAM 5.0(E0101).
  • Page 163 Figure 49 Adding an IP address group Add a portal device: a. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. b. Click Add to open the page as shown in Figure c.
  • Page 164 b. Click Add to open the page as shown in Figure c. Enter the port group name. d. Select the configured IP address group. The IP address used by the user to access the network must be within this IP address group.
  • Page 165 # Enable RADIUS session control. [Switch] radius session-control enable Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Switch] domain dm1 # Configure AAA methods for the ISP domain. [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1 [Switch-isp-dm1] quit...
  • Page 166: Configuring Re-Dhcp Portal Authentication

    Server name Action Layer3 source network: IP address Prefix length Destination authenticate subnet: IP address Prefix length A user can perform portal authentication by using the HPE iNode client or a Web browser. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal, and all Web requests will be redirected to the authentication page.
  • Page 167 Figure 53 Network diagram Portal Server 192.168.0.111/24 Vlan-int100 20.20.20.1/24 Vlan-int2 10.0.0.1/24 sub 192.168.0.100/24 DHCP server Host Switch 192.168.0.112/24 automatically obtains an IP address RADIUS server 192.168.0.113/24 Configuration prerequisites and guidelines • Configure IP addresses for the switch and servers as shown in Figure 53 and make sure the host, switch, and servers can reach each other.
  • Page 168 [Switch] radius session-control enable Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Switch] domain dm1 # Configure AAA methods for the ISP domain. [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1 [Switch-isp-dm1] quit # Configure domain dm1 as the default ISP domain.
  • Page 169 Server name Action Layer3 source network: IP address Prefix length Destination authenticate subnet: IP address Prefix length A user can perform portal authentication by using the HPE iNode client or a Web browser. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal, and all Web requests will be redirected to the authentication page.
  • Page 170: Configuring Cross-Subnet Portal Authentication

    Configuring cross-subnet portal authentication Network requirements As shown in Figure 54, Switch A supports portal authentication. The host accesses Switch A through Switch B. A portal server acts as both a portal authentication server and a portal Web server. A RADIUS server acts as the authentication/accounting server.
  • Page 171 # Create an ISP domain named dm1 and enter its view. [SwitchA] domain dm1 # Configure AAA methods for the ISP domain. [SwitchA-isp-dm1] authentication portal radius-scheme rs1 [SwitchA-isp-dm1] authorization portal radius-scheme rs1 [SwitchA-isp-dm1] accounting portal radius-scheme rs1 [SwitchA-isp-dm1] quit # Configure domain dm1 as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.
  • Page 172: Configuring Extended Direct Portal Authentication

    Server name Action Layer3 source network: IP address Prefix length Destination authenticate subnet: IP address Prefix length A user can perform portal authentication by using the HPE iNode client or a Web browser. Before passing authentication, the user can access only the authentication page http://192.168.0.111:8080/portal, and all Web requests will be redirected to the authentication page.
  • Page 173 Figure 55 Network diagram Configuration prerequisites • Configure IP addresses for the host, switch, and servers as shown in Figure 55 and make sure they can reach each other. • Configure the RADIUS server properly to provide authentication and accounting functions. Configuration procedure Perform the following tasks on the switch.
  • Page 174 [Switch] domain default enable dm1 Configure ACL 3000 as the isolation ACL and ACL 3001 as the security ACL: [Switch] acl number 3000 [Switch-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255 [Switch-acl-adv-3000] rule deny ip [Switch-acl-adv-3000] quit [Switch] acl number 3001 [Switch-acl-adv-3001] rule permit ip [Switch-acl-adv-3001] quit NOTE:...
  • Page 175: Configuring Extended Re-Dhcp Portal Authentication

    Destination authenticate subnet: IP address Prefix length Before a user performs portal authentication by using the HPE iNode client, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests the user initiates will be redirected to the authentication page.
  • Page 176 Figure 56 Network diagram Configuration prerequisites and guidelines • Configure IP addresses for the switch and servers as shown in Figure 56 and make sure the host, switch, and servers can reach each other. • Configure the RADIUS server properly to provide authentication and accounting functions. •...
  • Page 177 [Switch-radius-rs1] security-policy-server 192.168.0.114 [Switch-radius-rs1] quit # Enable RADIUS session control. [Switch] radius session-control enable Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Switch] domain dm1 # Configure AAA methods for the ISP domain. [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1...
  • Page 178 [Switch] portal web-server newpt [Switch-portal-websvr-newpt] url http://192.168.0.111:8080/portal [Switch-portal-websvr-newpt] quit # Enable re-DHCP portal authentication on VLAN-interface 100. [Switch] interface vlan-interface 100 [Switch-Vlan-interface100] portal enable method redhcp # Reference the portal Web server newpt on VLAN-interface 100. [Switch-Vlan-interface100] portal apply web-server newpt # Configure the BAS-IP as 20.20.20.1 for portal packets sent from VLAN-interface 100 to the portal authentication server.
  • Page 179: Configuring Extended Cross-Subnet Portal Authentication

    Before a user performs portal authentication by using the HPE iNode client, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests the user initiates will be redirected to the authentication page. • If the user passes the authentication but fails the security check, the user can access only the resources that match ACL 3000.
  • Page 180 • Make sure the IP address of the portal device added on the portal server is the IP address (20.20.20.1) of the switch's interface connecting the host. The IP address group associated with the portal device is the subnet of the host (8.8.8.0/24). Configuration procedure Perform the following tasks on Switch A.
  • Page 181 [SwitchA] portal server newpt [SwitchA-portal-server-newpt] ip 192.168.0.111 key simple portal [SwitchA-portal-server-newpt] port 50100 [SwitchA-portal-server-newpt] quit # Configure a portal Web server. [SwitchA] portal web-server newpt [SwitchA-portal-websvr-newpt] url http://192.168.0.111:8080/portal [SwitchA-portal-websvr-newpt] quit # Enable cross-subnet portal authentication on VLAN-interface 4. [SwitchA] interface vlan-interface 4 [SwitchA-Vlan-interface4] portal enable method layer3 # Reference the portal Web server newpt on VLAN-interface 4.
  • Page 182: Configuring Portal Server Detection And Portal User Synchronization

    Destination authenticate subnet: IP address Prefix length Before a user performs portal authentication by using the HPE iNode client, the user can access only the authentication page http://192.168.0.111:8080/portal. All Web requests the user initiates will be redirected to the authentication page.
  • Page 183 Figure 58 Network diagram Configuration prerequisites and guidelines • Configure IP addresses for the switch and servers as shown in Figure 58 and make sure the host, switch, and servers can reach each other. • Configure the RADIUS server properly to provide authentication and accounting functions. •...
  • Page 184 Figure 59 Portal authentication server configuration Configure the IP address group: a. Select Access Service > Portal Service Management > IP Group from the navigation tree to enter the portal IP address group configuration page. b. Click Add to open the page as shown in Figure c.
  • Page 185 g. Set whether to support the portal server heartbeat and user heartbeat functions. In this example, select Yes for both Support Server Heartbeat and Support User Heartbeat. h. Click OK. Figure 61 Adding a portal device Associate the portal device with the IP address group: a.
  • Page 186 The IP address used by the user to access the network must be within this IP address group. e. Use default values for other parameters. f. Click OK. Select Access Service > Service Parameters > Validate System Configuration from the navigation tree to validate the configurations.
  • Page 187 g. Click OK. Figure 65 Adding an IP address group Add a portal device: a. Select User Access Manager > Portal Service Management > Device from the navigation tree to enter the portal device configuration page. b. Click Add to open the page as shown in Figure c.
  • Page 188 a. As shown in Figure 67, click the icon in the Port Group Information Management column of device NAS to enter the port group configuration page. b. Click Add to open the page as shown in Figure c. Enter the port group name. d.
  • Page 189 [Switch-radius-rs1] user-name-format without-domain [Switch-radius-rs1] quit # Enable RADIUS session control. [Switch] radius session-control enable Configure an authentication domain: # Create an ISP domain named dm1 and enter its view. [Switch] domain dm1 # Configure AAA methods for the ISP domain. [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1...
  • Page 190: Configuring Cross-Subnet Portal Authentication For Mpls L3Vpns

    [Switch-Vlan-interface100] portal bas-ip 2.2.2.1 [Switch-Vlan-interface100] quit Verifying the configuration # Use the following command to display information about the portal authentication server. [Switch] display portal server newpt Portal server: newpt : 192.168.0.111 VPN instance : Not configured Port : 50100 Server Detection : Timeout 40s Action: log...
  • Page 191 <SwitchA> system-view [SwitchA] radius scheme rs1 # For the RADIUS scheme, specify the VPN instance that is bound to the interface connected to the portal/RADIUS server. This example uses VPN instance vpn3. [SwitchA-radius-rs1] vpn-instance vpn3 # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.
  • Page 192: Configuring Direct Portal Authentication Using Local Portal Web Server

    # Configure the BAS-IP as 3.3.0.3 for portal packets sent from VLAN-interface 3 to the portal authentication server. [SwitchA-Vlan-interface3] portal bas-ip 3.3.0.3 [SwitchA-Vlan-interface3] quit Verifying the configuration # Verify the portal configuration by executing the display portal interface command. (Details not shown.) # After the user passes authentication, execute the display portal user command to display the portal user information.
  • Page 193 <Switch> system-view [Switch] radius scheme rs1 # Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers. [Switch-radius-rs1] primary authentication 192.168.0.112 [Switch-radius-rs1] primary accounting 192.168.0.112 [Switch-radius-rs1] key authentication simple radius [Switch-radius-rs1] key accounting simple radius # Exclude the ISP domain name from the username sent to the RADIUS server.
  • Page 194 Verifying the configuration # Verify that the portal configuration has taken effect. [Switch] display portal interface vlan-interface 100 Portal information of Vlan-interface 100 Nas id profile: Not configured IPv4: Portal status: Enabled Authentication type: Direct Portal Web server: newpt Authentication domain: Not configured Pre-auth IP pool: Not configured BAS-IP: Not configured User Detection:...
  • Page 195: Troubleshooting Portal

    VPN instance: -- VLAN Interface 0015-e9a6-7cfe 2.2.2.2 Vlan-interface100 Troubleshooting portal No portal authentication page is pushed for users Symptom When a user is redirected to the IMC portal authentication server, no portal authentication page or error message is displayed to the user. The login page is blank. Analysis The key configured on the portal access device and that configured on the portal authentication server are inconsistent.
  • Page 196: Cannot Log Out Portal Users On The Radius Server

    Cannot log out portal users on the RADIUS server Symptom The access device uses the HPE IMC server as the RADIUS server to perform identity authentication for portal users. You cannot log out the portal users on the RADIUS server.
  • Page 197 discards the portal notification packet. As a result, the portal authentication server considers that the user has failed the authentication. Solution Configure the BAS-IP or BAS-IPv6 attribute on the interface enabled with portal authentication. Make sure the attribute value is the same as the portal device IP address specified on the portal authentication server.
  • Page 198: Configuring Port Security

    Configuring port security Overview Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control. This feature applies to networks, such as a WLAN, that require different authentication methods for different users on a port. Port security provides the following functions: •...
  • Page 199 Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC address or performs authentication, depending on the security mode. If the frame is illegal, the port takes the predefined NTK or intrusion protection action.
  • Page 200 A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC addresses. Instead, these MAC addresses are added to the secure MAC address table as secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.
  • Page 201: Configuration Task List

    In this mode, the port performs 802.1X authentication first. If 802.1X authentication fails, MAC authentication is performed. • macAddressOrUserLoginSecureExt. This mode is similar to the macAddressOrUserLoginSecure mode, except that this mode supports multiple 802.1X and MAC authentication users. • macAddressElseUserLoginSecure. This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority as the Else keyword implies.
  • Page 202: Setting Port Security's Limit On The Number Of Secure Mac Addresses On A Port

    You can use the undo port-security enable command to disable port security. Because the command logs off the online users, make sure no online users are present. Enabling or disabling port security resets the following security settings to the default: •...
  • Page 203: Configuring Port Security Features

    To enable a port security mode:
    Step: Enter system view. | Command: system-view
    Step: (Optional.) Set an OUI value for user authentication. | Command: port-security oui index index-value mac-address ... | Remarks: By default, no OUI value is configured for user authentication. This command is required for the userlogin-withoui mode. You can set multiple OUIs, but ...
  • Page 204: Configuring Intrusion Protection

    (Continued from the previous page) Command: ... { ntk-withbroadcasts | ntk-withmulticasts | ntkonly } | Remarks: ... port and all frames are allowed to be sent.
    Configuring intrusion protection
    Intrusion protection enables a device to take one of the following actions in response to illegal frames: • blockmac—Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards the frames.
  • Page 205: Configuration Prerequisites

    Table 16 A comparison of static, sticky, and dynamic secure MAC addresses
    Columns: Type | Address sources | Aging mechanism | Can be saved and survive a device reboot?
    Static: Address sources: Manually added (by using the port-security mac-address... ) | Aging mechanism: Not available. The static addresses never age out unless you perform any of the following tasks: ...
  • Page 206: Ignoring Authorization Information From The Server

    (Continued from the previous page) Remarks: ... timer.
    Step: Configure a secure MAC address. | Command: In system view: port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id; In Layer 2 Ethernet interface view: ... | Remarks: By default, no secure MAC address exists. In the same VLAN, a MAC ...
  • Page 207: Applying Nas-Id Profile To Port Security

    Step: Enter system view. | Command: system-view
    Step: Enable MAC move. | Command: port-security mac-move permit | Remarks: By default, MAC move is disabled.
    Applying NAS-ID profile to port security
    By default, the device sends its device name in the NAS-Identifier attribute of any RADIUS requests. A NAS-ID profile enables you to send different NAS-Identifier attribute strings in RADIUS requests from different VLANs.
  • Page 208: Displaying And Maintaining Port Security

    Step: Enter system view. | Command: system-view
    Step: Enable the authorization-fail-offline feature. | Command: port-security authorization-fail offline | Remarks: By default, this feature is disabled, and the device does not log off users who fail ACL or user profile authorization.
    Displaying and maintaining port security
    Execute display commands in any view: Task Command...
  • Page 209 # Set the secure MAC aging timer to 30 minutes. [Device] port-security timer autolearn aging 30 # Set port security's limit on the number of secure MAC addresses to 64 on port FortyGigE 1/1/1. [Device] interface fortygige 1/1/1 [Device-FortyGigE1/1/1] port-security max-mac-count 64 # Set the port security mode to autoLearn.
  • Page 210: Userloginwithoui Configuration Example

    port-security port-mode autolearn port-security mac-address security sticky 0002-0000-0015 vlan 1 port-security mac-address security sticky 0002-0000-0014 vlan 1 port-security mac-address security sticky 0002-0000-0013 vlan 1 port-security mac-address security sticky 0002-0000-0012 vlan 1 port-security mac-address security sticky 0002-0000-0011 vlan 1 [Device-FortyGigE1/1/1] quit # Verify that the port security mode changes to secure after the number of MAC addresses learned by the port reaches 64.
  • Page 211 Configuration procedure The following configuration steps cover some AAA/RADIUS configuration commands. For more information about the commands, see Security Command Reference. Make sure the host and the RADIUS server can reach each other. Configure AAA: # Configure a RADIUS scheme named radsun. <Device>...
  • Page 212 Primary Auth Server: : 192.168.1.2 Port: 1812 State: Active VPN : Not configured Primary Acct Server: : 192.168.1.3 Port: 1813 State: Active VPN : Not configured Second Auth Server: : 192.168.1.3 Port: 1812 State: Active VPN : Not configured Second Acct Server: : 192.168.1.2 Port: 1813 State: Active...
  • Page 213: Macaddresselseuserloginsecure Configuration Example

    Security MAC address attribute Learning mode : Sticky Aging type : Periodical Max secure MAC addresses : Not configured Current secure MAC addresses Authorization : Permitted NAS-ID profile is not configured # Display information about the online 802.1X user to verify 802.1X configuration. [Device] display dot1x # Verify that the port also allows one user whose MAC address has an OUI among the specified OUIs to pass authentication.
  • Page 214 [Device] port-security enable # Use MAC-based accounts for MAC authentication. Each MAC address must be in the hexadecimal notation with hyphens, and letters are in upper case. [Device] mac-authentication user-name-format mac-address with-hyphen uppercase # Specify the MAC authentication domain. [Device] mac-authentication domain sun # Set the 802.1X authentication method to CHAP.
  • Page 215 Offline detect period : 60 s Quiet period : 5 s Server timeout : 100 s Authentication domain : sun Max MAC-auth users : 4294967295 per slot Online MAC-auth users Silent MAC users: MAC address VLAN ID From port Port index FortyGigE1/1/1 is link-up MAC authentication...
  • Page 216: Troubleshooting Port Security

    Max 802.1X users : 4294967295 per slot Online 802.1X users FortyGigE1/1/1 is link-up 802.1X authentication : Enabled Handshake : Enabled Handshake reply : Enabled Handshake security : Disabled Unicast trigger : Disabled Periodic reauth : Disabled Port role : Authenticator Authorization mode : Auto Port access control...
  • Page 217: Cannot Configure Secure Mac Addresses

    Solution To resolve the problem: Set the port security mode to noRestrictions. [Device-FortyGigE1/1/1] undo port-security port-mode Set a new port security mode for the port, for example, autoLearn. [Device-FortyGigE1/1/1] port-security port-mode autolearn If the problem persists, contact Hewlett Packard Enterprise Support. Cannot configure secure MAC addresses Symptom Cannot configure secure MAC addresses.
  • Page 218: Configuring Password Control

    Configuring password control Overview Password control allows you to implement the following features: • Manage login and super password setup, expirations, and updates for device management users. • Control user login status based on predefined policies. Local users are divided into two types: device management users and network access users. This feature applies only to device management users.
  • Page 219: Password Updating And Expiration

    when a user configures a password, the system checks the complexity of the password. If the password is complexity-incompliant, the configuration will fail. You can apply the following password complexity requirements: • A password cannot contain the username or the reverse of the username. For example, if the username is abc, a password such as abc982 or 2cba is not complex enough.
  • Page 220: User Login Control

    Current login passwords of device management users are not stored in the password history. This is because a device management user password is saved in cipher text and cannot be recovered to a plaintext password. User login control First login With the global password control feature enabled, users must change the password at first login before they can access the system.
  • Page 221: Fips Compliance

    FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. Password control configuration task list The password control features can be configured in several different views, and different views support different features.
  • Page 222: Setting Global Password Control Parameters

    (Continued from the previous page) Remarks: ... default. • In FIPS mode, the global password control feature is enabled by default, and cannot be disabled.
    Step: (Optional.) Enable a specific password control feature. | Command: password-control { aging | composition | history | length } ... | Remarks: By default, all four password ...
  • Page 223: Setting User Group Password Control Parameters

    (Continued from the previous page) Step: ... after the specified number of attempts. | Remarks: ... number of attempts must wait for 1 minute before trying again.
    Step: Set the number of days during which a user is notified of the pending password expiration. | Command: password-control alert-before-expire alert-time | Remarks: The default setting is 7 days.
  • Page 224: Setting Local User Password Control Parameters

    Setting local user password control parameters
    Step: Enter system view. | Command: system-view
    Step: Create a device management user and enter ... | Command: local-user user-name class manage | Remarks: By default, no local user exists. Local user password control applies to device management users instead of network access users.
  • Page 225: Displaying And Maintaining Password Control

    Step: Enter system view. | Command: system-view
    Step: Set the password expiration time for super passwords. | Command: password-control super aging aging-time | Remarks: The default setting is 90 days.
    Step: Configure the minimum ... | Command: password-control super length ... | Remarks: • In non-FIPS mode, the default setting is 10 characters.
  • Page 226: Configuration Procedure

    • A password expires after 30 days. • The minimum password update interval is 36 hours. • The maximum account idle time is 30 days. • A password cannot contain the username or the reverse of the username. • No character appears consecutively three or more times in a password. Configure a super password control policy for user role network-operator to meet the following requirements: •...
  • Page 227: Verifying The Configuration

    [Sysname] password-control super composition type-number 4 type-length 5 # Configure a super password used for switching to user role network-operator as 123456789ABGFTweuix@#$%! in plain text. [Sysname] super password role network-operator simple 123456789ABGFTweuix@#$%! Updating user information. Please wait ... # Create a device management user named test. [Sysname] local-user test class manage # Set the service type of the user to Telnet.
  • Page 228 # Display the password control configuration for local user test. <Sysname> display local-user user-name test class manage Total 1 local users matched. Device management user test: State: Active Service type: Telnet User group: system Bind attributes: Authorization attributes: Work directory: flash: User role list: network-operator...
  • Page 229: Managing Public Keys

    Managing public keys Overview This chapter describes public key management for the following asymmetric key algorithms: • Rivest-Shamir-Adleman Algorithm (RSA). • Digital Signature Algorithm (DSA). • Elliptic Curve Digital Signature Algorithm (ECDSA). Many security applications, including SSH, SSL, and PKI, use asymmetric key algorithms to secure communications between two parties, as shown in Figure 74.
  • Page 230 • If you do not assign the key pair a name, the system assigns the default name to the key pair and marks the key pair as default. You can also assign the default name to another key pair, but the system does not mark the key pair as default. The name of a key pair must be unique among all manually named key pairs that use the same key algorithm.
  • Page 231: Distributing A Local Host Public Key

... secp384r1 | secp521r1 } | rsa } [ name key-name ]
Distributing a local host public key
You must distribute a local host public key to a peer device so the peer device can perform the following operations: •...
  • Page 232: Destroying A Local Key Pair

    NOTE: Do not distribute the RSA server public key serverkey (default) to a peer device. Destroying a local key pair To avoid key compromise, destroy a local key pair and generate a new pair after any of the following conditions occurs: •...
  • Page 233: Displaying And Maintaining Public Keys

    Use the display public-key local public command to display the public key on the peer device. The format of the public key displayed in any other way might be incorrect. If the key is not in the correct format, the system discards the key and displays an error message. If the key is valid, the system saves the key.
  • Page 234 # Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits. <DeviceA> system-view [DeviceA] public-key local create rsa The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
  • Page 235: Example For Importing A Public Key From A Public Key File

    88EC54A5D31EFAE4F681257 [DeviceB-pkey-public-key-devicea]6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F B1F2D561BF66EA27DFD4788 [DeviceB-pkey-public-key-devicea]CB47440AF6BB25ACA50203010001 # Save the public key and return to system view. [DeviceB-pkey-public-key-devicea] peer-public-key end Verifying the configuration # Verify that the key is the same as on Device A. [DeviceB] display public-key peer name devicea ============================================= Key name: devicea Key type: RSA Key modulus: 1024 Key code:...
  • Page 236 ........++++++ ..++++++++ ....++++++++ Create the key pair successfully. # Display all local RSA public keys. [DeviceA] display public-key local rsa public ============================================= Key name: hostkey (default) Key type: RSA Time when key pair created: 16:48:31 2011/05/12 Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B 8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E 45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257 6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788 CB47440AF6BB25ACA50203010001...
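One way to check a key code before and after it is typed into the peer, as an added example that is not code from the guide: parse the hex string shown by display public-key local rsa public as a DER SubjectPublicKeyInfo, report the modulus length and exponent, and compare SHA-256 fingerprints of the local and peer copies instead of comparing the hex by eye. The key code is Device A's from the example above; the damaged copy is constructed here by dropping three bytes from the middle, the kind of error manual entry on Device B introduces and which the system rejects as an incorrect format. The weak flag (modulus under 2048 bits) is this example's threshold, not a setting of the guide.

```python
import hashlib
from typing import Dict, Tuple

# Key code shown by "display public-key local rsa public" on Device A in the guide's example.
DEVICE_A_KEY_CODE = (
    "30819F300D06092A864886F70D010101050003818D0030818902818100DA3B90F59237347B"
    "8D41B58F8143512880139EC9111BFD31EB84B6B7C7A1470027AC8F04A827B30C2CAF79242E"
    "45FDFF51A9C7E917DB818D54CB7AEF538AB261557524A7441D288EC54A5D31EFAE4F681257"
    "6D7796490AF87A8C78F4A7E31F0793D8BA06FB95D54EBB9F94EB1F2D561BF66EA27DFD4788"
    "CB47440AF6BB25ACA50203010001"
)
# Constructed for this example: the same key code with three bytes lost in the middle,
# as can happen when the code is typed into Device B by hand.
DAMAGED_KEY_CODE = DEVICE_A_KEY_CODE[:222] + DEVICE_A_KEY_CODE[228:]

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length exceeds data: key code is truncated or mis-typed")
    return tag, buf[pos:end], end


def parse_rsa_key_code(hex_code: str) -> Dict[str, object]:
    """Parse a SubjectPublicKeyInfo hex string into modulus size, exponent and fingerprint."""
    try:
        der = bytes.fromhex("".join(hex_code.split()))   # tolerate the chunked entry form
    except ValueError:
        raise ValueError("key code is not valid hex (odd length or stray characters)") from None
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("key code is not a single DER SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier missing")
    oid_tag, oid, _ = _tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _tlv(spki, pos)
    if tag != 0x03 or not bitstr or bitstr[0] != 0:
        raise ValueError("subjectPublicKey BIT STRING malformed")
    tag, rsa_pub, _ = _tlv(bitstr[1:], 0)
    if tag != 0x30:
        raise ValueError("RSAPublicKey SEQUENCE missing")
    n_tag, n_bytes, pos = _tlv(rsa_pub, 0)
    e_tag, e_bytes, _ = _tlv(rsa_pub, pos)
    if n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("modulus and exponent must be INTEGERs")
    modulus = int.from_bytes(n_bytes, "big")
    exponent = int.from_bytes(e_bytes, "big")
    return {
        "modulus_bits": modulus.bit_length(),
        "exponent": exponent,
        "sha256": hashlib.sha256(der).hexdigest(),
        "weak": modulus.bit_length() < 2048,   # this example's threshold, not the guide's
    }


def keys_match(local_hex: str, peer_hex: str) -> bool:
    """True when the key code entered on the peer is byte-for-byte the local host key."""
    return parse_rsa_key_code(local_hex)["sha256"] == parse_rsa_key_code(peer_hex)["sha256"]


if __name__ == "__main__":
    info = parse_rsa_key_code(DEVICE_A_KEY_CODE)
    print(f"RSA-{info['modulus_bits']} e={info['exponent']} sha256={info['sha256'][:16]}... weak={info['weak']}")
    try:
        parse_rsa_key_code(DAMAGED_KEY_CODE)
    except ValueError as err:
        print("damaged copy rejected:", err)
```

The default modulus length of 1024 bits that the example accepts is flagged as weak here; the command's range goes up to 2048 bits, and that is the value to pass when creating the pair.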
  • Page 237 200 TYPE is now 8-bit binary ftp> get devicea.pub 227 Entering Passive Mode (10,1,1,1,118,252) 150 Accepted data connection 226 File successfully transferred 301 bytes received in 0.003 seconds (98.0 kbyte/s) ftp> quit 221-Goodbye. You uploaded 0 and downloaded 1 kbytes. 221 Logout.
  • Page 238: Configuring Pki

    Configuring PKI Overview Public Key Infrastructure (PKI) is an asymmetric key infrastructure to encrypt and decrypt data for securing network services. Data encrypted with the public key can be decrypted only with the private key. Likewise, data encrypted with the private key can be decrypted only with the public key. PKI uses digital certificates to distribute and employ public keys, and provides network communication and e-commerce with security services such as user authentication, data confidentiality, and data integrity.
  • Page 239: Pki Architecture

    • The private key is compromised. • The association between the subject and CA is changed. For example, when an employee terminates employment with an organization. CA policy A CA policy is a set of criteria that a CA follows to process certificate requests, to issue and revoke certificates, and to publish CRLs.
  • Page 240: Pki Applications

    A PKI entity submits a certificate request to the RA. The RA verifies the identity of the entity and sends a digital signature containing the identity information and the public key to the CA. The CA verifies the digital signature, approves the request, and issues a certificate. After receiving the certificate from the CA, the RA sends the certificate to the certificate repositories and notifies the PKI entity that the certificate has been issued.
  • Page 241: Fips Compliance

    FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. PKI configuration task list Tasks at a glance (Required.) Configuring a PKI entity (Required.)
  • Page 242: Configuring A Pki Domain

Remarks for the entity-creation step: To create multiple PKI entities, repeat this step.
Set a common name for the entity.
    Command: common-name common-name-string
    Remarks: By default, the common name is not set.
Set the country code of the entity.
    Command: country country-code-string
    Remarks: By default, the country code is not set.
• Page 243 (Optional.) Set the SCEP polling interval and the maximum number of polling attempts.
    Command: certificate request polling { count count | interval minutes }
    Remarks: By default, the switch polls the CA server for the certificate request status every 20 minutes. The maximum number of polling attempts ...
  • Page 244: Requesting A Certificate

12. (Optional.) Specify a source IP address for the PKI protocol packets.
    Command (IPv4): source ip { ip-address | interface interface-type interface-number }
    Remarks: This task is required if the CA policy requires that the CA server accept certificate requests from a specific IP address or subnet.
  • Page 245: Configuring Automatic Certificate Request

    Configuring automatic certificate request IMPORTANT: The device does not support automatic certificate rollover. To avoid service interruptions, you must manually submit a certificate renewal request before the current certificate expires. In auto request mode, a PKI entity automatically submits a certificate request to the CA when an application works with the PKI entity that does not have a local certificate.
  • Page 246: Aborting A Certificate Request

... a key pair if the key pair specified in the PKI domain does not exist. The name, algorithm, and length of the key pair are configured in the PKI domain.
Aborting a certificate request
Before the CA issues a certificate, you can abort a certificate request and change its parameters, such as the common name, country code, or FQDN.
  • Page 247: Configuration Procedure

    • If a CA certificate already exists locally, you cannot obtain it again in online mode. If you want to obtain a new one, use the pki delete-certificate command to remove the existing CA certificate and local certificates first. • If local or peer certificates already exist, you can obtain new local or peer certificates to overwrite the existing ones.
  • Page 248: Verifying Certificates Without Crl Checking

Step 1. Enter system view.
    Command: system-view
Step 2. Enter PKI domain view.
    Command: pki domain domain-name
Step 3. (Optional.) Specify the URL of the CRL repository.
    Command: crl url url-string [ vpn-instance vpn-instance-name ]
    Remarks: By default, the URL of the CRL repository is not specified.
Step 4. Enable CRL checking.
    Remarks: By default, CRL checking is ...
  • Page 249: Exporting Certificates

    After you change the storage path for certificates or CRLs, the certificate files (with the .cer or .p12 extension) and CRL files (with the .crl extension) in the original path are moved to the new path. To specify the storage path for the certificates and CRLs: Task Command Remarks...
  • Page 250: Configuring A Certificate-Based Access Control Policy

Request a new certificate.
To remove a certificate:
Step 1. Enter system view.
    Command: system-view
Step 2. Remove a certificate.
    Command: pki delete-certificate domain domain-name { ca | local | peer [ serial serial-num ] }
    Remarks: If you use the peer keyword without specifying a serial number, the command removes all peer certificates.
  • Page 251: Displaying And Maintaining Pki

Create a certificate access control policy and enter its view.
    Command: ... policy-name
    Remarks: By default, no certificate access control policy exists.
Create a certificate access control rule.
    Command: rule [ id ] { deny | permit } ...
    Remarks: By default, no certificate access control rules are configured, and all certificates can pass the verification.
  • Page 252 Configuring the RSA Keon CA server Create a CA server named myca: In this example, you must configure these basic attributes on the CA server: Nickname—Name of the trusted CA. Subject DN—DN attributes of the CA, including the common name (CN), organization unit (OU), organization (O), and country (C).
  • Page 253 ......++++++ ........++++++ Create the key pair successfully. Request a local certificate: # Obtain the CA certificate and save it locally. [Device] pki retrieve-certificate domain torsa ca The trusted CA's finger print is: fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8 Is the finger print correct?(Y/N):y Retrieved the certificates successfully.
  • Page 254: Requesting A Certificate From A Windows Server 2003 Ca Server

    Full Name: DirName: CN = myca Signature Algorithm: sha1WithRSAEncryption b0:9d:d9:ac:a0:9b:83:99:bf:9d:0a:ca:12:99:58:60:d8:aa: 73:54:61:4b:a2:4c:09:bb:9f:f9:70:c7:f8:81:82:f5:6c:af: 25:64:a5:99:d1:f6:ec:4f:22:e8:6a:96:58:6c:c9:47:46:8c: f1:ba:89:b8:af:fa:63:c6:c9:77:10:45:0d:8f:a6:7f:b9:e8: 25:90:4a:8e:c6:cc:b8:1a:f8:e0:bc:17:e0:6a:11:ae:e7:36: 87:c4:b0:49:83:1c:79:ce:e2:a3:4b:15:40:dd:fe:e0:35:52: ed:6d:83:31:2c:c2:de:7c:e0:a7:92:61:bc:03:ab:40:bd:69: 1b:f5 To display detailed information about the CA certificate, use the display pki certificate domain command. Requesting a certificate from a Windows Server 2003 CA server Network requirements Configure the PKI entity (the device) to request a local certificate from a Windows Server 2003 CA...
  • Page 255 a. Select Control Panel > Administrative Tools > Internet Information Services (IIS) Manager from the start menu. b. Select Web Sites from the navigation tree. c. Right-click Default Web Site and select Properties > Home Directory. d. Specify the path for certificate service in the Local path box. e.
  • Page 256 SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4 Is the finger print correct?(Y/N):y Retrieved the certificates successfully. # Submit a certificate request manually. [Device] pki request-certificate domain winserver Start to request the general certificate ... …… Certificate requested successfully. Verifying the configuration # Display information about the local certificate in PKI domain winserver.
  • Page 257: Requesting A Certificate From An Openca Server

    herment X509v3 Subject Key Identifier: C9:BB:D5:8B:02:1D:20:5B:40:94:15:EC:9C:16:E8:9D:6D:FD:9F:34 X509v3 Authority Key Identifier: keyid:32:F1:40:BA:9E:F1:09:81:BD:A8:49:66:FF:F8:AB:99:4A:30:21:9 X509v3 CRL Distribution Points: Full Name: URI:file://\\g07904c\CertEnroll\sec.crl Authority Information Access: CA Issuers - URI:http://gc/CertEnroll/gc_sec.crt CA Issuers - URI:file://\\gc\CertEnroll\gc_sec.crt 1.3.6.1.4.1.311.20.2: .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e Signature Algorithm: sha1WithRSAEncryption 76:f0:6c:2c:4d:bc:22:59:a7:39:88:0b:5c:50:2e:7a:5c:9d: 6c:28:3c:c0:32:07:5a:9c:4c:b6:31:32:62:a9:45:51:d5:f5: 36:8f:47:3d:47:ae:74:6c:54:92:f2:54:9f:1a:80:8a:3f:b2: 14:47:fa:dc:1e:4d:03:d5:d3:f5:9d:ad:9b:8d:03:7f:be:1e: 29:28:87:f7:ad:88:1c:8f:98:41:9a:db:59:ba:0a:eb:33:ec: cf:aa:9b:fc:0f:69:3a:70:f2:fa:73:ab:c1:3e:4d:12:fb:99: 31:51:ab:c2:84:c0:2f:e5:f6:a7:c3:20:3c:9a:b0:ce:5a:bc: 0f:d9:34:56:bc:1e:6f:ee:11:3f:7c:b2:52:f9:45:77:52:fb: 46:8a:ca:b7:9d:02:0d:4e:c3:19:8f:81:46:4e:03:1f:58:03:...
  • Page 258 Configuring the OpenCA server The configuration is not shown. For information about how to configure an OpenCA server, see related manuals. When you configure the CA server, use the OpenCA version later than version 0.9.2 because the earlier versions do not support SCEP. Configuring the device Synchronize the device's system time with the CA server for the device to correctly request certificates.
  • Page 259 fingerprint:5AA3 DEFD 7B23 2A25 16A3 14F4 C81C C0FA SHA1 fingerprint:9668 4E63 D742 4B09 90E0 4C78 E213 F15F DC8E 9122 Is the finger print correct?(Y/N):y Retrieved the certificates successfully. # Submit a certificate request manually. [Device] pki request-certificate domain openca Start to request the general certificate ... ……...
  • Page 260: Certificate Import And Export Configuration Example

    Netscape Comment: User Certificate of OpenCA Labs X509v3 Subject Key Identifier: 24:71:C9:B8:AD:E1:FE:54:9A:EA:E9:14:1B:CD:D9:45:F4:B2:7A:1B X509v3 Authority Key Identifier: keyid:85:EB:D5:F7:C9:97:2F:4B:7A:6D:DD:1B:4D:DD:00:EE:53:CF:FD:5B X509v3 Issuer Alternative Name: DNS:root@docm.com, DNS:, IP Address:192.168.154.145, IP Address:192.168.154.138 Authority Information Access: CA Issuers - URI:http://192.168.222.218/pki/pub/cacert/cacert.crt OCSP - URI:http://192.168.222.218:2560/ 1.3.6.1.5.5.7.48.12 - URI:http://192.168.222.218:830/ X509v3 CRL Distribution Points: Full Name: URI:http://192.168.222.218/pki/pub/crl/cacrl.crl...
  • Page 261 Figure 82 Network diagram Configuration procedure Export the certificate on Device A to specified files: # Export the CA certificate to a .pem file. <DeviceA> system-view [DeviceA] pki export domain exportdomain pem ca filename pkicachain.pem # Export the local certificate to a file named pkilocal.pem in PEM format, and use 3DES_CBC to encrypt the private key with the password 111111.
  • Page 262 friendlyName: localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8 subject=/C=CN/O=OpenCA Labs/OU=Users/CN=subencr 11 issuer=/C=CN/L=shangdi/ST=pukras/O=OpenCA Labs/OU=docm/CN=subca1 -----BEGIN CERTIFICATE----- MIIEUDCCAzigAwIBAgIKCHxnAVyzWhIPLzANBgkqhkiG9w0BAQsFADBmMQswCQYD … -----END CERTIFICATE----- Bag Attributes friendlyName: localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8 Key Attributes: <No Attributes>...
  • Page 263 Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=docm, CN=subca1 Validity Not Before: May 26 05:56:49 2011 GMT Not After : Nov 22 05:56:49 2012 GMT Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subsign 11 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:9f:6e:2f:f6:cb:3d:08:19:9a:4a:ac:b4:ac:63: ce:8d:6a:4c:3a:30:19:3c:14:ff:a9:50:04:f5:00:...
  • Page 264 Signature Algorithm: sha256WithRSAEncryption 18:e7:39:9a:ad:84:64:7b:a3:85:62:49:e5:c9:12:56:a6:d2: 46:91:53:8e:84:ba:4a:0a:6f:28:b9:43:bc:e7:b0:ca:9e:d4: 1f:d2:6f:48:c4:b9:ba:c5:69:4d:90:f3:15:c4:4e:4b:1e:ef: 2b:1b:2d:cb:47:1e:60:a9:0f:81:dc:f2:65:6b:5f:7a:e2:36: 29:5d:d4:52:32:ef:87:50:7c:9f:30:4a:83:de:98:8b:6a:c9: 3e:9d:54:ee:61:a4:26:f3:9a:40:8f:a6:6b:2b:06:53:df:b6: 5f:67:5e:34:c8:c3:b5:9b:30:ee:01:b5:a9:51:f9:b1:29:37: 02:1a:05:02:e7:cc:1c:fe:73:d3:3e:fa:7e:91:63:da:1d:f1: db:28:6b:6c:94:84:ad:fc:63:1b:ba:53:af:b3:5d:eb:08:b3: 5b:d7:22:3a:86:c3:97:ef:ac:25:eb:4a:60:f8:2b:a3:3b:da: 5d:6f:a5:cf:cb:5a:0b:c5:2b:45:b7:3e:6e:39:e9:d9:66:6d: ef:d3:a0:f6:2a:2d:86:a3:01:c4:94:09:c0:99:ce:22:19:84: 2b:f0:db:3e:1e:18:fb:df:56:cb:6f:a2:56:35:0d:39:94:34: 6d:19:1d:46:d7:bf:1a:86:22:78:87:3e:67:fe:4b:ed:37:3d: d6:0a:1c:0b Certificate: Data: Version: 3 (0x2) Serial Number: 08:7c:67:01:5c:b3:5a:12:0f:2f Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=docm, CN=subca1 Validity Not Before: May 26 05:58:26 2011 GMT Not After : Nov 22 05:58:26 2012 GMT Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subencr 11 Subject Public Key Info:...
  • Page 265: Troubleshooting Pki Configuration

    X509v3 Key Usage: Key Encipherment, Data Encipherment Netscape Comment: Server of OpenCA Labs X509v3 Subject Key Identifier: CC:96:03:2F:FC:74:74:45:61:38:1F:48:C0:E8:AA:18:24:F0:2B:AB X509v3 Authority Key Identifier: keyid:70:54:40:61:71:31:02:06:8C:62:11:0A:CC:A5:DB:0E:7E:74:DE:DD X509v3 Subject Alternative Name: email:subencr@docm.com X509v3 Issuer Alternative Name: DNS:subca1@docm.com, DNS:, IP Address:1.1.2.2, IP Address:2.2.1.1 Authority Information Access: CA Issuers - URI:http://titan/pki/pub/cacert/cacert.crt OCSP - URI:http://titan:2560/ 1.3.6.1.5.5.7.48.12 - URI:http://titan:830/...
  • Page 266: Failed To Obtain The Ca Certificate

    Failed to obtain the CA certificate Symptom The CA certificate cannot be obtained. Analysis • The network connection is down, for example, because the network cable is damaged or the connectors have bad contact. • No trusted CA is specified. •...
  • Page 267: Failed To Request Local Certificates

Check the registration policy on the CA or RA, and make sure the attributes of the PKI entity meet the policy requirements. Obtain the CRL from the CRL repository. Specify the correct source IP address that the CA server can accept. For the correct settings, contact the CA administrator.
  • Page 268: Failed To Import The Ca Certificate

    Analysis • The network connection is down, for example, because the network cable is damaged or the connectors have bad contact. • No CA certificate has been obtained before you try to obtain CRLs. • The URL of the CRL repository is not configured and cannot be obtained from the CA certificate or local certificates in the PKI domain.
  • Page 269: Failed To Import A Local Certificate

    Failed to import a local certificate Symptom A local certificate cannot be imported. Analysis • The PKI domain does not have a locally stored CA certificate, and the certificate file to be imported does not contain the CA certificate chain. •...
  • Page 270: Failed To Set The Storage Path

    If the problem persists, contact Hewlett Packard Enterprise Support. Failed to set the storage path Symptom The storage path for certificates or CRLs cannot be set. Analysis • The specified storage path does not exist. • The specified storage path is illegal. •...
  • Page 271: Configuring Ipsec

    Configuring IPsec The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide). CAUTION: ACLs for IPsec take effect only on traffic that is generated by the device and traffic that is destined for the device.
• Page 272 to prevent data tampering, but it cannot prevent eavesdropping. Therefore, it is suitable for transmitting non-confidential data. AH supports authentication algorithms HMAC-MD5 and HMAC-SHA1. • ESP (protocol 50) defines the encapsulation of the ESP header and trailer in an IP packet, as shown in Figure 85.
  • Page 273: Security Association

Figure 85 Security protocol encapsulations in different modes (figure not reproduced: it shows the AH, ESP, and AH-ESP packet layouts in transport mode and in tunnel mode, with the ESP trailer labeled ESP-T)
Security association
A security association (SA) is an agreement negotiated between two communicating parties called IPsec peers.
  • Page 274: Ipsec Implementation

    packet. The receiver compares the local digest with that received from the sender. If the digests are identical, the receiver considers the packet intact and the sender's identity valid. IPsec uses the Hash-based Message Authentication Code (HMAC) based authentication algorithms, including HMAC-MD5 and HMAC-SHA1.
  • Page 275: Protocols And Standards

    This mode consumes more system resources when multiple data flows exist between two subnets to be protected. Application-based IPsec This IPsec implementation method does not require an ACL. All packets of the application bound to an IPsec profile are encapsulated with IPsec, and all packets of the applications that are not bound with IPsec and the IPsec packets that failed to be de-encapsulated are dropped.
  • Page 276: Implementing Acl-Based Ipsec

    Implementing ACL-based IPsec Feature restrictions and guidelines ACLs for IPsec take effect only on traffic that is generated by the device and traffic that is destined for the device. They do not take effect on traffic forwarded through the device. For example, an ACL-based IPsec tunnel can protect log messages the device sends to a log server, but it cannot protect all the data flows and voice flows that are forwarded by the device.
  • Page 277: Configuring An Acl

    Configuring an ACL IPsec uses ACLs to identify the traffic to be protected. Keywords in ACL rules An ACL is a collection of ACL rules. Each ACL rule is a deny or permit statement. A permit statement identifies a data flow protected by IPsec, and a deny statement identifies a data flow that is not protected by IPsec.
• Page 278 Step: Create an IPsec transform set and enter its view.
    Command: ipsec transform-set transform-set-name
    Remarks: By default, no IPsec transform set exists.
Step: (Optional.) Specify the security protocol for the IPsec transform set.
    Command: protocol { ah | ah-esp | esp }
    Remarks: By default, the IPsec transform set ...
  • Page 279: Configuring A Manual Ipsec Policy

Step: (Optional.) Enable the Perfect Forward Secrecy (PFS) feature for the IPsec policy.
    Command in non-FIPS mode: pfs { ... | dh-group5 | dh-group14 | dh-group19 | dh-group20 | dh-group24 }
    Command in FIPS mode: pfs { dh-group14 | dh-group19 | dh-group20 | dh-group24 }
    Remarks: For more information about PFS, see "Configuring IKE." The security level of the Diffie-Hellman (DH) group of the initiator must be higher than or ...
• Page 280 Step: Specify an ACL for the IPsec policy.
    Command: security acl [ ipv6 ] { acl-number | name acl-name }
    Remarks: By default, an IPsec policy references no ACL. An IPsec policy can reference only one ACL.
Step: Specify an IPsec transform set ...
    Remarks: By default, an IPsec policy references no IPsec transform set.
  • Page 281: Configuring An Ike-Based Ipsec Policy

    Configuring an IKE-based IPsec policy In an IKE-based IPsec policy, the parameters are automatically negotiated through IKE. To configure an IKE-based IPsec policy, use one of the following methods: • Directly configure it by configuring the parameters in IPsec policy view. •...
• Page 282 Step: Specify an IKE profile for the IPsec policy.
    Command: ike-profile profile-name
    Remarks: By default, the IPsec policy references no IKE profile, and the device selects an IKE profile configured in system view for negotiation. If no IKE profile is configured, the globally configured IKE settings are used. An IPsec policy can reference ...
  • Page 283 Configuring an IKE-based IPsec policy by referencing an IPsec policy template The configurable parameters for an IPsec policy template are the same as those when you directly configure an IKE-based IPsec policy. The difference is that more parameters are optional for an IPsec policy template.
  • Page 284: Applying An Ipsec Policy To An Interface

... address of the interface to which the IPsec policy is applied. The local IP address specified by this command must be the same as the IP address used as the local IKE identity.
Step: (Optional.) Specify the remote IP address of the ...
    Command: remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ...
    Remarks: By default, the remote IP address ...
  • Page 285: Enabling Acl Checking For De-Encapsulated Packets

Step 1. Enter system view.
    Command: system-view
Step 2. Enter interface view.
    Command: interface interface-type interface-number
Step 3. Apply an IPsec policy to the interface.
    Command: ipsec apply { policy | ...
    Remarks: By default, no IPsec policy is applied to the interface. An interface can reference only one IPsec policy.
  • Page 286: Configuring Ipsec Anti-Replay Redundancy

    IMPORTANT: • IPsec anti-replay is enabled by default. Failure to detect anti-replay attacks might result in denial of services. Use caution when you disable IPsec anti-replay. • Specify an anti-replay window size that is as small as possible to reduce the impact on system performance.
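The receive-side checks this chapter describes, the HMAC digest comparison under "IPsec implementation" and the anti-replay window in the note above, as one added Python example rather than code from the guide. A sender computes an HMAC-SHA1-96 ICV over the ESP header and payload; the receiver follows the RFC 4303 order: sequence-number window check first (cheap, and it keeps replayed packets from consuming HMAC work), ICV verification second, and window update only for packets that pass both, so forged packets cannot move the window. Encryption is left out so the integrity and replay logic stay visible. The SPI and the string key abcdefg come from the guide's manual-policy example; the packet pattern is constructed for this example, and the window size of 64 is an assumption chosen to show the effect of a small window.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional

ICV_LEN = 12  # HMAC-SHA1-96: the 160-bit HMAC-SHA1 tag truncated to 96 bits (RFC 2404)


def esp_build(spi: int, seq: int, payload: bytes, auth_key: bytes) -> bytes:
    """Sender side: spi || seq || payload || ICV. ESP encryption is omitted in this example."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + payload, hashlib.sha1).digest()[:ICV_LEN]
    return header + payload + icv


class InboundSA:
    """Inbound SA with a sliding anti-replay window kept as a bitmap (RFC 4303, section 3.4.3)."""

    def __init__(self, spi: int, auth_key: bytes, window_size: int = 64):
        self.spi = spi
        self.auth_key = auth_key
        self.window_size = window_size
        self.top = 0                  # highest sequence number accepted so far
        self.bitmap = 0               # bit i set => sequence number (top - i) already seen
        self.stats: Dict[str, int] = {"accepted": 0, "bad_icv": 0, "replay": 0, "stale": 0}

    def _window_check(self, seq: int) -> str:
        if seq == 0:
            return "replay"           # sequence numbers start at 1; 0 is never valid
        if seq > self.top:
            return "ok"               # to the right of the window: new
        offset = self.top - seq
        if offset >= self.window_size:
            return "stale"            # to the left of the window: too old to judge
        return "replay" if (self.bitmap >> offset) & 1 else "ok"

    def _window_update(self, seq: int) -> None:
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window_size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, packet: bytes) -> Optional[bytes]:
        """Return the payload if the packet is accepted, None if dropped (reason counted in stats)."""
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return None
        verdict = self._window_check(seq)   # cheap check first, before the HMAC
        if verdict != "ok":
            self.stats[verdict] += 1
            return None
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):   # constant-time comparison
            self.stats["bad_icv"] += 1
            return None
        self._window_update(seq)        # only authenticated packets move the window
        self.stats["accepted"] += 1
        return body[8:]


def demo() -> Dict[str, int]:
    """Run a constructed traffic pattern through the receiver and return its counters."""
    key = b"abcdefg"                   # the string key from the guide's manual-policy example
    sa = InboundSA(spi=54321, auth_key=key, window_size=64)
    packets = [esp_build(54321, seq, b"data-%d" % seq, key) for seq in range(1, 80)]
    for seq in range(1, 71):           # 70 packets in order: all accepted, top = 70
        sa.receive(packets[seq - 1])
    sa.receive(packets[69])            # seq 70 again: replay
    sa.receive(packets[9])             # seq 10: inside the window and already seen: replay
    sa.receive(packets[4])             # seq 5: 65 behind top, outside a 64-wide window: stale
    p71 = packets[70]
    tampered = p71[:8] + bytes([p71[8] ^ 0xFF]) + p71[9:]
    sa.receive(tampered)               # seq 71 with a flipped payload byte: bad ICV, window untouched
    sa.receive(p71)                    # genuine seq 71: accepted
    sa.receive(packets[72])            # seq 73 arrives before 72: accepted, window slides
    sa.receive(packets[71])            # seq 72 late but unseen: accepted
    sa.receive(packets[71])            # seq 72 once more: replay
    return dict(sa.stats)


if __name__ == "__main__":
    print(demo())
```

The stale counter is what a too-small window costs: a legitimate packet that arrives more than window_size behind the newest one is dropped. Disabling anti-replay removes that cost and the protection together, which is why the note above says to keep it enabled and size the window rather than turn it off.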
  • Page 287: Binding A Source Interface To An Ipsec Policy

... outbound packets. ... 100000 packets.
Binding a source interface to an IPsec policy
For high availability, a core device is usually connected to an ISP through two links, which operate in backup or load sharing mode. The two interfaces negotiate with their peers to establish IPsec SAs respectively.
  • Page 288: Enabling Logging Of Ipsec Packets

Step 1. Enter system view.
    Command: system-view
Step 2. Enter IPsec policy view or IPsec policy template view.
    To enter IPsec policy view: ipsec { policy | ipv6-policy } policy-name seq-number [ isakmp | manual ]
    To enter IPsec policy template view: ipsec { policy-template | ipv6-policy-template } ...
  • Page 289: Configuring Ipsec For Ipv6 Routing Protocols

Step: Enter interface view.
    Command: interface interface-type interface-number
Step: Configure the DF bit of IPsec packets on the interface.
    Command: ipsec df-bit { clear | copy | set }
    Remarks: By default, the interface uses the global DF bit setting.
To configure the DF bit of IPsec packets globally:
Step Command Remarks ...
  • Page 290: Configuring Snmp Notifications For Ipsec

    • The keys for the IPsec SAs at the two tunnel ends must be configured in the same format. For example, if the key at one end is entered as a string of characters, the key on the other end must also be entered as a string of characters.
  • Page 291: Displaying And Maintaining Ipsec

    To generate and output SNMP notifications for a specific IPsec failure or event type, perform the following tasks: Enable SNMP notifications for IPsec globally. Enable SNMP notifications for the failure or event type. To configure SNMP notifications for IPsec: Step Command Remarks Enter system view...
  • Page 292: Ipsec Configuration Examples

    IPsec configuration examples Configuring a manual mode IPsec tunnel for IPv4 packets Network requirements As shown in Figure 86, establish an IPsec tunnel between Switch A and Switch B to protect data flows between the switches. Configure the tunnel as follows: •...
  • Page 293 # Configure inbound and outbound SPIs for ESP. [SwitchA-ipsec-policy-manual-map1-10] sa spi outbound esp 12345 [SwitchA-ipsec-policy-manual-map1-10] sa spi inbound esp 54321 # Configure the inbound and outbound SA keys for ESP. [SwitchA-ipsec-policy-manual-map1-10] sa string-key outbound esp simple abcdefg [SwitchA-ipsec-policy-manual-map1-10] sa string-key inbound esp simple gfedcba [SwitchA-ipsec-policy-manual-map1-10] quit # Apply the IPsec policy map1 to interface VLAN-interface 1.
  • Page 294: Configuring An Ike-Based Ipsec Tunnel For Ipv4 Packets

    [SwitchB-Vlan-interface1] ipsec apply policy use1 Verifying the configuration After the configuration is completed, an IPsec tunnel between Switch A and Switch B is established, and the traffic between the switches is IPsec protected. This example uses Switch A to verify the configuration.
  • Page 295 Configuration procedure Configure Switch A: # Configure an IP address for VLAN-interface 1. <SwitchA> system-view [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ip address 2.2.2.1 255.255.255.0 [SwitchA-Vlan-interface1] quit # Configure an ACL to identify data flows between Switch A and Switch B. [SwitchA] acl number 3101 [SwitchA-acl-adv-3101] rule 0 permit ip source 2.2.2.1 0 destination 2.2.3.1 0 [SwitchA-acl-adv-3101] quit...
  • Page 296 # Apply the IPsec policy map1 to interface VLAN-interface 1. [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ipsec apply policy map1 Configure Switch B: # Configure an IP address for VLAN-interface 1. <SwitchB> system-view [SwitchB] interface vlan-interface 1 [SwitchB-Vlan-interface1] ip address 2.2.3.1 255.255.255.0 [SwitchB-Vlan-interface1] quit # Configure an ACL to identify data flows between Switch B and Switch A.
  • Page 297: Configuring Ipsec For Ripng

    [SwitchB-ipsec-policy-isakmp-use1-10] quit # Apply the IPsec policy use1 to interface VLAN-interface 1. [SwitchB] interface vlan-interface 1 [SwitchB-Vlan-interface1] ipsec apply policy use1 Verifying the configuration # Initiate a connection from Switch A to Switch B to trigger the IKE negotiation. After IPsec SAs are successfully negotiated by IKE, the traffic between the two switches is IPsec protected.
• Page 298 [SwitchA-ipsec-transform-set-tran1] protocol esp [SwitchA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128 [SwitchA-ipsec-transform-set-tran1] esp authentication-algorithm sha1 [SwitchA-ipsec-transform-set-tran1] quit # Create and configure the IPsec profile named profile001. [SwitchA] ipsec profile profile001 manual [SwitchA-ipsec-profile-profile001] transform-set tran1 [SwitchA-ipsec-profile-profile001] sa spi outbound esp 123456 [SwitchA-ipsec-profile-profile001] sa spi inbound esp 123456 [SwitchA-ipsec-profile-profile001] sa string-key outbound esp simple abcdefg [SwitchA-ipsec-profile-profile001] sa string-key inbound esp simple abcdefg [SwitchA-ipsec-profile-profile001] quit...
  • Page 299 Configure Switch C: # Configure IPv6 addresses for interfaces. (Details not shown.) # Configure basic RIPng. <SwitchC> system-view [SwitchC] ripng 1 [SwitchC-ripng-1] quit [SwitchC] interface vlan-interface 200 [SwitchC-Vlan-interface200] ripng 1 enable [SwitchC-Vlan-interface200] quit # Create and configure the IPsec transform set named tran1. [SwitchC] ipsec transform-set tran1 [SwitchC-ipsec-transform-set-tran1] encapsulation-mode transport [SwitchC-ipsec-transform-set-tran1] protocol esp...
  • Page 300 [SwitchA] display ipsec sa ------------------------------- Global IPsec SA ------------------------------- ----------------------------- IPsec profile: profile001 Mode: manual ----------------------------- Encapsulation mode: transport [Inbound ESP SA] SPI: 123456 (0x3039) Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 No duration limit for this SA [Outbound ESP SA] SPI: 123456 (0x3039) Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 No duration limit for this SA...
  • Page 301: Configuring Ike

    Configuring IKE Unless otherwise specified, the term "IKE" in this chapter refers to IKEv1. The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide).
  • Page 302: Ike Security Mechanism

    Figure 90 IKE exchange process in main mode As shown in Figure 90, the main mode of IKE negotiation in phase 1 involves three pairs of messages: • SA exchange—Used for negotiating the IKE security policy. • Key exchange—Used for exchanging the DH public value and other values, such as the random number.
  • Page 303: Protocols And Standards

DH algorithm The DH algorithm is a public key algorithm. With this algorithm, two peers can exchange keying material and then use the material to calculate the shared keys. Because deriving the shared secret from the exchanged public values is computationally infeasible, a third party that intercepts all the keying material still cannot compute the shared keys. The Perfect Forward Secrecy (PFS) feature is a security feature based on the DH algorithm.
  • Page 304: Configuring An Ike Profile

    Tasks at a glance Remarks (Optional.) Configuring the IKE keepalive feature (Optional.) Configuring the IKE NAT keepalive feature (Optional.) Configuring IKE DPD (Optional.) Enabling invalid SPI recovery (Optional.) Setting the maximum number of IKE SAs (Optional.) Configuring SNMP notifications for IKE Configuring an IKE profile An IKE profile is intended to provide a set of parameters for IKE negotiation.
• Page 305 Step 1. Enter system view.
    Command: system-view
Step 2. Create an IKE profile and enter its view.
    Command: ike profile profile-name
    Remarks: By default, no IKE profile is configured.
Step 3. Configure a peer ID for the IKE profile.
    Command: match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address ...
    Remarks: By default, an IKE profile has no peer ID.
  • Page 306: Configuring An IKE Proposal

    Step  Command  Remarks
    10. (Optional.) Specify an inside VPN instance.  inside-vpn vpn-instance vpn-name  By default, no inside VPN instance is specified for an IKE profile, and the device forwards protected data to the VPN instance where the interface receiving the data resides.
  • Page 307: Configuring An IKE Keychain

    Step  Command  Remarks
    Specify an authentication algorithm for the IKE ...
      • In non-FIPS mode: authentication-algorithm { md5 | sha | sha256 | sha384 | sha512 }
      • ...
    By default, an IKE proposal uses the HMAC-SHA1 authentication algorithm in non-FIPS mode and the HMAC-SHA256 ...
  • Page 308: Configuring The Global Identity Information

    Step  Command  Remarks
    ... mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } key [ cipher cipher-key ]
    (Optional.) Specify a local interface or IP address to which the IKE keychain can...  match local address { interface-type interface-number | { ipv4-address | ...  By default, an IKE keychain can be applied to any local interface ...
  • Page 309: Configuring The IKE NAT Keepalive Feature

    • Configure IKE DPD instead of the IKE keepalive feature unless IKE DPD is not supported on the peer. The IKE keepalive feature sends keepalives at regular intervals, which consumes network bandwidth and resources.
    • The keepalive timeout time configured on the local device must be longer than the keepalive interval configured at the peer.
  • Page 310: Enabling Invalid SPI Recovery

    If the local device receives a response from the peer during the detection process, the peer is considered alive. The local device performs a DPD detection again when the triggering interval is reached or it has traffic to send, depending on the DPD mode. Follow these guidelines when you configure the IKE DPD feature: •...
  • Page 311: Configuring SNMP Notifications For IKE

    • The supported maximum number of established IKE SAs depends on the device's memory space. Adjust the maximum number of established IKE SAs to make full use of the device's memory space without affecting other applications in the system. To set the limit on the number of IKE SAs: Step Command Remarks...
  • Page 312: IKE Configuration Examples

    Task  Command
    ... connection-id | remote-address [ ipv6 ] remote-address [ vpn-instance vpn-name ] ] ]
    Delete IKE SAs.  reset ike sa [ connection-id connection-id ]
    Clear IKE MIB statistics.  reset ike statistics
    IKE configuration examples
    Main mode IKE with pre-shared key authentication configuration example
    Network requirements
    As shown in...
  • Page 313
    [SwitchA] ike keychain keychain1
    # Specify 12345zxcvb!@#$%ZXCVB as the plaintext pre-shared key.
    [SwitchA-ike-keychain-keychain1] pre-shared-key address 2.2.2.2 255.255.0.0 key simple 12345zxcvb!@#$%ZXCVB
    [SwitchA-ike-keychain-keychain1] quit
    # Create IKE profile profile1.
    [SwitchA] ike profile profile1
    # Specify IKE keychain keychain1.
    [SwitchA-ike-profile-profile1] keychain keychain1
    # Configure a peer ID with the identity type of IP address and the value of 2.2.2.2.
    [SwitchA-ike-profile-profile1] match remote identity address 2.2.2.2 255.255.0.0
    [SwitchA-ike-profile-profile1] quit
    # Create an IKE-based IPsec policy entry with the name map1 and the sequence number 10.
  • Page 314: Verifying The Configuration

    [SwitchB] ike keychain keychain1
    # Specify the plaintext 12345zxcvb!@#$%ZXCVB as the pre-shared key to be used with the remote peer at 1.1.1.1 (it must match the key configured on Switch A).
    [SwitchB-ike-keychain-keychain1] pre-shared-key address 1.1.1.1 255.255.0.0 key simple 12345zxcvb!@#$%ZXCVB
    [SwitchB-ike-keychain-keychain1] quit
    # Create IKE profile profile1.
    [SwitchB] ike profile profile1
    # Specify IKE keychain keychain1.
    [SwitchB-ike-profile-profile1] keychain keychain1
    # Configure a peer ID with the identity type of IP address and the value of 1.1.1.1.
  • Page 315: IKE Negotiation Failed Because No IKE Proposals Or IKE Keychains Are Referenced Correctly

    When IKE event debugging and packet debugging are enabled, the following messages appear:
    IKE event debugging message: The attributes are unacceptable.
    IKE packet debugging message: Construct notification packet: NO_PROPOSAL_CHOSEN.
    Analysis
    Certain IKE proposal settings are incorrect.
    Solution
    Examine the IKE proposal configuration to see whether the two ends have matching IKE proposals.
  • Page 316: IPsec SA Negotiation Failed Because No Matching IPsec Transform Sets Were Found

    IPsec SA negotiation failed because no matching IPsec transform sets were found
    Symptom
    The display ike sa command shows that the IKE SA negotiation succeeded and the IKE SA is in RD state, but the display ipsec sa command shows that the expected IPsec SA has not been negotiated yet.
  • Page 317
    Remote IP: 192.168.222.71
    Remote ID type: IPV4_ADDR
    Remote ID: 192.168.222.71
    Authentication-method: PRE-SHARED-KEY
    Authentication-algorithm: MD5
    Encryption-algorithm: 3DES-CBC
    Life duration(sec): 86400
    Remaining key duration(sec): 85847
    Exchange-mode: Main
    Diffie-Hellman group: Group 1
    NAT traversal: Not detected
    # Verify that the IPsec policy is referencing an IKE profile.
    [Sysname] display ipsec policy
    -------------------------------------------
    IPsec Policy: policy1...
  • Page 318
    ACL's step is 5
    rule 0 permit ip source 192.168.222.71 0 destination 192.168.222.5 0
    Verify that the IPsec policy has a remote address and an IPsec transform set configured and that the IPsec transform set has all necessary settings configured. If, for example, the IPsec policy has no remote address configured, the IPsec SA negotiation will fail:
    [Sysname] display ipsec policy...
  • Page 319: Configuring IKEv2

    Configuring IKEv2
    Overview
    Internet Key Exchange version 2 (IKEv2) is an enhanced version of IKEv1. Like IKEv1, IKEv2 has a set of self-protection mechanisms and can be used on insecure networks for reliable identity authentication, key distribution, and IPsec SA negotiation. IKEv2 provides stronger protection against attacks and higher key exchange capability, and needs fewer message exchanges than IKEv1.
  • Page 320: New Features In IKEv2

    New features in IKEv2
    DH guessing
    In the IKE_SA_INIT exchange, the initiator guesses the DH group that the responder is most likely to use and sends it in an IKE_SA_INIT request message. If the initiator's guess is correct, the responder responds with an IKE_SA_INIT response message and the IKE_SA_INIT exchange is finished.
  • Page 321: Configuring An IKEv2 Profile

    • The strength of the algorithms for IKEv2 negotiation, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. Different algorithms provide different levels of protection. A stronger algorithm means better resistance to decryption of protected data but requires more resources. Typically, the longer the key, the stronger the algorithm.
  • Page 322 Specify a local interface or IP address for the IKEv2 profile so the profile can be applied only to the specified interface or IP address. For this task, specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command). If no local address is configured, specify the IP address of the interface that uses the IPsec policy.
  • Page 323 Step Command Remarks By default, no keychain is specified for an IKEv2 profile. Specify a keychain. keychain keychain-name Perform this task when the pre-shared key authentication method is specified. By default, the device uses PKI domains configured in system view. certificate domain domain-name Specify a PKI domain.
  • Page 324: Configuring An IKEv2 Policy

    Step  Command  Remarks
    ... feature.
    Configuring an IKEv2 policy
    During the IKE_SA_INIT exchange, each end tries to find a matching IKEv2 policy, using the IP address of the local security gateway as the matching criterion.
    • If IKEv2 policies are configured, IKEv2 searches for an IKEv2 policy that uses the IP address of the local security gateway.
  • Page 325
    You can specify multiple IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a higher priority.
    To configure an IKEv2 proposal:
    Step  Command  Remarks
    Enter system view.  system-view
    ...  By default, an IKEv2 proposal named default exists. In non-FIPS mode, the default proposal uses the following settings:
    • ...
  • Page 326: Configuring An IKEv2 Keychain

    Step  Command  Remarks
    Specify the DH groups.
      • In non-FIPS mode: dh { group1 | group14 | group19 | group2 | group20 | group24 | group5 } *
      • In FIPS mode: dh { group14 | group19 | group20 | group24 } *
    By default, an IKEv2 proposal does not have any DH groups.
    Configuring an IKEv2 keychain...
  • Page 327: Configure Global IKEv2 Parameters

    Configure global IKEv2 parameters
    Enabling the cookie challenging feature
    Enable cookie challenging on responders to protect them against DoS attacks that use a large number of source IP addresses to forge IKE_SA_INIT requests.
    To enable cookie challenging:
    Step  Command  Remarks
    Enter system view.
  • Page 328: Displaying And Maintaining IKEv2

    Step  Command  Remarks
    Set the IKEv2 NAT keepalive interval.  ikev2 nat-keepalive seconds  By default, the IKEv2 NAT keepalive interval is 10 seconds.
    Displaying and maintaining IKEv2
    Execute display commands in any view and reset commands in user view.
    Task  Command
    Display the IKEv2 proposal configuration.
  • Page 329
    # Configure IPv4 advanced ACL 3101 to identify traffic between Switch A and Switch B.
    [SwitchA] acl advanced 3101
    [SwitchA-acl-ipv4-adv-3101] rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
    [SwitchA-acl-ipv4-adv-3101] quit
    # Create an IPsec transform set named tran1.
    [SwitchA] ipsec transform-set tran1
    # Set the packet encapsulation mode to tunnel.
  • Page 330
    [SwitchA-ipsec-policy-isakmp-map1-10] ikev2-profile profile1
    [SwitchA-ipsec-policy-isakmp-map1-10] quit
    # Apply IPsec policy map1 to VLAN-interface 1.
    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] ipsec apply policy map1
    [SwitchA-Vlan-interface1] quit
    Configure Switch B:
    # Assign an IP address to VLAN-interface 1.
    <SwitchB> system-view
    [SwitchB] interface Vlan-interface1
    [SwitchB-Vlan-interface1] ip address 2.2.2.2 255.255.255.0
    [SwitchB-Vlan-interface1] quit
    # Configure IPv4 advanced ACL 3101 to identify traffic between Switch A and Switch B.
  • Page 331: IKEv2 With RSA Signature Authentication Configuration Example

    [SwitchB-ikev2-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0
    [SwitchB-ikev2-profile-profile1] quit
    # Create an IKE-based IPsec policy entry with name use1 and sequence number 10.
    [SwitchB] ipsec policy use1 10 isakmp
    # Specify remote IP address 1.1.1.1 for the IPsec tunnel.
    [SwitchB-ipsec-policy-isakmp-use1-10] remote-address 1.1.1.1
    # Specify ACL 3101 to identify the traffic to be protected.
  • Page 332
    # Configure IPv4 advanced ACL 3101 to identify traffic between Switch A and Switch B.
    [SwitchA] acl advanced 3101
    [SwitchA-acl-ipv4-adv-3101] rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
    [SwitchA-acl-ipv4-adv-3101] quit
    # Create an IPsec transform set named tran1.
    [SwitchA] ipsec transform-set tran1
    # Set the packet encapsulation mode to tunnel.
  • Page 333
    [SwitchA-ikev2-profile-profile1] certificate domain domain1
    # Set the local ID to FQDN name www.switcha.com.
    [SwitchA-ikev2-profile-profile1] identity local fqdn www.switcha.com
    # Specify the peer ID that the IKEv2 profile matches. The peer ID is FQDN name www.routerb.com.
    [SwitchA-ikev2-profile-profile1] match remote identity fqdn www.routerb.com
    [SwitchA-ikev2-profile-profile1] quit
    # Create an IKEv2 proposal named 10.
  • Page 334
    [SwitchB-acl-ipv4-adv-3101] quit
    # Create an IPsec transform set named tran1.
    [SwitchB] ipsec transform-set tran1
    # Set the packet encapsulation mode to tunnel.
    [SwitchB-ipsec-transform-set-tran1] encapsulation-mode tunnel
    # Use the ESP protocol for the IPsec transform set.
    [SwitchB-ipsec-transform-set-tran1] protocol esp
    # Specify the encryption and authentication algorithms.
    [SwitchB-ipsec-transform-set-tran1] esp encryption-algorithm des-cbc
    [SwitchB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
    [SwitchB-ipsec-transform-set-tran1] quit...
  • Page 335
    [SwitchB-ikev2-profile-profile2] match remote identity fqdn www.switcha.com
    [SwitchB-ikev2-profile-profile2] quit
    # Create an IKEv2 proposal named 10.
    [SwitchB] ikev2 proposal 10
    # Specify the integrity protection algorithm as HMAC-MD5.
    [SwitchB-ikev2-proposal-10] integrity md5
    # Specify the encryption algorithm as 3DES-CBC.
    [SwitchB-ikev2-proposal-10] encryption 3des-cbc
    # Specify the DH group as Group 1.
  • Page 336: Troubleshooting IKEv2

    Troubleshooting IKEv2
    IKEv2 negotiation failed because no matching IKEv2 proposals were found
    Symptom
    The IKEv2 SA is in IN-NEGO status.
    <Sysname> display ikev2 sa
    Tunnel ID   Local                    Remote                   Status
    ---------------------------------------------------------------------------
                123.234.234.124/500      123.234.234.123/500      IN-NEGO
    Status:
    IN-NEGO: Negotiating, EST: Establish, DEL: Deleting
    Analysis
    Certain IKEv2 proposal settings are incorrect.
  • Page 337
    Solution
    Use the display ikev2 sa command to examine whether an IKEv2 SA exists on both ends. If the IKEv2 SA on one end is lost, delete the IKEv2 SA on the other end by using the reset ikev2 sa command and trigger new negotiation. If an IKEv2 SA exists on both ends, go to the next step.
  • Page 338: Configuring SSH

    Configuring SSH Overview Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. SSH uses the typical client-server model to establish a channel for secure data transfer based on TCP.
  • Page 339: SSH Authentication Methods

    Stages  Description
    ... TCP connection.
    Version negotiation  The two parties determine a version to use.
    Algorithm negotiation  SSH supports multiple algorithms. Based on the local algorithms, the two parties negotiate the following algorithms:
      • Key exchange algorithm for generating session keys.
      • ...
  • Page 340: SSH Support For Suite B

    NOTE: SSH1 clients do not support secondary password authentication that is initiated by the AAA server.
    Publickey authentication
    The server authenticates a client by verifying the digital signature of the client. The publickey authentication process is as follows:
    The client sends the server a publickey authentication request that includes the username, public key, and public key algorithm name.
  • Page 341: Protocols And Standards

    Protocols and standards
    RFC 6239, Suite B Cryptographic Suites for Secure Shell (SSH)
    FIPS compliance
    The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see "Configuring FIPS."...
  • Page 342: Enabling The Stelnet Server

    public key to decrypt the digital signature received from the server. If the decryption succeeds, the server passes the authentication. When you execute any one of the SSH commands on the device to trigger the running of the SSH application, the SSH server automatically generates two RSA key pairs. You can also use the public-key local create command to generate DSA, RSA, or ECDSA key pairs on the device.
  • Page 343: Enabling The SCP Server

    The device that acts as an SFTP server does not support SFTP connections initiated by SSH1 clients.
    To enable the SFTP server:
    Step  Command  Remarks
    Enter system view.  system-view
    Enable the SFTP server.  sftp server enable  By default, the SFTP server is disabled.
  • Page 344: Configuring A Client's Host Public Key

    Step  Command  Remarks
    Enter system view.  system-view
    Enter VTY user line view.  line vty number [ ending-number ]
    Set the login authentication mode to scheme.  authentication-mode scheme  By default, the authentication mode is password. For more information about this command, see Fundamentals Command Reference.
  • Page 345: Configuring An SSH User

    Importing the client's host public key from the public key file Before you import the host public key, upload the client's public key file (in binary) to the server, for example, through FTP or TFTP. During the import process, the server automatically converts the host public key in the public key file to a string in PKCS format.
  • Page 346: Configuring The SSH Management Parameters

    • For all authentication methods except password authentication, you must specify a client's host public key or digital certificate. For a client that directly sends the user's public key information to the server, you must specify the client's host public key on the server. The specified public key must already exist. For more information about public keys, see "Configuring a client's host public key."...
  • Page 347: Specifying A PKI Domain For The SSH Server

    Step  Command  Remarks
    ... authentication when the timeout timer expires, the connection cannot be established.
    Specify an ACL to control SSH user connections.
      • Control IPv4 SSH user connections: ssh server acl acl-number
      • Control IPv6 SSH user ...
    By default, no ACLs are specified and all SSH users can initiate SSH user connections.
  • Page 348: Configuring The Device As An Stelnet Client

    Configuring the device as an Stelnet client
    Stelnet client configuration task list
    Tasks at a glance
    (Optional.) Specifying the source IP address for SSH packets
    (Required.) Establishing a connection to an Stelnet server
    (Optional.) Establishing a connection to an Stelnet server based on Suite B
    Specifying the source IP address for SSH packets
    As a best practice, specify the IP address of a loopback interface as the source IP address of SSH packets for the following purposes:
  • Page 349 Task Command Remarks vpn-instance-name ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex...
  • Page 350: Establishing A Connection To An Stelnet Server Based On Suite B

    Task Command Remarks prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ dscp dscp-value | escape character | { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ipv6 ipv6-address } ] * •...
  • Page 351: Configuring The Device As An SFTP Client

    Configuring the device as an SFTP client
    SFTP client configuration task list
    Tasks at a glance
    (Optional.) Specifying the source IP address for SFTP packets
    (Required.) Establishing a connection to an SFTP server
    (Optional.) Establishing a connection to an SFTP server based on Suite B
    (Optional.) Working with SFTP directories
    (Optional.) ...
  • Page 352
    After the connection is established, you can directly enter SFTP client view on the server to perform file or directory operations.
    To establish a connection to an SFTP server:
    Task  Command  Remarks
    • In non-FIPS mode, establish a connection to an IPv4 SFTP server: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | ecdsa | ...
  • Page 353: Establishing A Connection To An SFTP Server Based On Suite B

    Task Command Remarks ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ dscp dscp-value | { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ipv6...
  • Page 354: Working With SFTP Directories

    Working with SFTP directories
    Task  Command  Remarks
    Change the working directory on the SFTP server.  cd [ remote-path ]  Available in SFTP client view.
    Return to the upper-level directory.  cdup  Available in SFTP client view.
    Display the current working directory on the SFTP server.  Available in SFTP client view.
  • Page 355: Terminating The Connection With The SFTP Server

    Terminating the connection with the SFTP server
    Task  Command  Remarks
    Terminate the connection with the SFTP server and return to user view.
      • ...
      • exit
      • quit
    Available in SFTP client view. These three commands have the same function.
    Configuring the device as an SCP client
    This section describes how to configure the device as an SCP client to establish a connection with an SCP server and transfer files with the server.
  • Page 356 Task Command Remarks rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { aes128-cbc | aes256-cbc |...
  • Page 357: Establishing A Connection To An SCP Server Based On Suite B

    Task  Command  Remarks
    ... interface-type interface-number | ipv6 ipv6-address } ] *
    Establishing a connection to an SCP server based on Suite B
    Task  Command  Remarks
    • Establish a connection to an IPv4 SCP server based on Suite B: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] suite-b [ 128-bit | 192-bit ] pki-domain...
  • Page 358: Specifying Key Exchange Algorithms For SSH2

    Specifying key exchange algorithms for SSH2
    Step  Command  Remarks
    Enter system view.  system-view
    Specify key exchange algorithms for SSH2.
      • In non-FIPS mode: ssh2 algorithm key-exchange { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } *
    By default, SSH2 uses the key exchange algorithms ecdh-sha2-nistp256, ecdh-sha2-nistp384, dh-group-exchange-sha1, ...
  • Page 359: Specifying MAC Algorithms For SSH2

    Specifying MAC algorithms for SSH2
    Step  Command  Remarks
    Enter system view.  system-view
    Specify MAC algorithms for SSH2.
      • In non-FIPS mode: ssh2 algorithm mac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } *
      • ...
    By default, SSH2 uses the MAC algorithms sha2-256, sha2-512, sha1, md5, sha1-96, and md5-96 ...
  • Page 360
    • The switch acts as the Stelnet server and uses password authentication.
    • The username and password of the client are saved on the switch.
    Figure 95 Network diagram (Stelnet client: Host, 192.168.1.56/24; Stelnet server: Switch, Vlan-int2 192.168.1.40/24)
    Configuration procedure
    Configure the Stelnet server:
    # Generate RSA key pairs.
  • Page 361
    [Switch] line vty 0 63
    [Switch-line-vty0-63] authentication-mode scheme
    [Switch-line-vty0-63] quit
    # Create a local device management user client001.
    [Switch] local-user client001 class manage
    # Specify the plaintext password as aabbcc and the service type as ssh for the user.
    [Switch-luser-manage-client001] password simple aabbcc
    [Switch-luser-manage-client001] service-type ssh
    # Assign the user role network-admin to the user.
  • Page 362: Publickey Authentication Enabled Stelnet Server Configuration Example

    c. Click Open to connect to the server.
    If the connection is successfully established, the system notifies you to enter the username and password. After entering the username (client001 in this example) and password (aabbcc in this example), you can enter the CLI of the server.
    Publickey authentication enabled Stelnet server configuration example
    Network requirements...
  • Page 363
    Figure 98 Generating a key pair on the client
    a. Continuously move the mouse and do not place the mouse over the green progress bar shown in Figure 99. Otherwise, the progress bar stops moving and the key pair generating progress stops.
  • Page 364
    c. After the key pair is generated, click Save public key to save the public key. A file saving window appears.
    d. Enter a file name (key.pub in this example), and click Save.
    Figure 100 Saving a key pair on the client
    e.
  • Page 365
    The range of public key size is (512 ~ 2048).
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
    Input the modulus length [default = 1024]:
    Generating Keys...
    ++++++++++++++++++++++++++++++++++++++++++++++++++*
    ..+..+..+........+ ...+....+..+...+
    Create the key pair successfully.
  • Page 366
    Figure 101 Specifying the host name (or IP address)
    c. Select Connection > SSH from the navigation tree. The window shown in Figure 102 appears.
    d. Specify the Preferred SSH protocol version as 2 in the Protocol options area.
    Figure 102 Specifying the preferred SSH version...
  • Page 367: Password Authentication Enabled Stelnet Client Configuration Example

    e. Select Connection > SSH > Auth from the navigation tree. The window shown in Figure 103 appears.
    f. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this example), and click OK.
    Figure 103 Specifying the private key file
    g.
  • Page 368
    Configuration procedure
    Configure the Stelnet server:
    # Generate RSA key pairs.
    <SwitchB> system-view
    [SwitchB] public-key local create rsa
    The range of public key size is (512 ~ 2048).
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
  • Page 369
    # Assign the user role network-admin to the user.
    [SwitchB-luser-manage-client001] authorization-attribute user-role network-admin
    [SwitchB-luser-manage-client001] quit
    # Create an SSH user client001. Specify the service type as stelnet and the authentication method as password for the user. By default, password authentication is used if no SSH user is created.
  • Page 370
    [SwitchA-pkey-public-key-key1]D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F7 01F7C62621216D5A572C379A32AC290
    [SwitchA-pkey-public-key-key1]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465 8716261214A5A3B493E866991113B2D
    [SwitchA-pkey-public-key-key1]485348
    [SwitchA-pkey-public-key-key1] peer-public-key end
    [SwitchA] quit
    # Establish an SSH connection to the server, and specify the host public key of the server.
    <SwitchA> ssh2 192.168.1.40 publickey key1
    Username: client001
    Press CTRL+C to abort.
    Connecting to 192.168.1.40 port 22.
    client001@192.168.1.40's password:
    Enter a character ~ and a dot to abort.
  • Page 371: Publickey Authentication Enabled Stelnet Client Configuration Example

    Publickey authentication enabled Stelnet client configuration example
    Network requirements
    As shown in Figure 105:
    • You can log in to Switch B through the Stelnet client that runs on Switch A.
    • After login, you are assigned the user role network-admin for configuration management.
    • ...
  • Page 372
    Press CTRL+C to abort.
    Input the modulus length [default = 1024]:
    Generating Keys...
    ......++++++ ....++++++ ..++++++++ ....++++++++
    Create the key pair successfully.
    # Generate a DSA key pair.
    [SwitchB] public-key local create dsa
    The range of public key size is (512 ~ 2048).
    If the key modulus is greater than 512, it will take a few minutes.
  • Page 373: Stelnet Configuration Example Based On 128-Bit Suite B Algorithms

    <SwitchA> ssh2 192.168.1.40
    Username: client002
    Press CTRL+C to abort.
    Connecting to 192.168.1.40 port 22.
    The server is not authenticated. Continue? [Y/N]:y
    Do you want to save the server public key? [Y/N]:n
    client002@192.168.1.40's password:
    Enter a character ~ and a dot to abort.
    ******************************************************************************
    * Copyright (c) 2010-2015 Hewlett Packard Enterprise Development LP
    * Without the owner's prior written consent,...
  • Page 374
    NOTE: You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as an Stelnet client.
    # Upload the server's certificate file ssh-server-ecdsa256.p12 and the client's certificate file ssh-client-ecdsa256.p12 to the Stelnet client through FTP or TFTP. (Details not shown.)
    # Create a PKI domain named server256 for verifying the server's certificate and enter its view.
  • Page 375
    08:C1:F1:AA:97:45:19:6A:DA:4A:F2:87:A1:1A:E8:30:BD:31:30:D7
    X509v3 Authority Key Identifier:
    keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22
    Signature Algorithm: ecdsa-with-SHA256
    (signature bytes omitted)
    # Create a PKI domain named client256 for the client's certificate and enter its view.
    [SwitchA] pki domain client256
    # Disable CRL checking.
    [SwitchA-pki-domain-client256] undo crl check enable
    [SwitchA-pki-domain-client256] quit
    # Import the local certificate file ssh-client-ecdsa256.p12 to the PKI domain client256.
  • Page 376
    Netscape Comment: OpenSSL Generated Certificate
    X509v3 Subject Key Identifier:
    1A:61:60:4D:76:40:B8:BA:5D:A1:3C:60:BC:57:98:35:20:79:80:FC
    X509v3 Authority Key Identifier:
    keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22
    Signature Algorithm: ecdsa-with-SHA256
    (signature bytes omitted)
    # Assign an IP address to VLAN-interface 2.
    <SwitchA> system-view
    [SwitchA] interface vlan-interface 2
    [SwitchA-Vlan-interface2] ip address 192.168.1.56 255.255.255.0
    [SwitchA-Vlan-interface2] quit
    Configure the Stelnet server:
    # Upload the server's certificate file ssh-server-ecdsa256.p12 and the client's certificate file...
  • Page 377: SFTP Configuration Examples

    [SwitchB-luser-manage-client001] authorization-attribute user-role network-admin
    [SwitchB-luser-manage-client001] quit
    # Create an SSH user client001. Specify the authentication method publickey for the user and specify client256 as the PKI domain for verifying the client's certificate.
    [SwitchB] ssh user client001 service-type stelnet authentication-type publickey assign pki-domain client256
    Establish an SSH connection to the Stelnet server 192.168.1.40 based on the 128-bit Suite B algorithms.
  • Page 378
    Figure 107 Network diagram
    Configuration procedure
    Configure the SFTP server:
    # Generate RSA key pairs.
    <Switch> system-view
    [Switch] public-key local create rsa
    The range of public key size is (512 ~ 2048).
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
  • Page 379: Publickey Authentication Enabled SFTP Client Configuration Example

    [Switch-luser-manage-client002] password simple aabbcc
    [Switch-luser-manage-client002] service-type ssh
    [Switch-luser-manage-client002] authorization-attribute user-role network-admin work-directory flash:/
    [Switch-luser-manage-client002] quit
    # Create an SSH user client002. Specify the authentication method as password and the service type as sftp for the user. By default, password authentication is used if no SSH user is created.
  • Page 380
    • After login, you are assigned the user role network-admin to execute file management and transfer operations.
    • Switch B acts as the SFTP server and uses publickey authentication and the RSA public key algorithm.
    Figure 109 Network diagram
    Configuration procedure
    In the server configuration, the client's host public key is required.
  • Page 381
    ....++++++++
    Create the key pair successfully.
    # Generate a DSA key pair.
    [SwitchB] public-key local create dsa
    The range of public key size is (512 ~ 2048).
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
  • Page 382
    # Display files under the current directory of the server, delete the file z, and verify the result.
    sftp> dir -l
    -rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
    -rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2
    -rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey...
  • Page 383: Sftp Configuration Example Based On 192-Bit Suite B Algorithms

    NOTE: You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as an SFTP client. # Upload the server's certificate file ssh-server-ecdsa384.p12 and the client's certificate file ssh-client-ecdsa384.p12 to the SFTP client through FTP or TFTP. (Details not shown.) # Create a PKI domain named server384 for verifying the server's certificate and enter its view.
  • Page 384 [SwitchA] pki import domain server384 p12 local filename ssh-server-ecdsa384.p12 The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A to Z, 0 to 9, and hyphens (-).
  • Page 385 # Disable CRL checking. [SwitchA-pki-domain-client384] undo crl check enable [SwitchA-pki-domain-client384] quit # Import the local certificate file ssh-client-ecdsa384.p12 to the PKI domain client384. [SwitchA] pki import domain client384 p12 local filename ssh-client-ecdsa384.p12 The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters.
  • Page 386 # Assign an IP address to VLAN-interface 2. [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 192.168.0.2 255.255.255.0 [SwitchA-Vlan-interface2] quit [SwitchA] quit Configure the SFTP server: # Upload the server's certificate file ssh-server-ecdsa384.p12 and the client's certificate file ssh-client-ecdsa384.p12 to the SFTP server through FTP or TFTP. (Details not shown.) # Create a PKI domain named client384 for verifying the client's certificate and import the file of the client's certificate to this domain.
  • Page 387: Scp Configuration Examples

    SCP configuration examples Unless otherwise noted, devices in the configuration example are in non-FIPS mode. When you configure SCP on a device that operates in FIPS mode, follow these restrictions and guidelines: • The modulus length of the key pair must be 2048 bits. •...
  • Page 388 .++++++++++++++++++++++++++++++++++++++++++++++++++* ..+..+..+........+ ...+....+..+...+. Create the key pair successfully. # Generate an ECDSA key pair. [SwitchB] public-key local create ecdsa secp256r1 Generating Keys... Create the key pair successfully. # Enable the SCP server. [SwitchB] scp server enable # Configure an IP address for VLAN-interface 2. The SCP client uses this address as the destination for SCP connection.
  • Page 389: Scp Configuration Example Based On Suite B Algorithms

    NOTE: You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as an SCP client. # Upload the server's certificate files (ssh-server-ecdsa256.p12 and ssh-server-ecdsa384.p12) and the client's certificate files (ssh-client-ecdsa256.p12 and ssh-client-ecdsa384.p12) to the SCP client through FTP or TFTP.
  • Page 390 # Display information about local certificates in the PKI domain server256. [SwitchA] display pki certificate domain server256 local Certificate: Data: Version: 3 (0x2) Serial Number: 3 (0x3) Signature Algorithm: ecdsa-with-SHA256 Issuer: C=CN, ST=aaa, L=bbb, O=ccc, OU=Software, CN=SuiteB CA Validity Not Before: Aug 21 08:39:51 2015 GMT Not After : Aug 20 08:39:51 2016 GMT Subject: C=CN, ST=aaa, O=ccc, OU=Software, CN=SSH Server secp256 Subject Public Key Info:...
  • Page 391 The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A to Z, 0 to 9, and hyphens (-). Please enter the key pair name[default name: client256]: # Display information about local certificates in the PKI domain client256.
  • Page 392 [SwitchA-pki-domain-server384] quit # Import the local certificate file ssh-server-ecdsa384.p12 to the PKI domain server384. [SwitchA] pki import domain server384 p12 local filename ssh-server-ecdsa384.p12 The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters.
  • Page 393 # Create a PKI domain named client384 for the client's certificate ecdsa384 and enter its view. [SwitchA] pki domain client384 # Disable CRL checking. [SwitchA-pki-domain-client384] undo crl check enable [SwitchA-pki-domain-client384] quit # Import the local certificate file ssh-client-ecdsa384.p12 to the PKI domain client384. [SwitchA] pki import domain client384 p12 local filename ssh-client-ecdsa384.p12 The system is going to save the key pair.
  • Page 394 # Assign an IP address to VLAN-interface 2. [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 192.168.0.2 255.255.255.0 [SwitchA-Vlan-interface2] quit Configure the SCP server: # Upload the server's certificate files (ssh-server-ecdsa256.p12 and ssh-server-ecdsa384.p12) and the client's certificate files (ssh-client-ecdsa256.p12 and ssh-client-ecdsa384.p12) to the SCP server through FTP or TFTP.
  • Page 395: Netconf Over Ssh Configuration Example With Password Authentication

    Establish an SCP connection to the SCP server 192.168.0.1: Based on the 128-bit Suite B algorithms: # Specify server256 as the PKI domain of the server's certificate. [SwitchB] ssh server pki-domain server256 # Create an SSH user client001. Specify the authentication method publickey for the user and specify client256 as the PKI domain for verifying the client's certificate.
  • Page 396: Network Requirements

    Network requirements As shown in Figure 113: • The switch uses local password authentication. • The client's username and password are saved on the switch. Establish a NETCONF-over-SSH connection between the host and the switch, so that you can log in to the switch to perform NETCONF operations.
  • Page 397: Verifying The Configuration

    [Switch] netconf ssh server enable # Configure an IP address for VLAN-interface 2. The client uses this address as the destination for NETCONF-over-SSH connection. [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.40 255.255.255.0 [Switch-Vlan-interface2] quit # Set the authentication mode to AAA for the user lines. [Switch] line vty 0 63 [Switch-line-vty0-63] authentication-mode scheme [Switch-line-vty0-63] quit...
  • Page 398: Configuring Ssl

    Configuring SSL Overview Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security for TCP-based application layer protocols such as HTTP. SSL has been widely used in applications such as e-business and online banking to provide secure data transmission over the Internet. SSL security services SSL provides the following security services: •...
  • Page 399: Fips Compliance

    Figure 115 SSL protocol stack The following describes the major functions of SSL protocols: • SSL record protocol—Fragments data received from the upper layer, computes and adds MAC to the data, and encrypts the data. • SSL handshake protocol—Negotiates the cipher suite used for secure communication, authenticates the server and client, and securely exchanges the keys between the server and client.
  • Page 400 Step Command Remarks: Step: (Optional.) Disable specific SSL protocol versions on the ... Command: • In non-FIPS mode: ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable •... Remarks: By default: • In non-FIPS mode, the device supports SSL 3.0, TLS 1.0, TLS 1.1, and TLS ...
  • Page 401: Configuring An Ssl Client Policy

    Step Command Remarks (continued): ... rsa_rc4_128_sha } * • In FIPS mode: ciphersuite { ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_256_gcm_sha384 | rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha | rsa_aes_256_cbc_sha256 } Set the maximum number of...
  • Page 402 Step Command Remarks (continued): Step: ... suite for the SSL client policy. Command: prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_128_cbc_sha256 | dhe_rsa_aes_256_cbc_sha | dhe_rsa_aes_256_cbc_sha256 | ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_128_gcm_sha256 | ... Remarks: The default preferred cipher suite is rsa_rc4_128_md5. • In FIPS mode: The default preferred cipher suite is rsa_aes_128_cbc_sha.
  • Page 403: Displaying And Maintaining Ssl

    Step Command Remarks (continued): ... security, do not specify SSL 3.0 for the SSL client policy. • In FIPS mode: version { tls1.0 | tls1.1 | tls1.2 } Step: Enable the SSL client to authenticate servers through ... Command: server-verify enable. Remarks: By default, SSL server authentication is enabled.
  • Page 404: Configuring Ip Source Guard

    Configuring IP source guard Overview IP source guard (IPSG) prevents spoofing attacks by using an IPSG binding table to match legitimate packets. It drops all packets that do not match the table. The IPSG binding table can include the following bindings: •...
  • Page 405: Dynamic Ipsg Bindings

    • Filter incoming IPv4 or IPv6 packets on the interface. • Cooperate with ARP detection in IPv4 for user validity checking. For information about ARP detection, see "Configuring ARP attack protection." Static IPSG bindings can be global or interface-specific. IPSG first uses the interface-specific bindings to match packets.
  • Page 406: Configuring The Ipv4Sg Feature

    Tasks at a glance: • (Required.) Enabling IPv6SG on an interface • (Optional.) Configuring a static IPv6SG binding Configuring the IPv4SG feature You cannot configure the IPv4SG feature on a service loopback interface. If IPv4SG is enabled on an interface, you cannot assign the interface to a service loopback group. Enabling IPv4SG on an interface When you enable IPSG on an interface, the static and dynamic IPSG are both enabled.
  • Page 407: Configuring The Ipv6Sg Feature

    Configuring a global static IPv4SG binding Step Command Remarks: Step 1: Enter system view. Command: system-view. Step 2: Configure a global static IPv4SG binding. Command: ip source binding ip-address ip-address mac-address mac-address. Remarks: No global static IPv4SG binding exists. Configuring a static IPv4SG binding on an interface Step Command Remarks...
  • Page 408: Configuring A Static Ipv6Sg Binding

    Step Command Remarks (continued): • Layer 2 Ethernet interface. • Layer 3 Ethernet interface. • Layer 3 Ethernet subinterface. • VLAN interface. • Layer 3 aggregate interface. Step: Enable the IPv6SG feature. Command: ipv6 verify source { ip-address | ... Remarks: By default, the IPv6SG feature is disabled on an interface. If you configure this command on ...
  • Page 409: Displaying And Maintaining Ipsg

    Displaying and maintaining IPSG Execute display commands in any view and reset commands in user view. Task Command: Task: Display IPv4SG bindings. Command: display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcp-relay | dhcp-server | dhcp-snooping ] ] [ ip-address ip-address ]
  • Page 410: Dynamic Ipv4Sg Using Dhcp Snooping Configuration Example

    [SwitchA-FortyGigE1/1/2] ip source binding ip-address 192.168.0.3 mac-address 0001-0203-0405 [SwitchA-FortyGigE1/1/2] quit # Enable IPv4SG on FortyGigE 1/1/1. [SwitchA] interface fortygige 1/1/1 [SwitchA-FortyGigE1/1/1] ip verify source ip-address mac-address # On FortyGigE 1/1/1, configure a static IPv4SG binding for Host A. [SwitchA-FortyGigE1/1/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0203-0406 [SwitchA-FortyGigE1/1/1] quit Configure Switch B:...
  • Page 411: Dynamic Ipv4Sg Using Dhcp Relay Configuration Example

    • Enable DHCP snooping on the switch to make sure the DHCP client obtains an IP address from the authorized DHCP server. To generate a DHCP snooping entry for the DHCP client, enable recording of client information in DHCP snooping entries. •...
  • Page 412: Static Ipv6Sg Configuration Example

    Figure 119 Network diagram Configuration procedure Configure dynamic IPv4SG: # Configure IP addresses for the interfaces. (Details not shown.) # Enable IPv4SG on VLAN-interface 100 and verify the source IP address and MAC address for dynamic IPSG. <Switch> system-view [Switch] interface vlan-interface 100 [Switch-Vlan-interface100] ip verify source ip-address mac-address [Switch-Vlan-interface100] quit Configure the DHCP relay agent:...
  • Page 413: Dynamic Ipv6Sg Using Dhcpv6 Snooping Configuration Example

    Configuration procedure # Enable IPv6SG on FortyGigE 1/1/1. <Switch> system-view [Switch] interface fortygige 1/1/1 [Switch-FortyGigE1/1/1] ipv6 verify source ip-address mac-address # On FortyGigE 1/1/1, configure a static IPv6SG binding for the host. [Switch-FortyGigE1/1/1] ipv6 source binding ip-address 2001::1 mac-address 0001-0202-0202 [Switch-FortyGigE1/1/1] quit Verifying the configuration # Verify that the static IPv6SG binding is configured successfully on the switch.
  • Page 414 [Switch-FortyGigE1/1/1] ipv6 verify source ip-address mac-address # Enable recording of client information in DHCPv6 snooping entries on FortyGigE 1/1/1. [Switch-FortyGigE1/1/1] ipv6 dhcp snooping binding record [Switch-FortyGigE1/1/1] quit Verifying the configuration # Verify that a dynamic IPv6SG binding is generated based on a DHCPv6 snooping entry. [Switch] display ipv6 source binding dhcpv6-snooping Total entries found: 1 IPv6 Address...
  • Page 415: Configuring Arp Attack Protection

    Configuring ARP attack protection ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks. Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
  • Page 416: Configuring Arp Source Suppression

    • ARP blackhole routing—Creates a blackhole route destined for an unresolved IP address. The device drops all matching packets until the blackhole route is deleted. A blackhole route is deleted when its aging timer (25 seconds) is reached or the route becomes reachable. After a blackhole route is created for an unresolved IP address, the device immediately starts the first ARP blackhole route probe by sending an ARP request.
  • Page 417: Configuration Example

    Configuration example Network requirements As shown in Figure 122, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20. Each area connects to the gateway (Device) through an access switch. A large number of ARP requests are detected in the office area and are considered the consequence of an unresolvable IP attack.
  • Page 418: Configuration Guidelines

    Configuration guidelines Configure this feature when MFF, ARP fast-reply, ARP detection, or ARP snooping is enabled, or when ARP flood attacks are detected. Configuration procedure This task sets a rate limit for ARP packets received on an interface. When the number of ARP packets that the interface receives within a period exceeds the rate limit, those packets are discarded.
  • Page 419: Configuration Procedure

    an ARP attack entry. Before the entry is aged out, the device handles the attack by using either of the following methods: • Monitor—Only generates log messages. • Filter—Generates log messages and filters out subsequent ARP packets from that MAC address.
  • Page 420: Configuring Arp Packet Source Mac Consistency Check

    Figure 123 Network diagram (labels: IP network, ARP attack protection, Gateway, Device, Server 0012-3f86-e94c, Host A, Host B, Host C, Host D) Configuration considerations An attacker might forge a large number of ARP packets by using the MAC address of a valid host as the source MAC address.
  • Page 421: Configuring Arp Active Acknowledgement

    Step Command Remarks: Step 1: Enter system view. Command: system-view. Step 2: Enable ARP packet source MAC address consistency check. Command: arp valid-check enable. Remarks: By default, ARP packet source MAC address consistency check is disabled. Configuring ARP active acknowledgement Configure this feature on gateways to prevent user spoofing. ARP active acknowledgement prevents a gateway from generating incorrect ARP entries.
  • Page 422: Configuration Example (On A Dhcp Server)

    Step Command Remarks (continued): ... subinterface. • VLAN interface. Step: Enable authorized ARP on the interface. Command: arp authorized enable. Remarks: By default, authorized ARP is disabled. Configuration example (on a DHCP server) Network requirements As shown in Figure 124, configure authorized ARP on FortyGigE 1/1/1 of Switch A (a DHCP server) to ensure user validity.
  • Page 423: Configuration Example (On A Dhcp Relay Agent)

    IP Address MAC Address VLAN Interface Aging Type 10.1.1.2 0012-3f86-e94c FGE1/1/1 The output shows that IP address 10.1.1.2 has been assigned to Switch B. Switch B must use the IP address and MAC address in the authorized ARP entry to communicate with Switch A.
  • Page 424: Configuring Arp Detection

    [SwitchB-FortyGigE1/1/1] quit [SwitchB] interface fortygige 1/1/2 [SwitchB-FortyGigE1/1/2] port link-mode route [SwitchB-FortyGigE1/1/2] ip address 10.10.1.1 24 # Enable DHCP relay agent on FortyGigE 1/1/2. [SwitchB-FortyGigE1/1/2] dhcp select relay # Add the DHCP server 10.1.1.1 to DHCP server group 1. [SwitchB-FortyGigE1/1/2] dhcp relay server-address 10.1.1.1 # Enable authorized ARP.
  • Page 425: Configuring User Validity Check

    Configuring user validity check The device checks user validity upon receiving an ARP packet from an ARP untrusted interface as follows: 1. Uses the user validity check rules to match the sender IP and MAC addresses of the ARP packet. If a match is found, the device processes the ARP packet according to the rule. If no match is found, the device proceeds to step 2.
  • Page 426: Configuring Arp Restricted Forwarding

    • src-mac—Checks whether the sender MAC address in the message body is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded. Otherwise, the packet is discarded. • dst-mac—Checks the target MAC address of ARP replies. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
  • Page 427: Enabling Arp Detection Logging

    Enabling ARP detection logging The ARP detection logging feature enables a device to generate ARP detection log messages when illegal ARP packets are detected. An ARP detection log message contains the following information: • Receiving interface of the ARP packets. •...
  • Page 428 Figure 126 Network diagram Configuration procedure Add all interfaces on Switch B to VLAN 10, and specify the IP address of VLAN-interface 10 on Switch A. (Details not shown.) Configure the DHCP server on Switch A, and configure DHCP address pool 0. <SwitchA>...
  • Page 429: Arp Restricted Forwarding Configuration Example

    [SwitchB-FortyGigE1/1/2] ip source binding ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10 [SwitchB-FortyGigE1/1/2] quit # Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets. [SwitchB] arp detection validate dst-mac ip src-mac After the configurations are completed, Switch B first checks the validity of ARP packets received on FortyGigE 1/1/1 and FortyGigE 1/1/2.
  • Page 430: Configuring Arp Scanning And Fixed Arp

    [SwitchB-FortyGigE1/1/3] quit # Enable ARP detection for user validity check. [SwitchB] vlan 10 [SwitchB-vlan10] arp detection enable # Configure FortyGigE 1/1/3 as an ARP-trusted port. [SwitchB-vlan10] interface fortygige 1/1/3 [SwitchB-FortyGigE1/1/3] arp detection trust [SwitchB-FortyGigE1/1/3] quit # Configure a static IP source guard entry on interface FortyGigE 1/1/2. [SwitchB] interface fortygige 1/1/2 [SwitchB-FortyGigE1/1/2] ip source binding ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10...
  • Page 431: Configuration Restrictions And Guidelines

    Configuration restrictions and guidelines When you configure ARP scanning and fixed ARP, follow these restrictions and guidelines: • IP addresses in existing ARP entries are not scanned. • ARP scanning will take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.
  • Page 432: Configuration Procedure

    Configuration procedure To configure ARP gateway protection: Step Command Remarks: Step 1: Enter system view. Command: system-view. Step 2: Enter Layer 2 Ethernet interface and Layer 2 aggregate interface view. Command: interface interface-type interface-number. Remarks: N/A. Step 3: Enable ARP gateway protection for the specified gateway. Command: arp filter source ip-address. Remarks: By default, ARP gateway ...
  • Page 433: Configuring Arp Filtering

    Configuring ARP filtering The ARP filtering feature can prevent gateway spoofing and user spoofing attacks. An interface enabled with this feature checks the sender IP and MAC addresses in a received ARP packet against permitted entries. If a match is found, the packet is handled correctly. If not, the packet is discarded.
  • Page 434: Configuring Arp Sender Ip Address Checking

    Figure 129 Network diagram Configuration procedure # Configure ARP filtering on Switch B. <SwitchB> system-view [SwitchB] interface fortygige 1/1/1 [SwitchB-FortyGigE1/1/1] arp filter binding 10.1.1.2 000f-e349-1233 [SwitchB-FortyGigE1/1/1] quit [SwitchB] interface fortygige 1/1/2 [SwitchB-FortyGigE1/1/2] arp filter binding 10.1.1.3 000f-e349-1234 Verifying the configuration # Verify that FortyGigE 1/1/1 permits ARP packets from Host A and discards other ARP packets.
  • Page 435 Step Command Remarks (continued): Step: ... for ARP sender IP address checking. Command: ... start-ip-address end-ip-address. Remarks: ... specified for ARP sender IP address checking.
  • Page 436: Configuring Mff

    Configuring MFF Overview MAC-forced forwarding (MFF) implements Layer 2 isolation and Layer 3 communication between hosts in the same broadcast domain. An MFF-enabled device intercepts ARP requests and returns the MAC address of a gateway (or server) to the senders. In this way, the senders are forced to send packets to the gateway for traffic monitoring and attack prevention.
  • Page 437: Basic Concepts

    Basic concepts An MFF-enabled device has two types of ports: user port and network port. User port An MFF user port is directly connected to a host and processes the following packets differently: • Allows multicast packets to pass. • Delivers ARP packets to the CPU.
  • Page 438: Mff Working Mechanism

    MFF working mechanism An MFF-enabled device implements Layer 3 communication between hosts by intercepting ARP requests from the hosts and replying with the MAC address of a gateway. This mechanism helps reduce the number of broadcast messages. The MFF device processes ARP packets as follows: •...
  • Page 439: Enabling Periodic Gateway Probe

    Step Command Remarks network-port Enabling periodic gateway probe You can configure the MFF device to periodically probe gateways for changes of their MAC addresses by sending forged ARP packets. The ARP packets use 0.0.0.0 as the sender IP address and the bridge MAC address as the sender MAC address.
  • Page 440: Displaying And Maintaining Mff

    Displaying and maintaining MFF Execute display commands in any view. Task Command Display MFF port configuration information. display mac-forced-forwarding interface Display the MFF configuration information for a VLAN. display mac-forced-forwarding vlan vlan-id MFF configuration examples Manual-mode MFF configuration example in a tree network Network requirements As shown in Figure...
  • Page 441: Manual-Mode Mff Configuration Example In A Ring Network

    [SwitchA-FortyGigE1/1/2] mac-forced-forwarding network-port Configure Switch B: # Configure manual-mode MFF on VLAN 100. [SwitchB] vlan 100 [SwitchB-vlan100] mac-forced-forwarding default-gateway 10.1.1.100 # Specify the IP address of the server. [SwitchB-vlan100] mac-forced-forwarding server 10.1.1.200 # Enable ARP snooping on VLAN 100. [SwitchB-vlan100] arp snooping enable [SwitchB-vlan100] quit # Configure FortyGigE 1/1/2 as a network port.
  • Page 442 # Enable ARP snooping on VLAN 100. [SwitchA-vlan100] arp snooping enable [SwitchA-vlan100] quit # Configure FortyGigE 1/1/2 and FortyGigE 1/1/3 as network ports. [SwitchA] interface fortygige 1/1/2 [SwitchA-FortyGigE1/1/2] mac-forced-forwarding network-port [SwitchA-FortyGigE1/1/2] quit [SwitchA] interface fortygige 1/1/3 [SwitchA-FortyGigE1/1/3] mac-forced-forwarding network-port Configure Switch B: # Enable STP globally to make sure STP is enabled on interfaces.
  • Page 443: Configuring Urpf

    Configuring uRPF Overview Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users or even the administrator. Even if the attackers or other hosts cannot receive any response packets, the attacks are still disruptive to the attacked target.
  • Page 444 Figure 134 uRPF work flow (flowchart; decision nodes: Broadcast source address? All-zero source address? Broadcast destination address? Matching FIB entry found? Default route found? Loose uRPF? Matching route is a direct route? Receiving interface matches the output interface of the default route? Action: Discards the packet) ...
  • Page 445 If yes, uRPF proceeds to step 3. If no, uRPF proceeds to step 6. uRPF checks whether the check mode is loose: If yes, uRPF proceeds to step 8. If no, uRPF checks whether the matching route is a direct route: −...
  • Page 446: Network Application

    Network application Figure 135 Network diagram (labels: ISP A, ISP B, ISP C, uRPF (loose), uRPF (strict), User) As shown in Figure 135, strict uRPF check is configured between an ISP network and a customer network. Loose uRPF check is configured between ISPs. Configuring uRPF When you configure uRPF, follow these restrictions and guidelines: •...
  • Page 447: Urpf Configuration Example

    Task Command Display uRPF configuration. display ip urpf [ slot slot-number ] uRPF configuration example Network requirements As shown in Figure 136, a client (Switch A) directly connects to an ISP switch (Switch B). Enable strict uRPF check on Switch A and Switch B to prevent source address spoofing attacks. Figure 136 Network diagram Configuration procedure Enable strict uRPF check on Switch A.
  • Page 448: Configuring Crypto Engines

    Configuring crypto engines Overview Crypto engines encrypt and decrypt data for service modules. Crypto engines include the following types: • Hardware crypto engines—A hardware crypto engine is a coprocessor integrated on a CPU or hardware crypto card. Hardware crypto engines can accelerate encryption/decryption speed, which improves device processing efficiency.
  • Page 449: Configuring Fips

    Configuring FIPS Overview Federal Information Processing Standards (FIPS) was developed by the National Institute of Standards and Technology (NIST) of the United States. FIPS specifies the requirements for cryptographic modules. FIPS 140-2 defines four levels of security, named Level 1 to Level 4, from low to high.
  • Page 450: Configuring Fips Mode

    e. Delete the local user and configure a new local user. Local user attributes include password, user role, and service type. f. Save the current configuration file. g. Specify the current configuration file as the startup configuration file. h. Reboot the device. The new configuration takes effect after the reboot. During this process, do not exit the system or perform other operations.
  • Page 451: Configuration Changes In Fips Mode

    A password that complies with the password control policies in step and step 3. A user role of network-admin. A service type of terminal. Delete the FIPS-incompliant local user service types Telnet, HTTP, and FTP. Enable FIPS mode. Select the manual reboot method. Save the configuration file and specify it as the startup configuration file.
  • Page 452: Exiting Fips Mode

    characters and 4 character types of uppercase and lowercase letters, digits, and special characters. Exiting FIPS mode After you disable FIPS mode and reboot the device, the device operates in non-FIPS mode. The system provides two methods to exit FIPS mode: automatic reboot and manual reboot. Automatic reboot Select the automatic reboot method.
  • Page 453: Power-Up Self-Tests

    NOTE: If a self-test fails, contact Hewlett Packard Enterprise Support. Power-up self-tests Power-up self-tests include the following types: • Known-answer test (KAT) This test examines the availability of FIPS-allowed cryptographic algorithms. A cryptographic algorithm is run on data for which the correct output is already known. The calculated output is compared with the known answer.
  • Page 454: Triggering Self-Tests

    • Continuous random number generator test—This test is run when a random number is generated. If two consecutive random numbers are different, the test succeeds. Otherwise, the test fails. This test can also be run when a DSA/RSA asymmetrical key-pair is generated. Triggering self-tests To examine whether the cryptography modules operate correctly, you can trigger a self-test on the cryptographic algorithms.
  • Page 455: Entering Fips Mode Through Manual Reboot

    Verifying the configuration After the device reboots, enter a username of root and a password of 12345zxcvb!@#$%ZXCVB. The system prompts you to configure a new password. After you configure the new password, the device enters FIPS mode. The new password must be different from the previous password. It must include at least 15 characters, and contain uppercase and lowercase letters, digits, and special characters.
  • Page 456 # Set the minimum length of user passwords to 15 characters. [Sysname] password-control length 15 # Add a local user account for device management, including a username of test, a password of 12345zxcvb!@#$%ZXCVB, a user role of network-admin, and a service type of terminal. [Sysname] local-user test class manage [Sysname-luser-manage-test] password simple 12345zxcvb!@#$%ZXCVB [Sysname-luser-manage-test] authorization-attribute user-role network-admin...
  • Page 457: Exiting Fips Mode Through Automatic Reboot

    # Display the current FIPS mode state. <Sysname> display fips status FIPS mode is enabled. Exiting FIPS mode through automatic reboot Network requirements A user has logged in to the device in FIPS mode through a console port. Use the automatic reboot method to exit FIPS mode. Configuration procedure # Disable FIPS mode.
  • Page 458 flash:/startup.cfg exists, overwrite? [Y/N]:y Validating file. Please wait... Saved the current configuration to device successfully. [Sysname] quit # Delete the startup configuration file in binary format. <Sysname> delete flash:/startup.mdb Delete flash:/startup.mdb?[Y/N]:y Deleting file flash:/startup.mdb...Done. # Reboot the device. <Sysname> reboot Verifying the configuration After the device reboots, enter a username of test and a password of 12345zxcvb!@#$%ZXCVB to enter non-FIPS mode.
  • Page 459: Configuring User Profiles

    Configuring user profiles Overview A user profile saves a set of predefined parameters, such as a QoS policy. The user profile application allows flexible traffic policing on a per-user basis. Each time a user passes authentication, the device automatically applies the parameters in the user profile to this user.
  • Page 460: Configuring Parameters For A User Profile

    Configuring parameters for a user profile Configurations in user profile view take effect only after the device applies the user profile to the user. Configuring QoS parameters for traffic management To configure QoS parameters: Step Command Remarks Enter system view. system-view Enter user profile view.
  • Page 461
    Figure 137 Network diagram
    Configuration procedure
    Configure a QoS policy to control the access time for User A:
    # Create periodic time range for_usera, setting it to be active from 8:30 to 12:00 daily.
    [Switch] time-range for_usera 8:30 to 12:00 daily
    # Configure IPv4 basic ACL 2000 to identify packets in time range for_usera.
  • Page 462
    # Create traffic behavior for_userb, and configure a CAR action in it. Set the CIR to 2000 kbps.
    [Switch] traffic behavior for_userb
    [Switch-behavior-for_userb] car cir 2000
    [Switch-behavior-for_userb] quit
    # Create QoS policy for_userb, and associate traffic class class with traffic behavior for_userb.
  • Page 463
    # Set the password of local user userb to b12345 in plain text.
    [Switch-luser-network-userb] password simple b12345
    # Specify the service type as lan-access for userb.
    [Switch-luser-network-userb] service-type lan-access
    # Configure the authorization user profile as userb.
    [Switch-luser-network-userb] authorization-attribute user-profile userb
    [Switch-luser-network-userb] quit
    # Add local user userc.
  • Page 464
      Network attributes:
        Interface    : Ten-GigabitEthernet1/0/1
        MAC address  : 6805-ca06-557b
        Service VLAN : 1
      User-Profile: userb
        Inbound:
          Policy: for_userb
          slot 1:
    User -:
      Authentication type: 802.1X
      Network attributes:
        Interface    : Ten-GigabitEthernet1/0/1
        MAC address  : 80c1-6ee0-2664
        Service VLAN : 1
      User-Profile: userc
        Outbound:
          Policy: for_userc
          slot 1:...
  • Page 465: Configuring Attack Detection And Prevention

    Configuring attack detection and prevention Overview Attack detection and prevention enables a device to detect attacks by inspecting arriving packets, and to take prevention actions, such as logging and packet dropping, to protect a private network. Attacks that the device can prevent This section describes the attacks that the device can detect and prevent.
  • Page 466: Scanning Attacks

    Single-packet attacks and their descriptions:
    • IP options: An attacker sends IP datagrams in which the IP options are abnormal. This IP options attack intends to probe the network topology. The target system will break down if it is incapable of processing error packets.
    • IP fragment: An attacker sends the victim an IP datagram with a fragment offset smaller than 5, which causes the victim to malfunction or crash. (The fragment offset field counts 8-byte units, so a non-first fragment with an offset of 1 to 4 claims to start inside the first 40 bytes of the datagram and overlaps the transport header carried by the first fragment.)
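As an added example (not code from the guide or from the switch software), the following Python parses an IPv4 header and flags the two single-packet signatures described above: any IP option present in the header, named with the standard option type codes, and a non-first fragment whose offset is below 5. The packet builder, the option-to-name table and the sample packets are constructed here for illustration; the option numbers are the IANA values for the options the guide lists.

```python
import struct

# Standard IPv4 option type codes (copy/class/number byte) for the options
# the guide's signature list names. The name mapping is mine.
IP_OPTION_NAMES = {
    7: "record-route",
    68: "internet-timestamp",
    130: "security",
    131: "loose-source-routing",
    136: "stream-id",
    137: "strict-source-routing",
    148: "route-alert",
}


def parse_ipv4_header(pkt):
    """Return (ihl_bytes, frag_offset, options_bytes); raise ValueError on malformed input."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total, _ident, flags_frag, _ttl, _proto, _csum = struct.unpack("!BBHHHBBH", pkt[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IHL")
    frag_offset = flags_frag & 0x1FFF          # low 13 bits, in 8-byte units
    return ihl, frag_offset, pkt[20:ihl]


def ip_options(options):
    """Walk the options area and return the option type codes found (EOL stops, NOP is 1 byte)."""
    found, i = [], 0
    while i < len(options):
        t = options[i]
        if t == 0:                             # End of Option List
            break
        if t == 1:                             # No Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        found.append(t)
        i += length
    return found


def single_packet_signatures(pkt):
    """Return the signature names one IPv4 packet matches, in header order."""
    hits = []
    _ihl, frag_offset, options = parse_ipv4_header(pkt)
    for t in ip_options(options):
        hits.append("ip-option " + IP_OPTION_NAMES.get(t, "unknown-%d" % t))
    # Non-first fragment with offset 1..4 (under 40 bytes): overlaps the transport header.
    if 0 < frag_offset < 5:
        hits.append("ip-fragment")
    return hits


def build_ipv4(options=b"", frag_offset=0, more_fragments=False, payload=b""):
    """Constructed packet builder for the examples (not a real capture); options are padded to 4 bytes."""
    options = options + b"\x00" * (-len(options) % 4)
    ihl = (20 + len(options)) // 4
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options) + len(payload),
                         1, flags_frag, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([192, 168, 2, 1]))
    return header + options + payload


if __name__ == "__main__":
    print(single_packet_signatures(build_ipv4()))
    print(single_packet_signatures(build_ipv4(options=b"\x07\x03\x04")))          # record route
    print(single_packet_signatures(build_ipv4(frag_offset=2, more_fragments=True, payload=b"x" * 8)))
```

The parser rejects bad option lengths rather than skipping them, which matters for a detector: an attacker who can make the options walker read past the header can hide an option from it.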
  • Page 467: Flood Attacks

    Flood attacks
    An attacker launches a flood attack by sending a large number of forged requests to the victim in a short period of time. The victim is too busy responding to these forged requests to serve legitimate users, which results in a denial of service (DoS). The device can detect and prevent the following types of flood attacks:
    •...
  • Page 468: Tcp Fragment Attack

    An ICMPv6 flood attacker sends ICMPv6 request packets, such as ping packets, to a host at a fast rate. Because the target host is busy replying to these requests, it is unable to provide services.
    • UDP flood attack. A UDP flood attacker sends UDP packets to a host at a fast rate. These packets consume a large amount of the target host's bandwidth, so the host cannot provide other services.
  • Page 469: Configuring An Attack Defense Policy

    Configuring an attack defense policy
    Creating an attack defense policy
    An attack defense policy can contain a set of attack detection and prevention configurations against multiple attacks.
    To create an attack defense policy:
    Enter system view: system-view
    Create an attack defense policy: attack-defense policy policy-name. By default, no attack defense policy...
  • Page 470: Configuring A Scanning Attack Defense Policy

    (Command table continued from the previous page.)
    ... record-route | route-alert | security | stream-id | strict-source-routing } [ action { { drop | logging } * | none } ]
    • signature detect ipv6-ext-header ext-header-value [ action { { drop | logging } * | none } ]
    Remarks: By default, the maximum length of...
  • Page 471: Configuring A Flood Attack Defense Policy

    Configuring a flood attack defense policy Attack detection and prevention takes effect only on packets destined for the device in the current release. The IP address specified for IP address-specific flood attack detection must be an IP address of a Layer 3 interface on the device. Flood attack detection monitors the rate at which connections are initiated to the device.
  • Page 472
    (Command table continued from the previous page.) ... logging } * ]
    Configuring a SYN-ACK flood attack defense policy
    Enter system view: system-view
    Enter attack defense policy view: attack-defense policy policy-name
    Enable global SYN-ACK flood attack detection: syn-ack-flood detect non-specific. By default, global SYN-ACK flood attack detection is disabled.
  • Page 473
    Enable global RST flood attack detection: rst-flood detect non-specific. By default, global RST flood attack detection is disabled.
    Set the global trigger threshold for RST flood attack prevention: rst-flood threshold threshold-value. The default setting is 1000.
    Specify global actions against RST flood attacks: rst-flood action { drop | ... By default, no global action is...
  • Page 474
    (Command table continued from the previous page.) ... threshold-value ] [ action { drop | logging } * ]
    Configuring a UDP flood attack defense policy
    Enter system view: system-view
    Enter attack defense policy view: attack-defense policy policy-name
    Enable global UDP flood attack detection: udp-flood detect non-specific. By default, global UDP flood attack detection...
  • Page 475: Configuring Attack Detection Exemption

    Configuring an HTTP flood attack defense policy
    Enter system view: system-view
    Enter attack defense policy view: attack-defense policy policy-name
    Enable global HTTP flood attack detection: http-flood detect non-specific. By default, global HTTP flood attack detection is disabled.
    Set the global trigger threshold for HTTP flood attack prevention: http-flood threshold...
  • Page 476: Disabling Log Aggregation For Single-Packet Attack Events

    Enter system view: system-view
    Apply an attack defense policy to the device: attack-defense local apply policy policy-name. By default, no attack defense policy is applied to the device.
    Disabling log aggregation for single-packet attack events
    Log aggregation aggregates all logs generated for attacks targeted at the device during a period of time and sends one log.
  • Page 477: Displaying And Maintaining Attack Detection And Prevention

    Enter system view: system-view
    Enable the login delay feature: attack-defense login reauthentication-delay seconds. By default, the login delay feature is disabled, and the device does not delay accepting a login request from a user who has failed a login attempt.
  • Page 478: Attack Detection And Prevention Configuration Example

    Clear flood attack detection and prevention statistics: reset attack-defense policy policy-name flood protected { ip | ipv6 } statistics
    Attack detection and prevention configuration example
    Network requirements
    Configure attack detection and prevention on the switch (the gateway) to protect against network attacks from the user side or the network side.
  • Page 479: Verifying The Configuration

    # Configure SYN flood attack detection for 192.168.2.1. Set the threshold for triggering SYN flood attack prevention to 5000 and specify logging and drop as the actions for SYN packets that are destined for the protected IP address.
    [Switch-attack-defense-policy-a1] syn-flood detect ip 192.168.2.1 threshold 5000 action logging drop
    # Enable global SYN flood attack detection, set the global threshold for triggering SYN flood attack prevention to 2000, and specify logging as the global protection action.
  • Page 480
    UDP Bomb                         Disabled   medium
    UDP Snork                        Disabled   medium
    UDP Fraggle                      Disabled   medium
    IP option record route           Disabled   info
    IP option internet timestamp     Disabled   info
    IP option security               Disabled   info
    IP option loose source routing   Disabled   info
    IP option stream ID              Disabled   info
    IP option strict source routing...
  • Page 481
    DNS flood      1000(default)   Disabled
    HTTP flood     1000(default)   Disabled
    Flood attack defense for protected IP addresses:
    Address        VPN instance   Flood type   Thres(pps)   Actions   Ports
    192.168.2.1                   SYN-FLOOD    5000
    If the device receives TCP flag attack packets or scanning attack packets that are destined for the device, the device outputs logs.
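The example policy above combines an IP-specific rule (192.168.2.1, threshold 5000, logging and drop) with a global rule (threshold 2000, logging only), and the guide notes earlier that detection applies only to packets destined for the device itself. The following Python is an added illustration of that decision logic, not the switch's implementation: it measures SYN rate over fixed one-second windows and lets an IP-specific rule replace the global one for its address, both of which are my simplifications. The traffic it replays, and the second device address 192.168.1.1, are constructed for the example.

```python
from collections import defaultdict


class FloodDefense:
    """Per-second SYN-rate detection modelled on the guide's syn-flood commands.

    Simplifications (mine, not the device's behaviour): the rate is counted over
    fixed one-second windows, and an IP-specific rule fully replaces the global
    (non-specific) threshold and actions for that address.
    """

    def __init__(self, device_ips, global_threshold=1000, global_actions=()):
        self.device_ips = set(device_ips)        # only device-destined packets are inspected
        self.global_threshold = global_threshold
        self.global_actions = frozenset(global_actions)
        self.protected = {}                      # dst ip -> (threshold, actions)
        self.counts = defaultdict(int)
        self.window = None
        self.logs = []

    def protect_ip(self, ip, threshold, actions):
        """Counterpart of: syn-flood detect ip <ip> threshold <n> action <actions>."""
        self.protected[ip] = (threshold, frozenset(actions))

    def _rule(self, dst):
        return self.protected.get(dst, (self.global_threshold, self.global_actions))

    def inspect(self, ts, dst, tcp_flags):
        """Return 'forward' or 'drop' for one packet; log once per window when a threshold is crossed."""
        if dst not in self.device_ips or tcp_flags != "S":
            return "forward"                     # transit traffic and non-SYN packets are not counted
        window = int(ts)
        if window != self.window:                # new one-second window: reset every counter
            self.window = window
            self.counts.clear()
        self.counts[dst] += 1
        threshold, actions = self._rule(dst)
        if self.counts[dst] <= threshold:
            return "forward"
        if "logging" in actions and self.counts[dst] == threshold + 1:
            self.logs.append("t=%d SYN flood towards %s exceeded %d pps" % (window, dst, threshold))
        return "drop" if "drop" in actions else "forward"


def run_page_example():
    """Replay the guide's policy a1 against constructed traffic; return counts per outcome."""
    # Rules taken from the guide: 192.168.2.1 at 5000 with logging+drop, global 2000 with logging.
    # 192.168.1.1 as a second address of the switch is an assumption for the example.
    defense = FloodDefense(device_ips=["192.168.2.1", "192.168.1.1"],
                           global_threshold=2000, global_actions=["logging"])
    defense.protect_ip("192.168.2.1", 5000, ["logging", "drop"])

    results = defaultdict(int)
    # Constructed burst: 5002 SYNs at the protected address inside second 100.
    for i in range(5002):
        results["protected_" + defense.inspect(100 + i / 6000.0, "192.168.2.1", "S")] += 1
    # 2001 SYNs at the other device address, covered only by the global rule (logging, no drop).
    for i in range(2001):
        results["global_" + defense.inspect(100 + i / 3000.0, "192.168.1.1", "S")] += 1
    # 3000 transit SYNs towards a host behind the switch are never inspected.
    for i in range(3000):
        results["transit_" + defense.inspect(100 + i / 4000.0, "10.1.1.20", "S")] += 1
    results["logs"] = len(defense.logs)
    return dict(results)


if __name__ == "__main__":
    print(run_page_example())
```

The transit case is the point to keep in mind when reading the network requirements: a policy applied with attack-defense local apply protects the switch's own control plane, so hosts behind the gateway still need their own flood protection.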
  • Page 482: Configuring Nd Attack Defense

    ... ND packets.
    (Optional.) Enable the ND logging feature: ipv6 nd check log enable. By default, the ND logging feature is disabled. As a best practice, HPE recommends that you disable the ND logging feature to avoid excessive ND logs.
  • Page 483: Configuring Keychains

    Configuring keychains Overview A keychain, a sequence of keys, provides dynamic authentication to ensure secure communication by periodically changing the key and authentication algorithm without service interruption. Each key in a keychain has a key string, authentication algorithm, sending lifetime, and receiving lifetime.
  • Page 484: Displaying And Maintaining Keychain

    Displaying and maintaining keychain
    Execute display commands in any view.
    Display keychain information: display keychain [ name keychain-name [ key key-id ] ]
    Keychain configuration example
    Network requirements
    As shown in Figure 139, establish an OSPFv3 neighbor relationship between Switch A and Switch B, and use a keychain to authenticate packets between the switches.
  • Page 485
    [SwitchA-keychain-abc] key 2
    [SwitchA-keychain-abc-key-2] authentication-algorithm hmac-sha-256
    [SwitchA-keychain-abc-key-2] key-string plain pwd123
    [SwitchA-keychain-abc-key-2] send-lifetime utc 11:00:00 2015/02/06 to 12:00:00 2015/02/06
    [SwitchA-keychain-abc-key-2] accept-lifetime utc 11:00:00 2015/02/06 to 12:00:00 2015/02/06
    [SwitchA-keychain-abc-key-2] quit
    [SwitchA-keychain-abc] quit
    # Configure VLAN-interface 100 to use the keychain abc for authentication.
    [SwitchA] interface vlan-interface 100
    [SwitchA-Vlan-interface100] ospfv3 authentication-mode keychain abc
    [SwitchA-Vlan-interface100] quit...
  • Page 486: Verifying The Configuration

    Verifying the configuration
    When the system time is within the lifetime from 10:00:00 to 11:00:00 on 2015/02/06, verify the status of the keys in the keychain abc.
    # Display keychain information on Switch A. The output shows that key 1 is the valid key.
    [SwitchA] display keychain
    Keychain name : abc...
  • Page 487
      Key string      : $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw==
      Algorithm       : hmac-sha-256
      Send lifetime   : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
      Send status     : Inactive
      Accept lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
      Accept status   : Inactive
    When the system time is within the lifetime from 11:00:00 to 12:00:00 on 2015/02/06, verify the status of the keys in the keychain abc.
  • Page 488
      Send status     : Inactive
      Accept lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
      Accept status   : Inactive
    Key ID          :
      Key string      : $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw==
      Algorithm       : hmac-sha-256
      Send lifetime   : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
      Send status     : Active
      Accept lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
      Accept status   : Active...
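The two display outputs above show the send and accept status of each key flipping at 11:00:00. As an added example (not the switch's code and not from the guide), the Python below models that selection: a keychain picks the key whose send lifetime covers the current time to tag outgoing packets, and accepts a received packet only if the key ID it carries has an active accept lifetime. It reuses the guide's keychain abc, key 2 with key string pwd123 and hmac-sha-256; key 1's key string is not on the page, so a placeholder is used. Lifetimes are treated as half-open intervals and ties are broken by the lowest key ID, both assumptions of mine. The rollover check at the end shows why a practitioner would configure the accept lifetime of the old key to overlap the new one: with the guide's back-to-back lifetimes, a few seconds of clock skew between the switches makes packets signed just before 11:00:00 fail verification on the neighbor.

```python
import hashlib
import hmac
from datetime import datetime, timedelta


class Key:
    """One keychain key: key string, HMAC algorithm, send and accept lifetimes as [start, end)."""
    ALGORITHMS = {"hmac-sha-256": hashlib.sha256, "hmac-sha-1": hashlib.sha1}

    def __init__(self, key_id, key_string, algorithm, send, accept):
        self.key_id = key_id
        self.key_string = key_string.encode()
        self.digest = self.ALGORITHMS[algorithm]
        self.send = send                      # (start, end) datetimes
        self.accept = accept

    @staticmethod
    def _within(lifetime, now):
        start, end = lifetime
        return start <= now < end              # half-open interval (assumption)

    def send_active(self, now):
        return self._within(self.send, now)

    def accept_active(self, now):
        return self._within(self.accept, now)

    def tag(self, message):
        return hmac.new(self.key_string, message, self.digest).digest()


class Keychain:
    def __init__(self, name):
        self.name = name
        self.keys = {}

    def add_key(self, key):
        self.keys[key.key_id] = key

    def send_key(self, now):
        """Lowest-numbered key whose send lifetime covers now (tie-break is an assumption)."""
        for kid in sorted(self.keys):
            if self.keys[kid].send_active(now):
                return self.keys[kid]
        return None

    def accept_ids(self, now):
        return [kid for kid in sorted(self.keys) if self.keys[kid].accept_active(now)]

    def sign(self, now, message):
        key = self.send_key(now)
        if key is None:
            raise RuntimeError("no active send key in keychain %s" % self.name)
        return key.key_id, key.tag(message)

    def verify(self, now, key_id, message, tag):
        key = self.keys.get(key_id)
        if key is None or not key.accept_active(now):
            return False
        return hmac.compare_digest(key.tag(message), tag)


def t(hhmmss):
    """Shorthand for a time on the guide's example day, 2015/02/06."""
    return datetime.strptime("2015/02/06 " + hhmmss, "%Y/%m/%d %H:%M:%S")


def page_keychain(accept_overlap=timedelta(0)):
    """Keychain abc from the guide. key 1's string is a placeholder (the page truncates it);
    accept_overlap extends key 1's accept lifetime beyond its send lifetime."""
    kc = Keychain("abc")
    kc.add_key(Key(1, "key1-placeholder", "hmac-sha-256",
                   (t("10:00:00"), t("11:00:00")),
                   (t("10:00:00"), t("11:00:00") + accept_overlap)))
    kc.add_key(Key(2, "pwd123", "hmac-sha-256",
                   (t("11:00:00"), t("12:00:00")),
                   (t("11:00:00"), t("12:00:00"))))
    return kc


def rollover_check(skew_seconds, accept_overlap_seconds):
    """Switch A signs one second before rollover; Switch B's clock runs skew_seconds ahead.
    Returns whether B accepts the packet (constructed OSPFv3 message as payload)."""
    a = page_keychain(timedelta(seconds=accept_overlap_seconds))
    b = page_keychain(timedelta(seconds=accept_overlap_seconds))
    msg = b"OSPFv3 hello (constructed)"
    sent_at = t("10:59:59")
    kid, tag = a.sign(sent_at, msg)
    return b.verify(sent_at + timedelta(seconds=skew_seconds), kid, msg, tag)


if __name__ == "__main__":
    kc = page_keychain()
    print("10:30 send key:", kc.send_key(t("10:30:00")).key_id, "accept:", kc.accept_ids(t("10:30:00")))
    print("11:30 send key:", kc.send_key(t("11:30:00")).key_id, "accept:", kc.accept_ids(t("11:30:00")))
    print("5 s skew, no overlap:", rollover_check(5, 0), " with 60 s overlap:", rollover_check(5, 60))
```

With accept-lifetime for key 1 extended past 11:00:00 (an overlap the guide's example does not configure), both switches keep accepting the old key while each one's send side has already moved on, which is what makes the rotation interruption-free in the presence of clock skew.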
  • Page 489: Document Conventions And Icons

    Document conventions and icons Conventions This section describes the conventions used in the documentation. Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown.
  • Page 490: Network Topology Icons

    Network topology icons Convention Description Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 491: Support And Other Resources

    Support and other resources Accessing Hewlett Packard Enterprise Support • For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance • To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc Information to collect •...
  • Page 492: Websites

    For more information and device support details, go to the following website: www.hpe.com/info/insightremotesupport/docs Documentation feedback Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title,...
  • Page 493 part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
  • Page 494: Index