Download Print this page

HP A5830 Series Configuration Manual

Security switch
Hide thumbs

Advertisement

Quick Links

HP A5830 Switch Series
Security

Configuration Guide

Abstract
This document describes the software features for the HP A Series products and guides you through the
software configuration procedures. These configuration guides also provide configuration examples to
help you apply software features to different network scenarios.
This documentation is intended for network planners, field technical support and servicing engineers,
and network administrators working with the HP A Series products.
Part number: 5998-2067
Software version: Release 1109
Document version: 6W100-20110715

Advertisement

loading

  Summary of Contents for HP A5830 Series

  • Page 1: Configuration Guide

    Configuration Guide Abstract This document describes the software features for the HP A Series products and guides you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply software features to different network scenarios.
  • Page 2 The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an...
  • Page 3: Table Of Contents

    Contents Configuring AAA ························································································································································· 1 RADIUS ······································································································································································ 2 HWTACACS ····························································································································································· 7 Domain-based user management ··························································································································· 9 RADIUS server feature of the switch ···················································································································· 10 Protocols and standards ······································································································································· 11 RADIUS attributes ·················································································································································· 11 AAA configuration considerations and task list ·········································································································· 14 Configuring AAA schemes ············································································································································...
  • Page 4 Configuring 802.1X ·················································································································································· 71 HP implementation of 802.1X ······································································································································ 71 Access control methods ········································································································································ 71 Using 802.1X authentication with other features ······························································································ 71 Configuration prerequisites ·································································································································· 74 802.1X configuration task list ······························································································································ 74 Enabling 802.1X ··················································································································································· 74 Enabling EAP relay or EAP termination ·············································································································· 75 Setting the port authorization state ······················································································································...
  • Page 5 Configuring port security ········································································································································ 107 Port security features ··········································································································································· 107 Port security modes ············································································································································· 107 Support for guest VLAN and Auth-Fail VLAN ··································································································· 110 Port security configuration task list ····························································································································· 110 Enabling port security ·················································································································································· 111 Configuration prerequisites ································································································································ 111 Configuration procedure ····································································································································...
  • Page 6 PKI operation ······················································································································································· 149 PKI configuration task list ············································································································································ 149 Configuring an entity DN ············································································································································ 150 Configuring a PKI domain ·········································································································································· 151 Submitting a PKI certificate request ···························································································································· 153 Submitting a certificate request in auto mode ·································································································· 153 Submitting a certificate request in manual mode ····························································································· 153 Retrieving a certificate manually ································································································································...
  • Page 7 Displaying help information ······························································································································· 193 Terminating the connection to the remote SFTP server ···················································································· 193 SFTP client configuration example ····························································································································· 193 SFTP server configuration example ···························································································································· 197 Configuring SSL ······················································································································································· 200 SSL security mechanism ······································································································································ 200 SSL protocol stack ··············································································································································· 200 SSL configuration task list ············································································································································...
  • Page 8 How URPF works ················································································································································· 244 Network application ··········································································································································· 247 URPF configuration ······················································································································································· 247 URPF configuration examples ····································································································································· 247 Support and other resources ·································································································································· 249 Contacting HP ······························································································································································ 249 Subscription service ············································································································································ 249 Related information ······················································································································································ 249 Documents ···························································································································································· 249 Websites ······························································································································································ 249 Conventions ··································································································································································...
  • Page 9: Configuring Aaa

    Configuring AAA AAA provides a uniform framework for implementing network access management. It can provide the following security functions: Authentication—Identifies users and determines whether a user is valid. • Authorization—Grants different users different rights and controls their access to resources and •...
  • Page 10: Radius

    RADIUS RADIUS is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required. RADIUS uses UDP as the transport protocol. It uses UDP port 1812 for authentication and UDP port 1813 for accounting.
  • Page 11 Figure 3 Basic RADIUS message exchange process Host RADIUS client RADIUS server 1) Username and password 2) Access-Request 3) Access-Accept/Reject 4) Accounting-Request (start) 5) Accounting-Response 6) The host accesses the resources 7) Accounting-Request (stop) 8) Accounting-Response 9) Notification of access termination RADIUS operates in the following manner: The host initiates a connection request that carries the user’s username and password to the RADIUS client.
  • Page 12 Figure 4 RADIUS packet format Descriptions of the fields are as follows: The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the possible values and their meanings. Table 1 Main values of the Code field Code Packet type Description...
  • Page 13 The Attributes field, variable in length, carries the specific authentication, authorization, and accounting information that defines the configuration details of the request or response. This field may contain multiple attributes, each with these sub-fields: Type, Length, and Value. Type (1 byte long) indicates the type of the attribute. It ranges from 1 to 255. See Table 2 •...
  • Page 14 Vendor-ID—Indicates the ID of the vendor. Its most significant byte is 0; the other three bytes • contains a code that is compliant to RFC 1700. For more information about the proprietary RADIUS sub-attributes of HP, see "HP proprietary RADIUS sub-attributes."...
  • Page 15: Hwtacacs

    Figure 5 Segment of a RADIUS packet containing an extended attribute HWTACACS HWTACACS is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS typically provides AAA services for PPP users, VPDN users, and terminal users.
  • Page 16 Figure 6 Basic HWTACACS message exchange process for a Telnet user Host HWTACACS client HWTACACS server 1) The user logs in 2) Start-authentication packet 3) Authentication response requesting the username 4) Request for username 5) The user inputs the username 6) Authentication continuance packet with the username 7) Authentication response requesting the login...
  • Page 17: Domain-Based User Management

    The user enters the password. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that carries the login password. The HWTACACS server sends back an authentication response to indicate that the user has passed authentication.
  • Page 18: Radius Server Feature Of The Switch

    In addition, AAA provides the following services for login users to enhance switch security: Command authorization—Enables the NAS to defer to the authorization server to determine • whether a command entered by a login user is permitted for the user, ensuring that login users execute only commands they are authorized to execute.
  • Page 19: Protocols And Standards

    A RADIUS server running the standard RADIUS protocol listens on UDP port 1812 for authentication requests, but an HP switch listens on UDP port 1645 instead when acting as the RADIUS server. Be sure to specify 1645 as the authentication port number on the RADIUS client when you use an HP switch as the RADIUS server.
  • Page 20 User identification that the NAS sends to the server. For the LAN Calling-Station-Id access service provided by an HP device, this attribute carries the MAC address of the user in the format HHHH-HHHH-HHHH. NAS-Identifier Identification that the NAS uses for indicating itself.
  • Page 21 Number Attribute Description String for describing the port of the NAS that is authenticating the NAS-Port-Id user. HP proprietary RADIUS sub-attributes Number Sub-attribute Description Input-Peak-Rate Peak rate in the direction from the user to the NAS, in bps. Input-Average-Rate Average rate in the direction from the user to the NAS, in bps.
  • Page 22: Aaa Configuration Considerations And Task List

    Number Sub-attribute Description Information that needs to be sent from the server to the client User_Notify transparently. Hash value assigned after an 802.1X user passes authentication, which is a 32-byte string. This attribute is stored User_HeartBeat in the user list on the device and is used for verifying the handshake messages from the 802.1X user.
  • Page 23 To control access of login users by using AAA methods, you must configure the login authentication mode for the user interfaces as scheme. For more information about the configuration command, see Fundamentals Command Reference. Figure 9 AAA configuration diagram Local AAA Configure AAA methods Configure local users and related attributes...
  • Page 24: Configuring Aaa Schemes

    Configuring AAA schemes Configuring local users To implement local user authentication, authorization, and accounting, you must create local users and configure user attributes on the switch. The local users and attributes are stored in the local user database on the switch. A local user is uniquely identified by a username. Configurable local user attributes are as follows: Service type Types of services that the user can use.
  • Page 25 You can configure an authorization attribute in user group view or local user view to make the attribute effective for all local users in the group or only for the local user. The setting of an authorization attribute in local user view takes precedence over that in user group view. Local user configuration task list Task Remarks...
  • Page 26 To do… Use the command… Remarks Optional. By default, there is no limit to the Set the maximum number of maximum number of concurrent users concurrent users of the local access-limit max-user-number of a local user account. user account. The limit is effective only for local accounting and is not effective for FTP users.
  • Page 27 To do… Use the command… Remarks Optional. Assign the local user to a user group group-name By default, a local user belongs to the group. default user group system. For more information about relevant commands, see Security Command Reference. When the password control feature is enabled globally (by using the password-control enable command), local user passwords are not displayed, and the local-user password-display-mode command is not effective.
  • Page 28: Configuring Radius Schemes

    To do… Use the command… Remarks Optional. Set the password By default, the global password-control aging aging-time aging time. setting (90 days by default) is used. Configure Optional. password control Set the minimum By default, the global password-control length length attributes for password length.
  • Page 29 authentication/authorization servers and accounting servers, or primary servers and secondary servers. The parameters include the IP addresses of the servers, the shared keys, and the RADIUS server type. RADIUS scheme configuration task list Task Remarks Creating a RADIUS scheme Required Specifying the RADIUS authentication/authorization servers Required Specifying the RADIUS accounting servers and the relevant parameters...
  • Page 30 To do… Use the command… Remarks Enter system view. system-view — Enter RADIUS scheme view. radius scheme radius-scheme-name — Specify the primary RADIUS primary authentication { ip-address | Required. authentication/authorization ipv6 ipv6-address } [ port-number | key [ Configure at least one server.
  • Page 31 To do… Use the command… Remarks Enable buffering of stop- Optional. accounting requests to stop-accounting-buffer enable which no responses are Enabled by default. received. Set the maximum number Optional. of stop-accounting retry stop-accounting retry-times 500 by default. attempts. The IP addresses of the primary and secondary accounting servers must be different from each other. Otherwise, the configuration fails.
  • Page 32 Standard—Uses the standard RADIUS protocol, compliant to RFC 2865 and RFC 2866 or later. • Extended—Uses the proprietary RADIUS protocol of HP. • When the RADIUS server runs iMC, you must set the RADIUS server type to extended. When the RADIUS server runs third-party RADIUS server software, either RADIUS server type applies.
  • Page 33 specified limit but it still receives no response, it tries to communicate with other RADIUS servers in the active state. If no other servers are in the active state at the time, it considers the authentication or accounting attempt a failure. For more information about RADIUS server states, see "Setting the status of RADIUS servers."...
  • Page 34 After receiving an authentication/accounting response from a server, the switch changes the status • of the server identified by the source IP address of the response to active if the current status of the server is blocked. By default, the switch sets the status of all RADIUS servers to active. In some cases, however, you may need to change the status of a server.
  • Page 35 To specify a source IP address for all RADIUS schemes: To do… Use the command… Remarks Enter system view. system-view — Required. Specify a source IP radius nas-ip { ip-address | address for outgoing By default, the IP address of the outbound ipv6 ipv6-address } RADIUS packets.
  • Page 36 Configuring the IP address of the security policy server The core of the HP EAD solution is integration and cooperation, and the security policy server is the management and control center. Using a collection of software, the security policy server provides functions such as user management, security policy management, security status assessment, security cooperation control, and security event audit.
  • Page 37 The NAS checks the validity of received control packets and accepts only control packets from known servers. To use a security policy server that is independent of the AAA servers, you must configure the IP address of the security policy server on the NAS. To implement all EAD functions, configure both the IP address of the iMC security policy server and that of the iMC configuration platform on the NAS.
  • Page 38 The failure ratio is generally small. If a trap message is triggered because the failure ratio is higher than the threshold, troubleshoot the configuration and the communication between the NAS and the RADIUS server. To enable the trap function for RADIUS: To do…...
  • Page 39: Configuring Hwtacacs Schemes

    Configuring HWTACACS schemes You cannot remove the HWTACACS schemes in use or change the IP addresses of the HWTACACS servers in use. HWTACACS configuration task list Task Remarks Creating an HWTACACS scheme Required Specifying the HWTACACS authentication servers Required Specifying the HWTACACS authorization servers Optional Specifying the HWTACACS accounting servers and the relevant parameters Optional...
  • Page 40 To do… Use the command… Remarks Enter system view. system-view — Enter HWTACACS hwtacacs scheme hwtacacs-scheme- — scheme view. name Specify the primary primary authentication ip-address [ port- HWTACACS Required. number ] authentication server. Configure at least one command. Specify the secondary No authentication server is secondary authentication ip-address [ HWTACACS...
  • Page 41 the number of stop-accounting attempts reaches the configured limit. In the latter case, the switch discards the packet. An HWTACACS server can function as the primary accounting server of one scheme and as the secondary accounting server of another scheme at the same time. The IP addresses of the primary and secondary accounting servers cannot be the same.
  • Page 42 Setting the username format and traffic statistics units A username is usually in the format of userid@isp-name, where isp-name represents the name of the ISP domain to which the user belongs. The switch uses it to determine which users belong to which ISP domains.
  • Page 43 The IP address of the outbound interface specified by the route To specify a source IP address for all HWTACACS schemes: To do… Use the command… Remarks Enter system view. system-view — Required. Specify a source IP address for outgoing hwtacacs nas-ip ip-address By default, the IP address of the outbound HWTACACS packets.
  • Page 44: Configuring Aaa Methods For Isp Domains

    To do… Use the command… Remarks Optional Set the real-time accounting timer realtime-accounting minutes interval. 12 minutes by default Displaying and maintaining HWTACACS To do… Use the command… Remarks display hwtacacs [ hwtacacs-server- Display the configuration information name [ statistics ] ] [ slot slot-number ] [ Available in any view or statistics of HWTACACS schemes | { begin | exclude | include } regular-...
  • Page 45: Configuring Isp Domain Attributes

    On the switch, each user belongs to an ISP domain. If a user provides no ISP domain name at login, the switch considers the user as belonging to the default ISP domain. To create an ISP domain: To do… Use the command… Remarks Enter system view.
  • Page 46: Configuring Aaa Authentication Methods For An Isp Domain

    To do… Use the command… Remarks Optional. Disabled by default. Configure the idle cut function. idle-cut enable minute [ flow ] This command is effective only for LAN users. Enable the self-service server Optional. location function and specify self-service-url enable url-string the URL of the self-service Disabled by default.
  • Page 47: Configuring Aaa Authorization Methods For An Isp Domain

    To configure AAA authentication methods for an ISP domain: To do… Use the command… Remarks Enter system view. system-view — Enter ISP domain view. domain isp-name — authentication default { hwtacacs-scheme Specify the default Optional. hwtacacs-scheme-name [ local ] | local | authentication method none | radius-scheme radius-scheme-name [ It is set to local by default.
  • Page 48 No authorization (none)—The NAS performs no authorization exchange. After passing • authentication, non-login users can access the network, FTP users can access the root directory of the NAS, and other login users have only the rights of Level 0 (visiting). Local authorization (local)—The NAS performs authorization according to the user attributes •...
  • Page 49: Configuring Aaa Accounting Methods For An Isp Domain

    If you specify the radius-scheme radius-scheme-name local, hwtacacs-scheme hwtacacs-scheme-name [ local | none ] option when you configure an authorization method, local authorization or no authorization is the backup method and is used only when the remote server is not available. If you specify only the local or none keyword in an authorization method configuration command, the switch has no backup authorization method and performs only local authorization or does not perform any authorization.
  • Page 50: Tearing Down User Connections

    To do… Use the command… Remarks Optional. Specify the command accounting command hwtacacs- The default accounting method accounting method. scheme hwtacacs-scheme-name is used by default. Optional. accounting lan-access { local | none | Specify the accounting radius-scheme radius-scheme-name [ The default accounting method method for LAN users.
  • Page 51: Configuring A Switch As A Radius Server

    To do… Use the command… Remarks Create a NAS ID profile and aaa nas-id profile profile-name Required. enter NAS ID profile view. Required. Configure a NAS ID-VLAN nas-id nas-identifier bind vlan By default, no NAS ID-VLAN binding. vlan-id binding exists. Configuring a switch as a RADIUS server RADIUS server functions configuration task list Task...
  • Page 52: Specifying A Radius Client

    ACL does not exist on the NAS, ACL assignment fails, and the NAS forcibly logs the RADIUS user out. If the assigned VLAN does not exist on the NAS, the NAS creates the VLAN and adds the RADIUS user or the access port to the VLAN.
  • Page 53 Figure 10 Configure AAA for Telnet users by an HWTACACS server Configuration procedure Configure the switch. # Assign IP addresses to the interfaces. (Details not shown) # Enable the Telnet server on the switch. <Switch> system-view [Switch] telnet server enable # Configure the switch to use AAA for Telnet users.
  • Page 54: Aaa For Telnet Users By Separate Servers

    Verify the configuration. Telnet to the switch as a user, and enter the correct username and password. You pass authentication and log in to the switch. By issuing the display connection command on the switch, you can see information about the user connection. AAA for Telnet users by separate servers Network requirements As shown in...
  • Page 55: Authentication/Authorization For Ssh/Telnet Users By A Radius Server

    [Switch-radius-rd] user-name-format without-domain [Switch-radius-rd] quit # Create a local user named hello. [Switch] local-user hello [Switch-luser-hello] service-type telnet [Switch-luser-hello] password simple hello [Switch-luser-hello] quit # Configure the AAA methods for the ISP domain. [Switch] domain bbb [Switch-isp-bbb] authentication login local [Switch-isp-bbb] authorization login hwtacacs-scheme hwtac [Switch-isp-bbb] accounting login radius-scheme rd [Switch-isp-bbb] quit...
  • Page 56 Specify the ports for authentication and accounting as 1812 and 1813, respectively. Select Device Management Service as the service type. Select HP(A-Series) as the access device type. Select the switch from the device list or manually add the switch with the IP address of 10.1.1.2.
  • Page 57 Click OK to finish the operation. Figure 14 Add an account for device management Configure the switch. # Configure the IP address of VLAN interface 2, through which the SSH user accesses the switch. <Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 [Switch-Vlan-interface2] quit # Configure the IP address of VLAN-interface 3, through which the switch accesses the server.
  • Page 58: Aaa For 802.1X Users By A Radius Server

    # Create RADIUS scheme rad. [Switch] radius scheme rad # Specify the primary authentication server. [Switch-radius-rad] primary authentication 10.1.1.1 1812 # Set the shared key for authentication packets to expert. [Switch-radius-rad] key authentication expert # Configure the scheme to include the domain names in usernames to be sent to the RADIUS server. [Switch-radius-rad] user-name-format with-domain # Specify the service type for the RADIUS server, which must be extended when the RADIUS server runs iMC.
  • Page 59 Specify the ports for authentication and accounting as 1812 and 1813, respectively. Select LAN Access Service as the service type. Select HP(A-Series) as the access device type. Select the switch from the device list, or manually add the switch whose IP address is 10.1.1.2.
  • Page 60 Figure 16 Add an access device # Add a charging policy. See Figure Click the Service tab, and select Accounting Manager > Charging Plans from the navigation tree to enter the charging policy configuration page. Then, click Add to enter the Add Charging Plan page, and perform the following configurations: Add a plan named UserAcct.
  • Page 61 Click the Service tab, and select User Access Manager > Service Configuration from the navigation tree to enter the Service Configuration page. Then, click Add to enter the Add Service Configuration page, and perform the following configurations: Add a service named Dot1x auth and set the Service Suffix to bbb, which indicates the authentication domain for the 802.1X user.
  • Page 62 Figure 19 Add an access user account Configure the switch. Configure a RADIUS scheme. • # Create a RADIUS scheme named rad and enter its view. <Switch> system-view [Switch] radius scheme rad # Set the server type for the RADIUS scheme. When using the iMC server, set the server type to extended.
  • Page 63 Enable IEEE 802.1X authentication for this network option and specify the EAP type as MD5-Challenge. If the HP iNode client is used, no advanced authentication options need to be enabled. When using the HP iNode client, the user can pass authentication after entering username dot1x@bbb and the correct password in the client property page.
  • Page 64: Level Switching Authentication For Telnet Users By An Hwtacacs Server

    Start=2011-04-26 19:41:12 ,Current=2011-04-26 19:41:25 ,Online=00h00m14s Total 1 connection matched. As the Authorized VLAN field in the output shows, VLAN 4 has been assigned to the user. Level switching authentication for Telnet users by an HWTACACS server Network requirements As shown in Figure 20, configure the switch to use local authentication for the Telnet user, and assign the privilege level of 0 to the user after the user passes authentication.
  • Page 65 [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 [Switch-Vlan-interface2] quit # Configure the IP address of VLAN-interface 3, through which the switch communicates with the server. [Switch] interface vlan-interface 3 [Switch-Vlan-interface3] ip address 10.1.1.2 255.255.255.0 [Switch-Vlan-interface3] quit # Enable the switch to provide Telnet service. [Switch] telnet server enable # Configure the switch to use AAA for Telnet users.
  • Page 66 Configure the HWTACACS server. NOTE: The HWTACACS server in this example runs ACSv4.0. Add a user named test on the HWTACACS server, and configure advanced attributes for the user as shown in Figure Select Max Privilege for any AAA Client and set the privilege level to level 3. After these configurations, the user needs to use the password enabpass when switching to level 1, level 2, or level 3.
  • Page 67: Radius Authentication And Authorization For Telnet Users By A Switch

    Login authentication Username:test@bbb Password: <Switch> ? User view commands: display Display current system information ping Ping function quit Exit from current command view ssh2 Establish a secure shell client connection super Set the current user priority level telnet Establish one TELNET connection tracert Trace route function When switching to user privilege level 3, the Telnet user only needs to enter password enabpass as...
  • Page 68 Figure 22 RADIUS authentication and authorization for Telnet users by a switch Configuration procedure # Configure an IP address for each interface as shown in Figure 22. (Details not shown) Configure the NAS. # Enable the Telnet server on Switch A. <SwitchA>...
  • Page 69: Troubleshooting Aaa

    # Create RADIUS user aaa and enter its view. <SwitchB> system-view [SwitchB] radius-server user aaa # Configure simple-text password aabbcc for user aaa. [SwitchB-rdsuser-aaa] password simple aabbcc [SwitchB-rdsuser-aaa] quit # Specify the IP address of the RADIUS client as 10.1.1.1 and the shared key as abc. [SwitchB] radius-server client-ip 10.1.1.1 key abc Verify the configuration.
  • Page 70: Troubleshooting Hwtacacs

    Analysis The NAS and the RADIUS server cannot communicate with each other. The NAS is not configured with the IP address of the RADIUS server. The UDP ports for authentication/authorization and accounting are not correct. The port numbers of the RADIUS server for authentication, authorization, and accounting are being used by other applications.
  • Page 71: 802.1X Fundamentals

    In the unauthorized state, a controlled port denies incoming and outgoing traffic in one of the • following ways: Performs bidirectional traffic control to deny traffic to and from the client. Performs unidirectional traffic control to deny traffic from the client. The HP devices support only unidirectional traffic control.
  • Page 72: 802.1X-Related Protocols

    Figure 24 Authorization state of a controlled port 802.1X-related protocols 802.1X uses EAP to transport authentication information for the client, the network access device, and the authentication server. EAP is an authentication framework that uses the client/server model. It supports a variety of authentication methods, including MD5-Challenge, EAP-TLS, and PEAP. 802.1X defines EAPOL for passing EAP packets between the client and the network access device over a wired or wireless LAN.
  • Page 73: Eap Over Radius

    Protocol version—The EAPOL protocol version used by the EAPOL packet sender. • Type—Type of the EAPOL packet. Table 5 lists the types of EAPOL packets that the HP • implementation of 802.1X supports. Table 5 Types of EAPOL packets Value...
  • Page 74: Initiating 802.1X Authentication

    03 or the broadcast MAC address. If any intermediate device between the client and the authentication server does not support the multicast address, you must use an 802.1X client (for example, the HP iNode 802.1X client) that can send broadcast EAPOL-Start packets.
  • Page 75: A Comparison Of Eap Relay And Eap Termination

    EAP authentication and the "username + password" EAP Works with any RADIUS server that authentication initiated by an EAP termination supports PAP or CHAP authentication. HP iNode 802.1X client. • The processing is complex on the network access device. EAP relay Figure 31 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that EAP-MD5...
  • Page 76 Figure 31 802.1X authentication procedure in EAP relay mode Client Device Authentication server EAPOR EAPOL (1) EAPOL-Start (2) EAP-Request/Identity (3) EAP-Response/Identity (4) RADIUS Access-Request (EAP-Response/Identity) (5) RADIUS Access-Challenge (EAP-Request/MD5 challenge) (6) EAP-Request/MD5 challenge (7) EAP-Response/MD5 challenge (8) RADIUS Access-Request (EAP-Response/MD5 challenge) (9) RADIUS Access-Accept (EAP-Success) (10) EAP-Success...
  • Page 77 The authentication server compares the received encrypted password with the one it generated at Step 5. If the two are identical, the authentication server considers the client valid and sends a RADIUS Access-Accept packet to the network access device. Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP- Success packet to the client, and it sets the controlled port in the authorized state so the client can access the network.
  • Page 78: Eap Termination

    EAP termination Figure 32 shows the basic 802.1X authentication procedure in EAP termination mode, assuming that CHAP authentication is used. Figure 32 802.1X authentication procedure in EAP termination mode In EAP termination mode, it is the network access device rather than the authentication server that generates an MD5 challenge for password encryption (see Step 4).
  • Page 79: Configuring 802.1X

    Configuring 802.1X This chapter describes how to configure 802.1X on an HP device. You can also configure the port security feature to perform 802.1X. Port security combines and extends 802.1X and MAC authentication. It applies to a network (a WLAN, for example) that requires different authentication methods for different users on a port.
  • Page 80 For more information about VLAN configuration and MAC-based VLAN, see Layer 2 LAN Switching — Configuration Guide. Guest VLAN You can configure a guest VLAN on a port to accommodate users who have not performed 802.1X authentication so they can access a limited set of network resources, such as a software server, to download anti-virus software and system patches.
  • Page 81 For more information about VLAN configuration and MAC-based VLAN, see Layer 2 LAN Switching — Configuration Guide. Auth-Fail VLAN You can configure an Auth-Fail VLAN to accommodate users who have failed 802.1X authentication because of the failure to comply with the organization security strategy, such as using a wrong password.
  • Page 82: Configuration Prerequisites

    ACL assignment You can specify an ACL for an 802.1X user to control the user’s access to network resources. After the user passes 802.1X authentication, the authentication server (either the local access device or a RADIUS server) assigns the ACL to the port to filter the traffic from this user. In either case, you must configure the ACL on the access device.
  • Page 83: Enabling Eap Relay Or Eap Termination

    If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an HP iNode 802.1X client, you can use both EAP termination and EAP relay. To use EAP-TL, PEAP, or any other EAP authentication methods, you must use EAP relay. When you make your decision, see "A comparison of EAP relay and EAP...
  • Page 84: Specifying An Access Control Method

    auto—Places the port initially in the unauthorized state to allow only EAPOL packets to pass. After • a user passes authentication, sets the port in the authorized state to allow access to the network. You can use this option in most scenarios. You can set the authorization state for one port in Ethernet interface view or for multiple ports in system view.
  • Page 85: Setting The Maximum Number Of Authentication Request Attempts

    To do… Use the command… Remarks Set the dot1x max-user user-number [ In system view maximum interface interface-list ] Optional. number of interface interface-type interface- concurrent Use either approach. number In Ethernet 802.1X 1024 by default. interface view users on a dot1x max-user user-number [ port interface interface-list ]...
  • Page 86: Configuring The Online User Handshake Function

    To use the online handshake security function, make sure that the online user handshake function is • enabled. HP recommends that you use the iNode client software and iMC server to ensure normal operation of the online user handshake security function.
  • Page 87: Specifying A Mandatory Authentication Domain On A Port

    request attempts set with the dot1x retry command is reached (see "Setting the maximum number of authentication request attempts"). The identity request timeout timer sets both the identity request interval for the multicast trigger and the identity request timeout interval for the unicast trigger. Configuration guidelines Follow these guidelines when you configure the authentication trigger function: Enable the multicast trigger on a port when the clients attached to the port cannot send EAPOL-Start...
  • Page 88: Configuring The Quiet Timer

    Configuring the quiet timer The quiet timer enables the network access device to wait a period of time before it can process any authentication request from a client that has failed an 802.1X authentication. You can set the quiet timer to a high value in a vulnerable network or a low value for quicker authentication response.
  • Page 89: Configuring An 802.1X Guest Vlan

    Configuring an 802.1X guest VLAN Configuration guidelines Follow these guidelines when you configure an 802.1X guest VLAN: You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different • ports can be different. Assign different IDs for the default VLAN and the 802.1X guest VLAN on a port so the port can •...
  • Page 90: Configuring An Auth-Fail Vlan

    To do… Use the command… Remarks dot1x guest-vlan guest-vlan-id Configuring an Auth-Fail VLAN Configuration guidelines Follow these guidelines when you configure an 802.1X Auth-Fail VLAN: Assign different IDs for the default VLAN and the 802.1X Auth-Fail VLAN on a port so the port can •...
  • Page 91: Specifying Supported Domain Name Delimiters

    Specifying supported domain name delimiters By default, the access device supports the at sign (@) as the delimiter. You can also configure the access device to accommodate 802.1X users who use other domain name delimiters. The configurable delimiters include the at sign (@), back slash (\), and forward slash (/). If an 802.1X username string contains multiple configured delimiters, the leftmost delimiter is the domain name delimiter.
  • Page 92 For information about the RADIUS commands used on the access device in this example, see Command Reference Configure the 802.1X client. If HP iNode is used, do not select the Carry version info option in the client configuration. (Details not shown) Configure the RADIUS servers and add user accounts for the 802.1X users.
  • Page 93 # Specify the IP addresses of the primary authentication and accounting RADIUS servers. [Device-radius-radius1] primary authentication 10.1.1.1 [Device-radius-radius1] primary accounting 10.1.1.1 # Configure the IP addresses of the secondary authentication and accounting RADIUS servers. [Device-radius-radius1] secondary authentication 10.1.1.2 [Device-radius-radius1] secondary accounting 10.1.1.2 # Specify the shared key between the access device and the authentication server.
  • Page 94: With Guest Vlan And Vlan Assignment Configuration Example

    Verification Use the display dot1x interface gigabitethernet 1/0/1 command to verify the 802.1X configuration. After an 802.1X user passes RADIUS authentication, you can use the display connection command to view the user connection information. If the user fails RADIUS authentication, local authentication is performed.
  • Page 95 Figure 34 Network diagram for 802.1X with guest VLAN and VLAN assignment configuration Update server Authentication server VLAN 10 VLAN 2 GE1/0/1 GE1/0/4 VLAN 1 VLAN 5 GE1/0/2 GE1/0/3 Device Internet Host Port added to the guest VLAN Update server Authentication server Update server Authentication server...
  • Page 96 [Device-vlan5] quit Configure a RADIUS scheme. # Configure RADIUS scheme 2000 and enter its view. <Device> system-view [Device] radius scheme 2000 # Specify primary and secondary authentication and accounting servers. Set the shared key to abc for authentication and accounting packets. [Device-radius-2000] primary authentication 10.11.1.1 1812 [Device-radius-2000] primary accounting 10.11.1.1 1813 [Device-radius-2000] key authentication abc...
  • Page 97: 802.1X With Acl Assignment Configuration Example

    802.1X with ACL assignment configuration example Network requirements As shown in Figure 35, the host at 192.168.1.10 connects to port GigabitEthernet 1/0/1 of the network access device. Perform 802.1X authentication on the port. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server and the RADIUS server at 10.1.1.2 as the accounting server.
  • Page 98 # Create an ISP domain, and specify the RADIUS scheme 2000 as the default AAA scheme for the domain. [Device] domain 2000 [Device-isp-2000] authentication default radius-scheme 2000 [Device-isp-2000] authorization default radius-scheme 2000 [Device-isp-2000] accounting default radius-scheme 2000 [Device-isp-2000] quit # Configure a time range ftp for the weekdays from 8:00 to 18:00. [Device] time-range ftp 8:00 to 18:00 working-day # Configure ACL 3000 to deny packets destined for the FTP server at 10.0.0.1 on the weekdays during business hours.
  • Page 99: Configuring Ead Fast Deployment

    Configuring EAD fast deployment EAD is an HP integrated endpoint access control solution that enables the security client, security policy server, access device, and third-party server to work together to improve the threat defensive capability of a network. If a terminal device seeks to access an EAD network, it must have an EAD client, which performs 802.1X authentication.
  • Page 100: Displaying And Maintaining Ead Fast Deployment

    To do… Use the command… Remarks Required. dot1x free-ip ip-address { mask- Configure a free IP. By default, no free IP is address | mask-length } configured. When global MAC authentication or port security is enabled, the free IP does not take effect. If you use the free IP, guest VLAN, and Auth-Fail VLAN features together, make sure that the free IP segments are in both guest VLAN and Auth-Fail VLAN.
  • Page 101: Ead Fast Deployment Configuration Example

    EAD fast deployment configuration example Network requirements As shown in Figure 36, the hosts on the intranet 192.168.1.0/24 are attached to port GigabitEthernet 1/0/1 of the network access device, and they use DHCP to obtain IP addresses. Deploy EAD solution for the intranet so that all hosts must pass 802.1X authentication to access the network.
  • Page 102 <Device> system-view [Device] dhcp enable # Configure a DHCP server for a DHCP server group. [Device] dhcp relay server-group 1 ip 192.168.2.2 # Enable the relay agent VLAN interface 2. [Device] interface vlan-interface 2 [Device-Vlan-interface2] dhcp select relay # Correlate VLAN interface 2 to the DHCP server group. [Device-Vlan-interface2] dhcp relay server-select 1 [Device-Vlan-interface2] quit Configure a RADIUS scheme and an ISP domain.
  • Page 103: Troubleshooting Ead Fast Deployment

    Troubleshooting EAD fast deployment Web browser users cannot be correctly redirected Symptom Unauthenticated users are not redirected to the specified redirect URL after they enter external website addresses in their web browsers. Analysis Redirection does not happen for one of the following reasons: The address is in the string format.
  • Page 104: Configuring Mac Authentication

    Configuring MAC authentication MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software. A user does not need to enter a username and password for network access. MAC authentication works as follows: The device initiates a MAC authentication process when it detects an unknown source MAC •...
  • Page 105: Mac Authentication Timers

    MAC authentication timers MAC authentication uses the following timers: Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards • the user idle. If a user connection has been idle for two consecutive intervals, the device logs the user out and stops accounting for the user.
  • Page 106: Mac Authentication Configuration Task List

    If a user in the guest VLAN passes MAC authentication, the user is removed from the guest VLAN and can access all authorized network resources. If not, the user is still in the MAC authentication guest VLAN. A hybrid port is always assigned to a guest VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.
  • Page 107: Specifying An Authentication Domain For Mac Authentication Users

    To do… Use the command… Remarks Optional. mac-authentication user-name-format By default, the username and Configure the properties { fixed [ account name ] [ password { password for a MAC of MAC authentication cipher | simple } password ] | mac- authentication user account must user accounts.
  • Page 108: Configuring A Mac Authentication Guest Vlan

    To do… Use the command… Remarks authentication users. Use either approach. interface interface-type interface- number By default, the system default authentication domain is used for mac-authentication domain domain- MAC authentication users. name Configuring a MAC authentication guest VLAN Configuration prerequisites Before you configure a MAC authentication guest VLAN on a port, complete the following tasks: Enable MAC authentication.
  • Page 109: Displaying And Maintaining Mac Authentication

    Displaying and maintaining MAC authentication To do… Use the command… Remarks display mac-authentication [ Display MAC authentication interface interface-list ] [ | { begin Available in any view information | exclude | include } regular- expression ] Clear MAC authentication reset mac-authentication statistics Available in user view statistics...
  • Page 110 # Enable MAC authentication globally. [Device] mac-authentication # Enable MAC authentication on port GigabitEthernet 1/0/1. [Device] mac-authentication interface gigabitethernet 1/0/1 # Specify the ISP domain for MAC authentication. [Device] mac-authentication domain aabbcc.net # Set the MAC authentication timers. [Device] mac-authentication timer offline-detect 180 [Device] mac-authentication timer quiet 180 # Configure MAC authentication to use MAC-based accounts.
  • Page 111: Radius-Based Mac Authentication Configuration Example

    RADIUS-based MAC authentication configuration example Network requirements As shown in Figure 38, a host connects to port GigabitEthernet 1/0/1 on the access device. The device uses RADIUS servers for authentication, authorization, and accounting. Perform MAC authentication on port GigabitEthernet 1/0/1 to control Internet access. Make sure that: The device detects whether a user has gone offline every 180 seconds.
  • Page 112 # Enable MAC authentication globally. [Device] mac-authentication # Enable MAC authentication on port GigabitEthernet 1/0/1. [Device] mac-authentication interface gigabitethernet 1/0/1 # Specify the ISP domain for MAC authentication. [Device] mac-authentication domain 2000 # Set the MAC authentication timers. [Device] mac-authentication timer offline-detect 180 [Device] mac-authentication timer quiet 180 # Specify username aaa and password 123456 for the account shared by MAC authentication users.
  • Page 113: Acl Assignment Configuration Example

    ACL assignment configuration example Network requirements As shown in Figure 39, a host connects to the device’s port GigabitEthernet 1/0/1, and the device uses RADIUS servers to perform authentication, authorization, and accounting. Perform MAC authentication on port GigabitEthernet 1/0/1 to control Internet access. Make sure that an authenticated user can access the Internet but not the FTP server at 10.0.0.1.
  • Page 114 [Sysname-isp-2000] authorization default radius-scheme 2000 [Sysname-isp-2000] accounting default radius-scheme 2000 [Sysname-isp-2000] quit # Enable MAC authentication globally. [Sysname] mac-authentication # Specify the ISP domain for MAC authentication. [Sysname] mac-authentication domain 2000 # Configure the device to use MAC-based user accounts, and specify that the MAC addresses are separated by hyphens and in lowercase characters.
  • Page 115: Configuring Port Security

    MAC authentication. They apply to scenarios that require both 802.1X authentication and MAC authentication. For scenarios that require only 802.1X authentication or MAC authentication, HP recommends that you configure 802.1X authentication or MAC authentication rather than port security. For more information about 802.1X and MAC authentication, see "Configuring...
  • Page 116 Authentication—Security modes in this category implement MAC authentication, 802.1X • authentication, or a combination of these two authentication methods. Table 9 describes the port security modes and the security features. Table 9 Port security modes Features that can Purpose Security mode be triggered noRestrictions (the default mode) Turning off the port security...
  • Page 117 The dynamic MAC address learning function in MAC address management is disabled on ports operating in autoLearn mode, but you can configure MAC addresses by using the mac-address dynamic and mac-address static commands. secure MAC address learning is disabled on a port in secure mode. You configure MAC addresses by using the mac-address static and mac-address dynamic commands.
  • Page 118: Support For Guest Vlan And Auth-Fail Vlan

    For non-802.1X frames, a port in this mode performs only MAC authentication. For 802.1X frames, it performs MAC authentication and then, if the authentication fails, 802.1X authentication. macAddressElseUserLoginSecureExt This mode is similar to the macAddressElseUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users, as the keyword Ext implies.
  • Page 119: Enabling Port Security

    Enabling port security Configuration prerequisites To enable port security, you must first disable 802.1X and MAC authentication globally. Configuration procedure To enable port security: To do… Use the command… Remarks Enter system view. system-view — Required. Enable port security. port-security enable By default, the port security is disabled.
  • Page 120: Setting The Port Security Mode

    The port security’s limit on the number of MAC addresses on a port is independent of the MAC learning limit described in MAC address table configuration in Layer 2—LAN Switching Configuration Guide. Setting the port security mode Configuration prerequisites Before you set a port security mode for a port, complete the following tasks: Disable 802.1X and MAC authentication.
  • Page 121: Configuring Port Security Features

    After enabling port security, you can change the port security mode of a port only when the port is operating in noRestrictions (the default) mode. To change the port security mode for a port in any other mode, use the undo port-security port-mode command to restore the default port security mode first. Configuring port security features Configuring NTK The NTK feature checks the destination MAC addresses in outbound frames to make sure that frames are...
  • Page 122: Enabling Port Security Traps

    To do… Use the command… Remarks Enter system view. system-view — Enter Layer 2 Ethernet interface interface-type interface- — interface view. number Required. port-security intrusion-mode { Configure the intrusion blockmac | disableport | By default, intrusion protection is protection feature. disableport-temporarily } disabled.
  • Page 123: Configuration Prerequisites

    By default, sticky MAC addresses do not age out. Use the port-security timer autolearn aging command to set an aging timer for sticky MAC addresses. When the timer expires, the sticky MAC addresses are removed. This aging mechanism prevents the unauthorized use of a sticky MAC address when the authorized user is offline, and it removes outdated secure MAC addresses so new secure MAC addresses can be learned.
  • Page 124: Displaying And Maintaining Port Security

    To do… Use the command… Remarks Enter system view. system-view — Enter Layer 2 Ethernet interface interface-type interface- — interface view. number Required. Ignore the authorization By default, a port uses the information from the RADIUS port-security authorization ignore authorization information from the server.
  • Page 125 Figure 40 Network diagram for configuring the autoLearn mode Configuration procedure Configure port security. # Enable port security. <Device> system-view [Device] port-security enable # Set the sticky MAC aging timer to 30 minutes. [Device] port-security timer autolearn aging 30 # Enable intrusion protection traps on port GigabitEthernet 1/0/1. [Device] port-security trap intrusion [Device] interface gigabitethernet 1/0/1 # Set port security’s limit on the number of MAC addresses to 64 on the port.
  • Page 126 The output shows that the port security's limit on the number of secure MAC addresses on the port is 64, the port security mode is autoLearn, intrusion protection traps are enabled, and the intrusion protection action is disabling the port (DisablePortTemporarily) for 30 seconds. Use the command repeatedly to track the number of MAC addresses learned by the port, or use the display this command in Layer 2 Ethernet interface view to display the secure MAC addresses learned: <Device>...
  • Page 127: Configuring The Userloginwithoui Mode

    Configuring the userLoginWithOUI mode Network requirements As shown in Figure 41, a client is connected to the device through port GigabitEthernet 1/0/1. The device authenticates the client with a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet. The RADIUS server at 192.168.1.2 functions as the primary authentication server and the •...
  • Page 128 [Device-radius-radsun] secondary accounting 192.168.1.2 [Device-radius-radsun] key authentication name [Device-radius-radsun] key accounting money [Device-radius-radsun] timer response-timeout 5 [Device-radius-radsun] retry 5 [Device-radius-radsun] timer realtime-accounting 15 [Device-radius-radsun] user-name-format without-domain [Device-radius-radsun] quit # Configure ISP domain sun to use RADIUS scheme radsun for authentication, authorization, and accounting of all types of users.
  • Page 129 IP: 192.168.1.3 Port: 1812 State: active Encryption Key : N/A Second Acct Server: IP: 192.168.1.2 Port: 1813 State: active Encryption Key : N/A Auth Server Encryption Key : name Acct Server Encryption Key : money Accounting-On packet disable, send times : 5 , interval : 3s Interval for timeout(second) Retransmission times for timeout Interval for realtime accounting(minute)
  • Page 130 Stored MAC address number is 0 Authorization is permitted After an 802.1X user gets online, you can see that the number of secure MAC addresses stored is 1. You can also use the following command to view information about 802.1X: <Device>...
  • Page 131: Configuring The Macaddresselseuserloginsecure Mode

    In addition, the port allows an additional user whose MAC address has an OUI among the specified OUIs to access the port. Use the following command to view the related information: <Device> display mac-address interface gigabitethernet 1/0/1 MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
  • Page 132 [Device-GigabitEthernet1/0/1] port-security max-mac-count 64 # Set the port security mode to macAddressElseUserLoginSecure. [Device-GigabitEthernet1/0/1] port-security port-mode mac-else-userlogin-secure # Set the NTK mode of the port to ntkonly. [Device-GigabitEthernet1/0/1] port-security ntk-mode ntkonly Verify the configuration. After completing the configurations, use the following command to view the port security configuration information: <Device>...
  • Page 133 1234-0300-0013 MAC_AUTHENTICATOR_SUCCESS Use the following command to view 802.1X authentication information: <Device> display dot1x interface gigabitethernet 1/0/1 Equipment 802.1X protocol is enabled CHAP authentication is enabled EAD quick deploy is disabled Configuration: Transmit Period 30 s, Handshake Period 15 s Quiet Period 60 s, Quiet Period Timer is disabled...
  • Page 134: Troubleshooting Port Security

    Troubleshooting port security Cannot set the port security mode Symptom Cannot set the port security mode. [Device-GigabitEthernet1/0/1] port-security port-mode autolearn Error:When we change port-mode, we should first change it to noRestrictions, then change it to the other. Analysis For a port operating in a port security mode other than noRestrictions, you cannot change the port security mode by using the port-security port-mode command directly.
  • Page 135 Analysis Changing port security mode is not allowed when an 802.1X authenticated or MAC authenticated user is online. Solution Use the cut command to forcibly disconnect the user from the port before changing the port security mode. [Device-GigabitEthernet1/0/1] quit [Device] cut connection interface gigabitethernet 1/0/1 [Device] interface gigabitethernet 1/0/1 [Device-GigabitEthernet1/0/1] undo port-security port-mode...
  • Page 136: Configuring Password Control

    Configuring password control Password control refers to a set of functions provided by the local authentication server to control user login passwords, super passwords, and user login status based on predefined policies. The rest of this section describes the password control functions in detail. Minimum password length By setting a minimum password length, you enforce users to use passwords long enough for system security.
  • Page 137 Password history With this feature enabled, the system maintains certain entries of passwords that a user has used. When a user changes the password, the system checks the new password against the used ones. The new password must be different from the used ones by at least four characters, and the four characters must not be the same.
  • Page 138: Password Control Configuration Task List

    configures a password, the system checks the complexity of the password. If the password is not qualified, the system refuses the password and displays a password configuration failure message. You can impose the following password complexity requirements: A password cannot contain the username or the reverse of the username. For example, if the •...
  • Page 139: Enabling Password Control

    Task Remarks Setting super password control parameters Optional Setting a local user password in interactive mode Optional Enabling password control To enable password control functions, you must do the following: Enable the password control feature in system view. Password control configurations take effect only after the password control feature is enabled globally.
  • Page 140: Setting User Group Password Control Parameters

    To do… Use the command… Remarks Optional. By default, the minimum number password-control composition Configure the password of password composition types is type-number policy-type [ type- composition policy. 1, and the minimum number of length type-length ] characters of a password composition type is also 1.
  • Page 141: Setting Local User Password Control Parameters

    To do… Use the command… Remarks Optional. Configure the minimum By default, the minimum password password length for the user password-control length length length configured in system view group. is used. Optional. Configure the password password-control composition By default, the password composition policy for the type-number type-number [ type- composition policy configured in...
  • Page 142: Setting A Local User Password In Interactive Mode

    To do… Use the command… Remarks Enter system view. system-view — Optional. Set the password aging time password-control super aging for super passwords. aging-time 90 days by default. Optional. Configure the minimum length password-control super length for super passwords. length 10 characters by default.
  • Page 143: Password Control Configuration Example

    Password control configuration example Network requirements Implement the following global password control policy: An FTP or VTY user failing to provide the correct password in two successive login attempts is • permanently prohibited from logging in. A user can log in five times within 60 days after the password expires. •...
  • Page 144 [Sysname] super password level 3 simple 12345ABGFTweuix # Create a local user named test. [Sysname] local-user test # Set the service type of the user to Telnet. [Sysname-luser-test] service-type telnet # Set the minimum password length to 12 for the local user. [Sysname-luser-test] password-control length 12 # Set the minimum number of password composition types to 2 and the minimum number of characters of each password composition type to 5 for the local user.
  • Page 145 The contents of local user test: State: Active ServiceType: telnet Access-limit: Disable Current AccessNum: 0 User-group: system Bind attributes: Authorization attributes: Password aging: Enabled (20 days) Password length: Enabled (12 characters) Password composition: Enabled (2 types, 5 characters per type) Total 1 local user(s) matched.
  • Page 146: Configuring Public Keys

    Configuring public keys To protect data confidentiality during transmission, the data sender uses an algorithm and a key to encrypt the plain text data before sending the data out. The receiver uses the same algorithm with the help of a key to decrypt the data, as shown in Figure Figure 42 Encryption and decryption The keys that participate in the conversion between the plain text and the cipher text can be the same or...
  • Page 147: Configuring A Local Asymmetric Key Pair On The Local Device

    Task Remarks asymmetric key pair on Displaying or exporting the local host public key Optional the local device Destroying a local asymmetric key pair Optional Specifying the peer public key on the local device Optional Configuring a local asymmetric key pair on the local device Creating a local asymmetric key pair Configuration guidelines...
  • Page 148 Displaying the host public key in a specific format and saving it to a file • Exporting the host public key in a specific format to a file • If your local device functions to authenticate the peer device, you must specify the peer public key on the local device.
  • Page 149: Destroying A Local Asymmetric Key Pair

    The recorded public key must asymmetric key pair. be in the correct format, or the manual configuration of a • If the peer device is an HP format-incompliant public key device, use the display public- Manually configure the public fails.
  • Page 150: Displaying And Maintaining Public Keys

    To manually configure the peer public key on the local device: To do… Use the command… Remarks Enter system view. system-view — Specify a name for the public key and enter public key public-key peer keyname Required. view. Enter public key code view. public-key-code begin —...
  • Page 151 Configuration procedure Configure Device A. # Create local RSA key pairs on Device A, setting the modulus length to the default, 1024 bits. <DeviceA> system-view [DeviceA] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes.
  • Page 152: Importing A Public Key From A Public Key File

    [DeviceB-pkey-key- code]30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814 F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669 A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3B CA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001 [DeviceB-pkey-key-code] public-key-code end [DeviceB-pkey-public-key] peer-public-key end # Display the host public key of Device A saved on Device B. [DeviceB] display public-key peer name devicea ===================================== Key Name : devicea Key Type : RSA Key Module: 1024 ===================================== Key Code: 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F9854...
  • Page 153 Generating Keys... ++++++ ++++++ ++++++++ ++++++++ # Display the public keys of the local RSA key pairs. [DeviceA] display public-key local rsa public ===================================================== Time of Key pair created: 09:50:06 2011/03/07 Key name: HOST_KEY Key type: RSA Encryption Key ===================================================== Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F9854 C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A784A...
  • Page 154 User(10.1.1.1:(none)):ftp 331 Password required for ftp. Password: 230 User logged in. [ftp] binary 200 Type set to I. [ftp] get devicea.pub 227 Entering Passive Mode (10,1,1,1,5,148). 125 BINARY mode data connection already open, transfer starting for /devicea.pub. 226 Transfer complete. FTP: 299 byte(s) received in 0.189 second(s), 1.00Kbyte(s)/sec.
  • Page 155: Configuring Pki

    With digital certificates, the PKI system provides network communication and e-commerce with security services such as user authentication, data non-repudiation, data confidentiality, and data integrity. HP's PKI system provides certificate management for SSL. PKI terms Digital certificate A digital certificate is a file signed by a CA for an entity.
  • Page 156: Pki Architecture

    might use different methods to check the binding of a public key with an entity, make sure that you understand the CA policy before selecting a trusted CA for certificate request. PKI architecture A PKI system consists of entities, a CA, an RA, and a PKI repository. See Figure Figure 45 PKI architecture Entity...
  • Page 157: Pki Applications

    PKI applications The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI has a wide range of applications. Here are some application examples. A VPN is a private data communication network built on the public communication infrastructure. A VPN can leverage network layer security protocols (for instance, IPsec) in conjunction with PKI-based encryption and digital signature technologies for confidentiality.
  • Page 158: Configuring An Entity Dn

    Task Remarks Optional. Retrieving a certificate manually Optional. Configuring PKI certificate verification Optional. Destroying a local RSA key pair Optional. Deleting a certificate Optional. Configuring an access control policy Configuring an entity DN A certificate is the binding of a public key and the identity information of an entity, where the identity information is identified by an entity DN.
  • Page 159: Configuring A Pki Domain

    To do… Use the command… Remarks Optional. Configure the IP address for ip ip-address No IP address is specified by the entity. default. Optional. Configure the locality for the locality locality-name entity. No locality is specified by default. Optional. Configure the organization organization org-name No organization is specified by name for the entity.
  • Page 160 Fingerprint for root certificate verification—After receiving the root certificate of the CA, an entity • needs to verify the fingerprint of the root certificate, namely, the hash value of the root certificate content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not match the one configured for the PKI domain, the entity rejects the root certificate.
  • Page 161: Submitting A Pki Certificate Request

    Submitting a PKI certificate request When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which are the major components of the certificate. A certificate request can be submitted to a CA in offline mode or online mode. In offline mode, a certificate request is submitted to a CA by an out-of-band method such as phone, disk, or email.
  • Page 162: Retrieving A Certificate Manually

    To do… Use the command… Remarks Required. Generate a local RSA key public-key local create rsa No local RSA key pair exists by pair. default. pki request-certificate domain Submit a local certificate domain-name [ password ] [ Required. request manually. pkcs10 [ filename filename ] ] If a PKI domain already has a local certificate, creating an RSA key pair results in inconsistency between the key pair and the certificate.
  • Page 163: Configuring Pki Certificate Verification

    To do… Use the command… Remarks pki retrieval-certificate { ca | local } domain Online domain-name Retrieve a Required. certificate pki import-certificate { ca | local } domain Use either command. manually. Offline domain-name { der | p12 | pem } [ filename filename ] If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it.
  • Page 164: Configuring Crl-Checking-Disabled Pki Certificate Verification

    To do… Use the command… Remarks Verify the validity of a pki validate-certificate { ca | local Required. certificate. } domain domain-name The CRL update period defines the interval at which the entity downloads CRLs from the CRL server. The CRL update period setting manually configured on the switch is prior to that carried in the CRLs.
  • Page 165: Configuring An Access Control Policy

    To do… Use the command… Remarks Enter system view. system-view — pki delete-certificate { ca | local } Delete certificates. Required domain domain-name Configuring an access control policy When you configure a certificate attribute-based access control policy, you can further control access to the server, providing additional security for the server.
  • Page 166: Pki Configuration Examples

    To do… Use the command… Remarks display pki certificate attribute- Display information about group { group-name | all } [ | { Available in any view certificate attribute groups begin | exclude | include } regular-expression ] display pki certificate access- Display information about control-policy { policy-name | all } certificate attribute-based access...
  • Page 167 After the configuration, make sure that the system clock of the switch is synchronous to that of the CA, so that the switch can request certificates and retrieve CRLs properly. Configure the switch. Configure the entity DN. • # Configure the entity name as aaa and the common name as device. <Device>...
  • Page 168 SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8 Is the finger print correct?(Y/N):y Saving CA/RA certificates chain, please wait a moment..CA certificates retrieval success. # Retrieve CRLs and save them locally. [Device] pki retrieval-crl domain torsa Connecting to server for retrieving CRL.
  • Page 169: Requesting A Certificate From A Ca Server Running Windows ® 2003 Server

    73EB0549 A65D9E74 0F2953F2 D4F0042F 19103439 3D4F9359 88FB59F3 8D4B2F6C Exponent: 65537 (0x10001) X509v3 extensions: X509v3 CRL Distribution Points: URI:http://4.4.4.133:447/myca.crl Signature Algorithm: sha1WithRSAEncryption 836213A4 F2F74C1A 50F4100D B764D6CE B30C0133 C4363F2F 73454D51 E9F95962 EDE9E590 E7458FA6 765A0D3F C4047BC2 9C391FF0 7383C4DF 9A0CCFA9 231428AF 987B029C C857AD96 E4C92441 9382E798 8FCC1E4A 3E598D81 96476875 E2F86C33 75B51661 B6556C5E 8F546E97 5197734B C8C29AC7 E427C8E4 B9AAF5AA 80A75B3C...
  • Page 170 From the Start menu, select Control Panel > Administrative Tools > Certificate Authority. If the CA server and SCEP add-on have been installed successfully, there should be two certificates issued by the CA to the RA. Right-click the CA server in the navigation tree, and select Properties > Policy Module. Click Properties and then select Follow the settings in the certificate template, if applicable.
  • Page 171 Apply for certificates. • # Retrieve the CA certificate and save it locally. [Device] pki retrieval-certificate ca domain torsa Retrieving CA/RA certificates. Please wait a while..The trusted CA's finger print is: fingerprint:766C D2C8 9E46 845B 4DCE 439C 1C1F 83AB SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4 Is the finger print correct?(Y/N):y Saving CA/RA certificates chain, please wait a moment..
  • Page 172: Configuring A Certificate Attribute-Based Access Control Policy

    CB4D05E6 55DC11B6 9F4C014D EA600306 81D403CF 2D93BC5A 8AF3224D 1125E439 78ECEFE1 7FA9AE7B 877B50B8 3280509F Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: B68E4107 91D7C44C 7ABCE3BA 9BF385F8 A448F4E1 X509v3 Authority Key Identifier: keyid:9D823258 EADFEFA2 4A663E75 F416B6F6 D41EE4FE X509v3 CRL Distribution Points: URI:http://l00192b/CertEnroll/CA%20server.crl URI:file://\\l00192b\CertEnroll\CA server.crl Authority Information Access: CA Issuers - URI:http://l00192b/CertEnroll/l00192b_CA%20server.crt...
  • Page 173 Configuration procedure NOTE: For more information about SSL configuration, see "Configuring SSL." • Fundamentals Configuration Guide For more information about HTTPS configuration, see • The PKI domain to be referenced by the SSL policy must be created in advance. For information •...
  • Page 174: Troubleshooting Pki

    Troubleshooting PKI Failed to retrieve a CA certificate Symptom Failed to retrieve a CA certificate. Analysis Possible reasons include the following: The network connection is not normal. For example, the network cable might be damaged or loose. • No trusted CA is specified. •...
  • Page 175: Failed To Retrieve Crls

    Use the ping command to check whether the RA server is reachable. • Specify the authority for certificate request. • Configure the required entity DN parameters. • Failed to retrieve CRLs Symptom Failed to retrieve CRLs. Analysis Possible reasons include the following: The network connection is not normal.
  • Page 176: Configuring Ssh2.0

    Configuring SSH2.0 SSH offers an approach to logging in to a remote device securely. Using encryption and strong authentication, SSH protects devices against attacks such as IP spoofing and plain text password interception. The switch can not only work as an SSH server to support connections with SSH clients but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server.
  • Page 177 The server compares the version number carried in the packet with that of its own. If the server supports the version, the negotiation succeeds, and the server and the client proceed with key and algorithm negotiation. Otherwise, the negotiation fails, and the server breaks the TCP connection. All packets involved in the preceding steps are transferred in plain text.
  • Page 178: Configuring The Switch As An Ssh Server

    The server authenticates the client. If the authentication fails, the server sends the client a message to inform the client of the failure and the methods available for re-authentication. The client selects a method from the list to initiate another authentication. The preceding process repeats until the authentication succeeds or the number of failed authentication attempts exceeds the maximum of authentication attempts.
  • Page 179: Generating A Dsa Or Rsa Key Pair

    Generating a DSA or RSA key pair In the key and algorithm negotiation stage, the DSA or RSA key pair is required to generate the session key and session ID and for the client to authenticate the server. To generate a DSA or RSA key pair on the SSH server: To do…...
  • Page 180: Configuring A Client Public Key

    (in binary) to the server through FTP or TFTP. HP recommends that you configure a client public key by importing it from a public key file. Configuring a client public key manually To do…...
  • Page 181: Configuring An Ssh User

    To do… Use the command… Remarks Return to system view. peer-public-key end — Importing a client public key from a public key file To do… Use the command… Remarks Enter system view. system-view — Import the public key from a public-key peer keyname import Required public key file.
  • Page 182: Setting The Ssh Management Parameters

    A user without an SSH account can still pass password authentication and log in to the server through Stelnet or SFTP, as long as the user can pass AAA authentication and the service type is SSH. For successful login through SFTP, you must set the user service type to sftp or all. SSH1 does not support the service type sftp.
  • Page 183: Configuring The Switch As An Ssh Client

    Configuring the switch as an SSH client SSH client configuration task list Task Remarks Specifying a source ip address/interface for the SSH client Optional Configuring whether first-time authentication is supported Optional Establishing a connection between the SSH client and server Required Specifying a source ip address/interface for the SSH client Specify a source IP address or interface for the client to access the SSH server, improving service...
  • Page 184: Establishing A Connection Between The Ssh Client And Server

    To do... Use the command… Remarks Optional. Enable the switch to support ssh client first-time enable By default, first-time authentication first-time authentication. is supported on a client. Disable first-time authentication For successful authentication of an SSH client not supporting first-time authentication, the server host public key must be configured on the client, and the public key name must be specified.
  • Page 185: Displaying And Maintaining Ssh

    Displaying and maintaining SSH To do… Use the command… Remarks Display the source IP address or display sftp client source [ | { interface currently set for the SFTP begin | exclude | include } Available in any view client regular-expression ] Display the source IP address or display ssh client source [ | {...
  • Page 186 # Generate the RSA key pairs. <Switch> system-view [Switch] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys...
  • Page 187: When The Switch Acts As A Server For Publickey Authentication

    Establish a connection between the SSH client and the SSH server. NOTE: The switch supports a variety of SSH client software, such as PuTTY, and OpenSSH. The following is an example of configuring SSH client using PuTTY Version 0.58. # Establish a connection to the SSH server. Launch PuTTY.exe to enter the following interface.
  • Page 188 Figure 51 Switch acts as server for publickey authentication Configuration procedure NOTE: During SSH server configuration, the client public key is required. Use the client software to generate RSA key pairs on the client before you configure the SSH server. Configure the SSH client.
  • Page 189 Figure 53 Generate a key pair on the client 2) After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key. See Figure Figure 54 Generate a key pair on the client 3)
  • Page 190 Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save the private key without any protection. Click Yes and enter the name of the file for saving the key (private.ppk in this case). See Figure Figure 55 Save a key pair on the client 4) Then, transmit the public key file to the server through FTP or TFTP.
  • Page 191 [Switch-ui-vty0-4] authentication-mode scheme # Enable the user interfaces to support SSH. [Switch-ui-vty0-4] protocol inbound ssh # Set the user command privilege level to 3. [Switch-ui-vty0-4] user privilege level 3 [Switch-ui-vty0-4] quit # Import the client’s public key from file key.pub and name it Switch001. [Switch] public-key peer Switch001 import sshkey key.pub # Specify the authentication method for user client002 as publickey, and assign the public key Switch001 to the user.
  • Page 192: Ssh Client Configuration Examples

    Figure 57 SSH client configuration interface 2) Click Open to connect to the server. If the connection is normal, you are prompted to enter the username. After entering the username (client002), you can enter the configuration interface of the server. SSH client configuration examples When the switch acts as client for password authentication Network requirements...
  • Page 193 <SwitchB> system-view [SwitchB] public-key local create rsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys...
  • Page 194 # Configure an IP address for VLAN-interface 1. <SwitchA> system-view [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ip address 10.165.87.137 255.255.255.0 [SwitchA-Vlan-interface1] quit [SwitchA] quit If the client supports first-time authentication, you can directly establish a connection from the client • to the server. # Establish an SSH connection to server 10.165.87.136.
  • Page 195: When The Switch Acts As Client For Publickey Authentication

    [SwitchA-pkey-key-code]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465E 8716261214A5A3B493E866991113B2D [SwitchA-pkey-key-code]485348 [SwitchA-pkey-key-code] public-key-code end [SwitchA-pkey-public-key] peer-public-key end # Specify the host public key for the SSH server (10.165.87.136) as key1. [SwitchA] ssh client authentication server 10.165.87.136 assign publickey key1 [SwitchA] quit # Establish an SSH connection to server 10.165.87.136. <SwitchA>...
  • Page 196 Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys... ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++ # Export the DSA public key to file key.pub. [SwitchA] public-key local export dsa ssh2 key.pub [SwitchA] quit Then, transmit the public key file to the server through FTP or TFTP. Configure the SSH server.
  • Page 197 # Set the user command privilege level to 3. [SwitchB-ui-vty0-4] user privilege level 3 [SwitchB-ui-vty0-4] quit # Import the peer public key from the file key.pub. [SwitchB] public-key peer Switch001 import sshkey key.pub # Specify the authentication method for user client002 as publickey, and assign the public key Switch001 to the user.
  • Page 198: Configuring Sftp

    Configuring SFTP SFTP is a new feature in SSH2.0. SFTP uses the SSH connection to provide secure data transfer. The switch can serve as the SFTP server, allowing a remote user to log in to the SFTP server for secure file management and transfer. The switch can also serve as an SFTP client, enabling a user to log in from the switch to a remote device for secure file transfer.
  • Page 199: Configuring The Switch As An Sftp Client

    Configuring the switch as an SFTP client Specifying a source IP address or interface for the SFTP client You can configure a client to use only a specified source IP address or interface to access the SFTP server, enhancing the service manageability. To specify a source IP address or interface for the SFTP client: To do…...
  • Page 200: Working With Sftp Files

    Changing the name of a directory on the server • Creating or deleting a directory • To work with the SFTP directories: To do… Use the command… Remarks Required. For more information, see Enter SFTP client view. "Establishing a connection to the Execute the command in user SFTP server."...
  • Page 201: Displaying Help Information

    To do… Use the command… Remarks Optional. dir [ -a | -l ] [ remote-path ] Display the files under a The dir command functions as the directory. ls [ -a | -l ] [ remote-path ] ls command. Optional. delete remote-file&<1-10>...
  • Page 202 Configuration procedure NOTE: During SFTP server configuration, the client public key is required. Use the client software to generate RSA key pairs on the client before you configure the SFTP server. Configure the SFTP client. # Create VLAN-interface 1 and assign an IP address to it. <SwitchA>...
  • Page 203 NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys... ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++ # Enable the SSH server. [SwitchB] ssh server enable # Enable the SFTP server.
  • Page 204 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub -rwxrwxrwx 1 noone nogroup 0 Sep 01 08:00 z sftp-client> delete z The following File will be deleted: Are you sure to delete it? [Y/N]:y This operation might take a long time.Please wait...
  • Page 205: Sftp Server Configuration Example

    -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2 -rwxrwxrwx 1 noone...
  • Page 206 NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys... ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++ # Enable the SSH server. [Switch] ssh server enable # Enable the SFTP server.
  • Page 207 Figure 62 SFTP client interface...
  • Page 208: Configuring Ssl

    Configuring SSL SSL is a security protocol that provides secure connection services for TCP-based application layer protocols such as HTTP. It is widely used in e-business and online banking to ensure secure data transmission over the Internet. SSL security mechanism Secure connections provided by SSL have these features: Confidentiality—SSL uses a symmetric encryption algorithm to encrypt data and uses the •...
  • Page 209: Ssl Configuration Task List

    Figure 64 SSL protocol stack SSL record protocol—Fragments data to be transmitted, computes and adds MAC to the data, and • encrypts the data before transmitting it to the peer end. SSL handshake protocol—Negotiates the cipher suite to be used for secure communication •...
  • Page 210: Ssl Server Policy Configuration Example

    To do... Use the command... Remarks Create an SSL server policy ssl server-policy policy-name Required. and enter its view. Required. Specify a PKI domain for the pki-domain domain-name By default, no PKI domain is SSL server policy. specified for an SSL server policy. ciphersuite [ rsa_3des_ede_cbc_sha | Optional.
  • Page 211 To achieve the goal, perform the following configurations (see Figure 65): Configure the device to work as the HTTPS server, and request a certificate for the device. Request a certificate for the host so that the device can authenticate the identity of the host. Configure a CA server to issue certificates to the device and the host.
  • Page 212: Configuring An Ssl Client Policy

    [Device] ssl server-policy myssl # Specify the PKI domain for the SSL server policy as 1. [Device-ssl-server-policy-myssl] pki-domain 1 # Enable client authentication. [Device-ssl-server-policy-myssl] client-verify enable [Device-ssl-server-policy-myssl] quit # Configure HTTPS service to use SSL server policy myssl. [Device] ip https ssl-server-policy myssl # Enable HTTPS service.
  • Page 213: Displaying And Maintaining Ssl

    To do… Use the command… Remarks Optional. Specify a PKI domain for the pki-domain domain-name No PKI domain is configured by SSL client policy. default. prefer-cipher { rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | Optional. Specify the preferred cipher rsa_aes_256_cbc_sha | suite for the SSL client policy. rsa_rc4_128_md5 by default.
  • Page 214 Solution Issue the debugging ssl command, and view the debugging information to locate the problem: If the SSL client is configured to authenticate the SSL server but the SSL server has no certificate, • request one for it. If the server’s certificate cannot be trusted, install the root certificate of the CA that issued the local •...
  • Page 215: Configuring Tcp Attack Protection

    Configuring TCP attack protection An attacker can attack the switch during the process of establishing a TCP connection. To prevent such an attack, the switch provides the SYN Cookie feature. Enabling the SYN Cookie feature The establishing of a TCP connection involves the following handshakes: The request originator sends a SYN message to the target server.
  • Page 216: Configuring Ip Source Guard

    Configuring IP source guard IP source guard is intended to improve port security by blocking illegal packets. For example, it can prevent illegal hosts from using a legal IP address to access the network. IP source guard can filter packets according to the packet source IP address and source MAC address. It supports these types of binding entries: IP-port binding entry •...
  • Page 217: Dynamic Ip Source Guard Binding Entries

    Port-based static binding entries are used to check the validity of users who are trying to access a port. Dynamic IP source guard binding entries Dynamic IP source guard entries are generated dynamically according to client entries on the DHCP snooping or DHCP relay agent device.
  • Page 218: Configuring A Static Ipv4 Source Guard Binding Entry

    On a Layer 2 Ethernet port, IP source guard cooperates with DHCP snooping, dynamically obtains the DHCP snooping entries generated during dynamic IP address allocation, and generates IP source guard entries accordingly. On a Layer 3 Ethernet port or VLAN interface, IP source guard cooperates with DHCP relay, dynamically obtains the DHCP relay entries generated during dynamic IP address allocation across network segments, and generates IP source guard entries accordingly.
  • Page 219: Setting The Maximum Number Of Ipv4 Source Guard Binding Entries

    To do… Use the command… Remarks interface interface-type interface- Enter Layer 2 interface view. — number ip source binding { ip-address ip- Required. Configure a static IPv4 source address | ip-address ip-address guard binding entry on the By default, no static IPv4 binding mac-address mac-address | mac- port.
  • Page 220: Configuring A Static Ipv6 Source Guard Binding Entry

    Cooperating with DHCPv6 snooping, IP source guard dynamically generates IP source guard entries based on the DHCPv6 snooping entries that are generated during dynamic IP address allocation. Cooperating with ND snooping, IP source guard dynamically generates IP source guard entries based on dynamic ND snooping entries.
  • Page 221: Setting The Maximum Number Of Ipv6 Source Guard Binding Entries

    To do… Use the command… Remarks ipv6 source binding { ipv6- Required. address ipv6-address | ipv6- Configure a static IPv6 address ipv6-address mac- By default, no static IPv6 binding binding entry on a port. address mac-address | mac- entry is configured on a port. address mac-address } You cannot configure the same static binding entry on one port repeatedly, but you can configure the same static binding entry on different ports.
  • Page 222: Ip Source Guard Configuration Examples

    To do… Use the command… Remarks display ip source binding static [ interface interface-type interface-number | ip- Display static IPv4 source guard address ip-address | mac-address mac- Available in any view binding entries address ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] display ip source binding [ interface interface-type interface-number | ip-...
  • Page 223 Figure 67 Network diagram for configuring static IPv4 source guard binding entries Configuration procedure Configure Device A. # Configure the IPv4 source guard function on GigabitEthernet 1/0/2 to filter packets based on both the source IP address and MAC address. <DeviceA>...
  • Page 224: Dynamic Ipv4 Source Guard Binding By Dhcp Snooping Configuration Example

    # Configure the IPv4 source guard function on GigabitEthernet 1/0/1 to filter packets based on the source IP address. [DeviceB] interface gigabitethernet 1/0/1 [DeviceB-GigabitEthernet1/0/1] ip verify source ip-address # Configure GigabitEthernet 1/0/1 to allow only IP packets with the source IP address of 192.168.0.2 to pass.
  • Page 225: Dynamic Ipv4 Source Guard Binding By Dhcp Relay Configuration Example

    Configuration procedure Configure DHCP snooping. # Enable DHCP snooping. <Device> system-view [Device] dhcp-snooping # Configure port GigabitEthernet 1/0/2, which is connected to the DHCP server, as a trusted port. [Device] interface gigabitethernet1/0/2 [Device-GigabitEthernet1/0/2] dhcp-snooping trust [Device-GigabitEthernet1/0/2] quit Configure the IPv4 source guard function. # Configure the IPv4 source guard function on port GigabitEthernet 1/0/1 to filter packets based on both the source IP address and MAC address.
  • Page 226 Enable the IPv4 source guard binding function on the switch’s VLAN-interface 100 to filter packets based on the DHCP relay entry, allowing only packets from clients that obtain IP addresses from the DHCP server to pass. Figure 69 Network diagram for configuring dynamic IPv4 source guard binding through DHCP relay DHCP client DHCP relay agent DHCP server...
  • Page 227: Static Ipv6 Source Guard Binding Entry Configuration Example

    Static IPv6 source guard binding entry configuration example Network requirements As shown in Figure 70, the host is connected to port GigabitEthernet 1/0/1 of the device. Configure a static IPv6 source guard binding entry for GigabitEthernet 1/0/1 of the device to allow only packets from the host to pass.
  • Page 228 Figure 71 Network diagram for configuring dynamic IPv6 source guard binding by DHCPv6 snooping Configuration procedure Configure DHCPv6 snooping. # Enable DHCPv6 snooping globally. <Device> system-view [Device] ipv6 dhcp snooping enable # Enable DHCPv6 snooping in VLAN 2. [Device] vlan 2 [Device-vlan2] ipv6 dhcp snooping vlan enable [Device-vlan2] quit # Configure the port connecting to the DHCP server as a trusted port.
  • Page 229: Dynamic Ipv6 Source Guard Binding By Nd Snooping Configuration Example

    Dynamic IPv6 source guard binding by ND snooping configuration example Network requirements As shown in Figure 72, the client is connected to the device through port GigabitEthernet 1/0/1. Enable ND snooping on the device, establishing ND snooping entries by listening to DAD NS messages. Enable the IPv6 source guard function on port GigabitEthernet 1/0/1 to filter packets based on the ND snooping entries, allowing only packets with a legally obtained IPv6 address to pass.
  • Page 230: Troubleshooting Ip Source Guard

    Troubleshooting IP source guard Cannot configure static binding entries or dynamic binding function Symptom Failed to configure static binding entries or the dynamic binding function on a port. Analysis IP source guard is not supported on a port in an aggregation group. Solution Remove the port from the aggregation group.
  • Page 231: Configuring Arp Attack Protection

    Configuring ARP attack protection The term "interface" in the ARP attack protection features refers to Layer 3 interfaces, including VLAN interfaces and route-mode (or Layer 3) Ethernet ports. You can set an Ethernet port to operate in route mode by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide). CAUTION: Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks.
  • Page 232: Configuring Arp Defense Against Ip Packet Attacks

    Task Remarks prevention Optional. Configuring ARP active acknowledgement Configure this function on gateways (recommended). Optional. Configuring ARP detection Configure this function on access devices (recommended). Optional. Configuring ARP automatic scanning and fixed Configure this function on gateways (recommended). Configuring ARP defense against IP packet attacks If the device receives a large number of IP packets from a host addressed to unreachable destinations, the following occur: The device sends a large number of ARP requests to the destination subnets.
  • Page 233: Enabling Arp Black Hole Routing

    Enabling ARP black hole routing To do… Use the command… Remarks Enter system view. system-view — Optional Enable ARP black hole arp resolving-route enable routing. Enabled by default Displaying and maintaining ARP defense against IP packet attacks To do… Use the command… Remarks display arp source-suppression [ Display the ARP source suppression...
  • Page 234: Configuring Arp Packet Rate Limit

    Configuration considerations If the attacking packets have the same source address, you can enable the ARP source suppression function by doing the following: Enable ARP source suppression. • Set the threshold for ARP packets from the same source address to 100. If the number of ARP •...
  • Page 235: Configuring Source Mac Address-Based Arp Attack Detection

    Configuring source MAC address-based ARP attack detection With this feature enabled, the device checks the source MAC address of ARP packets delivered to the CPU. It detects an attack when one MAC address sends more ARP packets in 5 seconds than the specified threshold.
  • Page 236: Source Mac Address-Based Arp Attack Detection Configuration Example

    Source MAC address-based ARP attack detection configuration example Network requirements As shown in Figure 74, the hosts access the Internet through a gateway (Device). If malicious users send a large number of ARP requests to the gateway, the gateway may crash and cannot process requests from the clients.
  • Page 237: Configuring Arp Packet Source Mac Address Consistency Check

    [Device] arp anti-attack source-mac aging-time 60 # Configure 0012-3f86-e94c as a protected MAC address. [Device] arp anti-attack source-mac exclude-mac 0012-3f86-e94c Configuring ARP packet source MAC address consistency check The ARP packet source MAC address consistency check feature enables a gateway device to filter out ARP packets that have a different source MAC address in the Ethernet header from the sender MAC address in the message, so that the gateway device can learn correct ARP entries.
  • Page 238: Security Entries

    If both the ARP detection based on specified objects and the ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1X security entries are enabled, the former one applies first, and then the latter applies. Enabling ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1x security entries With this feature enabled, the device compares the sender IP and MAC addresses of an ARP packet received from the VLAN against the static IP source guard binding entries, DHCP snooping entries, or...
  • Page 239: Configuring Arp Detection Based On Specified Objects

    To do… Use the command… Remarks Return to system view. quit — Enter Layer 2 Ethernet interface/Layer 2 interface interface-type — aggregate interface interface-number view. Configure the port as a Optional. trusted port on which arp detection trust ARP detection does not The port is an untrusted port by default.
  • Page 240: Configuring Arp Restricted Forwarding

    Configuring ARP restricted forwarding ARP restricted forwarding controls the forwarding of ARP packets that are received on untrusted ports and have passed ARP detection in the following cases: If the packets are ARP requests, they are forwarded through the trusted ports. •...
  • Page 241 Figure 75 Network diagram for ARP detection configuration Gateway DHCP server Switch A GE1/0/3 Vlan-int10 10.1.1.1/24 VLAN 10 GE1/0/3 Switch B GE1/0/1 GE1/0/2 Host A Host B Configuration procedure Add all ports on Switch B into VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A.
  • Page 242: Arp Detection Configuration Example 2

    # Configure the upstream port as a trusted port and the downstream ports as untrusted ports (a port is an untrusted port by default). [SwitchB-vlan10] interface gigabitethernet 1/0/3 [SwitchB-GigabitEthernet1/0/3] arp detection trust [SwitchB-GigabitEthernet1/0/3] quit After the preceding configurations are complete, when ARP packets arrive at interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, they are checked against 802.1X security entries.
  • Page 243: Arp Restricted Forwarding Configuration Example

    [SwitchB] interface gigabitethernet 1/0/3 [SwitchB-GigabitEthernet1/0/3] dhcp-snooping trust [SwitchB-GigabitEthernet1/0/3] quit # Enable ARP detection for VLAN 10. [SwitchB] vlan 10 [SwitchB-vlan10] arp detection enable # Configure the upstream port as a trusted port and the downstream ports as untrusted ports (a port is an untrusted port by default).
  • Page 244 Figure 77 Network diagram for ARP restricted forwarding configuration Gateway DHCP server Switch A GE1/0/3 Vlan-int10 10.1.1.1/24 VLAN 10 DHCP snooping GE1/0/3 Switch B GE1/0/1 GE1/0/2 Host A Host B 10.1.1.6 DHCP client 0001-0203-0607 Configuration procedure Configure VLAN 10, add ports to VLAN 10, and configure the IP address of the VLAN-interface, as shown in Figure 73.
  • Page 245: Configuring Arp Automatic Scanning And Fixed Arp

    ARP automatic scanning) into static ARP entries. The fixed ARP feature effectively prevents ARP entries from being modified by attackers. HP recommends that you use ARP automatic scanning and fixed ARP in a small-scale network such as a cybercafe.
  • Page 246 The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the device supports. As a result, the device may fail to change all dynamic ARP entries into static ARP entries. To delete a specific static ARP entry changed from a dynamic one, use the undo arp ip-address command.
  • Page 247: Configuring Nd Attack Defense

    Configuring ND attack defense The IPv6 ND protocol provides rich functions, such as address resolution, neighbor reachability detection, duplicate address detection, router/prefix discovery and address autoconfiguration, and redirection. However, it does not provide any security mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending forged packets.
  • Page 248: Enabling Source Mac Consistency Check For Nd Packets

    To identify forged ND packets, HP developed the source MAC consistency check and ND detection features. For more information about the functions of the ND protocol, see Layer 3—IP Services Configuration Guide. Enabling source MAC consistency check for ND packets Use source MAC consistency check on a gateway to filter out ND packets that carry different source MAC addresses in the Ethernet frame header and the source link layer address option.
  • Page 249: Configuring Nd Detection

    The ND snooping table is created automatically by the ND snooping module. For more information, see Layer 3—IP Services Configuration Guide. Configuring ND detection ND detection performs source check by using the binding tables of IP source guard, DHCPv6 snooping, and ND snooping.
  • Page 250: Network Diagram

    Enable ND detection on Switch B to filter out forged ND packets. Network diagram Figure 79 Network diagram for ND detection configuration Internet Gateway Switch A GE1/0/3 Vlan-int10 10::1 VLAN 10 ND snooping GE1/0/3 Switch B GE1/0/1 GE1/0/2 Host A Host B 10::5 10::6...
  • Page 251 # Create VLAN 10. [SwitchB] vlan 10 [SwitchB-vlan10] quit # Add ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to VLAN 10. [SwitchB] interface gigabitethernet 1/0/1 [SwitchB-GigabitEthernet1/0/1] port access vlan 10 [SwitchB-GigabitEthernet1/0/1] quit [SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] port access vlan 10 [SwitchB-GigabitEthernet1/0/2] quit [SwitchB] interface gigabitethernet 1/0/3 [SwitchB-GigabitEthernet1/0/3] port link-type trunk...
  • Page 252: Configuring Urpf

    Configuring URPF The term "router" in this document refers to both routers and Layer 3 switches. URPF protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Attackers launch attacks by creating a series of packets with forged source addresses. For applications using IP-address-based authentication, this type of attack allows unauthorized users to access the system in the name of authorized users, or even to access the system as the administrator.
  • Page 253 Figure 81 URPF work flow URPF checks the source address validity and does the following: Discards packets with a broadcast source address. • Discards packets with an all-zero source address but a non-broadcast destination address. (A • packet with source address 0.0.0.0 and destination address 255.255.255.255 might be a DHCP or BOOTP packet, and it is not discarded.)
  • Page 254 For other packets, proceed to Step 2. • URPF checks whether the source address matches a FIB entry: If it does, proceed to Step 3. • If it does not, proceed to Step 6. • URPF checks whether the check mode is loose: If it is, proceed to Step 8.
  • Page 255: Network Application

    { loose | strict } Disabled by default The routing table size decreases by half when URPF is enabled on the HP A5830 switches. To prevent loss of routes and packets, URPF cannot be enabled if the number of route entries the switch maintains exceeds half the routing table size.
  • Page 256 Figure 83 Network diagram for URPF configuration Configuration procedure Configure Switch A. # Enable strict URPF check. <SwitchA> system-view [SwitchA] ip urpf strict Configure Switch B. # Enable strict URPF check. <SwitchB> system-view [SwitchB] ip urpf strict...
  • Page 257: Support And Other Resources

    Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. •...
  • Page 258: Conventions

    Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...
  • Page 259 Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 260: Index

    802.1X enabling periodic online user re-authentication function, 80 AAA for RADIUS server 802.1X user, 50 enabling security entry detection (ARP attack access control methods (HP implementation), 71 protection), 230 access device as authentication initiator, 66 fundamentals, 63 ACL assignment, 74...
  • Page 261 assignment (MAC authentication), 97 configuring ISP domain accounting method, 41 configuring ISP domain attribute, 37 configuring with assignment (802.1X), 89 configuring ISP domain authentication method, 38 algorithm configuring ISP domain authorization method, 39 negotiation (SSH2.0), 169 configuring local user, 16 application configuring local user attributes, 17 PKI, 149...
  • Page 262 mechanism (RADIUS), 2 maintaining ARP detection, 232 maintaining defense against IP packet attack, 225 Message-Authentication attribute (802.1X), 66 maintaining source MAC address-based ARP procedures (802.1X), 66 attack detection, 227 RADIUS server for SSH/Telnet user (AAA), 47 assigning setting maximum number of authentication request attempts (802.1X), 77 ACL (802.1X), 74 VLAN (802.1X), 71...
  • Page 263 ARP attack protection, 223 submitting request, 153 submitting request in auto-mode (PKI), 153 authentication (802.1X), 83 submitting request in manual mode (PKI), 153 authentication trigger function (802.1X), 78 certificate authority (CA), 148 Auth-Fail VLAN (802.1X), 73, 82 class attribute autoLearn mode (port security), 116 configuring interpretation as CAR parameters automatic scanning (ARP attack protection), 237 (RADIUS), 29...
  • Page 264 public key, 138, 142 for HWTACACS server Telnet user (AAA), 44 for separate server Telnet user (AAA), 46 quiet timer (802.1X), 80 free IP (EAD fast deployment), 91 RADIUS user, 43 guest VLAN (802.1X), 72, 81, 86 RADIUS-based MAC authentication, 103 interpretation of class attribute as CAR parameters redirect URL (EAD fast deployment), 92 (RADIUS), 29...
  • Page 265 VLAN assignment(802.1X), 86 with ACL assignment (802.1X), 89 SSH2.0, 177 connection idle timeout period (SFTP), 190 SSL, 205 TCP attack protection, 207 contacting HP, 249 controlled/uncontrolled port (802.1X), 63 documentation creating conventions used, 250 ISP domain (AAA), 36 website, 249...
  • Page 266 exporting enabling EAP termination (802.1X), 75 Message attribute (802.1X), 65 host public key in specific format to a file, 140 Message-Authentication attribute (802.1X), 66 feature over RADIUS (802.1X), 65 ACL assignment (MAC authentication), 97 packet format (802.1X), 64 configuring autoLearn mode (port security), 116 EAPOL configuring intrusion protection (port security), 113 packet format (802.1X), 65...
  • Page 267 configuring SSH client (SSH2.0), 171 HWTACACS configuring AAA for HWTACACS server Telnet intrusion protection (port security), 107 user, 44 configuring scheme, 31 configuring defense against packet attack (ARP creating scheme, 31 attack protection), 224 specifying client source address/interface (SFTP), differences from RADIUS, 7 displaying, 36 specifying source address/interface for client level switching authentication for Telnet user, 56...
  • Page 268 loose URPF, 244 setting maximum number of IPv6 source guard binding entries, 213 static binding entries, 208 authentication approaches, 96 troubleshooting, 222 authentication timers, 97 IPv4 configuring authentication, 96 configuring IPv4 source guard on a port, 209 performing authentication (port security), 109 configuring IPv6 source guard on a port, 211 performing MAC-802.1X...
  • Page 269 performing MAC authentication (port security), ARP defense against IP packet attack, 225 ARP detection, 232 performing MAC-802.1X authentication (port EAD fast deployment, 92 security), 109 HWTACACS, 36 PKI, 149 IP source guard, 213 port security, 107 local user (AAA), 20 SSH (SSH2.0), 168 local user group (AAA), 20 NAS ID...
  • Page 270 URPF configuration, 247 detection configuration (ARP attack protection), 232, 234 userLoginWithOUI mode configuration (port dynamic IPv4 binding by DHCP relay (IP source security), 119 guard), 217 verifying authentication configuration (802.1X), dynamic IPv4 binding by DHCP snooping (IP source guard), 216 verifying configuration with...
  • Page 271 terminology, 147 setting super password control parameter, 133 setting user group control parameter, 132 troubleshooting, 166 virtual private network (VPN), 149 applications, 149 web security, 149 architecture, 148 port certificate authority (CA), 148 authorization status (802.1X), 63 certificate authority (CA) policy, 147 controlled/uncontrolled (802.1X), 63 certificate revocation list (CRL), 147 enabling client listening port (RADIUS), 30...
  • Page 272 configuring CRL-checking enabled certificate trap, 107 verification (PKI), 155 troubleshooting, 126 configuring detection (ARP attack protection), 229, VLAN support, 110 233, 234 procedure configuring detection function (ND attack defense), AAA for RADIUS server 802.1X user (AAA), 50 authentication (802.1X), 66 configuring domain (PKI), 151 configuring AAA for RADIUS server 802.1X user configuring dynamic IPv4 binding by DHCP relay...
  • Page 273 configuring server policy (SSL), 201, 203, 204 configuring level switching authentication for Telnet user (HWTACACS), 56 configuring source MAC address-based detection configuring local user (AAA), 16 (ARP attack protection), 227, 228 configuring local user attributes (AAA), 17 configuring source suppression (ARP attack protection), 224...
  • Page 274 ignoring server authorization information (port deleting certificate (PKI), 156 security), 115 destroying local asymmetric key pair (public key), importing client public key from public key file (SSH2.0), 173 destroying local RSA key pair (PKI), 156 importing public key from public key file, 144 disabling first-time authentication...
  • Page 275 protocols setting user group control parameter (password control), 132 802.1X, 64 setting username format (HWTACACS), 34 AAA, 11 setting username format (RADIUS), 23 HWTACACS, 11 specifying access control method (802.1X), 76 RADIUS, 11 specifying accounting server and parameters public key (RADIUS), 22 configuration, 138, 142 specifying authentication domain for users (MAC...
  • Page 276 repository (PKI), 148 configuring scheme, 20 configuring switch as server, 43 retrieving configuring user, 43 certificate manually (PKI), 154 creating scheme, 21 scheme differences from HWTACACS, 7 configuring (AAA), 16 discussion, 2 scheme (HWTACACS), 31 displaying, 30 scheme (RADIUS), 21 EAP over (802.1X), 65 secure e-mail (PKI), 149 enabling client listening port, 30...
  • Page 277 security mode (port security), 112 RADIUS server authentication/authorization for SSH/Telnet user (AAA), 47 server status (RADIUS), 25 setting status (RADIUS), 25 super password control parameter (password setting supported type (RADIUS), 24 control), 133 setting timer control communication supported server type (RADIUS), 24 (HWTACACS), 35 timer control...
  • Page 278 interaction, 170 peer public key on local device, 141 RADIUS client, 44 key negotiation, 169 source address outgoing packets maintaining, 177 (HWTACACS), 34 session request, 170 source IP address for outgoing packets (RADIUS), setting management parameter, 174 specifying source IP address/interface for client, source IP address/interface for client (SSH2.0), SSH operation, 168 supported domain name delimiters (802.1X), 83...
  • Page 279 cannot change port security mode when a user is configuring as RADIUS server, 43 online (port security), 126 configuring as server (SFTP), 190 cannot configure secure MAC addresses (port configuring as SSH server (SSH2.0), 170 security), 126 enabling first-time authentication support (SSH2.0), cannot configure static binding entries or dynamic binding function (IP source guard), 222 RADIUS server feature, 10...
  • Page 280 domain-based management (AAA), 9 VLAN enabling periodic online user re-authentication assignment (802.1X), 71 function (802.1X), 80 assignment (MAC), 97 level switching authentication for Telnet user Auth-Fail (802.1X), 73 (HWTACACS), 56 configuring assignment (802.1X), 86 RADIUS server 802.1X user (AAA), 50 configuring guest VLAN (802.1X), 86 RADIUS server authentication/authorization for configuring NAS ID-VLAN binding (AAA), 42...